The LDAP service and directory tree verification

When the LDAP service starts on the server that is the administration server for the primary Domino® Directory, it displays certain messages at the server console. These messages indicate that the LDAP service is verifying that each part of a Notes-style distinguished name in a document in the directory has a separate document to define the name part. If the LDAP service detects that a part of a name is missing such a corresponding document, it creates one in a hidden view. Creating an additional document in this way ensures that LDAP clients can always use subtree searches to find the original document.

Messages are:

LDAP server: "Started verifying Directory Tree on filename"
LDAP server: "Finished verifying Directory Tree on filename"

For example, if the distinguished name in a Person document is Phyllis Spera/Boston/Renovations, and there is no Domino Certifier document registered for the organizational unit Boston, the LDAP service creates an organizationalUnit document for Boston. Then, an LDAP user can use a search filter that specifies a search base of "ou=Boston,o=Renovations" with the subtree scope to find the entry cn=Phyllis Spera,ou=Boston,o=Renovations.

If the server running the LDAP service is the administration server for a Domino Directory or Extended Directory Catalog, the LDAP service can verify the directory tree. The LDAP service does not verify the directory tree for a Configuration Directory or for a condensed Directory Catalog.

The LDAP service can create three types of documents, depending on which part of a Notes® distinguished name is missing one: country, organizationalUnit, and organization documents. The LDAP service adds such a document when:

  • A Notes user name is registered with a unique organizational unit that is not controlled by a certifier. In this case, the LDAP service creates an organizationalUnit document.
  • A Notes user name is registered with a country part. In this case, the LDAP service creates a country document.
  • An administrator creates a document manually that contains a Notes-style distinguished name with an organizational unit or organization that doesn't correspond to a Notes certifier document. In this case, the LDAP service creates an organizationalUnit or an organization document.

Directory tree verification applies only to the distinguished names of documents that are added and visible through Notes, since entries added through the LDAP protocol always have an object class defined for each distinguished name part.
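The following is an added example (not Domino code) that models the check described above: it converts a Notes-style distinguished name into its LDAP name parts and reports which ancestor entries (ou, o, c) have no defining document and would therefore be created. It assumes a Notes name is given either in canonical form (`CN=.../OU=.../O=.../C=..`) or in abbreviated form (`Phyllis Spera/Boston/Renovations`, first part the common name, last part the organization, the rest organizational units); the country part is only recognised in canonical form.

```python
# Added example, not Domino code: a model of what LDAP directory tree
# verification checks for one Notes-style distinguished name.

# Document type the LDAP service creates for each missing name part (from the page).
OBJECT_CLASS_FOR_PART = {"ou": "organizationalUnit", "o": "organization", "c": "country"}


def parse_notes_name(notes_name):
    """Return the name as LDAP RDNs, leaf first, e.g.
    [('cn', 'Phyllis Spera'), ('ou', 'Boston'), ('o', 'Renovations')]."""
    parts = [p.strip() for p in notes_name.split("/") if p.strip()]
    if not parts:
        raise ValueError("empty Notes name")
    if all("=" in p for p in parts):
        # Canonical form: every part carries its label (CN=, OU=, O=, C=).
        rdns = [(p.split("=", 1)[0].strip().lower(), p.split("=", 1)[1].strip()) for p in parts]
    else:
        # Abbreviated form: labels assigned by position (assumption of this example).
        rdns = [("cn", parts[0])]
        rdns += [("ou", p) for p in parts[1:-1]]
        if len(parts) > 1:
            rdns.append(("o", parts[-1]))
    for attr, _ in rdns:
        if attr != "cn" and attr not in OBJECT_CLASS_FOR_PART:
            raise ValueError(f"unsupported name part: {attr}")
    return rdns


def ldap_dn(rdns):
    """Join RDNs into an LDAP DN string such as cn=Phyllis Spera,ou=Boston,o=Renovations."""
    return ",".join(f"{attr}={value}" for attr, value in rdns)


def missing_parent_entries(notes_name, existing_dns):
    """List (objectClass, DN) for every ancestor of the name that has no defining
    document, nearest ancestor first. existing_dns is the set of DNs that already
    have a Certifier, organizationalUnit, organization or country document
    (constructed input; comparison is case-insensitive)."""
    rdns = parse_notes_name(notes_name)
    known = {dn.lower() for dn in existing_dns}
    missing = []
    for i in range(1, len(rdns)):
        parent = ldap_dn(rdns[i:])
        if parent.lower() not in known:
            missing.append((OBJECT_CLASS_FOR_PART[rdns[i][0]], parent))
    return missing
```

Running `missing_parent_entries("Phyllis Spera/Boston/Renovations", ["o=Renovations"])` reproduces the page's example: only `ou=Boston,o=Renovations` lacks a document, so an organizationalUnit entry is the one that would be created.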

Running directory tree verification manually

You can run directory tree verification manually, for example if you've added documents to a directory since you last started the LDAP service. To run directory tree verification manually, enter this command from the Domino Directory administration server:

Tell Ldap VerifyDIT

Finding the documents that directory tree verification creates

To find the documents created by directory tree verification, use an LDAP client and specify the following search filter:

"creatorsname=servername"

where servername is the name of the Domino server that created the documents. Specify the name in LDAP format, for example:

"creatorsname=cn=westserver,o=renovations"