

Using LDAP to modify a directory served by the LDAP service

By default, the LDAP service does not allow LDAP clients to modify the directories served by the LDAP service.

About this task

However, you can enable LDAP write access for the primary Domino Directory, a secondary Domino Directory, or an extended directory catalog, so that LDAP users who also have the required database access can modify that directory.

You control LDAP write access separately for each directory. For example, you could enable write access for the primary Domino Directory, and leave write access disabled for an extended directory catalog.

Note: You cannot enable LDAP write access to a condensed directory catalog served by the LDAP service.

Keep the following points in mind if you enable LDAP write access for a directory:

Procedure

1. Domino does not provide a tool for doing LDAP write operations; you must develop or obtain one, for example a standard LDAP client library or command-line utility.

2. If you allow LDAP write access, use the directory database ACL, and optionally an extended ACL, to control which directory changes LDAP users can make. Enabling write access only permits the operation at the protocol level; the ACL and extended ACL are what actually restrict who can change which documents and fields.

3. Enable schema checking for the LDAP service to require that directory changes made through LDAP conform to the directory schema. Schema checking is disabled by default; if you allow LDAP write operations, enabling it is recommended so that the directory contents stay consistent.

4. The Administration Process server task does not act on changes made through LDAP write operations. For example, if an LDAP user deletes a Person document, the Administration Process does not remove the associated user name from database ACLs, so stale ACL entries left behind by LDAP deletions must be cleaned up by other means.

5. The LDAP service can carry out an LDAP write operation in a secondary Domino Directory or extended directory catalog only if that directory is stored locally on the server that runs the LDAP service. If the LDAP service receives a write request for a Domino Directory stored on a remote server, it does not forward the operation; instead it returns an LDAP referral to the client. The referral points to the administration server for the directory or, if no administration server is specified, to the remote server that stores the directory. The client must then follow the referral itself.

6. The distinguished names of directory entries are limited to 256 characters. Distinguished names do not have to conform to the standard Notes® naming model of organizational unit (ou), organization (o), and country (c). For example, distinguished names such as these are acceptable:


7. Before doing batch adds of 100 or more directory entries, you can set the NOTES.INI setting LDAPBatchAdds so that the additions are processed more quickly. Remove the setting when the batch adds are complete.

8. You cannot modify the value of an entry's structural object class attribute.
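Because Domino ships no LDAP write tool (point 1), the client you build has to handle the referral described in point 5 and respect the 256-character DN limit in point 6. The following is an added example, not Domino or HCL code: a small Python modify client that checks the DN, sends the modify, and, when the server answers with an LDAP referral (result code 10), follows it by hand with a hop limit. It assumes the third-party ldap3 library for the wire protocol; the hostnames, credentials, DNs, and the result dictionaries in the test are placeholders and constructed input.

```python
"""Added example: LDAP modify client that follows Domino referrals by hand."""
from typing import Optional, Tuple
from urllib.parse import urlparse

DN_MAX_LEN = 256            # distinguished-name limit stated by the Domino documentation
LDAP_RESULT_REFERRAL = 10   # LDAP resultCode "referral" (RFC 4511)
MAX_REFERRAL_HOPS = 3       # guard against referral loops between servers


def check_dn(dn: str) -> str:
    """Reject distinguished names the Domino LDAP service will not accept (empty or > 256 chars)."""
    if not dn or len(dn) > DN_MAX_LEN:
        raise ValueError(f"DN must be 1..{DN_MAX_LEN} characters, got {len(dn)}")
    return dn


def parse_referral(url: str) -> Tuple[str, int, bool]:
    """Return (host, port, use_ssl) from an LDAP URL referral such as ldap://admin.example.com/."""
    u = urlparse(url)
    if u.scheme not in ("ldap", "ldaps") or not u.hostname:
        raise ValueError(f"not an LDAP referral URL: {url!r}")
    use_ssl = u.scheme == "ldaps"
    return u.hostname, u.port or (636 if use_ssl else 389), use_ssl


def referral_target(result: dict) -> Optional[Tuple[str, int, bool]]:
    """Given an ldap3-style result dict, return the server to retry against, or None.

    A write aimed at a directory stored on another server comes back with
    resultCode 10 and one or more LDAP URLs; the first parsable one is used.
    """
    if result.get("result") != LDAP_RESULT_REFERRAL:
        return None
    for url in result.get("referrals") or []:
        try:
            return parse_referral(url)
        except ValueError:
            continue  # skip malformed referral URLs and try the next one
    return None


def modify_with_referrals(host: str, port: int, user: str, password: str,
                          dn: str, changes: dict, use_ssl: bool = False) -> dict:
    """Send an LDAP modify and follow at most MAX_REFERRAL_HOPS referrals manually.

    auto_referrals=False keeps ldap3 from silently re-binding with our
    credentials to whatever host a referral names; we decide where they go.
    """
    from ldap3 import Connection, Server  # assumption: ldap3 is installed

    check_dn(dn)
    for _hop in range(MAX_REFERRAL_HOPS + 1):
        server = Server(host, port=port, use_ssl=use_ssl)
        conn = Connection(server, user=user, password=password,
                          auto_bind=True, auto_referrals=False)
        try:
            ok = conn.modify(dn, changes)
            result = dict(conn.result)
        finally:
            conn.unbind()
        if ok:
            return result
        target = referral_target(result)
        if target is None:
            raise RuntimeError(
                f"modify failed: {result.get('description')} {result.get('message')}")
        host, port, use_ssl = target  # retry against the referred server
    raise RuntimeError("too many referral hops")


if __name__ == "__main__":
    from ldap3 import MODIFY_REPLACE  # assumption: ldap3 is installed
    # Placeholder server, credentials and DN; replace with real values.
    print(modify_with_referrals(
        "ldap.example.com", 389, "cn=Directory Admin,o=Example", "secret",
        "cn=Jane Doe,ou=Sales,o=Example",
        {"mail": [(MODIFY_REPLACE, ["jane.doe@example.com"])]}))
```

Two design choices matter here. Leaving referral chasing to the library would re-send the bind credentials to any host named in the referral, so the client parses the URL itself and can restrict the hosts it is willing to bind to; in production, bind to the referred server over TLS (an ldaps URL or StartTLS) rather than in the clear. The hop limit stops a misconfigured pair of servers from referring the client back and forth indefinitely.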

Related concepts
Customizing the LDAP service configuration
The LDAP service

Related tasks
Enabling or disabling LDAP write access to a directory served by the LDAP service
Directory assistance for the LDAP service
Configuring how the LDAP service responds to multiple name matches when processing write and compare operations