Configuring the LDAP server Document
In previous releases of Sametime, a separate Administration client was used to configure LDAP settings. These settings are now made directly in the configuration database (stconfig.nsf) that holds them.
About this task
Procedure
- Launch the HCL Notes or Administration client as the administrator.
- Click Open > Applications > Open an application.
- In the server name field, enter the hostname of the Sametime server.
- In the filename field, enter "stconfig.nsf".
- Scroll to the LDAPServer document and double-click to open it.
- Place the document in edit mode by double-clicking inside the document.
Connection Settings
These are the settings that define how Sametime Community server contacts the LDAP Server.
Table 1. Connection Settings

| Field name | What to enter |
| --- | --- |
| Organization name | Leave blank. |
| Network Address of LDAP Connection | The fully qualified hostname of the LDAP server or, if your LDAP is highly available, the hostname of the network device fronting the LDAP servers. |
| Port number for LDAP Connection | 389 is the default unencrypted LDAP port; change it if you use a custom LDAP port. |
| Login Name for LDAP Connection | An authenticated bind is recommended: enter the DN of the bind account. These are typically accounts created for this purpose and meant to be used by servers, not users. For anonymous bind, leave this blank. |
| Password for LDAP Connection | The password of the bind account. |
| SSL Enabled* | false for unencrypted LDAP; true for encrypted LDAP. |
| SSL Port | The secure LDAP port number (typically 636). |
| Search order | Each LDAPServer document should have a unique search order. If you have only one document, leave this at 1. |

*Note: Encrypted LDAP requires additional configuration steps. If you set SSL Enabled to true, LDAP will not work properly until all steps for secure LDAP are completed.

Search Filters
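Before restarting the Community server it is worth checking an LDAPServer document against the constraints in Table 1: a blank network address, SSL Enabled set to true without an SSL port, a blank login name (anonymous bind), and a search order shared between two documents. The checker below is an added example, not HCL Sametime code; it models the documents as plain dicts keyed by the Table 1 field names, and the two sample documents (including the hostname and bind DN) are constructed for the example.

```python
# Constructed LDAPServer documents keyed by the Table 1 field names.
# Document 0 has SSL Enabled true but no SSL Port; document 1 has a blank
# network address and an anonymous bind; both share search order 1.
LDAP_DOCS = [
    {
        "Network Address of LDAP Connection": "ldap.example.com",
        "Port number for LDAP Connection": "389",
        "Login Name for LDAP Connection": "CN=svc-sametime,OU=Service Accounts,DC=example,DC=com",
        "Password for LDAP Connection": "placeholder-password",
        "SSL Enabled": "true",
        "SSL Port": "",
        "Search order": "1",
    },
    {
        "Network Address of LDAP Connection": "",
        "Port number for LDAP Connection": "389",
        "Login Name for LDAP Connection": "",
        "Password for LDAP Connection": "",
        "SSL Enabled": "false",
        "SSL Port": "636",
        "Search order": "1",
    },
]


def _port_ok(value: str) -> bool:
    """True when value is a decimal TCP port in 1..65535."""
    value = value.strip()
    return value.isdigit() and 1 <= int(value) <= 65535


def check_document(doc: dict) -> list:
    """Return findings for one LDAPServer document (errors block a working
    connection, warnings are security advice drawn from Table 1)."""
    findings = []
    if not doc.get("Network Address of LDAP Connection", "").strip():
        findings.append("error: Network Address of LDAP Connection is blank")
    if not _port_ok(doc.get("Port number for LDAP Connection", "")):
        findings.append("error: Port number for LDAP Connection is not a valid port")

    ssl = doc.get("SSL Enabled", "").strip().lower()
    if ssl not in ("true", "false"):
        findings.append("error: SSL Enabled must be true or false")
    elif ssl == "true":
        # Table 1: secure LDAP also needs the SSL Port (typically 636).
        if not _port_ok(doc.get("SSL Port", "")):
            findings.append("error: SSL Enabled is true but SSL Port is not a valid port")
    else:
        findings.append("warning: SSL Enabled is false; bind credentials and "
                        "directory data travel unencrypted")

    login = doc.get("Login Name for LDAP Connection", "").strip()
    password = doc.get("Password for LDAP Connection", "")
    if not login:
        findings.append("warning: anonymous bind (Login Name blank); "
                        "an authenticated bind is recommended")
    elif not password:
        findings.append("error: Login Name is set but Password is blank")

    if not doc.get("Search order", "").strip().isdigit():
        findings.append("error: Search order must be a number")
    return findings


def check_all(docs: list) -> dict:
    """Check every document and flag search orders used more than once."""
    findings = {i: check_document(d) for i, d in enumerate(docs)}
    orders = [d.get("Search order", "").strip() for d in docs]
    for i, order in enumerate(orders):
        if order and orders.count(order) > 1:
            findings[i].append(f"error: Search order {order} is shared with "
                               "another LDAPServer document")
    return findings


if __name__ == "__main__":
    for index, problems in check_all(LDAP_DOCS).items():
        print(f"LDAPServer document {index}:")
        for problem in problems or ["ok"]:
            print("  " + problem)
```

Run it as a script to see the findings for the two constructed documents; in practice you would load the field values from the real LDAPServer documents and expect an empty list for each before restarting the server.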
These settings will vary depending on your business needs and the type of LDAP server you have in place.
Table 2. Search Filters

| Setting name | Description |
| --- | --- |
| Search filter for resolving person names | The search filter used when searching for a person. It is recommended to at least keep the mail attribute. Each occurrence of "%s" is replaced with the supplied name to create the actual filter; paired with an asterisk it returns all users whose names begin with the supplied name. |
| Search filter to use when resolving a user name to a distinguished name | The authentication filter, used when searching for a user to resolve the user to a distinguished name. Each occurrence of "%s" is replaced with the supplied name to make the filter. |
| Search filter for resolving group names | The search filter used when searching for a group. Each occurrence of "%s" is replaced with the supplied name to create the actual filter; paired with an asterisk it returns all groups whose names begin with the supplied name. |

Active Directory examples:

Search filter for resolving person names:
`(&(objectclass=organizationalPerson)(|(cn=%s*)(sn=%s*)(sAMAccountName=%s*)(mail=%s*)))`

Search filter to use when resolving a user name to a distinguished name:
`(&(objectclass=organizationalPerson)(|(cn=%s)(sn=%s)(sAMAccountName=%s)(mail=%s)))`

Search filter for resolving group names:
`(&(objectclass=groupofnames)(cn=%s*))`
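The "%s" substitution in Table 2 is easiest to reason about by carrying it out. The code below is an added example, not Sametime's own substitution code: it takes the three Active Directory filters from the table, replaces each "%s" with a supplied name, and shows the difference between the exact-match authentication filter and the prefix-match filters that carry the trailing asterisk. The escaping step (RFC 4515 backslash-hex encoding of the characters `\`, `*`, `(`, `)` and NUL) is an assumption of the example, not a statement about how Sametime performs the substitution; it is included because the assertion count shows how a name containing filter metacharacters would otherwise change the shape of the filter that reaches the directory.

```python
import re

# Active Directory search filters as given in Table 2 above.
PERSON_NAME_FILTER = ("(&(objectclass=organizationalPerson)"
                      "(|(cn=%s*)(sn=%s*)(sAMAccountName=%s*)(mail=%s*)))")
AUTH_FILTER = ("(&(objectclass=organizationalPerson)"
               "(|(cn=%s)(sn=%s)(sAMAccountName=%s)(mail=%s)))")
GROUP_NAME_FILTER = "(&(objectclass=groupofnames)(cn=%s*))"

# RFC 4515 escapes for characters that are special inside a filter value.
_SPECIAL = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Encode filter metacharacters so the value is matched literally."""
    return "".join(_SPECIAL.get(ch, ch) for ch in value)


def build_filter(template: str, supplied_name: str, escape: bool = True) -> str:
    """Replace every %s in the template with the supplied name, exactly as the
    Table 2 description states.  escape=False shows the raw substitution."""
    value = escape_filter_value(supplied_name) if escape else supplied_name
    return template.replace("%s", value)


def is_balanced(filter_text: str) -> bool:
    """True when every '(' in the filter has a matching ')'."""
    depth = 0
    for ch in filter_text:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


def assertion_count(filter_text: str) -> int:
    """Number of 'attribute=value' assertions in the filter.  A substituted
    name must not change this number; if it does, the name altered the
    filter's structure rather than only its values."""
    return len(re.findall(r"\([A-Za-z][A-Za-z0-9-]*=", filter_text))


if __name__ == "__main__":
    print(build_filter(PERSON_NAME_FILTER, "jdo"))   # prefix match on jdo*
    print(build_filter(AUTH_FILTER, "jdoe"))         # exact match on jdoe
    print(build_filter(GROUP_NAME_FILTER, "sales"))  # groups starting with sales
    for name in ("jdoe", "O'Brien", "jdoe)(cn=*"):
        raw = build_filter(AUTH_FILTER, name, escape=False)
        safe = build_filter(AUTH_FILTER, name)
        print(f"{name!r}: raw assertions={assertion_count(raw)}, "
              f"escaped assertions={assertion_count(safe)}")
```

The authentication filter always contains five assertions (objectclass, cn, sn, sAMAccountName, mail); the escaped form keeps that count for any supplied name, which is the property to check if you ever feed the filters anything other than a plain user name.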
Search Base and Scope
Base DN specifies the tree location where the search operation starts. When the LDAP directory is searched, the query always searches downwards, based on the specified scope. The search is never upwards. When configuring your base objects, make sure you enter the DN closest to the top where the users or groups reside.
Table 3. Search Base

| Field name | Description | Example |
| --- | --- | --- |
| Base object when searching for person entries | Enter the base DN at the topmost level where users reside. | Domino LDAP: O=Example; Active Directory: CN=Users,DC=Example,DC=com; IBM Security Directory: O=Example,C=US |
| Base object when searching for group entries | Enter the base DN at the topmost level where groups reside. Note: in Domino LDAP all groups are flat, so this should be your O level or left blank. | Domino LDAP: O=Example; Active Directory: CN=Groups,DC=Example,DC=com; IBM Security Directory: O=Example,C=US |
Scope
Table 4. Search Scope

| Field name | Description | Example |
| --- | --- | --- |
| Scope for searching for a person | If left blank, only the base object is searched and the tree below it is not searched. Set this to recursive to have all sub-trees searched. | recursive |
| Scope for searching for a group | If left blank, only the base object is searched and the tree below it is not searched. Set this to recursive to have all sub-trees searched. | recursive |

Table 5. Schema Settings: People

| Field name | Description | Example |
| --- | --- | --- |
| The attribute of the person entry that defines the internal ID of a Sametime user | Optional setting: if left unspecified, the DN is used. This attribute defines the internal ID of a Sametime user that is used for logging in to Sametime. Select a stable LDAP attribute that is not likely to change when users change their name or relocate. | Domino LDAP: dominounid; Active Directory: objectGUID*; IBM Directory Server: ibm-entryUUID |
| The attribute of the person entry that defines a person's name | The attribute used to display the user's name in the contact list. | cn |
| Attribute used to distinguish between two similar person names | Users sometimes have similar names; enter a unique attribute that can be used to tie the person to a particular entry in LDAP. | dn |
| Attribute of the person entry that defines the person's email address | The name of the attribute that holds the user's email address. | Domino LDAP: mail; Active Directory: mail; IBM Security Directory: mail |
| The person object class used to determine if an entry is a person | Each entry in LDAP is assigned to an object class; enter the object class for the person entry. | Domino LDAP: organizationalPerson; Active Directory: person; IBM Security Directory: organizationalPerson |

*Active Directory has a special use case; see the topic Defining the ID attribute for Active Directory.
Table 6. Schema Settings: Groups

| Option | Description | Example |
| --- | --- | --- |
| Attribute used to distinguish between two similar group names | This can be left blank or set to an attribute such as description. | |
| The attribute of the group entry that defines the group's name | The attribute that determines how the group name is displayed in the contact list. | cn |
| Attribute in the group object class that has the names of the group members | The attribute of the group entry that holds the names of its members. | Domino LDAP: member; Active Directory: member; IBM Security Directory: IBM-AllMembers |
| The group object class used to determine if an entry is a group | The name of the object class used by groups. | Domino LDAP: groupOfNames; Active Directory: group; IBM Security Directory: groupOfNames |
Home Server
The Name of the Home Server attribute can be left blank if you have only one Community server or one cluster of Community servers. For environments with multiple clusters, see the topics on Clustering Community servers for additional information.
Membership
These settings are used by Sametime Policies to determine group membership.
Table 7. Membership

| Option | Description | Example |
| --- | --- | --- |
| GroupMembership* | The filter used to search for a user's membership in a group. This can be set to an actual filter, like the default setting, or to an attribute that contains the groups the user is a member of. Using the attribute instead of a search yields better performance. | Default setting: `(&(objectclass=groupofnames)(member=%s))`. Using a memberOf attribute instead: Domino LDAP: dominoaccessgroups; Active Directory: memberOf; IBM Security Directory: memberOf |
| BaseMembership | This can be left blank, or enter the base DN for the group membership search. | |

*For additional information on setting the group membership, see Policy group search filter causes policies to take minutes to be returned.
- After completing the configuration, click File > Save to save the document.
- Restart the Community server for these changes to take effect.

Note: If the LDAP document in stconfig.nsf has "The attribute of the person entry that defines the internal ID of a Sametime user" set to a value that is not a distinguished name, set CL_USE_USER_DN=1 in the sametime.ini under [Config]. If this setting is not present, the server defaults to using the Sametime user ID as the user's identifier for a chat log. Use this flag if your Sametime user ID is not a distinguished name.

- CL_USE_USER_DN=0 uses the Sametime user ID as the user's identifier for a chat log. Announcement originators and recipients can only be identified by their Sametime user IDs, so logging must also use the Sametime user IDs.
- CL_USE_USER_DN=1 uses the person's distinguished name (from the LDAP directory) as the user's identifier for a chat log. If a distinguished name is not found, it uses the Sametime user ID instead. The distinguished name attribute can be either the Sametime user ID or another attribute.