Title: | How to Configure Web Authentication Using Multiple NABs or Domino Directories on a Domino Server |
Product Area: | Domino Server |
Product: | Domino Server 5.x, Domino Server 4.6x, Domino Server 4.5x |
Topic: | Internet \\ Web Server \\ Security |
Number: | 163412 |
Date: | 04/04/2000 |
Problem:
You have two Name & Address Books (NAB) or Domino Directories on your Domino server. AddressBook1 is the primary NAB, and AddressBook2 contains users who are accessing the Domino server with a Web browser, not a Notes client.
How can users in AddressBook2 authenticate with the Domino Web server?
Solution:
Depending on the Domino release, you can use either a Master Address Book / Directory Assistance or cascaded Name & Address Books to allow authentication of Web users. The use of a Master Address Book (MAB) or Directory Assistance is recommended as it offers additional security options.
Cascaded NABs
For Domino versions prior to 4.6.1, you can use cascaded Address Books. In Domino 4.6.2, modifications and enhancements in the way name lookups are performed from the Web mean that only the primary NAB is used for Web authentication. Therefore, in Domino 4.6.2 you must use a Master Address Book for authentication with multiple Address Books. However, due to customers' requests, a NOTES.INI variable was introduced in 4.6.2a that allows the use of cascaded Address Books, instead of the MAB, for Domino 4.6.2a and later. To use cascaded Address Books in 4.6.2a or later, add the following setting to the server's NOTES.INI:
In R5, Web clients cannot authenticate from cascaded Public Address Books or Domino Directories (the NAMES= line in the NOTES.INI file). To authenticate Web clients using secondary address books or directories in R5, set up Directory Assistance.
Master Address Book in Domino 4.6x, Directory Assistance in Domino 5.x
In Domino 4.6x, you use a Master Address Book to allow users listed in NABs other than the primary one to authenticate with the Domino Web server. In Domino 5.x, this functionality is now called Directory Assistance.
To configure a Master Address Book in Domino 4.6x, take the following steps:
1. Verify that a Master Address Book exists on your Domino server, or create one using the template.
2. The MAB must contain a Directory Assistance document. Follow the instructions in "Quick Guide to Setting up Directory Assistance with the Master Address Book" (#164705 ) to create the Directory Assistance document. This Directory Assistance document is used to retrieve the Person document information when called upon.
3. Verify that Person documents for each Web user are created in the secondary NAB. These Person documents must have entries in the following fields:
* The User Name field must be in an hierarchical format, for example, John Doe/Internet.
* The Domain Name field is filled in with a domain name other than your Notes domain, for example, "Internet". The entry should match the domain specified as part of the user's name. This forms the Web user's identity.
* The Short Name field must contain an entry; it can be whatever the user wishes to enter, for example, Jdoe or John Doe.
* The Internet Password field must be filled in.
4. Examine the Access Control List (ACL) of databases to be used by Web users. If needed, you can add the Web user names by clicking the Add button in the ACL Dialog Box (File, Database, Access Control). You can select names from the primary or secondary NAB.
5. Using a Web browser, access the Domino Web server. Open a database that requires authentication. Enter your short name and Internet password and you authenticate with the server.
To configure Directory Assistance in Domino 5.x, see "Setting up directory assistance" in the Domino 5 Administration Help.
Groups
The use of Group documents from secondary Address Books is not supported for Web authentication. Any references to Group documents in the ACL of a database should be groups from the Primary NAB. The names in the group must be in hierarchical format, as in the User Name field of the Person document. These groups can contain users from secondary Address Books. An enhancement request for this new functionality has been submitted to Lotus Quality Engineering (spr #PHAD3QJPVE).
Supporting Information:
Related Documents:
Web User Authentication that Uses Cascading NAB's no Longer Works in Domino 4.6.2
Document #: 164451
Quick Guide to Setting up Directory Assistance with the Master Address Book
Document #: 164705
New Users Listed in Secondary NAB Cannot Authenticate in LearningSpace
Document #: 171038
(C) Copyright 2001 Lotus Development Corporation. All rights reserved.
previous page
|