Link to home
Start Free TrialLog in
Avatar of clomb
clomb

asked on

Nested groups over two directories are not working

In our environment, we have two directories (names1.nsf and names2.nsf) and one directory assistance (da.nsf).
Now in the second directory (names2.nsf) we've a  group (azerty)  who has as member another group (qwerty, one from the first  directory names1.nsf).
The database authorization isn't working for members from the group qwerty (the group from names1.nsf).
Does anyone has a workaround for this problem.
I know that it's a known limitation.
Notes "When authorizing database access, a server can search a group that is nested in a group listed in a database ACL, and search a group nested in the nested group, and so on, as long as all the groups are located in the same directory."
SOLUTION
Avatar of mbonaci
mbonaci
Flag of Croatia image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
ASKER CERTIFIED SOLUTION
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of clomb
clomb

ASKER

mbonaci,
We want two NAB for separating the groups.
One NAB is for all the persons and for the department (groups), the other is for creating groups that we'll use for our notes app or for our websphere portal.
Also the security is not the same for the two NAB's, the persons who may create new docs are not the same in both NAB's.
Plus extra advantages..............

qwaletee,
List both independently is not a solution, most of the time the two groups are the same.
In the ACL we only use groups, there fore we create for each app several groups.
The responsible can then update the groups and give the people extra rights.
Create a script is one of the possible solutions but we thought may be there is a solution with changing settings so that it isn't necessary to write a script.
PS I'm dutch
Separating the groups in two NABs just because they are going to be used for different purposes is IMHO not a real reason for two NABs.
I would instead use some kind of prefix for group names, depending on their purpose/place of usage.

As far as security is concerned, I'd rather use Extended ACL then two NABs:

http://publib.boulder.ibm.com/infocenter/domhelp/v8r0/topic/com.ibm.help.domino.admin85.doc/H_EXTENDED_ACLS_OVER.html

Which other advantages? Any crucial ones?
how is the directory assistence setup?
Avatar of clomb

ASKER

sorry for the late answer. But for avoiding problems, we've put everything (groups and persons) in one addressbook.