You can select the level of restriction HCL Domino® uses when authenticating users in Domino Directories and LDAP directories, and the user has supplied a user name and password. This applies to all Internet protocols (HTTP, LDAP, IMAP, POP3).

About this task

Using this setting makes servers less vulnerable to security attacks by refining how Domino searches for names and authenticates Internet clients. Domino also uses this setting when a Java™ applet hosted on a Domino server authenticates users with the Domino IIOP protocol.

Procedure

1. From the Domino Administrator, click Configuration, and open the Server document.

2. Click Security.

3. In the Internet Access section, choose one of the following in the Internet Authentication field:

• Fewer name variations with higher security (default) - recommended for tighter security. This authentication method is less vulnerable to attacks because a single authentication attempt does not produce as many matches, lessening the likelihood that a guessed password matches.
• More name variations with lower security - Domino tries to authenticate users based on the name and password entered. This authentication method can be vulnerable to hackers who guess names and passwords in an attempt to use a legitimate user account to access a server.

Results

If you selected Fewer name variations with higher security users enter the following in the name-and-password dialog box in a Web browser or other Internet client:

Table 1. Authentication required using Fewer name variations with higher security

Domino Directory authentication	LDAP Directory authentication
Full hierarchical name	DN
Common name or Common name with CN= prefix	CN or CN with CN=prefix
Not applicable	UID or UID with UID= prefix
Alias name (a name listed in the User name field of the Person document, excluding the first name listed in the field)	Not applicable
Internet address (user's e-mail address as listed in the Internet address field in the user's Person document)	Mail

If you selected More name variations with lower security users to enter any of the following in the name and password dialog box in a Web browser:

Table 2. Authentication required using More name variations with lower security

Domino Directory authentication	LDAP Directory authentication
Last name	Surname
First name	Givenname
Common name or Common name with cn=prefix	Common name (CN) or CN with CN=prefix
Full hierarchical name (canonical)	DN
Full hierarchical name (abbreviated)	DN
Short name	UID or UID with UID=prefix
Alias name (a name listed in the User name field of the Person document, excluding the first name listed in the field)	Not applicable
Soundex number	Not applicable
Internet address (user's e-mail address as listed in the Internet address field in the user's Person document)	Mail

Examples of name variations allowed for Internet client authentication
The level of security partially depends on the number of name variations. Limiting the number of name variations users can employ during Internet authentication provides for greater security.

Authenticating Internet name-and-password clients in secondary Domino and LDAP directories
When an Internet client authenticates with a server, by default the server checks the primary HCL Domino Directory to see if it can find a Person document with a name and password that match those entered by the Internet client. If your organization uses a secondary Domino Directory and/or an LDAP directory to verify Internet clients who use name-and-password authentication, you can set up Domino to check those additional directories. To do so, you set up the secondary Domino Directories and LDAP directories as trusted domains in the Directory Assistance database.

Related concepts
Name-and-password authentication for Internet/intranet clients
Customizing access to a Domino server

Related reference
Examples of name variations allowed for Internet client authentication

Help on Help

All Help Contents

Help on Help