Configuring LDAP for a cluster
The IBM® Sametime® Gateway Server requires that IBM WebSphere® Application Server be configured to use the LDAP directory that contains records for members of the local Sametime community. Set up a connection to the LDAP directory using a self-signed certificate.
Procedure
- Log in to the deployment manager node as a user with administrative privileges. Make sure you have an enterprise LDAP server that contains members of the local Sametime community and the LDAP server is running.
- Complete the following sub-steps to connect to LDAP over SSL; otherwise skip this step. If your LDAP server uses a certificate issued by a public CA, you need to obtain the public root CA certificate and import it. If your LDAP server uses a self-signed certificate, you simply import the self-signed certificate.
- From the Integrated Solutions Console, select Security > SSL Certificates and key management, then select Key stores and certificates.
- Click CellDefaultTrustStore.
- Click Signer certificates.
- Click Add.
- In the Alias field, type a description for the certificate, whether it's self-signed or a public CA.
- In the File name field, type the path to the certificate file. For example, c:\certname.cer.
- Click Apply and then Save.
- Select Security > Global security.
- Make sure the Enable administrative security and Enable application security options are selected.
- In the Available realm definitions, select Federated repositories.
- Click Set as current.
- Click Configure.
- Click Add base entry to the Realm.
- On the next screen, click Add Repository...
- Type a logical name for the repository in the Repository Identifier field. The identifier can be any value, as long as it is unique within the cell.
- Select the type of LDAP server to use from the Type list. If you have a Domino® Version 7.0 server, select IBM Domino Version 6.5 as your LDAP type.
- Enter the fully qualified host name of the LDAP server in the Primary Host field. You can enter either the IP address or domain name system (DNS) name.
- Enter the LDAP server port number in the Port field. The host name and the port number represent the realm for this LDAP server in the WebSphere Application Server cell. The default value is 389.
- Optionally, enter the bind DN name in the Bind distinguished name field. The bind distinguished name can be any user with read permission for the directory server. The bind DN need not be the LDAP administrator. Leave this field blank to connect to the LDAP server anonymously.
- Optionally, enter the password corresponding to the bind DN in the Bind password field. Leave this field blank to connect to the LDAP server anonymously.
- Specify the Login properties when setting up the repository. The cn, uid, and mail are common login property values. If your LDAP server uses a login property other than uid, you must change the value to match your user prefix.
- Click Apply, and then click Save.
- In the Distinguished name of a base entry that uniquely identifies this set of entries in the realm field, type the base DN of your choice, such as "o=myLDAPRealm" or "o=defaultWIMLDAPBasedRealm". This DN is for internal WebSphere Application Server use only and is used to identify a set of entries when returning search results.
- In the Distinguished name of a base entry in this repository field, type the DN of the base entry within the directory at which searches begin. Leave this field blank to start LDAP searches at the root of your LDAP repository, or if you have a Domino LDAP, which always begins searches at the root of the directory. An example of a DN for the base entry in a repository:
dc=IBM,dc=COM
- Click Apply, and then click Save.
- Log out of the Integrated Solutions Console.
- On the deployment manager, use a text editor to open wimconfig.xml. The file is at the following path (all on one line):
was_install_root\profiles\RTCGW_Profile\config\cells\cell_name\wim\config\wimconfig.xml
The cell_name is the name of your cell.
- Find the configLdapRepository section:
</config:repositories><config:repositories xsi:type="config:LdapRepositoryType">
- Within that section, find the config:attributeConfiguration element block.
- Add a line for config:externalIdAttributes if one does not already exist, using one of the following formats.
- Add this line if the ID attribute has a default syntax type of string:
<config:externalIdAttributes name="unique_attribute"/>
where unique_attribute is the unique LDAP attribute that you want to use. The following example adds a string attribute called dominounid:
<config:externalIdAttributes name="dominounid"/>
- Add this line if the ID attribute has a syntax type other than string:
<config:externalIdAttributes name="unique_attribute" syntax="attribute_syntax"/>
where unique_attribute is the unique LDAP attribute that you want to use and attribute_syntax identifies the syntax. You must include the syntax attribute only if the syntax is a type other than string. The following example adds an octetString attribute called GUID, which is the Novell eDirectory attribute:
<config:externalIdAttributes name="GUID" syntax="octetString"/>
The following are some examples of commonly used unique attributes for different flavors of LDAP:
- Domino LDAP:
dominounid
- IDS:
ibm-entryuuid
- Active Directory:
objectguid
- Novell eDirectory:
guid
- Sun ONE:
nsuniqueid
- Save the file.
- Navigate to the rtcgw_profile_root\bin directory.
- Stop the deployment manager and wait for the command to finish, and then restart the deployment manager. Use the user name and password that you created when you enabled administrative security. Type the following commands:
AIX® and Linux™:
./stopManager.sh -username username -password password
./startManager.sh
Windows™:
stopManager.bat -username username -password password
startManager.bat
- Synchronize your changes to all nodes in the cluster. Click System Administration > Nodes.
- Select all nodes in the cluster, then click Full Resynchronize.
- Restart the node agents.
- Log into the Integrated Solutions Console on the deployment manager node.
- Click System Administration > Node agents.
- Select all node agents, and then click Restart.
- Choose Servers > Clusters.
- Select the Sametime Gateway Server cluster and click Start. Verify that the cluster status is Started (shown with a green arrow).
- Select Users and Groups > Manage Users.
- Click Search to verify that you can search your LDAP directory. If your LDAP functionality is enabled, you should see a list of users on the screen.
- Click a user name and make sure you can see the user's content. You can verify group names as well.
- Copy the following script from:
stgw_server_root/config/adminscripts/rtcgw_vmm.jacl
to the following directory on the Deployment Manager node:
was_install_root/bin
- Open a command window and navigate to was_install_root/bin.
- Run the following command:
wsadmin -username username -password password -f rtcgw_vmm.jacl
where username is the administrative user ID that you use to log into the Integrated Solutions Console. You created this user ID when you installed Sametime Gateway Server. For example:
wsadmin -username wasadmin -password gateway4u -f rtcgw_vmm.jacl
This script places the default file repository of the WebSphere Application Server at the bottom of the listed config:repositories tags in wimconfig.xml, so that it is searched after the newly created LDAP repository.
- In the DB2® window on the deployment manager node, stop the deployment manager and wait for the command to finish, and then restart the deployment manager. Use the user name and password that you provided when you enabled administrative security. Type the following commands:
AIX and Linux:
./stopManager.sh -username username -password password
./startManager.sh
Windows:
stopManager.bat -username username -password password
startManager.bat
- Restart the node agents.
- Log into the Integrated Solutions Console on the deployment manager node.
- Click System Administration > Node agents.
- Select all node agents, and then click Restart.
- Choose Servers > Clusters.
- Select the Sametime Gateway Server cluster and click Start. Verify that the cluster status is Started (shown with a green arrow).
- The remaining optional steps apply to an LDAP server that is not a native internal Domino directory. Complete these steps to change the default attribute of the person entry that defines the person's email address in was_install_root\profiles\RTCGW_Profile\config\cells\cell_name\wim\config\wimconfig.xml. The default attribute is mail. If you want to change the default attribute to displayName, complete the following steps:
- Use a Notes® client on the Sametime server to open the Sametime Configuration database (stconfig.nsf).
- Click File > Database > Open and select the Local server.
- Select the Sametime Configuration database (stconfig.nsf).
- Click Open.
- Locate the LDAP server entry in the Form Name column of the Configuration.
- Each LDAP Server document is listed under the LDAP Server entry by its value in the Last Modified Date column. The date represents the last time that LDAP Server document was modified.
- To open an LDAP Server document, double-click the date in the Last Modified Date column that represents the document.
- When the LDAP Server document opens, double-click the document to put it in edit mode.
- Search for mail and replace it with displayname. The fields that contain mail are:
Search filter for resolving person names:
(&(objectclass=organizationalPerson)(|(uid=%s*)(givenname=%s*)(sn=%s*)(mail=%s*)))
Search filter to use when resolving a user name to a distinguished name:
(&(objectclass=organizationalPerson)(|(uid=%s)(givenname=%s)(sn=%s)(mail=%s)))
Attribute of the person entry that defines the person's email address:
mail
- Save your changes and then restart the Domino server.
- On the Sametime Gateway Server that is connected to LDAP, use a text editor to open the following file:
was_install_root\profiles\RTCGW_Profile\config\cells\<cell_name>\wim\config\wimconfig.xml
- Add the following line after the other configuration attributes:
<config:attributes name="displayName" propertyName="mail"/>
For example (the new line is a sibling of the existing config:attributes elements, not nested inside one of them):
<config:attributeConfiguration>
  <config:externalIdAttributes name="dominounid" />
  <config:attributes name="userPassword" propertyName="password" />
  <config:attributes name="cn" propertyName="displayName">
    <config:entityTypes>Group</config:entityTypes>
  </config:attributes>
  <config:attributes name="cn" propertyName="cn">
    <config:entityTypes>Group</config:entityTypes>
  </config:attributes>
  <config:attributes name="displayName" propertyName="mail"/>
  <config:propertiesNotSupported name="businessAddress" />
</config:attributeConfiguration>
- Save the file.
Note: The dominounid attribute was introduced in Domino 6.5.4 and 7.0. In some cases this attribute may not appear in the schema database or on the Server Configuration document (LDAP tab). This can occur when the administration server for the Domino domain is version 6.5.3 or older. The administration server controls the creation of the schema database, as well as which attributes are available for anonymous queries through the Configuration document. To resolve the issue, upgrade the administration server to Domino version 6.5.4 or later. In addition, while a particular Domino LDAP may not require a bind, binding is necessary to retrieve the dominounid attribute. Any bind user is acceptable; read-only access is sufficient.
- Stop and restart the deployment manager, the node agents and Sametime Gateway Server servers.
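The two wimconfig.xml edits in this procedure (the config:externalIdAttributes line in the LDAP repository section, and the displayName-to-mail config:attributes mapping in the optional step) as a script that applies them only when they are missing. This is an added example, not IBM's code; it assumes the config: namespace URI shown in the constant and runs against a constructed, cut-down wimconfig.xml embedded inline.

```python
"""Apply the page's wimconfig.xml edits idempotently. Added example, not IBM's code."""
import xml.etree.ElementTree as ET

CONFIG_NS = "http://www.ibm.com/websphere/wim/config"  # assumption: URI of the config: prefix
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
NS = {"config": CONFIG_NS, "xsi": XSI_NS}
ET.register_namespace("config", CONFIG_NS)

# Constructed, cut-down wimconfig.xml: the file repository followed by the LDAP one.
SAMPLE = f"""<config:configurationProvider xmlns:config="{CONFIG_NS}" xmlns:xsi="{XSI_NS}">
  <config:repositories xsi:type="config:FileRepositoryType" id="InternalFileRepository"/>
  <config:repositories xsi:type="config:LdapRepositoryType" id="dominoLDAP">
    <config:attributeConfiguration>
      <config:attributes name="userPassword" propertyName="password"/>
      <config:propertiesNotSupported name="businessAddress"/>
    </config:attributeConfiguration>
  </config:repositories>
</config:configurationProvider>"""

def ldap_attribute_config(root):
    # Locate config:attributeConfiguration inside the LdapRepositoryType repository.
    for repo in root.findall("config:repositories", NS):
        if repo.get(f"{{{XSI_NS}}}type") == "config:LdapRepositoryType":
            cfg = repo.find("config:attributeConfiguration", NS)
            if cfg is None:
                raise ValueError("LDAP repository has no attributeConfiguration")
            return cfg
    raise ValueError("no config:LdapRepositoryType repository found")

def ensure_element(root, tag, attrs, first=False):
    """Add <config:tag attrs/> unless present; first, or after the last same-tag element."""
    cfg = ldap_attribute_config(root)
    qtag = f"{{{CONFIG_NS}}}{tag}"
    same = cfg.findall(qtag)
    # externalIdAttributes (first=True): at most one; attributes: one per LDAP attribute name
    if any(first or c.get("name") == attrs["name"] for c in same):
        return "exists"
    pos = 0 if first else (list(cfg).index(same[-1]) + 1 if same else len(cfg))
    cfg.insert(pos, ET.Element(qtag, attrs))
    return "added"

def configure(xml_text, unique_attr, syntax=None, mappings=()):
    """externalIdAttributes first (syntax only for non-string IDs), then (ldap_attr, property) pairs."""
    root = ET.fromstring(xml_text)
    ext = {"name": unique_attr}
    if syntax:
        ext["syntax"] = syntax
    actions = [ensure_element(root, "externalIdAttributes", ext, first=True)]
    for ldap_attr, prop in mappings:
        actions.append(ensure_element(root, "attributes", {"name": ldap_attr, "propertyName": prop}))
    return actions, ET.tostring(root, encoding="unicode")
```

Run it a second time over its own output to confirm nothing is duplicated before restarting the deployment manager.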