Lotus Domino Administrator 8.5 Help - Changing the LDAP service port and port security configuration

DIRECTORY SERVICES

Changing the LDAP service port and port security configuration
By default, LDAP clients can connect to the LDAP service over TCP/IP port 389, anonymously or using name-and-password authentication. By default, LDAP clients cannot connect using SSL.

Note To authenticate using name-and-password security some LDAP clients -- for example Microsoft® Internet Explorer and IBM® Lotus® Notes® clients with LDAP accounts -- first do an anonymous search to retrieve the distinguished names used for the authentication, so that users don't have to specify the distinguished names themselves. To enable such clients to authenticate using names and passwords, you must enable anonymous access, as well as name and password authentication, for the LDAP service port the clients use to connect. You must also allow anonymous read access to the attribute(s) the clients use to search the directory anonymously to retrieve the distinguished names. Attributes typically searched for are cn, uid, sn, givenname, or mail.

Follow these steps to change the LDAP service port and port security configuration on a specific server that runs the LDAP service:

1. From the IBM® Lotus® Domino® Administrator, click the Configuration tab.

2. In the left pane, expand Server and open the Server document for the server that runs the LDAP service.

3. Click Edit Server.

4. Click the Ports - Internet Ports - Directory tab.

Note

If you are administering a hosted organization environment, an asterisk (*) in the following tables indicates options you must specify instead in an Internet Site document. In a non-hosted organization environment, you can use the Internet Site document, but you aren't required to.

5. To change the TCP/IP port configuration for the LDAP service, complete these fields:

Field	Enter
TCP/IP port number	Choose 389 (default) to use the industry standard port for LDAP connections over TCP/IP. You can specify a different port, but 389 works in most situations.
TCP/IP port status	Choose one: "Enabled" (default) to allow LDAP clients to connect to the server without using SSL. "Redirect to SSL" to direct LDAP clients connecting without using SSL to use SSL instead. The LDAP service returns a message to LDAP clients indicating that they must connect over SSL. "Disabled" to prevent LDAP clients from connecting using the TCP/IP port.
Enforce server access settings	Choose one: Yes to apply the "Access server" and "Not access server" settings set in the Server Access section on the Security tab of this Server document to authenticated LDAP clients connecting to the LDAP service over the TCP/IP port. No (default) to specify that the LDAP service ignore the Server Access settings.
Authentication options: Name & Password	If the "TCP/IP port status" field is set to Enabled, choose one: Yes (default) to allow LDAP clients to use name-and-password authentication when connecting using the TCP/IP port. No to prevent LDAP clients from using name-and-password authentication when connecting using the TCP/IP port.
Authentication options: Anonymous	If the "TCP/IP port status" field is set to Enabled, choose one: Yes (default) to allow LDAP clients to connect anonymously using the TCP/IP port. No to prevent LDAP clients from connecting anonymously using the TCP/IP port.

6. To change the SSL port configuration for the LDAP service, complete these fields:

Field	Enter
SSL port number	Choose 636 (default) to use the industry standard port for LDAP connections over SSL. You can specify a different port, but 636 works in most situations.
SSL port status	Choose one: "Enabled" to allow LDAP clients to connect to the LDAP service over SSL. "Disabled" (default) to prevent LDAP client connections over SSL.
Authentication options: Client certificate	If "SSL port status" is set to Enabled, choose one: Yes to allow LDAP clients to use client certificate authentication when connecting. No (default) to prevent the LDAP service from using client certificate authentication.
Authentication options: Name & password	If the "SSL port status" field is set to Enabled, choose one: Yes to allow LDAP clients to use name-and-password authentication when connecting to the LDAP service over SSL. No (default) to prevent LDAP clients from using name-and-password authentication over SSL.
Authentication options: Anonymous	If the "SSL port status" field is set to Enabled, choose one: Yes (default) to allow LDAP clients to connect to the LDAP service anonymously over SSL. No to prevent anonymous SSL connections.

7. Click Save & Close.

8. If you made the changes on a different server than the one for which you are configuring the LDAP service, replicate the changes to the server that runs the LDAP service.

9. Enter the following command on the server that runs the LDAP service to put the changes into effect:

Restart Task LDAP

Related topics

Understanding Internet site documents

Setting up Notes user, Domino server, and Internet user access to a Domino server

Name-and-password authentication for Internet/intranet clients

Anonymous Internet/intranet access

Setting up Notes and Internet clients for SSL client authentication

Customizing the LDAP service configuration

The LDAP service

Glossary

Feedback on Help or Product Usability?

Help on Help

All Help Contents

Glossary