#dominoforever | Product Ideas Portal

Welcome to the #dominoforever Product Ideas Forum! The place where you can submit product ideas and enhancement request. We encourage you to participate by voting on, commenting on, and creating new ideas. All new ideas will be evaluated by HCL Product Management & Engineering teams, and the next steps will be communicated. While not all submitted ideas will be executed upon, community feedback will play a key role in influencing which ideas are and when they will be implemented.

For more information and upcoming events around #dominoforever, please visit our Destination Domino Page

Directory Assistance: Several Enhancements for Authentication

An administrator can use Directory Assistance to add remote directories for authentication (such as LDAP to Active Directory).

This will allow users to authenticate to Domino using credentials from a remote directory.

This idea suggests the following new features:

  • There should be an option to disable the local Domino Directory for authentication. In that case, only remote directories should be used.

  • If a user is found in both a remote and local Domino Directory, and if the passwords are identical, Domino will refuse to authenticate. In this situation, Domino should authenticate the user.

  • There should be an option in Person Documents to override Directory Assistance (enforce using local credentials). This could be used for special users, which are consuming Domino services that don't support neither DA nor SAML.

  • Currently, encrypted LDAP (i.e. LDAPS) requires remote certificates to be stored locally on each Domino server in Domino Keyring files (KYR files). This is done with the command line tool "kyrtool import roots". There should be an option in DA to accept any untrusted and/or expired certificates. And DA should use the Internet Certificates in the Domino Directory as Certificate Trust store, rather than KYR files.

  • Currently, when Directory Assistance is configured to use remote LDAP servers through an encrypted channel (LDAPS), it will use the fields in Domino Server Documents to configure encryption (e.g. path to KYR file). These fields are hidden when a Server Document is configured to use "Internet Site Documents". Directory Assistance should not depend on hidden fields in Server Documents. Directory Assistance should not require access to the KYR file, when it is acting as a client (e.g. LDAP client towards remote directory).

[Toni Feric, Belsoft Collaboration]

  • Guest
  • Jul 29 2020
  • Needs Clarification
  • Attach files
  • Admin
    Thomas Hampel commented
    24 Mar, 2021 09:00pm

    LDAPS - Trusted Root Configuration can be done by CertManager in Domino V12

  • Guest commented
    30 Jul, 2020 10:26am

    @Thomas Hampel:

    Yes. Maybe we can split into

    • DA/LDAPS (several enhancement requests)

    • Option to disable DDIR for Authentication when DA is configured

    • Option to override DA authentication on a per-person level (enforce DDIR)

    • If user is found in both DDIR and remote directory, and password is identical, Domino should authenticate

    Do you agree?

  • Admin
    Thomas Hampel commented
    30 Jul, 2020 09:23am

    If you are okay with me changing your submission, I can shorten this idea to only cover DA with LDAPs so that you can submit the other items as a standalone idea.

  • Guest commented
    29 Jul, 2020 01:45pm

    @Thomas Hampel:

    Well yes I can, but the main takeaway from this idea here is that DA with LDAPS, as it is now, can be a frustrating experience for administrators, and it should be reworked as a whole, so that it becomes a seamless, effortless experience.

    In the current state, "nasty hacks" are required to make it work, and all of them have to go.

  • Admin
    Thomas Hampel commented
    29 Jul, 2020 12:57pm

    Can you please submit each bulletpoint as its own idea ? Otherwise its hard to vote & rank those items.