Basic password authentication and database ACLs

You can set a database ACL to require basic password authentication.

Basic password authentication has the following characteristics:

  • Users are identified or authenticated when they access databases and applications on the server.
  • A web browser user must have a user name and an Internet password stored in the user's Person document to access databases. Only users with these credentials can access a database that requires basic password authentication.
  • Data transmitted between the user and the Sametime® server (including the name and password) is not encrypted.
  • Users are identified in the maintenance log files.

Basic password authentication identifies users, but it does not prevent unauthorized users from listening to network transmissions or gaining server access by guessing passwords. For information on using Secure Sockets Layer (SSL) to encrypt the data that passes over the web browser connection to the IBM® Sametime server, see Configuring Sametime to use SSL encryption.

Using the Default entry or individual names in database ACLs

When basic password authentication is enabled for a database, browser clients are authenticated when they attempt to open a database.

The Sametime Community Server challenges the user to supply a valid name and password and then verifies that the user's response matches the information stored in the user's Person document in the Domino® Directory (or LDAP directory if you have configured Sametime to operate with an LDAP directory). Authentication succeeds if the user name and password provided by the user match the user name and password in the directory and one of the following conditions exists:

  • The user is listed individually or as a member of a group in the database ACL.
  • The Anonymous entry is set to No Access while an access level is specified for the Default entry in the ACL. Using this method allows you to require users to authenticate but prevents you from having to add individual entries for every user and group in the ACL.

When the Anonymous entry in the database ACL is set to No Access, users are presented with a logon prompt when they attempt to access the database.

Users must enter the user name and Internet password at the logon prompt. Users that are successfully authenticated are then provided with the access level that is specified for the Default entry in the database ACL.

If both the Anonymous entry and the Default entry in the database ACL are set to No Access, a user must be listed in the ACL individually or as part of a group to access the database. Setting the Anonymous and Default entries to No Access provides the strictest control over access to the database because only users and groups that are listed in the ACL are allowed to access the database.

An individual name receives precedence over the Default entry. If a user's name is entered in a database ACL and provided with an access level, the user receives the access level assigned to that user name entry in the database ACL. Only users who are not listed individually in the database ACL receive the Default access level.

Note: If the Anonymous entry does not exist in the database ACL, the Default entry in the ACL must be set to No Access to require basic password authentication for the database. When the Anonymous entry does not exist in the database ACL, anonymous users can access the database and receive the access level assigned to the Default entry. If the Anonymous entry exists in the ACL and is assigned the No Access level, users are authenticated when accessing the database and receive the access level specified for the Default entry in the ACL.
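The precedence rules above (individual entry over group entry over Default, and the Anonymous entry deciding whether a logon prompt appears at all) are easy to get wrong when reviewing an ACL. The following Python model is an added example, not code from IBM or the Sametime product: it encodes the rules as this page states them so that concrete ACL configurations can be checked. The directory is a plain dictionary standing in for the Person documents, and all names, passwords and access levels are constructed sample data. Where the page does not describe a case (a user who is a member of several listed groups), the model takes the first matching group and says so in a comment.

```python
"""Added example: a model of the database ACL rules described on this page.
Not IBM or Sametime code; names, passwords and levels are constructed samples."""
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

NO_ACCESS = "No Access"


@dataclass
class DatabaseAcl:
    # Named entries: person names and group names, each with an access level.
    entries: Dict[str, str] = field(default_factory=dict)
    # Group membership as the directory would resolve it (group -> member names).
    groups: Dict[str, Set[str]] = field(default_factory=dict)
    default: str = NO_ACCESS
    # None models an ACL in which the Anonymous entry does not exist.
    anonymous: Optional[str] = None


def effective_anonymous_level(acl: DatabaseAcl) -> str:
    """Anonymous users get the Anonymous entry, or Default when that entry is absent."""
    return acl.default if acl.anonymous is None else acl.anonymous


def requires_authentication(acl: DatabaseAcl) -> bool:
    """True when a browser user is shown a logon prompt instead of anonymous access."""
    return effective_anonymous_level(acl) == NO_ACCESS


def listed_level(acl: DatabaseAcl, user: str) -> Optional[str]:
    """Level from an individual entry (which takes precedence) or from a group entry.
    Simplification: the first matching group entry wins; the page does not say how
    overlapping group entries are combined."""
    if user in acl.entries:
        return acl.entries[user]
    for group, members in acl.groups.items():
        if user in members and group in acl.entries:
            return acl.entries[group]
    return None


def verify_credentials(directory: Dict[str, str], user: str, password: str) -> bool:
    """Compare against the Internet password stored for the user (constant-time)."""
    stored = directory.get(user)
    return stored is not None and hmac.compare_digest(stored, password)


def authorize(acl: DatabaseAcl, directory: Dict[str, str],
              credentials: Optional[Tuple[str, str]] = None) -> Tuple[str, str]:
    """Return (outcome, access level) for one request.
    outcome is one of: anonymous, challenge, authenticated, denied."""
    if credentials is None:
        level = effective_anonymous_level(acl)
        return ("challenge", NO_ACCESS) if level == NO_ACCESS else ("anonymous", level)
    user, password = credentials
    if not verify_credentials(directory, user, password):
        return ("denied", NO_ACCESS)
    level = listed_level(acl, user)
    if level is not None:
        return ("denied", NO_ACCESS) if level == NO_ACCESS else ("authenticated", level)
    # Not listed: the Default level applies only when Anonymous is No Access and
    # Default grants something; otherwise nothing in the ACL admits the user.
    if requires_authentication(acl) and acl.default != NO_ACCESS:
        return ("authenticated", acl.default)
    return ("denied", NO_ACCESS)


# Constructed sample directory (user name -> Internet password) and three ACLs.
DIRECTORY = {"Ann Lee": "ann-sample-pw", "Bob Ray": "bob-sample-pw", "Cat Dao": "cat-sample-pw"}

# Anonymous and Default both No Access: only listed users and groups get in.
STRICT_ACL = DatabaseAcl(entries={"Ann Lee": "Editor", "Support": "Reader"},
                         groups={"Support": {"Bob Ray"}},
                         default=NO_ACCESS, anonymous=NO_ACCESS)
# Anonymous No Access, Default Author: everyone authenticates, unlisted users get Author.
DEFAULT_ACL = DatabaseAcl(entries={"Ann Lee": "Editor"}, default="Author", anonymous=NO_ACCESS)
# Anonymous entry absent, Default Reader: no prompt, anonymous users read (see the Note).
OPEN_ACL = DatabaseAcl(default="Reader")

if __name__ == "__main__":
    for name, acl in [("strict", STRICT_ACL), ("default", DEFAULT_ACL), ("open", OPEN_ACL)]:
        print(name, "anonymous:", authorize(acl, DIRECTORY))
        for user in DIRECTORY:
            print(name, user, authorize(acl, DIRECTORY, (user, DIRECTORY[user])))
```

Running the module prints each ACL's decision for an anonymous request and for each directory user. The useful check for a reviewer is the third ACL: with no Anonymous entry, the Default level is handed to anonymous browser users without any prompt, which is exactly the configuration the Note warns about.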