Sametime prerequisite: Connecting to an LDAP server for the expanded deploymentAdded by IBM on November 23, 2011 | Version 1 (Original)
|This activity takes you through the steps for identifying users and groups in an LDAP directory that need access to IBM® Sametime®.
This activity takes you through the steps for identifying users and groups in an LDAP directory that need access to IBM
Before you begin
An LDAP server must be installed and configured.
About this task
Connect IBM Sametime
servers to the LDAP server. After your Sametime
server connects to the LDAP server, it can search the LDAP directory and authenticate Sametime
users. If you have already connected Sametime
to an LDAP server, but now you want to edit or delete a connection, use this activity.
- Connect to LDAP server.
In Connect to LDAP servers, click Add.
If you want to edit or delete an LDAP connection instead, then click the appropriate button.
If you edit an LDAP connection for a Cell-based WebSphere® Application Server product that is already installed, you must manually update the product's LDAP configuration. The System Console Cell’s LDAP is updated and the changes are also pushed to a connected LDAP server. You can delete an LDAP connection if it is not being used by an installed product.
- Bind to LDAP.
- Click Authenticated access to ensure that the Sametime server uses credentials to authenticate with the LDAP server.
Provide the Bind distinguished name (DN) and Password when you are prompted to enter this information.
Select Anonymous access only if you are certain that all attributes are accessible when the Sametime server binds to the LDAP server.
- Enter a Deployment Name for this LDAP connection to identify the connection for future reference. It does not need to map to any existing server name or value.
- Enter the fully qualified domain name of the LDAP server that you want to connect to in the Host name field. Do not use an IP address or a short host name.
- Enter the Port of the LDAP server.
The default value is 389. If your LDAP server is running on a different port, enter the correct port value here.
- To use an SSL connection with the LDAP server, click Is secure LDAP connection.
Attention: Selecting this option requires additional configuration for Sametime Community Servers. When you set up the deployment plan for either of these servers, you must elect to configure the LDAP server manually. After installation, set up trust with the LDAP server's SSL certificates and then manually configure the LDAP directory to finish setting up the secure LDAP connection. See "Enabling encryption between Sametime and the LDAP server" for more information.
- If you selected Is secure LDAP connection, click Import SSL Certificate.
This action imports the LDAP server's SSL certificate into the Default Cell Trust Store. You only need to do this once.
- If you selected Authenticated access, enter the Bind distinguished name (DN) and Password fields. These are the user credentials you will use to authenticate with your LDAP server. If you have selected Anonymous Access, these fields are not shown.
- Click Next.
When designating an authenticated user, create a unique directory entry that is used only for the purpose of authenticating connections from the Sametime server to the LDAP server. After creating the directory entry, you must ensure that this directory entry has at least read access to the attributes of the LDAP directory entries.
- Base Distinguished Name and Filter for Searches.
Enter the base distinguished name and filter for searches information.
- Select your base distinguished name and filter for searches from the list or enter a value. You specify the basic LDAP parameters required to conduct searches for people and groups in the LDAP directory. Some of these parameters are also necessary for displaying the names of users in the Sametime user interface.
Failure to specify a base distinguished name prevents authenticated users from creating and attending meetings on the meeting server.
Restriction: The list displays a base DN that is detected by the guided activity; however, the list does not display for a Lotus® Domino® LDAP directory. Additionally, Lotus Domino LDAP is the only LDAP directory that uses a blank base DN. WebSphere Application Server requires a base DN for federating repositories and does not let you use an empty base DN. It sets the base DN to C=US. The LDAP repositories are listed by base DN after they are federated.
- Optional: To specify the search filter and basic LDAP settings for person and group entries, click Configure advanced LDAP settings.
- Click Next.
- Collect Person Settings.
To search for a user name, users enter a text string in the Sametime
user interface. This setting defines the LDAP search filter responsible for selecting a user name from the LDAP directory. The search filter matches the text string to information contained within the attributes of LDAP directory person entries.
- Enter the attributes of an LDAP person entry.
Table 1. Person attributes
|Object class||Specifies a set of attributes used to describe an object that identifies the entry as a person. Sametime determines whether a directory entry returned by a search is a person or a group. Groups are represented by entries with a unique object class. The name of the object class specified in this setting is compared to the object class values. |
|LDAP user search base|
|Policy ID for users and groups||Specifies which ID to search for when the administrator selects User ID as the search criteria for managing policies.|
UUID is the default. Select Distinguished Name to use the distinguished name of users and groups instead if the default UUID attribute does not exist in the LDAP server.
