Enabling or disabling LDAP write access to a directory served by the LDAP service

By default, the LDAP service does not allow LDAP clients to modify the directories the LDAP service serves. If you enable directory changes to be made via LDAP, the directory database ACL and, optionally, an extended ACL, control the extent to which authenticated and anonymous LDAP users can modify directory entries.

About this task

For example, an LDAP user with Editor database ACL access can modify all entries, whereas an LDAP user with only Author database ACL access and the UserModifier role can modify only Person entries and not other entries.

To enable or disable LDAP write access to the primary Domino® Directory of the LDAP service, or to a secondary Domino Directory or Extended Directory Catalog the LDAP service serves:

Procedure

  1. From the Domino Administrator, open the directory for which you want to enable write access.
  2. Select the Servers > Configurations view.
  3. If you do not see a domain Configuration Settings document in the view, a document named * - [All Servers], skip to step 4. If you see this document, do the following:
    1. Open the document
    2. Click the LDAP tab.
    3. Click Edit Server Configuration.
  4. If you do not see a domain Configuration Settings document in the view, create one by doing the following:
    1. Click Add Configuration.
    2. On the Basics tab select Yes next to Use these settings as the default settings for all servers.
    3. Click the LDAP tab.
    Tip: If you are enabling write access for the primary Domino Directory in the domain, a shortcut for steps 2-4 is: from the Domino Administrator open the server that stores the directory. Click the Configuration tab and expand Directory > LDAP, and then select Settings; click Edit LDAP Settings.
  5. For Allow LDAP users write access, select one:
    • Yes to allow directory changes via LDAP.
    • No (default) to prevent directory changes via LDAP.
  6. Click Save & Close.
  7. For each server in the domain that runs the LDAP service, do the following:
    1. If you enabled LDAP write access, set up the database ACL, and optionally extended ACL, to specify the directory contents that LDAP users can modify.
      Note: To allow users to modify documents in the directory, the Maximum Internet name-and-password access setting in the Advanced pane of the database Access Control dialog must be set to Editor access or higher.
    2. Configure how the LDAP service responds when it finds more than one occurrence of a name specified in an LDAP write operation.