Configuring the LDAP server Document

In previous releases of Sametime, there was a separate Administration client to configure LDAP settings. These settings are now done directly inside of the configuration database that holds the settings.

About this task

Note: If you have multiple Sametime servers in your community, it is very important that these settings are identical on each Community Server. Once the settings are completed, this document can be copied and pasted into the other server’s configuration.

Procedure

  1. Launch the HCL Notes or Administration client, as the administrator.
  2. Click on Open > Applications > Open an application
  3. In the servername field, enter the hostname of the Sametime server.
  4. In the filename field, enter “stconfig.nsf”.
  5. Scroll to the LDAPServer document and double-click to open it.
  6. Place the document in edit mode by double-clicking inside the document.

    Connection Settings

    These are the settings that define how Sametime Community server contacts the LDAP Server.

    Table 1. Connection Settings
    Field name What to enter
    Organization name Leave blank
    Network Address of LDAP Connection Enter the fully qualified hostname of the LDAP server, or if your LDAP is high availability, the hostname of the network device front ending the LDAP servers.
    Port number for LDAP Connection 389 is the default unsecure port for LDAP, this can be modified if using a custom LDAP port.
    Login Name for LDAP Connection

    An authenticated bind is recommended, enter the DN of the bind account. Typically these are accounts created for this purpose and are meant to be used by servers, not users.

    For anonymous bind, you can leave this blank.

    Password for LDAP Connection Enter the password being used for the bind account.
    SSL Enabled*

    Enter false for unencrypted LDAP

    Enter true for encrypted LDAP

    SSL Port Enter the secure LDAP port number (typically 636)
    Search order Each LDAPServer document should have a unique search order. If you only have one document, leave this at 1.
    Note: For Encrypted LDAP there are additional configuration steps. If you enable the SSL Enabled setting to true, LDAP will not work properly until all steps are completed for secure LDAP.

    Search Filters

    These settings will vary depending on your business needs and the type of LDAP server you have in place.

    Table 2. Search Filters
    Setting name Description Example
    Search Filter for resolving person names Specifies the search filter used when searching for a person. It is recommended to at least keep the mail attribute. Each occurrence of “%s” is replaced with the supplied name to create the actual filter. When paired with the asterisk it returns all users whose names begin with the supplied name.

    Active Directory:

    (&(objectclass=organizationalPerson)(|(cn=%s*)(sn=%s*)(sAMAccountName=%s*)(mail=%s*)))

    Search filter to use when resolving a user name to a distinguished name This is the authentication filter, which is used when searching for a user to resolve the user to a Distinguished Name. Each occurrence of “%s” is replaced with the supplied name to make the filter.

    Active Directory:

    (&(objectclass=organizationalPerson)(|(cn=%s)(sn=%s)(sAMAccountName=%s)(mail=%s)))

    Search filter for resolving group names Specifies the search filter used when searching for a group. Each occurrence of “%s” is replaced with the supplied name to create the actual filter. When paired with the asterisk it returns all users whose names begin with the supplied name.

    Active Directory:

    (&(objectclass=groupofnames)(cn=%s*))

    Search Base and Scope

    Base DN specifies the tree location where the search operation starts. When the LDAP directory is searched, the query always searches downwards, based on the specified scope. The search is never upwards. When configuring your base objects, make sure you enter the DN closest to the top where the users or groups reside.

    Table 3. Search Base
    Field name Description Example
    Base object when searching for person entries Enter the base DN at the top most level where users reside

    Domino LDAP: O=Example

    Active Directory:

    CN=Users,DC=Example,DC=com

    IBM Security Directory: O=Example,C=US

    Base object when searching for group entries

    Enter the base DN at the top most level where groups reside

    Note: In Domino LDAP all groups are flat, so it should be your O level or leave blank.

