Configuring business cards using an LDAP directory
Follow these steps to configure the business card using an LDAP directory. Domino® LDAP is considered an LDAP directory.
Before you begin
- HCL Sametime® Community Server has been installed and configured.
- Sametime authentication is configured to use an LDAP directory.
- The LDAP server is running and accessible by the Sametime Community Server.
- All LDAP attributes needed by Business Card are accessible for query via anonymous connection or by using a specific bind account and password.
- The Sametime Community Server is running.
- For Domino LDAP only: To allow anonymous users to access required user details, you can edit the Server Configuration Settings All Servers document in names.nsf. Under the LDAP tab, all LDAP attributes that you want to be retrieved by anonymous users should be added to the list of Anonymous Users Can Query.
- Photos must be less than 45 KB (recommended: 10 KB) and must be in the .jpg or .gif file type. Photos are not required to be stored inside your LDAP directory. Please see the topic Configuring Business Cards to use Two Repositories.
About this task
Configuring business cards is done in the userinfoconfig.xml file. This requires access to the server operating system. Userinfoconfig.xml is located inside the Domino program directory. After modifying the XML file, be sure to check its formatting by opening it in a browser. If the XML in this file is not well formed, the User Info (Business Card) service will fail.
Multiple Sametime Servers
Once configuration of this file is complete, copy and paste this file to the other Community servers to ensure all settings are identical.
Multiple LDAP Servers
Sametime supports the use of multiple LDAP servers. Each LDAP server requires its own settings, and by default only the first server that was configured during server setup is configured. To add additional LDAP servers, use the existing settings as a template. Locate the top of the <Storage Type="LDAP"> section and copy everything between <Storage Type="LDAP"> and </Storage>. Paste the new section below the first </Storage> tag.
Disabling updates from stconfig.nsf:
LDAP settings are stored both in stconfig.nsf and in the userinfoconfig.xml file. This can be simplified by adding a setting to the userinfoconfig.xml file to ignore the stconfig.nsf settings.
- Open the userinfoconfig.xml file with a text editor.
- Locate the <UserInformation> tag.
- Add a new line under this tag and paste the following setting:
<ReadStConfigUpdates value="false"/>
Optional: Using an Authenticated Bind to LDAP
By default, the business card service uses an anonymous bind to LDAP. In some environments, not all the attributes are available to an anonymous bind, and an authenticated bind must be used. To use an authenticated bind, locate the UserName attribute in the <StorageDetails> tag for the LDAP server configuration you are modifying. Enter the bind account username between the double quotes. The same tag has a Password attribute; enter the password for the bind account between its double quotes. Move the Password attribute so that it sits next to the UserName attribute.
For example, if the bind account is cn=Directory Administrator and the password is securePassword:
Change this:
<StorageDetails UserName="" SslPort="636" SslEnabled="false"
SearchFilter="(&amp;(objectclass=organizationalPerson)(|(cn=%s)(givenname=%s)(sn=%s)(mail=%s)))"
Scope="2" Port="389" Password="" HostName="ldap.example.com" BaseDN=""/>
To this:
<StorageDetails UserName="cn=Directory Administrator" Password="securePassword"
SslPort="636" SslEnabled="false"
SearchFilter="(&amp;(objectclass=organizationalPerson)(|(cn=%s)(givenname=%s)(sn=%s)(mail=%s)))"
Scope="2" Port="389" HostName="ldap.example.com" BaseDN=""/>
Note that in an XML attribute the ampersand in the search filter must be written as &amp;. The Sametime server encodes the credentials the next time it restarts and replaces the UserName and Password attributes with a new setting called userEncodedAuth.
Optional: Enabling Encryption
By default, the LDAP operations are unencrypted, and all communications are sent in clear text. To enable encryption, first follow the instructions in the Securing LDAP topic.
After the keystore has been created, enter the path to the keystore and its password in the <SslProperties> tag, for example:
<SslProperties KeyStorePath="keys.p12" KeyStorePassword="securePassword"/>
Check the SslPort="636" setting and change it if the LDAPS port is not 636.
Change the setting SslEnabled="false" to SslEnabled="true".
Modifying the Search Filter
Review the default search filter and make changes to fit your LDAP server’s schema.
Setting the Search Base and Scope
The BaseDN is the field used to specify where to start searching in the directory. For example, if the users are all located in cn=users,dc=example,dc=com, you could set BaseDN="cn=users,dc=example,dc=com" so that the rest of the directory is not searched. A BaseDN is required when using Microsoft Active Directory; it is not required for Domino LDAP.
The Scope setting controls how much of the directory below the BaseDN is searched:
0 = Base - A lookup operation. Only the single entry described by the base DN is matched and nothing more.
1 = One level - The search "looks down" one level below the base DN and no further. This is like opening a folder in a file system and looking only at the direct elements inside the folder.
2 = Subtree - All child entries of the base DN are searched, whether direct or not, including the base DN itself.
It is recommended that the BaseDN and search scope configured in the stconfig.nsf/LDAPSettings document match what you have here. The default setting of Scope="2" is the same as recursive in the LDAPServer document.
Setting the Hostname
The hostname of the LDAP server is set during server setup. Review the HostName setting and confirm that it is the fully qualified hostname of the LDAP service, which may be a load balancer in front of a cluster of LDAP servers. Make any corrections as needed.
Mapping the fields to LDAP attributes
These settings are in the <Details> section. For each type of data, there is an Id and a FieldName. The Id is the internal name used by Sametime to identify each area of the business card. The FieldName value is set to the LDAP attribute that contains the data to display inside the business card. Modify any values that do not match your LDAP schema.
| Description | Id name (do not change) | Example |
|---|---|---|
| The name of the attribute that holds the email address. | MailAddress | |
| The name of the attribute that has the user's Common Name. | Name | cn |
| The name of the attribute that contains the user's title. | Title | title |
| The name of the attribute that contains the user's physical address. | Location | postalAddress |
| The name of the attribute that contains the user's phone number. | Telephone | telephoneNumber |
| The name of the attribute that has the company, organization or department name. | Company | ou |
| The attribute containing the photo. | Photo | jpegPhoto |
Adding additional detail
If you would like to map additional detail to these fields, it is possible with additional configuration.
For example, suppose there is both a desk phone number (attribute "telephoneNumber") and a mobile phone number (attribute "mobile") that you wish to include in the business card. The two values will be separated by a forward slash (you can choose other characters as a separator).
Locate the <Detail Type= line that you wish to modify; in this example it is the one for Telephone. In the FieldName, between the quotes, add the second attribute, separated by a comma: FieldName="telephoneNumber,mobile". Then, before the closing tag, add a space and a new setting: DisplaySeparator=" / ".
The updated example line:
<Detail Type="text/plain" Id="Telephone" FieldName="telephoneNumber,mobile"
DisplaySeparator=" / "/>
Setting a URL for Photos
If you are using HCL Connections Profiles for the photos, see the topic Configuring Business Cards on HCL Connections.
If your photos are stored at a URL on a web server, your LDAP server must have an attribute that contains the URL. The attribute can be an existing attribute that has been repurposed, or a new attribute can be created.
The photo file name must be the email address of the user with a file extension of .jpg. For example, if a user's email address is jane@example.com, the file name must be jane@example.com.jpg.
To update the userinfoconfig.xml, under the <Details> section create a new <Detail> line for ImagePath. This is used by the desktop clients. In the FieldName, enter the attribute that holds the URL. For example, if the attribute that holds the photo URL is "description", the new line is:
<Detail Type="text/plain" Id="ImagePath" FieldName="description"/>
If you have mobile clients, add an additional <Detail Type= line for PhotoURL. For example:
<Detail Type="text/plain" Id="PhotoURL" FieldName="description"/>
Selecting the Fields to Display
In the <Set params> settings, select the Id names that you are including as part of the business card. Remove any Ids you do not want to include. For example, if you do not want to include the company name, remove "Company" from the list of attributes.
If you have added ImagePath and/or PhotoURL, add these to the <Set params> list and remove Photo.
There are two lines that begin with <Set params>, each with a unique SetId. The one listed for SetId="0" is for anonymous users. The one for SetId="1" is for authenticated users.
Special Cases
In the LDAPServer document there is a setting "The attribute of the person entry that defines the internal ID of a Sametime user." If this setting is not blank, or is set to anything other than the DN, the userinfoconfig.xml file must be updated.
Locate the StorageDetails tag of the relevant LDAP directory and add the following attributes:
UserIdAttribute="attribute_name"
PersonObjectClass="object_class_name"
where attribute_name is the name of the attribute configured as the internal ID, and object_class_name is the name of the person object class (for example organizationalPerson).
When all updates are complete, save and close the userinfoconfig.xml file. It is a best practice to open the file in a browser to check for any formatting mistakes. If no mistakes are found, restart the Community Server for these settings to take effect.
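As an added check (example code written for this page, not part of HCL's documentation or the Sametime product), the following script parses a userinfoconfig.xml and flags the settings discussed above that weaken the configuration or break the service: malformed XML, SslEnabled="false", an authenticated bind sent over clear text, a plaintext Password still in the file, an invalid Scope, a SearchFilter without the %s placeholder, and an empty BaseDN. The element nesting in the constructed sample (StorageDetails and SslProperties inside a Storage element under UserInformation) is an assumption; adjust the tag names if your file differs.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not a real deployment), deliberately left with the weak
# defaults this page discusses: clear-text LDAP, plaintext bind password, empty BaseDN.
SAMPLE_XML = """<?xml version="1.0"?>
<UserInformation>
 <ReadStConfigUpdates value="false"/>
 <Storage Type="LDAP">
  <StorageDetails UserName="cn=Directory Administrator" Password="securePassword"
   SslPort="636" SslEnabled="false"
   SearchFilter="(&amp;(objectclass=organizationalPerson)(|(cn=%s)(mail=%s)))"
   Scope="2" Port="389" HostName="ldap.example.com" BaseDN=""/>
  <SslProperties KeyStorePath="keys.p12" KeyStorePassword="securePassword"/>
 </Storage>
</UserInformation>"""

def lint_userinfoconfig(xml_text):
    """Return a list of findings; an empty list means nothing was flagged."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # Malformed XML takes the whole User Info (Business Card) service down.
        return [f"FATAL: invalid XML, the service will fail to start: {exc}"]
    findings = []
    for sd in root.iter("StorageDetails"):
        host = sd.get("HostName", "?")
        user, pw = sd.get("UserName", ""), sd.get("Password", "")
        if sd.get("SslEnabled", "false").lower() != "true":
            findings.append(f"{host}: SslEnabled is false, LDAP traffic is clear text")
            if user:
                findings.append(f"{host}: authenticated bind over clear text exposes the credentials")
        if user and not pw and sd.get("userEncodedAuth") is None:
            findings.append(f"{host}: UserName is set but Password is empty")
        if pw:
            findings.append(f"{host}: plaintext Password in file (encoded only after a restart)")
        if sd.get("Scope") not in ("0", "1", "2"):
            findings.append(f"{host}: Scope must be 0 (base), 1 (one level) or 2 (subtree)")
        filt = sd.get("SearchFilter", "")
        if "%s" not in filt or filt.count("(") != filt.count(")"):
            findings.append(f"{host}: SearchFilter lacks a %s placeholder or has unbalanced parentheses")
        if not sd.get("BaseDN"):
            findings.append(f"{host}: BaseDN is empty (required for Active Directory)")
    for sp in root.iter("SslProperties"):
        if not sp.get("KeyStorePath") or not sp.get("KeyStorePassword"):
            findings.append("SslProperties: KeyStorePath or KeyStorePassword is empty")
    return findings

if __name__ == "__main__":
    for finding in lint_userinfoconfig(SAMPLE_XML):
        print(finding)
```

Run it against the real file after editing and before the restart; a non-empty BaseDN finding can be ignored on Domino LDAP, where the page says BaseDN is optional.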