Directory assistance in conjunction with a condensed directory catalog

Condensed directory catalogs are optimized for small size and client use. In this release of Domino®, using a condensed directory catalog on a server is no longer supported. If you created condensed directory catalogs and are using them on servers running earlier releases, they will continue to operate, but are not recommended.

Note: Do not create a Directory Assistance document for a condensed directory catalog itself, only for the directories aggregated into the directory catalog.

Using directory assistance to look up information not aggregated into a condensed directory catalog

While you always aggregate fields containing mail addressing information into a condensed directory catalog to support the common task of looking up users' mail addresses, typically you would not aggregate fields containing information such as the following, because this would make the directory catalog too large:

  • X.509 certificates used for client authentication
  • Information LDAP clients only occasionally search for
  • Notes® users' public keys used to send encrypted mail

Instead, set up directory assistance for a Domino® Directory aggregated into the directory catalog, so servers can use directory assistance to look up the missing information directly in the Domino® Directory. Each entry in a condensed directory catalog includes the replica ID of the Domino® Directory from which the entry was derived and the UNID for the entry, a unique ID associated with a replicated document. When the condensed directory catalog doesn't aggregate a field being searched for, a server uses this directory catalog information, together with information available through directory assistance, to quickly access the complete entry in the Domino® Directory. Searching a Domino® Directory by keying off entries in a condensed directory catalog is faster than using directory assistance alone to locate and search the Domino® Directory.

If you aggregate a Domino® Directory into a condensed directory catalog, and you do not also set up directory assistance for the directory itself, a server cannot use the directory to look up information omitted from the directory catalog.

If you set up directory assistance for a Domino® Directory but do not aggregate the directory into a condensed directory catalog, a server can use directory assistance to search the Domino® Directory after searching the directory catalog.

Note: If a Domino® Directory is aggregated into a condensed directory catalog, but a particular entry from the directory is not aggregated, for example because a selection formula excludes it, servers cannot use directory assistance to look up the missing entry directly in the Domino® Directory.

Using directory assistance trust for client authentication on one or some directories aggregated into a condensed directory catalog

To indicate that a server should trust for client authentication all directories aggregated into a condensed directory catalog, select the option "Trust the server based condensed directory catalog for authentication with internet protocols" on the Basics tab of the server's Server document in the Domino® Directory. In this case, directory assistance is not required to indicate trust.

However, to tell a server to trust for client authentication only one or some directories aggregated in a condensed directory catalog, create a Directory Assistance document in a directory assistance database for each of the aggregated Domino® Directories to be trusted. In the Directory Assistance document for each such directory, do the following:

  • On the Basics tab, for "Make this domain available to", select "Notes clients and Internet Authentication/Authorization".
  • On the Naming Contexts (Rules) tab, enable at least one rule that corresponds to the names to be authenticated, and select "Trusted for Credentials" for the rule.
  • On the Replicas tab, include the replica of the Domino® Directory that the Dircat task uses to aggregate the directory into the condensed directory catalog. Note that you do not include the replica of the directory catalog.

Note: You are not required to store user passwords, and you should not store X.509 certificates, in a condensed directory catalog. Instead, you can set up directory assistance for the secondary Domino® Directories that are aggregated to enable servers to find the passwords/X.509 certificates.
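
The following added example (not part of the product documentation, and not a Domino API) audits which aggregated directories end up trusted for client authentication under the two approaches described above. The DADoc structure, its field names, the domain names and the replica IDs are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

# Label of the "Make this domain available to" choice, as worded on this page.
AUTH_SCOPE = "Notes clients and Internet Authentication/Authorization"

@dataclass
class DADoc:  # hypothetical export of one Directory Assistance document
    domain: str
    available_to: set   # Basics tab
    rules: list         # Naming Contexts (Rules) tab: (enabled, trusted_for_credentials)
    replicas: set       # Replicas tab: replica IDs

def audit_trust(server_trusts_catalog, catalog_replica, aggregated, da_docs):
    """aggregated: domain -> replica ID the Dircat task aggregates from.
    Returns domain -> (trust_source, findings); trust_source is None when the
    Directory Assistance setup does not meet the conditions listed above."""
    docs = {d.domain: d for d in da_docs}
    report = {}
    for domain, source_replica in aggregated.items():
        if server_trusts_catalog:
            # Server document option: every aggregated directory is trusted.
            report[domain] = ("server-document", [])
            continue
        doc, findings = docs.get(domain), []
        if doc is None:
            findings.append("no Directory Assistance document")
        else:
            if AUTH_SCOPE not in doc.available_to:
                findings.append("domain not available for Internet authentication")
            if not any(enabled and trusted for enabled, trusted in doc.rules):
                findings.append("no enabled rule is Trusted for Credentials")
            if source_replica not in doc.replicas:
                findings.append("Dircat source replica missing from Replicas tab")
            if catalog_replica in doc.replicas:
                findings.append("Replicas tab lists the directory catalog itself")
        report[domain] = (None if findings else "directory-assistance", findings)
    return report

# Constructed sample data; replica IDs and domain names are made up.
AGGREGATED = {"East": "REPLICA-EAST", "West": "REPLICA-WEST", "Partner": "REPLICA-PARTNER"}
DA_DOCS = [
    DADoc("East", {AUTH_SCOPE}, [(True, True)], {"REPLICA-EAST"}),
    DADoc("West", {AUTH_SCOPE}, [(True, False)], {"REPLICA-CATALOG"}),
]

if __name__ == "__main__":
    for domain, result in audit_trust(False, "REPLICA-CATALOG", AGGREGATED, DA_DOCS).items():
        print(domain, result)
```

Running the same audit with the server-wide option set to True shows every aggregated directory, including ones with no Directory Assistance document, reported as trusted.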