I have set up Directory Assistance, primarily for secondary address books. One of the address books should only be accessible to a single group (Executives) in our agency. How do I restrict all other people and groups from being able to LOOKUP addresses in this restricted address book. The cascaded list will not allow any other people/groups to OPEN the address book, that part works great. But I’ve found that anyone can type in a name, and thru typeahead, a name from the restricted address book will successfully load. I hope this is clear. What fields should I disable in the Directory Assistance entry for this? I have “make this domain available to - Notes clients & Internet Authentication…” enabled. Please help, this is a security problem that I really have to correct. Thank you so much for your help, Cheryl
Subject: RE: Directory Assistance AND Security on Lookup
Hi Cheryl,
I’m afraid that you can’t restrict them. The reason for this is because NAMELookup() is an implicitly trusted operation for clients.
Fer instance: If your environment consisted of
A server named ‘A’
A server named ‘B’
A regular employee’s client machine ‘POC’ (plain, old client)
An executive’s client machine ‘EC’
Lets say B trusts A and allows it to access one of its directory databases via Directory Assistance.
Well, even if B doesn’t trust any clients, A trusts POC and it also trusts EC and A can access B’s directory at will, so it will happily give them all the information they can obtain via a NAMELookup().
That being said, (and since you haven’t put restrictions on possible fixes ; ) the easiest solution for all this is to have two directory servers:
‘A1’ —> its DA should point at the common directories that everyone can access.
‘A2’ —> it should use DA to point at both the common directories AND the executive-only directories. The executive’s Notes clients should use this as their home mail server (or alternately, specify it as their directory server)
So you don’t have to sync up too many DA databases you could even make the A1 and A2 be the same db and just use a selective replication formula that will filter out the sensitive DA documents when A2 replicates to A1.
Does this help at all?
Regards,
-Josh Burchard
Subject: *thanks Josh, it helped alot. I’ll try it. Cheryl