LDAP directory settings used in the prerequisite activity

Find more details about LDAP settings for the guided activity, "Sametime® prerequisite: Connect to LDAP Servers."

The following tables correspond to the tasks in the guided activity:

Bind to LDAP

Bind to LDAP settings determine whether the system console binds to the LDAP server as an anonymous or authenticated user. Also specify the host name of the LDAP server, the port that the server is using, and whether to use SSL when connecting to the LDAP server.

Table 1. Bind to LDAP settings for the LDAP directory

Attribute: Authenticated access
Description: Requires the Sametime servers to use credentials to authenticate with the LDAP server.

Attribute: Anonymous access
Description: Select this type of access only if you are certain that all attributes are accessible when the Sametime server binds to the LDAP server.

Anonymous bind operations must be able to search on a unique ID attribute specific to the LDAP server in use. Use these attributes:
  • Domino® LDAP: Dominounid
  • IBM® Directory Server: ibm-entryuuid
  • Microsoft™ Active Directory: objectguid
  • Novell eDirectory: guid
  • Sun ONE: nsuniqueid

To accept anonymous access, the LDAP server must allow anonymous binding and anonymous access to the same attributes of the LDAP person and group entries that are required for the bind distinguished name (DN) and password, as described later in this table.

Attribute: Deployment Name for this LDAP connection
Description: Specifies a name that you give to this LDAP connection for easy reference. It does not need to match any existing server name or value; it is simply an easy way to identify this object when you reference it later.
Comments and sample values: Sample deployment name: ST_LDAP

Attribute: Host name
Description: Enter the fully qualified domain name of the LDAP server, or of the Network Dispatcher serving the LDAP servers, that you want to connect to. Do not use an IP address or a short host name.
Comments and sample values: Sample host name: ldap1.example.com

Attribute: Port of the LDAP server
Description: The port number on which the LDAP server listens for TCP/IP connections. The default port for LDAP access is TCP/IP port 389.
Comments and sample values: Default: 389

Attribute: Bind distinguished name (DN) and Password
Description: If you have selected Authenticated Access, specify the distinguished name of an LDAP directory entry that the Sametime servers use when binding to the LDAP directory, and then enter the password associated with that user. The server transmits this user name and password to the LDAP server when making its initial connection. The LDAP server verifies the user name and password against an entry in the LDAP directory to authenticate the connection.

When designating an authenticated user, create a unique directory entry that is used only for authenticating connections from the Sametime servers to the LDAP server. After creating the directory entry, ensure that it has at least read access to the attributes of the LDAP directory entries listed here.

If you have selected Anonymous Access, these fields are not shown.

If you use a person entry for the authenticated user, the Sametime server must have access to the following attributes:
  • person name
  • person description
  • home Sametime server
  • email address
  • location
  • telephone number
  • title
  • photo (if used for business card)
  • object class
  • Any LDAP directory entry attribute that is specified in any search filter in the Collect Person Settings section of the guided activity.

If you use a group entry for the authenticated user, the Sametime server must have access to the following attributes:
  • group name
  • group description (if this setting is not empty)
  • group members
  • ObjectClass
  • Any LDAP directory entry attribute that is specified in any search filter in the Collect Group Settings section of the guided activity.
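The rules in Table 1 are easy to get wrong when the values are typed into the console by hand, so the following Python script (an added example, not part of this documentation or of Sametime) checks a Bind to LDAP configuration against them before it is entered: the host must be a fully qualified domain name rather than an IP address or short name, the port must be a valid TCP port, authenticated access needs both a bind DN and a password, and anonymous access needs the directory type's unique ID attribute to be searchable. The BindSettings field names, the ldap_type keys, and the assumption that the administrator has already confirmed (out of band) which attributes an anonymous bind can search are inventions of this example.

```python
"""Check a 'Bind to LDAP' configuration against the rules in Table 1.

Added example, not IBM's code. Field names, ldap_type keys and the
anonymous_searchable_attributes field are assumptions of this example.
"""
from dataclasses import dataclass, field
import ipaddress
import re

# Unique ID attribute each directory type exposes (values from Table 1 of the page).
UNIQUE_ID_ATTRIBUTE = {
    "domino": "Dominounid",
    "ibm-directory-server": "ibm-entryuuid",
    "active-directory": "objectguid",
    "edirectory": "guid",
    "sun-one": "nsuniqueid",
}

# One DNS label: 1-63 characters, letters/digits/hyphen, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_fqdn(host: str) -> bool:
    """True for a dotted host name such as ldap1.example.com; False for an IP address or a single label."""
    host = host.rstrip(".")
    try:
        ipaddress.ip_address(host)
        return False  # the page rules out IP addresses
    except ValueError:
        pass
    labels = host.split(".")
    return len(labels) >= 2 and all(_LABEL.match(label) for label in labels)


@dataclass
class BindSettings:
    deployment_name: str
    host: str
    port: int = 389
    use_ssl: bool = False
    authenticated: bool = True
    bind_dn: str = ""
    bind_password: str = ""
    ldap_type: str = "ibm-directory-server"
    # Attributes the administrator has verified an anonymous bind can search (assumed input).
    anonymous_searchable_attributes: set = field(default_factory=set)


def validate(settings: BindSettings) -> list:
    """Return a list of problems; an empty list means the settings pass every check."""
    problems = []
    if not settings.deployment_name.strip():
        problems.append("deployment name must not be empty")
    if not is_fqdn(settings.host):
        problems.append(f"host {settings.host!r} must be a fully qualified domain name, "
                        "not an IP address or short host name")
    if not 1 <= settings.port <= 65535:
        problems.append(f"port {settings.port} is not a valid TCP port")
    if settings.use_ssl and settings.port == 389:
        problems.append("SSL is enabled but port 389 is the plain LDAP port (LDAPS normally uses 636)")
    if settings.authenticated:
        if not settings.bind_dn or not settings.bind_password:
            problems.append("authenticated access requires both a bind DN and a password")
    else:
        if settings.bind_dn or settings.bind_password:
            problems.append("anonymous access: bind DN and password are not used; leave them empty")
        attr = UNIQUE_ID_ATTRIBUTE.get(settings.ldap_type)
        if attr is None:
            problems.append(f"unknown LDAP type {settings.ldap_type!r}")
        elif attr.lower() not in {a.lower() for a in settings.anonymous_searchable_attributes}:
            problems.append(f"anonymous bind must be able to search on {attr} for {settings.ldap_type}")
    return problems


if __name__ == "__main__":
    sample = BindSettings("ST_LDAP", "ldap1.example.com",
                          bind_dn="cn=stbind,o=example", bind_password="placeholder")
    print(validate(sample) or "settings pass all checks")
```

The anonymous-access branch deliberately refuses to pass unless the unique ID attribute for the detected directory type is in the verified-searchable set: the page's condition for anonymous binds is that this attribute is searchable, and a validator that assumed it would hide the most common misconfiguration.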

Base Distinguished Name and Filter for Searches

The Base Distinguished Name and Filter for Searches settings ensure that Sametime users' names are found in the appropriate LDAP directory when they authenticate through the browser client.

Table 2. Base Distinguished Name and Filter for Searches settings

Attribute: Detected LDAP Base DNs
Description: For stconfig.nsf, edit the ldapserver document as follows:

Search Base and Scope
Base Objects
Base object when searching for person entries: DC=austin,DC=ibm,DC=com
Base object when searching for group entries: DC=austin,DC=ibm,DC=com

The base distinguished name is detected according to the LDAP type. The one exception is the IBM Domino LDAP server, for which the base distinguished name is null by default.
Comments and sample values: Sample base distinguished name: dc=example,dc=com

Attribute: LDAP user search base
Description: Specify the base object of the directory, or the level of the directory, from which to start a search for person or group entries.

Attribute: Configure advanced LDAP settings
Description: Select this option to see additional settings that let you provide detailed authentication and search attributes for person and group entries in the LDAP directory.

Collect Person Settings

To search for a user name, users enter a text string in the Sametime user interface. This setting defines the LDAP search filter responsible for selecting a user name from the LDAP directory. The search filter matches the text string to information contained within the attributes of LDAP directory person entries.

Table 3. Person attributes

Attribute: Object class
Description: Individual users are represented by entries with a unique object class. Enter the object class attribute used for people in the LDAP schema of the LDAP directory in your environment. The name of the object class specified in this setting is compared to the object class values of each entry to decide whether the entry is a person or a group.

The value is set automatically to a default value based on the type of LDAP directory detected.

Attribute: LDAP user search base
Description: The level of the distinguished name where searches begin. For example, if the distinguished name format is cn=, o=, c= and you type o=Managers in this field, then user searches are restricted to Person records within the Managers organization.

Attribute: Policy ID for users and groups
Description: Specifies which ID to search for when the administrator selects User ID as the search criteria for managing policies:
  • UUID is the unique attribute assigned to every entry in the LDAP directory and provides the most useful search results.
  • Distinguished Name is the user name with all of its distinguishing levels; select this option if your LDAP directory does not provide the UUID attribute.

If the UUID attribute is used with policy assignments or user IDs, then any custom Java™ classes for searching the LDAP directory must include the appropriate UUID attribute:
  • Domino LDAP: Dominounid
  • IBM Security Directory Server: ibm-entryuuid
  • Microsoft Active Directory: objectguid
  • Novell eDirectory: guid

Attribute: Display name
Description: Displays a user's name in Sametime user interfaces. The attribute must not be the same as the one you use for Similar name distinguisher or Email address, due to WebSphere® Application Server configuration rules.
Comments and sample values: Sample display name: cn

Attribute: Similar name distinguisher
Description: Differentiates between two users who have the same common name (cn) attribute. The attribute must not be the same as the one you use for Display name or Email address, due to WebSphere Application Server configuration rules.

Attribute: Email address
Description: Specifies the attribute that contains the user's email address. The attribute must not be the same as the one you use for Display name or Similar name distinguisher, due to WebSphere Application Server configuration rules.

Attribute: Home Sametime server
Description: Specifies the name of the field within the LDAP person entries that contains the name of each user's home Sametime Community Server.

If you have installed multiple Sametime Community Servers, each user's person entry in the LDAP directory must contain a field in which the user's home server is specified.

You can either:
  • Add a new field to the LDAP directory to store the name of each user's home server. This field must be in the person entry of every Sametime user in the LDAP directory.
  • Use a field that already exists in the person entries of each Sametime user, such as the email address.
Comments and sample values: Format for Sametime Community Server distinguished name: CN=servername/ou=organizational_unit/o=organization
Example: HomeServer1/Sales/Company

Attribute: Membership attribute
Description: Specifies which groups a user belongs to, if your LDAP server supports this feature.
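The person search filter described above, and the group search filter in the Collect Group Settings section that follows, both splice text typed by a user into an LDAP filter restricted to the configured object class. The security point a practitioner wants to see is that the typed text must be escaped per RFC 4515 before it is spliced in; otherwise characters such as *, ( and ) let the typed string change the filter's structure. The following Python script is an added example, not Sametime's code or its actual filter syntax: the object class names inetOrgPerson and groupOfUniqueNames, the mail attribute, and the function names are assumptions for illustration (the page says the person object class is detected automatically but does not state it).

```python
"""Build person and group search filters with RFC 4515 escaping of typed text.

Added example, not IBM's code. The object classes, the 'mail' attribute
and the function names are assumptions of this example.
"""

# RFC 4515 section 3: these characters must be escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(text: str) -> str:
    """Escape one assertion value so it cannot alter the surrounding filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in text)


def build_search_filter(typed: str, object_class: str, attrs) -> str:
    """(&(objectClass=<class>)(|(<attr1>=<typed>*)(<attr2>=<typed>)...)):
    a prefix match on the first attribute, exact matches on the rest."""
    value = escape_filter_value(typed)
    clauses = []
    for i, attr in enumerate(attrs):
        wildcard = "*" if i == 0 else ""   # the only unescaped '*' is the one we add ourselves
        clauses.append(f"({attr}={value}{wildcard})")
    return f"(&(objectClass={escape_filter_value(object_class)})(|{''.join(clauses)}))"


def person_search_filter(typed: str) -> str:
    """Person filter: display name (cn, the page's sample) prefix or email (assumed 'mail') match."""
    return build_search_filter(typed, "inetOrgPerson", ["cn", "mail"])


def group_search_filter(typed: str) -> str:
    """Group filter: display name (cn) prefix or description (the page's sample distinguisher) match."""
    return build_search_filter(typed, "groupOfUniqueNames", ["cn", "description"])


def filter_is_balanced(ldap_filter: str) -> bool:
    """Cheap structural check: every unescaped '(' has a matching ')'.
    Escaped parentheses are '\\28' and '\\29', so a raw count suffices."""
    depth = 0
    for ch in ldap_filter:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


if __name__ == "__main__":
    print(person_search_filter("Bob"))
    # Typed text that tries to close the clause and open another is neutralized by escaping.
    print(person_search_filter("*)(uid=*"))
```

Escaping is applied to the value only; the attribute names and object class come from configuration, never from the typed string, so the filter's shape is fixed regardless of input.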

Collect Group Settings

To search for a group name, Sametime users enter a text string in the Sametime user interface. This setting defines the LDAP search filter responsible for selecting a group name from the LDAP directory. The search filter matches the text string to information contained within the attributes of LDAP directory group entries.

Table 4. Group attributes

Attribute: Object class
Description: Defines the type of entry that will be searched. For example, the groupOfUniqueNames class describes a set of unique Person records that do not necessarily share any values in their distinguished name levels (every user in the group might have a different O= value, for example). By default, searches for a group assume that this is the case. Groups are represented by entries with a unique object class. Enter the object class attribute used for groups in the LDAP schema of the LDAP directory in your environment. The name of the object class specified in this setting is compared to the object class values of each entry.
Comments and sample values:
  Microsoft Active Directory: group
  Netscape Directory: groupOfUniqueNames
  Microsoft Exchange 5.5 and Domino directories: groupOfNames
  SecureWay™ Directory: groupOfUniqueNames

Attribute: LDAP group search base
Description: The level of the distinguished name where searches begin. For example, if the distinguished name format is cn=, o=, c= and you type o=Managers in this field, then group searches are restricted to Group records within the Managers organization.

Attribute: Display name
Description: Displays a group's name in Sametime user interfaces.
Comments and sample values: Sample display name: cn

Attribute: Similar name distinguisher
Description: Specifies the attribute of a group entry that can differentiate between two groups that have the same common name (cn) attribute. In many LDAP directories, the "description" attribute contains descriptive information about a group. If a search on the name "Marketing" returns two group entries, the information contained in the description attribute (such as "West region" or "East region") can be used to distinguish between the two groups.
Comments and sample values:
  Microsoft Exchange 5.5 Directory: info
  All other directories: description

Attribute: Group membership attribute
Description: Specifies the name of the attribute in the group entry that contains the names of the individual people or subgroups that belong to the group. If users add a group to a presence list, privacy list, or a list that restricts meeting attendance, Sametime must obtain the list of members within the group.
Comments and sample values:
  member
  uniquemember

Attribute: Group Membership
Description: The most effective policy search through the LDAP directory may be one that uses a memberOf attribute. In this case, the Policy filter field contains that attribute name, so if your LDAP server provides a memberOf attribute, configure this field to use it.
Comments and sample values:
  Domino 8.0 and more recent: dominoAccessGroups
  memberOf
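Table 4 describes two ways of answering "who is in this group": forward, from the group entry's membership attribute (member or uniquemember), which may name subgroups as well as people, and reverse, from a memberOf-style attribute on the member's own entry. The following Python script is an added example, not Sametime's code: it walks the forward attributes through nested subgroups with cycle and depth protection, reports member DNs that do not resolve to any entry, and derives a memberOf-style index for directories that do not maintain one. The in-memory DIRECTORY dict is constructed sample data standing in for LDAP search results, and the function names are assumptions.

```python
"""Resolve group membership forward (member/uniquemember) and reverse (memberOf-style).

Added example, not IBM's code. DIRECTORY is constructed sample data; the
function names are assumptions of this example.
"""
from typing import Dict, List, Set, Tuple

Entry = Dict[str, List[str]]

PEOPLE = "ou=People,dc=example,dc=com"
GROUPS = "ou=Groups,dc=example,dc=com"

# Constructed entries (not from any real directory), keyed by DN.
DIRECTORY: Dict[str, Entry] = {
    f"cn=Marketing,{GROUPS}": {
        "objectClass": ["groupOfUniqueNames"],
        "description": ["West region"],
        "uniquemember": [f"uid=alice,{PEOPLE}", f"cn=Interns,{GROUPS}"],
    },
    f"cn=Interns,{GROUPS}": {
        "objectClass": ["groupOfUniqueNames"],
        # The subgroup refers back to its parent (a cycle) and to a DN that no longer exists.
        "uniquemember": [f"uid=bob,{PEOPLE}", f"cn=Marketing,{GROUPS}", f"uid=ghost,{PEOPLE}"],
    },
    f"uid=alice,{PEOPLE}": {"objectClass": ["inetOrgPerson"], "cn": ["Alice"]},
    f"uid=bob,{PEOPLE}": {"objectClass": ["inetOrgPerson"], "cn": ["Bob"]},
}

GROUP_CLASSES = {"groupofuniquenames", "groupofnames", "group"}  # object classes from Table 4
MEMBERSHIP_ATTRS = ("member", "uniquemember")                     # membership attributes from Table 4


def is_group(entry: Entry) -> bool:
    """An entry is a group if any of its object class values is one of the group classes."""
    return any(oc.lower() in GROUP_CLASSES for oc in entry.get("objectClass", []))


def expand_members(directory: Dict[str, Entry], group_dn: str,
                   max_depth: int = 10) -> Tuple[Set[str], Set[str]]:
    """Forward resolution: follow member/uniquemember down through subgroups.

    Returns (person DNs, DNs that resolve to no entry). A visited set stops
    cycles such as Marketing -> Interns -> Marketing; max_depth bounds the walk
    even for very deep, non-cyclic nesting.
    """
    people: Set[str] = set()
    unresolved: Set[str] = set()
    seen: Set[str] = set()

    def walk(dn: str, depth: int) -> None:
        key = dn.lower()  # DN matching is case-insensitive in LDAP; normalize the visited key
        if key in seen or depth > max_depth:
            return
        seen.add(key)
        entry = directory.get(dn)
        if entry is None:
            unresolved.add(dn)
        elif is_group(entry):
            for attr in MEMBERSHIP_ATTRS:
                for member_dn in entry.get(attr, []):
                    walk(member_dn, depth + 1)
        else:
            people.add(dn)

    walk(group_dn, 0)
    return people, unresolved


def build_member_of(directory: Dict[str, Entry]) -> Dict[str, Set[str]]:
    """Reverse resolution: derive a memberOf-style index (member DN -> groups naming it directly)."""
    index: Dict[str, Set[str]] = {}
    for dn, entry in directory.items():
        if is_group(entry):
            for attr in MEMBERSHIP_ATTRS:
                for member_dn in entry.get(attr, []):
                    index.setdefault(member_dn, set()).add(dn)
    return index


if __name__ == "__main__":
    members, missing = expand_members(DIRECTORY, f"cn=Marketing,{GROUPS}")
    print("people:", sorted(members))
    print("unresolved:", sorted(missing))
    print("memberOf index:", build_member_of(DIRECTORY))
```

The unresolved set matters for the presence, privacy and meeting-restriction lists the table mentions: a dangling member DN is neither silently dropped nor treated as a person, so an administrator can see that the group references an entry that no longer exists.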