By default, the LDAP service does not allow LDAP clients
to modify the directories the LDAP service serves. If you enable directory
changes to be made via LDAP, the directory database ACL and, optionally,
an extended ACL, control the extent to which authenticated and anonymous
LDAP users can modify directory entries.
About this task
For example, an LDAP user with Editor database ACL access
can modify all entries, whereas an LDAP user with only Author database
ACL access and the UserModifier role can modify only Person entries
and not other entries.
To enable or disable LDAP write access
to the primary Domino® Directory
of the LDAP service, or to a secondary Domino Directory or Extended Directory Catalog
that the LDAP service serves:
Procedure
- From the Domino Administrator,
open the directory for which you want to enable write access.
- Select the view.
- If you do not see a domain Configuration Settings document
in the view, a document named * - [All Servers],
skip to step 4. If you see this document, do the following:
  - Open the document.
  - Click the LDAP tab.
  - Click Edit Server Configuration.
- If you do not see a domain Configuration Settings document
in the view, create one by doing the following:
  - Click Add Configuration.
  - On the Basics tab, select Yes next
  to Use these settings as the default settings for all servers.
  - Click the LDAP tab.
Tip: If you are enabling write access for the primary Domino Directory in the domain,
a shortcut for steps 2-4 is: from the Domino Administrator
open the server that stores the directory. Click the Configuration tab
and expand , and then select Settings; click Edit
LDAP Settings.
- For Allow LDAP users write access,
select one:
  - Yes to allow directory changes via LDAP.
  - No (default) to prevent directory changes via LDAP.
- Click Save & Close.
- For each server in the domain that runs the LDAP service,
do the following:
- If you enabled LDAP write access, set up the database
ACL, and optionally extended ACL, to specify the directory contents
that LDAP users can modify.
Note: To allow
users to modify documents in the directory, the Maximum
Internet name-and-password access setting in the Advanced pane
of the database Access Control dialog must be set to Editor access
or higher.
- Configure how the LDAP service responds when it finds
more than one occurrence of a name specified in an LDAP write operation.
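
After enabling write access, it helps to review which ACL entries actually end up able to modify the directory over LDAP. The following Python sketch is an added example, not HCL code: it applies the rules stated on this page to a constructed ACL listing. The sample entry names, the Anonymous/-Default- fallback and the min() cap are assumptions, and extended ACLs are not modeled.

```python
from enum import IntEnum

class Level(IntEnum):  # Domino database ACL access levels, lowest to highest
    NO_ACCESS = 0
    DEPOSITOR = 1
    READER = 2
    AUTHOR = 3
    EDITOR = 4
    DESIGNER = 5
    MANAGER = 6

def ldap_write_scope(write_enabled, max_internet, level, roles):
    """Return 'all', 'person-only' or 'none' for one ACL entry."""
    if not write_enabled:            # Allow LDAP users write access = No (default)
        return "none"
    if max_internet < Level.EDITOR:  # the Note: must be Editor access or higher
        return "none"
    effective = min(level, max_internet)  # assumption: the setting caps ACL access
    if effective >= Level.EDITOR:
        return "all"
    if effective == Level.AUTHOR and "UserModifier" in roles:
        return "person-only"
    return "none"  # simplification: other Author-level cases are not modeled

def audit(write_enabled, max_internet, acl):
    """Return (scope per ACL entry, scope of anonymous binds, entries to review)."""
    scopes = {name: ldap_write_scope(write_enabled, max_internet, lvl, roles)
              for name, (lvl, roles) in acl.items()}
    # Assumption: anonymous binds use "Anonymous", or "-Default-" if it is absent.
    anon_entry = "Anonymous" if "Anonymous" in acl else "-Default-"
    review = [n for n in ("-Default-", "Anonymous") if scopes.get(n, "none") != "none"]
    return scopes, scopes.get(anon_entry, "none"), review

# Constructed sample ACL: entry name -> (access level, roles)
SAMPLE_ACL = {
    "-Default-": (Level.AUTHOR, {"UserModifier"}),
    "Anonymous": (Level.READER, set()),
    "LDAP Admins": (Level.EDITOR, set()),
    "Help Desk": (Level.AUTHOR, {"UserModifier"}),
    "Auditors": (Level.AUTHOR, set()),
}

if __name__ == "__main__":
    scopes, anon, review = audit(True, Level.EDITOR, SAMPLE_ACL)
    for name, scope in scopes.items():
        print(f"{name:12} -> {scope}")
    print("anonymous binds:", anon, "| review:", review)
```

In the sample, the -Default- entry is flagged for review because Author access plus the UserModifier role gives every otherwise unlisted authenticated user write scope on Person entries.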