We have a problem whereby our Domino 8.0.2 server, which is using Directory Assistance (DA), and connecting to our campus Active Directory (AD) LDAP service, makes excessive and unnecessary authentication attempts against AD’s LDAP. The numbers of attempts to authenticate against Active Directory LDAP are so large (up to 50,000 in a morning) that the ‘bind’ account for our use of the Active Directory LDAP server has been terminated by our Network team, as our Domino server is regarded as having caused a ‘Denial of Service’ condition preventing legitimate users of the Active Directory service from using it.
The Active Directory authentication doesn’t fail when it’s needed (it would normally be just Web authentication to AD LDAP in fact) - just that the number of attempts to authenticate transactions that are already being serviced correctly by the Domino 8.0.2 server is huge and in 99.9% of cases, not required to be sent to the AD LDAP at all. It’s even apparently passing authentication requests which are being initiated by people opening databases on their Notes Client to the AD’s LDAP.
As an extra frustration, we believe that we are observing the same happening to all attempts to open web pages where the ‘Anonymous’ Domino entity is set as ‘Reader’. This means that the LDAP AD is being asked to validate each and every web page that is opened or (as today) being inspected by Google Bots. This hugely increases the traffic passing to the AD - Domino ought to be satisfying those ‘Anonymous’ requests internally without passing them on as well.
To prove this, we have put a Wireshark trace on the server and a trial LDAP server (not a Microsoft AD but an Open Source one we can configure ourselves) to work against to monitor behaviour. We have observed that enormous numbers of authentication requests with a canonical name appropriate only to the Domino server (in the form ID/domain/UK) which ought to have been satisfied immediately and internally by the Domino Directory without recourse to Directory Assistance are being sent out to the LDAP server anyway.
We’ve reviewed all the settings recommended for LDAP and Directory Assistance linked to Active Directory - ours has been running unchanged for a number of years without attracting this kind of unwanted attention from our vigilant network people. It’s happening out of both 8.0.2 and 7.0.2 servers according to our Wireshark traces.
I’ve raised an IBM PMR - but I’m throwing this open here too as we have serious business issues with our inability to use the AD LDAP authentication.
I know IBM is planning on better and better integration with Active Directory over time - so the emergence of this problem gives us serious concerns - as it ought to them!
In summary - I am not reporting a failure of DA AD authentication - just very bad and extremely ‘noisy’ behaviour which appears to be new.
David Clover
IT Development Manager
Mathematics, Computing and Technology Faculty
The Open University
Walton Hall
Milton Keynes MK7 6AA
T: +44 (0)1908 653529
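As an added example (not part of the original post, and not Domino or IBM code): a small Python script that triages a bind-request list exported from a Wireshark capture like the one described above. It assumes the capture was exported with tshark using the Wireshark LDAP dissector fields ldap.protocolOp, frame.time_epoch, ip.src and ldap.name (the exact command is given in the docstring and should be checked against your tshark version), and it assumes a bind name containing ‘/’ separators and no commas is a Domino hierarchical name (e.g. jsmith/Math/UK, or CN=jsmith/OU=Math/O=UK) rather than an AD distinguished name. The sample input is constructed, not real capture data. It shows how to measure what share of the binds reaching AD are anonymous or Domino-named (i.e. requests the Domino Directory should have answered itself), the names generating the most binds, and the peak bind rate per second, which are the figures you would want in a PMR or to show the network team.

```python
"""Triage LDAP BindRequests exported from a Wireshark capture.

Added example, not from the original post. Assumed export command
(Wireshark LDAP dissector field names; verify against your tshark):

    tshark -r domino-ldap.pcap -Y "ldap.protocolOp == 0" \
        -T fields -e frame.time_epoch -e ip.src -e ldap.name

Each output line is: <epoch time>\t<source ip>\t<bind name>.
An anonymous bind has an empty bind name (empty last field).
"""
from collections import Counter, defaultdict

# Constructed sample in tshark "-T fields" format (tab separated).
# Not real capture data; the names and addresses are made up.
SAMPLE = """\
1234567890.001\t192.0.2.10\tjsmith/Math/UK
1234567890.002\t192.0.2.10\t
1234567890.004\t192.0.2.10\tjsmith/Math/UK
1234567891.100\t192.0.2.10\tCN=svc-domino,OU=Service,DC=example,DC=ac,DC=uk
1234567891.250\t192.0.2.10\t
1234567892.000\t192.0.2.10\tCN=abrown,OU=Staff,DC=example,DC=ac,DC=uk
1234567892.300\t192.0.2.10\tpjones/OU/UK
1234567950.500\t192.0.2.10\t
"""


def classify(name):
    """Bucket a bind name.

    Assumption: Domino hierarchical names use '/' separators and never
    contain ',' (abbreviated jsmith/Math/UK or canonical CN=.../OU=.../O=...),
    whereas AD distinguished names are comma separated.
    """
    if name == "":
        return "anonymous"
    if "/" in name and "," not in name:
        return "domino-canonical"
    return "ldap-dn"


def parse_line(line):
    """Return (epoch float, source ip, bind name) for one tshark fields line."""
    parts = line.split("\t")
    if len(parts) < 2:
        raise ValueError("expected at least time and source fields: %r" % line)
    ts = float(parts[0])
    src = parts[1]
    name = parts[2] if len(parts) > 2 else ""   # missing/empty field => anonymous
    return ts, src, name


def triage(export_text):
    """Summarise a tshark bind-request export.

    Returns a dict with the total bind count, counts per class,
    the fraction that Domino should not have forwarded (anonymous +
    Domino-named), the busiest names, the busiest source hosts and the
    peak number of binds seen in any one second.
    """
    by_class = Counter()
    names = Counter()
    sources = Counter()
    per_second = defaultdict(int)
    total = 0
    for line in export_text.splitlines():
        if not line.strip():
            continue
        ts, src, name = parse_line(line)
        total += 1
        cls = classify(name)
        by_class[cls] += 1
        sources[src] += 1
        per_second[int(ts)] += 1
        if cls != "anonymous":
            names[name] += 1
    unnecessary = by_class["anonymous"] + by_class["domino-canonical"]
    return {
        "total": total,
        "by_class": dict(by_class),
        "unnecessary_fraction": (unnecessary / total) if total else 0.0,
        "top_names": names.most_common(5),
        "top_sources": sources.most_common(5),
        "peak_per_second": max(per_second.values()) if per_second else 0,
    }


if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    summary = triage(text)
    for key, value in summary.items():
        print("%-20s %s" % (key, value))
```

Run it as `tshark ... | python3 triage_binds.py` against a real export, or with no input to see the constructed sample. The unnecessary_fraction figure is the one that supports the post’s claim: binds with an empty name or a Domino-style name are requests the Domino Directory could have answered without Directory Assistance, so they should be close to zero in a healthy configuration.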