|Professional Services||Second Signal||Presentations||Andrew's Blog||Support|
I have a client who has a web based solution in which the users are passed from an outside system. The NCT SSO works great, but the usernames from the other site are actually EMAIL addresses. Domino will allow them to be logged in since the NCT SSO creates the token for them -- but putting email addresses in groups does not work for ACL's.
To get around this, I broke one of my cardinal rules. I modified the Domino Directory. Worse, I modified the most important view in the databases (or one of the two most important anyway). I modified the first column of "$ServerAccess". I did this to prevent stripping usernames from group membership that have "@" symbols in them.
There are many reasons why you shouldn't modify the Domino Directory. Security, Stability, Performance, and future upgrades can all be negatively impacted. Until we have time to modify the entire user management system to alter the usernames as they come in, this is the way we have to do it. In this particular case, since this is the only purpose for this server, the security risk is minimized. The performance risk is also minimized because I'm not creating a new view, and I'm actually simplifying the formula. Still, upgradeability becomes a problem.
I hope we can remove this hack soon, and handle users correctly. Still, I thought some of you might find this hack useful.
Please wait while your document is saved.