Name-and-password authentication, also known as basic password authentication, uses a basic challenge/response protocol to ask users for their names and passwords and then verifies the accuracy of the passwords by checking them against a secure hash of the password stored in Person documents in the Domino® Directory.
When name-and-password authentication is enabled, Domino asks for a name and password only when an Internet/intranet client tries to access a protected resource on the server. Internet/intranet access differs from Notes® client and Domino server access in that a Domino server asks a Notes client or Domino server for a name and password when the client or server initially attempts to access the server.
If you want to assign database access to an Internet/intranet client based upon Domino ACL security, you must create a Person document for that client in the Domino Directory, or, optionally, in a secondary Domino directory or an external LDAP directory. Clients who do not have Person documents are considered Anonymous and can only access servers and databases that allow Anonymous access.
Note: For users with records located in an external LDAP directory, password verification takes place through an LDAP bind operation that can only succeed if the user has provided the correct password.
Name-and-password authentication allows Domino to locate the Person document (if one exists) for the client accessing the server. After the client is identified, access to server resources can then be determined. For example, if you want Alan Jones to have Editor access to a database and all others accessing the database to have Author access, you must create a Person document for Alan Jones. You can set up the database ACL to include Alan Jones as an Editor and Anonymous as Author.
You can use name-and-password authentication with either TCP/IP or TLS on any servers that run an Internet protocol -- namely, LDAP, POP3, HTTP, SMTP, IIOP, or IMAP. For each Internet protocol enabled on the server, you can specify the method of security. For example, you might enable client certificate authentication for HTTP connections but require name-and-password security for LDAP connections that use TCP/IP. Or you might use name-and-password security together with anonymous and TLS client authentication -- for example, to allow users with TLS client certificates to authenticate using TLS client authentication and to allow other users to enter a name and password if they do not have a TLS client certificate.
Note: Name-and-password authentication is not supported when a Domino server acts as an SMTP client -- for example, when a Domino server connects to an SMTP server to route mail. Name-and-password security is supported only when a Domino server acts as an SMTP server -- that is, when SMTP clients access a Domino server.
If you are setting up name-and-password authentication for an HTTP server, you have an additional method available: session-based authentication. Basic name-and-password authentication sends the name and password in unencrypted form with every request. Session-based authentication differs in that the user name and password are replaced by a cookie: the user's name and password are sent over the network only the first time the user logs in to a server, and the cookie is used for authentication thereafter. Session-based name-and-password authentication offers greater control over user interaction than basic name-and-password authentication and lets you customize the form in which users enter their name and password. It also allows users to log out of the session without closing the browser.
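The following added example (not Domino's own code) models the two HTTP flows described above on the server side: a Basic Authorization header is decoded and checked against a stored hash, as the Person-document lookup does, while the session-based flow checks the password once and then identifies the user by a random cookie. The Person-document store, the PBKDF2 hash scheme, and the cookie name SessionId are assumptions constructed for the example; requests with no valid credentials resolve to Anonymous.

```python
import base64
import hashlib
import hmac
import os
import secrets

# Constructed stand-in for Person documents: name -> (salt, password hash).
# The salted PBKDF2 scheme is an assumption for illustration, not Domino's own hash format.
def _person_record(password: str) -> tuple[bytes, bytes]:
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

PERSON_DOCS = {"Alan Jones": _person_record("correct horse")}
SESSIONS: dict[str, str] = {}          # session cookie value -> user name

def decode_basic(authorization: str):
    """Basic credentials are only base64-encoded, so the header reveals the password."""
    scheme, _, blob = authorization.partition(" ")
    if scheme.lower() != "basic":
        return None
    name, _, password = base64.b64decode(blob).decode().partition(":")
    return name, password

def verify_password(name: str, password: str) -> bool:
    """Check a password against the hash stored for the user; unknown users fail."""
    record = PERSON_DOCS.get(name)
    if record is None:
        return False
    salt, stored = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.compare_digest(candidate, stored)

def login(name: str, password: str):
    """Session-based flow: credentials are checked once, then a random cookie stands in for them."""
    if not verify_password(name, password):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = name
    return token

def authenticate(headers: dict) -> str:
    """Resolve a request to a user name; requests without valid credentials are Anonymous."""
    for part in headers.get("Cookie", "").split(";"):
        key, _, value = part.strip().partition("=")
        if key == "SessionId" and value in SESSIONS:   # assumed cookie name
            return SESSIONS[value]
    creds = decode_basic(headers.get("Authorization", ""))
    if creds and verify_password(*creds):
        return creds[0]
    return "Anonymous"
```

Every Basic request repeats the password in a trivially decodable header, whereas after login only the opaque cookie travels, which is why the page recommends TLS whenever the credentials matter.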
Name-and-password authentication over non-TLS secured connections
Use name-and-password authentication over non-TLS secured connections to identify users without tightly securing access to data on the server -- for example, when you want to display different information to different users based on the user name and the information in the database is not confidential. No information sent between the user and server, including the name and password, is encrypted. In this case, name-and-password authentication deters some attackers but does not prevent others from capturing network traffic or guessing passwords.
Name-and-password authentication over TLS
Using TLS, all information, including the name and password, is encrypted. TLS provides confidentiality and data integrity for users set up for name-and-password authentication. Requiring a name and password in addition to TLS security provides security for users who do not use client certificate authentication and allows you to identify individual users who access a database.
Customizing name-and-password authentication
The Domino Web Server Application Programming Interface (DSAPI) is a C API that you can use to write your own extensions to the Domino Web Server. These extensions, or "filters," let you customize the authentication of Web users.
For more information on DSAPI and filters, see the Lotus® C API Toolkit for Notes and Domino and its documentation in related topics.
Setting up basic name-and-password authentication
To enable basic name-and-password authentication, for both TCP and TLS, for all Internet protocols (Web (HTTP), IMAP, POP3, LDAP, SMTP Inbound, and IIOP), you must complete three separate procedures.
Session-based name-and-password authentication for Web clients
To set up name-and-password authentication for Web clients who have access to a Domino Web server, you can use one of two methods: basic name-and-password authentication or session-based name-and-password authentication. Session-based name-and-password authentication includes additional functionality that is not available with basic name-and-password authentication. A session is defined as the time during which a Web client is actively logged onto a server with a cookie. To specify settings that enable and control session authentication, you edit the Web Site document or the Server document, depending on your configuration.
Controlling the level of authentication for Internet clients
You can select the level of restriction HCL Domino uses when authenticating users in Domino Directories and LDAP directories who have supplied a user name and password. This applies to all Internet protocols (HTTP, LDAP, IMAP, POP3).
Managing Internet passwords
To manage the Internet passwords that you assign to users who have Person documents in the Domino Directory, use a security settings policy document. You can manage Internet password quality and length, allow users to change their Internet passwords using a Web browser, and control the expiration period and change intervals.
Securing Internet passwords
Internet passwords can be subject to attacks by malicious sources. However, there are measures you can take to make Internet passwords more secure.
Anonymous Internet and intranet access
When you set up anonymous access, Internet and intranet clients can access servers without identifying themselves. HCL Domino does not record these clients' database activity -- for example, in the log file and in the User Activity dialog box.
Validation and authentication for Internet and intranet clients
After you set up name-and-password access and create Person documents for Internet/intranet users, Domino authenticates users either when they attempt to do something for which access is restricted, or when Anonymous access is not allowed on the server.
Related concepts
TLS security
Setting up Notes and Internet clients for TLS authentication
Session-based name-and-password authentication for Web clients
Related tasks
Setting up basic name-and-password authentication