26/07/2007

Using email address for Web authentication? Shame on me! ;-)

I was snooping around in the Lotus Domino support knowledge base when I found this interesting IBM technote titled:

Using email address to identify users or group members for Web authentication
(reference # 1209955)

What?! I surely missed something. :-(
I tried this tip to enter my company mailbox:
username: cdaloisio@mydomain.com
password: *********

and IT WORKS!

I thought it was NOT possible to use an e-mail address as the username during Domino web authentication: in fact, over the years many users asked me to do that on the company website... I even thought about buying some third-party DSAPI filter for the Domino HTTP server.

Some months/years ago I even read an interesting article (The View magazine) explaining a workaround to use the user's email address during web authentication, but it was done with LotusScript programming & HTML, no DSAPI filters or standard Domino settings.

But please, read the technote for important additional info about this (new?) feature.

How many of you already knew about this opportunity? Please, speak up.

For example I asked two up-to-date friends about that, but they confessed they were not aware of it.
References:
1) Lotus Domino support home page
2) Using email address to identify users or group members for Web authentication (technote reference # 1209955)

6 comments:

Virusface said...

Your link to lotus support is broken. It just points to support's homepage.

Can you please fix it ?

Cristian D'Aloisio said...

Actually there were no broken links: the first link was meant to point to the support home page, and a second link pointed to the technote ;-)

Anyway, I re-edited my post to a better style (I hope), it was not so explicit...

Did you know about using email address for web authentication? I was amazed ;-)

Giuseppe said...

well... i'm amazed too!

Virusface said...

Well, I've been using this for years. I always thought it to be quite common. Anyway, the technote doesn't tell you how the FullName fields work.

In recent years the names.nsf db has become more and more assimilated to an LDAP directory.

In an LDAP directory you have a DN (distinguished name) that's unique and points to the "record" and a CN (common name); then you have givenName (first name), sn (last name) and so on...

In Domino the mapping works this way:

The first value of the FullName field in a person document becomes DN.

The second value of the FullName field in a person document becomes CN.

FirstName field becomes givenName

LastName field becomes sn

Short name becomes uid.

---

At this point it should be clear that when web authentication happens Domino looks up the entered value against uid, cn and dn (based on the more or less secure web authentication setting).

The important thing is that at the end of the resolution Domino gets the real DN (first value of FullName) to match against any ACL in place (explicit or group).

This is also used when Domino is in a WebSphere SSO domain. Matching is based on DN vs DN.

I've built an environment with 2 LDAP servers, Domino and ITDS (Tivoli Directory Service), in which internal users were both in ITDS and Domino, and used DN mapping features to get SSO from and to Domino.

It works great.

Bye

Cristian D'Aloisio said...

Virusface, thanks for your explanation!

I'm sure that sharing knowledge is great, even when we think that a subject is already known among people: there are always people who can benefit from it, at any level of experience.

Let's keep sharing ;-)

Tim Tripcony said...

According to the technote, IBM's not saying that you can't authenticate using the email address; rather, that you can't reference groups in an ACL if they only contain the email address. Unless the group contains the CN or full name of the user, Domino won't grant them the level of access granted to the group. They'll still be authenticated, but they'll get whatever access level is assigned to the -Default- entry for the database they're accessing.
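The field mapping and DN-based ACL matching described in Virusface's and Tim Tripcony's comments, as an added Python model that is not code from the post, from IBM or from Domino itself; the person document, group and ACL are constructed, and the InternetAddress-to-mail mapping, the attribute set tried per authentication setting and the highest-level-wins rule are assumptions of the model.

```python
# Model of Domino person-document -> LDAP attribute mapping and DN-based ACL matching,
# as described in the comments above (not Domino's own code; sample data is constructed).

LEVELS = ["No Access", "Depositor", "Reader", "Author", "Editor", "Designer", "Manager"]

def ldap_view(person):
    """Map a person document to the LDAP attributes the comment lists."""
    full = person["FullName"]                          # multi-value field
    return {"dn": full[0],                             # first value -> DN
            "cn": full[1] if len(full) > 1 else full[0],  # second value -> CN
            "givenName": person.get("FirstName", ""),
            "sn": person.get("LastName", ""),
            "uid": person.get("ShortName", ""),
            "mail": person.get("InternetAddress", "")}    # assumption: mail attribute

def resolve_dn(entered, directory, attrs=("dn", "cn", "uid", "mail")):
    """Resolve the name typed into the login form to the person's real DN (first FullName).
    `attrs` models the 'more name variations' setting; pass fewer attrs for the stricter one."""
    wanted = entered.strip().lower()
    hits = [ldap_view(p)["dn"] for p in directory
            if any(ldap_view(p)[a].lower() == wanted for a in attrs if ldap_view(p)[a])]
    return hits[0] if len(hits) == 1 else None         # unknown or ambiguous -> no login

def effective_access(dn, directory, acl, groups):
    """Match the resolved DN (or its CN form) against explicit ACL entries and group
    members. A group that lists only the e-mail address never matches, so such a user
    falls back to -Default-. Assumption: if several entries match, the highest level wins."""
    person = next(p for p in directory if ldap_view(p)["dn"] == dn)
    my_names = {ldap_view(person)["dn"].lower(), ldap_view(person)["cn"].lower()}
    levels = [acl["-Default-"]]
    for entry, level in acl.items():
        if entry.lower() in my_names:                                  # explicit entry
            levels.append(level)
        elif entry in groups and my_names & {m.lower() for m in groups[entry]}:
            levels.append(level)                                       # group entry
    return max(levels, key=LEVELS.index)

# Constructed sample data (not real accounts).
DIRECTORY = [{"FullName": ["CN=Cristian D'Aloisio/O=mydomain", "Cristian D'Aloisio"],
              "FirstName": "Cristian", "LastName": "D'Aloisio", "ShortName": "cdaloisio",
              "InternetAddress": "cdaloisio@mydomain.com"}]
GROUPS = {"MailOnlyGroup": ["cdaloisio@mydomain.com"],      # only the e-mail address
          "WebEditors": ["Cristian D'Aloisio"]}             # CN form of the user
ACL = {"-Default-": "Reader", "MailOnlyGroup": "Manager", "WebEditors": "Editor"}

if __name__ == "__main__":
    dn = resolve_dn("cdaloisio@mydomain.com", DIRECTORY)   # log in with the e-mail address
    print(dn, effective_access(dn, DIRECTORY, ACL, GROUPS))  # -> ... Editor (not Manager)
```

Dropping WebEditors from the ACL leaves the user authenticated but at the -Default- level, which is the behaviour the technote warns about.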