Tips & tricks for installing and running IBM products

Configure Sametime System Console : LDAP configuration

Tom Bosmans  10 January 2014 12:14:32

Setup

Configuration

Make sure the deployment manager (Dmgr), the node agent and the STConsoleServer are started:


/opt/IBM/WAS/AppServer/profiles/Dmgr/bin/startManager.sh
/opt/IBM/WAS/AppServer/profiles/STSSC/bin/startNode.sh
/opt/IBM/WAS/AppServer/profiles/STSSC/bin/startServer.sh STConsoleServer

Log in to the deployment manager at http://:8700/ibm/console . You must use the wasadmin user from the local file repository that was created by the silent installation; in this case it is dmgrwasadmin. Give this user a unique name: its cn must be unique and must not exist in any of the LDAP repositories you will connect later on, because once the file repository and the LDAP are federated into one realm a duplicate cn makes that login ambiguous. So don't name it wasadmin, because that username is likely to exist in LDAP already.

Heapsize

Increase the maximum heap size of the deployment manager JVM to 1024 MB.

See http://www-10.lotus.com/ldd/stwiki.nsf/xpDocViewer.xsp?lookupName=Administering+Sametime+9.0+documentation#action=openDocument&res_title=Increasing_the_heap_size_on_the_Sametime_System_Console_st9&content=pdcontent

LDAP guided activity

Configure LDAP security.

There is obviously a requirement here: you need an LDAP server. I use IBM Directory Server in this case.

See Install Tivoli Directory server.

This LDAP server needs to be used by all components you are going to integrate, except for Domino (mail). So Portal, Connections, Sametime, Quickr and WebSEAL should all use the same LDAP server, or at least the same LDAP structure (meaning that the DNs (distinguished names) of your users are the same everywhere).

Start the LDAP Guided Activity to create an LDAP deployment :

In the ISC

Sametime System Console > Sametime Prerequisites > Connect to LDAP servers.

Click "Add"

- Deployment name : anything you want. I used "LDAP".
- Port : 389
- Bind DN : the full DN of the account the SSC will use to bind to LDAP. In my case that is "cn=root", the directory administrator account of IDS/TDS, which is not recommended: use a dedicated account with read-only access to the user and group subtrees instead, so a compromised console password does not hand out write access to the whole directory.
- Password : the password of that bind account.

Click "Next"

- Select the correct base dn, or enter it yourself.  In my case : o=issc

- Mark "Advanced LDAP Properties"

Click "Next"

- accept the defaults for the user attributes

- (Optional) I did change the membership attribute to ibm-allGroups: this is specific to IDS/TDS and is a performance optimization.

Click "Next"

- accept the default for the group attributes

Click "Next"

Host name: ldap.tb.issc.ibm.com
Port: 389
Is anonymous? No
Bind name: cn=root
Is secure LDAP connection? No
LDAP base entry: o=issc
LDAP Type: Tivoli Directory
User object class: inetOrgPerson
LDAP user search base: o=issc
Policy ID for users and groups: ibm-entryuuid
Display name: cn
Email address: mail
Similar name distinguisher: uid
Membership attribute:  ibm-allGroups
Home Sametime server:
Authentication attributes: mail;cn;uid
Search attributes: mail;cn;uid
Group object class: groupOfNames
LDAP group search base: o=issc
Display name: cn
Similar name distinguisher: cn
Member attribute: member

Verify the settings here (my settings are shown for reference) and click Finish. Note that with "Is secure LDAP connection? No" and port 389 the bind password crosses the network in clear text; outside a lab, enable secure LDAP (port 636) and add the LDAP server's signer certificate to the WebSphere trust store.
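Before clicking Finish it is worth checking the directory against the settings above, because the guided activity only verifies that the bind works, not that every user actually carries the authentication attributes (mail;cn;uid), that the distinguishers are unique, or that the file-repository admin name does not clash with an LDAP entry. The script below is an added example, not part of the original post or of the Sametime product: it runs the checks from this page against an LDIF dump of the o=issc subtree. The LDIF embedded in it is constructed sample data (the user entries are invented; the base DN, bind DN, object classes and attribute names are the ones from the settings list above), so it runs offline; against a real server you would feed it the output of `ldapsearch -x -H ldap://ldap.tb.issc.ibm.com -D cn=root -W -b o=issc -LLL '(objectClass=*)'`.

```python
"""Pre-flight check of the SSC LDAP settings against an LDIF dump.

Added example, not code from the original post. Settings mirror the
guided-activity summary on the page; the LDIF below is constructed sample
data with invented users.
"""
import re
from collections import defaultdict

# Settings as entered in the guided activity (from the post).
SSC_SETTINGS = {
    "bind_dn": "cn=root",
    "base_dn": "o=issc",
    "user_object_class": "inetOrgPerson",
    "group_object_class": "groupOfNames",
    "auth_attributes": ["mail", "cn", "uid"],   # Authentication attributes
    "user_distinguisher": "uid",                 # Similar name distinguisher (users)
    "group_distinguisher": "cn",                 # Similar name distinguisher (groups)
    "member_attribute": "member",
    "file_repo_admin": "dmgrwasadmin",           # cn of the file-repository admin
}

# Constructed sample directory (not a real dump): three users, one group.
SAMPLE_LDIF = """\
dn: o=issc
objectClass: organization
o: issc

dn: uid=wasadmin,o=issc
objectClass: inetOrgPerson
cn: wasadmin
sn: Admin
uid: wasadmin
mail: wasadmin@tb.issc.ibm.com

dn: uid=asmith,o=issc
objectClass: inetOrgPerson
cn: Alice Smith
sn: Smith
uid: asmith
mail: asmith@tb.issc.ibm.com

dn: uid=jdoe,o=issc
objectClass: inetOrgPerson
cn: John Doe
sn: Doe
uid: jdoe

dn: cn=SametimeUsers,o=issc
objectClass: groupOfNames
cn: SametimeUsers
member: uid=asmith,o=issc
member: uid=nobody,o=issc
"""


def parse_ldif(text):
    """Parse simple LDIF (no line folding, no base64 values) into {dn: {attr: [values]}}."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = defaultdict(list)
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            attrs[name.strip().lower()].append(value.strip())
        dn = attrs.pop("dn")[0]
        entries[dn] = dict(attrs)
    return entries


def entries_of_class(entries, object_class):
    """Select the entries whose objectClass contains the given class (case-insensitive)."""
    oc = object_class.lower()
    return {dn: a for dn, a in entries.items()
            if oc in (v.lower() for v in a.get("objectclass", []))}


def check_directory(entries, s):
    """Return a list of findings; an empty list means the settings look consistent."""
    findings = []
    base, bind = s["base_dn"].lower(), s["bind_dn"].lower()
    # 1. The bind account should be an ordinary entry under the base DN, not the
    #    directory administrator (cn=root is the IDS/TDS default admin DN).
    if bind == "cn=root" or not bind.endswith("," + base):
        findings.append("bind DN %s is outside %s (directory administrator?); "
                        "use a dedicated read-only bind account" % (s["bind_dn"], s["base_dn"]))
    users = entries_of_class(entries, s["user_object_class"])
    groups = entries_of_class(entries, s["group_object_class"])
    # 2. The file-repository admin cn must not exist in LDAP: after federation
    #    both repositories share one realm and a duplicate cn is ambiguous.
    admin = s["file_repo_admin"].lower()
    for dn, a in sorted(users.items()):
        if admin in (v.lower() for v in a.get("cn", [])):
            findings.append("file repository admin '%s' collides with LDAP entry %s"
                            % (s["file_repo_admin"], dn))
    # 3. Every user needs every authentication attribute populated, otherwise
    #    logging in with that attribute cannot resolve the user.
    for dn, a in sorted(users.items()):
        for attr in s["auth_attributes"]:
            if not a.get(attr.lower()):
                findings.append("user %s lacks authentication attribute %s" % (dn, attr))
    # 4. The similar-name distinguisher must be unique within users and within groups.
    for label, pool, attr in (("user", users, s["user_distinguisher"]),
                              ("group", groups, s["group_distinguisher"])):
        seen = defaultdict(list)
        for dn, a in pool.items():
            for v in a.get(attr.lower(), []):
                seen[v.lower()].append(dn)
        for v, dns in sorted(seen.items()):
            if len(dns) > 1:
                findings.append("%s distinguisher %s=%s is not unique: %s"
                                % (label, attr, v, ", ".join(sorted(dns))))
    # 5. Group member DNs must resolve; dangling members silently drop memberships.
    known = {dn.lower() for dn in entries}
    for dn, a in sorted(groups.items()):
        for m in a.get(s["member_attribute"].lower(), []):
            if m.lower() not in known:
                findings.append("group %s references unknown member %s" % (dn, m))
    return findings


if __name__ == "__main__":
    # Replace SAMPLE_LDIF with open("issc.ldif").read() for a real dump.
    for finding in check_directory(parse_ldif(SAMPLE_LDIF), SSC_SETTINGS):
        print("FINDING:", finding)
```

On the sample data the script reports three findings: the cn=root bind DN, the user uid=jdoe without a mail attribute, and the dangling member uid=nobody in the SametimeUsers group. Changing `file_repo_admin` to "wasadmin" adds a fourth finding, the collision the post warns about.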

Restart the complete environment (deployment manager, node agent and the STConsoleServer).

Security tweaks

Realm

Log back in to the ISC and go to Security > Global security.

Configure the federated repositories.

The realm name defaults to "defaultWIMFileBasedRealm". I recommend you change this.

Furthermore, this realm name needs to be identical on all systems you want to connect for single sign-on: Connections, Portal and the Domino systems, in addition to sharing the same LTPA key and being in the same DNS domain (the LTPA token is carried in a cookie scoped to that domain, so a realm or domain mismatch means the token is rejected or never sent).

So change the name of the realm, and save the setup.

Restart your complete environment.

LTPA

