Notes/Domino Fix List
SPR # NORK632KQA
Fixed in 6.0.5; 6.5.2 FP1 release
Security fix
Regression in 6.5.2



Product Area: Server
Technical Area: Web Server
Platform: Cross Platform

Lotus Customer Support APAR: LO03263

SPR# NORK632KQA - Fixed a problem in Web Authentication with DSAPI, when "fewer names, more security" is enabled. Prior to this fix, when using a DSAPI filter that authenticates a user and then passes that user off to Domino, the user cache was updated with the user 'Notes' and not the actual username. This regression was introduced in 6.0.2 and has been fixed in 6.0.5, 6.5.3, and 6.5.2 FP1.

Technote Number: 1177645

Problem:
This issue was reported to Lotus software Quality Engineering and has been
addressed in Domino 6.5.3 and Domino 6.5.2 Fix Pack 1 (FP1) and Domino 6.0.5.
The issue occurs only in Domino 6.5.2; it does not occur in 6.5 or 6.5.1.
To work around the issue in Domino 6.5.2 when using a DSAPI filter, you can
change the "Internet authentication" field on the Security tab of the Server
document to "More name variations with lower security."

Excerpt from the Lotus Notes and Domino Release 6.5.3 MR fix list (available at
http://www.ibm.com/developerworks/lotus):

Web Server
SPR# NORK632KQA - Fixed a problem in Web Authentication, with DSAPI, when
"fewer names, more security" is enabled. This regression was introduced in
6.0.2. The problem has been fixed in 6.0.5, 6.5.3, and 6.5.2 FP1.

DSAPI
SPR# MKRN5ZVGLW - Under some conditions, the authentication code will choose to
use the credentials for an anonymous user if no other known credentials are
supplied with the HTTP request, even though a DSAPI filter, through some
private mechanism, authenticates the user and returns a non-anonymous user.

Additional information
The problem occurs when a Web user logs in using something other than the
hierarchical name, for example, a short name or any other alias listed in the
Person document. Therefore, the name returned by the DSAPI filter is one of
the aliases for the Web user. If you enable debug for the Web authentication,
you can see that the problem occurs when Domino maps this secondary name
returned by the DSAPI filter to a Notes distinguished name (DN) and adds it
into the user cache. With the setting "Fewer name variations with higher
security", the namelookup returns "NOTES" as the DN instead of returning the
actual user name, even though a user match has been found.

The symptoms that appear for this issue reported in SPR# MKRN5ZVGLW are a
rolling or looping login when attempting to authenticate through a DSAPI
filter. If you enable debug on the server (webauth_verbose_trace), you see the
message: "Adding anonymous user 'anonymous' to cache."



Last Modified on 12/09/2013
