Using LDAP to modify directories served by the LDAP service
By default, the LDAP service does not allow LDAP clients to modify the directories it serves.
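However, you can enable LDAP write access to any of the following directories so that LDAP users who have the necessary database access can modify them: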
- Primary Domino® Directory of the LDAP service
- Secondary Domino® Directory or extended directory catalog the LDAP service serves
LDAP write access is controlled separately for each directory. For example, you could enable write access for the primary Domino® Directory, and leave write access disabled for an extended directory catalog.
Note: You cannot enable LDAP write access to a condensed directory catalog served by the LDAP service.
If you enable LDAP write access to a directory, note the following:
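- Domino® does not provide a tool for doing LDAP write operations; you must develop or obtain one.
- If you allow LDAP write access, use the directory database ACL and, optionally, an extended ACL
- Enable schema checking for the LDAP service to require that directory changes made through LDAP conform to the directory schema. Schema checking is disabled by default; if you allow LDAP write operations, enabling it is recommended to maintain the consistency of directory contents.
- The Administration Process server task does not respond to LDAP write operations. For example, if an LDAP user deletes a Person document, the Administration Process does not remove the associated user name from database ACLs.
- The LDAP service can carry out an LDAP write operation in a secondary Domino® Directory or extended directory catalog only if that directory is stored locally on the server that runs the LDAP service. If the LDAP service receives a write operation request for a Domino® Directory on a remote server, it sends an LDAP referral to the client. The LDAP service refers the client to the administration server of the directory. If no administration server is specified, it refers the client to the remote server that stores the directory. The client must then follow the referral itself.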
- Distinguished names of directory entries are limited to 256 characters. Distinguished names do not have to conform to the standard Notes® naming model of organizational unit (ou), organization (o), and country (c). For example, distinguished names such as these are acceptable:
  - dn: cn=Jay Walker + uid=123456,u=Sales,o=Widget Inc.,c=GB
  - dn: foo=Bar, o=Renovations
  - dn: cn=L. Eagle,o=Sue\, Grabbit and Runn,c=GB
  Note: Names such as these are recommended primarily for entries that are accessed only through LDAP, since Notes® users may find them confusing.
- Prior to doing batch adds of 100 or more directory entries, you can use the NOTES.INI setting LDAPBatchAdds to process the additions more quickly. When the batch add is complete, disable the setting.
- You cannot modify the value of the structural object class attribute of an entry.
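
The distinguished-name rules listed above (the 256-character limit, multi-valued RDNs joined with +, commas escaped with a backslash) can be checked by a custom LDAP write tool before it submits entries. The following is an added example, not part of the original documentation and not Domino code; the function names are hypothetical, and it assumes the limit counts the characters of the DN string as written.

```python
MAX_DN_CHARS = 256  # limit stated on this page; counting the DN as written is an assumption


def _split_unescaped(text, sep):
    """Split text on sep, skipping separators escaped with a backslash."""
    parts, buf, i = [], "", 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            buf += text[i:i + 2]  # keep the escape pair intact
            i += 2
        elif text[i] == sep:
            parts.append(buf)
            buf = ""
            i += 1
        else:
            buf += text[i]
            i += 1
    return parts + [buf]


def parse_dn(dn):
    """Return a list of RDNs, each a list of (attribute, value) pairs."""
    if len(dn) > MAX_DN_CHARS:
        raise ValueError(f"DN is {len(dn)} characters; limit is {MAX_DN_CHARS}")
    rdns = []
    for rdn in _split_unescaped(dn, ","):
        pairs = []
        for ava in _split_unescaped(rdn, "+"):  # multi-valued RDN
            attr, eq, value = ava.partition("=")
            if not eq or not attr.strip() or not value.strip():
                raise ValueError(f"malformed RDN component: {ava!r}")
            pairs.append((attr.strip().lower(), value.strip()))
        rdns.append(pairs)
    return rdns


# The three DNs shown on this page, plus one constructed over-length DN.
SAMPLES = [
    "cn=Jay Walker + uid=123456,u=Sales,o=Widget Inc.,c=GB",
    "foo=Bar, o=Renovations",
    "cn=L. Eagle,o=Sue\\, Grabbit and Runn,c=GB",
    "cn=" + "x" * 300 + ",o=Example",  # constructed
]

if __name__ == "__main__":
    for dn in SAMPLES:
        try:
            print(parse_dn(dn))
        except ValueError as err:
            print("rejected:", err)
```

Values are returned in their escaped form, so a DN rebuilt from the parsed pairs keeps the backslash before an embedded comma.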