Anyone else experiencing this? Some users can access with shortname fine while others cannot. If the user enters a common name (e.g. John Doe instead of jdoe), it works. I initially thought that the internet name variations were an issue. This doesn’t make sense since some users can access. We do have a directory assistance document… authenticating web users against an LDAP server (which resolves to mailfile in person doc in names.nsf). We are having an issue where someone can authenticate using shortname but ends up in another user’s Db!?! We are using uid for the distinguished name (same as shortname)… Could the DirAssist. doc be causing shortname issues?
Subject: shortname & DWA login issues (inconsistent)
Starting with Domino 6, an ambiguous authentication (therefore, no authentication) will result if a username and password pair matches in both the primary and secondary authentication servers.
Example 1:
Domino Shortname = LDAP UID = username1
Domino password = password1, LDAP password = pswd1
This user will be able to authenticate against Domino successfully.
Example 2:
Domino Shortname = LDAP UID = username2
Domino password = password2, LDAP password = password2
This user will NOT be able to authenticate against a Domino server that is using Directory assistance to the LDAP directory.
The workaround I used for this was to direct users to a primary server that does not use directory assistance and when the authentication fails, I pass them to a second server that uses directory assistance to LDAP to try again. This way the user only gets to the Dirassist server when the password doesn’t match the Domino password. Yes, this was a lot of work. We requested an enhancement that would allow us to specify that the Domino server authentication be treated as authoritative like it was in R5 but I don’t think it has been added as of R7. I haven’t checked 8.
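The behaviour and the two-stage workaround described in the reply above, modelled as an added example that is not part of the original posts and is not Domino code. The `Directory` class, the function names and the plaintext sample credentials (copied from Example 1 and Example 2) are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass
class Directory:
    name: str
    creds: dict  # login name -> password (constructed plaintext sample data)

    def matches(self, user, password):
        return self.creds.get(user) == password


# Constructed sample data taken from Example 1 and Example 2 in the post.
DOMINO = Directory("names.nsf", {"username1": "password1", "username2": "password2"})
LDAP = Directory("ldap-via-dirassist", {"username1": "pswd1", "username2": "password2"})


def authenticate(user, password, directories):
    """Return (ok, detail). A name/password pair that matches in more than
    one directory is treated as ambiguous and rejected, as the post describes."""
    hits = [d.name for d in directories if d.matches(user, password)]
    if len(hits) == 1:
        return True, hits[0]
    return False, "ambiguous" if hits else "no match"


def two_stage_login(user, password):
    """The poster's workaround: try a server without directory assistance
    first, and only on failure retry on the server that also searches LDAP."""
    ok, detail = authenticate(user, password, [DOMINO])
    if ok:
        return True, "stage1:" + detail
    ok, detail = authenticate(user, password, [DOMINO, LDAP])
    return ok, "stage2:" + detail


def overlapping_logins():
    """Login names present in both directories. Passwords are normally stored
    hashed and cannot be compared, so name overlap is what an admin can audit."""
    return sorted(set(DOMINO.creds) & set(LDAP.creds))


if __name__ == "__main__":
    for user, pw in [("username1", "password1"), ("username2", "password2")]:
        print(user, authenticate(user, pw, [DOMINO, LDAP]), two_stage_login(user, pw))
    print("overlap:", overlapping_logins())
```

Because stage 2 is only reached when the Domino password did not match, a pair can match at most the LDAP directory there, so the ambiguous case cannot occur in this model.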
Subject: RE: shortname & DWA login issues (inconsistent)
Wow… this is right on! Our understanding (from IBM) is that a person document is required. Authentication can occur against an LDAP server but the person doc is needed to resolve mailfile location. e.g. DWA redirect. Seems strange… why not have a mailfile attribute in LDAP with no person doc (just for web only, non-Notes users). Authentication seems to work for some… will confirm that the passwords are different (UID=shortname in all cases). I’m a bit confused about using another server w/o dirassist… how would you pass?
Subject: RE: shortname & DWA login issues (inconsistent)
I think that the explanation may be beyond the scope of what I can put in here. I have created a customized DWA Redirect and login forms that handle this. If you want to contact me at my profile email address, we can discuss it further.
Subject: RE: shortname & DWA login issues (inconsistent)
Thanks… I was able to sort the issue by referencing a new OpenLDAP attribute that contained the “cn=John Doe, ou=Test, o=TestCo”… this was used in the “Notes DN attribute” field in the DirAssist doc. Works like a charm… still references the person document. I could see having a mailfile attribute in LDAP and grabbing this value.