Directory assistance for the LDAP service

If a Domino® server runs the LDAP service, you can set up directory assistance for a Domino® Directory or extended directory catalog so that the LDAP service uses the directory to process LDAP client operations. You can also set up directory assistance for a remote LDAP directory so that the LDAP service can refer LDAP clients to the directory when a search is unsuccessful in any Domino® Directory or extended directory catalog.

Processing LDAP operations using a secondary Domino® Directory or extended directory catalog

About this task

The LDAP service can use a secondary Domino® Directory or an extended directory catalog to process LDAP client requests if there is a Directory Assistance document for the directory in a directory assistance database that the LDAP service uses, and LDAP Clients is selected in the Make this domain available to field on the Basics tab of the document. To prevent the LDAP service from using a Domino® Directory or extended directory catalog when processing LDAP client requests, do not select LDAP Clients in the Directory Assistance document for the directory. Naming rules configured for the directories affect which of the directories the LDAP service uses.

You control LDAP client access separately for each directory that the LDAP service uses. For example, you can allow anonymous LDAP users to access specific attributes in one directory, but not in another.

If the Domino® Directory or extended directory catalog is remote, the remote server does not have to run the LDAP service. To process an LDAP search request using a remote directory, the directory ACL on the remote server must give the server running the LDAP service Reader access through a "Server group" or "Server" user type entry if either of the following is true:

  • The search request comes from an authenticated LDAP client.
  • Extended access is enabled on the directory.

Servers typically have this required access through the LocalDomainServers and OtherDomainServers groups default access in the directory ACL.

The LDAP service does not process write operations to a remote Domino® Directory or extended directory catalog. Instead, it returns to the client an LDAP referral to the administration server for the directory or, if there is no administration server, to the server that stores the remote replica specified in the directory assistance database. This referral is returned regardless of whether the remote server runs the LDAP service.

Note: You can also use directory assistance to prevent the LDAP service from searching its primary Domino® Directory.

LDAP service referrals to a remote LDAP directory

About this task

If the LDAP service cannot find the information an LDAP client is searching for in the primary Domino® Directory, in a condensed directory catalog, or in a Domino® Directory or extended directory catalog configured in a directory assistance database, it can refer the client to a remote LDAP directory. To allow this, open the Directory Assistance document for the remote LDAP directory and, on the Basics tab, select LDAP Clients in the Make this domain available to field. To prevent the LDAP service from referring clients to the directory, do not select LDAP Clients.

To return a referral, the Domino® LDAP service uses information in the Directory Assistance document for the remote LDAP directory. The referral is compliant with LDAP v3 and includes:

  • The URL host name of the LDAP directory server.
  • The base distinguished name configured for the directory in the Directory Assistance document.
  • The port the LDAP directory server uses.

Note that when returning a referral, the Domino® server running the LDAP service never connects to the remote LDAP directory server.

Some LDAP clients can accept more than one referral, so that if the host name specified in one referral is unavailable, the client can attempt to use another. By default, for a given search, the LDAP service refers an LDAP client to only one remote LDAP directory host name. If LDAP clients that can accept more than one referral use the LDAP service, you can use the LDAP service configuration setting Maximum number of referrals to increase the number of referrals that the LDAP service can return.
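The referral described above is an LDAP v3 URL (RFC 4516) carrying host name, port and base DN. The following Python is an added example, not Domino code: it renders such a URL from the three Directory Assistance fields, caps the list the way the Maximum number of referrals setting does (default 1), and shows how a client should decode a referral list, rejecting anything that is not an ldap:// or ldaps:// URL. The class and field names are assumptions for illustration.

```python
"""Build and parse LDAP v3 referral URLs (RFC 4516) of the kind the Domino
LDAP service returns for a remote LDAP directory.  Constructed example: the
class and field names below are assumptions, not Domino's own API."""
from dataclasses import dataclass
from urllib.parse import quote, unquote, urlsplit


@dataclass(frozen=True)
class RemoteLdapDirectory:
    """Values assumed to come from a Directory Assistance document."""
    hostname: str       # URL host name of the remote LDAP server
    base_dn: str        # base distinguished name configured for the directory
    port: int = 389     # port the remote LDAP server uses
    use_ssl: bool = False


def referral_url(directory: RemoteLdapDirectory) -> str:
    """Render one referral as an RFC 4516 URL: scheme://host:port/DN.
    The DN is percent-encoded; '=' and ',' are legal in the path as-is."""
    scheme = "ldaps" if directory.use_ssl else "ldap"
    dn = quote(directory.base_dn, safe="=,")
    return f"{scheme}://{directory.hostname}:{directory.port}/{dn}"


def build_referrals(directories, max_referrals: int = 1):
    """Server side: cap the list as the 'Maximum number of referrals'
    LDAP service setting does (the default is a single referral)."""
    return [referral_url(d) for d in directories[:max_referrals]]


@dataclass(frozen=True)
class Referral:
    hostname: str
    port: int
    base_dn: str
    use_ssl: bool


def parse_referrals(urls):
    """Client side: decode a referral list, refusing anything that is not
    an ldap:// or ldaps:// URL so a malformed referral is never followed."""
    parsed = []
    for url in urls:
        parts = urlsplit(url)
        if parts.scheme not in ("ldap", "ldaps") or not parts.hostname:
            raise ValueError(f"not an LDAP referral: {url!r}")
        use_ssl = parts.scheme == "ldaps"
        port = parts.port or (636 if use_ssl else 389)  # RFC 4516 defaults
        parsed.append(Referral(parts.hostname, port,
                               unquote(parts.path.lstrip("/")), use_ssl))
    return parsed
```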