After configuring Directory Assistance, despite having no access to the secondary directory database, users can search in this directory
Steps to Reproduce:
1. Administrator creates directory assistance database (da.nsf) on server1 whose domain is Domain1.
2. Administrator open da.nsf, creates one directory assistance document which contains the secondary directory. The secondary directory domain is Domain2.
3. Open the secondary directory Access Control list, add one common user (eg: test one) in the Access Control List and whose right is No Access.
4. Check the Access Control List, both -Default- and Anonymous also are No Access.
5. User test one logs into iNotes, open the new mail message page, click the To link which pops-up the "Select Addresses" dialog box, and notice that the user can't see the Domain2 directory.
However test one can search these users from the Domain2 directory.
Users in the Notes client cannot search users in this second directory, however if they press F9 they will also have access to this second directory.
Diagnosing the problem
The search for an iNotes user is done by the server. So once the server has rights to the second directory an iNotes user can find these other users.
If you press F9 in the Notes client new mail document then name lookup is done by the server, and the server usually has the rights to check all available address books. Restricting the ACL of a secondary address book will only avoid that the users see this address book in the namepicker dialogue. But if the user types a name and presses F9 then the server will search for the name and find it even if user is not allowed to see the address book.
Resolving the problem
This issue has been raised by Quality Engineering as SPR # JSSI86H9FF.
This behaviour is working as designed however. Opening a database indeed obeys the ACLs as it should. Type-ahead, when sent from the client to the server is then executed with the permissions configured in Directory Assistance. This is as designed.
One possible solution is to deploy Extended Acls (xACLs) . Doing so allows permissions of the user to be taken into consideration. However deploying xAcls because of permission checking can result in performance hits. xAcls cannot use directory caching mechanisms, so directories should be local to the server. Care should be taken when considering xAcls.
Translate this page: