Domino Consulting - HCL Domino Administrator 12 Help

SECURING

Using xACLs to secure Internet passwords

One way to secure Internet passwords is to use Extended ACLs, or xACLs, to control access based on levels in the naming hierarchy, and at the form and field level. For passwords stored in the Domino® Directory, administrators can set up xACLs to limit access to Internet passwords to the users themselves, for accessing their own passwords, and to administrators, for allowing administrative changes to passwords.

Procedure

1. First, enable extended access for the Domino Directory:

Open the database, and choose

File

Application

Access Control

b. Make sure you have Manager access in the database ACL.

c. Click Advanced, and then selectEnable Extended Access.

d. Click Yes to continue when prompted:Enabling extended access control enforces additional security checking. See Domino Administrator Help for more details. Do you want to continue?

e. If the advanced database ACL option Enforce a consistent Access Control List across all replicas is not yet enabled, you are prompted Consistent access control must be enabled first. Do you want to enable it now? ClickYes.

f. Click OK at the prompt If more than one administrator manages extended access control for this database, enable document locking on the database to avoid conflicts.

g. Click OK in the Access Control List dialog box.

h. When the message Enabling extended access control restrictions. This may take a while. displays, clickOK.

2. Next, set up the extended access to secure Internet passwords:

Open the database, and choose

File

Application

Access Control

b. Click Extended Access. The Extended Access dialog box appears.

c. In the Target pane, select the root [ /] and clickAdd.

d. In the Access List pane, select Default.

e. Click Form and Field Access. The Form and Field dialog box appears.

f. In the Forms list box, selectPerson. Leave the Access settings for Forms blank.

g. In the Fields list box:

h. Click Ok.

i. Repeat this process for the HttpPassword anddspHttpPassword (if it appears) settings in the Person form:

Table 1. Access List entries in the Person form

Access List entry	Read Access setting	Write Access setting
Self	Allow	Allow
[Local administrators group]	Allow	Allow
[Local servers group]	Allow	Allow

Note:

If Anonymous access was previously defined in the access list, it should be set up to deny read and write access to

HTTPPassword

and

dspHTTPPassword

(if it appears) fields in the Person form.

Note: Once xACLs are enabled for a Domino Directory, LDAP anonymous access is not controlled by the list of fields in the All Server Configuration document. Since the default xACL setting for Anonymous is "No Access," once xACLs are enabled all anonymous LDAP searches will fail.

Parent topic: Securing Internet passwords

Help on Help

All Help Contents

Help on Help

All Help Contents