Home
Configuring
Use this information to configure an IBM® Domino® network, users, servers (including Web servers), directory services, security, messaging, widgets and live text, and server clusters. Also use this information to set up IBM iNotes® on a server using Domino Off-Line Services (DOLS).
Configuring directory services
This section describes how to plan, set up, and use IBM® Domino® directory services.
Directory assistance
Directory assistance allows a server to look up information in a directory other than a local primary Domino® Directory (NAMES.NSF).
Directory assistance concepts
Before you set up directory assistance, read about these directory assistance concepts.
Directory assistance for the primary Domino® Directory
A server with a local replica of its primary Domino® Directory searches the directory automatically without the use of directory assistance.
Limiting directories to authentication-only lookups
You can limit the use of a directory to authentication.

Configuring
Use this information to configure an IBM® Domino® network, users, servers (including Web servers), directory services, security, messaging, widgets and live text, and server clusters. Also use this information to set up IBM iNotes® on a server using Domino Off-Line Services (DOLS).
- Configuring a network
  This section presents the planning concepts and setup procedures necessary for a successful IBM® Domino® deployment over a network. It provides information on network protocols from a Domino perspective but does not attempt to provide general network information.
- Configuring users and servers
  Topics in this section describe how to set up users and servers.
- Editing the NOTES.INI file
  You should rarely, if ever, need to modify a server's or client's NOTES.INI file. The NOTES.INI file contains many settings that Domino® and Notes® rely on to work properly. An accidental or incorrect change may cause Domino or Notes to run unpredictably. Therefore, you should edit the NOTES.INI file only if special circumstances occur or if IBM® Support Services recommends that you do so.
- Configuring directory services
  This section describes how to plan, set up, and use IBM® Domino® directory services.
  - The Domino® Directory
    The Domino® Directory, which some previous releases referred to as the Public Address Book or Name and Address Book, is a database that Domino creates automatically on every server. The Domino Directory is a directory of information about users, servers, and groups, as well as custom entries you may add. Registering users and servers in a domain automatically creates corresponding Person documents and Server documents in the Domino Directory for the domain. These documents contain detailed information about each user and server.
  - The LDAP service
    Lightweight Directory Access Protocol (LDAP) is a standard Internet protocol for searching and managing entries in a directory, where an entry has one or more attributes associated with a distinguished name. A distinguished name -- for example, cn=Phyllis Spera,ou=Sales,ou=East,o=Renovations -- is a name that identifies an entry within a directory tree.
  - LDAP schema
    A directory entry contains information about a particular entity, or object -- for example, a person or a group -- and is associated with a distinguished name. An LDAP schema is a set of rules that define what can be stored as entries in an LDAP directory. Each LDAP directory has a default schema, which organizations can customize, or "extend," by adding elements to it. The elements of a schema are attributes, syntaxes, and object classes. LDAP directory servers provide the ability to enforce the schema to ensure that directory changes made using LDAP operations conform to it.
  - ldapsearch utility
    Domino® and Notes® provide a command-line search utility, LDAPSEARCH.EXE, that you use to search entries in any LDAP directory. The ldapsearch utility connects to a directory server and returns results that match search criteria you specify. It is available on Domino server and Notes client platforms.
  - Directory assistance
    Directory assistance allows a server to look up information in a directory other than a local primary Domino® Directory (NAMES.NSF).
    - How directory assistance works
      To configure directory assistance, you create a directory assistance database from the template DA.NTF, and replicate it to the servers that will use it. A server must have a local replica of a directory assistance database to use directory assistance. Then you add the database file name to the Directory Assistance database name field in the Domino® Directory Server documents of these servers.
    - Directory assistance services
      Before you set up directory assistance, read about the services directory assistance can provide.
    - Directory assistance concepts
      Before you set up directory assistance, read about these directory assistance concepts.
      - Directory assistance and naming rules
        When you configure directory assistance for a directory, you define at least one naming rule that corresponds to the names of users in the directory. Naming rules are based on the X.500 distinguished name model. This model uses a directory tree name hierarchy of country (c), organization (o), and organizational unit (ou) to divide names into parts that together represent unique locations in the directory tree. This is also the naming model Domino® and Notes® have traditionally used.
      - Directory assistance and domain names
        When you configure directory assistance for a directory you must configure a domain name for the directory that is unique within the directory assistance database. You use the Domain name field on the Basics tab of a Directory Assistance document to configure a directory's domain name.
      - Directory assistance and failover for a directory
        When you set up directory assistance for a directory, you can configure failover for the directory.
      - Directory assistance for an extended directory catalog
        Unless you integrate an extended directory catalog directly into a server's primary Domino® Directory, a server uses directory assistance look up information in an extended directory catalog.
      - Directory assistance in conjunction with a condensed directory catalog
        Condensed directory catalogs are optimized for small size and client use. In this release of Domino®, using a condensed directory catalog on a server is no longer supported. If you created condensed directory catalogs and are using them on servers running earlier releases, they will continue to operate, but are not recommended.
      - Directory assistance for the primary Domino® Directory
        A server with a local replica of its primary Domino® Directory searches the directory automatically without the use of directory assistance.
        Using directory assistance to control which replicas of a Domino® Directory server can be used
        A Configuration Directory is a small, selective replica of a domain Domino® Directory that contains only Domino configuration information. A server with a Configuration Directory looks up information related to directory services, such as information in user and group documents, in a full replica of the domain primary Domino Directory on a remote server.
        Using directory assistance to prevent the LDAP service from searching the primary Domino® Directory
        You can set up directory assistance for the primary Domino® Directory to prevent a server that runs the LDAP service from using the primary Domino Directory when processing LDAP requests. For example, you might want the LDAP service to use a secondary Domino Directory, but not the primary Domino Directory.
        Limiting directories to authentication-only lookups
        You can limit the use of a directory to authentication.
      - Number of directory assistance databases
        Before you set up directory assistance, plan how many directory assistance databases to use. You can create and configure one directory assistance database that all or most servers use. Or you can create more than one directory assistance database, with groups of servers -- for example servers within a domain -- each using specific ones.
    - Setting up directory assistance
      To set up directory assistance in an Domino® domain, complete these procedures.
    - Directory assistance examples
      These examples illustrate directory assistance for one secondary Domino® Directory, for an extended directory catalog, and for an extended directory catalog and a remote LDAP directory.
  - Directory catalogs
    A directory catalog is an optional directory database that typically contains information aggregated from multiple Domino® directories. Clients and servers can use a directory catalog to look up mail addresses and other information about the people, groups, mail-in databases, and resources throughout an organization, regardless of the number of Domino domains and Domino Directories the organization uses.
  - Extended ACL
    An extended access control list (ACL) is an optional directory access-control feature available for a directory created from the PUBNAMES.NTF template -- a Domino® Directory or an extended directory catalog. An extended ACL is tied to the database ACL, and you access it through the Access Control List dialog box using a Notes® or Domino Administrator client.
  - Setting up Domino® Active Directory synchronization
    When the Domino® server is installed on a Microsoft™ Windows™ 2003 server, as an administrator, you typically need to maintain two separate directories for the same set of people and groups. Maintaining user and group information involves adding entries to both directories, deleting entries, ensuring that passwords are the same when users use Notes® Single Logon, coordinating group membership in both directories, and ensuring that user or group settings, such as email addresses and telephone numbers, are identical.
- Configuring messaging
  This section provides an overview of messaging and describes how to set up mail routing, how to set up and customize mail servers, and how to track mail.
- Configuring iNotes®
  IBM® iNotes® (previously IBM Domino® Web Access) provides IBM Notes® users with browser-based access to Notes mail and to Notes calendar and scheduling features. Administrators specify mail policy and security policy settings as well as notes.ini file settings to complete the full implementation of IBM iNotes.
- Configuring Web servers
  This section describes how to set up the IBM® Domino® Web server, the Domino Web Navigator, and other Web servers such as IBM HTTP.
- Domino® Off-Line Services
  Domino® Off-Line Services (DOLS) provides a way for users to take Domino Web applications offline, work in them, and synchronize the changes with an online replica on the Domino server. Users are not required to have Notes® client because the applications are accessed with a browser.
- Setting up a cluster
  Setting up a cluster includes the tasks of creating and verifying that it is working correctly, and then setting up user access, mail, replications, size quotas, directory assistance, roaming, web navigation, and use of a private LAN in the cluster.

