Using LDAP to modify a directory served by the LDAP service

By default, the LDAP service does not allow LDAP clients to modify the directories served by the LDAP service.

About this task

However, you can enable LDAP write access for any of the following directories to allow LDAP users with the required database access to modify the directories:

You control LDAP write access separately for each directory. For example, you could enable write access for the primary Domino Directory, and leave write access disabled for an extended directory catalog.

Note: You cannot enable LDAP write access to a condensed directory catalog served by the LDAP service.

Keep the following points in mind if you enable LDAP write access for a directory:


1. Domino does not provide a tool for doing LDAP write operations, you must develop or obtain one.

2. If you allow LDAP write access, use the directory database ACL, and optionally, extended ACL, to control the directory changes that LDAP users can make.

3. Enable schema checking for the LDAP service to require that directory changes made via LDAP conform to the directory schema. By default schema checking is disabled, if you allow LDAP write operations, enabling it is recommended to maintain consistent directory contents.

4. The Administration Process server task doesn't respond to LDAP write operations. For example, if an LDAP user deletes a Person document, the Administration Process can't delete the associated user name from database ACLs.

5. The LDAP service can carry out an LDAP write operation in a secondary Domino Directory or extended directory catalog only if that directory is stored locally on the server that runs the LDAP service. If the LDAP service receives a write operation request for a Domino Directory on a remote server, it sends an LDAP referral to the client. The LDAP service refers the client to the administration server for the directory. If there is no administration server specified, it refers the client to the remote server that stores the directory. The client must then follow the referral itself.

6. The distinguished names of directory entries are limited to 256 characters. Distinguished names do not have to conform to the standard Notes® naming model of organizational unit (ou), organization (o), and country (c). For example, distinguished names such as these are acceptable:

7. Prior to doing batch adds of 100 or more directory entries, you can use the NOTES.INI setting LDAPBatchAdds to process the additions more quickly. Disable the setting when the batch adds are complete.

8. You cannot modify the value of an entry's structural object class attribute.

Related concepts
Customizing the LDAP service configuration
The LDAP service

Related tasks
Enabling or disabling LDAP write access to a directory served by the LDAP service
Directory assistance for the LDAP service
Configuring how the LDAP service responds to multiple name matches when processing write and compare operations