Notes/Domino Fix List
SPR # MKRN5ZVGLW
Fixed in 6.0.5 release
Security fix



Product Area: Server Technical Area: DSAPI Platform: Cross Platform

Lotus Customer Support APAR: LO02935

SPR# MKRN5ZVGLW - Under some conditions, the authentication code will choose to use the credentials for an anonymous user if no other known credentials are supplied with the HTTP request, even though a DSAPI filter, through some private mechanism, authenticates the user and returns a non-anonymous user.

Technote Number: 1177645

Problem:
This issue was reported to Lotus software Quality Engineering and has been
addressed in Domino 6.5.3 and Domino 6.5.2 Fix Pack 1 (FP1) and Domino 6.0.5.
The issue occurs only in Domino 6.5.2; it does not occur in 6.5 or 6.5.1.
To work around the issue in Domino 6.5.2 when using a DSAPI filter, you can
change the "Internet authentication" field on the Security tab of the Server
document to "More name variations with lower security."

Excerpt from the Lotus Notes and Domino Release 6.5.3 MR fix list (available at
http://www.ibm.com/developerworks/lotus):

Web Server
SPR# NORK632KQA - Fixed a problem in Web Authentication, with DSAPI, when
"fewer names, more security" is enabled. This regression was introduced in
6.0.2. The problem has been fixed in 6.0.5, 6.5.3, and 6.5.2 FP1.

DSAPI
SPR# MKRN5ZVGLW - Under some conditions, the authentication code will choose to
use the credentials for an anonymous user if no other known credentials are
supplied with the HTTP request, even though a DSAPI filter, through some
private mechanism, authenticates the user and returns a non-anonymous user.
Additional information
The problem occurs when a Web user logs in using something other than the
hierarchical name, for example, a short name or any other alias listed in the
Person document. Therefore, the name returned by the DSAPI filter is one of
the aliases for the Web user. If you enable debug for the Web authentication,
you can see that the problem occurs when Domino maps this secondary name
returned by the DSAPI filter to a Notes distinguished name (DN) and adds it
into the user cache. With the setting "Fewer name variations with higher
security", the namelookup returns "NOTES" as the DN instead of returning the
actual user name, even though a user match has been found.

The symptoms that appear for this issue reported in SPR# MKRN5ZVGLW are a
rolling or looping login when attempting to authenticate through a DSAPI
filter. If you enable debug on the server (webauth_verbose_trace), you see the
message: "Adding anonymous user 'anonymous' to cache."
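To help triage a suspected occurrence from the webauth_verbose_trace output, the following Python script (an added example, not IBM/Lotus code and not part of the technote) correlates, per client, a non-anonymous name returned by a DSAPI filter with the subsequent "Adding anonymous user 'anonymous' to cache." message, and flags clients that hit the fallback repeatedly (the looping login symptom). The line layout of the sample trace (timestamp, bracketed client address, message) and the "DSAPI filter authenticated user" wording are constructed assumptions for this example; only the anonymous-cache message text comes from the technote.

```python
import re
from collections import defaultdict

# Constructed sample of webauth_verbose_trace-style output. The line layout
# and the DSAPI message wording are assumptions for this example; only the
# "Adding anonymous user 'anonymous' to cache." text is from the technote.
SAMPLE_TRACE = """\
2013-12-08 10:00:01 [10.0.0.5] DSAPI filter authenticated user 'jdoe'
2013-12-08 10:00:01 [10.0.0.5] Adding anonymous user 'anonymous' to cache.
2013-12-08 10:00:04 [10.0.0.5] DSAPI filter authenticated user 'jdoe'
2013-12-08 10:00:04 [10.0.0.5] Adding anonymous user 'anonymous' to cache.
2013-12-08 10:00:09 [10.0.0.7] DSAPI filter authenticated user 'CN=Ann Lee/O=Acme'
2013-12-08 10:00:09 [10.0.0.7] Adding user 'CN=Ann Lee/O=Acme' to cache.
"""

LINE_RE = re.compile(r"^(\S+ \S+) \[([^\]]+)\] (.*)$")
DSAPI_RE = re.compile(r"DSAPI filter authenticated user '([^']+)'")
ANON_MSG = "Adding anonymous user 'anonymous' to cache."


def is_hierarchical(name):
    """A hierarchical Notes name looks like CN=First Last/O=Org; anything
    else (short name, other alias) is treated as a secondary name here."""
    return "/" in name and name.upper().startswith("CN=")


def find_dsapi_anonymous_fallbacks(trace_text):
    """Return, per client, the events where the DSAPI filter returned a
    non-anonymous user and Domino then cached 'anonymous' for that client
    (the SPR# MKRN5ZVGLW symptom)."""
    pending = {}                     # client -> last name the filter returned
    findings = defaultdict(list)
    for raw in trace_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue                 # ignore lines that do not fit the layout
        ts, client, msg = m.groups()
        d = DSAPI_RE.search(msg)
        if d:
            pending[client] = d.group(1)
            continue
        if msg == ANON_MSG and client in pending:
            name = pending.pop(client)
            if name.lower() != "anonymous":
                findings[client].append({
                    "time": ts,
                    "filter_name": name,
                    # the technote ties the bug to aliases, so record that
                    "alias": not is_hierarchical(name),
                })
    return dict(findings)


def summarize(findings):
    """Flag clients that fell back to anonymous more than once (looping
    login) and whether the filter returned an alias rather than a DN."""
    return {
        client: {
            "count": len(events),
            "looping": len(events) > 1,
            "alias_returned": any(e["alias"] for e in events),
        }
        for client, events in findings.items()
    }


if __name__ == "__main__":
    for client, info in summarize(
            find_dsapi_anonymous_fallbacks(SAMPLE_TRACE)).items():
        print(client, info)
```

A client reported with `looping` true and `alias_returned` true matches the pattern described above (filter returns a short name or other alias, Domino then caches the anonymous user); the remediation remains the fix levels and the "Internet authentication" workaround the technote names.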



Last Modified on 12/08/2013
