Field | Enter |
LDAP Configuration section | |
Hostname | The host name for the remote LDAP directory server -- for example, ldap.renovations.com. A Domino server uses this host name to connect to the remote LDAP directory server, or to refer LDAP clients to the LDAP directory.
Note: The host name should not be the local server that uses this Directory Assistance document. Specifying the local server causes the server to point to itself, which causes performance and other issues.
Click Suggest to open a dialog box that will enable you to look up the hostnames of any LDAP servers listed in your DNS.
Click Verify to open a dialog box that verifies that each hostname is an active LDAP server.
Or
Enter an additional host name or host names so that a Domino server can use an alternate LDAP directory server if the directory server represented by the first host name specified is unavailable. Separate host names with commas, semicolons, or by entering each host name on a new line.
If you specify more than one directory server and each listens on a different port, specify the ports after the host names. For example:
ldap1.acme.com:390, ldap2.renovations.com:391
Port values entered in this field override those specified in the Port field. If no port is specified in this field, then the value specified in the Port field is used.
Note: IPv6 addresses are also supported in this field. However, if an IPv6 address is specified in this field, then the Directory Assistance database should not be used by pre-7.0 servers, as they do not support IPv6. |
LDAP Vendor | Enter the service provider of your LDAP directory (if necessary, check with your LDAP administrator). The default value is Domino LDAP.
Note: After you select a value for LDAP Vendor, the suggested value for Type of search filter to use under the Advanced Options section will adjust to match, but you can modify that value.
See the related topics for more information on configuring search filters in a Directory Assistance document. |
Optional authentication credential for search | Enter a user name and a password for a Domino server to present when it connects to the remote LDAP directory server. The LDAP directory server uses the name and password to authenticate the Domino server. If you don't specify a name and password, a Domino server attempts to connect anonymously.
Click Verify to open a dialog box that verifies that the user name and password you entered are valid on each hostname.
This setting may affect change detection for LDAP servers.
See the related topics for more information on specifying a name and password for Domino servers in a Directory Assistance document for an LDAP directory. |
Base DN for search | A search base, if the LDAP directory server requires one. For example:
o=Ace Industry
o=Ace Industry,c=US
Click Suggest to open a dialog box that enables you to search each hostname for likely search bases.
Click Verify to open a dialog box that enables you to verify that the search base is accessible on each hostname using the configured credentials.
This setting may affect change detection for LDAP servers. See the related topics for more information on special considerations for change detection. |
Connection Configuration section | |
Channel encryption | Choose one:
- TLS (the default) to use TLS when a Domino server connects to the remote LDAP directory server
- None to prevent TLS from being used.
Keep TLS selected in the Channel encryption field if you use the remote LDAP directory for client authentication or to look up the members of groups for database authorization.
If you choose TLS, make selections in these associated fields:
- Accept expired SSL certificates
- Verify server name with remote server's certificate
See the related topics for more information on configuring TLS in a Directory Assistance document for a remote LDAP directory. |
Port | The port number Domino servers use to connect to the remote LDAP directory server.
- If you choose TLS in the Channel encryption field, the default port is 636.
- If you choose None in the Channel encryption field, the default port is 389.
If the LDAP directory server doesn't use one of these default ports, enter a different port number manually. |
Advanced Options section | |
Timeout | The maximum number of seconds allowed for a search of the remote LDAP directory; default is 60 seconds.
If the remote LDAP directory server is also configured with a timeout value, the smaller value takes precedence. |
Maximum number of entries returned | The maximum number of entries the LDAP directory server can return for a name for which a Domino server searches. If the LDAP directory server also has a maximum setting, the smaller value takes precedence. If the LDAP directory server times out, it returns the number of names found up to that point.
Default is 100. |
Dereference alias on search | Choose one to control the extent to which alias dereferencing occurs during searches of the remote LDAP directory:
- Never
- Only for subordinate entries
- Only for search base entries
- Always (default)
If aliases are not used in the LDAP directory, selecting Never can improve search performance.
See the related topics for more information on configuring alias dereferencing in a Directory Assistance document. |
Preferred mail format | If directory assistance is set up to allow Notes users to address mail to users in an LDAP directory, use this option to specify the format of addresses from the directory to be used in Notes mail. Choose one:
- Notes Mail Address - for example, John Doe/Renovations@Renovations. Typically, this option is used only when the LDAP directory is a Domino Directory.
- Internet Mail Address (default) - for example, jdoe@renovations.com.
See the related topics for more information on directory assistance and Notes mail addressing. |
Enable name mapping | This check box allows Directory Assistance to map the Domino DN attribute to its DN attribute in an LDAP directory. It is disabled by default.
When name mapping is enabled with this check box, the new field Attribute is to be used for all lookups and the existing field Attribute to be used as Notes distinguished name become visible.
Note: Enabling this check box also requires you to enter a value in the existing field Attribute to be used as Notes distinguished name, or to accept the default (Notes DN) before you save the form.
See the related topics for more information on user name mapping when you manage Domino users through Active Directory. |
Attribute to be used as Notes distinguished name | If a Domino server uses the remote LDAP directory for client authentication or for database authorization, optionally map users' LDAP directory distinguished names to corresponding Notes distinguished names.
Click Verify to open a dialog box that enables you to verify that there is at least one object containing the Notes DN attribute on each hostname, using the configured credentials under the specified base.
See the related topics for more information on using Notes distinguished names in a remote LDAP directory. |
Attribute is to be used for all lookups | Choose Yes or No.
By default when the Enable name mapping check box is on, this value is set to No, and name mapping is enabled only for Internet/Web authentication.
Selecting Yes for this field in combination with the Attribute to be used as Notes distinguished name enables Domino name mapping to be used for all directory searches, not just Internet/Web authentication. |
Type of search filter to use | Choose one to control which LDAP search filters are used to search the directory.
Standard LDAP works in most situations.
Click Suggest to open a dialog box that searches each hostname for the most likely type of search filter to use.
Click Verify to open a dialog box that verifies that the chosen search filter type is appropriate for each hostname.
Note: The options Domino LDAP and IBM Directory Server allow the LDAP Gateway to take advantage of any special capabilities belonging to a given LDAP server. Once these capabilities are determined, LDAP clients can then decide whether to take advantage of them. For example, the LDAP server can now serve up new attributes in its root directory server entries (DSE) to directly support LDAP client detection of dominoAccessGroups capabilities.
See the related topics for more information on configuring search filters in a Directory Assistance document. |
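
The Hostname, Port and Channel encryption rows above define how per-host ports, the Port field and the TLS choice interact. The following added example (not part of the original documentation or of Domino) resolves a Hostname value into host/port pairs and flags the settings the table cautions about. The function names, the dict keys and the bracketed [address]:port form for IPv6 are assumptions of this example.

```python
import re

DEFAULT_PORTS = {"TLS": 636, "None": 389}  # defaults stated in the Port row

def resolve_targets(hostname_field, channel="TLS", port_field=None):
    """Expand a Hostname field value into (host, port) pairs per the table's rules."""
    fallback = port_field or DEFAULT_PORTS[channel]
    targets = []
    for item in re.split(r"[,;\n]", hostname_field):  # commas, semicolons, new lines
        item = item.strip()
        if not item:
            continue
        bracketed = re.fullmatch(r"\[([^\]]+)\](?::(\d+))?", item)
        if bracketed:                      # ASSUMED syntax for an IPv6 address plus port
            host, port = bracketed.groups()
        elif item.count(":") == 1:         # name:port overrides the Port field
            host, port = item.split(":")
        else:                              # bare host name or bare IPv6 address
            host, port = item, None
        port = int(port) if port else fallback
        if not 0 < port < 65536:
            raise ValueError(f"bad port in {item!r}")
        targets.append((host.lower(), port))
    return targets

def review(doc, local_server):
    """Return findings for one Directory Assistance document given as a plain dict."""
    findings = []
    for host, _ in resolve_targets(doc["hostname"], doc["channel"], doc.get("port")):
        if host == local_server.lower():   # the Hostname note: server points to itself
            findings.append(f"{host}: host name is the local server")
    if doc.get("used_for_auth") and doc["channel"] != "TLS":
        findings.append("channel encryption is None on a directory used for authentication")
    if doc["channel"] == "TLS" and doc.get("accept_expired"):
        findings.append("expired certificates are accepted")
    if doc["channel"] == "TLS" and not doc.get("verify_name", True):
        findings.append("server name is not checked against the certificate")
    if not doc.get("bind_name"):
        findings.append("no credential set: the server connects anonymously")
    return findings

# Constructed sample document; the keys are this example's own names.
SAMPLE = {
    "hostname": "ldap1.acme.com:390, ldap2.renovations.com:391;\nhub1.renovations.com",
    "channel": "None", "used_for_auth": True, "bind_name": "",
}

if __name__ == "__main__":
    for finding in review(SAMPLE, "hub1.renovations.com"):
        print(finding)
```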