By default, the LDAP service does not allow LDAP clients to modify the directories served by the LDAP service.
About this task
However, you can enable LDAP write access for any of the following directories to allow LDAP users with the required database access to modify the directories:
- Primary Domino® Directory of the LDAP service
- Secondary Domino Directory or extended directory catalog that the LDAP service serves
You control LDAP write access separately for each directory.
For example, you could enable write access for the primary Domino Directory, and leave write access disabled for an extended directory catalog.
Note: You cannot enable LDAP write access to a condensed directory catalog served by the LDAP service.
Keep the following points in mind if you enable LDAP write access for a directory:
Procedure
- Domino does not provide a tool for doing LDAP write operations; you must develop or obtain one.
- If you allow LDAP write access, use the directory database ACL, and optionally the extended ACL, to control the directory changes that LDAP users can make.
- Enable schema checking for the LDAP service to require that directory changes made via LDAP conform to the directory schema. By default, schema checking is disabled; if you allow LDAP write operations, enabling it is recommended to maintain consistent directory contents.
- The Administration Process server task doesn't respond to LDAP write operations. For example, if an LDAP user deletes a Person document, the Administration Process can't delete the associated user name from database ACLs.
- The LDAP service can carry out an LDAP write operation in a secondary Domino Directory or extended directory catalog only if that directory is stored locally on the server that runs the LDAP service. If the LDAP service receives a write operation request for a Domino Directory on a remote server, it sends an LDAP referral to the client. The LDAP service refers the client to the administration server for the directory. If there is no administration server specified, it refers the client to the remote server that stores the directory. The client must then follow the referral itself.
- The distinguished names of directory entries are limited to 256 characters. Distinguished names do not have to conform to the standard Notes® naming model of organizational unit (ou), organization (o), and country (c). For example, distinguished names such as these are acceptable:
  - dn: cn=Jay Walker + uid=123456,u=Sales,o=Widget Inc.,c=GB
  - dn: foo=Bar, o=Renovations
  - dn: cn=L. Eagle,o=Sue\, Grabbit and Runn,c=GB
  Note: Names such as these are recommended primarily for entries that are accessed only through LDAP, since Notes users may find them confusing.
- Prior to doing batch adds of 100 or more directory entries, you can use the NOTES.INI setting LDAPBatchAdds to process the additions more quickly. Disable the setting when the batch adds are complete.
- You cannot modify the value of an entry's structural object class attribute.
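Because Domino supplies no LDAP write tool, writes are normally prepared as LDIF for an external client such as ldapmodify. The following is an added example, not code from the Domino documentation or product: it parses distinguished names of the forms listed above (backslash-escaped separators, multi-valued RDNs joined with "+"), enforces the 256-character limit, and emits an LDIF add record; the names MAX_DN_LEN, split_dn, validate_dn and ldif_add are chosen here, not Domino identifiers.

```python
import base64

MAX_DN_LEN = 256  # Domino LDAP limit on the length of an entry's distinguished name

def split_dn(dn: str) -> list[list[tuple[str, str]]]:
    """Split a DN into RDNs, each a list of (type, value) pairs. Backslash
    escapes ('Sue\\, Grabbit and Runn') and multi-valued RDNs ('+') are handled."""
    rdns, current, attr, buf, i = [], [], None, [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):  # escaped character: take it literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == "=" and attr is None:  # end of the attribute type
            attr, buf = "".join(buf).strip(), []
        elif ch in ",+":  # end of an RDN (',') or of one value inside an RDN ('+')
            if attr is None:
                raise ValueError(f"RDN without '=' in {dn!r}")
            current.append((attr, "".join(buf).strip()))
            attr, buf = None, []
            if ch == ",":
                rdns.append(current)
                current = []
        else:
            buf.append(ch)
        i += 1
    if attr is None:
        raise ValueError(f"RDN without '=' in {dn!r}")
    current.append((attr, "".join(buf).strip()))
    rdns.append(current)
    return rdns

def validate_dn(dn: str) -> list[list[tuple[str, str]]]:
    """Parse the DN and enforce the 256-character limit; raises ValueError if unusable."""
    if len(dn) > MAX_DN_LEN:
        raise ValueError(f"DN is {len(dn)} characters; the limit is {MAX_DN_LEN}")
    return split_dn(dn)

def ldif_add(dn: str, attrs: dict[str, list[str]]) -> str:
    """Build one LDIF 'add' record; values LDIF cannot carry verbatim are base64-encoded."""
    validate_dn(dn)
    lines = [f"dn: {dn}", "changetype: add"]
    for attr, values in attrs.items():
        for value in values:
            safe = (value.isascii() and value[:1] not in ("", " ", ":", "<")
                    and "\n" not in value and "\r" not in value)
            encoded = base64.b64encode(value.encode()).decode()
            lines.append(f"{attr}: {value}" if safe else f"{attr}:: {encoded}")
    return "\n".join(lines) + "\n"
```

Feed the returned record to ldapmodify (or whichever client you obtain) bound as a user whose database ACL and extended ACL rights permit the change.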