LDAP related Notes.ini variables
Many administrators find themselves increasingly relying on their LDAP directories these days. To help support this effort, the Notes.ini file includes a number of LDAP-related variables that allow you to configure and administer your LDAP directory. Some of these are documented, including:
LDAPBatchAdds
This specifies which views in the Domino Directory the LDAP service updates after processing an LDAP write operation.
LDAPConfigUpdateInterval
This sets the interval at which the LDAP service detects and puts into effect changes to a number of configuration settings.
LDAPGroupMembership
This changes the LDAP service default behavior for group searches.
LDAPNotesPort
This specifies the name of the Notes network port for TCP/IP that you are linking the LDAP service with.
LDAPPre55Outlook
This setting is designed for use with pre-5.5 Microsoft Outlook Express clients which, when users don't specify a search, automatically use the country associated with the software version as a search base.
For more information on these Notes.ini variables, see the Domino 6 online help.
In addition, there are a number of other variables (mostly undocumented) to help you analyze and resolve LDAP issues. This column discusses several of these, listing a common LDAP issue you may encounter, and the Notes.ini variable that can help you address it. As always, Professor INI recommends you do not modify your Notes.ini file unless you're an experienced Domino administrator, ideally under the guidance of Lotus Support.
First, let's look at an LDAP question a reader sent us recently:
Q. I have discovered the following variables in one of my servers:
LDAPNoAutoStartRepairDIT=1
LDAPServer=ldap://xxxxxxx:389
I have not been able to find any reference as to what either of these lines is supposed to do. Can you help?
Both LDAPNoAutoStartRepairDIT and LDAPServer are undocumented Notes.ini variables introduced in Domino 6. LDAPServer lets you select the hostname(s) and port(s) of the LDAP server(s) to use for LDAP authentication. For example, LDAPServer=ldap://acme.sales.com:123 specifies the LDAP server hostname acme.sales.com, and that port 123 is to be used for authentication. (If this line is absent from Notes.ini, the default LDAP server data specified in the LDAP API is used.)
As for LDAPNoAutoStartRepairDIT, Professor INI has very little information on this variable other than it in fact does appear to exist. However, we cannot recommend modifying it in any way. Can any reader help us out by providing more information on this variable?
Now let's turn our attention to some LDAP-related issues and the Notes.ini variables that can help resolve them:
I want to stop LDAP from automatically loading on my Domino server.
A new Domino 6 feature is automatic loading of LDAP on a Domino Administrative server. To prevent LDAP from loading automatically, make the following modifications to your server's Notes.ini file:
Remove LDAP (if present) from the ServerTasks setting.
Add DisableLDAPOnAdmin=1 to the server's Notes.ini file (or change its value from 0 to 1 if this variable is already present).
After you set these variables, restart your server.
How do I control the LDAP QR cache?
Another new feature in Domino 6 is the LDAP QR cache. This cache helps speed up frequently performed name searches by storing user names and attributes that have previously been searched for. The default cache size is 16 MB. You can decrease (but not increase!) the size of the cache by setting the undocumented variable LDAP_QRCache_Size. This sets the cache size in bytes. (If you exceed 16 MB, the default is used.) You can also disable the cache by setting the undocumented variable LDAP_Disable_QRCache=1.
How do I enforce LDAP schema checking?
Schema checking helps you control the content of your LDAP directory and helps prepare your directory to interact with other directories.
By default, the LDAP service doesn't enforce schema checking. To enforce schema checking, add the undocumented variable LDAP_Enforce_Schema=1 to the Notes.ini file of the server running the LDAP service, and then restart the LDAP service. This instructs the LDAP service to verify the following:
Each object class specified in an add operation is defined in the schema.
Attributes specified in an add or modify operation are associated with valid object classes for the entry.
During an add operation, all mandatory attributes required by the object classes for the entry are provided.
All attribute values conform to input validation formulas.
Directory Assistance and LDAPSearch are not able to bind successfully to my Domino 5.x server.
This can happen if the first port specified in the Ports variable of the server's Notes.ini file is invalid. The LDAP binding operation uses the first Notes port specified in Ports, unless this setting is overridden by LDAPNotesPort. If DA and LDAPSearch fail to bind to an LDAP server, you can try either of the following:
Confirm the first port specified in Ports is a valid TCPIP port. Also check the corresponding <PortName>_TcpipAddress value.
Set LDAPNotesPort to override the Ports setting.
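The following is an added example, not code from this column or from Lotus: a short Python audit that reads a Notes.ini and reports the LDAP settings discussed above (auto-loading, QR cache size, schema enforcement, and which Notes port the LDAP bind will use). The sample file contents are constructed, and the function names, the case-insensitive matching of variable names, and reading 16 MB as 16 * 1024 * 1024 bytes are assumptions.

```python
# Added example (not from the column): audit Notes.ini LDAP settings.
# Assumptions: names match case-insensitively; 16 MB = 16 * 1024 * 1024 bytes.
QR_CACHE_DEFAULT = 16 * 1024 * 1024

# Constructed sample input, not taken from a real server.
SAMPLE = """[Notes]
ServerTasks=Update,Replica,Router,LDAP,AMgr
Ports=LAN0,TCPIP
TCPIP=TCP, 0, 15, 0
TCPIP_TcpipAddress=0,192.0.2.10:0
DisableLDAPOnAdmin=0
LDAP_QRCache_Size=33554432
"""

def parse_notes_ini(text):
    """Return {lowercased name: value}, skipping blanks and section headers."""
    settings = {}
    for line in text.splitlines():
        name, sep, value = line.strip().partition("=")
        if sep and not name.startswith("["):
            settings[name.strip().lower()] = value.strip()
    return settings

def split_list(value):
    return [item.strip() for item in value.split(",") if item.strip()]

def audit_ldap(s):
    tasks = [t.lower() for t in split_list(s.get("servertasks", ""))]
    ports = split_list(s.get("ports", ""))
    # Binding uses the first port in Ports unless LDAPNotesPort overrides it.
    bind_port = s.get("ldapnotesport") or (ports[0] if ports else None)
    if s.get("ldap_disable_qrcache") == "1":
        cache = 0  # cache disabled
    else:
        try:
            cache = int(s["ldap_qrcache_size"])
        except (KeyError, ValueError):
            cache = QR_CACHE_DEFAULT
        # Above 16 MB the default applies; non-positive handled the same (assumption).
        if not 0 < cache <= QR_CACHE_DEFAULT:
            cache = QR_CACHE_DEFAULT
    return {
        "ldap_in_servertasks": "ldap" in tasks,
        "autoload_blocked": "ldap" not in tasks and s.get("disableldaponadmin") == "1",
        "schema_enforced": s.get("ldap_enforce_schema") == "1",
        "qr_cache_bytes": cache,
        "bind_port": bind_port,
        "bind_port_has_tcpip_address": bool(bind_port) and f"{bind_port.lower()}_tcpipaddress" in s,
    }
```

Run against the constructed sample, audit_ldap(parse_notes_ini(SAMPLE)) reports LAN0 as the bind port with no matching _TcpipAddress entry, which is the misordered Ports case described above, and shows the oversized cache value falling back to the 16 MB default.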
Note that these are just a sampling of LDAP-related variables. Many more exist, most of which are undocumented. We'll take a closer look at these variables that affect LDAP operations in a future installment of Ask Professor INI.
Do you have a Notes.ini question? Send it in to Professor INI. We'll answer as many questions as we can in future "Ask Professor INI" columns. Keep in mind, however, that we may not be able to answer every question, nor can we quickly respond to requests that require immediate attention. If you need an immediate response to a question, we recommend you post it in the Notes/Domino 6 Forum or Notes/Domino 4 and 5 Forum where someone from the general Notes community might be able to help, or contact Lotus Support Services.