developerWorks
Lotus Instant Messaging and LDAP directory interactions

Level: Intermediate

Raj Balasubramanian (Raj_Balasubramanian@us.ibm.com)
Consulting IT Architect, IBM
17 February 2004

If you're a large Lotus Instant Messaging site, there's a good chance you also use LDAP for your directory services. Learn how Lotus Instant Messaging interacts with LDAP, and how you can help ensure they work together smoothly.

Lotus Instant Messaging and Web Conferencing (Sametime) is an industry leader for providing real-time collaboration services to large corporations. These services include chat, presence awareness, and Web conferencing. Many Lotus Instant Messaging customers are also considering establishing a corporate LDAP directory as their single source for user data and user authentication. Therefore, it is imperative for these sites to understand how Lotus Instant Messaging interacts with an LDAP directory for user/group lookups and user authentication.

This article investigates how Lotus Instant Messaging services interact with an LDAP directory. We cover the basics of how these interactions occur at the application level and how they map to configurations set on the Lotus Instant Messaging server. Our goal is to help you understand these interactions, enabling you to configure Lotus Instant Messaging services to work with a custom LDAP directory schema as well as assist you in troubleshooting login, awareness, and lookup issues. We assume that you're an experienced Lotus Instant Messaging administrator and are familiar with LDAP.

Our example setup
The following diagram illustrates the setup for our example Lotus Instant Messaging and LDAP environment:

Figure 1. Example Lotus Instant Messaging/LDAP setup

In the preceding illustration, our configuration includes:

  • OpenLDAP version 2.1.21 running on Linux (Red Hat 7.2)
  • Lotus Instant Messaging (Sametime) 3.0 SP1
  • Domino 5.0.10 running on Windows 2000 SP4

In our example, the Lotus Instant Messaging server is configured to use the OpenLDAP Directory as the user repository.

LDAP schema
Our example LDAP schema includes the following:

  • Base DN (Distinguished Name) for user and group search follows this format: dc=rajtest,dc=com.
  • Object Class for all valid users is testPerson.
  • Object Class for all valid groups is groupOfNames.

A sample entry and its accompanying attributes for a user from our OpenLDAP Directory are as follows:

dn=abcid=w007009,ou=users,dc=rajtest,dc=com
objectClass=testPerson
cn=Raj Bala
sn=Bala
managerName=Albert Einstein
abcid=w007009
uid=rajbala 
userPassword=ldaprules

In our test setup, the LDAP user password is stored in clear text. In real-world practice, this would almost always be encrypted.

The following is a sample entry for a group user from the OpenLDAP Directory:

dn=cn=group2,dc=rajtest,dc=com
objectClass=groupOfNames
cn=group2
member=abcid=w007009,ou=users,dc=rajtest,dc=com
member=abcid=w007007,ou=users,dc=rajtest,dc=com

LDAP calls during a typical Domino authentication
When a Domino user logs into an LDAP directory, the following steps usually occur:

  1. The user logs into Domino by entering the appropriate user name and password.
  2. Domino issues a BindRequest call to LDAP. BindRequest is used to authenticate users to LDAP. (This operation is called "binding" in LDAP terminology.) In this case, the initial BindRequest sent by Domino does not include user ID and password information (because the Directory Assistance database is configured with no user ID/password for this LDAP server). The LDAP server (which has been set to allow anonymous access) binds the user anonymously by issuing a successful BindResult to Domino.
  3. Domino searches the LDAP directory for the user, using the supplied user ID. To do this, Domino issues a SearchRequest string to LDAP. In Domino 5, this string is preset; in Domino 6, it is customizable via the Directory Assistance database. For instance, the SearchRequest string includes the argument BaseDN, which is obtained from the "Base DN for search" field in the LDAP tab of the Directory Assistance document. The SearchRequest also includes the search filter and the attributes to return; these are contained in a non-customizable string supplied by Domino.
  4. If the search is successful, LDAP issues a BindResult informing Domino that the user has been found. The returned values are the user's Distinguished Name (DN in LDAP parlance) and any other attributes requested by Domino.
  5. When this operation is complete, Domino issues an UnBindRequest to disconnect from LDAP.
  6. Domino then uses the user DN obtained in Step 4 and the password supplied by the user in Step 1 and binds to LDAP as the user. To do this, Domino issues a BindRequest to send the DN and password information to LDAP.
  7. LDAP validates the DN and password, then issues a BindResult to return a success result code to Domino.
  8. Domino issues an UnBindRequest to disconnect from LDAP.

The following chart shows this process graphically:

Figure 2: LDAP authentication in Domino

In the preceding example, if we compute the user name value using the @UserName formula, the value would be abcid=w007007/ou=users/dc=rajtest/dc=com. This string needs to be set in the ACL to provide access to any Domino resources for this user.

LDAP calls during a typical Lotus Instant Messaging connect authentication
When a Lotus Instant Messaging user logs into an LDAP environment, the sequence of LDAP-related calls is similar to the one made when a Domino user logs in:

  1. The user logs into Lotus Instant Messaging.
  2. Lotus Instant Messaging issues a BindRequest call to LDAP. In our example, because we have allowed anonymous binds to the LDAP directory and configured the same in stconfig.nsf, this BindRequest does not include user ID and password information; LDAP binds anonymously.
  3. Lotus Instant Messaging searches the LDAP directory for the user, using the supplied user ID. To do this, it issues a SearchRequest string to LDAP. The SearchRequest includes the argument BaseDN, which is obtained from the Base Objects setting in stconfig.nsf. The SearchRequest also includes the search filter, obtained from the Search Filter setting in stconfig.nsf. Other search attributes are derived from the Schema Settings property in the same database.
  4. If the search is successful, LDAP issues a BindResult informing Lotus Instant Messaging that the user has been found. The returned values are the user's DN and any other requested attributes.
  5. When this operation is complete, Lotus Instant Messaging issues an UnBindRequest to disconnect from LDAP.
  6. Lotus Instant Messaging then uses the user DN obtained in Step 4 and the password supplied by the user in Step 1 and binds to LDAP as the user.
  7. LDAP validates the DN and password, then issues a BindResult to return a success result code.
  8. Lotus Instant Messaging issues an UnBindRequest to disconnect from LDAP.

As a result of the preceding authentication, Lotus Instant Messaging knows the authenticated user as abcid=w007007,ou=users,dc=rajtest,dc=com. This string is used to create and manage Buddy lists for the user in vpuserinfo.nsf. To allow the user to log into Lotus Instant Messaging using the uid attribute (similar to the Domino instance shown previously), modify the Search Filter field in stconfig.nsf to include uid in addition to abcid:

Figure 3. Search Filters information in stconfig.nsf

LDAP calls for adding a contact in Lotus Instant Messaging
The sequence of LDAP calls made when a user adds a person to a Buddy list is similar to the LDAP calls made when a user logs into Lotus Instant Messaging. For example, let's assume the user has already logged into Lotus Instant Messaging. The user tries to add another user using the person's first name (for instance, James). The Lotus Instant Messaging client responds with a message stating that user James is not found. The user then tries the person's last name (for example, Bond). The user is found and added to the list successfully. Internally, this process works as follows:

  1. Lotus Instant Messaging issues a BindRequest call to LDAP. As with the procedures for logging a user into Domino and Lotus Instant Messaging, LDAP binds anonymously.
  2. Lotus Instant Messaging searches the LDAP directory for user James, issuing a SearchRequest string to LDAP. The SearchRequest includes arguments for BaseDN and the search filter contained in stconfig.nsf.
  3. If the search is unsuccessful, LDAP issues a BindResult with a null result. The user can then search on another variation of the user's name, repeating the preceding step. If this is successful, LDAP issues another SearchResult, returning the user's DN and any other requested attributes.
  4. When this operation is complete, Lotus Instant Messaging issues an UnBindRequest to disconnect from LDAP.

To search for a user's first name, you must modify the Search Filter setting in stconfig.nsf to include the first name attribute (in this instance, givenname).
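The two login sequences above (Domino's and Lotus Instant Messaging's) and the Buddy-list lookup all follow the same shape: an anonymous bind, a SearchRequest built from the Base DN and a search filter, an unbind, and (for login) a second bind using the DN the search returned. The following Python script is an added example that models that exchange against an in-memory directory; it is not Sametime, Domino or OpenLDAP code. It assumes the directory content shown (the article's sample user plus two constructed entries, Mike Rodney and James Bond), that the stconfig.nsf Search Filter uses %s as the placeholder for the typed string, and that passwords are stored in clear text as in the article's lab setup. In LDAP protocol terms the reply to a SearchRequest is a SearchResult, which is what the model's search() returns.

```python
"""Toy model of the search-then-bind login (Domino and Sametime connect) and the
Buddy-list lookup from the article. Added example, not Sametime or Domino code.
Assumptions: entries are constructed from the article's sample user (Mike Rodney
and James Bond are invented), %s is the placeholder in the stconfig.nsf Search
Filter, and passwords are clear text as in the article's lab setup.
"""
import re

BASE_DN = "dc=rajtest,dc=com"

def person(abcid, cn, uid, password):
    # One testPerson entry shaped like the article's sample entry (constructed data).
    first, last = cn.split()
    return ("abcid=%s,ou=users,%s" % (abcid, BASE_DN),
            {"objectclass": ["testPerson"], "cn": [cn], "givenname": [first],
             "sn": [last], "abcid": [abcid], "uid": [uid], "userpassword": [password]})

ENTRIES = dict([person("w007009", "Raj Bala", "rajbala", "ldaprules"),
                person("w007007", "Mike Rodney", "mrodney", "constructed-pw-1"),
                person("w007010", "James Bond", "jbond", "constructed-pw-2")])

def escape(value):
    """RFC 4515 escaping, so a typed value can never open or close a filter clause."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def unescape(value):
    """Undo escape(): \\XX hex pairs back to characters."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def parse_filter(text, pos=0):
    """Parse the filter subset used here, (&...), (|...) and (attr=value); return (node, end)."""
    if text[pos] != "(":
        raise ValueError("expected '(' at %d in %r" % (pos, text))
    pos += 1
    if text[pos] in "&|":
        op, kids, pos = text[pos], [], pos + 1
        while text[pos] != ")":
            kid, pos = parse_filter(text, pos)
            kids.append(kid)
        return (op, kids), pos + 1
    end = text.index(")", pos)        # escaped parens are \28 and \29, so this is the clause end
    attr, _, value = text[pos:end].partition("=")
    return ("=", (attr.strip().lower(), unescape(value))), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry (caseIgnoreMatch, as for cn, sn, uid)."""
    op, arg = node
    if op in "&|":
        return (all if op == "&" else any)(matches(k, entry) for k in arg)
    attr, value = arg
    return any(v.lower() == value.lower() for v in entry.get(attr, []))

class ToyLdapServer:
    """Answers BindRequest, SearchRequest and UnbindRequest like the article's OpenLDAP."""
    def __init__(self, entries, allow_anonymous=True):
        self.entries, self.allow_anonymous = entries, allow_anonymous

    def bind(self, dn="", password=""):
        if not dn:                    # no DN and no password: anonymous bind
            return "success" if self.allow_anonymous else "inappropriateAuthentication"
        entry = self.entries.get(dn)
        if entry and password and password in entry.get("userpassword", []):
            return "success"
        return "invalidCredentials"

    def search(self, base_dn, filter_text):
        node, _ = parse_filter(filter_text)
        return [dn for dn, e in self.entries.items()
                if dn.lower().endswith(base_dn.lower()) and matches(node, e)]

    def unbind(self):
        pass                          # connection torn down; nothing to record in this model

LOGIN_FILTER = "(&(objectclass=testPerson)(|(abcid=%s)(uid=%s)))"   # Figure 3: abcid plus uid
CONTACT_FILTER = "(&(objectclass=testPerson)(|(cn=%s)(sn=%s)))"      # before givenname is added

def authenticate(server, user_id, password, login_filter=LOGIN_FILTER):
    """Steps 2 to 8: anonymous bind, search for the DN, unbind, bind as the user, unbind."""
    if server.bind() != "success":                                   # step 2
        return None
    found = server.search(BASE_DN, login_filter.replace("%s", escape(user_id)))  # step 3
    server.unbind()                                                  # step 5
    if len(found) != 1:                                              # step 4: none, or ambiguous
        return None
    result = server.bind(found[0], password)                         # steps 6 and 7
    server.unbind()                                                  # step 8
    return found[0] if result == "success" else None

def find_contact(server, typed, search_filter=CONTACT_FILTER):
    """Buddy-list lookup: the entries the stconfig.nsf Search Filter finds for the typed text."""
    server.bind()
    found = server.search(BASE_DN, search_filter.replace("%s", escape(typed)))
    server.unbind()
    return found

if __name__ == "__main__":
    srv = ToyLdapServer(ENTRIES)
    print(authenticate(srv, "rajbala", "ldaprules"))   # found through the uid attribute
    print(authenticate(srv, "w007009", "wrong"))       # None: the bind as the user fails
    print(find_contact(srv, "James"), find_contact(srv, "Bond"))
    print(find_contact(srv, "James", CONTACT_FILTER.replace("(sn=%s)", "(sn=%s)(givenname=%s)")))
```

Two design choices in the model are worth carrying over to a real deployment. First, authenticate() refuses to bind when the search returns more than one entry: once the Search Filter matches on several attributes (abcid plus uid, as in Figure 3), two different people can satisfy the same filter, and the only safe answer is to fail the login rather than bind as whichever entry came back first. Second, escape() applies the RFC 4515 escaping before the typed string is spliced into the filter, so a value containing parentheses or an asterisk stays a literal value; the WebTitleLogin formula later in the article works precisely because @NameLookup splices its argument into the filter without this escaping, which is one reason the author calls it a temporary fix.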

LDAP calls for logging in and attending a meeting
The sequence of LDAP calls required for logging in and attending a Lotus Instant Messaging meeting is more complex than the sequence for logging into Lotus Instant Messaging or for adding a name to your Buddy list:

  1. The user logs into the meeting.
  2. Lotus Instant Messaging issues a BindRequest call to LDAP. LDAP binds anonymously.
  3. Lotus Instant Messaging searches the LDAP directory for the user, issuing a SearchRequest string to LDAP. The SearchRequest includes arguments for BaseDN and the search filter contained in stconfig.nsf.
  4. If the search is successful, LDAP issues a BindResult informing Lotus Instant Messaging that the user has been found. The returning value is the user's DN and any other requested attributes.
  5. When this operation is complete, Lotus Instant Messaging issues an UnBindRequest to disconnect from LDAP.
  6. Lotus Instant Messaging then uses the user DN obtained in Step 4 and the password supplied by the user in Step 1 and binds to LDAP as the user.
  7. LDAP validates the DN and password, then issues a BindResult to return a success result code.
  8. Lotus Instant Messaging issues an UnBindRequest to disconnect from LDAP.
  9. After the user has been successfully validated, Lotus Instant Messaging searches LDAP for any group the user belongs to. It does this by issuing a BindRequest to bind the user anonymously, then issuing another SearchRequest to LDAP. This call obtains all groups the user belongs to, including any nested groups.
  10. Step 9 is repeated for any nested groups the user belongs to.
  11. Finally, Lotus Instant Messaging searches LDAP for the key attributes (used for display) of the user. These attributes are as defined in stconfig.nsf. The BaseDN used for search in this case is the DN of the user as handed over by LDAP after successful validation.

For the previous sequence, if we compute the user name value using the @UserName formula, the value would be abcid=w007007/ou=users/dc=rajtest/dc=com. This is the same as the Domino-authenticated user because meeting access initially goes through Domino (via the stconfig.nsf database). Here is an illustration of the Meeting creation page showing the logged-in user (note that the friendly common name is not displayed):

Figure 4. Meeting creation page

After the user joins the meeting, LDAP passes the user's DN to Lotus Instant Messaging, and the user is known as the following within Lotus Instant Messaging:

abcid=w007007,ou=users,dc=rajtest,dc=com

and displayed (in our example) as Mike Rodney.
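Steps 9 through 11 of the meeting login are the part that differs from a plain connect: one member search per group found, repeated for nested groups, and then a base-scope search on the user's own DN for the display attributes. The following Python script is an added example of that loop and is not Sametime code. It assumes the constructed group data shown (the article's group2 entry plus invented group1 and group0 entries, with group0 listing itself as a member so that the loop guard is exercised) and a constructed user table standing in for the attributes defined in stconfig.nsf.

```python
"""Steps 9 to 11 of the meeting login: transitive group lookup plus the display-attribute fetch.
Added example, not Sametime code. GROUPS is constructed from the article's group2 entry
plus invented group1/group0 entries (group0 lists itself, to show why a visited set is
needed); USERS is a constructed stand-in for the user entries' display attributes.
"""
USERS = {
    "abcid=w007009,ou=users,dc=rajtest,dc=com": {"cn": "Raj Bala", "sn": "Bala"},
    "abcid=w007007,ou=users,dc=rajtest,dc=com": {"cn": "Mike Rodney", "sn": "Rodney"},
}
# groupOfNames entries: group DN -> member DNs (a member may itself be a group)
GROUPS = {
    "cn=group2,dc=rajtest,dc=com": ["abcid=w007009,ou=users,dc=rajtest,dc=com",
                                    "abcid=w007007,ou=users,dc=rajtest,dc=com"],
    "cn=group1,dc=rajtest,dc=com": ["cn=group2,dc=rajtest,dc=com"],
    "cn=group0,dc=rajtest,dc=com": ["cn=group1,dc=rajtest,dc=com",
                                    "cn=group0,dc=rajtest,dc=com"],   # constructed self-reference
}

def groups_containing(dn, groups=GROUPS):
    """One SearchRequest under the group base with filter (member=<dn>); DNs compare case-insensitively."""
    dn = dn.lower()
    return sorted(g for g, members in groups.items() if dn in [m.lower() for m in members])

def all_groups(user_dn, groups=GROUPS, max_depth=16):
    """Steps 9 and 10: search for the user's groups, then repeat for each group found.

    Returns (sorted group DNs, number of SearchRequests issued). The visited set
    stops a membership loop; max_depth bounds the round trips even if it did not.
    """
    seen, frontier, searches = set(), [user_dn], 0
    for _ in range(max_depth):
        if not frontier:
            break
        next_frontier = []
        for dn in frontier:
            searches += 1                       # one SearchRequest per DN examined
            for g in groups_containing(dn, groups):
                if g not in seen:
                    seen.add(g)
                    next_frontier.append(g)
        frontier = next_frontier
    return sorted(seen), searches

def display_attributes(user_dn, wanted=("cn", "sn"), users=USERS):
    """Step 11: base-scope search with the user's own DN as BaseDN, returning only the display attributes."""
    entry = users.get(user_dn)
    if entry is None:
        return None
    return {a: entry[a] for a in wanted if a in entry}

if __name__ == "__main__":
    me = "abcid=w007007,ou=users,dc=rajtest,dc=com"
    print(all_groups(me))               # three groups reached with four SearchRequests
    print(display_attributes(me))       # what the Meeting center shows: Mike Rodney
```

The search count returned by all_groups() is the number a directory administrator should watch: every nesting level costs another round of SearchRequests per user login, and a membership cycle in the directory would make the loop endless without the visited set, so the cap on depth is a second, independent guard.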

Modifying stconfig.nsf to display common names
To display the appropriate common name in the Meeting center, you need to make the following changes to the stconfig.nsf database. This is necessary because our LDAP DNs contain no CN or UID components.

In the subform WebTitleLogin, change the last <Computed Value> (containing computed text) to:

userid := @Middle (@UserName; "abcid="; "/");
newsearch := userid + ") (abcid=" + userid;

ldapName := @NameLookup([NoUpdate];newsearch; "cn");
notesName := @Name([CN];@UserName);

@If(@Trim(ldapName)!=""; ldapName; notesName)

After you make this change, the following appears when the user logs into stconfig.nsf.

Figure 5. Common name displayed

The search string in the LDAP call from the Lotus Instant Messaging server to the LDAP server appears as follows:

(|(cn=w007007)(abcid= w007007)(|(&(sn= w007007))(givenname=(abcid= w007007))(&(sn=abcid= w007007)(givenname= w007007)))))

This is a temporary fix. A better approach is to upgrade to Lotus Instant Messaging 3.1 supported by Domino 6. Domino 6 can map attribute and search strings (similar to stconfig.nsf) in Directory Assistance.

LDAP calls for changing the moderator during meeting creation
Finally, imagine a user who has already logged into Lotus Instant Messaging and changes the moderator of a meeting. Let's say the user wants to specify Doug Williams as the moderator. The user enters Williams in the user search field in the Directory applet. If the search is successful, Doug Williams is designated as moderator. The following is the sequence of the LDAP-related calls from the Lotus Instant Messaging host server:

  1. Lotus Instant Messaging issues a BindRequest call to LDAP. LDAP binds anonymously.
  2. Lotus Instant Messaging searches the LDAP directory for Williams, using the SearchRequest call. The SearchRequest string includes the argument BaseDN, which is obtained from the Base Objects setting in stconfig.nsf. The SearchRequest also includes the search filter, obtained from the Search Filter setting in stconfig.nsf. Other search attributes are derived from the Schema Settings property in the same database.
  3. If the search is successful, LDAP issues a BindResult informing Lotus Instant Messaging that the user has been found. The returning value is the user's DN and any other requested attributes.
  4. After the user has been successfully validated, Lotus Instant Messaging searches LDAP for any group the user belongs to. It does this by issuing a BindRequest to bind the user anonymously, then issuing another SearchRequest to LDAP. This call obtains all groups the user belongs to.
  5. Lotus Instant Messaging issues an UnBindRequest to disconnect from LDAP.

Conclusion
This article has examined the LDAP-related calls from Lotus Instant Messaging and Domino servers to the LDAP server. This includes calls made when a user logs into Domino or Lotus Instant Messaging, when a user adds a person to a Buddy list, when a user joins a meeting, and when a user changes the moderator of a meeting. This "under the hood" view should help you better understand how Lotus Instant Messaging services interact with LDAP and what changes you can make in the Directory Assistance and stconfig.nsf databases to control these interactions. And we've shown you how to modify stconfig.nsf to have Lotus Instant Messaging display common names on the Meeting creation page. We hope this information allows you to more efficiently integrate LDAP into your Lotus Instant Messaging environment.

About the author
Raj Balasubramanian is a Consulting IT Architect for IBM Software Services for Lotus (ISSL). He works on customer engagements delivering application and infrastructure related projects. His interests range from anything technical to history and physics. During his copious spare time, he enjoys talking about robots with his sons.
