Domino LDAP & hiding records

I can’t work out how this has been done & would be grateful if someone could offer any ideas:

I have Domino running on 2 servers running the LDAP task. Both servers are using a custom database (based on pubnames.ntf) as their first directory assistance entry. If I open these databases with a Notes client, I can see all user entries on both servers. Using an LDAP browser I can view all entries on one of the servers, but on the other server I can only view a subset of entries. The “missing” users are all from particular OUs - none of the users in these OUs are visible on the second server via LDAP.

These custom databases replicate. They aren’t using selective replication and have the same document count and ACL. Readers fields are in use, but they are the same for the visible and the “missing” records. Extended ACL is not in use.

Does anyone know what mechanism might be used to “hide” LDAP entries in an OU in these circumstances? I thought it could only be done using selective replication, readers fields or extended ACL.

Thanks in advance.

Subject: Domino LDAP & hiding records

Just an idea - try setting the root of the LDAP search to one of the missing OUs to see if you can browse to them that way.

If you can, it might mean that the schema is damaged or corrupt in one address book. A view that shows all documents by form might help…

Subject: Help required - Domino LDAP & hiding records

Thanks Peter. Setting the root of the LDAP to one of the missing OUs gives no entries. I don’t think the issue is corruption - my predecessor has set up this arrangement deliberately. I need to tweak it but can’t do so without understanding how it works. What do you mean about a view which shows all documents by form?

Subject: RE: Help required - Domino LDAP & hiding records

I have also had some “fun” with LDAP recently, but I’m in a similar position of not fully understanding how it works.

However, I did discover that in my Domino Directory, there were some documents that did not show up in any of the normal views, but were somehow related to LDAP. I don’t know if the LDAP service created them, or whether they are a relic from an earlier version of Domino. I only discovered them because I have a view in my NAB that shows all documents by form. These documents use forms called ‘country’, ‘container’ and ‘locality’.

Anyhow, whatever their purpose, they also seem to function as “placeholders” or “paths” for LDAP browsing. Without these documents, if I started browsing at the root, my ldap browser could not “see” the country containers, and I could not drill down into the O and OU containers to see people. The only way I could see people was to set my LDAP base at the OU level. In other words, the LDAP browser needed to find a valid item at each “node” before it would let me drill down to the items contained below. I have found that certifier documents also show up the same way.

However, if you can’t see the people in your directory even by setting your search base to (say) OU=sales,O=acme,C=country, then it is probably all academic.

BTW, I’m using Softerra’s ldap browser.

Subject: Domino LDAP & hiding records

Thanks for your post Peter. I can see some “extra” documents in the directory, but they don’t help me to access my “missing” LDAP records. There’s obviously something in place which is hiding these records, but I’ve yet to find it. Thanks again for your input.

Subject: RE: Domino LDAP & hiding records

Hi Colin, I’ve just re-read your initial post, and I wonder whether the directory assistance database is restricting which OUs to export.

Open the directory assistance document that refers to your custom database, and look at the second tab - Naming Contexts (Rules). Are your OUs specified explicitly, or do you have wildcards (asterisks)? I’ve only ever used wildcards, so I don’t know for sure what the effect would be if you specified a context.

Subject: RE: Help required - Domino LDAP & hiding records

However, I did discover that in my Domino Directory, there were some documents that did not show up in any of the normal views, but were somehow related to LDAP. I don’t know if the LDAP service created them, or whether they are a relic from an earlier version of Domino. I only discovered them because I have a view in my NAB that shows all documents by form. These documents use forms called ‘country’, ‘container’ and ‘locality’.

Anyhow, whatever their purpose, they also seem to function as “placeholders” or “paths” for LDAP browsing. Without these documents, if I started browsing at the root, my ldap browser could not “see” the country containers, and I could not drill down into the O and OU containers to see people. The only way I could see people was to set my LDAP base at the OU level. In other words, the LDAP browser needed to find a valid item at each “node” before it would let me drill down to the items contained below. I have found that certifier documents also show up the same way.

Explanation:

Your interpretation is a good one. In a Domino directory it is possible to manually create entries in the naming tree where not all parents are present. e.g., I can manually create a Person doc whose FullName is “cn=Ken Lin/ou=Splat/ou=Westford/o=IBM” where there is no “ou=Splat/ou=Westford/o=IBM” certifier. Note that proper registration of users does not result in parent-less names.

LDAP servers expect all the nodes (except for the root) in their tree to have parents. In fact, if you tried to use LDAP to add an object named “cn=Ken Lin,ou=Splat,ou=Westford,o=IBM”, it would return the LDAP error code that says there is no parent.

As you guessed, the Domino LDAP server can check for “holes” in the naming hierarchy and plug them up with the documents you mentioned. This is the job of the TELL LDAP VERIFYDIT command …

http://www-12.lotus.com/ldd/doc/domino_notes/Rnext/help6_admin.nsf/0/bc6a8c87f734532e85256c1d003a34f0?OpenDocument

You can also find more information about LDAP in the “Domino Directory FAQ” (google it)
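The two mechanisms discussed in this thread (a browser that needs a real entry at every node before it will drill down, and the “holes” in the naming hierarchy that TELL LDAP VERIFYDIT plugs with placeholder documents) can be modelled offline. The following is an added example written for this page; it is not code from the thread, from IBM or from the Domino product. The directory contents are constructed to mirror the names used above, the split into “subtree search” versus “browse down from a base” reflects the behaviour Peter reported, and the mapping from a missing node’s attribute type to the placeholder form (country / locality / container) is an assumption, not a documented Domino rule.

```python
"""Find holes in an LDAP naming tree and show which entries a browser can reach.

Added example for the thread above; not Domino's own VERIFYDIT implementation.
"""
import re
from typing import Dict, List, Set

# Constructed sample directory, not data from the thread.  Ken Lin and Bob Roe
# sit under OUs that have no document of their own (no certifier / container).
SAMPLE_ENTRIES = [
    "o=IBM",
    "ou=Westford,o=IBM",
    "cn=Ken Lin,ou=Splat,ou=Westford,o=IBM",   # ou=Splat was never registered
    "c=US",
    "o=Acme,c=US",
    "ou=Sales,o=Acme,c=US",
    "cn=Ann Lee,ou=Sales,o=Acme,c=US",
    "cn=Bob Roe,ou=Support,o=Acme,c=US",       # ou=Support has no document
]

# ASSUMPTION: which placeholder form a VERIFYDIT-style repair would create for a
# missing node.  The thread names the forms country, locality and container; the
# assignment of attribute types to those forms here is ours.
PLACEHOLDER_FORM = {"c": "country", "l": "locality", "o": "container", "ou": "container"}

_RDN_SPLIT = re.compile(r"(?<!\\),")   # split on commas that are not escaped


def notes_to_ldap(fullname: str) -> str:
    """Turn a Domino canonical FullName (cn=x/ou=y/o=z) into LDAP DN syntax."""
    return ",".join(part.strip() for part in fullname.split("/"))


def normalize_dn(dn: str) -> str:
    """Canonical form: lowercase attribute types, no whitespace around separators."""
    rdns = []
    for rdn in _RDN_SPLIT.split(dn):
        rdn = rdn.strip()
        if not rdn:
            continue
        attr, _, value = rdn.partition("=")
        rdns.append(f"{attr.strip().lower()}={value.strip()}")
    return ",".join(rdns)


def ancestors(dn: str) -> List[str]:
    """Proper ancestors of dn, nearest first; the empty root is not listed."""
    rdns = normalize_dn(dn).split(",")
    return [",".join(rdns[i:]) for i in range(1, len(rdns))]


def find_holes(entries: List[str]) -> List[str]:
    """Ancestor DNs that no entry occupies: the holes a VERIFYDIT-style check reports."""
    present = {normalize_dn(e) for e in entries}
    holes: Set[str] = set()
    for e in entries:
        holes.update(a for a in ancestors(e) if a not in present)
    return sorted(holes)


def placeholders_for(entries: List[str]) -> Dict[str, str]:
    """Map each hole to the (assumed) placeholder form a repair would create."""
    return {h: PLACEHOLDER_FORM.get(h.split("=", 1)[0], "container") for h in find_holes(entries)}


def subtree_search(base: str, entries: List[str]) -> List[str]:
    """Entries a subtree search at `base` returns: a name-suffix match, so it works
    even when the base itself has no entry (what Peter saw when he set the base at OU level)."""
    base_n = normalize_dn(base)
    return [e for e in entries
            if base_n == "" or normalize_dn(e) == base_n or normalize_dn(e).endswith("," + base_n)]


def browseable_from(base: str, entries: List[str]) -> List[str]:
    """Entries reachable by drilling down one level at a time from `base`.
    Every node strictly between the base and the entry must exist as an entry."""
    present = {normalize_dn(e) for e in entries}
    base_n = normalize_dn(base)
    reachable = []
    for e in subtree_search(base, entries):
        between = [a for a in ancestors(e)
                   if a != base_n and (base_n == "" or a.endswith("," + base_n))]
        if all(a in present for a in between):
            reachable.append(e)
    return reachable


if __name__ == "__main__":
    print("holes:", placeholders_for(SAMPLE_ENTRIES))
    print("hidden when browsing from root:",
          sorted(set(SAMPLE_ENTRIES) - set(browseable_from("", SAMPLE_ENTRIES))))
```

Run against the constructed data, the two Person entries whose OU has no document are the ones that vanish when browsing from the root but reappear when the search base is set to their OU; the holes list is the set of nodes a VERIFYDIT-style pass would have to create. To apply this to a real directory, export the FullName values (or an ldapsearch dump of DNs) and feed them in place of SAMPLE_ENTRIES; run notes_to_ldap on Notes-style names first.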