DIRECTORY SERVICES


Creating a Directory Assistance document for a remote LDAP directory
To set up directory assistance for a remote LDAP directory, create a Directory Assistance document for the directory in a directory assistance database as follows. Make sure you have read about directory assistance services and concepts.

1. Make sure you have created and replicated a directory assistance database and have set up servers to use it.

2. If you are using the remote LDAP directory for any purpose other than LDAP service referrals, use the TCP/IP ping utility to test that the IBM® Lotus® Domino® servers that will use the LDAP directory can connect to the remote LDAP directory server.

3. From the Domino Administrator, choose File - Open Server, select a server that you have set up to use the directory assistance database, and click OK.

4. Click the Configuration tab.

5. In the left pane, expand Directory - Directory Assistance. If you see "Server Error: File does not exist," the server you selected in step 4 is not set up to use the directory assistance database.

6. Click Add Directory Assistance.

7. On the Basics tab, complete these fields:
FieldEnter
Domain typeChoose LDAP.
Domain nameA domain name of your choice that is different from the domain name specified for any other Directory Assistance document - Notes or LDAP - in the directory assistance database. For more information, see the topic "Directory assistance and domain names."
Company name(Optional) The name of the company associated with this directory. Multiple Directory Assistance documents can use the same company name.
Search order(Optional) A number affecting the order in which servers search or refer LDAP clients to this directory relative to other directories configured in the directory assistance database. For more information, see the topic "How naming rules relate to directory search orders."
Make this domain available toChoose one or both:
  • "Notes clients and Internet Authentication/Authorization" to use this LDAP directory for Notes mail addressing, Internet client authentication (including LDAP client authentication), or to look up the members of groups for database authorization. For group authorization, you must also enable "Group Authorization" (see below).
  • "LDAP Clients" to enable a server running the LDAP service to refer LDAP clients to this LDAP directory when an LDAP search is not succesful in any Domino Directory.
Group AuthorizationChoose one:
  • Yes to search the members of groups in this LDAP directory when authorizing database access.
  • No (default) to prevent searching the member of groups in the directory when authorizing database access.
Choose Yes for only one directory, Notes or LDAP, configured in the directory assistance database.

You do not have to enable a rule that is "Trusted for Credentials."

If you select Yes, in the "Nested group expansion" field that appears choose one:

  • Yes (default) to search nested groups -- groups that are members of groups listed in database ACLs.
  • No to search only the members of groups listed in database ACLs, and not the members of groups nested within those groups.
For more information on group authorization, see the topic "Directory assistance and group lookups for database authorization."
Use exclusively for Group Authorization or Credential AuthenticationNote This item is only visible if Group Authorization has been enabled for this directory, or if at least one rule has "Trusted" enabled.

Choose Yes to allow directory assistance to use this directory exclusively for Group Authorization or Credential Authentication. Enabling this will minimize the number of non-authentication and non-authorization lookups to this directory.

For more information, see the topic "Limiting directories to authentication-only lookups."

EnabledChoose Yes to enable directory assistance for this LDAP directory.

Note You can also enable and disable directory assistance for this directory from the main view of the Directory Assistance database. Select the directory assistance record for the directory and, on the toolbar, click Enable/Disable.

Attribute to be used as name in an SSO token (map to Notes LTPA_UserNm)Enter the name of the directory attribute that should be returned when the LTPA_UserNm field is requested. This value is used as the user name in any SSO token generated by Domino.

For more information about name mapping in the LTPA token used for single sign-on, see the topic "Configuring user name mappings in the SSO LTPA token."

8. On the Naming Contexts (Rules) tab, for each rule you want to define for the directory, complete the following fields. By default, an all-asterisk rule is enabled with "Trusted for Credentials" set to No.
FieldEnter
N.C. #Enter a naming context (rule) that describes the user names in the LDAP directory. For more information, see the topic "Directory assistance and naming rules.
EnabledChoose one:
  • Yes to enable a rule
  • No (default) to disable a rule
Trusted for CredentialsChoose one:
  • Yes to allow servers to use credentials in the LDAP directory to authenticate Internet clients whose distinguished names in the directory correspond to the rule.
  • No (default) to prevent servers from using this directory to authenticate Internet clients whose distinguished names in the directory correspond to the rule.
For more information, see the topic "Trusted naming rules."
9. On the LDAP tab, complete the fields in the table below.

LDAP configuration wizard

1. Click Save & Close.

2. If you changed the Group Authorization field:

Related topics