Notes.ini Entry



Name:

    Block_LookupID

Syntax

    Block_LookupID=1 / 2

Applies to:

    Servers

Add-on:

First Release:

    6.5.5

Obsolete since:

Category:

    Directory, Certification

Default:

    None

UI equivalent:

    None

Description:
      SPR# KEMG6R8JBF and has been fixed in Domino® 7.0.2 and Domino 6.5.5 Fix Pack 2 (FP2). The fix requires setting the "BLOCK_LOOKUPID" variable in the server's notes.ini file.

      There are two settings available.

      BLOCK_LOOKUPID=1

      If the unauthenticated name lookup transaction finds the requested person but no ID file, the error message changes from "No ID file found for this user" to "User not found in Directory", so the transaction can no longer be used to confirm that a user name without an ID file exists in the directory. With this setting enabled, setup and Roaming User can both still fetch ID files.

      BLOCK_LOOKUPID=2

      If the unauthenticated name lookup transaction is performed, it always returns "User not found in directory". This completely prevents all the attacks described in this advisory/SPR. However, it also stops new client setup that uses ID files stored in the directory from working, and it stops Roaming User setup from working. This setting can be used if new users are physically given their ID files and Roaming User is never configured to delete local files on exit.
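
The following audit helper is an added example, not code from IBM or from this entry. It reads notes.ini text and reports which of the behaviours described above a server gets, including the setup features that value 2 disables. The finding codes, function names and sample files are constructed for illustration, and case-insensitive matching of the variable name is an assumption.

```python
SETTING = "BLOCK_LOOKUPID"

def read_values(ini_text, name=SETTING):
    """Collect every value assigned to `name` in notes.ini-style text."""
    values = []
    for line in ini_text.splitlines():
        key, sep, value = line.partition("=")
        # Assumption: names compare case-insensitively; the entry itself
        # writes both Block_LookupID and BLOCK_LOOKUPID.
        if sep and key.strip().upper() == name:
            values.append(value.strip())
    return values

def audit(ini_text, ids_in_directory, roaming_user):
    """Return finding codes (hypothetical names) for one server.

    ids_in_directory: new clients fetch their ID file from the directory.
    roaming_user:     Roaming User is deployed.
    Both are facts the auditor supplies; they are not read from notes.ini.
    """
    values = read_values(ini_text)
    if not values:
        return ["UNSET"]               # default is None: fix not enabled
    if len(set(values)) > 1:
        return ["CONFLICTING_VALUES"]  # precedence is not assumed here
    value = values[0]
    if value not in ("1", "2"):
        return ["INVALID_VALUE"]       # only 1 and 2 are documented
    findings = ["HIDES_MISSING_ID"]    # "No ID file found" no longer returned
    if value == "2":
        findings.append("BLOCKS_ALL_LOOKUPS")
        if ids_in_directory:
            findings.append("BREAKS_CLIENT_SETUP")
        if roaming_user:
            findings.append("BREAKS_ROAMING_SETUP")
    return findings

# Constructed sample files, not taken from a real server.
SAMPLE_UNSET = "[Notes]\nKitType=2\nDirectory=/local/notesdata\n"
SAMPLE_ONE = SAMPLE_UNSET + "Block_LookupID=1\n"
SAMPLE_TWO = SAMPLE_UNSET + "BLOCK_LOOKUPID = 2\n"

if __name__ == "__main__":
    for label, text in [("unset", SAMPLE_UNSET), ("1", SAMPLE_ONE), ("2", SAMPLE_TWO)]:
        print(label, audit(text, ids_in_directory=True, roaming_user=True))
```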