New and existing custom Java classes for searching the Community Server’s LDAP directory must include the appropriate UUID attribute for the LDAP directory if UUID is used with policy assignments or Sametime user login IDs:
- Lotus Domino LDAP: dominounid
- IBM Tivoli Directory Server: ibm-entryuuid
- Microsoft Active Directory: objectguid
- Novell eDirectory: guid
- Sun ONE: nsuniqueid
|Display name||Displays a user's name in Sametime user interfaces. The attribute must not be the same as the one you use for Similar name distinguisher or Email address due to WebSphere Application Server configuration rules.|
|Similar name distinguisher||Differentiates between two users that have the same common name (cn) attribute. The attribute must not be the same as the one you use for Display name or Email address due to WebSphere Application Server configuration rules.|
|Email address||Contains the user's email address in the field. The attribute must not be the same as the one you use for Display name or Similar name distinguisher due to WebSphere Application Server configuration rules.|
|Home Sametime server||Enter the name of the LDAP Attribute that contains a user's Home Sametime server. The Home Sametime server is a community server Domino name or a community server cluster name that indicates which community server or cluster a user should use. If your environment includes multiple community servers or you have deployed other applications enabled with Sametime technology, every user must be assigned to a home community server or cluster. |
|Membership attribute||Enter the attribute that specifies which groups a user belongs to if your LDAP server supports this feature.|
- Enter the search and authentication attributes of an LDAP person entry.
Table 2. Search and filter
|Authentication attributes||Allows the user to authenticate with more than one attribute of the user's entry. For example, if this field is set to mail;cn the user can authenticate with either of these names.|
The guided activity allows the use of any of these three properties: mail, cn, and uid. When forming the search filters, the mail, cn, and uid properties are replaced with the attributes specified above. For example if the "Similar name distinguisher" or uid is set to sAMAccountName, the attribute sAMAccountName is used in the filter. Similarly, if "Display Name" maps to "cn", the attribute "cn" is used in the filter and if "Email address" maps to "mail," the attribute "mail" is used in the filter.
Important: For the meeting server to work, the first field of the Authentication attribute must be set to mail and must be listed first. Add other fields, separated by a semicolon (;). For example, the Authentication attribute can be set to mail;cn;uid.
|Search attributes||Specifies the fields used for searching the directory for users. The fields must be separated by a semicolon (;). For example, the Search attribute can be set to mail;cn;uid. |
- Click Next.
- Collect Group Settings.
To search for a group name, users enter a text string in the Sametime
user interface. This setting defines the LDAP search filter responsible for selecting a group name from the LDAP directory. The search filter matches the text string to information contained within the attributes of LDAP directory group entries.
- Enter the attributes of an LDAP group entry.
Table 3. Group attributes
|Object class||Specifies the attribute of a directory entry that identifies the entry as a group. Sametime determines whether a directory entry returned by a search is a person or a group. Groups are represented by entries with a unique object class. The name of the object class specified in this setting is compared to the object class values.|
|LDAP group search base|
|Display name||Displays a group's name in Sametime user interfaces.|
|Similar name distinguisher||Differentiates between two groups that have the same common name (cn) attribute.|
|Group membership attribute||Specifies the name of the attribute in the group entry that contains that names of individual people or subgroups that belong to the group. If users add a group to a presence list, privacy list, or a list that restricts meeting attendance, Sametime must obtain the list of members within the group.|
- Click Next.
- Task Completion Summary.
Review the configuration details in the Task Completion Summary table, and click Finish to connect to the LDAP server.
- If you selected the Import SSL Certificate, restart the system console deployment manager.
- Restart the system console deployment manager to complete the LDAP federation process.
- (Optional) To push the LDAP changes to all nodes, go to System Administration -> Nodes. Select all nodes and click Synchronize.
What to do next
If you are installing, proceed to Installing a Sametime community server and supporting software
If you are upgrading from Release 8.0.x or 7.5.1, proceed to Connecting to a Sametime Community Mux server for the expanded deployment
Parent topic: Connecting to an LDAP server for the expanded deployment
Starting the Sametime System Console
Assign users and groups to policies
Enabling encryption between Sametime and the LDAP server
LDAP directory settings
Command reference for starting and stopping servers