Limiting directories to authentication-only lookups

You can limit the use of a directory to authentication.

You may need to deploy a directory for authentication purposes only if:

You have both an Domino® and an LDAP directory that contain some identical names.
You do not use the LDAP directory names for mailing.
Your mail clients are experiencing "Ambiguous name" dialog boxes when sending mail.

It is becoming common practice to use a corporate LDAP server to provide authentication (userid/password) services for single sign-on (SSO) purposes. Often, these LDAP servers are not configured, deployed, or intended to support mail routing (or other Domino-based) directory lookups.

Because Domino® does not support a universal name mapping scheme for Domino-style identities (fullnames or distinguished names of the form cn=xxxx, ou=yyyy, o=zzzz) and the less (or differently) constrained distinguished name formats that are implemented by various LDAP directories, deploying an LDAP directory to be used for authorization can cause name ambiguity problems with some Domino® services if duplicate entries exist in the native Domino® directories and the LDAP directory being deployed. Since duplicate entries are usually the case if the LDAP directory is being deployed to allow SSO, or to provide LDAP-based authentication for Internet services, it is necessary to avoid sending certain lookups to the LDAP directories. Otherwise, sending email can result in an a large number of unnecessary lookups to the LDAP directory, thereby decreasing performance.

You indicate that a directory should be used only for authentication on the Basics tab of the Directory Assistance document as follows:

Set Group Authorization to Yes or enable one of the Naming Contexts (Rules) as Trusted for Credentials. This reveals a new setting: Use exclusively for Group Authorization or Credential Authentication.
The default setting for Use exclusively for Group Authorization or Credential Authentication is No. Change it to Yes to limit searches on this directory strictly for authentication.

If neither setting is enabled, the directory will be searched.

Have feedback?
Google Analytics is used to store comments and ratings. To provide a comment or rating for a topic, click Accept All Cookies or Allow All in Cookie Preferences in the footer of this page.