Securing connections between Sametime Community and LDAP

When Sametime is configured to connect to an LDAP server, the Sametime Community Server makes five separate connections to the LDAP server.

Before you begin

You must configure the sametime.ini settings by completing one of these topics:

About this task

The Sametime Community Server makes a separate connection to the LDAP server to perform each of these five tasks:
  • Authenticate users.
  • Resolve a user name to a distinguished name as part of the login procedure.
  • Resolve user and group names (for example, as a response to an "Add Person or Group" request from a Sametime Connect Client).
  • Browse the directory.
  • Get the content of public groups.

Over these connections the Sametime Community Server and the LDAP server exchange directory information, including user names and passwords. To protect this information, the administrator can use SSL to encrypt the data that passes over these connections. Weigh the level of protection required against the cost before enabling SSL: encrypting these connections adds TLS overhead and can reduce server performance.

The administrator has the following options for using SSL to encrypt the data transmitted between the Sametime and LDAP servers:
  • Encrypt all data - Encrypts all directory information (both user names and passwords) transmitted between the Sametime Community Server and the LDAP server. All five connections between the Sametime Community Server and the LDAP server are encrypted with SSL. This option provides the most security and also has the greatest effect on server performance.
  • Encrypt only user passwords - Encrypts passwords but no other directory information (such as user names) passing between the Sametime Community Server and the LDAP server. Only the "authenticating users" connection is encrypted with SSL; the other four connections remain in the clear. This option provides an intermediate level of security and has less effect on server performance than encrypting all the data.
  • Encrypt no data - All directory information and passwords pass unencrypted between the Sametime and LDAP servers. This option has no performance cost and should be used only when the administrator is confident that no unauthorized party can intercept traffic on the network path between the Sametime and LDAP servers.

The connection between the Sametime Userinfo servlet and LDAP, which carries the business card data, is configured separately from the three options above; using SSL to encrypt that connection secures the business card data (see "Update the userinfoconfig.xml to use the secure LDAP settings" below).

Import the LDAP server’s certificate into the trust store

If the LDAP server presents a certificate issued by a CA, obtain the certificate of that CA's root and import it into the trust store on the Sametime server; if the LDAP server does not send its intermediate CA certificates during the TLS handshake, import those as well, or the chain cannot be built. If the LDAP server uses a self-signed certificate, import that certificate itself. Obtain the certificate out of band (from the LDAP administrator) rather than by trusting whatever the server hands over on the wire. In the prerequisite topic, the trust store file name is defined by the sametime.ini setting ST_TLS_TRUST_STORE_FILE, or STLDAP_TLS_TRUST_STORE_FILE if you are using the individual scope.
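The following POSIX shell script is an added pre-flight check for this step; it is not part of this topic and not HCL's tooling. It fetches the chain the LDAP server presents on its LDAPS port, decides whether the leaf is self-signed (import the leaf itself) or CA-issued (import the CA bundle you obtained out of band, but only if that bundle actually validates the leaf), and confirms that the certificate covers the host name you will enter in the LDAPServer document. It assumes the openssl command-line tool is installed and that the LDAP server already answers on its LDAPS port. Because this page does not state the format of the file named by ST_TLS_TRUST_STORE_FILE, the script stops at telling you which PEM file to import; do the import itself as described in the prerequisite topic. The host name ldap.example.com and the CA file path in the usage comment are placeholders.

```shell
#!/bin/sh
# Pre-flight for "Import the LDAP server's certificate into the trust store".
# Added example, not HCL's tooling. Assumes: openssl CLI; LDAPS reachable on host:port.

# Fetch the chain the LDAP server sends in its TLS handshake and write one PEM file
# per certificate: chain-0.pem is the server (leaf) certificate, chain-1.pem and up
# are whatever intermediates the server chose to send. Prints how many were written.
fetch_ldap_chain() {
    host="$1"; port="${2:-636}"; outdir="${3:-.}"
    openssl s_client -connect "$host:$port" -servername "$host" -showcerts </dev/null 2>/dev/null |
        awk -v d="$outdir" '
            BEGIN { n = 0 }
            /-----BEGIN CERTIFICATE-----/ { f = d "/chain-" n ".pem"; n++ }
            f { print > f }
            /-----END CERTIFICATE-----/   { close(f); f = "" }'
    ls "$outdir"/chain-*.pem 2>/dev/null | wc -l | tr -d ' '
}

# Self-signed means issuer == subject. The page says: import this certificate itself.
is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject)
    iss=$(openssl x509 -in "$1" -noout -issuer)
    [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# Decide what goes into the trust store: the leaf when it is self-signed (after checking
# that its self-signature really verifies), otherwise the CA bundle you obtained out of
# band, but only if that bundle validates the leaf. A "root" the server sent in the
# handshake is never trusted on its own. Prints the path; returns 1 if nothing fits.
# -no-CAfile/-no-CApath keep the system trust store out of the decision.
trust_anchor_for() {
    leaf="$1"; ca_bundle="${2:-}"
    if is_self_signed "$leaf"; then
        openssl verify -no-CAfile -no-CApath -CAfile "$leaf" "$leaf" >/dev/null 2>&1 || return 1
        echo "$leaf"
    elif [ -n "$ca_bundle" ] &&
         openssl verify -no-CAfile -no-CApath -CAfile "$ca_bundle" "$leaf" >/dev/null 2>&1; then
        echo "$ca_bundle"
    else
        return 1
    fi
}

# The certificate must cover the host name you enter in the LDAPServer document: a name
# mismatch is the usual reason a validating TLS client rejects an otherwise good
# certificate. `x509 -checkhost` reports the result in its output, not in its exit code.
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

# End to end: fetch, pick the anchor, check the name. Example invocation (placeholders):
#   preflight ldap.example.com 636 /path/to/corporate-root-ca.pem
preflight() {
    host="$1"; port="${2:-636}"; ca_bundle="${3:-}"
    dir=$(mktemp -d)
    count=$(fetch_ldap_chain "$host" "$port" "$dir")
    [ "$count" -gt 0 ] || { echo "no certificate received from $host:$port"; return 1; }
    anchor=$(trust_anchor_for "$dir/chain-0.pem" "$ca_bundle") ||
        { echo "leaf is CA-issued and '$ca_bundle' does not validate it (or was not given)"; return 1; }
    cert_matches_host "$dir/chain-0.pem" "$host" ||
        { echo "certificate does not cover $host; fix the certificate or the LDAPServer host name"; return 1; }
    echo "import this file into the trust store named by ST_TLS_TRUST_STORE_FILE: $anchor"
}
```

If preflight fails for the CA-issued case, the bundle you were given is missing the root or an intermediate; fix that before setting SSL Enabled to true, because once the flag is on all five Community Server connections depend on the chain validating.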

Update the stconfig.nsf to use the secure LDAP settings

See the topic Configuring the LDAPServer Document, and make the following changes:
  • Set the Connection settings to the secure LDAP port (typically 636).
  • Set the field SSL Enabled to true.

Update the userinfoconfig.xml to use the secure LDAP settings

By default, the business cards LDAP connection is not encrypted. To secure it, see the topic Configuring Business cards using an LDAP Directory and complete the optional step "Enabling Encryption".

Encrypt only password related operations

To encrypt only the operations that involve passwords and leave the rest of the LDAP traffic unencrypted (sent in the clear), which is the "Encrypt only user passwords" option described above, follow these steps:
  1. Log on to the Sametime Community Server.
  2. Open the sametime.ini file (located in the Domino program directory) in a text editor.
  3. In the [Directory] section, add the following line:

    ST_DB_LDAP_SSL_ONLY_FOR_PASSWORDS=1

  4. Save and close the sametime.ini file.
  5. Restart the Sametime Community Server for the change to take effect.
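The Python script below is an added example that automates steps 2 to 4 of this procedure safely; it is not part of this topic and not HCL's code. It edits sametime.ini line by line so that comments, ordering and every other setting survive, places the setting only inside [Directory] (a key of the same name in another section is ignored), rewrites an existing ST_DB_LDAP_SSL_ONLY_FOR_PASSWORDS=0 in place instead of adding a duplicate, creates the section if it is missing, and is a no-op when the value is already 1. The sample sametime.ini fragment is constructed for the example, and the trust store path in it is an assumed value.

```python
"""Idempotently add ST_DB_LDAP_SSL_ONLY_FOR_PASSWORDS=1 to [Directory] in sametime.ini.

Added example, not HCL's code. The file is edited line by line so that comments,
ordering and every other setting are preserved (configparser would rewrite the
whole file and drop comments). Key and section names are compared case-insensitively.
"""
import re
import shutil
from pathlib import Path

SECTION = "Directory"
KEY = "ST_DB_LDAP_SSL_ONLY_FOR_PASSWORDS"
VALUE = "1"

_SECTION_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
# Lines starting with ';' or '#' never match, so commented-out settings are ignored.
_KEY_RE = re.compile(r"^\s*(?P<key>[^=;#\s]+)\s*=\s*(?P<value>.*?)\s*$")

# Constructed sample of a sametime.ini fragment (not from a real deployment); the
# trust store path is an assumed value.
SAMPLE_INI = """\
[Config]
; constructed sample, not a real deployment

[Directory]
ST_DB_LDAP_SSL_ONLY_FOR_PASSWORDS=0
ST_TLS_TRUST_STORE_FILE=/opt/hcl/sametime/truststore.p12

[Debug]
"""


def set_ini_value(text: str, key: str = KEY, value: str = VALUE,
                  section: str = SECTION) -> tuple[str, bool]:
    """Return (new_text, changed) with key=value set inside [section] only.

    - key already in [section] with the wanted value: no change
    - key present with another value (for example =0): that line is rewritten in place
    - [section] present without the key: the line is appended to the end of the section
    - [section] absent: the section and the line are appended to the file
    A key with the same name in another section is left alone.
    """
    lines = text.splitlines()
    start = end = None
    for i, line in enumerate(lines):
        m = _SECTION_RE.match(line)
        if m is None:
            continue
        if start is not None:            # first header after the target closes it
            end = i
            break
        if m.group("name").strip().lower() == section.lower():
            start = i
    setting = f"{key}={value}"
    if start is None:
        if lines and lines[-1].strip():  # keep one blank line between sections
            lines.append("")
        lines += [f"[{section}]", setting]
        return "\n".join(lines) + "\n", True
    if end is None:
        end = len(lines)
    for i in range(start + 1, end):
        m = _KEY_RE.match(lines[i])
        if m and m.group("key").lower() == key.lower():
            if m.group("value") == value:
                return text, False
            lines[i] = setting
            return "\n".join(lines) + "\n", True
    insert_at = end                      # skip trailing blank lines of the section
    while insert_at > start + 1 and not lines[insert_at - 1].strip():
        insert_at -= 1
    lines.insert(insert_at, setting)
    return "\n".join(lines) + "\n", True


def apply_to_file(path: Path, key: str = KEY, value: str = VALUE) -> bool:
    """Edit sametime.ini on disk, keeping a .bak copy of the original; True if changed.

    latin-1 round-trips any byte, so stray non-ASCII bytes in the file are not corrupted.
    Restart the Sametime Community Server afterwards for the change to take effect.
    """
    original = path.read_text(encoding="latin-1")
    new_text, changed = set_ini_value(original, key, value)
    if changed:
        shutil.copy2(path, path.with_name(path.name + ".bak"))
        path.write_text(new_text, encoding="latin-1")
    return changed


if __name__ == "__main__":
    updated, was_changed = set_ini_value(SAMPLE_INI)
    print(f"changed={was_changed}")
    print(updated, end="")
```

Run apply_to_file(Path("/path/to/sametime.ini")) on the server, check the returned flag, and restart the Community Server; if it returns False the setting was already in place and no restart is needed.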