Certifier IDs are required to ensure offline user authentication works when users are in different organizational hierarchies from the IBM® Lotus® Quickr™ server, when users are at different levels of organizational hierarchy, or for other security and organizational situations.
The following points about certifier IDs are important to keep in mind to ensure offline user authentication works properly. For more information on certifier IDs, see Domino Administrator Help.
New organization certifier required for external users in a different organization from the server
If external offline users are in a different organization hierarchy from the IBM Lotus Domino® server on which IBM Lotus Quickr runs, you must create an organization certifier ID for their organization, cross-certify that certifier ID with the Domino server's organization certifier ID, and then attach the cross-certified ID to an Offline Security Policy document. For example, if the Domino server is within the /Org organization, but there are external users within the /Acme organization, create an /Acme organization certifier ID, cross-certify it with the /Org certifier ID, and then create an Offline Security Policy document and attach the cross-certified /Acme certifier ID to it.
Certifiers authenticate one level down
A certifier ID authenticates only users with names at its level and one organizational unit level down in the name hierarchy. For example, the /Acme organization certifier authenticates Alice Brown/Acme, Lee Moutal/Marketing/Acme, and Maryane Burns/Sales/Acme, but not Claudia Basso/East/Sales/Acme. To authenticate Claudia Basso/East/Sales/Acme, you must create an organizational unit certifier ID for /Sales/Acme, and then create an Offline Security Policy document and attach the ID to it.
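The one-level-down rule above can be checked against a list of user names before you create Offline Security Policy documents. The following Python sketch is an added example, not IBM code or a Domino API. The function names are hypothetical, it works on abbreviated hierarchical names only, and it assumes name components compare case-insensitively.

```python
# Added illustration of the "one level down" rule; not a Domino API.
# All function names here are hypothetical.

def hierarchy(name):
    """Return the components after the common name, innermost first.
    'Claudia Basso/East/Sales/Acme' -> ['East', 'Sales', 'Acme']
    '/Sales/Acme' (a certifier)     -> ['Sales', 'Acme']
    """
    return [p.strip() for p in name.split("/")[1:] if p.strip()]

def covers(certifier, user):
    """True if the certifier authenticates the user: the user's name is at
    the certifier's level or exactly one organizational unit below it."""
    cert = [c.casefold() for c in hierarchy(certifier)]  # assumption: case-insensitive
    usr = [u.casefold() for u in hierarchy(user)]
    extra = len(usr) - len(cert)
    if not cert or extra not in (0, 1):
        return False
    return usr[extra:] == cert

def audit(users, certifiers):
    """Map each user to the first listed certifier that covers it, else None."""
    return {u: next((c for c in certifiers if covers(c, u)), None) for u in users}

def suggest_certifier(user):
    """Name the certifier one level above the user's immediate OU, which is
    the choice made in the Claudia Basso example above."""
    parts = hierarchy(user)
    return "/" + "/".join(parts[1:] if len(parts) > 1 else parts)

if __name__ == "__main__":
    # User names taken from the example in the text.
    users = [
        "Alice Brown/Acme",
        "Lee Moutal/Marketing/Acme",
        "Maryane Burns/Sales/Acme",
        "Claudia Basso/East/Sales/Acme",
    ]
    for user, cert in audit(users, ["/Acme"]).items():
        if cert:
            print(f"{user}: covered by {cert}")
        else:
            print(f"{user}: not covered, needs {suggest_certifier(user)}")
```

Each certifier the audit reports as needed still requires its own Offline Security Policy document with that certifier ID attached.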
Separate organizational unit certifier recommended for external users within the same organization as the server
If offline users are within the organization hierarchy of the Domino server on which Lotus Quickr runs, put them under their own organizational unit certifier as a security measure to limit their access to the Domino server.
Distinguished names that do not follow the Domino naming convention require translation
Domino recognizes only the following delimiters in a distinguished name: "CN," "OU," "O," and (optionally) "C". If the distinguished names of external members use different delimiters, you must use the name_translation setting in the offline section of the qpconfig.xml file on the server to translate them to the Domino format. When you create an Offline Security Policy document, you use the Domino format when specifying the certifier name.
/QP organizational unit certifier required for local users
For local offline users, create the organizational unit certifier /QP from the Domino server's certifier. For example, if the Domino server's certifier is the organization certifier /Org, use the /Org certifier ID to create the organizational unit certifier /QP/Org, and then attach the /QP/Org certifier ID to an Offline Security Policy document. Or, if the Domino server's certifier is the organizational unit certifier /Sales/Org, use the /Sales/Org certifier ID to create the organizational unit certifier /QP/Sales/Org, and then attach the /QP/Sales/Org certifier to an Offline Security Policy document.
Separate Security Policy documents required for local and external users
You must create separate Security Policy documents and IDs for local users (users registered in places) and external users (users registered in a directory). You can attach only one certifier ID to each Security Policy document.