Usability - Productivity - Business - The web - Singapore & Twins

Fixing Domino's LDAP

Domino's LDAP needs some fixing before it can be used as a fully standards-compliant LDAP, e.g. for Linux authentication. Alan Bell described the procedure long ago, but no action was taken by IBM/Lotus. So Nathan stepped forward and published a project on OpenNTF.
Unfortunately the template contained modifications of IBM copyrighted code (unlike the mail and application templates, the Domino Directory template was never published under an Apache 2.0 license), so the project had to be taken down. I had a look at it and used DXLMagic to run a comparison that revealed only modest changes:

XMLComparison: pubnames.ntf.dxl to DemoDirectory.nsf.dxl

Modified (86 changes)

| Element | Name | Changes |
|---|---|---|
| form | "(PublicDirectoryProfile)" | 37 changes (A57A396D2617685D852565D300812356) |
| outline | "(AllViews)" | 30 changes (8BD254C7A4FBCA6B85256A450072C65D) |
| subform | "$GroupExtensibleSchema" | 4 changes (D3095315B1612EC2852565D7005C620E) |
| subform | "$PersonExtensibleSchema" | 5 changes (D64258C1970DE85A852565D70058B520) |
| view | "($LDAPHier)" | 5 changes (E72D0DA8994BDCB08525668E007FC98E) |
| view | "($LDAPRDNHier)" | 5 changes (0E315EB2B26A4532852567DD007187B4) |

Added (4 additions)

| Element | Name | Unid |
|---|---|---|
| subform | "DominoDirectoryProfileAddin" | 1FB319E88A4DFA0C48257A320049FCA3 |
| subform | "LDAPGroupExtensions" | E57DA00E4BFFE3D648257A320049FCA4 |
| subform | "LDAPPersonExtensions" | C479022EFB0069E748257A320049FCA5 |
| view | "($IDNumbers)" | 9864DF762EC0FA9648257A3200499A64 |

Quite a few of those changes are subtle alterations of the pardef settings, which are 100% irrelevant to our task (see the detailed report). The main challenge here is the changes inside the original IBM design elements. Altering a design is one of the DXLMagic capabilities, so it can inject the necessary changes without publishing IBM © code. The trick here is to find the right injection points, expressed as XPath expressions, and the right DXL snippet to do the job. The DXLMagic module needed here is the DesignInjector. These are the injection points:

| XPath | Insertion Type | File Name / Attributes |
|---|---|---|
| /d:database | LASTCHILD | view_$IDNumbers.dxl |
| /d:database/d:form[@alias="DirectoryProfile"]/d:body/d:richtext/d:section[position()=last()] | LASTCHILD | form_DirectoryProfile.dxl |
| /d:database/d:subform[@name="$PersonExtensibleSchema"]/d:body/d:richtext | LASTCHILD | subform_$PersonExtensibleSchema.dxl |
| /d:database/d:subform[@name="$GroupExtensibleSchema"]/d:body/d:richtext | LASTCHILD | subform_$GroupExtensibleSchema.dxl |
| /d:database/d:view[@name="($LDAPRDNHier)"]/d:column[position()=1] | Attributes change | itemname="$RDNRootColumn" profiledocname="DirectoryProfile" usecolumnformula="true" userdefinable="true" |
| /d:database/d:view[@name="($LDAPHier)"]/d:column[position()=1] | Attributes change | itemname="$RDNRootColumn" profiledocname="DirectoryProfile" usecolumnformula="true" userdefinable="true" |

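
A sketch of how injection points like the ones listed above can be applied to a DXL export, added here as an illustration; it is not DXLMagic's DesignInjector code. The function names, the sample DXL and the stand-in snippet are assumptions, and the XPath predicates are rewritten to the subset Python's ElementTree supports.

```python
import re
import xml.etree.ElementTree as ET

DXL_NS = "http://www.lotus.com/dxl"      # namespace the table's d: prefix stands for
NS = {"d": DXL_NS}
ET.register_namespace("", DXL_NS)         # serialize without ns0: prefixes

def to_etree_path(xpath):
    """Rewrite a table XPath into the subset ElementTree's find() understands."""
    if not xpath.startswith("/d:database"):
        raise ValueError(f"expected an absolute DXL path: {xpath}")
    # ElementTree accepts [1] and [last()], but not [position()=1] / [position()=last()]
    xpath = re.sub(r"\[position\(\)=(\d+|last\(\))\]", r"[\1]", xpath)
    return "." + xpath[len("/d:database"):]   # relative to the <database> root

def inject(root, xpath, insertion_type, payload):
    """Apply one injection point; fail loudly if the template has no such node."""
    target = root.find(to_etree_path(xpath), NS)
    if target is None:
        raise LookupError(f"injection point not found: {xpath}")
    if insertion_type == "LASTCHILD":
        target.append(ET.fromstring(payload))     # payload: DXL snippet text
    elif insertion_type == "Attributes change":
        target.attrib.update(payload)             # payload: dict of attributes
    else:
        raise ValueError(f"unknown insertion type: {insertion_type}")
    return target

# Constructed stand-in for an exported pubnames.ntf.dxl (real exports are far larger)
SAMPLE = f"""<database xmlns="{DXL_NS}">
  <view name="($LDAPHier)"><column itemname="$0"/><column itemname="$1"/></view>
</database>"""

def demo():
    root = ET.fromstring(SAMPLE)
    # Stand-in for the contents of view_$IDNumbers.dxl, which the page does not show
    inject(root, "/d:database", "LASTCHILD",
           f'<view xmlns="{DXL_NS}" name="($IDNumbers)"/>')
    inject(root, '/d:database/d:view[@name="($LDAPHier)"]/d:column[position()=1]',
           "Attributes change",
           {"itemname": "$RDNRootColumn", "profiledocname": "DirectoryProfile",
            "usecolumnformula": "true", "userdefinable": "true"})
    return root

if __name__ == "__main__":
    print(ET.tostring(demo(), encoding="unicode"))
```

Raising on a missing injection point matters when the target template differs from the one the XPaths were written against: a silently skipped injection would leave a directory design that only looks patched.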
Download is coming soon.
Use it at your own risk (read: try it on a copy of pubnames.ntf and have a backup at hand).
As usual YMMV!

Posted by on 05 July 2012 | Comments (3) | categories: Show-N-Tell Thursday


  1. posted by ursus on Friday 06 July 2012 AD:
    Thank you very much for working round the problem of copyrighted code - am happy to have the changes :o)
  2. posted by Craig Wiseman on Friday 06 July 2012 AD:
    I guess it doesn't surprise me that IBM won't fix Domino's LDAP. Now that we're in the final laps, they don't want to draw attention from their "preferred" solutions.
  3. posted by Victor Toal on Monday 09 July 2012 AD:
    Excellent! I am looking forward to running a comparison and benchmarking it. I run into issues with large Domino directories, especially when there are a lot of groups.