Sametime Prerequisite: Connect to LDAP Servers

This activity takes you through the steps for identifying users and groups in the LDAP directory that will be used by your IBM® Sametime® deployment.

Before you begin

The LDAP server must be installed and running before you begin this guided activity.

Tip: Find the most up-to-date help, and translated versions of the help, in the product documentation published on IBM Knowledge Center. For more information on the LDAP directory settings described here, see "LDAP directory settings used in the prerequisite activity" in the product documentation.

About this task

Follow these steps to connect Sametime servers to the deployment's LDAP server, which enables user authentication. You can also use this guided activity to modify or delete existing LDAP connections. Depending on the options you select, some steps may not be needed and you will be instructed to skip those steps.

Procedure

  1. Connect to LDAP server.

    In the Connect to LDAP Servers guided activity, click Add.

  2. Bind to LDAP.

    Provide LDAP bind settings, and then click Next:

    • Select a type of access:

      • Anonymous access

        The Sametime servers bind to the LDAP directory without supplying credentials (an anonymous bind), so the directory must permit anonymous searches of the user and group entries Sametime needs. Prefer Authenticated access wherever the directory allows it: a directory that answers anonymous searches exposes its contents to anyone who can reach it.

      • Authenticated access

        The Sametime servers bind with the Bind distinguished name and password supplied later in this step, and users must log in with accounts contained in the LDAP directory.

    • Deployment Name

      Type a descriptive name to identify this LDAP connection in the future (the name does not need to map to any existing server name or value).

    • Host Name

      Type the fully qualified domain name of the LDAP server that you want to connect to (do not use an IP address or a short host name).

    • Port

      Type the port that the LDAP server is listening on (typically 389 for LDAP and 636 for LDAP over SSL; confirm the value with the directory administrator).

    • Is secure LDAP connection

      Select to encrypt traffic between the Sametime servers and the LDAP server with SSL (Secure Sockets Layer). Without it, the bind password and every directory search cross the network in clear text.

    • Import SSL Certificate

      Click to retrieve the LDAP server's SSL certificate and import it into the Sametime System Console's Default Cell Trust Store. Verify the certificate's subject and fingerprint with the directory administrator before importing, because the console trusts whatever certificate the host presents at import time.

    • If you selected Authenticated access, supply a user name and password that Sametime can use when communicating with the LDAP directory:

      • Bind distinguished name (DN)

        Type the DN of an account that exists in the LDAP directory and has at least read access to the person and group attributes Sametime searches. A dedicated read-only account is preferable to a directory administrator, because its credentials are stored by the console. Type the name using the DN (Distinguished Name) format; for example:

        cn=LDAP Administrator,ou=IT,o=Renovations,st=Massachusetts,c=US
      • Password

        Type the password associated with the Bind user name.

  3. Base Distinguished Name and Filter for Searches.

    Provide the base distinguished name and filter for use when searching the LDAP directory, and then click Next:

    • Detected LDAP base DNs

      Select the base level for name searches (the list is populated based on entries in the LDAP directory).

      Important: You must select a base DN to ensure that authenticated users can create and attend meetings. If you use an IBM Domino® LDAP directory, the base DN is automatically changed from its default value of null to C=US to ensure that the LDAP repository can be federated to the Sametime System Console.
    • LDAP base entry

      Type the DN entry at which user searches should begin.

    • Configure advanced LDAP settings

      (Optional) Click to define attributes and filters to be used when searching the LDAP for persons or groups.

  4. Collect Person Settings.

    If you did not click Configure advanced LDAP settings, skip this step.

    Provide settings to use when searching the LDAP for individuals, and then click Next.

    1. Specify the attributes of an LDAP person entry:

      • Object class

        Specify the type of entry that will be searched. By default, searches for a user name will look in this set of records.

      • LDAP user search base

        Specify the level of the distinguished name where searches begin.

      • Policy ID for users and groups

        Specify which ID to search for when the administrator selects User ID as the search criteria for managing policies:

        • UUID is the unique identifier the directory assigns to every entry; it gives the most reliable results because, unlike a Distinguished Name, it does not change when an entry is renamed or moved.

        • Distinguished Name is the user name with all of its distinguishing levels; select this option if your LDAP directory does not provide the UUID attribute.
          Restriction: If your Sametime Community Server uses a native IBM Domino Directory (accessed by the native Domino protocol and not the LDAP protocol), you must select this option.

      • Display name

        Specify the attribute to be displayed as a user's name in Sametime user interfaces. This attribute must not be the same as the attribute you use for Similar name distinguisher or Email address due to WebSphere® Application Server configuration rules.

      • Similar name distinguisher

        Specify the attribute that differentiates between two users who have the same common name (cn) attribute.

      • Email address

        Specify the attribute that contains the user's email address.

      • Home Sametime server

        Specify the attribute that contains the name of the user's Home Sametime Community Server.

      • Membership attribute

        Specify the attribute on the person entry that lists the groups the user belongs to, if your LDAP server supports this feature.

    2. Provide the search and authentication attributes of an LDAP person entry:

      • Authentication attributes

        Specify which attributes can be used for authentication. For example, if this field is set to mail;cn the user can authenticate with either of these names.

        Important: The Sametime Meeting Server requires the first Authentication attribute to be mail. Additional fields must be separated by a semicolon (;). For example, the Authentication attribute can be set to mail;cn;uid.
      • Search attributes

        Specify the fields used for searching the directory for users. The fields must be separated by a semicolon (;). For example, the Search attribute can be set to mail;cn;uid.

  5. Collect Group Settings.

    If you did not click Configure advanced LDAP settings, skip this step.

    Provide settings to use when searching the LDAP for groups, and then click Next:

    • Object class

      Specify the type of entry that will be searched.

    • LDAP group search base

      Specify the level of the distinguished name where searches begin.

    • Display name

      Specify the attribute to be displayed as the group's name in Sametime user interfaces. This attribute must not be the same as the attribute you use for Similar name distinguisher or Email address due to WebSphere Application Server configuration rules.

    • Similar name distinguisher

      Specify the attribute that differentiates between two groups that have the same common name (cn).

    • Group membership attribute

      Specify the attribute within the group entry that contains the names of the individual people or subgroups that belong to the group.

  6. Task Completion Summary.

    Review the configuration details in the Task Completion Summary table, and click Finish to connect to the LDAP server.

  7. Restart the Sametime System Console (or other deployment manager) to complete the LDAP federation process.
  8. Push the LDAP changes to all nodes that are managed by the Sametime System Console by synchronizing the nodes:
    1. In the navigation tree, click System Administration > Nodes.
    2. In the nodes table, select every node.
    3. Still in the nodes table, click Synchronize.
    Note: If you edited an LDAP connection for a Sametime server that is administered by a deployment manager other than the Sametime System Console, then only the Sametime System Console and the LDAP server will be updated. You must manually update the LDAP configuration settings on the WebSphere Application Server that hosts the Sametime product.
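The settings collected in steps 2 to 5 are easy to get subtly wrong before the node synchronization makes them live. The following added example, which is not IBM's code and not the query Sametime itself issues, models one administrator's wizard input as a dictionary, checks it against the rules this activity states (FQDN host name, DN-formatted bind account, non-null base DN with the Domino C=US default, Display name distinct from Similar name distinguisher and Email address, mail as the first Authentication attribute) and builds the LDAP search filter those Authentication attributes imply, escaping the typed login name per RFC 4515 so it cannot rewrite the filter. The host name, object classes, attribute names and DNs in SAMPLE_SETTINGS are hypothetical, the check that search bases lie under the base DN is an assumption about federated repositories, and the filter shape is illustrative of how the Authentication attributes combine.

```python
"""Offline checker for the settings gathered by the Connect to LDAP Servers guided
activity.  Added example, not IBM's code: it never contacts a directory; it enforces
the rules the activity documents and builds the filter those settings imply.  Object
classes, attribute names and DNs in SAMPLE_SETTINGS are assumptions, not IBM's."""
import re

LDAP_PORT, LDAPS_PORT = 389, 636   # IANA defaults; a directory may listen elsewhere

# Constructed sample of one administrator's wizard input (hypothetical values).
SAMPLE_SETTINGS = {
    "access": "authenticated",                 # or "anonymous"
    "host": "ldap.renovations.example",        # FQDN, never an IP address
    "port": LDAPS_PORT,
    "secure": True,                            # "Is secure LDAP connection"
    "bind_dn": "cn=LDAP Administrator,ou=IT,o=Renovations,st=Massachusetts,c=US",
    "bind_password": "placeholder-only",
    "base_dn": "o=Renovations,st=Massachusetts,c=US",
    "directory_type": "generic",               # "domino" triggers the C=US default
    "person": {
        "object_class": "inetOrgPerson",
        "search_base": "ou=People,o=Renovations,st=Massachusetts,c=US",
        "display_name": "cn",
        "similar_name_distinguisher": "uid",
        "email": "mail",
        "authentication_attributes": "mail;cn;uid",
    },
    "group": {
        "object_class": "groupOfNames",
        "search_base": "ou=Groups,o=Renovations,st=Massachusetts,c=US",
        "display_name": "cn",
        "similar_name_distinguisher": "description",
        "membership_attribute": "member",
    },
}

def split_attrs(value):
    """Turn a semicolon-separated field such as 'mail;cn;uid' into a list."""
    return [a.strip() for a in value.split(";") if a.strip()]

def escape_filter_value(value):
    """RFC 4515 escaping: a typed login name must not be able to rewrite the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def parse_dn(dn):
    """Split a DN into lower-cased (type, value) pairs, honouring escaped commas."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        if "=" not in rdn:
            raise ValueError("not a DN component: %r" % rdn)
        attr, value = rdn.split("=", 1)
        pairs.append((attr.strip().lower(), value.strip().lower()))
    return pairs

def dn_is_under(child, parent):
    """True when child is parent or lies below it (RDN suffix match)."""
    c, p = parse_dn(child), parse_dn(parent)
    return len(c) >= len(p) and c[len(c) - len(p):] == p

def effective_base_dn(settings):
    """Base DN the console will use: a null base on a Domino directory becomes C=US."""
    base = (settings.get("base_dn") or "").strip()
    return "C=US" if not base and settings.get("directory_type") == "domino" else base

def validate(settings):
    """Return the documented rules this input breaks; [] means it is ready to submit."""
    problems = []
    host = settings["host"]
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host) or ":" in host or "." not in host:
        problems.append("Host Name must be a fully qualified domain name")
    if settings["secure"] and settings["port"] == LDAP_PORT:
        problems.append("secure connection selected but port %d is plain LDAP" % LDAP_PORT)
    if settings["access"] == "authenticated":
        try:
            parse_dn(settings.get("bind_dn") or "")
        except ValueError as err:
            problems.append("Bind DN must be in DN format: %s" % err)
        if not settings.get("bind_password"):
            problems.append("Authenticated access needs the bind password")
    base = effective_base_dn(settings)
    if not base:
        problems.append("select a base DN, or authenticated users cannot create or attend meetings")
    for kind in ("person", "group"):
        cfg = settings[kind]
        for other in ("similar_name_distinguisher", "email"):   # WebSphere rule in the activity
            if other in cfg and cfg["display_name"] == cfg[other]:
                problems.append("%s Display name must differ from %s" % (kind, other))
        if base and not dn_is_under(cfg["search_base"], base):   # assumption: bases nest
            problems.append("%s search base is not under base DN %s" % (kind, base))
    auth = split_attrs(settings["person"]["authentication_attributes"])
    if auth[:1] != ["mail"]:
        problems.append("Meeting Server requires the first Authentication attribute to be mail")
    return problems

def authentication_filter(person, login):
    """Lookup of a typed login name across every Authentication attribute (illustrative form)."""
    ors = "".join("(%s=%s)" % (a, escape_filter_value(login))
                  for a in split_attrs(person["authentication_attributes"]))
    return "(&(objectClass=%s)(|%s))" % (person["object_class"], ors)
```

Run `validate(SAMPLE_SETTINGS)` on your own values before clicking Finish; an empty list means every documented rule holds. The escaping in `authentication_filter` is the point to carry over to anything else that builds filters from user input: a login of `*)(uid=*` becomes `\2a\29\28uid=\2a` and matches nothing instead of widening the search.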