IBM Support

LO61388: ATTEMPT TO ACCESS SERVER DENIED WHEN USING DA WITH NESTED GROUPS AND IN SECONDARY DIRECTORY THERE IS A GROUP WITH NO TITLE


APAR status

  • Closed as fixed if next.

Error description

  • Granting access to users not working with Nested Groups
    containing wild card
    
    
    STEPS to reproduce issue
    
    1. Install 851 Domino server
    
    Register a user:
    
    Test User/EXT/ACME
    
    2. In the Domino Directory, create 5 groups,
    for example:
    Group "Access"
    Group "World"
    Group "Europe"
    Group "Germany"
    Group "External"
    
    And nest the groups:
    World is a member of Access
    Europe is a member of World
    Germany is a member of Europe
    External is a member of Germany
    
    
    and include in the "External" group, as a member, the
    organizational unit wildcard */EXT/ACME
    
    3. In the server document > Security > Server Access >
    Access Server, enter:
    the name of your Notes Administrator,
    your test server's name,
    and the group created earlier named "Access"
    
    4. Set up a Directory Assistance on the server.
    
    5. Create a secondary Domino directory =
    
    
    In this "SecondNames.nsf", create a Group = "Test" and include
    as a member the name of the Test User/EXT/ACME
    
    In this "SecondNames.nsf", create a Simple agent to clear the
    value from the field "ListName" and run the agent selecting the
    group "Test" to clear the group name.
    
    
    
    6. In the Directory Assistance database, create a Directory
    Assistance document for the "SecondNames.nsf" Domino Directory
    
    with the following settings:
    
    Domain Type = Notes
    Domain Name = Company
    Company Name= Company
    Make this domain available to=
    Checkmark on Notes Clients & Internet Authentication/Authorization
    Checkmark on LDAP Clients
    Groups Authorisation=YES
    Use exclusively for group authorization or Credential Authentication=NO
    Enabled=YES
    
    Paste into Replicas the replica of "SecondNames.nsf"
    
    
    
    7. Run the command show xdir to make sure that the DA is listing
    "SecondNames.nsf"
    
    8. Switch ID to the user.id for
    Test User/EXT/ACME
    
    In the server console you can see the error message:
    
    
    ATTEMPT TO ACCESS SERVER by user Test User/EXT/ACME was denied
    

Local fix

  • 1. Moving the access entry with the wildcard */EXT/ACME from the
    fifth-level group "External" to the first-level group "ACCESS" in
    the Domino Directory
    2. Changing, in the document for the secondary directory in
    Directory Assistance, the value
    
    Groups Authorisation= from YES to NO
    

Problem summary

  • This APAR is closed as FIN. We have deferred the fix to a
     future release.
    

Problem conclusion

Temporary fix

Comments

  • This APAR is associated with SPR# BBSZ8HLD38.
    
    This APAR is closed as FIN. We have deferred the fix to a
     future release.
    

APAR Information

  • APAR number

    LO61388

  • Reported component name

    DOMINO SERVER

  • Reported component ID

    5724E6200

  • Reported release

    851

  • Status

    CLOSED FIN

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2011-06-07

  • Closed date

    2011-06-17

  • Last modified date

    2011-07-07

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

Applicable component levels

  • R851 PSN

       UP

Document Information

Modified date:
07 July 2011