Sametime LDAPServer document

Question

There are many fields in the Sametime® server LDAPServer document. What do they mean and what should they be set to?

Answer

Sample of the LDAPServer document
Lightweight Directory Access Protocol (LDAP) Server settings:
Connection Settings
Organization Name:
Network Address of LDAP Connection:
Port number for LDAP Connection: 389
Login Name for LDAP Connection:
Password for LDAP Connection:
SSL Enabled: false
SSL Port: 636
Search Order: 1
Search Filters
Search filter for resolving person names: (&(objectclass=organizationalPerson)(|(cn=%s*)(givenname=%s*)(sn=%s*)(mail=%s*)))
Search filter to use when resolving a user name to a distinguished name: (&(objectclass=organizationalPerson)(|(cn=%s)(givenname=%s)(sn=%s)(mail=%s)))
Search filter for resolving group names: (&(objectclass=groupOfNames)(cn=%s*))
Search Base and Scope
Base Objects
Base object when searching for person entries:
Base object when searching for group entries:
Scope
Scope for searching for a person: recursive
Scope for searching for groups: recursive
Schema Settings
People
The attribute of the person entry that defines the internal ID of a Sametime user:
The attribute of the person entry that defines the person's name: cn
Attribute used to distinguish between two similar person names:
Attribute of the person entry that defines the person's e-mail address:
The person object class used to determine if an entry is a person: organizationalPerson
Groups
Attribute used to distinguish between two similar group names:
The attribute of the group entry that defines the group’s name: cn
Attribute in the group object class that has the names of the group members: member
The group object class used to determine if an entry is a group: groupOfNames
Home Server
Name of the Home Server Attribute:
Field-by-field description of the LDAPServer document

Connection Settings

Organization Name:
Leave blank unless advised by IBM Support.

Network Address of LDAP Connection:
Enter the fully qualified host name or IP address of the LDAP server. If the LDAP environment is load-balanced, enter the name of the load-balancing device.

Port number for LDAP Connection:
Default: 389
This is the port on which Sametime attempts to communicate with the LDAP server for non-SSL connections.
The default port for most LDAP environments is 389. However, if the Sametime server is connecting to an Active Directory environment, the Global Catalog should be used on port 3268 on the Primary Domain Controller.

Login Name for LDAP Connection:
(optional) Enter the name that should be used to bind to the LDAP server. In certain LDAP environments, bind credentials may be necessary to retrieve all fields and attributes of a person/group record.
The LDAP credentials provided should be in canonical format, such as:
CN=Administrator,OU=OrgUnit,O=Org

Password for LDAP Connection:
(optional) Bind password for the Login Name specified above.

SSL Enabled:
Default: false
Set to reflect whether SSL should be used for the Sametime community connection.

SSL Port:
Default: 636
LDAP server port on which LDAPS services are listening for inbound connections.
The default port for most LDAPS environments is 636. However, if the Sametime server is connecting to an Active Directory environment, the Global Catalog should be used on port 3269 on the Primary Domain Controller.

Search Order:
Default: 1
Multiple LDAP servers can be used with a single Sametime server provided that the LDAP servers are not replicas of each other.
Make sure that the search order is numbered consecutively; otherwise some Sametime services may not start successfully.

Search Filters

When configuring LDAP search filters, note that the more attributes are specified in the search string, the longer the LDAP search takes to complete. Specify a minimal set of attributes to minimize the search time.
The search filters can also be configured dynamically using LDAP classes. See Technote #1308532, "Using Java to customize Sametime LDAP settings."

Search filter for resolving person names:
Default:
(&(objectclass=organizationalPerson)(|(cn=%s*)(givenname=%s*)(sn=%s*)(mail=%s*)))
This search filter is used to perform a search for a person when a request is made to find a person in the directory or when browsing the Inbox in the Notes client. The search filter is configurable, so if a custom attribute such as uid is used, the search filter would look like:
(&(objectclass=organizationalPerson)(|(cn=%s*)(givenname=%s*)(sn=%s*)(uid=%s*)(mail=%s*)))
The search filter above allows a user to search for another user by Common Name, Given Name, Surname, UID identifier or e-mail address.

Search filter to use when resolving a user name to a distinguished name:
Default:
(&(objectclass=organizationalPerson)(|(cn=%s)(givenname=%s)(sn=%s)(mail=%s)))
This search filter is used to resolve the user name provided at the login prompt to an exact user record for authentication.

Search filter for resolving group names:
Default:
(&(objectclass=groupOfNames)(cn=%s*))
This search filter is used to resolve group names in the LDAP directory.

Search Base and Scope: Base Objects

Base object when searching for person entries:
This entry determines where to start searching for person entries when using the search filters above.
Example:
OU=People,O=IBM

Base object when searching for group entries:
This entry determines where to start searching for group entries when using the search filters above.
Example:
OU=Groups,O=IBM

Search Base and Scope: Scope

Scope for searching for a person:
Default: recursive
Leave this as the default of recursive to search at the base defined above for person entries and below.

Scope for searching for groups:
Default: recursive
Leave this as the default of recursive to search at the base defined above for group entries and below.

Schema Settings: People

The attribute of the person entry that defines the internal ID of a Sametime user:
Leave this field blank. Only fill it in at the request of IBM Support.

The attribute of the person entry that defines the person's name:
Default: cn
The attribute defined here is used to determine the display name in the contact list.

Attribute used to distinguish between two similar person names:
You can leave it blank or supply an attribute that exists for person entries in the directory, such as the description attribute.

Attribute of the person entry that defines the person's e-mail address:
Fill in the name of the attribute which contains the person's e-mail address. This is typically "mail" in most LDAP directories.
This is only used in SIP/RTC configurations. If SIP/RTC is not being used, this field may be left blank.

The person object class used to determine if an entry is a person:
Default: organizationalPerson
Used mostly by the directory black box to determine if an entry is a person or a group.

Schema Settings: Groups

Attribute used to distinguish between two similar group names:
Leave empty or supply the attribute in group entries that describes the group, such as description.

The attribute of the group entry that defines the group's name:
Default: cn
The attribute defined here is used to determine the display name in the contact list.

Attribute in the group object class that has the names of the group members:
Default: member
Used to determine the member names which are part of a group.

The group object class used to determine if an entry is a group:
Default: groupOfNames
Used mostly by the directory black box to determine if an entry is a person or a group.

Schema Settings: Home Server

Name of the Home Server Attribute:
For distributed installations, where multiple Sametime servers are connected as one community, it is recommended that all users have a fixed home server or home cluster. Authenticating users are redirected to this server, or to a server in this cluster, even if they change the server name in the client application connectivity preferences. This helps the administrator in load-balancing the servers, and ensures server-side storage consistency of buddy-list and privacy settings.
The only LDAP server with a built-in attribute for the home server is Domino, using SametimeServer as the attribute name. Other LDAP servers require extending the schema by adding a new object class for Sametime users, and adding a new attribute to this object class for the home server.
Populate this field with the name of the attribute which is defined in the LDAP schema for the home Sametime server name.
Example: SametimeServer
The LDAP entry should contain the name of the Sametime server in canonical format (e.g. CN=Server,O=ORG) or the Sametime cluster name (e.g. STCluster).
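The three default search filters above take the name typed by the user wherever %s appears. The following added example (not code from the technote or from Sametime itself) expands the templates the way the Search Filters section describes and shows the two checks a practitioner would want around that expansion: RFC 4515 escaping of the substituted value, so a name containing filter metacharacters is matched literally instead of changing the filter's structure, and a count of attribute assertions per filter, the quantity the technote says drives search time. It assumes that the placeholder expansion is a plain text substitution; the escaping step is the defensive addition.

```python
# Added example, not part of the IBM technote or of Sametime. The three
# templates are the default filters quoted in the LDAPServer document.
PERSON_NAME_FILTER = (
    "(&(objectclass=organizationalPerson)"
    "(|(cn=%s*)(givenname=%s*)(sn=%s*)(mail=%s*)))"
)
LOGIN_TO_DN_FILTER = (
    "(&(objectclass=organizationalPerson)"
    "(|(cn=%s)(givenname=%s)(sn=%s)(mail=%s)))"
)
GROUP_NAME_FILTER = "(&(objectclass=groupOfNames)(cn=%s*))"

# RFC 4515 escaping for a value placed inside a filter assertion. Without it
# a value such as "a)(cn=*" would be parsed as extra filter components rather
# than compared literally against the attribute.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape the characters RFC 4515 reserves inside an assertion value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def expand_filter(template: str, value: str) -> str:
    """Replace every %s in a Sametime filter template with the escaped value.

    Assumption: Sametime's own expansion is a plain replacement of %s; the
    escaping here is the defensive step this example adds. Note that the
    person-name and group-name templates keep their trailing * (prefix
    match) while the login-to-DN template matches the value exactly.
    """
    return template.replace("%s", escape_filter_value(value))


def attribute_count(template: str) -> int:
    """Number of attribute assertions the directory must evaluate per search.

    The technote advises keeping this minimal because search time grows with
    the number of attributes in the filter.
    """
    return template.count("=%s")


if __name__ == "__main__":
    for label, tmpl in (("person", PERSON_NAME_FILTER),
                        ("login", LOGIN_TO_DN_FILTER),
                        ("group", GROUP_NAME_FILTER)):
        print(label, attribute_count(tmpl), expand_filter(tmpl, "jdoe"))
    print(expand_filter(GROUP_NAME_FILTER, "a)(cn=*"))
```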
Product categories: Software; Organizational Productivity, Portals & Collaboration; Real-time & Team Collaboration; Lotus Sametime; Directory Services/LDAP
Operating system(s): AIX, Solaris, Windows
Software version: 7.0, 7.5, 7.5.1, 8.0, 8.0.1, 8.0.2
Software edition: All Editions
Reference #: 1240710
IBM Group: Software Group
Modified date: 2008-10-20