The boys behind Idea Jam and I ran into a bit of a problem this week. Accounts that were previously working fine stopped working all of a sudden. Bruce and Matt both claimed innocence and swore nothing changed on the server. After killing ourselves for much of the day and then bringing in the big guns, the solution came to Bruce and me as we were chatting it through last night.
During the registration process, we create a fake hierarchical name based on the following formula:
firstname lastname/email_at_domain.com
We did this to allow the user's real name to be shown using @Name([CN];@UserName), but still allow for multiple John Smiths in the system. Everything was working perfectly until someone went in and saved the group document in the Notes Client. That group is what we use to grant access to the site. Can you guess what changed when the group was saved?
Although it looked the same to the user, the firstname lastname/email_at_domain.com was actually converted to CN=firstname lastname/O=email_at_domain.com in the members field. This caused the Domino server to not find firstname lastname/email_at_domain.com in any group.
The solution to the problem was very simple. In the script that processes the registration, I simply created a NotesName object with the firstname lastname/email_at_domain.com string and then added the NotesName.Canonical to the person and group documents. After doing this, everything started working again.
So the moral of the story is: Always add canonicalized names to Names fields, because firstname lastname/organization is not the same as CN=firstname lastname/O=organization!
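The following LotusScript is an added example, not the registration script from this post. It applies the same NotesName.Canonical fix to entries that are already stored, so existing person and group documents can be brought in line. The function name CanonicalizeNamesItem and the "contains a slash" test for hierarchical entries are assumptions made for this sketch; the item name (for example "Members" on a group document) is passed in by the caller.

```lotusscript
' Added example: rewrite abbreviated hierarchical entries in a Names item
' (e.g. "Members" on a group document) to canonical form.
' Returns the number of entries that were changed.
Function CanonicalizeNamesItem(doc As NotesDocument, itemName As String) As Integer
    Dim item As NotesItem
    Dim vals As Variant
    Dim nn As NotesName
    Dim i As Integer
    Dim changed As Integer

    Set item = doc.GetFirstItem(itemName)
    If item Is Nothing Then Exit Function      ' nothing to fix, returns 0

    vals = item.Values
    For i = LBound(vals) To UBound(vals)
        ' Assumption: only entries containing "/" are hierarchical names.
        ' Flat entries (such as nested group names) are left untouched.
        If InStr(CStr(vals(i)), "/") > 0 Then
            Set nn = New NotesName(CStr(vals(i)))
            ' "John Smith/email_at_domain.com" becomes
            ' "CN=John Smith/O=email_at_domain.com"
            If nn.Canonical <> CStr(vals(i)) Then
                vals(i) = nn.Canonical
                changed = changed + 1
            End If
        End If
    Next

    If changed > 0 Then
        Set item = doc.ReplaceItemValue(itemName, vals)
        item.IsNames = True                    ' keep the item flagged as a Names field
        Call doc.Save(True, False)
    End If

    CanonicalizeNamesItem = changed
End Function
```

Run it against both the person document and the access group so the two sides of the lookup hold the same canonical string.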