Directories enhancements in R5.0.1

New directory catalog configuration options
There are additional options available under the "Group types" configuration field for a directory catalog. The options now available are:

You can change the name of the Users view in the Directory Catalog
You can now change the name of the Users view in a directory catalog as long as you keep the name Users as an alias.

Field configuration for anonymous LDAP access applies to a directory catalog

When you use a directory catalog on a server that runs the LDAP service, the anonymous access field configuration carries over to LDAP searches of the directory catalog. If a field an anonymous LDAP user is attempting to search is part of the directory catalog configuration, the LDAP service always refers to the list of fields in the "Choose fields that anonymous users can query via LDAP" setting for the primary Domino Directory to determine whether the user can search the field in a particular directory entry. If a field the user is attempting to search is not part of the directory catalog configuration, then the LDAP service refers to the anonymous setting for the Domino Directory from which an entry is derived to determine if an LDAP user can search a field in a particular entry.

For example, suppose the following is true:


When an LDAP user searches for the Location field, the LDAP service returns the value for the field for entries in both the primary and secondary Domino directories. When the user searches for the CompanyName field, the LDAP service returns the value for the field for entries from the primary Domino Directory but not for entries from the secondary Domino Directory.

LDAPSEARCH utility
The LDAP search utility is now available on all supported platforms. See the release note "LDAP search utility corrections" under the category Documentation Updates for corrections to the instructions on using this utility.

Domino LDAP Schema database
You can use the new command tell ldap exportschema to build/update the Domino LDAP Schema database (SCHEMA50.NSF) in the Domino data directory. This database provides information about the directory schema in a user-friendly format and can reflect any changes you make if you extend the directory schema. If you extend the directory schema, use the command tell ldap reloadschema, which loads the updated schema into memory, before using tell ldap exportschema.

When the Designer task runs it also reloads the schema into memory and then creates or updates the Domino LDAP Schema database.

Changes to LDAP attribute searches
In R5.0 if you searched for a binary attribute without using the syntax attribute;binary, the LDAP service would nevertheless return a value for the attribute. If you do this in R5.0.1, the LDAP service doesn't return a value. For example, if there's a binary attribute in the directory called photo, the LDAP service won't return the contents if you search for photo, only if you search for photo;binary or all attributes.

In R5.0.1 the LDAP service supports the certificate syntax, a kind of binary attribute. R5.0 supported the userCertificate attribute if you used the syntax ;binary. R5.0.1 supports all certificate attributes, regardless of whether you specify ;binary.

LDAP searches of groups have changed
In Release 5.0.1, LDAP searches of all types of groups except "Mail only" groups are generally quicker because by default the LDAP service uses a view in the Domino Directory to search these groups rather than using full-text searching as it did in R5.0.

Searches of "Mail only" groups are handled differently, however. By default, the LDAP service does not return results for "Mail only" groups if all of the following are true:

1. A search query uses the equality filter objectclass=value, where value is one of these object classes: groupOfNames, groupOfUniqueNames, dominoGroup, or group.

2. A search query uses an equality filter with one of these attributes: member, uniqueMember, or members.

3. The two filters above are concatenated using the AND operator.

Since queries that meet all of the above criteria are typically used for authentication, this default behavior helps to prevent "Mail only" groups from being used for authentication. The LDAP service still returns results for "Mail only" groups when search queries are used that do not meet all of the above criteria and in these cases full-text indexing is used to search the "Mail only" groups.

For example, by default the LDAP service does not return results for "Mail only" groups if queries such as these are used:

It does return results for "Mail only" groups when queries such as these are used, however:

Use the NOTES.INI setting LDAP_MailOnlyGroupOption to change the way the LDAP service handles searches of "Mail only" groups.

Use LDAP_MailOnlyGroupOption=1 to always return results for searches of "Mail only" groups
Use LDAP_MailOnlyGroupOption=2 to always exclude results for searches of "Mail only" groups
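
The default rule and the LDAP_MailOnlyGroupOption override described above, modeled as an added example (not Domino code and not part of the original release note). The filter strings are constructed samples, the function names are hypothetical, and treating a matching AND nested deeper in a filter like a top-level one is an assumption.

```python
GROUP_CLASSES = {"groupofnames", "groupofuniquenames", "dominogroup", "group"}
MEMBER_ATTRS = {"member", "uniquemember", "members"}

def parse(f, i=0):
    """Parse one parenthesised LDAP filter at f[i]; return (node, next index)."""
    if f[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if f[i] in "&|!":
        op, kids = f[i], []
        i += 1
        while f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        if f[i] != ")":
            raise ValueError("expected ')' at offset %d" % i)
        return (op, kids), i + 1
    end = f.index(")", i)
    attr, sep, value = f[i:end].partition("=")
    if not sep:
        raise ValueError("no '=' in filter item")
    # Equality only: rule out >=, <=, ~=, := and substring/presence wildcards.
    is_eq = attr[-1:] not in "<>~:" and "*" not in value
    return ("leaf", (attr.strip().lower(), value.strip().lower(), is_eq)), end + 1

def is_auth_style(node):
    """True when an AND joins a group objectclass equality and a member equality."""
    op, body = node
    if op == "leaf":
        return False
    if op == "&":
        eq = [b for o, b in body if o == "leaf" and b[2]]
        has_class = any(a == "objectclass" and v in GROUP_CLASSES for a, v, _ in eq)
        has_member = any(a in MEMBER_ATTRS for a, _, _ in eq)
        if has_class and has_member:
            return True
    # Assumption: a matching AND nested deeper in the filter counts as well.
    return any(is_auth_style(kid) for kid in body)

def mail_only_groups_searched(filter_text, option=None):
    """option models LDAP_MailOnlyGroupOption: None = not set, 1 or 2 as on the page."""
    if option == 1:
        return True
    if option == 2:
        return False
    text = filter_text.strip()
    node, end = parse(text)
    if end != len(text):
        raise ValueError("trailing text after filter")
    return not is_auth_style(node)

# Constructed sample filters (not from the release note).
AUTH_STYLE = "(&(objectclass=groupOfNames)(member=cn=Jane Doe,o=Acme))"
LOOKUP = "(cn=Sales Team)"
```

Running an application's group-membership filter through mail_only_groups_searched shows whether its authorization checks can see "Mail only" groups under the default setting.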

UTF-8 character encoding is used to return search results to LDAP V2 clients
In Release 5.0.1, the LDAP service by default uses UTF-8 character encoding when returning results using international characters to LDAP V2 clients, even though the LDAP V2 RFC doesn't support the use of UTF-8. This has been done to be compatible with LDAP V2 clients that also use UTF-8, such as Netscape Communicator and EudoraPro 4.1.

Use the NOTES.INI setting LDAP_UTF8Results=0 if you want to change this default behavior in order to support LDAP V2 clients that don't use UTF-8. (The setting LDAP_UTF8Results=1 indicates the default behavior.) If you use LDAP_UTF8Results=0, then any LDAP V2 clients that use UTF-8 may sometimes be unable to receive results returned using international characters.

Note that this issue is relevant only for LDAP V2 clients and not for LDAP V3 clients such as Microsoft Outlook Express or the Notes R5 client.