Configuring anonymous LDAP search access to a directory

You can allow anonymous LDAP access to a directory if the TCP/IP and/or SSL port configuration for the LDAP service allows it.

If the TCP/IP and/or SSL port configuration for the LDAP service allows anonymous LDAP access, use one of these methods to specify which information anonymous LDAP users can search in an IBM® Domino® Directory or an Extended Directory Catalog served by the LDAP service:

  • Domain Configuration Settings document
  • Database ACL/extended ACL

You specify anonymous search access separately for each directory the LDAP service serves.

Note: Always use the directory database ACL, optionally with an extended ACL, to control directory access for authenticated LDAP users, and to prevent anonymous LDAP users from modifying the directory.

Domain Configuration Settings document

By default, search access for anonymous LDAP users is determined by the Choose fields that anonymous users can query via LDAP setting on the LDAP tab of the domain Configuration Settings document in a Domino® Directory or Extended Directory Catalog. Even if you never create that document, the LDAP service applies the setting's default values as the anonymous search access.

You can modify the Choose fields that anonymous users can query via LDAP setting to customize search access for anonymous LDAP users.

Database ACL/Extended ACL

You can use the database ACL along with an extended ACL to define anonymous LDAP search access to a directory, rather than use the domain Configuration Settings document.

Choosing which method to use

The database ACL/extended ACL is a more flexible way to control anonymous LDAP search access than the domain Configuration Settings document. When you use the domain Configuration Settings document to allow or deny access to an attribute, the decision applies to every entry that contains the attribute. With the database ACL/extended ACL, you can deny access to an attribute in entries under one branch of the directory tree while allowing access to the same attribute in entries under other branches, or deny access to the attribute in one type of entry throughout the directory while allowing it in another type of entry.
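The following is an added example, not code from the Domino documentation or product, that models the scoping difference described above: a flat per-attribute allow list (the Configuration Settings document) versus rules that can be scoped to a directory branch or an entry type (the extended ACL). The directory entries, DNs, attribute names and the rule structure are constructed assumptions; the real extended ACL has more dimensions than this model shows.

```python
"""Illustrative model of two ways to scope anonymous LDAP search access.

This is an added example, not Domino code. The entries, DNs, attribute names
and the XaclRule shape are constructed for illustration only.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Constructed sample directory: Domino-style person and group entries.
SAMPLE_ENTRIES: List[Dict[str, str]] = [
    {"dn": "cn=Alice Ahmed,ou=Engineering,o=Acme", "objectclass": "dominoPerson",
     "cn": "Alice Ahmed", "mail": "alice@acme.example", "telephonenumber": "+1 555 0100"},
    {"dn": "cn=Bob Brown,ou=Contractors,o=Acme", "objectclass": "dominoPerson",
     "cn": "Bob Brown", "mail": "bob@contractor.example", "telephonenumber": "+1 555 0101"},
    {"dn": "cn=Sales Team,ou=Engineering,o=Acme", "objectclass": "dominoGroup",
     "cn": "Sales Team", "mail": "sales@acme.example"},
]


def config_doc_search(entries, anonymous_fields):
    """Configuration Settings document model: one flat list of attribute names
    that anonymous users may query. Visibility depends only on the attribute
    name, never on where the entry lives or what kind of entry it is."""
    allowed = {a.lower() for a in anonymous_fields}
    return [{k: v for k, v in e.items() if k == "dn" or k.lower() in allowed}
            for e in entries]


@dataclass(frozen=True)
class XaclRule:
    """Simplified extended-ACL rule (an assumption, not the real Domino schema).
    Applies to entries at or below `subtree`; if `objectclass` is set, only to
    entries of that class. Later rules override earlier ones."""
    subtree: str
    attributes: FrozenSet[str]
    allow: bool
    objectclass: Optional[str] = None


def _in_subtree(dn: str, subtree: str) -> bool:
    dn, subtree = dn.lower(), subtree.lower()
    return dn == subtree or dn.endswith("," + subtree)


def xacl_search(entries, rules):
    """Extended ACL model: the same attribute can be allowed in one branch or
    entry type and denied in another, which the flat list cannot express."""
    results = []
    for e in entries:
        allowed = set()
        for r in rules:
            if not _in_subtree(e["dn"], r.subtree):
                continue
            if r.objectclass and r.objectclass.lower() != e["objectclass"].lower():
                continue
            attrs = {a.lower() for a in r.attributes}
            allowed = allowed | attrs if r.allow else allowed - attrs
        results.append({k: v for k, v in e.items()
                        if k == "dn" or k.lower() in allowed})
    return results


# Flat list: denying "mail" hides it in every entry, contractors and staff alike.
DEMO_FIELDS = ["cn", "telephoneNumber"]

# Scoped rules: allow mail at the root, deny it under ou=Contractors and in groups.
DEMO_RULES = [
    XaclRule("o=Acme", frozenset({"cn", "mail", "telephoneNumber"}), allow=True),
    XaclRule("ou=Contractors,o=Acme", frozenset({"mail"}), allow=False),
    XaclRule("o=Acme", frozenset({"mail"}), allow=False, objectclass="dominoGroup"),
]


if __name__ == "__main__":
    for label, rows in (("config doc", config_doc_search(SAMPLE_ENTRIES, DEMO_FIELDS)),
                        ("extended ACL", xacl_search(SAMPLE_ENTRIES, DEMO_RULES))):
        print(label)
        for row in rows:
            print("  ", row["dn"], "->", sorted(k for k in row if k != "dn"))
```

Whichever method you choose, confirm the result from outside rather than trusting the configuration: run an unauthenticated search such as `ldapsearch -x -H ldap://<server> -b "o=Acme" "(cn=*)" mail telephoneNumber` and check that only the attributes you intended appear, then repeat the search with an authenticated bind to confirm the database ACL still applies the expected access for authenticated users.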

However, extended access has implications that do not apply to the domain Configuration Settings document. After you enable extended access, you can make directory changes only on a directory replica located on a Domino® 6 or later server; you cannot make such changes on releases earlier than Domino® 6. The database ACL/extended ACL method also causes database security to be enforced for IBM® Notes® name lookups, such as type-ahead lookups. If the domain Configuration Settings document method meets your needs, consider using it instead.