DIRECTORY SERVICES


Directory catalogs and client authentication
When an Internet client logs on to a server, the server can look up the client's name in the directory catalog to find the credentials it needs to authenticate that client.

Using an Extended Directory Catalog for client authentication

To allow a server to use an Extended Directory Catalog to look up client names for authentication, in the Directory Assistance document for the Extended Directory Catalog, enable a rule that is trusted for credentials.

In addition, if you don't aggregate all fields from Person documents, as is recommended, you must make sure to aggregate the fields that your authentication method requires. For example, to use name-and-password security, aggregate the HTTPPassword field from Person documents. To use X.509 certificate security, aggregate the userCertificate field.

If you want servers to use some secondary IBM® Lotus® Domino™ Directories for Internet client authentication but not others, you can create one Extended Directory Catalog that aggregates the Domino Directories to use for authentication, and another that aggregates the other Domino Directories. Then create a Directory Assistance document for each Extended Directory Catalog, and enable a rule that is trusted for credentials only in the one that aggregates the directories to be used for authentication.

Using a condensed Directory Catalog for client authentication

To enable a server to look up authentication credentials for any user name aggregated in a condensed Directory Catalog, select the option "Trust the server based condensed directory catalog for authentication with internet protocols" on the Basics tab of the server's Server document in the Domino Directory.

To allow a server to look up credentials for user names from only one or some of the source Domino Directories aggregated into a condensed Directory Catalog, do not select the above option. Instead, create a directory assistance database on the server. In the database, create a Directory Assistance document for each aggregated Domino Directory you want to use for authentication. In each Directory Assistance document, enable a rule that is trusted for credentials.

If you use name-and-password security for Internet client authentication, you can store the passwords in the condensed Directory Catalog. To do this, aggregate the HTTPPassword field from Person documents. In this case, a server looks up the passwords in the directory catalog, and doesn't require directory assistance to look them up in the source Domino Directories.

If you use X.509 certificates for client authentication, storing the certificates in a condensed Directory Catalog isn't recommended due to their size. Instead, set up directory assistance to look up the certificates directly in the source Domino Directories. Similarly, servers can use directory assistance to look up passwords in the source Domino Directories, rather than aggregating the passwords into the directory catalog, as a way to keep the condensed Directory Catalog small.

When you don't store passwords and X.509 certificates in a directory catalog, using the directory catalog and directory assistance together is quicker than using directory assistance alone, because only one database, the directory catalog, needs to be searched to find a name; directory assistance is then used only to fetch the credentials from the source directory in which the name was found.
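The following is an added illustration of the lookup rules described in the two sections above (Extended Directory Catalog with per-directory trust rules, and condensed Directory Catalog with either the server-wide trust option or per-directory Directory Assistance documents). It is plain Python written for this page, not IBM Domino code, and it calls no Domino API; the class names, the directories "Sales" and "Eng", the users and the field values are all constructed. It models one decision: given which Person fields were aggregated and which directories are trusted for credentials, can a server find a given credential, and where does it read it from.

```python
# Added illustration of the credential-lookup rules described on this page.
# Plain-Python model, not IBM Domino code; it uses no Domino API. All
# directories, people, field values and class names are constructed.
from dataclasses import dataclass, field


@dataclass
class Person:
    """One Person document; `fields` holds items such as HTTPPassword or userCertificate."""
    name: str
    fields: dict


@dataclass
class DominoDirectory:
    """A source Domino Directory (secondary, from the authenticating server's point of view)."""
    name: str
    people: dict = field(default_factory=dict)


@dataclass
class DirectoryCatalog:
    """A condensed or Extended Directory Catalog built from several source directories.
    Only the Person fields listed in `aggregated_fields` are copied into the catalog."""
    sources: list
    aggregated_fields: set

    def lookup(self, name):
        """Find a name in the catalog. Returns (source directory, copied fields) or None."""
        for directory in self.sources:
            person = directory.people.get(name)
            if person is not None:
                copied = {k: v for k, v in person.fields.items() if k in self.aggregated_fields}
                return directory, copied
        return None


@dataclass
class ServerConfig:
    """Authentication-relevant settings of one server (modelled, not real Domino fields):
    - trust_catalog: the Server document option "Trust the server based condensed
      directory catalog for authentication with internet protocols"
    - da_documents: Directory Assistance documents keyed by source directory name,
      True when a rule trusted for credentials is enabled in that document."""
    catalog: DirectoryCatalog
    trust_catalog: bool = False
    da_documents: dict = field(default_factory=dict)


def find_credential(server, name, field_name):
    """Return (value, where it came from) for an authentication field, or (None, reason).

    Order of checks, following the page:
    1. the name must be found in the directory catalog;
    2. the catalog as a whole, or the name's source directory, must be trusted for credentials;
    3. a field that was aggregated is read from the catalog itself;
    4. otherwise the server needs directory assistance to the source directory."""
    hit = server.catalog.lookup(name)
    if hit is None:
        return None, "name not found in directory catalog"
    source, copied = hit
    trusted = server.trust_catalog or server.da_documents.get(source.name, False)
    if not trusted:
        return None, f"{source.name} is not trusted for credentials"
    if field_name in copied:
        return copied[field_name], "directory catalog"
    if source.name in server.da_documents:
        value = source.people[name].fields.get(field_name)
        if value is None:
            return None, f"{field_name} missing from Person document in {source.name}"
        return value, f"{source.name} via directory assistance"
    return None, f"{field_name} not aggregated and no directory assistance for {source.name}"


# Constructed sample data: two secondary directories and one catalog that aggregates
# only HTTPPassword (userCertificate is left out to keep the catalog small).
SALES = DominoDirectory("Sales", {
    "alice": Person("alice", {"HTTPPassword": "hash-alice", "userCertificate": "cert-alice"}),
})
ENG = DominoDirectory("Eng", {
    "bob": Person("bob", {"HTTPPassword": "hash-bob"}),
})
CATALOG = DirectoryCatalog(sources=[SALES, ENG], aggregated_fields={"HTTPPassword"})

# Server 1: no blanket trust; only Sales has a Directory Assistance document with a trusted rule.
SERVER_SELECTIVE = ServerConfig(CATALOG, trust_catalog=False, da_documents={"Sales": True})
# Server 2: blanket trust of the condensed catalog, no directory assistance at all.
SERVER_BLANKET = ServerConfig(CATALOG, trust_catalog=True)


if __name__ == "__main__":
    for server, label in ((SERVER_SELECTIVE, "selective"), (SERVER_BLANKET, "blanket")):
        for user, fld in (("alice", "HTTPPassword"), ("alice", "userCertificate"),
                          ("bob", "HTTPPassword"), ("carol", "HTTPPassword")):
            print(label, user, fld, find_credential(server, user, fld))
```

Running the block shows the two consequences the page describes: on the selective server, bob's password is found in the catalog but refused because Eng has no trusted rule, while alice's certificate is fetched from Sales through directory assistance; on the blanket-trust server, the certificate cannot be found at all because it was never aggregated and no Directory Assistance document points at the source directory.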

Directory catalogs and Notes client authentication

By default, when an IBM® Lotus® Notes® client logs on to a server, the server does not look up information in Domino Directory Person documents during the client authentication process. However, if the option "Compare Notes public keys against those stored in Directory" is enabled in the server's Server document, the server must be able to look up public key information in Person documents to authenticate Notes clients. If Notes users who are not registered in the server's primary Domino Directory use a server with this option enabled, the server can use a directory catalog that it trusts for credentials to look up their names and perform the public key comparison.