Requiring distinguished logon names for LDAP name-and-password security

To conform to RFCs 2251 through 2254, you can use the LDAP service option DN Required on Bind? to require that an LDAP client that binds using name-and-password security to any LDAP service running in the domain use their fully qualified LDAP distinguished name as their LDAP client logon name. In a Person document in the Domino® Directory, the distinguished name is the first value in the FullName field, labeled User Name. By default, the LDAP service doesn't require an LDAP client to use the distinguished name as a logon name.

About this task

If you do not require distinguished names as logon names for name-and-password security, the Internet authentication field on the Security tab of a Server document for a server that runs the LDAP service controls which client logon names are allowed for name-and-password security.

To enable or disable the requirement that LDAP users use their distinguished names as log on names when using name-and-password security when binding to the LDAP service:


  1. From the Domino® Administrator, open a server that runs the LDAP service, or a server in the same domain as a server that runs the LDAP service.
  2. Click the Configuration tab.
  3. In the navigation pane, expand Directory, then LDAP, and then select Settings.
  4. Do one of the following:
    • If you see the prompt Unable to locate a Server Configuration document for this domain. Would you like to create one now? click Yes, then click the LDAP tab on the document that is created.
    • If you do not see this prompt, click Edit LDAP Settings.
  5. Next to DN Required on Bind? choose one:
    • Yes to require distinguished names as LDAP client logon names for name-and-password security.
    • No (default) to not require distinguished names for client logon names.
  6. Click Save & Close.