DIRECTORY SERVICES


Directory assistance for the LDAP service
If an IBM® Lotus® Domino™ server runs the LDAP service, you can:
Processing LDAP operations using a secondary Domino Directory or Extended Directory Catalog

The LDAP service can use a secondary Domino Directory or an Extended Directory Catalog to process LDAP client requests if there is a Directory Assistance document for the directory in a directory assistance database that the LDAP service uses, and "LDAP Clients" is selected in the "Make this domain available to" field on the Basics tab of the document. To prevent the LDAP service from using a Domino Directory or Extended Directory Catalog when processing LDAP client requests, do not select "LDAP Clients" in the Directory Assistance document for the directory. Naming rules configured for the directories affect which of the directories the LDAP service uses.

You control LDAP client access separately for each directory that the LDAP service uses. For example, you can allow anonymous LDAP users to access specific attributes in one directory, but not in another.

If the Domino Directory or Extended Directory Catalog is remote, the remote server does not have to run the LDAP service. To process an LDAP search request using a remote directory, the directory ACL on the remote server must give the server running the LDAP service Reader access through a "Server group" or "Server" user type entry if either of the following is true:


Servers typically have this required access through the LocalDomainServers and OtherDomainServers groups default access in the directory ACL.

The LDAP service does not process write operations to a remote Domino Directory or Extended Directory Catalog. Instead, it returns to the client an LDAP referral to the administration server for the directory or, if there is no administration server, to the server that stores the remote replica specified in the directory assistance database. This referral occurs regardless of whether the remote server runs the LDAP service.

For more information on how naming rules for Domino Directories and Extended Directory Catalogs configured in the directory assistance database affect the LDAP service, see the topic "Naming rules and the LDAP service" later in the chapter. For information on controlling LDAP access to a directory, see the chapter "Setting Up the LDAP Service."

Note: You can also use directory assistance to prevent the LDAP service from searching its primary Domino Directory.

LDAP service referrals to a remote LDAP directory

If the LDAP service can't find information for which an LDAP client is searching in the primary Domino Directory, a condensed Directory Catalog, or a Domino Directory or Extended Directory Catalog configured in a directory assistance database, it can refer the client to a remote LDAP directory. In the Directory Assistance document for the remote LDAP directory on the Basics tab, next to "Make this domain available to," select "LDAP Clients". To prevent the LDAP service from referring clients to the directory, do not select "LDAP Clients".

To return a referral, the Domino LDAP service uses information in the Directory Assistance document for the remote LDAP directory. The referral is compliant with LDAP v3 and includes:


Note that when returning a referral, the Domino server running the LDAP service never connects to the remote LDAP directory server.

Some LDAP clients can accept more than one referral so that if the host name specified in one referral is unavailable, the client can attempt to use another. By default, for a given search, the LDAP service can refer an LDAP client to only one remote LDAP directory host name. If there are LDAP clients that use the LDAP service that can accept more than one referral, you can use the LDAP service configuration setting "Maximum number of referrals" to increase the number of referrals that the LDAP service can return.
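The following is an added example, not code from the IBM Domino documentation or product. It models the referral exchange described above in Python: the server side builds a list of LDAP v3 referral URLs for a search it cannot satisfy locally, capped the way the "Maximum number of referrals" setting caps the number of host names (one by default); the client side parses each referral URL (RFC 4516 form, `ldap://host:port/base_dn?attributes?scope?filter`) and tries the hosts in order until one answers. The host names, base DN and filter are constructed sample values, and `connect` is a stand-in for whatever the real client does to reach a referred host.

```python
"""Added example (not IBM documentation code): build, parse and follow
LDAP v3 referral URLs, modelling the Domino LDAP service referral behaviour
described in the text. All host names and search values are constructed."""
from dataclasses import dataclass, field
from typing import Callable, Iterable, List, Optional, Tuple
from urllib.parse import quote, unquote, urlsplit


@dataclass
class LdapReferral:
    scheme: str
    host: str
    port: int
    base_dn: str
    attributes: List[str] = field(default_factory=list)
    scope: str = "base"
    search_filter: str = "(objectClass=*)"


def referral_urls(hosts: Iterable[str], base_dn: str, scope: str, search_filter: str,
                  port: int = 389, max_referrals: int = 1) -> List[str]:
    """Server side: the referral list returned for a search that cannot be
    satisfied locally. By default only one host name is referred, matching
    the documented default; raising max_referrals returns more."""
    urls = []
    for host in list(hosts)[:max_referrals]:
        # RFC 4516 layout: ldap://host:port/dn?attrs?scope?filter (attrs left empty)
        dn = quote(base_dn, safe="=,")
        filt = quote(search_filter, safe="()=*")
        urls.append(f"ldap://{host}:{port}/{dn}??{scope}?{filt}")
    return urls


def parse_referral(url: str) -> LdapReferral:
    """Client side: parse one LDAP URL, rejecting anything that is not an
    ldap/ldaps URL with a recognised scope."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps") or not parts.hostname:
        raise ValueError(f"not an LDAP URL: {url}")
    port = parts.port or (636 if parts.scheme == "ldaps" else 389)
    base_dn = unquote(parts.path.lstrip("/"))
    # Query string holds attributes?scope?filter?extensions; pad missing fields
    fields = parts.query.split("?") if parts.query else []
    fields += [""] * (4 - len(fields))
    attrs = [a for a in fields[0].split(",") if a]
    scope = fields[1] or "base"
    if scope not in ("base", "one", "sub"):
        raise ValueError(f"bad scope {scope!r} in {url}")
    search_filter = unquote(fields[2]) or "(objectClass=*)"
    return LdapReferral(parts.scheme, parts.hostname, port, base_dn, attrs, scope, search_filter)


def follow_referrals(urls: List[str], connect: Callable[[LdapReferral], bool],
                     allowed_hosts: Optional[Iterable[str]] = None
                     ) -> Tuple[Optional[LdapReferral], List[str]]:
    """Client side: try each referral in order until a host answers.
    allowed_hosts (optional) restricts which referred hosts the client will
    contact, so a referral never sends it to an unexpected directory server.
    Returns the referral that succeeded (or None) and the hosts tried."""
    allowed = set(allowed_hosts) if allowed_hosts is not None else None
    tried: List[str] = []
    for url in urls:
        ref = parse_referral(url)
        if allowed is not None and ref.host not in allowed:
            continue  # skip referrals to hosts the client does not trust
        tried.append(ref.host)
        if connect(ref):
            return ref, tried
    return None, tried


if __name__ == "__main__":
    # Constructed sample: two remote LDAP directories, the first unreachable
    hosts = ["ldap1.example.test", "ldap2.example.test"]
    reachable = lambda ref: ref.host == "ldap2.example.test"
    one = referral_urls(hosts, "o=Acme Corp", "sub", "(cn=Smith)")
    print("default (1 referral):", follow_referrals(one, reachable))
    two = referral_urls(hosts, "o=Acme Corp", "sub", "(cn=Smith)", max_referrals=2)
    print("2 referrals:", follow_referrals(two, reachable))
```

With the default cap the client is handed only `ldap1.example.test`, so a search fails when that host is down; with the cap raised to two it falls through to `ldap2.example.test`. The `allowed_hosts` parameter is an addition on the client side, not a Domino setting.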