    Domino LDAP: O=Example

    Active Directory:

    CN=Groups,DC=Example,DC=com

    IBM Security Directory: O=Example,C=US

    Scope

    Table 4. Search Scope
    Field name Description Example
    Scope for searching for a person If this is left blank only the base scope is searched, and will not search down the tree. Set this to recursive to have all sub-trees searched. recursive
    Scope for searching for a group If this is left blank only the base scope is searched, and will not search down the tree. Set this to recursive to have all sub-trees searched. recursive
    Table 5. Schema Settings: People
    Field name Description Example
    The attribute of the person entry that defines the internal ID of a Sametime user Optional setting: if this is left unspecified, DN is used. This entry defines the internal ID of a Sametime user that is appropriate for logging in to Sametime. Select a stable LDAP attribute that is not likely to change when users change their name or relocate.

    Domino LDAP: dominounid

    *Active Directory: objectGUID

    IBM Directory Server: ibm-entryUUID

    The attribute of the person entry that defines a person’s name This is the attribute used to display the user’s name in the contact list. cn
    Attribute used to distinguish between two similar person names There are times when users have similar names, enter an attribute that is unique that can be used to distinguish the person to a particular entry in LDAP. dn
    Attribute of the person entry that defines the person’s email address Enter the name of the attribute that has the user’s email address.

    Domino LDAP: mail

    Active Directory: mail

    IBM Security Directory: mail

    The person object class used to determine if an entry is a person Each entry in LDAP is assigned to an object class, enter the object class for the person entry.

    Domino LDAP: organizationalPerson

    Active Directory: person

    IBM Security Directory: organizationalPerson

    *Active Directory has a special use case. Please see the topic Defining the ID attribute for Active Directory

    Table 6. Schema Settings: Groups
    Option Description Example
    Attribute used to distinguish between two similar group names This can be left blank, or be set to an attribute such as description
    The attribute of the group entry that defines the group’s name This is the attribute that is used to determine how the group name is displayed in the contact list. cn
    Attribute in the group object class that has the names of the group members In the group there is an attribute that holds the names of the members.

    Domino LDAP: member

    Active Directory: member

    IBM Security Directory: IBM-AllMembers

    The group object class used to determine if an entry is a group This is the name of the object class used by groups

    Domino LDAP: groupOfNames

    Active Directory: group

    IBM Security Directory: groupOfNames

    Home Server

    The Name of the Home Server attribute can be left blank if you have only one Community server or one cluster of Community servers. For environments that have multiple clusters, please review the topics on Clustering Community servers for additional information.

    Membership

    These settings are used by Sametime Policies to determine group membership.

    Table 7. Membership
    Option Description Example
    GroupMembership *This is the filter used to search for a user’s membership to a group. This can be set to an actual filter like the default setting, or set to an attribute that contains the user’s groups that they are a member of. Using the attribute instead of a search yields better performance.

    Default setting: (&(objectclass=groupofnames)(member=%s))

    Example of using the MemberOf attribute:

    Domino LDAP: dominoaccessgroups

    Active Directory: memberOf

    IBM Security Directory: memberOf

    BaseMembership This can be left blank, or enter the base DN for searching this group membership search.

    *For additional information on setting the group membership, see Policy group search filter causes policies to take minutes to be returned.

  7. After completing the configuration, click File > Save to save the document.
  8. Restart the Community server in order for these changes to take effect.
    Note: If the LDAP document in stconfig.nsf has "The attribute of the person entry that defines the internal ID of a Sametime user" set to a value that is not a distinguished name value, set CL_USE_USER_DN=1 in the sametime.ini under [Config]. If this setting is not found, the server defaults to using the Sametime user ID as the user's identifier for a chat log. This flag should be used if your Sametime user ID is not a distinguished name.
    • CL_USE_USER_DN=0 uses the Sametime user ID as the user's identifier for a chat log.

      Announcement originators and recipients can only be identified by their Sametime user IDs, so logging must also use the Sametime user IDs.

    • CL_USE_USER_DN=1 uses the person's distinguished name (from the LDAP directory) as the user's identifier for a chat log.

      If a distinguished name is not found, it instead uses the Sametime user ID. The distinguished name attribute can be either the Sametime user ID or another attribute.