DOMINO OFF-LINE SERVICES


Creating a DOLS Offline Security Policy document
Use Offline Security Policy documents to set different ID policies for users in different domains. For example, you can generate IDs automatically for users inside the company, but require users in a domain outside the company to provide IDs you have given them.

To create an Offline Security Policy Document, do the following:

1. Open Lotus Domino Administrator 6.

2. Click the Configuration tab.

3. Click Offline Services.

4. Click Security.

5. Click "New Security Policy."

6. Fill out the following fields in the Basics tab:
Field: Description

Security domain: Enter the domain that this policy affects. For example, /US/Company, or /Company (include the leading slash). All users in this domain are subject to the deployment policy you set in this document.

The domain specified in this field includes users one level down from the root. For example, Cambridge/Lotus includes users in /Security/Cambridge/Lotus and /Dev/Cambridge/Lotus.

Prompt for ID during download: Before the subscription installs, users are asked to specify where on their computer their user ID is stored. The administrator must provide an ID to the user. This is the default ID deployment policy.

Automatically generate user IDs: Before installation, a certifier ID is generated for the user automatically.

The Automatic tab appears when this option is selected. Click this tab and attach the certifier ID to be generated, set the password, and set the ID expiration date.

It is recommended that you do not attach the absolute root certifier for your organization (for example, /Lotus). Instead, you should automatically generate a user ID against a subcertifier (for example, /NewUsers/Lotus). You may also want to generate the user ID in a new domain.

Use the Domino Directory for ID lookup: Before installation, the server looks for an existing user ID in the Domino Directory (formerly called the Names and Address book).

The Lookup tab appears when this option is selected. Enter the relative path for the Domino Directory that contains the IDs.

Roaming User: Override security policy for roaming users. Select this box to set the Domino server to behave appropriately with "Roaming users" who access the subscription. The server will recognize the user as a Roaming user, ignore the current security policy, and find the user's ID on the user's home server.

ID Management: Overwrite existing user IDs. Select this box to have a user's offline ID overwritten with a new ID each time the user installs a subscription.

Caution! This setting should not be turned on in an enterprise that uses encrypted subscriptions. Users whose IDs are overwritten will not be able to open an offline subscription encrypted with a key from the previous ID.

7. If you selected "Automatically generate user IDs," fill out the following fields in the Automatic tab:
Field: Description

Certifier ID to use: Attach a certifier ID to this rich text field. The certifier ID must support the domain specified in the "Security domain" field.

For example, if the Security domain is /A/B/C, then either /A/B/C, /B/C, or /C would be acceptable certifiers.

The certifier ID file attached here must share the same root certifier as the server’s ID for DOLS. If they do not share the same root certifier, the user may receive replication errors about a lack of cross-certifiers.

Password for certifier ID: Enter the password for the certifier ID. The password, which is case-sensitive, must be correct or the user will not be able to install.

Make sure you protect stored passwords by appropriately restricting the ACL of this database (doladmin.nsf).

Expiration date to set on created user IDs: Select or enter an expiration date for the ID. For example, 03/31/2006.

8. If you selected "Use NAB for ID lookup," fill out the following fields in the Lookup tab:
Field: Description

Address book to look up ID files from: Enter the database filename, with relative path, of the directory where your server's user IDs reside. The target database must have standard NAB views & documents, with ID files attached to each person document.
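
The certifier, root-certifier, expiration, and overwrite rules from steps 6 and 7 can be checked against a policy's settings before the document is saved. The following Python code is an added example, not code from Domino or DOLS. The dictionary keys, the sample records, the case-insensitive name comparison, and the treatment of a single-component name (such as /Lotus) as the root certifier are assumptions of this example.

```python
from datetime import date, datetime

def parts(name):
    """Split a hierarchical name such as '/A/B/C' into ['a', 'b', 'c']."""
    return [p.strip().lower() for p in name.split("/") if p.strip()]

def certifier_acceptable(certifier, security_domain):
    """For domain /A/B/C the page accepts /A/B/C, /B/C or /C as certifier."""
    cert, dom = parts(certifier), parts(security_domain)
    return bool(cert) and len(cert) <= len(dom) and dom[-len(cert):] == cert

def lint_policy(policy, today):
    """Return a list of findings for one policy record (hypothetical dict keys)."""
    findings = []
    domain = policy["security_domain"]
    if not domain.startswith("/"):
        findings.append("security domain lacks the leading slash")
    if policy["id_policy"] == "generate":
        cert = policy["certifier"]
        if not certifier_acceptable(cert, domain):
            findings.append("certifier does not cover the security domain")
        if len(parts(cert)) == 1:
            findings.append("root certifier attached; use a subcertifier")
        # Rightmost component is taken as the root (assumption of this example).
        if parts(cert)[-1:] != parts(policy["server_name"])[-1:]:
            findings.append("certifier root differs from server ID root")
        # Date format follows the page's example, 03/31/2006.
        expires = datetime.strptime(policy["expiration"], "%m/%d/%Y").date()
        if expires <= today:
            findings.append("expiration date is not in the future")
    if policy.get("overwrite_ids") and policy.get("encrypted_subscriptions"):
        findings.append("overwriting IDs breaks encrypted subscriptions")
    return findings

# Constructed sample records, not taken from a real doladmin.nsf.
WEAK = {"security_domain": "/NewUsers/Lotus", "id_policy": "generate",
        "certifier": "/Lotus", "server_name": "Hub1/Cambridge/Lotus",
        "expiration": "03/31/2006", "overwrite_ids": True,
        "encrypted_subscriptions": True}
FIXED = dict(WEAK, certifier="/NewUsers/Lotus", overwrite_ids=False)

if __name__ == "__main__":
    for label, policy in (("weak", WEAK), ("fixed", FIXED)):
        print(label, lint_policy(policy, today=date(2005, 1, 1)))
```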
