Planning for an LDAP directory

IBM® Sametime® requires an LDAP directory for user authentication. The LDAP server should be set up and running before deploying Sametime.

System requirements

Sametime works with V3-compliant LDAP servers. See the LDAP Servers section of the IBM Sametime System Requirements for a list of LDAP server products that are supported in this release.

If you use an IBM Domino® Directory, you must convert it to LDAP format for use with Sametime. For information, see Replacing the Domino Directory with an LDAP directory in the Sametime wiki.

Performance

To avoid resource conflicts that may degrade performance and result in LDAP lookup failures, do not host the directory on the same computer as the Sametime Community Server.

LDAP performance is critical to a successful deployment. Sametime places a heavy load on LDAP. Consider the performance requirements of all Sametime LDAP traffic:
  • Client lookups
  • Authentication
  • Contact list management
  • Invitations to meetings
  • Business card features
  • Mobile clients
  • Policy assignment
Part of your deployment plan may include adding more cluster members to the LDAP cluster.

To minimize the burden on LDAP, use minimal search filters wherever possible. Offering several login choices, such as name, email address, employee ID, and so on, produces a longer search filter (one clause per alternative) and a greater load on LDAP.
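The following is an added example, not code from the Sametime documentation. It builds the search filter a login would need for a chosen set of person attributes, so you can see how each extra login choice adds a clause, and it escapes the user-supplied value per RFC 4515 so that a login string cannot change the structure of the filter. The attribute names (uid, mail, cn, employeeNumber) and the object class are illustrative assumptions, not Sametime configuration values.

```python
import re

# Added example, not code from the Sametime documentation. The attribute
# names and object class used below are illustrative assumptions.

# RFC 4515 section 3: these characters must be escaped inside a filter value
# so that user input cannot alter the structure of the filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a user-supplied value for use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def login_filter(login, attrs, object_class=None):
    """Return the filter that matches `login` against every attribute in `attrs`.

    One attribute gives a single equality clause; several give an OR of one
    clause per alternative, which is the longer filter the text warns about.
    """
    if not attrs:
        raise ValueError("at least one login attribute is required")
    value = escape_filter_value(login)
    clauses = [f"({attr}={value})" for attr in attrs]
    match = clauses[0] if len(clauses) == 1 else "(|" + "".join(clauses) + ")"
    if object_class:
        match = f"(&(objectClass={escape_filter_value(object_class)}){match})"
    return match


def clause_count(filter_text):
    """Count equality clauses in a filter: a rough measure of server-side work."""
    return len(re.findall(r"\([^()|&!]+=[^()]*\)", filter_text))


if __name__ == "__main__":
    # Minimal filter: one login attribute, one clause.
    print(login_filter("jdoe", ["uid"], object_class="inetOrgPerson"))
    # Four login choices: four clauses OR-ed together.
    print(login_filter("jdoe", ["uid", "mail", "cn", "employeeNumber"]))
    # A hostile login value is neutralized by escaping rather than becoming
    # a second clause.
    print(login_filter("*)(uid=*", ["uid"]))
```

The escaping step matters wherever the login value is interpolated into a filter: without it, a value such as `*)(uid=*` turns a one-clause lookup into a wildcard match.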

When planning for LDAP, don't forget Single Sign-On (SSO). Talk to your company's application teams about SSO and propose a standard way for people to log in, so that logins stay simple and minimal. All applications should query LDAP in the same way: if applications use different search filters, the result is both search problems and authentication problems.

Mail attribute

Sametime requires the LDAP mail attribute in each person record.

The mail attribute provides performance advantages since translation between attributes is not required; it also provides consistency and integrity by using a common and well-understood attribute.

This attribute is not required for anonymous (guest) users. The attribute must be a unique string, which preferably follows the syntax and length restrictions of email addresses. In addition, the mail attribute must be populated for every user to support audio and video communications.

The mail attribute is not used for email purposes, and does not have to be assigned as a user name for logging into Sametime. Instead, it serves as a common attribute between the various Sametime subsystems, such as Calendar Integration, Business Cards, LDAP, and REST APIs. This attribute is also used when generating a URL for a user's persistent meeting room (for example, http://meetings.company.com/stmeetings/room/user@company.com/users-room.)

Multiple directory support

Multiple directories are supported with the following restrictions:
  • Groups may only contain members present in the same directory server and base DN specified in the LDAP Server document. Sametime does not support mixed groups at this time.
  • Multiple replicas of the same directory in the stconfig.nsf database are not supported. For effective load balancing, you should route LDAP traffic through a load balancer.
  • If the browse feature is enabled on the server, certain limits, such as LDAP time-outs or the maximum number of search results returned, may need to be disabled.
  • If you use multiple LDAP repositories, you must ensure that the base entries do not overlap, as that causes problems when Secure Socket Layer (SSL) is enabled. Two base entries overlap when one lies in the subtree of the other. For example, the second of the following base entries sits beneath the first, so they overlap:

    o=renovations
    o=sales,o=renovations

    These base entries are in separate subtrees and are acceptable:

    o=renovations,c=us
    o=sales
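The following is an added example, not code from the Sametime documentation. It checks a list of configured base entries for the overlap described above, treating two base DNs as overlapping when one is equal to, or an ancestor of, the other. DNs are split on unescaped commas, so a value containing an escaped comma is kept intact, and attribute types and values are lowercased before comparison (a conservative choice: it flags more, never less). Multi-valued RDNs (`cn=a+sn=b`) are not special-cased. The base entries in the sample run are the two pairs from the text.

```python
# Added example, not code from the Sametime documentation: detects
# overlapping LDAP base entries, i.e. one base DN lying in another's subtree.


def split_dn(dn):
    """Split a DN into normalized RDN strings, most specific first.

    Splits only on unescaped commas, so "o=Acme\\, Inc." stays one RDN.
    Types and values are lowercased so comparison is case-insensitive.
    """
    rdns, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])  # keep the escape pair as-is
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current))
    normalized = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        normalized.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return normalized


def overlaps(base_a, base_b):
    """True if one base entry equals or is an ancestor of the other."""
    ra, rb = split_dn(base_a), split_dn(base_b)
    shorter, longer = (ra, rb) if len(ra) <= len(rb) else (rb, ra)
    # An ancestor's RDNs are the trailing RDNs of the descendant.
    return longer[len(longer) - len(shorter):] == shorter


def find_overlaps(bases):
    """Return every overlapping pair among the configured base entries."""
    return [(x, y) for i, x in enumerate(bases) for y in bases[i + 1:] if overlaps(x, y)]


if __name__ == "__main__":
    # The pair the text says overlaps, and the pair it says is acceptable.
    print(find_overlaps(["o=renovations", "o=sales,o=renovations"]))
    print(find_overlaps(["o=renovations,c=us", "o=sales"]))
```

Run this over the base entries of every LDAP Server document before enabling SSL; an empty result means no base entry is inside another's subtree.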

An LDAP server connection is a prerequisite for all Sametime server installations.

Contact lists

Sametime might experience difficulties when users include large public groups in their contact lists. To avoid problems, limit the size of public groups used with Sametime to 1000 users.

Upgrade considerations

If you used a Domino Directory in its native format with a release prior to Sametime 8.5, you have two options for setting up your user directory:
  • Convert the existing Domino Directory to LDAP format. The LDAP service and the community server must run on separate Domino servers.
  • Set up a dedicated LDAP directory for use with Sametime.

Policy assignments use the UUID

Policy assignments use the UUID (Universally Unique ID) LDAP attribute by default. After upgrading servers, you must upgrade policies to use the UUID attribute before they can be used.

The LDAP attribute used for the UUID is different for every LDAP server type. For example, Domino Directory (LDAP format) uses a String attribute named Dominounid and Active Directory uses a Binary attribute named objectguid. If the UUID attribute does not exist or is invalid, the DN can be used instead: select the DN option when creating or editing the LDAP Deployment Plan's Advanced Person Settings.

New and existing custom Java™ classes for searching the Community Server's LDAP directory must include the appropriate UUID attribute for the LDAP directory if UUID is used with policy assignments or Sametime user login IDs:
  • Domino Directory (LDAP format only): Dominounid
  • IBM Security Directory Server: ibm-entryuuid
  • Microsoft™ Active Directory: objectguid
  • Novell eDirectory: guid
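The following is an added example, not code from the Sametime documentation or its custom Java search classes. It selects the UUID attribute for a directory type from the list above, turns the returned value into a printable string key, and falls back to the DN when the attribute is missing or invalid, as the text describes. The server-type labels, the dict-shaped entry with a `dn` key, and the treatment of Active Directory's objectGUID as 16 bytes with the first three GUID fields little-endian are this example's own assumptions; other binary values are kept as opaque hex with no byte order assumed.

```python
import uuid

# Added example, not code from the Sametime documentation. Server-type labels,
# the entry layout and the byte-order handling are this example's assumptions.

# UUID attribute per directory type, as listed in the text.
UUID_ATTRIBUTE = {
    "domino": "Dominounid",
    "ibm-sds": "ibm-entryuuid",
    "active-directory": "objectguid",
    "edirectory": "guid",
}


def uuid_attribute(server_type):
    """Return the UUID attribute name for a directory type."""
    try:
        return UUID_ATTRIBUTE[server_type]
    except KeyError:
        raise ValueError(f"unknown directory type: {server_type!r}") from None


def _get_attr(entry, name):
    """LDAP attribute names are case-insensitive; look the value up that way."""
    wanted = name.lower()
    for key, value in entry.items():
        if key.lower() == wanted:
            return value
    return None


def normalize_uuid(server_type, raw):
    """Return the UUID as printable text, or None if the value is unusable."""
    if raw is None:
        return None
    if isinstance(raw, (bytes, bytearray)):
        if len(raw) != 16:
            return None  # not a GUID-sized value; treat as invalid
        if server_type == "active-directory":
            # objectGUID stores the first three GUID fields little-endian.
            return str(uuid.UUID(bytes_le=bytes(raw)))
        return bytes(raw).hex()  # opaque binary value; byte order not assumed
    text = str(raw).strip()
    return text or None


def person_key(server_type, entry):
    """Return ("uuid", value) when the UUID attribute is usable, else ("dn", dn).

    Mirrors the documented fallback to the DN when the UUID attribute does
    not exist or is invalid.
    """
    value = normalize_uuid(server_type, _get_attr(entry, uuid_attribute(server_type)))
    if value is not None:
        return ("uuid", value)
    dn = entry.get("dn")
    if not dn:
        raise ValueError("entry has neither a usable UUID attribute nor a DN")
    return ("dn", dn)


if __name__ == "__main__":
    # Constructed sample entries; the GUID bytes are made up for this example.
    ad_entry = {"dn": "CN=Jane Doe,OU=Users,DC=example,DC=com",
                "objectGUID": bytes.fromhex("78563412bc9af0de123456789abcdef0")}
    domino_entry = {"dn": "CN=Jane Doe,O=Renovations", "dominounid": ""}
    print(person_key("active-directory", ad_entry))
    print(person_key("domino", domino_entry))
```

The point of normalizing is that a policy key must be stable across directory types: a binary objectGUID and a string Dominounid both end up as text, and an entry whose UUID attribute is empty is keyed by its DN rather than silently by an empty string.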

Best Practices

The Community article Best Practices for using LDAP with Sametime on the Sametime wiki contains an overview of LDAP components and describes how the Sametime Community Server works with LDAP to provide authentication, name lookups, and name resolution. The article describes best practices for creating search filters, setting sametime.ini parameters, and enhancing Sametime and LDAP performance.