For Internet passwords stored in the Domino Directory, administrators can set up extended ACLs (xACLs) that restrict read and write access to the password fields to two parties: the users themselves, so that each user can read and change only their own password, and administrators, so that administrative password changes remain possible. Everyone else, including the Default and Anonymous entries, is denied both read and write access to those fields.
To do so, first enable extended access for the Domino Directory:
1. Open the database, and choose File - Database - Access Control.
2. Make sure you have Manager access in the database ACL.
3. Click Advanced, and then select "Enable Extended Access."
4. At this prompt, click Yes to continue:
"Enabling extended access control enforces additional security checking. See Domino Administrator Help for more details. Do you want to continue?"
5. At this prompt, which appears only if the advanced database ACL option "Enforce a consistent Access Control List across all replicas" is not yet enabled, click Yes:
"Consistent access control must be enabled first. Do you want to enable it now?"
6. At this prompt, click OK:
"If more than one administrator manages extended access control for this database, enable document locking on the database to avoid conflicts."
7. Click OK in the Access Control List dialog box.
8. At this prompt, click OK:
"Enabling extended access control restrictions. This may take a while."
9. Save and close the database.
Next, set up the extended access to secure Internet passwords.
- Open the database, and choose File - Database - Access Control.
- Click Extended Access. The Extended Access dialog box appears.
- In the Target pane, select the root entry, "/", and click Add.
- In the Access List pane, select Default.
- Click Form and Field Access. The Form and Field dialog box appears.
- In the Forms list box, select Person. Leave the Access settings for Forms blank.
- In the Fields list box:
  - Select HttpPassword and set both the Read and the Write access settings to Deny.
  - If it appears, select dspHttpPassword and set both the Read and the Write access settings to Deny.
- Click OK.
- Repeat this process for the HttpPassword and dspHttpPassword (if it appears) fields in the Person form for each of the following Access List entries, using the Read and Write settings shown instead of Deny. The bracketed entries stand for your own site's administrators and servers groups.

| Access List entry | Read access setting | Write access setting |
| --- | --- | --- |
| Self | Allow | Allow |
| [Local administrators group] | Allow | Allow |
| [Local servers group] | Allow | Allow |

Notes:
If Anonymous access was previously defined in the Access List, set it to deny both read and write access to the HttpPassword and dspHttpPassword (if it appears) fields in the Person form.
Once xACLs are enabled for a Domino Directory, the fields that anonymous LDAP users may query are no longer controlled by the field list in the All Servers Configuration document. Because the default xACL setting for Anonymous is "No Access," all anonymous LDAP searches fail as soon as xACLs are enabled, until you explicitly grant Anonymous access to the fields it should be able to see. For the xACL changes needed to restore the default list of fields Anonymous users can query, see the Domino Administrator Help topic "Converting the default anonymous access settings to database ACL and extended ACL settings."
Enabling xACLs requires, and turns on, the advanced database ACL setting "Enforce a consistent Access Control List across all replicas" (see step 5 above).
There is a known issue with Sametime installation failing when xACLs are configured for Domino. This issue has been reported to Sametime Quality Engineering as SPR# JFWG6SH2EQ. A workaround is to disable xACLs prior to installing Sametime and then restore the xACL settings after Sametime has been installed.
There is no way to save and restore xACLs. If the settings are lost, they must be reconfigured by hand, so record the settings you apply. Refer to technote 1317707 "Is it possible to copy and paste xACL settings?"
Additional server processing is required when xACLs are configured, so there may be some impact on server performance. We conducted two sets of benchmark tests, one using the iNotes workload and another using LDAP searches. In both cases, Domino 7.0.2 was used for the baseline run and a second run was done with xACLs enabled as described in this technote. For the iNotes workload, there was no performance degradation with xACLs enabled. On average, LDAP searches took 15-20% longer to complete.
Internet Password Hash Formats: Domino offers a choice of two algorithms for storing the Internet password in the Person record. The original format is a single unsalted hash: every user who chooses the same password gets the same stored value, so the value for "password" is (355E98E7C7B59BD810ED845AD0FD2FC4) in every Person document that uses it, and a precomputed table of common passwords maps straight back to users. In Domino 4.6, a second format was introduced, known as the "More secure Internet password format," which is a salted hash. With this format, "password" no longer produces the value (355E98E7C7B59BD810ED845AD0FD2FC4), and the stored value differs for every user who chooses the same password. Because even a hashed value can be attacked offline once it is read, the xACL restrictions above and the salted format complement each other rather than substitute for one another. The salted format is not backwards-compatible with Domino R4.5, so all servers must be at R4.6 or higher. IBM Lotus strongly recommends the use of the "More secure Internet password format" for storing Internet passwords in the Domino Directory.
To upgrade existing Person documents, select the Person documents in the view and choose Actions -> Upgrade to More Secure Internet Password Format. This action runs an agent that converts the selected documents to the salted hash. To ensure that the more secure format is used when new Person records are created, edit the Directory Profile from Actions -> Edit Directory Profile and select "Yes" for the "Use more secure Internet password format" field. This Directory Profile setting requires Domino 5.0.6 or higher.
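The following script is an added example, not part of this technote and not IBM code. It checks two things the text above asks for: that an LDAP export made under the Default or Anonymous identity (after the xACL is in place) returns no HttpPassword or dspHttpPassword values, and which Person entries in a privileged export still carry the original unsalted format or share a stored value with another user. It assumes the export was produced with OpenLDAP's ldapsearch against the Domino LDAP task (the command is shown in a comment and not run) and that the objectClass is dominoPerson; the LDIF entries and the salted-format placeholder value are constructed for illustration. Only the unsalted format is recognised, by the 32-hex-digit shape of the value quoted above; the script does not implement either Domino hash algorithm.

```python
"""Audit a Domino Directory LDIF export for Internet-password exposure and
legacy (unsalted) hash format.  Added example; not from the IBM technote.

Assumed export command (not executed here; hostname is a placeholder):
  ldapsearch -x -H ldap://domino.example.com -b "" -s sub \
      "(objectClass=dominoPerson)" HTTPPassword dspHttpPassword
Run it once bound as an administrator and once anonymously / as an
ordinary user, then feed each result to the functions below.
"""
import re
from collections import defaultdict

# Shape of the original, unsalted format as quoted in the technote:
# 32 hex digits in parentheses, e.g. (355E98E7C7B59BD810ED845AD0FD2FC4).
LEGACY_UNSALTED = re.compile(r"^\([0-9A-Fa-f]{32}\)$")

# Attribute names are case-insensitive in LDIF and in Notes field names.
PASSWORD_ATTRS = ("httppassword", "dsphttppassword")

# Constructed sample: what a privileged (or pre-xACL) export could return.
# Carol's value is a placeholder standing in for a salted-format hash; it is
# not a real Domino value and its shape should not be relied on.
SAMPLE_PRIVILEGED_EXPORT = """\
dn: CN=Alice Example,O=Acme
objectclass: dominoPerson
httppassword: (355E98E7C7B59BD810ED845AD0FD2FC4)

dn: CN=Bob Example,O=Acme
objectclass: dominoPerson
httppassword: (355E98E7C7B59BD810ED845AD0FD2FC4)

dn: CN=Carol Example,O=Acme
objectclass: dominoPerson
httppassword: (CONSTRUCTED-SALTED-PLACEHOLDER-FOR-CAROL)

dn: CN=Dave Example,O=Acme
objectclass: dominoPerson
"""

# Constructed sample: what a Default/Anonymous bind should return once the
# xACL denies Read on HttpPassword and dspHttpPassword.
SAMPLE_RESTRICTED_EXPORT = """\
dn: CN=Alice Example,O=Acme
objectclass: dominoPerson

dn: CN=Bob Example,O=Acme
objectclass: dominoPerson
"""


def parse_ldif(text):
    """Minimal LDIF parser: returns a list of (dn, {attr_lower: [values]}).
    Handles folded lines (leading space) and '#' comments; does not decode
    base64 ('::') values, which the password attributes never use here."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # continuation of previous line
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines + [""]:             # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line:
            if current is not None:
                entries.append(current)
                current = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = (value, defaultdict(list))
        elif current is not None:
            current[1][attr].append(value)
    return entries


def exposed_password_fields(entries):
    """DNs whose export contains HttpPassword or dspHttpPassword.
    For an export made as Default/Anonymous, the xACL above should make
    this list empty; anything listed is a policy gap to investigate."""
    return [dn for dn, attrs in entries
            if any(a in attrs for a in PASSWORD_ATTRS)]


def audit_hash_formats(entries):
    """Return (legacy_dns, reused).  legacy_dns lists entries still on the
    unsalted format; reused maps a stored value to the DNs sharing it.  With
    the unsalted format, identical passwords give identical stored values,
    so any sharing means those users have the same password."""
    legacy, by_value = [], defaultdict(list)
    for dn, attrs in entries:
        for value in attrs.get("httppassword", []):
            if LEGACY_UNSALTED.match(value):
                legacy.append(dn)
            by_value[value].append(dn)
    reused = {v: dns for v, dns in by_value.items() if len(dns) > 1}
    return legacy, reused


if __name__ == "__main__":
    priv = parse_ldif(SAMPLE_PRIVILEGED_EXPORT)
    legacy, reused = audit_hash_formats(priv)
    print("Still on unsalted format:", legacy)
    for value, dns in reused.items():
        print(f"Shared stored value {value}: {dns}")
    print("Restricted export leaks:",
          exposed_password_fields(parse_ldif(SAMPLE_RESTRICTED_EXPORT)))
```

Entries reported by audit_hash_formats are the ones to select for Actions -> Upgrade to More Secure Internet Password Format; a non-empty result from exposed_password_fields on the restricted export means the Default, Anonymous or another Access List entry still has Read access to the password fields.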