DIRECTORY SERVICES


Directory assistance and naming rules
When you configure directory assistance for a directory, you define at least one naming rule that corresponds to the names of users in the directory. Naming rules are based on the X.500 distinguished name model. This model uses a directory tree name hierarchy of country (c), organization (o), and organizational unit (ou) to divide names into parts that together represent unique locations in the directory tree. This is also the naming model IBM® Lotus® Domino® and IBM® Lotus® Notes® have traditionally used.

Each directory assistance naming rule includes six parts, with each part containing one of the following:


It's common to assign an all-asterisk rule to a directory (*/*/*/*/*/*) to represent all names in a directory. However, if the directories configured in directory assistance use discrete name hierarchies, it's useful to define rules for the directories that correspond to those hierarchies, so servers can target a specific directory when searching for specific names.

For example, assume Directory A and Directory B are both configured in a directory assistance database. Names in Directory A fall under o=acme,c=us, so you specify the rule */*/*/*/acme/us for it, and the names in Directory B fall under o=acme,c=fr, so you specify the rule */*/*/*/acme/fr for it. To find the name cn=jack brown,o=acme,c=fr, a server searches only Directory B, and not Directory A; to find the name cn=joan brown,o=acme,c=us, a server searches only Directory A and not Directory B.

This type of targeted directory search can occur when:


Note that Domino does not apply directory assistance naming rules to searches of nested groups. Sometimes, although the DN of a group matches the naming rules established for a secondary directory that has been enabled for group expansion, the DN of a member of that group, either a user or a nested group, does not. Ignoring the naming rules in this case avoids the problem and lets the search return a complete names list for the subject of the search.

To find a flat name (a name without distinguishing parts), or to process an LDAP search request that doesn't specify a search base, a server ignores naming rules and searches directories according to the search orders specified for the directories in the Directory Assistance documents.

Note Some LDAP directories do not use the country (c), organization (o), and organizational unit (ou) naming model. If you set up directory assistance for an LDAP directory such as this, use an all-asterisk naming rule for the directory. Bear in mind that an all-asterisk rule that is also marked "Trusted for Credentials" matches every hierarchical name, so it lets that directory authenticate any user entry it returns; mark such a rule trusted only for a directory whose contents you control.

Trusted naming rules

When an Internet client passes a logon name to a server to initiate authentication, the server looks for the name in a directory configured in the directory assistance database only if the directory has at least one configured naming rule that is "Trusted for Credentials", known as a trusted rule. If the client logon name is hierarchical, the server looks for the name only in directories with a trusted rule that matches the client logon name, in addition to the primary Domino Directory. If the client logon name is flat, for example, John Smith, the server looks for the name in all directories with a trusted rule.

When a server finds the client logon name in a user entry in a directory, the server compares the distinguished name assigned to the user entry to the trusted rule(s) defined for the directory. The server only authenticates the client if the distinguished name matches a trusted rule. If you use a remote LDAP directory for client authentication and add Notes distinguished names to the directory, the Notes distinguished names, not the original LDAP distinguished names, must match a trusted rule for the directory.
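The following is an added example, not code from IBM or from Domino itself. It models the two behaviours described above: the targeted search of the Directory A / Directory B example (a hierarchical name is looked up only in directories whose rules match it, a flat name falls back to search order) and the trusted-rule check (a directory is searched for credentials only if it has a trusted rule, and an entry found there is accepted only if its DN matches one of that directory's trusted rules). The rule format is the six-part OU4/OU3/OU2/OU1/O/C form with "*" wildcards; the assumption, labelled in the code, is that "*" matches any value at a level including no value, and that an explicit part must equal the DN's value at that level. The directory contents, the `Directory` class and the helper names are constructed for illustration.

```python
"""Directory-assistance naming rules and the 'Trusted for Credentials' check.

Added example, not IBM Domino code. Assumption: '*' matches any value at a
level, including no value; an explicit part must equal the DN's value at
that level (compared case-insensitively). Sample directories are constructed.
"""
from dataclasses import dataclass, field

RULE_PARTS = 6                 # OU4 / OU3 / OU2 / OU1 / O / C
ALL_ASTERISK = "*/*/*/*/*/*"   # matches every hierarchical name


def is_flat(name):
    """A flat name such as 'John Smith' has no distinguishing parts."""
    return "=" not in name


def parse_rule(rule):
    parts = tuple(p.strip().lower() for p in rule.split("/"))
    if len(parts) != RULE_PARTS:
        raise ValueError("a naming rule has exactly six parts: %r" % (rule,))
    return parts


def dn_to_six(dn):
    """Map 'cn=x,ou=sales,ou=east,o=acme,c=us' to (OU4,OU3,OU2,OU1,O,C).

    OU1 is the OU nearest O ('east' above); missing levels are ''. Only
    cn/ou/o/c are accepted, so a DN built from other attributes (dc=, l=)
    is rejected instead of silently matching a wildcard rule.
    """
    attrs = {"cn": [], "ou": [], "o": [], "c": []}
    for rdn in dn.split(","):
        typ, sep, val = rdn.partition("=")
        typ, val = typ.strip().lower(), val.strip().lower()
        if not sep or typ not in attrs:
            raise ValueError("unsupported attribute in DN: %r" % (dn,))
        attrs[typ].append(val)
    if len(attrs["ou"]) > 4:
        raise ValueError("more than four OU levels: %r" % (dn,))
    ous = [""] * 4                                   # index 3 is OU1
    for i, ou in enumerate(reversed(attrs["ou"])):   # reversed: OU1 first
        ous[3 - i] = ou
    o = attrs["o"][0] if attrs["o"] else ""
    c = attrs["c"][0] if attrs["c"] else ""
    return tuple(ous) + (o, c)


def rule_matches(rule, dn):
    return all(r == "*" or r == v for r, v in zip(parse_rule(rule), dn_to_six(dn)))


@dataclass
class Directory:
    name: str
    search_order: int
    entries: list                                # DNs of user entries
    rules: list = field(default_factory=list)    # (rule, trusted_for_credentials)

    def trusted_rules(self):
        return [r for r, trusted in self.rules if trusted]

    def find_entry(self, logon_name):
        """Flat logon name matches the cn; hierarchical one matches the whole DN
        (simplified exact string comparison, lower-cased)."""
        want = logon_name.lower()
        for dn in self.entries:
            low = dn.lower()
            if low == want or (is_flat(want) and low.startswith("cn=" + want + ",")):
                return dn
        return None


def directories_to_search(name, directories):
    """Targeted lookup: a flat name ignores rules and uses search order; a
    hierarchical name is looked up only in directories whose rules match it."""
    ordered = sorted(directories, key=lambda d: d.search_order)
    if is_flat(name):
        return [d.name for d in ordered]
    return [d.name for d in ordered if any(rule_matches(r, name) for r, _ in d.rules)]


def authenticate_lookup(logon_name, primary, secondaries):
    """Return (directory name, DN) for an entry the server may authenticate, else None.

    The primary Domino Directory is always searched (modelled here with an
    all-asterisk trusted rule). A secondary directory is searched only if it
    has a trusted rule and, for a hierarchical logon name, only if a trusted
    rule matches that name. A found entry is accepted only when its DN matches
    a trusted rule of the directory it came from.
    """
    ordered = sorted(secondaries, key=lambda d: d.search_order)
    if is_flat(logon_name):
        candidates = [d for d in ordered if d.trusted_rules()]
    else:
        candidates = [d for d in ordered
                      if any(rule_matches(r, logon_name) for r in d.trusted_rules())]
    for d in [primary] + candidates:
        dn = d.find_entry(logon_name)
        if dn is None:
            continue
        if any(rule_matches(r, dn) for r in d.trusted_rules()):
            return d.name, dn
        return None   # found, but the DN is outside the directory's trusted namespace


# Constructed sample configuration following the text's Directory A / Directory B.
PRIMARY = Directory("Domino Directory", 0, ["cn=admin,o=acme,c=us"], [(ALL_ASTERISK, True)])
DIR_A = Directory("Directory A", 1, ["cn=joan brown,o=acme,c=us"], [("*/*/*/*/acme/us", True)])
DIR_B = Directory("Directory B", 2,
                  ["cn=jack brown,o=acme,c=fr",
                   "cn=mallory,o=acme,c=us"],      # a DN Directory B is not trusted for
                  [("*/*/*/*/acme/fr", True)])
```

The `mallory` entry shows the point of the DN comparison: Directory B answers for a flat logon name, but because the entry's DN falls under o=acme,c=us rather than the directory's trusted */*/*/*/acme/fr rule, `authenticate_lookup` refuses it instead of letting Directory B vouch for a name in Directory A's namespace.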

Examples of naming rules

The following table provides examples of naming rules, illustrating how each rule includes or excludes names such as:
