Ken Lin 3.Mar.04 11:18 AM Lotus Notes
Domino Server All Releases All Platforms


I'm new to Domino Directories. Where do I start? (ver 2)
"Lotus Domino Administrator 6 Help - Directory Services chapter"
Where can I get additional general information about Domino Directories? (ver 2)
"Getting the Most from your Domino Directory" - IBM Redbook
Using Domino Directory for a general purpose or enterprise directory. Using Directory Catalog and Directory Assistance. Integrating with directories and applications.

Where can I find information on the internal architecture of Domino directory technologies? (ver 2)
"Inside Notes: The Architecture of Notes and the Domino Server"

What are the new directory features in ND6? (ver 3)
"Broader Directory Support"
"LDD Today - Lotus Domino 6 Technical Overview"

Where can I get directory upgrade information? (ver 2)
"Upgrading to Lotus Notes and Domino 6" - IBM Redbook

Where can I get Lotus documentation? (ver 6)
"Lotus Documentation"

Where can I find Lotusphere and other conference presentations? (ver 7)
Lotus Sandbox - Conferences

What LDAP RFCs are relevant to the Domino LDAP server? (ver 7)
RFC 2782 (DNS SRV)
RFC 2798 (inetOrgPerson)
RFC 2849 (LDIF)
RFC 3045 (Vendor Information)
RFC 3673 (* operational attr)
RFC 4511 (LDAP protocol)
RFC 4512 (LDAP information model)
RFC 4513 (LDAP authentication & security)
RFC 4514 (LDAP DN)
RFC 4515 (LDAP search filters)
RFC 4517 (LDAP syntax & matching rules)
RFC 4518 (LDAP i18n string prep)
RFC 4519 (LDAP schema)


How are Notes fields mapped to LDAP attributes? (ver 1)
"How an LDAP syntax relates to a field type"
There are some syntaxes in the default Domino LDAP schema that map to Domino field types. For example, the LDAP syntax Integer maps to the field type Number. To see whether a syntax maps to a Domino field, find the document for the syntax in the Schema database (SCHEMA.NSF), and compare the LDAP name field to the Notes mapping field.
"The Domino LDAP Schema"

How can my application determine the Domino schema? (ver 5)
"Searching the root DSE and schema entry"

How is the LDAP mail attribute generated? (ver 1)
"How the Domino LDAP service forms a value from the mail attribute"

Is there a limit on the number of members in a Group? (ver 1)
Yes, the Members field is subject to Notes field size limits. See "Problems with Group Documents Related to the Field Size Limitation in Notes"

How can I extend the Domino's LDAP Schema? (ver 3)
"Methods for extending the schema"

Multiple Directories

Can I use a directory other than my Names.NSF? (ver 1)
"Directory Assistance"

How can I easily configure Directory Assistance to access other LDAP servers? (ver 7)
Lotusphere 2007 - Take Control of Your IBM Lotus Domino Directory Infrastructure with Lotus Domino 8! (See "Directory Assistance LDAP Helpers")

Can my Notes clients access other LDAP servers? (ver 2)
"Creating a Directory Assistance document for a remote LDAP directory"
"Setting up clients to use the LDAP server"

Is there a way I can exclude certain secondary Domino Directories from being searched by the Domino LDAP server? (Scott) (ver 1)
Not only can you exclude the primary Domino Directory (e.g. names.nsf) from being searched, but you can exclude any secondary Domino Directory! See this

When addressing mail messages, Notes clients don't get expected matches from a remote LDAP directory configured via Directory Assistance. I suspect this is because my LDAP server has a different schema than most. Is there a way to configure the LDAP searches sent by a Domino home/directory server? (Scott) (ver 1)
See this.

I have configured Directory Assistance to allow Web users to authenticate using credentials from an LDAP directory, but the DNs in this directory don't match the names on ACLs of my Domino databases. What can I do? (Scott) (ver 1)

How does Directory Assistance work? (Terri) (ver 2)
"Directory assistance and failover for a directory"

When querying the Domino LDAP server, when are LDAP referrals to foreign LDAP servers returned? (ver 3)
"Directory search order for LDAP searches" bullet 4

What is Central Directory? (ver 3)
"Using Central directory architecture in a Domino domain"
"Lotusphere 2002: ID214 Domino Directory Services - Practical Instruction on Two Key Options"

Directory Assistance Troubleshooting (ver 1)

Directory Catalog Troubleshooting (ver 1)

When should I use the LDAP Distinguished Name syntax vs. the Notes DN syntax? (Scott) (corrected from ver 4)
When dealing with multi-directory scenarios that include entries residing in both Domino and LDAP directories, it's important to understand in which contexts to use a Notes DN and in which to use an LDAP DN (defined in RFC 2253). The general rule is: use a Notes DN in a Domino database field (e.g. the Fullname field or any other names field) or ACL, and use an LDAP DN in an LDAP directory attribute.

In these scenarios, name conversions between the Notes and LDAP DN syntaxes may also be necessary. For instance, when entering the DN of an entry that resides in an LDAP directory into the ACL of a Domino database (or as a secondary value of Fullname), you need to convert it to its Notes DN equivalent. Or, when using the Notes DN mapping feature in Directory Assistance, you should convert the Notes DN to its LDAP equivalent and use that value in the specified attribute of the LDAP directory. The table below is a helpful reference for how to do these conversions.

Real character in name component | LDAP DN representation | Notes DN representation
, <comma> | \, <backslash + comma> | , <comma>
+ <plus> | \+ <backslash + plus> | "+" <doublequote + plus + doublequote>
\ <backslash> | \\ <backslash + backslash> | "\" <doublequote + backslash + doublequote>
> <greaterthan> | \> <backslash + greaterthan> | > <greaterthan>
< <lessthan> | \< <backslash + lessthan> | < <lessthan>
; <semicolon> | \; <backslash + semicolon> | ; <semicolon>
" <doublequote> | \" <backslash + doublequote> | """ <doublequote + doublequote + doublequote>
= <equals> | \= <backslash + equals> | "=" <doublequote + equals + doublequote>
# <numbersign> | \# <backslash + numbersign> | # <numbersign>
@ <atsign> | @ <atsign> | "@" <doublequote + atsign + doublequote>
/ <slash> | / <slash> | "/" <doublequote + slash + doublequote>

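The conversions in the table above, as an added example that is not part of the original FAQ or any Domino code: a converter that applies the table in both directions and rejects input it cannot convert exactly, so a mistranslated name never ends up in an ACL or a mapping attribute. The function names are hypothetical, and it assumes name components are separated by "," in an LDAP DN and by "/" in a Notes DN; hex escapes and multi-valued RDNs are rejected.

```python
# Added example built from the character table on this page (not Domino code).
# Assumption: components are joined by "," in an LDAP DN and "/" in a Notes DN.
NOTES_QUOTED = set('+\\"=@/')      # written as "<char>" in a Notes DN
LDAP_ESCAPED = set(',+\\><;"=#')   # written as \<char> in an LDAP DN

def _ldap_tokens(dn):
    """Yield (char, protected); protected=True if it was backslash-escaped."""
    i = 0
    while i < len(dn):
        if dn[i] == "\\":
            if dn[i + 1:i + 2] not in LDAP_ESCAPED:   # also catches a trailing "\"
                raise ValueError("escape not covered by the table")
            yield dn[i + 1], True
            i += 2
        elif dn[i] == "+":
            raise ValueError("multi-valued RDN not handled")
        else:
            yield dn[i], False
            i += 1

def _notes_tokens(dn):
    """Yield (char, protected); protected=True if it was wrapped in quotes."""
    i = 0
    while i < len(dn):
        if dn[i] == '"':
            if dn[i + 1:i + 2] not in NOTES_QUOTED or dn[i + 2:i + 3] != '"':
                raise ValueError("quoting not covered by the table")
            yield dn[i + 1], True
            i += 3
        else:
            yield dn[i], False
            i += 1

def _components(tokens, sep):
    """Split on unprotected sep, then on the first unprotected '='."""
    parts, typ, buf = [], None, []
    for ch, protected in list(tokens) + [(sep, False)]:
        if not protected and ch == sep:
            if typ is None:   # e.g. an abbreviated name such as Ken Lin/Westford/IBM
                raise ValueError("component without 'type='")
            parts.append((typ, "".join(buf)))
            typ, buf = None, []
        elif not protected and ch == "=" and typ is None:
            typ, buf = "".join(buf).strip(), []
        else:
            buf.append(ch)
    return parts

def ldap_to_notes(dn):
    return "/".join(t + "=" + "".join(f'"{c}"' if c in NOTES_QUOTED else c for c in v)
                    for t, v in _components(_ldap_tokens(dn), ","))

def notes_to_ldap(dn):
    return ",".join(t + "=" + "".join("\\" + c if c in LDAP_ESCAPED else c for c in v)
                    for t, v in _components(_notes_tokens(dn), "/"))
```

Attribute type case is preserved as given; abbreviated Notes names must be expanded to their "type=value" form before conversion.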

What is the syntax for an LDAP search? (ver 7)
RFC 4514 - LDAP String Representation of Search Filters

What is the syntax of an LDAP URL? (ver 7)
RFC 4515 - LDAP Uniform Resource Locator

Why can I only retrieve some of the attributes for a found entry? (ver 1)
You're probably performing an anonymous search, which only returns some of the fields. Either perform an authenticated bind/search or change the fields that anonymous users can access. See the "Anonymous LDAP users can't search certain fields" section of "LDAP Service - Troubleshooting"

My ldapsearch for a direct group member does not return all members (ver 1)
There are two probable reasons for this:
  • The Group document's Member list does not list the "distinguished name" of the member (e.g., "Ken Lin/Westford/IBM"), but instead lists some other non-fully qualified name (e.g., "Ken Lin"). Both the LDAP groupOfNames specification and Notes Internet Authentication require distinguished names.
    Note: When Domino authenticates an Internet user, it uses the "distinguished name," which is the first name that appears in the Full Name field of a Person document. This name should be used in entries for groups, delegated server administration, database ACLs, and file protection documents.
    a. Next, the server compiles a "grouplist," which contains Andrew's distinguished name, plus any wildcard entries and any groups of which he is a member on that server.
    b. The server then checks the database ACL to determine if Andrew's name is listed explicitly on the ACL, or if any of the grouplist entries for his name appear in the ACL.
    c. If Andrew's distinguished name, or the name of any group of which he is a member, matches an entry in the ACL, then Andrew gets access to the database using the access level specified for that entry in the ACL. Otherwise, he is denied access.
  • The Group document is a Mail Only group:

    Description: The LDAP service always searches Domino groups specified as "Multi-purpose," "Access Control List only," "Servers only," or "Deny List only" groups because it can do so quickly. However because searches of Domino Groups specified as "Mail only" groups or of groups that do not have a value for the GroupType attribute can be slow, by default the LDAP service does not always search these types of groups. The LDAP service does not search these types of groups if a search query meets all of the following criteria, indicating a query that is typically used for authentication:

      • A search query uses the equality filter objectclass=value, where value is one of these object classes: groupOfNames, groupOfUniqueNames, dominoGroup, or group.
      • A search query uses an equality filter with one of these attributes: member, uniqueMember, or members.
      • The two filters above are concatenated using the AND operator.

    For example, by default the LDAP service does not search Domino "Mail only" groups and groups that do not have values for the GroupType attribute if search queries such as these are specified:
      • (&(objectclass=dominoGroup)(member=cn=jack brown,o=acme))
      • (|(&(objectclass=groupOfUniqueNames)(uniqueMember=cn=jack brown,o=acme))(&(objectclass=groupOfNames)(member=cn=jack brown,o=acme)))

    However, by default the LDAP service does search these groups if search queries such as these are specified:
      • (&(objectclass=dominoGroup)(member=*br*))
      • (member=cn=jack brown,o=acme)
      • (|(&(objectclass=dominoGroup)(member=cn=jack brown,o=acme))(cn=*groupname*))

    To change the LDAP service default behavior for group searches, specify one of these values for this setting:

    1 - Always search all groups that meet specified search criteria. If you choose this setting, full-text indexing the directory is recommended to improve the speed of searches of Domino "Mail only" groups and groups that do not use the GroupType attribute.

    2 - Never search Domino "Mail only" groups or groups that do not use the GroupType attribute.

    In Domino 5 the name of this setting is LDAP_MailOnlyGroupOption. The name has been changed in Domino 6 for clarity. However, you can use either setting name.
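
A checker for the criteria above, as an added example (not Domino code and not part of the original FAQ): it parses an LDAP filter, for instance one used by an application for group-based authorization, and reports whether the default behavior would leave "Mail only" groups out of the results. The function names are hypothetical; requiring exactly two filters inside the AND, and treating an OR as matching only when every branch matches, are assumptions drawn from the sample queries.

```python
# Added example: classifies LDAP filters by the default rule described above.
GROUP_CLASSES = {"groupofnames", "groupofuniquenames", "dominogroup", "group"}
MEMBER_ATTRS = {"member", "uniquemember", "members"}


def parse_filter(text, pos=0):
    """Parse one parenthesized filter; return (node, index just after it)."""
    if text[pos:pos + 1] != "(":
        raise ValueError(f"expected '(' at offset {pos}")
    if text[pos + 1:pos + 2] in ("&", "|", "!"):
        op, pos, children = text[pos + 1], pos + 2, []
        while text[pos:pos + 1] == "(":
            child, pos = parse_filter(text, pos)
            children.append(child)
        if text[pos:pos + 1] != ")":
            raise ValueError(f"expected ')' at offset {pos}")
        return (op, children), pos + 1
    end = text.find(")", pos)
    if end < 0:
        raise ValueError("unterminated filter item")
    attr, sep, value = text[pos + 1:end].partition("=")
    if not sep:
        raise ValueError("filter item without '='")
    return ("item", attr.strip().lower(), value), end + 1


def _is_equality(node):
    # ">=", "<=", "~=" leave a non-alphanumeric character in the attribute
    # part; a "*" in the value means a substring or presence filter.
    return node[0] == "item" and node[1].isalnum() and "*" not in node[2]


def _matches_criteria(node):
    op = node[0]
    if op == "|":  # assumption: every OR branch must itself meet the criteria
        return bool(node[1]) and all(_matches_criteria(c) for c in node[1])
    if op != "&" or len(node[1]) != 2 or not all(_is_equality(c) for c in node[1]):
        return False
    (_, a1, v1), (_, a2, v2) = node[1]
    attrs = {a1: v1.lower(), a2: v2.lower()}
    return (attrs.get("objectclass") in GROUP_CLASSES
            and any(a in MEMBER_ATTRS for a in attrs))


def skips_mail_only_groups(filter_text):
    """True if, by default, this query would not search "Mail only" groups."""
    text = filter_text.strip()
    node, end = parse_filter(text)
    if end != len(text):
        raise ValueError("trailing characters after filter")
    return _matches_criteria(node)
```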

How do LDAP substring (wildcard) searches work? (ver 6)
See "minimum characters for wildcard search"


Can I use LDAP to modify the Domino Directory? (ver 3)
Although it is possible to use LDAP Add, Delete, Modify, ModifyDN operations to modify the Domino directory, these operations do not perform all the provisioning otherwise performed by the Domino Server's Administration Process (AdminP). The LDAP operation will merely change the directory entry without performing the other associated directory and non-directory changes you may need.

How do I enable/disable write access for the Domino LDAP server? (Scott) (ver 1)
"Enabling or disabling LDAP write access to a directory served by the LDAP service"

Why are my renamed entries reverting back to their old names? (ver 6)
"Renamed Users are Reverted Back to their Old Names After 21 days"

Where do I find out more about the Administration Process? (ver 3)
"Administration process requests"


Why can't I edit fields like Internet address, First name, and others in my Person document? (Terri) (ver 1)
These fields are PROTECTED (see their field properties), which means you need Editor access or above to modify their values. Most users in the directory might only have Author access, which prohibits them from editing protected fields.

Can I use groups from a secondary Domino Directory or LDAP Directory on the ACL of a database? (Scott) (ver 1)

I don't want to have to type those long ugly names in my "ACL group enabled" LDAP Directory in the ACL of my Domino databases. Is there an easy way to select them? (Scott) (ver 1)
Yes, use an LDAP account record on your Notes client.

Is there an easy way to do this for all my Notes clients? (Scott) (ver 1)
Yes, use setup or desktop policies to automatically create LDAP accounts.

How can I limit access to certain directory entries? (ver 3)
"Extended ACL"
"Lotusphere 2002: ID214 Domino Directory Services - Practical Instruction on Two Key Options"
"Upgrading to Lotus Notes and Domino 6 - Chapter 14 Extended ACL" (ver 6)

How can I change the LDAP filter used by Directory Assistance? (ver 1)
"Configuring search filters in a Directory Assistance document for a remote LDAP directory"

Restricting users from sending mail to groups listed in the Domino Directory (ver 1)

How can I protect my Domino directory's Internet Password hashes? (ver 6)
"Technote #1244808: Configuring xACLs to protect Internet Password fields in the Domino Directory"

Anonymous LDAP searches stop working when XACLs are enabled (ver 1)
"Converting the default anonymous access settings to database ACL and extended ACL settings "

I've got other XACL problems (ver 1)
See "Extended ACL Troubleshooting"

Why are some documents marked as Truncated? (ver 7)
See "Extended ACL access settings"

How do I debug Web authentication problems? (ver 1)


How do I use single sign on? (ver 6)
"Single Sign-on in a Multi-directory World"

Using LDAP for Directory Integration - IBM Redbook (ver 3)

How can I integrate with Active Directory? (ver 3)
"Getting Started with Active Directory Integration" (ver 6)
"Active Directory Synchronization with Lotus ADSync" RedPaper
"Using Notes shared login to suppress password prompts" (ver 9)
"Using Notes client single logon to synchronize Notes and OS passwords" (ver 9)

Why is Outlook or Outlook Express having problems with Domino LDAP? (ver 3)

Lotus Domino 6.51 and Extended Products Integration Guide (ver 3)

How can I use the Domino Directory with Lotus Workplace? (ver 3)
"Integrating IBM Lotus Workplace with Lotus Domino"

How can I integrate Lotus Workplace and Notes Applications with Active Directory? (ver 3)
"Integrating Lotus Workplace and Domino LDAP using IBM Tivoli Directory Integrator"

How can I integrate Domino Web Access with Domino's directory services? (ver 5)
"iNotes Web Access Deployment and Administration"
Chapter 3.7 Directory Assistance and Directory Catalog
"Name resolution and searching: Comparing Lotus Notes and Domino Web Access" (ver 6)

How can I improve WebSphere Portal performance with Domino LDAP? (ver 6)
"Selecting 'Displayname' as searchable attribute in People Finder causes FT Search if using Domino LDAP Server"

How can I improve Sametime performance with Domino LDAP? (ver 6)
"Optimizing LDAP connections and queries on a Sametime server"

How can I set up Business Card photos using the Domino Directory? (ver 8)
"How to setup Business Card photos using the Domino Directory"

How can I allow Sametime to use photos stored in person entries in a Domino LDAP server? (ver 8)
"How to setup Business Card photos using the Domino LDAP"

How can I integrate QuickPlace with Domino's directory services? (ver 6)
"Setting up Domino to manage user directory lookups"

How can I connect Mozilla Thunderbird to the Domino LDAP Server? (ver 6)

How can I integrate my anti-spam appliance with Domino LDAP? (ver 6)
Domino LDAP does not enumerate all possible valid email addresses. See these two features instead ...

"Verify that local domain recipients exist in the Domino Directory", in "Restricting users from receiving Internet mail"

"Restricting SMTP inbound routing" for more information on SMTP controls

Where can I learn more about Tivoli Directory Integrator (TDI)? (ver 6)
"Tivoli Directory Integrator"
IBM Lotus Domino Integration Using Tivoli Directory Integrator - IBM Redpaper REDP-4629-00 (ver 9)
Robust Data Synchronization with IBM Tivoli Directory Integrator - IBM Redbook (ver 7)
"IBM Tivoli Directory Integrator Users Group"
Google Sites (ver 9)


How can I easily test an LDAP search? (ver 1)
"ldapsearch Utility"

LDAP Troubleshooting (ver 1)
"LDAP Service - Troubleshooting"

How can I tell what my LDAP server has been doing? (ver 4)
"LDAP activity logging"
show stat ldap

How can I determine potential problems with entries in my Domino Directory? (ver 7)
Lotusphere 2007 - Take Control of Your IBM Lotus Domino Directory Infrastructure with Lotus Domino 8! (See "DirLint")

How can I determine which LDAP searches are slow? (ver 7)
Lotusphere 2007 - Take Control of Your IBM Lotus Domino Directory Infrastructure with Lotus Domino 8! (See "Domino LDAP Search Performance")


What TELL commands does LDAP support? (ver 2)
"LDAP Tell commands"

What Notes.INI variables does LDAP support? (ver 3)
"Ask Professor INI - LDAP related Notes.ini variables"

What kind of directory performance improvements were made to ND6 directory access? (ver 2)
"LDD Today - Performance Perspectives - Domino 6 Directory performance improvements"

How do I access the Domino Directory via LotusScript? (ver 6)
See @NameLookup in "Programming Guide, Volume 1: Overview and Formula Language"

How do I access the Domino Directory via Java? (ver 2)
"Collaborative Cuisine's 1 Hour JNDI Cookbook"

"Building Directory Friendly Applications"

"Java Naming and Directory Interface"

"Building real-time access to an LDAP directory server from your Notes application"

"Introduction to LDAP: Part 1: Installation and simple Java LDAP Programming" (ver 6)

How do I access the Domino Directory via C/C++? (ver 3)
"Building Directory Friendly Applications"

"Lotus C API Toolkit" see NAMELookup and LDAP categories
Domino Directory (NAMELookup) -


