Planning for an LDAP directory
IBM® Sametime® requires an LDAP directory for user authentication. The LDAP server should be set up and running before deploying Sametime.
System requirements
Sametime works with V3-compliant LDAP servers. See the LDAP Servers section of the IBM Sametime System Requirements for a list of LDAP server products that are supported in this release.
If you use an IBM Domino® Directory, you must convert it to LDAP format for use with Sametime. For information, see Replacing the Domino Directory with an LDAP directory in the Sametime wiki.
Performance
To avoid resource conflicts that may degrade performance and result in LDAP lookup failures, do not host the directory on the same computer as the Sametime Community Server. Sametime relies on the LDAP directory for the following functions:
- Client lookups
- Authentication
- Contact list management
- Invitations to meetings
- Business card features
- Mobile clients
- Policy assignment
To minimize the burden on LDAP, use minimal search filters wherever possible. Login choices such as name, email address, employee ID, and so on, create longer search filters and greater performance loads on LDAP.
When planning for LDAP, don't forget Single Sign-On (SSO). Talk to your company's application teams about SSO and propose a standard way for people to log in, to keep logins simple and minimal. All applications should query LDAP in the same way; if applications use different search filters, the result is both search problems and authentication problems.
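The point about filter size and about applications agreeing on one login filter can be made concrete. The following is an added example, not code from the Sametime documentation: it builds a minimal single-attribute login filter next to the multi-attribute filter that results from letting people log in with name, e-mail address or employee ID, and applies the RFC 4515 escaping that any filter built from user-typed input needs. It assumes a schema where the login name is in `uid`, the address in `mail` and the employee ID in `employeeNumber` (standard inetOrgPerson attributes); the login values are constructed.

```python
"""Build LDAP login search filters with RFC 4515 escaping.

Added example, not from the IBM Sametime documentation. Assumes the
standard inetOrgPerson attributes uid, mail and employeeNumber; the
sample login values are constructed.
"""

# RFC 4515 section 3: these characters have structural meaning inside a
# filter assertion value and must be hex-escaped, otherwise a login name
# typed by a user can change the shape of the filter sent to the server.
_FILTER_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value for safe use inside an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def minimal_login_filter(login: str, attribute: str = "uid") -> str:
    """One attribute, one equality match: the cheapest filter for the server."""
    return f"({attribute}={escape_filter_value(login)})"


def multi_attribute_login_filter(login: str,
                                 attributes=("uid", "mail", "employeeNumber")) -> str:
    """Let people log in with name, e-mail address or employee ID.

    Every alternative in the OR is one more index lookup (or a scan, if
    that attribute is not indexed) on every authentication, which is the
    extra LDAP load the planning text warns about.
    """
    escaped = escape_filter_value(login)
    return "(|" + "".join(f"({attr}={escaped})" for attr in attributes) + ")"


if __name__ == "__main__":
    # A plain login name and one containing filter metacharacters: the
    # escaped form keeps the second one as a literal value, not as syntax.
    for login in ("jdoe", "*)(uid=*"):
        print(minimal_login_filter(login))
        print(multi_attribute_login_filter(login))
```

The escaping is the part that matters for authentication integrity: without it, the value a person types at the login prompt becomes part of the filter grammar rather than a value being compared, so every application that builds its own filter from user input needs the same escaping, which is one more argument for agreeing on a single filter across the company.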
Mail attribute
Sametime requires the LDAP mail attribute in each person record.
The mail attribute provides performance advantages since translation between attributes is not required; it also provides consistency and integrity by using a common and well-understood attribute.
This attribute is not required for anonymous (guest) users. The attribute must be a unique string, which preferably follows the syntax and length restrictions of email addresses. In addition, the mail attribute must be populated for every user to support audio and video communications.
The mail attribute is not used for email purposes, and does not have to be assigned as a user name for logging into Sametime. Instead, it serves as a common attribute between the various Sametime subsystems, such as Calendar Integration, Business Cards, LDAP, and REST APIs. This attribute is also used when generating a URL for a user's persistent meeting room (for example, http://meetings.company.com/stmeetings/room/user@company.com/users-room.)
Multiple directory support
- Groups may only contain members present in the same directory server and base DN specified in the LDAP Server document. Sametime does not support mixed groups at this time.
- Multiple replicas of the same directory in the stconfig.nsf database are not supported. For effective load balancing, you should route LDAP traffic through a load balancer.
- If the browse feature is enabled on the server, certain features such as LDAP time-outs or the maximum number of search results returned may need to be disabled.
- If you use multiple LDAP repositories, you must ensure that the base entries do not overlap, as that causes problems when Secure Socket Layer (SSL) is enabled. For example, the following base entries have a field in common, so they overlap:
  o=renovations
  o=sales,o=renovations
  These base entries use different fields and are acceptable:
  o=renovations,c=us
  o=sales
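The overlap rule can be checked before the LDAP Server documents are created. The following is an added example, not code from the Sametime documentation: it reads each base DN right to left as a list of RDNs and reports two bases as overlapping when one is equal to, or sits below, the other, which is exactly the relationship between the two DNs in the first pair above. The DN parser is a deliberately small one (unescaped commas separate RDNs, attribute types and values are compared case-insensitively); multi-valued RDNs joined with `+` and hex-encoded values are out of scope.

```python
"""Detect overlapping LDAP base entries.

Added example, not part of the IBM Sametime documentation. The base DNs
in the sample run are the ones quoted in the planning text.
"""
from itertools import combinations


def _normalise_rdn(rdn: str) -> str:
    # Attribute types are case-insensitive; o, ou, dc and cn values use
    # caseIgnoreMatch, so lower-casing both sides is the safe comparison.
    attr, _, value = rdn.partition("=")
    return f"{attr.strip().lower()}={value.strip().lower()}"


def split_dn(dn: str) -> list:
    """Split a DN into normalised RDNs, honouring backslash-escaped commas."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current))
    return [_normalise_rdn(r) for r in rdns]


def overlaps(base_a: str, base_b: str) -> bool:
    """True if one base entry is equal to or lies inside the other.

    A DN is read right to left, so 'o=sales,o=renovations' is below
    'o=renovations' when the shorter DN's RDNs equal the tail of the longer.
    """
    a, b = split_dn(base_a), split_dn(base_b)
    shorter, longer = sorted((a, b), key=len)
    return longer[len(longer) - len(shorter):] == shorter


def find_overlaps(bases) -> list:
    """Return every overlapping pair among the configured base entries."""
    return [(x, y) for x, y in combinations(bases, 2) if overlaps(x, y)]


if __name__ == "__main__":
    print(find_overlaps(["o=renovations", "o=sales,o=renovations"]))  # overlap
    print(find_overlaps(["o=renovations,c=us", "o=sales"]))           # acceptable
```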
An LDAP server connection is a prerequisite for all Sametime server installations.
Contact lists
Sametime might experience difficulties when users include large public groups in their contact lists. To avoid problems, limit the size of public groups used with Sametime to 1000 users.
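Both the mail attribute requirements above (present on every person record, single-valued, unique, shaped like an e-mail address) and this limit on public group size can be verified against a directory export before deployment. The following is an added example, not code from the Sametime documentation: a small LDIF parser and an audit over its records. The LDIF is constructed sample data, the 1000-member threshold is the figure from this section, and the object classes the audit keys on (person, inetOrgPerson, groupOfNames, groupOfUniqueNames) are standard schema, not Sametime-specific.

```python
"""Audit an LDIF export for the mail attribute rules and the group-size limit.

Added example, not from the IBM Sametime documentation. SAMPLE_LDIF is
constructed data; MAX_PUBLIC_GROUP_MEMBERS is the limit from the text.
"""
import base64
import re

MAX_PUBLIC_GROUP_MEMBERS = 1000
# Lenient shape check only: something@domain.tld with no whitespace.
MAIL_SYNTAX = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
PERSON_CLASSES = {"person", "inetorgperson"}
GROUP_CLASSES = {"groupofnames", "groupofuniquenames"}

SAMPLE_LDIF = """\
# Constructed sample export, not data from a real directory.
dn: uid=asmith,ou=people,o=renovations
objectClass: inetOrgPerson
mail: asmith@renovations.example

dn: uid=bjones,ou=people,o=renovations
objectClass: inetOrgPerson

dn: uid=cwu,ou=people,o=renovations
objectClass: inetOrgPerson
mail: ASmith@renovations.example

dn: uid=dlee,ou=people,o=renovations
objectClass: inetOrgPerson
mail:: bm90IGFuIGFkZHJlc3M=

dn: cn=support,ou=groups,o=renovations
objectClass: groupOfNames
member: uid=asmith,ou=people,o=renovations
member: uid=bjones,ou=people,o=renovations
"""


def parse_ldif(text):
    """Parse LDIF content records into {attr: [values]} dicts.

    Handles folded lines and base64 ('::') values; attribute names are
    lower-cased because LDAP matches them case-insensitively.
    """
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]          # continuation of previous line
        else:
            unfolded.append(raw)
    entries, current = [], {}
    for line in unfolded + [""]:             # trailing "" flushes the last record
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#") or line.lower().startswith("version:"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):            # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries


def audit_entries(entries):
    """Return, per check, the DNs (or mail values) that violate it."""
    findings = {k: [] for k in ("missing_mail", "multi_valued_mail",
                                "bad_mail_syntax", "oversized_groups")}
    owners = {}                              # lower-cased mail -> DNs using it
    for entry in entries:
        dn = entry.get("dn", ["<no dn>"])[0]
        classes = {c.lower() for c in entry.get("objectclass", [])}
        if classes & PERSON_CLASSES:
            mails = entry.get("mail", [])
            if not mails:
                findings["missing_mail"].append(dn)
            elif len(mails) > 1:
                findings["multi_valued_mail"].append(dn)
            for mail in mails:
                if not MAIL_SYNTAX.match(mail):
                    findings["bad_mail_syntax"].append(dn)
                owners.setdefault(mail.lower(), []).append(dn)
        if classes & GROUP_CLASSES:
            members = entry.get("member", []) + entry.get("uniquemember", [])
            if len(members) > MAX_PUBLIC_GROUP_MEMBERS:
                findings["oversized_groups"].append(dn)
    # mail uses a case-insensitive match in LDAP, so uniqueness is checked lower-cased
    findings["duplicate_mail"] = sorted(m for m, dns in owners.items() if len(dns) > 1)
    return findings


def audit_ldif(text):
    return audit_entries(parse_ldif(text))


def constructed_group_ldif(size, name="big"):
    """Build a groupOfNames record with `size` constructed members."""
    members = "".join(f"member: uid=u{i},ou=people,o=renovations\n" for i in range(size))
    return f"dn: cn={name},ou=groups,o=renovations\nobjectClass: groupOfNames\n{members}"


if __name__ == "__main__":
    for check, hits in audit_ldif(SAMPLE_LDIF).items():
        print(f"{check}: {hits}")
```

Run against a real export (for example the output of an `ldapsearch` in LDIF form), the audit lists the person records that would fail the mail attribute requirement and the groups that exceed the recommended size, so both can be fixed in the directory before users add them to contact lists.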
Upgrade considerations
If your existing deployment authenticates against a Domino Directory, do one of the following:
- Convert the existing Domino Directory to LDAP format. The LDAP service and the community server must run on separate Domino servers.
- Set up a dedicated LDAP directory for use with Sametime.
Policy assignments use the UUID
Policy assignments use the UUID (Universally Unique ID) LDAP attribute by default. After upgrading servers, you must upgrade policies to use the UUID attribute before they can be used.
The LDAP attribute that holds the UUID differs for each LDAP server type. For example, Domino Directory (LDAP format) uses a string attribute named Dominounid, and Active Directory uses a binary attribute named objectguid. If the UUID attribute does not exist or is invalid, the DN can be used instead: select that option when creating or editing the Advanced Person Settings of the LDAP Deployment Plan.
The UUID attribute for each supported server type:
- Domino Directory (LDAP format only): Dominounid
- IBM Security Directory Server: ibm-entryuuid
- Microsoft™ Active Directory: objectguid
- Novell eDirectory: guid
Best Practices
The Community article Best Practices for using LDAP with Sametime on the Sametime wiki contains an overview of LDAP components and describes how the Sametime Community Server works with LDAP to provide authentication, name lookups, and name resolution. The article describes best practices for creating search filters, setting sametime.ini parameters, and enhancing Sametime and LDAP performance.