DIRECTORY SERVICES


Limiting directories to authentication-only lookups
You may need to deploy a directory for authentication purposes only if:
It is becoming common practice to use a corporate LDAP server to provide authentication (userid/password) services for single sign-on (SSO) purposes. Often, these LDAP servers are not configured, deployed, or intended to support mail routing (or other Domino-based) directory lookups.

Because Domino does not support a universal name mapping scheme for Domino-style identities (fullnames or distinguished names of the form cn=xxxx, ou=yyyy, o=zzzz) and the less (or differently) constrained distinguished name formats that are implemented by various LDAP directories, deploying an LDAP directory to be used for authorization can cause name ambiguity problems with some Domino services if duplicate entries exist in the native Domino directories and the LDAP directory being deployed. Since duplicate entries are usually the case if the LDAP directory is being deployed to allow SSO, or to provide LDAP-based authentication for Internet services, it is necessary to avoid sending certain lookups to the LDAP directories. Otherwise, sending email can result in an a large number of unnecessary lookups to the LDAP directory, thereby decreasing performance.

You indicate that a directory should be used only for authentication on the Basics tab of the Directory Assistance document as follows:


If neither setting is enabled, the directory will be searched.