Sun Java System Instant Messaging 7.2 Administration Guide

Chapter 11 Managing Instant Messaging's LDAP Access Configuration

This chapter describes how Instant Messaging uses LDAP in deployments with and without Access Manager.

Overview of how Instant Messaging Uses LDAP

All deployments of Instant Messaging require a directory server. In a deployment without Sun Java System Access Manager, the Instant Messaging server uses the directory server both to authenticate end users and to search for end users.

In a deployment with Sun Java System Portal Server, the Instant Messaging server uses the directory that Portal Server uses. In an Access Manager deployment, the Instant Messaging server uses the directory that Access Manager uses, but only to search for end users, not to authenticate them; Access Manager performs the authentication.

If you use an LDAP directory to maintain your user namespace, the default configuration makes the following assumptions regarding the schema used by this directory:

You can change these default settings by editing the iim.conf file. See iim.conf File Syntax.


Caution –

Some user attributes may contain confidential information. Ensure that your directory access control is set up to prevent unauthorized access by non-privileged users. Refer to your directory documentation for more information.


Searching the Directory Anonymously

Instant Messaging must be able to search the directory to function correctly. If your directory allows anonymous searches, Instant Messaging can search it without further configuration. If the directory is not readable or searchable by anonymous users, you must configure iim.conf with the credentials of a user ID that has at least read access to the directory. These credentials consist of:

Procedure: To Enable the Server to Conduct Directory Searches as a Specific End User

  1. Identify values for the following parameters in iim.conf:

    • iim_ldap.usergroupbinddn - Specifies the distinguished name (DN) used to bind to the directory for searches.

    • iim_ldap.usergroupbindcred - Specifies the password used with that DN.

    For example:

    iim_ldap.usergroupbinddn="cn=iim server,o=i-zed.com"

    iim_ldap.usergroupbindcred=secret


    Note –

    You do not need administrator-level credentials with write access; read access to the domain tree is all that is required. If an LDAP user with read-only access exists, use its credentials instead. This is the safer choice because it does not require you to distribute the administrator-level credentials.


    See iim.conf File Syntax for instructions on locating and modifying iim.conf.

  2. In a deployment with Sun Java System Access Manager, if the directory is not searchable by anonymous users:

    • Set the iim_ldap.useidentityadmin configuration parameter to true.

    • You can also delete or comment out the following configuration parameters:

      • iim_ldap.usergroupbinddn

      • iim_ldap.usergroupbindcred

  3. Edit iim.conf.

    See iim.conf File Syntax for instructions on locating and modifying iim.conf.

    If the iim_ldap.usergroupbinddn and iim_ldap.usergroupbindcred parameters do not appear in iim.conf, you can add them anywhere in the file.
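The following script is an added example (it is not code from the Instant Messaging guide or product) that reads iim.conf-style key=value lines and reports which of the three search modes described above the settings imply: anonymous, bound as a specific user, or through Access Manager (iim_ldap.useidentityadmin=true). It also warns when the bind DN is the directory's default root DN (assumed here to be cn=Directory Manager, the Sun Java System Directory Server default) and when a file holding the clear-text iim_ldap.usergroupbindcred is readable by other accounts. The iim.conf fragment, the comment conventions and the helper names are constructed for this example.

```python
"""Check the iim_ldap bind settings in an iim.conf file.

Added example; not code from the Sun Java System Instant Messaging guide
or product.
"""
import stat

# Constructed sample iim.conf fragment (not taken from any real deployment).
SAMPLE_IIM_CONF = """\
! iim.conf fragment (constructed sample)
iim_ldap.host=ldap.example.com
iim_ldap.usergroupbinddn="cn=iim server,o=i-zed.com"
iim_ldap.usergroupbindcred=secret
iim_ldap.useidentityadmin=false
"""

# Default root DN of Sun Java System Directory Server (assumption: your site
# may use another name). Binding as it grants full write access, which the
# chapter's note says is more than the server needs.
ADMIN_DNS = ("cn=directory manager",)


def parse_iim_conf(text):
    """Return a dict of key -> value. Blank lines and lines starting with '!'
    or '#' are skipped as comments (assumption: Java properties conventions);
    double quotes around a value, as in the guide's DN example, are removed."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "!#":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        settings[key.strip()] = value
    return settings


def search_mode(settings):
    """'anonymous' (no bind settings), 'bound' (DN and password), 'access-manager'
    (iim_ldap.useidentityadmin=true) or 'incomplete' (only one bind setting)."""
    binddn = settings.get("iim_ldap.usergroupbinddn", "")
    bindcred = settings.get("iim_ldap.usergroupbindcred", "")
    if settings.get("iim_ldap.useidentityadmin", "false").lower() == "true":
        return "access-manager"
    if binddn and bindcred:
        return "bound"
    if not binddn and not bindcred:
        return "anonymous"
    return "incomplete"


def findings(settings):
    """Return a list of warnings about the bind settings."""
    warnings = []
    mode = search_mode(settings)
    binddn = settings.get("iim_ldap.usergroupbinddn", "")
    bindcred = settings.get("iim_ldap.usergroupbindcred", "")
    if mode == "incomplete":
        warnings.append("usergroupbinddn and usergroupbindcred must be set together")
    if mode == "access-manager" and (binddn or bindcred):
        warnings.append("useidentityadmin=true: the bind DN and password are "
                        "not used and can be removed")
    # Normalise case and whitespace before comparing DNs.
    if " ".join(binddn.lower().split()) in ADMIN_DNS:
        warnings.append("bind DN is the directory administrator; an account "
                        "with read access to the domain tree is sufficient")
    return warnings


def cred_file_exposed(st_mode):
    """True if a file with this st_mode (from os.stat) is readable by group or
    others. usergroupbindcred is stored in clear text, so iim.conf should be
    readable only by the account that runs the server (added check)."""
    return bool(st_mode & (stat.S_IRGRP | stat.S_IROTH))


if __name__ == "__main__":
    conf = parse_iim_conf(SAMPLE_IIM_CONF)
    print("search mode:", search_mode(conf))
    for warning in findings(conf):
        print("warning:", warning)
    print("mode 0644 exposes the password:", cred_file_exposed(0o100644))
```

To check a real file, pass the contents of iim.conf to parse_iim_conf and the st_mode from os.stat(path) to cred_file_exposed; the sample run reports the bound mode with no warnings.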

Configuring Instant Messaging to Use LDAP Dynamic Groups

In the Sun Java System Directory Server and some other LDAP servers, dynamic groups filter end users based on their DN and include them in a single group. The dynamic groups are defined in Directory Server by the groupOfUrls objectclass.

To enable end users to view the dynamic groups in search results and add them to their contact list, you need to include groupOfUrls objects in search results.

The following modifications need to be made to iim.conf:

Procedure: To Configure Instant Messaging to Use Dynamic Groups

  1. Open iim.conf.

    See iim.conf File Syntax for instructions on locating and modifying iim.conf.

  2. Add the following three lines to iim.conf:

    iim_ldap.usergroupbynamesearchfilter=(|(&(|(objectclass=groupofuniquenames)(objectclass=groupofurls))(cn={0}))(&(objectclass=inetorgperson)(cn={0})))

    iim_ldap.groupbrowsefilter=(|(objectclass=groupofuniquenames)(objectclass=groupofurls))

    iim_ldap.groupclass=groupOfUniqueNames,groupOfURLs

    Each parameter must be on a single line; do not insert line breaks within a filter. The attribute and object class names are configurable. By default, the memberOfUrls attribute is used as the membership attribute of a dynamic group. To use a different attribute name, set the iim_ldap.groupmemberurlattr option to that name.
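Because a filter that is wrapped or mistyped is silently wrong until a search fails, the following added example (not code from the Instant Messaging guide or product) folds the three settings from step 2 back onto single lines, parses each filter with a small RFC 4515 parser to confirm it is well-formed, and checks that every object class matched by iim_ldap.groupbrowsefilter is also listed in iim_ldap.groupclass. The wrapped layout, the deliberately broken variant and the helper names are constructed for the example; the filter values are the guide's.

```python
"""Validate the dynamic-group search filters for iim.conf.

Added example; not code from the Sun Java System Instant Messaging guide
or product.
"""

# The three settings from the procedure, wrapped as a narrow page would print
# them (constructed layout; the values are the guide's).
DOC_LINES = """\
iim_ldap.usergroupbynamesearchfilter=(|(&(|
(objectclass=groupofuniquenames)
(objectclass=groupofurls))
(cn={0}))(&(objectclass=inetorgperson)
(cn={0})))
iim_ldap.groupbrowsefilter=(|
(objectclass=groupofuniquenames)
(objectclass=groupofurls))
iim_ldap.groupclass=groupOfUniqueNames,groupOfURLs
"""

# The same by-name filter with one ')' too many (constructed).
BROKEN_FILTER = ("(|(&(|(objectclass=groupofuniquenames)(objectclass=groupofurls)))"
                 "(cn={0}))(&(objectclass=inetorgperson)(cn={0})))")


def fold_settings(text):
    """Join wrapped filter lines: a line starting with '(' continues the
    previous setting; any other non-blank line starts a new key=value."""
    settings = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("(") and key is not None:
            settings[key] += line
        else:
            key, _, value = line.partition("=")
            settings[key] = value
    return settings


def parse_filter(text):
    """Parse an RFC 4515 filter into ('&', [...]), ('|', [...]), ('!', [x]) or
    ('=', attr, value). Only equality items are needed for the chapter's
    filters; '{0}' stays literal (the server substitutes it) and values are
    assumed not to contain ')'. Raises ValueError on malformed input."""
    pos = 0

    def parse_one():
        nonlocal pos
        if text[pos:pos + 1] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        if text[pos:pos + 1] in ("&", "|", "!"):
            op = text[pos]
            pos += 1
            children = []
            while text[pos:pos + 1] == "(":
                children.append(parse_one())
            if text[pos:pos + 1] != ")":
                raise ValueError("expected ')' at offset %d" % pos)
            pos += 1
            if not children or (op == "!" and len(children) != 1):
                raise ValueError("bad operand count for '%s'" % op)
            return (op, children)
        end = text.find(")", pos)
        if end < 0:
            raise ValueError("unterminated filter item at offset %d" % pos)
        attr, sep, value = text[pos:end].partition("=")
        if not sep or not attr:
            raise ValueError("expected attr=value at offset %d" % pos)
        pos = end + 1
        return ("=", attr, value)

    node = parse_one()
    if pos != len(text):
        raise ValueError("unexpected text after filter at offset %d" % pos)
    return node


def is_well_formed(text):
    """Return (True, '') or (False, reason)."""
    try:
        parse_filter(text)
        return True, ""
    except ValueError as exc:
        return False, str(exc)


def objectclasses(node):
    """Lower-cased objectclass values the filter tests for."""
    if node[0] == "=":
        return {node[2].lower()} if node[1].lower() == "objectclass" else set()
    return set().union(*(objectclasses(child) for child in node[1]))


def missing_group_classes(settings):
    """Object classes matched by groupbrowsefilter but absent from groupclass;
    a non-empty result means the two settings disagree on what a group is."""
    listed = {c.strip().lower() for c in settings["iim_ldap.groupclass"].split(",")}
    browsed = objectclasses(parse_filter(settings["iim_ldap.groupbrowsefilter"]))
    return browsed - listed


if __name__ == "__main__":
    folded = fold_settings(DOC_LINES)
    for key, value in folded.items():
        ok, reason = is_well_formed(value) if value.startswith("(") else (True, "")
        print("%s: %s %s" % (key, "ok" if ok else "INVALID", reason))
    print("unlisted group classes:", missing_group_classes(folded) or "none")
    print("broken sample:", is_well_formed(BROKEN_FILTER))
```

The parser deliberately rejects trailing text after the outermost closing parenthesis, which is how the extra ')' in the broken variant is caught; a filter that merely has too few closing parentheses fails earlier with an "expected ')'" error.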