Configuring LDAP for a single server on IBM i

IBM Sametime® Gateway Server requires that IBM® WebSphere® Application Server be configured to use a Lightweight Directory Access Protocol (LDAP) user registry that contains members of the local Sametime community. Complete the following steps if you did not create a connection to LDAP at installation, or you completed a connection to LDAP but want to secure that connection over SSL.

Before you begin

Expected state: Administrative security is enabled. The deployment manager is running.

About this task

For additional information about default paths, see Directory conventions.

Procedure

  1. If not already started, start Sametime Gateway Server:
    1. Open a QShell session.
    2. Navigate to the Sametime Gateway Server profile directory that contains binaries: profile_root\bin
    3. Type the following command. Note that RTCGWServer is case-sensitive.
      startServer RTCGWServer
  2. Ensure that the enterprise LDAP server is running.
  3. Complete the following sub steps to connect to LDAP over SSL; otherwise skip this step. If the LDAP server uses a certificate issued by a public CA, you need to obtain the public root CA certificate and import it. If your LDAP server uses a self-signed certificate, you simply import the self-signed certificate itself.
    1. From the Integrated Solutions Console, select Security > SSL Certificates and key management, then select Key stores and certificates.
    2. Click NodeDefaultTrustStore.
    3. Click Signer certificates.
    4. Click Add.
    5. In the Alias field, type a description for the certificate, whether it's self-signed or a public CA.
    6. In the File name field, type the path to the certificate file.
    7. Click Apply and then Save.
  4. From the Integrated Solutions Console, select Security > Global Security.
  5. Make sure the Enable administrative security and Enable application security options are selected.
  6. In the Available realm definitions, select Federated repositories.
  7. Click Set as current.
  8. Click Configure.
  9. Click Add base entry to the Realm.
  10. On the next screen, click Add Repository...
  11. Type a logical name for the repository in the Repository Identifier field. The identifier can be any value, as long as it's unique within the cell.
  12. Select the type of LDAP server to use from the Type list. If you have an IBM Domino® Version 7.0 server, select IBM Domino Version 6.5 as your LDAP type.
  13. Enter the fully qualified host name of the LDAP server in the Primary host name field. You can enter either the IP address or domain name system (DNS) name.
  14. Enter the LDAP server port number in the Port field. The host name and the port number represent the realm for this LDAP server in the WebSphere Application Server cell. The default value is 389.
  15. Optionally, enter the bind DN name in the Bind distinguished name field. The bind distinguished name can be any user with read permission for the directory server. The bind DN need not be the LDAP administrator. Leave this field blank to connect to the LDAP server anonymously.
  16. Optionally enter the password corresponding to the bind DN in the Bind password field. Leave this field blank to connect to the LDAP server anonymously.
  17. Specify the Login properties when setting up the repository. The cn, uid, and mail are common login property values. If your LDAP server uses a login property other than uid, you must change the value to match your user prefix.
  18. Click Apply, and then click Save.
  19. In the Distinguished name of a base entry that uniquely identifies this set of entries in the realm field, type the base DN of your choice such as "o=myLDAPRealm" or "o=defaultWIMLDAPBasedRealm". This DN is for internal WebSphere Application Server use only and is used to identify a set of entries when returning search results.
  20. In the Distinguished name of a base entry in this repository field, type the DN of the base entry within the directory to begin searches. Leave this field blank to start LDAP searches at the root of your LDAP repository, or if you have a Domino LDAP, which always begins searches at the root of the directory. An example of a DN for the base entry in a repository:
    dc=IBM,dc=COM
  21. Click Apply, and then click Save.
  22. Use a text editor and open wimconfig.xml. The directory path that follows is all on one line but represented here on two lines for printing:
    was_install_root\profiles\RTCGW_Profile
    \config\cells\cell_name\wim\config\wimconfig.xml
    The cell_name is the name of your cell.
  23. Search for the following text:
    <config:attributeConfiguration>
    
  24. After this line of text, add the following line if it does not exist: <config:externalIdAttributes name="dominounid"/> , specifying the correct value for your directory from the following list:

    Domino LDAP: dominounid

    IDS: ibm-entryuuid

    Active Directory: objectguid

    Novell eDirectory: guid

    Sun ONE: nsuniqueid

    For example, if you have a Domino LDAP, your text may look like this. Note that your text may be different.
    <config:attributeConfiguration>
      <config:externalIdAttributes name="dominounid" />
      <config:attributes name="userPassword" propertyName="password" />
      <config:attributes name="cn" propertyName="displayName">
        <config:entityTypes>Group</config:entityTypes>
      </config:attributes>
      <config:attributes name="cn" propertyName="cn">
        <config:entityTypes>Group</config:entityTypes>
      </config:attributes>
      <config:propertiesNotSupported name="businessAddress" />
    </config:attributeConfiguration>
    
  25. Now find the <config:repositories> element and add the following line to the <config:attributeConfiguration> element block:
    <config:externalIdAttributes name="<unique_attribute>" syntax="<attribute_syntax>"/>

    where <unique_attribute> is the unique LDAP attribute that you want to use and <attribute_syntax> identifies the syntax. Include the syntax attribute only if the syntax is something other than a type of string.

    For example, to use a string called dominounid, edit the wimconfig.xml file to include the following element:

    <config:externalIdAttributes name="dominounid"/>

    If the attribute was not a string, you would identify its syntax as well. For example:

    <config:externalIdAttributes name="GUID" syntax="octetString"/>

    The following are some examples of commonly used unique attributes for some different flavors of LDAP:

    • Domino LDAP: dominounid
    • IDS: ibm-entryuuid
    • Active Directory: objectguid
    • Novell eDirectory: guid
    • Sun ONE: nsuniqueid
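    The edit described in steps 24 and 25 can be scripted rather than done by hand. The following Python helper is an added example, not code from the page or from IBM: it inserts or corrects the config:externalIdAttributes element for a given directory type, using the attribute names listed above, and never leaves a duplicate. The namespace URI, the root element name in the constructed sample, and the function names are assumptions; check the xmlns:config declaration in your own wimconfig.xml.

```python
import xml.etree.ElementTree as ET
# Namespace of the config: prefix in wimconfig.xml (assumed; check xmlns:config in your file)
NS = "http://www.ibm.com/websphere/wim/config"
ET.register_namespace("config", NS)
# Unique-identifier attribute per directory type, as listed on the page
EXTERNAL_ID_BY_TYPE = {
    "domino": "dominounid",
    "ids": "ibm-entryuuid",
    "activedirectory": "objectguid",
    "edirectory": "guid",
    "sunone": "nsuniqueid",
}

def ensure_external_id(xml_text, ldap_type, syntax=None):
    """Return wimconfig.xml text with exactly one config:externalIdAttributes for
    ldap_type, first inside config:attributeConfiguration; syntax only if given."""
    root = ET.fromstring(xml_text)
    attr_cfg = root.find(f".//{{{NS}}}attributeConfiguration")
    if attr_cfg is None:
        raise ValueError("no config:attributeConfiguration element found")
    tag = f"{{{NS}}}externalIdAttributes"
    existing = attr_cfg.findall(tag)
    if existing:
        elem = existing[0]  # correct the existing element, never add a second one
        for dup in existing[1:]:
            attr_cfg.remove(dup)
    else:
        elem = ET.Element(tag)
        elem.tail = attr_cfg.text  # keep the file's indentation
        attr_cfg.insert(0, elem)
    elem.set("name", EXTERNAL_ID_BY_TYPE[ldap_type])
    if syntax:
        elem.set("syntax", syntax)
    else:
        elem.attrib.pop("syntax", None)
    return ET.tostring(root, encoding="unicode")

def external_id_name(xml_text):
    """Name of the configured external ID attribute, or None if not set."""
    elem = ET.fromstring(xml_text).find(f".//{{{NS}}}externalIdAttributes")
    return None if elem is None else elem.get("name")

# Constructed fragment shaped like the page's example, before step 24 is applied
SAMPLE = f"""<config:configurationProvider xmlns:config="{NS}">
  <config:attributeConfiguration>
    <config:attributes name="userPassword" propertyName="password"/>
    <config:propertiesNotSupported name="businessAddress"/>
  </config:attributeConfiguration>
</config:configurationProvider>"""
```

Run it against a copy of wimconfig.xml and diff the result before replacing the real file, since the server reads this file at startup.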
  26. Save the file.
  27. Stop and then restart the Sametime Gateway Server:
    1. Navigate to the directory that contains binaries: profile_root\bin
    2. Type the following commands, depending on your operating system, to stop and then start Sametime Gateway Server. To stop the server, you must use the user name and password that you provided when you enabled administrative security. Wait for the stopServer command to finish before running the startServer command. Note that RTCGWServer is case-sensitive.
      stopServer RTCGWServer -username username -password password
      startServer RTCGWServer
  28. Log in to the Integrated Solutions Console.
  29. Select Users and Groups > Manage Users.
  30. Click Search to verify that you can search your LDAP directory. If your LDAP functionality is enabled, you should see a list of users on the screen.
  31. Click a user name and make sure you can see the user's content. You can verify group names as well.
  32. Copy the script stgw_server_root/config/adminscripts/rtcgw_vmm.jacl to profile_root/bin.
  33. Open a separate command window and navigate to profile_root/bin.
  34. Run the following command:
    wsadmin -username username -password password -f rtcgw_vmm.jacl
    Where username is the administrative user ID that you use to log into the Integrated Solutions Console. You created this user ID when you installed Sametime Gateway Server. For example:
    wsadmin -username wasadmin -password gateway4u -f rtcgw_vmm.jacl
  35. Stop and then restart the Sametime Gateway Server:
    1. Navigate to the directory that contains binaries: profile_root\bin
    2. Type the following commands, depending on your operating system, to stop and then start Sametime Gateway Server. To stop the server, you must use the user name and password that you provided when you enabled administrative security. Wait for the stopServer command to finish before running the startServer command. Note that RTCGWServer is case-sensitive.

      AIX® and Linux™

      ./stopServer.sh RTCGWServer -username username -password password
      ./startServer.sh RTCGWServer 

      Windows™

      stopServer.bat RTCGWServer -username username -password password
      startServer.bat RTCGWServer

      IBM i

      stopServer RTCGWServer -username username -password password
      startServer RTCGWServer
  36. The remaining optional steps apply to an LDAP server that is not a Domino LDAP directory. By default, Sametime uses mail as the attribute in an LDAP record to search for users. If your LDAP directory uses a different attribute, you can change Sametime to use that attribute instead. For example, if you want to change Sametime to instead use the attribute displayName, complete the following steps:
    1. Use a Notes® client on the Sametime server to open the Sametime Configuration database (stconfig.nsf).
    2. Click File > Database > Open and select the Local server.
    3. Select the Sametime Configuration database (stconfig.nsf).
    4. Click Open.
    5. Locate the LDAP server entry in the Form Name column of the Configuration.
    6. Each LDAP Server document is listed after the LDAP Server entry in the Last Modified Date column. The date represents the last time the LDAP server document was modified.
    7. To open an LDAP Server document, double-click the date in the Last Modified Date column that represents the document.
    8. When the LDAP Server document opens, double-click the document to put it in edit mode.
    9. Search for mail and replace it with displayname in the following fields:
      Search filter for resolving person names:
      (&(objectclass=organizationalPerson)(|(uid=%s*)(givenname=%s*)(sn=%s*)(mail=%s*)))
      Search filter to use when resolving a user name to a distinguished name:
      (&(objectclass=organizationalPerson)(|(uid=%s)(givenname=%s)(sn=%s)(mail=%s)))
      Attribute of the person entry that defines the person's e-mail address: mail
    10. Save your changes and then restart the Domino server.
    11. On the Sametime Gateway Server that is connected to LDAP, use a text editor and open the following file:
      profile_root\config\cells\<cell_name>\wim\config\wimconfig.xml
    12. Add the following line after the other configuration attributes: <config:attributes name="displayName" propertyName="mail"/>
      For example:
      <config:attributeConfiguration>
        <config:externalIdAttributes name="dominounid" />
        <config:attributes name="userPassword" propertyName="password" />
        <config:attributes name="cn" propertyName="displayName">
          <config:entityTypes>Group</config:entityTypes>
        </config:attributes>
        <config:attributes name="cn" propertyName="cn">
          <config:entityTypes>Group</config:entityTypes>
        </config:attributes>
        <config:attributes name="displayName" propertyName="mail"/>
        <config:propertiesNotSupported name="businessAddress" />
      </config:attributeConfiguration>
      
    13. Save the file.
    14. Stop and restart the Sametime Gateway Server.
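The attribute swap in step 36.9 is easy to get wrong with a blind text replace, because an LDAP filter contains both attribute names and values. The following Python helper is an added example, not from the page or from IBM: it renames an attribute only where it appears as the attribute of a filter item, leaves values untouched, and sanity-checks the result. The two filters are copied from step 36.9; the function names are assumptions.

```python
import re

# Filters as shown in step 36.9 of the page (constructed copies for the check)
PERSON_NAME_FILTER = "(&(objectclass=organizationalPerson)(|(uid=%s*)(givenname=%s*)(sn=%s*)(mail=%s*)))"
DN_RESOLVE_FILTER = "(&(objectclass=organizationalPerson)(|(uid=%s)(givenname=%s)(sn=%s)(mail=%s)))"

# Matches "(attr" when it is directly followed by a filter operator (=, ~=, >=, <=)
_ATTR = re.compile(r"\(([A-Za-z][\w.;-]*)(?=(?:~=|>=|<=|=))")

def rename_filter_attribute(flt, old, new):
    """Rename attribute `old` to `new` wherever it is the attribute of a filter
    item. Values are never touched; LDAP attribute names compare case-insensitively."""
    def sub(match):
        name = match.group(1)
        return "(" + (new if name.lower() == old.lower() else name)
    return _ATTR.sub(sub, flt)

def check_filter(flt):
    """Structural check: balanced parentheses and at least one %s placeholder,
    so the edited value can still be used by Sametime as a search template."""
    depth = 0
    for ch in flt:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0 and "%s" in flt
```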