Planning the LDAP service

A IBM® Domino® server that runs the LDAP task functions as an LDAP directory server, ready to process requests from LDAP clients. Such requests can come from any of the popular Web browser clients that have built-in LDAP support to retrieve directory information, or from custom LDAP applications designed to search for and manage directory information.

About this task

Some of the questions to ask when planning for the LDAP service are:

  • What levels of LDAP client authentication do you want to use? Anonymous access, enabled by default, allows LDAP clients to connect without providing names and authentication credentials, such as password or certificates. Typically you allow LDAP clients connecting anonymously only read access to the directory.
  • Should you use an extended ACL to control LDAP access to the directory? An extended ACL provides more granular directory access control than the database ACL alone supports. If you use an extended ACL, the database ACL and extended ACL control Anonymous LDAP search access as well as anonymous access for the other supported client protocols. If you do not use an extended ACL, a Configuration Settings document controls Anonymous LDAP search access.
  • Should you create a full-text index for the Domino® Directory? If your LDAP clients typically use search filters that search for names or mail addresses, then it is not necessary to full-text index the directory. If LDAP clients user other types of search filters, creating a full-text index for the directory is recommended, so the LDAP service can process these kinds of requests more quickly by searching a full-text index.
  • Do you need to extend the schema to add support for new object classes or attributes? You may need to extend the schema if your company has LDAP applications that search for application-specific information. You can use the Domino® LDAP Schema database (schema.nsf) to extend the schema, or add forms and fields to the directory. Using the Schema database is recommended.

Planning directory assistance for the LDAP service

About this task

You can set up directory assistance on a server that runs the LDAP service so the LDAP service can extend client LDAP requests to a secondary Domino® Directory or to a remote LDAP directory. Some of the issues to consider with respect to setting up the LDAP service to use directory assistance for a secondary Domino® Directory include:

  • What access do you want LDAP clients to have to the secondary Domino® Directory? You control LDAP access separately for each Domino® Directory or extended directory catalog the LDAP service serves.
  • If you use a custom LDAP application to administer the directory, the LDAP service allows the application to modify the directory only if the directory is stored locally on the server running the LDAP service. If the secondary Domino® Directory is stored on a remote server, the LDAP service can return a referral to that server instead or processing the LDAP operations itself.

Some of the issues to consider with respect to setting up the LDAP service to use directory assistance to refer LDAP clients to a remote LDAP directory include:

  • The LDAP service can never process an LDAP search, add, or modify request in a remote LDAP directory. It can only refer LDAP clients to a remote LDAP directory.
  • By default the LDAP service can return a given LDAP client a referral to only one remote LDAP directory. If you want to enable the LDAP service to return an LDAP client more than one referral so that an LDAP client can follow up with alternate referral if the directory server specified in the first referral is unavailable, you must increase the Maximum number of referrals setting for the LDAP service.
  • You can specify alternate LDAP directories for referral in one Directory Assistance document for a remote LDAP directory.
Note: The LDAP service, like any Domino® Internet protocol server, can use directory assistance to authenticate its clients using credentials in a secondary directory, and to use groups in a secondary directory for database authorization.