How the LDAP service works

When the LDAP task is running on a server, the server can listen for and process LDAP client requests. By default, the LDAP task runs automatically on the administration server for the Domino® Directory. The schema daemon spawned by the LDAP task on the administration server uses the Domino® LDAP Schema database to propagate schema changes to any other servers in the domain that run the LDAP service. The LDAP task on the administration server for the Domino® Directory of the LDAP service domain also verifies the directory tree, to ensure the LDAP service complies with the standard LDAP requirement that each part of a distinguished name has an entry in the directory that represents the name part as an object class.

In addition to using its primary Domino® Directory for processing LDAP requests, the LDAP service can extend LDAP request processing to directory catalogs and secondary Domino® directories, and can refer LDAP clients to remote LDAP directories, if processing is unsuccessful in any Domino® Directory or directory catalog.

By default, the LDAP task listens for LDAP client requests over TCP/IP port 389 and accepts both anonymous connections and connections that bind using name-and-password security. The LDAP service can also listen for requests over an SSL port, usually port 636. Over the SSL port, the LDAP service can accept requests from anonymous LDAP clients and from LDAP clients authenticated using name-and-password security and/or X.509 certificates.

To search for an entry specified in an LDAP request, the LDAP service does either a view lookup or a full-text search, depending on the search filter specified in the request. View lookups are typically faster than full-text index searches.

Note: The LDAP service always does a full-text search to locate information in a condensed directory catalog.

When an LDAP search filter specifies a name or mail attribute, the LDAP service uses views to quickly locate entries. The PUBNAMES.NTF template design property for these hidden views has Universal with Unicode standard sorting selected for the sort order. Unicode provides a unique definition for every character an LDAP client can specify regardless of the language configured on the client. Using Unicode sorting, the LDAP service can accurately process LDAP requests specified in different languages when using these views.

If an LDAP search filter searches for an attribute other than a name or mail attribute, the LDAP service searches the full-text index, if one exists. If no full-text index exists, the LDAP service uses a view, but the search will take longer than the full-text index search.
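The lookup-path selection described above, as an added example that is not Domino code: it parses an RFC 4515 search filter, collects the attributes it references, and applies the rules on this page (name/mail attribute: view lookup; other attribute: full-text index if one exists, otherwise a slower view; condensed directory catalog: always full-text). The set of "name" attributes and the handling of compound filters that mix both kinds are assumptions, not product behaviour.

```python
# Assumed set of attributes served from the name/mail views. The page only says
# "name or mail attribute"; this list is an illustration, not Domino's own.
VIEW_ATTRIBUTES = {"cn", "sn", "givenname", "uid", "mail"}


def parse_filter_attributes(filt: str) -> list[str]:
    """Return the attribute names referenced by an RFC 4515 filter string.

    Handles nesting with &, |, ! and simple items (attr=val, attr~=val,
    attr>=val, attr<=val, attr=*, attr:rule:=val). Raises ValueError on
    syntax errors. Literal ')' inside a value must be escaped as \\29.
    """
    attrs: list[str] = []
    pos = 0

    def item() -> None:
        nonlocal pos
        if pos >= len(filt) or filt[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        if pos < len(filt) and filt[pos] in "&|!":
            pos += 1  # compound filter: parse each nested item
            while pos < len(filt) and filt[pos] == "(":
                item()
        else:
            end = filt.index(")", pos)
            body = filt[pos:end]
            eq = body.find("=")
            # Attribute precedes the operator; strip ~ > < and any :rule: suffix.
            name = body[:eq].rstrip("~<>").split(":")[0].strip().lower()
            if eq < 0 or not name:
                raise ValueError(f"malformed filter item {body!r}")
            attrs.append(name)
            pos = end
        if pos >= len(filt) or filt[pos] != ")":
            raise ValueError(f"expected ')' at offset {pos}")
        pos += 1

    item()
    if pos != len(filt):
        raise ValueError("trailing characters after filter")
    return attrs


def lookup_path(filt: str, condensed_catalog: bool = False,
                has_fulltext_index: bool = True) -> str:
    """Classify the lookup the page describes for this filter."""
    attrs = parse_filter_attributes(filt)
    if condensed_catalog:
        return "full-text"  # condensed directory catalog: always full-text
    if all(a in VIEW_ATTRIBUTES for a in attrs):
        return "view"  # name/mail attributes only: fast view lookup
    # Assumption: a filter mixing name/mail and other attributes takes the
    # slower path, since the non-name attribute is not covered by a view.
    return "full-text" if has_fulltext_index else "view (slower, no full-text index)"
```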

Note: The first value in the FullName field defines the distinguished name for any entry in the Domino® Directory except a Domino® Group or Domino® Server; the first value in the ListName field defines the distinguished name for a Domino® Group, and the first value in the ServerName field defines the distinguished name for a Domino® Server.