Hi there,
I’m not sure where this suggestion should go…
I recently set up Directory Assistance to use my Active Directory as an LDAP server for authentication. It required me to enter a username and password to access the listings. Shouldn’t there be some security on that password? Especially since the template marks the Default access of the database as Reader.
I’m going to go into designer and create a role to block it out for everyone besides Admins (and set it to not refresh per the Lotus template), but thought I’d post the request anyway.
Regards,
Carol
Subject: Directory Assistance Password Security- We’ve got it!
Encryption is provided in Directory Assistance for LDAP name and passwords. The documentation (below) is specified in the Administrator’s Guide for Notes and Domino.
http://www-12.lotus.com/ldd/doc/domino_notes/Rnext/help6_admin.nsf/b3266a3c17f9bb7085256b870069c0a9/fe24903970b82d3585256c1d00394173?OpenDocument
Specifying a name and password for Domino servers in a Directory Assistance document for a remote LDAP directory
In the “Optional Authentication Credential” section on the LDAP tab of a Directory Assistance document for a remote LDAP directory you can enter a distinguished user name and a password. If a Domino server connects to the remote LDAP directory server, it presents the name and password so the remote LDAP directory server can authenticate the Domino server.
If you don’t specify a name and password, a Domino server attempts to connect to a remote LDAP directory server anonymously. You must specify a name and password if the remote LDAP directory server does not allow anonymous access.
Enter a distinguished name in the Username field, and a password in the Password field. The name and password must correspond to a valid name and password in the remote LDAP directory. Enter the distinguished name in LDAP format, for example cn=domino server,o=acme.
The Username and Password fields are encryptable fields. Do the following to encrypt the fields to limit which Domino administrators and servers can read their contents:
- Create a secret encryption key.
- Use the secret encryption key to encrypt the Directory Assistance document.
- Distribute and merge the encryption key only into the ID files of administrators and Domino servers who should read the user name and password.
Only administrators and servers with the secret encryption key can read the user name and password. Any Domino server that connects to the remote LDAP directory server or that replicates changes to the directory assistance database requires the encryption key.
For information on creating and using secret encryption keys, see Domino 6 Designer Help.
Terri Warren
Domino Directory Engineer
Messaging and Collaboration Development
IBM
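The three steps in the quoted documentation, checked from the Domino side as an added example (a LotusScript agent written for this thread, not code from IBM or from the posters): it walks the Directory Assistance database, reports every document whose credential fields are still stored in clear text, and encrypts them with the secret key. The item names `Username` and `Password`, the key name `DA-LDAP-Key` and the database path `da.nsf` are assumptions; the key must already exist in the ID file of whoever runs the agent.

```lotusscript
' Added example: audit Directory Assistance documents for clear-text LDAP
' credentials and encrypt them with a secret key. Assumes the fields are
' stored as items named "Username" and "Password" (the labels used in the
' Admin Guide text) and that a secret encryption key "DA-LDAP-Key" has
' already been created (User Security) and merged into this ID file.
Sub Initialize
    Dim session As New NotesSession
    Dim db As NotesDatabase
    Dim dc As NotesDocumentCollection
    Dim doc As NotesDocument
    Dim user As NotesItem
    Dim pwd As NotesItem
    Dim clearCount As Integer

    Set db = session.GetDatabase("", "da.nsf")   ' assumed path of the DA database
    Set dc = db.AllDocuments
    Set doc = dc.GetFirstDocument
    Do While Not (doc Is Nothing)
        ' Only LDAP-type DA documents carry the optional credential fields
        If doc.HasItem("Username") And doc.HasItem("Password") Then
            Set user = doc.GetFirstItem("Username")
            Set pwd = doc.GetFirstItem("Password")
            ' A field is protected only if its item carries the encryption flag
            If Not (user.IsEncrypted And pwd.IsEncrypted) Then
                clearCount = clearCount + 1
                Print "Clear-text LDAP credentials in DA document " & doc.UniversalID
                ' Mark both items encryptable, then encrypt the document with the
                ' secret key. Anyone (administrator or server) without that key
                ' merged into their ID sees the two fields as empty.
                user.IsEncrypted = True
                pwd.IsEncrypted = True
                doc.EncryptionKeys = "DA-LDAP-Key"
                Call doc.Encrypt
                Call doc.Save(True, False)
            End If
        End If
        Set doc = dc.GetNextDocument(doc)
    Loop
    Print "DA documents found with clear-text credentials and encrypted: " & clearCount
End Sub
```

Run it from a Notes client whose ID holds the key, and only after the key has been merged into the IDs of every Domino server that reads or replicates the Directory Assistance database, since a server without the key can no longer present the LDAP credentials.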