You can select the level of restriction IBM® Domino® uses when
authenticating users against Domino Directories
and LDAP directories after the user has supplied a user name and password.
This applies to all Internet protocols (HTTP, LDAP, IMAP, POP3).
About this task
Using this setting makes servers less vulnerable to security
attacks by refining how Domino searches
for names and authenticates Internet clients. Domino also uses this setting when a Java™ applet hosted on a Domino server authenticates users
with the Domino IIOP protocol.
Procedure
- From the Domino Administrator, click Configuration, and open the Server document.
- Click Security.
- In the Internet Access section, choose one of the following in the Internet Authentication field:
  - Fewer name variations with higher security (default) - recommended for tighter security. This authentication method is less vulnerable to attacks because a single authentication attempt does not produce as many matches, lessening the likelihood that a guessed password matches.
  - More name variations with lower security - Domino tries to authenticate users based on the name and password entered. This authentication method can be vulnerable to hackers who guess names and passwords in an attempt to use a legitimate user account to access a server.
- Save and close the document.
Results
If you selected Fewer name variations with higher security, users enter the following in the name-and-password dialog box in a Web browser or other Internet client:

Table 1. Authentication required using Fewer name variations with higher security

| Domino Directory authentication | LDAP Directory authentication |
|---|---|
| Full hierarchical name | DN |
| Common name or Common name with CN= prefix | CN or CN with CN= prefix |
| Not applicable | UID or UID with UID= prefix |
| Alias name (a name listed in the User name field of the Person document, excluding the first name listed in the field) | Not applicable |
| Internet address (user's e-mail address as listed in the Internet address field in the user's Person document) | Mail |
If you selected More name variations with lower security, users can enter any of the following in the name-and-password dialog box in a Web browser:

Table 2. Authentication required using More name variations with lower security

| Domino Directory authentication | LDAP Directory authentication |
|---|---|
| Last name | Surname |
| First name | Givenname |
| Common name or Common name with cn= prefix | Common name (CN) or CN with CN= prefix |
| Full hierarchical name (canonical) | DN |
| Full hierarchical name (abbreviated) | DN |
| Short name | UID or UID with UID= prefix |
| Alias name (a name listed in the User name field of the Person document, excluding the first name listed in the field) | Not applicable |
| Soundex number | Not applicable |
| Internet address (user's e-mail address as listed in the Internet address field in the user's Person document) | Mail |
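The following added example is a simplified model written for this page, not Domino code. It shows how many directory entries a single submitted name resolves to under each setting, using the Domino Directory columns of Table 1 and Table 2. The sample entries, the function names and the case-insensitive exact matching are assumptions; Soundex and the canonical/abbreviated distinction are not modelled.

```python
# Simplified model of the two Internet Authentication settings (not Domino code).
# The directory entries below are constructed sample data.
PEOPLE = [
    {"hier": "John Smith/Sales/Acme", "cn": "John Smith", "first": "John",
     "last": "Smith", "short": "jsmith", "aliases": ["Johnny Smith"],
     "mail": "john.smith@acme.example"},
    {"hier": "Jane Smith/HR/Acme", "cn": "Jane Smith", "first": "Jane",
     "last": "Smith", "short": "jasmith", "aliases": [],
     "mail": "jane.smith@acme.example"},
    {"hier": "John Doe/IT/Acme", "cn": "John Doe", "first": "John",
     "last": "Doe", "short": "jdoe", "aliases": ["JD"],
     "mail": "john.doe@acme.example"},
]

def strip_cn(name):
    """Both tables accept the common name with or without a CN= prefix."""
    return name[3:] if name.lower().startswith("cn=") else name

def accepted_names(person, mode):
    """Name forms from the Domino Directory column of Table 1 or Table 2."""
    names = {person["hier"], person["cn"], person["mail"], *person["aliases"]}
    if mode == "more":
        # Table 2 adds last name, first name and short name.
        # Soundex and canonical/abbreviated forms are left out of this model.
        names |= {person["last"], person["first"], person["short"]}
    elif mode != "fewer":
        raise ValueError("mode must be 'fewer' or 'more'")
    return {n.lower() for n in names}  # assumption: case-insensitive match

def candidates(submitted, mode):
    """Entries whose password would be compared for one submitted name."""
    key = strip_cn(submitted.strip()).lower()
    return [p["hier"] for p in PEOPLE if key in accepted_names(p, mode)]

if __name__ == "__main__":
    for name in ("Smith", "John", "CN=John Smith", "jdoe"):
        print(f"{name!r:18} fewer={candidates(name, 'fewer')} "
              f"more={candidates(name, 'more')}")
```

In this model a bare last name or first name resolves to no entry under the Fewer setting and to several under the More setting, which is the difference in match count the procedure describes.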
What to do next
The Domino Web Server
Application Programming Interface (DSAPI) is a C API tool that lets
you write your own extensions to the Domino Web
server. These extensions, or filters, let you customize the authentication
of Web users. For more information on DSAPI and filters, see the current
Lotus® C API Toolkit for Domino and Notes, which is available at www.ibm.com.