SECURITY


Controlling the level of authentication for Internet clients
You can select how restrictive IBM® Lotus® Domino™ is when it authenticates users against Domino Directories and LDAP directories after the user has supplied a user name and password. This setting applies to all Internet protocols (HTTP, LDAP, IMAP, POP3). It makes servers less vulnerable to security attacks by refining how Domino searches for names and authenticates Internet clients. Domino also uses this setting when a Java™ applet hosted on a Domino server authenticates users with the Domino IIOP protocol.

Fewer name variations with higher security

The option "Fewer name variations with higher security" is the default setting and is recommended for tighter security. This authentication method is less vulnerable to attacks because a single authentication attempt does not produce as many matches, lessening the likelihood that a guessed password matches. It requires users to enter only the following in the name-and-password dialog box in a Web browser or other Internet client:
| Domino Directory authentication | LDAP Directory authentication |
| --- | --- |
| Full hierarchical name | DN |
| Common name or Common name with CN= prefix | CN or CN with CN=prefix |
| Not applicable | UID or UID with UID= prefix |
| Alias name (a name listed in the User name field of the Person document, excluding the first name listed in the field) | Not applicable |
| Internet address (user's e-mail address as listed in the Internet address field in the user's Person document) | Mail |

More name variations with lower security

Domino tries to authenticate users based on the name and password entered. This authentication method can be vulnerable to hackers who guess names and passwords in an attempt to use a legitimate user account to access a server. This option allows users to enter any of the following in the name and password dialog box in a Web browser:
| Domino Directory authentication | LDAP Directory authentication |
| --- | --- |
| Last name | Surname |
| First name | Givenname |
| Common name or Common name with cn=prefix | Common name (CN) or CN with CN=prefix |
| Full hierarchical name (canonical) | DN |
| Full hierarchical name (abbreviated) | DN |
| Short name | UID or UID with UID=prefix |
| Alias name (a name listed in the User name field of the Person document, excluding the first name listed in the field) | Not applicable |
| Soundex number | Not applicable |
| Internet address (user's e-mail address as listed in the Internet address field in the user's Person document) | Mail |
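
The effect of the two settings on how many directory entries a single supplied name can match, as an added Python sketch (not IBM's code and not Domino's lookup logic). It models only the Domino Directory column and leaves out Soundex matching; the case-insensitive comparison, the treatment of both canonical and abbreviated forms as the full hierarchical name, and the three-person directory are assumptions made for illustration.

```python
# Simplified model of the two Internet Authentication settings (Domino
# Directory column only). Not Domino's lookup code; Soundex is omitted.
from dataclasses import dataclass

@dataclass(frozen=True)
class Person:
    canonical: str        # full hierarchical name, canonical form
    first: str
    last: str
    short: str
    internet: str
    aliases: tuple = ()   # further entries in the User name field

    @property
    def common(self):     # "CN=Alice Smith/OU=Sales/O=Acme" -> "Alice Smith"
        return self.canonical.split("/")[0][3:]

    @property
    def abbreviated(self):  # -> "Alice Smith/Sales/Acme"
        return "/".join(p.split("=", 1)[1] for p in self.canonical.split("/"))

def accepted_names(p, mode):
    """Names that identify person p under the given setting."""
    # Assumption: either hierarchical form is accepted in both modes.
    names = {p.canonical, p.abbreviated, p.common, "CN=" + p.common,
             p.internet, *p.aliases}
    if mode == "more":
        names |= {p.first, p.last, p.short}
    return {n.lower() for n in names}

def candidates(directory, supplied, mode):
    """Entries whose password would be compared for one supplied name."""
    return [p for p in directory if supplied.lower() in accepted_names(p, mode)]

# Constructed sample directory (not real accounts).
DIRECTORY = [
    Person("CN=Alice Smith/OU=Sales/O=Acme", "Alice", "Smith", "asmith",
           "alice.smith@acme.example", ("Ali Smith",)),
    Person("CN=Bob Smith/OU=IT/O=Acme", "Bob", "Smith", "bsmith",
           "bob.smith@acme.example"),
    Person("CN=Alice Jones/O=Acme", "Alice", "Jones", "ajones",
           "alice.jones@acme.example"),
]

if __name__ == "__main__":
    for name in ("Smith", "Alice", "asmith", "CN=Alice Smith"):
        print(name, {m: [p.common for p in candidates(DIRECTORY, name, m)]
                     for m in ("fewer", "more")})
```

In this model, "Smith" and "Alice" each resolve to two entries under the lower-security setting and to none under the default, which is the reduction in matches per attempt that the default setting is recommended for.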

To select the level of authentication for Internet clients

1. From the Domino Administrator, click Configuration, and open the Server document.

2. Click Security.

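3. In the Internet Access section, choose one of the following in the Internet Authentication field:

   - Fewer name variations with higher security (the default)
   - More name variations with lower security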

4. Save and close the document.

See Examples of names allowed for Internet client authentication.

Note: The Domino Web Server Application Programming Interface (DSAPI) is a C API tool that lets you write your own extensions to the Domino Web server. These extensions, or filters, let you customize the authentication of Web users. For more information on DSAPI and filters, see the current Lotus C API Toolkit for Domino and Notes, which is available at www.lotus.com/techzone.
