Name-and-password authentication for Internet/intranet clients

Name-and-password authentication, also known as basic password authentication, uses a basic challenge/response protocol to ask users for their names and passwords and then verifies the accuracy of the passwords by checking them against a secure hash of the password stored in Person documents in the Domino® Directory.

When set up for this, Domino asks for a name and password only when an Internet/intranet client tries to access a protected resource on the server. Internet/intranet access differs from Notes® client and Domino server access in that a Domino server asks a Notes client or Domino server for a name and password when the client or server initially attempts to access the server.

If you want to assign database access to an Internet/intranet client based upon Domino ACL security, you must create a Person document for that client in the Domino Directory, or, optionally, in a secondary Domino directory or an external LDAP directory. Clients who do not have Person documents are considered Anonymous and can only access servers and databases that allow Anonymous access.

Note: For users with records located in an external LDAP directory, password verification takes place through an LDAP bind operation that can only succeed if the user has provided the correct password.

Name-and-password authentication allows Domino to locate the Person document (if one exists) for the client accessing the server. After the client is identified, access to server resources can then be determined. For example, if you want Alan Jones to have Editor access to a database and all others accessing the database to have Author access, you must create a Person document for Alan Jones. You can set up the database ACL to include Alan Jones as an Editor and Anonymous as Author.

You can use name-and-password authentication with either TCP/IP or TLS on any servers that run an Internet protocol -- namely, LDAP, POP3, HTTP, SMTP, IIOP, or IMAP. For each Internet protocol enabled on the server, you can specify the method of security. For example, you might enable client certificate authentication for HTTP connections but require name-and-password security for LDAP connections that use TCP/IP. Or you might use name-and-password security together with anonymous and TLS client authentication -- for example, to allow users with TLS client certificates to authenticate using TLS client authentication and to allow other users, who do not have a TLS client certificate, to enter a name and password.

Note: Name-and-password authentication is not supported when a Domino server acts as an SMTP client -- for example, when a Domino server connects to an SMTP server to route mail. Name-and-password security is supported only when a Domino server acts as an SMTP server -- that is, when SMTP clients access a Domino server.

If you are setting up name-and-password authentication for an HTTP server, you have an additional method available: session-based authentication. Basic name-and-password authentication sends the name and password in unencrypted form, and sends them with every request. Session-based authentication differs in that the user name and password are replaced by a cookie: the user's name and password are sent over the network only the first time the user logs in to a server, and thereafter the cookie is used for authentication. Session-based name-and-password authentication offers greater control over user interaction than basic name-and-password authentication and lets you customize the form in which users enter their name and password. It also allows users to log out of the session without closing the browser.
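The two mechanisms described above, as an added example that is not from the Domino documentation or product code: the client's Basic Authorization header is only base64 (readable by anyone on a non-TLS path), the server verifies the supplied password by recomputing a hash and comparing it with the stored one, and after one successful login an assumed cookie named SessionId replaces the credentials on later requests. PBKDF2-SHA256 stands in for the directory's actual password hash, and the Person directory and session store are constructed in memory.

```python
import base64
import hashlib
import hmac
import os

def make_person_record(password: str):
    """Constructed 'Person document' entry: (salt, PBKDF2-SHA256 hash) standing in
    for the directory's secure hash; this is not Domino's own hash format."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

DIRECTORY = {"Alan Jones": make_person_record("correct horse battery")}  # constructed
SESSIONS = {}  # session token -> user name; constructed in-memory store

def make_basic_header(name: str, password: str) -> str:
    """What the client sends: base64 of 'name:password', an encoding, not encryption."""
    return "Basic " + base64.b64encode(f"{name}:{password}".encode()).decode()

def parse_basic_header(value: str):
    """Decode an Authorization value; anything malformed counts as no credentials."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        name, sep, password = base64.b64decode(token, validate=True).decode().partition(":")
    except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
        return None
    return (name, password) if sep else None

def verify_password(name: str, password: str) -> bool:
    """Recompute the hash from the supplied password and compare in constant time."""
    record = DIRECTORY.get(name)
    if record is None:
        return False  # no Person document: the client is Anonymous
    salt, stored = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.compare_digest(candidate, stored)

def authenticate_request(headers: dict):
    """Return (user name or 'Anonymous', new session token or None); a valid cookie replaces the credentials."""
    token = headers.get("Cookie", "").removeprefix("SessionId=")
    if token in SESSIONS:
        return SESSIONS[token], None
    creds = parse_basic_header(headers.get("Authorization", ""))
    if creds and verify_password(*creds):
        new = os.urandom(32).hex()
        SESSIONS[new] = creds[0]
        return creds[0], new
    return "Anonymous", None
```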

Name-and-password authentication over non-TLS secured connections

Use name-and-password authentication over non-TLS secured connections to identify users without tightly securing access to data on the server -- for example, when you want to display different information to different users based on the user name and when the information in the database is not confidential. No information, including the name and password, sent between the user and server is encrypted. In this case, name-and-password authentication deters some types of hackers but does not prevent others from listening to network transmissions and guessing passwords.

Name-and-password authentication over TLS

Using TLS, all information, including the name and password, is encrypted. TLS provides confidentiality and data integrity for users set up for name-and-password authentication. Requiring a name and password in addition to TLS security provides security for users who do not use client certificate authentication and allows you to identify individual users who access a database.

Customizing name-and-password authentication

The Domino Web Server Application Programming Interface (DSAPI) is a C API that you can use to write your own extensions to the Domino Web Server. These extensions, or "filters," let you customize the authentication of Web users.

For more information on DSAPI and filters, see the Lotus® C API Toolkit for Notes and Domino and its documentation in related topics.
