An administrator can use Directory Assistance to add remote directories for authentication (such as LDAP to Active Directory).
This will allow users to authenticate to Domino using credentials from a remote directory.
This idea suggests the following new features:
There should be an option to disable the local Domino Directory for authentication. In that case, only remote directories should be used.
If a user is found in both a remote directory and the local Domino Directory, and the passwords are identical, Domino will refuse to authenticate. In this situation, Domino should authenticate the user.
There should be an option in Person Documents to override Directory Assistance (enforce using local credentials). This could be used for special users which consume Domino services that support neither DA nor SAML.
Currently, encrypted LDAP (i.e. LDAPS) requires remote certificates to be stored locally on each Domino server in Domino Keyring files (KYR files). This is done with the command line tool "kyrtool import roots". There should be an option in DA to accept any untrusted and/or expired certificates. And DA should use the Internet Certificates in the Domino Directory as the certificate trust store, rather than KYR files.
Currently, when Directory Assistance is configured to use remote LDAP servers through an encrypted channel (LDAPS), it uses the fields in Domino Server Documents to configure encryption (e.g. the path to the KYR file). These fields are hidden when a Server Document is configured to use "Internet Site Documents". Directory Assistance should not depend on hidden fields in Server Documents. Directory Assistance should not require access to the KYR file when it is acting as a client (e.g. as an LDAP client towards a remote directory).
[Toni Feric, Belsoft Collaboration]