A Sametime® 8.5 multiple-server environment requires an LDAP directory for user authentication. The LDAP server should be set up and running before deploying Sametime. Sametime works with V3-compliant LDAP servers. See the "LDAP Servers" section of the System requirements tech note for a list of LDAP server products that are supported in this release:
Sametime 8.5.2 Interim Feature Release 1 (Sametime 8.5.2 must be installed first)
Planning for specific operating systems
Follow the guidelines for your operating system before setting up an LDAP server:
- AIX®, Linux™, Solaris, and Windows™:
To avoid resource conflicts that may degrade performance and result in LDAP lookup failures, do not host the directory on the same computer as the Sametime Community Server.
- IBM i:
The directory and the Sametime Community Server can reside on the same system. If you use LDAP to access the contents of the Domino® directory, the LDAP service and the Community Server must run on separate Domino servers to prevent LDAP lookup failures.
Note: System capacity planning for anticipated workloads must be performed.
Multiple directory support
Sametime supports multiple directories, with the following restrictions:
- Groups may only contain members present on the same directory server and base DN specified in the LDAPServer document. Sametime does not support mixed groups at this time.
- Multiple replicas of the same directory in the stconfig.nsf database are not supported. For effective load balancing, you should route LDAP traffic through a load balancer.
- If the browse feature is enabled on the server, certain features such as LDAP timeouts or the maximum number of search results returned may need to be disabled.
If you use multiple LDAP repositories, you must ensure that the base entries do not overlap, because overlapping entries cause problems when Secure Sockets Layer (SSL) is enabled. For example, the following base entries have a field in common, so they overlap:
These base entries use different fields and are acceptable:
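An added check for the overlap rule above (my own code, not from the Sametime documentation): it treats two base entries as overlapping when one is the same as, or an ancestor of, the other in the directory tree, which is my reading of "have a field in common"; the DN values are constructed samples.

```python
from itertools import combinations


def split_dn(dn):
    """Split a DN into (attribute, value) RDN pairs, honouring backslash-escaped
    commas. Types and values are lower-cased and trimmed so that
    'O=Example, C=US' and 'o=example,c=us' compare equal."""
    rdns, cur, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):  # escaped character: keep verbatim
            cur += dn[i:i + 2]
            i += 2
            continue
        if dn[i] == ",":
            rdns.append(cur)
            cur = ""
        else:
            cur += dn[i]
        i += 1
    rdns.append(cur)
    pairs = []
    for rdn in rdns:
        attr, _, value = rdn.strip().partition("=")
        pairs.append((attr.strip().lower(), value.strip().lower()))
    return pairs


def dns_overlap(a, b):
    """True when one base entry equals, or is an ancestor of, the other
    (assumption: this is what 'have a field in common' means on the page)."""
    ra, rb = split_dn(a), split_dn(b)
    short, long_ = (ra, rb) if len(ra) <= len(rb) else (rb, ra)
    # An ancestor's RDNs form the tail of the descendant's RDN list.
    return long_[len(long_) - len(short):] == short


def find_overlaps(base_entries):
    """Return every overlapping pair; an empty list means the bases are OK."""
    return [(a, b) for a, b in combinations(base_entries, 2) if dns_overlap(a, b)]


# Constructed sample: the first two overlap, the third is a separate subtree.
SAMPLE_BASES = ["o=example,c=us", "ou=people, O=Example, C=US", "o=partner,c=us"]

if __name__ == "__main__":
    for pair in find_overlaps(SAMPLE_BASES):
        print("overlapping base entries:", pair)
```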
An LDAP Server connection is a prerequisite for some servers
After installing the Sametime System Console, you will be instructed to connect it to the LDAP server. These other servers require that an LDAP directory be set up and running to be able to complete the installation:
- The Sametime Meeting Server
- The IBM Sametime Community Server, when installed with a deployment plan through the Sametime System Console
An IBM Sametime Community Server integrated with the Sametime System Console must connect to a user directory in LDAP format.
- Sametime Advanced
Sametime might experience difficulties when users include large public groups in their contact lists. To avoid problems, limit the size of public groups used with Sametime to 1000 users.
Sametime servers and the LDAP mail attribute
Sametime 8.5 and later requires authenticated users to have a mail attribute assigned in the LDAP directory. The mail attribute must be a unique string, which preferably follows the syntax and length restrictions of email addresses.
The softphone provided by Sametime uses the email field for user identification. To support audio and video communications, the LDAP directory must have the email field populated for every user.
This attribute is not used for email purposes, and does not have to be assigned as a user name for logging into Sametime. Instead, the "mail" attribute serves as a common attribute between the various Sametime subsystems, such as Calendar Integration, Business Cards, LDAP, and REST APIs. This attribute is also used when generating a URL for a user's persistent meeting room (for example, http://firstname.lastname@example.org/users-room). In addition, using the "mail" attribute provides certain performance advantages because no translation between attributes is required; it also provides consistency and integrity by using a common and well-understood attribute.
Not all users need to be authenticated to use the server; the mail attribute is not required for anonymous (guest) users.
IBM recommends that the user repository (LDAP server) define a mail attribute for users who plan to authenticate with the Sametime servers.
If you used a Lotus Domino Directory in its native format with a release prior to Sametime 8.5, you have two options for setting up your user directory:
- Convert the existing Lotus Domino Directory to LDAP format. The LDAP service and the community server must run on separate Domino servers.
- Set up a dedicated LDAP directory for use with Sametime.
Policy assignments use the UUID (Universally Unique ID) LDAP attribute by default.
With this release, Sametime uses the UUID LDAP attribute by default. After upgrading servers, you must upgrade policies to use the UUID attribute before they can be used.
The LDAP attribute used for the UUID differs for every LDAP server type. For example, Domino LDAP uses a String attribute named dominounid, and Active Directory uses a Binary attribute named objectguid. If the UUID attribute does not exist or is invalid, the DN can be used instead: select the DN option when creating or editing the Advanced Person Settings of the LDAP deployment plan.
New and existing custom Java classes for searching the Community Server's LDAP directory must include the appropriate UUID attribute for the LDAP directory if the UUID is used with policy assignments or Sametime user login IDs:
- Lotus Domino LDAP: dominounid
- IBM Tivoli Directory Server: ibm-entryuuid
- Microsoft Active Directory: objectguid
- Novell eDirectory: guid
- Sun ONE: nsuniqueid
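An added readiness check (my own code, not IBM's) for the two directory requirements this page states: every authenticating user needs a unique mail attribute, and policy assignment needs the UUID attribute for the directory type. The LDIF export is a constructed sample, and the directory-type keys (domino, tds, ad, edirectory, sunone) are labels I chose.

```python
from collections import Counter
# UUID attribute per directory type, as listed on this page; the keys are my own labels.
UUID_ATTR = {"domino": "dominounid", "tds": "ibm-entryuuid", "ad": "objectguid",
             "edirectory": "guid", "sunone": "nsuniqueid"}

# Constructed sample export: bob reuses alice's mail and lacks a UUID; carol has no mail.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,o=example
mail: alice@example.test
dominounid: 1A2B3C

dn: uid=bob,ou=people,o=example
mail: alice@example.test

dn: uid=carol,ou=people,o=example
dominounid: 7A8B9C
"""


def parse_ldif(text):
    """Minimal LDIF reader (no base64 values or line folding): entries are
    separated by blank lines, attribute names are lower-cased, values are lists."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
            continue
        name, _, value = line.partition(":")
        cur.setdefault(name.strip().lower(), []).append(value.strip())
    if cur:
        entries.append(cur)
    return entries


def audit_users(entries, directory_type):
    """Return (dn, problem) findings; an empty list means the export is ready."""
    uuid_attr = UUID_ATTR[directory_type]
    mails = Counter(m for e in entries for m in e.get("mail", []))
    findings = []
    for e in entries:
        dn, mail = e["dn"][0], e.get("mail", [])
        if len(mail) != 1:
            findings.append((dn, "mail attribute missing or multi-valued"))
        elif mails[mail[0]] > 1:
            findings.append((dn, "mail value %s is not unique" % mail[0]))
        if uuid_attr not in e:
            findings.append((dn, "missing UUID attribute %s" % uuid_attr))
    return findings
```

Run it as `audit_users(parse_ldif(SAMPLE_LDIF), "domino")`; switching the directory type to "ad" reports every entry as missing objectguid, which is the case after a directory migration before the UUID attribute is populated.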
The Best Practices for using LDAP with Sametime article on the Sametime wiki contains an overview of LDAP components and describes how the Sametime Community Server works with LDAP to provide authentication, name lookups, and name resolution. The article describes best practices for creating search filters, setting sametime.ini parameters, and enhancing Sametime and LDAP performance.