The absolute joys of Domino licensing - not - An interesting conversation about anonymous access
The item in question is around anonymous access to Domino servers and what is, and is not, allowed and if so, on Enterprise licensing and/or Express licensing.
You have read the Domino 8.5.1 license agreement right? Thought so....on with the show.
So first things first, what institutes an "authorized user". From the license :
Exhibit 1 (emphasis is mine)
An Authorized User is a unit of measure by which the Program can be licensed. An Authorized User is a unique individual inside or outside of Licensee's Enterprise with a specific identity that is validated when accessing a IBM Lotus Domino server. The Authorized User's unique identity could be defined by his or her Notes ID/password ("PW") combination, his or her IBM Lotus Domino HTTP Name/PW combination, or any other third party authentication source that defines the Authorized User's unique identity. The Program may be installed on any number of computers or servers, but Licensee must obtain PoE for every user authorized to access the Program. Licensee must have entitlements for each Authorized User accessing the Program in any manner directly or indirectly (for example: via a multiplexing program, device, or application server) through any means. Entitlements for Authorized Users may not be shared, nor may they be reassigned other than for the permanent transfer of the Authorized User entitlement to another individual.
So in reading the above, one could surmise that an authorized user is one who is somehow authenticated via an ID file, a web password or other 3rd party authentication source. The word here is validated. Right? So where is anonymous? Missing in action.
From the same license text we'll look at the "addendum" (my word not IBMs) for Lotus Domino Collaboration Express:
IBM Lotus Domino Collaboration Express
Where the Program is IBM Lotus Domino Collaboration Express, (i) the Program is licensed on a per user basis for use only by Licensee's employees and independent contractors, and those of a Related Company (collectively, "Licensee's company"); (ii) Licensee must acquire one PoE for Domino Collaboration Express for each Authorized User who accesses the Program; and (iii) the Program use is limited to companies of no more than one thousand (1,000) employees and/or independent contractors; therefore, Licensee's company may not acquire more than a total of one thousand (1,000) PoEs of Domino Collaboration Express or Domino Messaging Express combined.
Item (i) seems to indicate it is "for use only by Licensee's employees and independent contractors". Hummm....so anonymous is barred. OK....
Item (ii) seems to indicate "Licensee must acquire one PoE for Domino Collaboration Express for each Authorized User". Hummmm, but an authorized user seems to anything other then anonymous (from exhibit 1)....so maybe it is OK for anonymous access.
So which is correct? Is it (i) or (ii)? Clear as mud right?
So what is an Authorized User and does it include or disbar anonymous access? From Exhibit 1 one would have to say anonymous is allowed as there is no authentication for anonymous users and authentication is what dictates an authorized user (technically the term is validation, but surely they are synonymous) but item (i) seems to change that assumption. Well there is a Domino Licensing FAQ that one would hope would clear this up:
(Emphasis in the answer is mine)
Q. What are the differences between Lotus Domino Enterprise Server and Lotus Domino Collaboration Express?Look at the bold text above (ah, a negative sentence, just like a hide-when). The FAQ indicates that anonymous access is not allowed, at least with Express licensing. Ergo item (i) is correct and item (ii) is redundant.
A. Lotus Domino Enterprise Server is a single license for server software only. You acquire licenses for the number of processor value units associated with the hardware on which you deploy the software, and you acquire individual client licenses separately. Lotus Domino Enterprise Server is available to organizations of any size. Any user who has a client access license is allowed to access the server. In addition, anonymous access to non-mail applications (no sign-on or authentication involved) from a Web browser is allowed, even without a client access license.Lotus Domino Collaboration Express software includes combined server and client licenses, priced on a per user basis. You may deploy the server software on as many machines as you would like, but access is limited to the users for whom you have paid the per user charge. If you do not have a Lotus Domino Collaboration Express per user license, you are not entitled to access the Lotus Domino server, even if the you have a separately acquired client access license or only want to use applications anonymously from a Web browser. The offering is available only for companies who have 1000 employees or fewer, and removes select capabilities of Lotus Domino Enterprise Server that are designed for larger enterprises. The license restrictions are:
- No license to use Lotus Domino partitioning or clustering
- No use on IBM System z platform (Linux or z/OS)
- No license to use the following advanced administration functions: extended access control lists, cascading directories, directory catalogs, directory assistance, central directory (userless name and address book)
I have never, ever accepted a "FAQ" when installing software, but I always accept a license agreement. What happens when the two seem to collide?
Some suggestions to IBM:
1. Where anonymous access is specifically denied, deliberately label it so
2. In the license text, please hyperlink the individual products to the name and program number at the top of the page
3. Change the license so that anonymous access is allowed. Are you really trying to make this as difficult as this?
Discussion for this entry is now closed.
Comments (11)
The difference between IBM and RIM is that IBM's lawyers will work on fixing the issue, whereas RIM's lawyers would work on getting you to take down the post.
Oh, snap!
left this comment on Nathan's blog entry... anonymous access via the web is always cool under any Domino license. Authenticated access requires an authorized user which requires a license under any Domino license. That license can be through a Utility Server or it can be a CAL or it can be CEO or it can be Express.
Thanks Ed. Can I suggest the FAQ be updated to reflect this. As it stands today the FAQ is just plain wrong.
Hmm, now you're making me wonder whether that's deliberate (or historically was deliberate) or not. I think the thinking is the Utility Express server could be used for external users. But i agree there is a flaw in the logic somewhere.
My take on this, at least license wise, is that Utility Express is needed when you have "external" validated (aka authenticated) users and less than 1,000 employees, otherwise anonymous *should* be OK.
Again, I have never accepted a FAQ when installing Domino, therefore the license wins. Right?
I have a strong recollection of IBM documents stating that you are not allowed to have a public facing utility express server e.g. a simple catalog. I will try and find them
I have a strong recollection of IBM documents stating that you are NOT allowed to have a public facing express server e.g. a web simple catalog. I will try and find them
Well maybe it changed. I complained about this several times. See for example my (totally off-topic) comment here(6).
{ http://www.edbrill.com/ebrill/edbrill.nsf/dx/subcapacity }
in 2007.
At least in the past Anonymous Access was not allowed for Express without Utility Server.
It would be a great thing if IBM has changed their conditions in this point as it would allow to at least run you homepage with Domino (although unauthenticated).
I recently concluded an email coversation with Ed Brill. The rules are as follows:
1) Express - no anonymous access, period. You are required to get a Utility Express license for either anonymous or external authenticated access..
2) Domino Enterprise Server includes anonymous access. Obviously for external authenticated access Utility license is required.
What a scenario is like that:
Domino web based application is utilizing third party authentication tool/work around which does not require users to be registered in the NAB?
I honestly find it hard to believe that IBM's intent would be to prevent someone with a Collaboration Express server from putting up a Domino blog. But as I said on that thread, it's what the text says.
I'm completely speechless at this notion that I can't put a public-facing brochure for my company on a Collaboration Express server. It's like I'm taking crazy pills or something.