Sun Java System Instant Messaging 7.2 Administration Guide

Chapter 14 Administering Instant Messaging End Users

Instant Messaging does not provide bulk user provisioning tools. You need to use a directory bulk provisioning tool for provisioning multiple Instant Messaging end users. By default, Instant Messaging does not provide specific commands to add, modify, or delete Instant Messaging end users. However, you can customize Instant Messenger to allow users to add themselves to the directory.

Likewise, in an LDAP-only deployment, you cannot prevent an end user from using Instant Messenger. In an LDAP-only deployment, the only way to prevent end users from using Instant Messaging is to delete them from the directory or inactivate their user accounts in the directory. Keep in mind that doing this also prevents the user from binding to the directory. In a deployment using Sun Java System Access Manager policy attributes, you can prevent an end user from accessing only Instant Messenger. In addition, if you deploy Instant Messaging with Access Manager, you should use the provisioning tools provided with Access Manager instead of allowing users to register themselves.

The administrator can manage Instant Messaging end users using the Instant Messaging Administrator Access Control mechanism. For more information on Instant Messaging Administrator Access Control, see Overview of Privacy, Security, and Site Policies. If Instant Messaging is deployed with Access Manager, Access Manager is used for provisioning Instant Messaging end users. For more information, see the Sun Java Communications Suite 5 Deployment Planning Guide.


Caution –

If you deny end users the privilege to set up watches on other end users by editing the sysWatch.acl file, the Instant Messenger’s Main window is not displayed for these end users. This effectively denies end users the ability to send instant messages. However, end users would still be able to see alerts and news channels.


This chapter contains the following sections:

Disabling End User Access to Instant Messenger

If you are using Instant Messaging with Access Manager, you can deny user access to Instant Messenger services as described in this section.

Procedure: To Disable Instant Messaging End Users

  1. Open iim.conf.

    See iim.conf File Syntax for instructions on locating and modifying iim.conf.

  2. Modify the following values as shown:

    iim_ldap.useidentityadmin="true"
    iim_server.usesso=1
    iim.policy.modules="identity"
    iim.userprops.store="ldap"

    The value of iim_server.usesso may also be 0.

  3. Save and close iim.conf.

  4. Refresh the Instant Messaging server.

    imadmin refresh server

    See Refreshing Component Configuration for more information. If you are using Instant Messaging in an HA environment, do not use imadmin; instead, use the Sun Cluster tools to refresh the server.

  5. Use the Access Manager console (amconsole) to remove Instant Messaging services from the user for which you want to disable access.

Registering New Instant Messaging Users

You can customize Instant Messenger to allow new user registration. When a user registers, the Instant Messaging server uses the information provided during registration to perform an ldapadd operation to create a user entry in the directory.


Note –

If you are using Instant Messaging with Sun Java System Access Manager, you should not allow users to register using this method. Instead, you should use the provisioning tools provided with Access Manager.


To allow new user registration, you need to configure the server to allow registration and then customize Instant Messenger resources by adding an argument to the im.jnlp.template and im.html.template files, running the configure utility, then (if necessary) redeploying the resource files.

This section describes:

See Chapter 15, Managing Instant Messenger for more information about customizing resource files.

Configuring the Instant Messaging Server to Allow New User Registration

In order to configure the Instant Messaging server to allow new user registration you need to add configuration parameters to iim.conf. Table 14–1 lists the parameters you need to add and a brief description of each.

Table 14–1 Instant Messaging Server New User Registration Configuration Parameters

  Parameter: iim.register.enable
    Description: If TRUE, the server allows new Instant Messaging end users to register themselves (add themselves to the directory) using Instant Messenger.

  Parameter: iim_ldap.register.basedn
    Description: If self-registration is enabled, the value of this parameter is the DN of the location in the LDAP directory in which person entries are stored. For example: "ou=people,dc=siroe,dc=com"

  Parameter: iim_ldap.register.domain
    Description: The domain to which new users will be added. For example, directory.siroe.com.

Procedure: To Configure the Instant Messaging Server to Allow New User Registration

  1. Open iim.conf.

    See iim.conf File Syntax for instructions on locating and modifying iim.conf.

  2. Add the configuration parameters and appropriate values as described in Table 14–1.

  3. Save and close iim.conf.

  4. Refresh the server configuration using the imadmin command.

    imadmin refresh server
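As an added example (not part of the Sun guide), the following Python script parses an iim.conf fragment and checks the settings covered in this chapter against each other: the registration parameters in Table 14–1, the Access Manager settings from the disable procedure, and the note that self-registration should not be combined with Access Manager provisioning. The comment syntax (lines starting with "!" or "#") and the accepted spellings of boolean values are assumptions.

```python
"""Audit an iim.conf fragment for the end-user provisioning settings in this
chapter.  Added example, not Sun code; comment syntax and boolean spellings
are assumptions."""

REGISTRATION_KEYS = ("iim_ldap.register.basedn", "iim_ldap.register.domain")


def parse_iim_conf(text):
    """Parse key=value lines into a dict, dropping comments and quotes."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "!#":
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip().strip('"')
    return conf


def is_true(value):
    return value is not None and value.lower() in ("true", "1", "yes")


def audit(conf):
    """Return a list of findings; an empty list means the fragment is consistent."""
    findings = []
    # Either setting from the disable procedure marks an Access Manager deployment.
    am_deployment = (is_true(conf.get("iim_ldap.useidentityadmin"))
                     or conf.get("iim.policy.modules") == "identity")
    if is_true(conf.get("iim.register.enable")):
        for key in REGISTRATION_KEYS:          # Table 14-1: both are required
            if not conf.get(key):
                findings.append("iim.register.enable is TRUE but %s is not set" % key)
        if am_deployment:
            findings.append("self-registration is enabled in an Access Manager "
                            "deployment; use Access Manager provisioning instead")
    # The chapter shows LDAP property storage only with iim_ldap or identity.
    if (conf.get("iim.userprops.store") == "ldap"
            and conf.get("iim.policy.modules") not in ("iim_ldap", "identity")):
        findings.append("iim.userprops.store=ldap requires iim.policy.modules "
                        "to be iim_ldap or identity")
    if am_deployment and conf.get("iim_server.usesso") not in ("0", "1"):
        findings.append("iim_server.usesso must be 0 or 1 in an Access Manager deployment")
    return findings


# Constructed sample: self-registration left on in an Access Manager deployment.
SAMPLE_CONF = """\
! constructed iim.conf fragment
iim_ldap.useidentityadmin="true"
iim_server.usesso=1
iim.policy.modules="identity"
iim.userprops.store="ldap"
iim.register.enable="TRUE"
iim_ldap.register.basedn="ou=people,dc=siroe,dc=com"
"""

if __name__ == "__main__":
    for finding in audit(parse_iim_conf(SAMPLE_CONF)):
        print("WARNING:", finding)
```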

Customizing Instant Messenger to Allow New User Registration

When you customize the resource files to allow new user registration, a new button appears on the Login dialog box. Users click this button to access the New User Registration dialog box where they can register. When a user registers, their information is added to the LDAP directory.

Procedure: To Customize Instant Messenger to Allow New User Registration

  1. Open the im.jnlp.template file in a text editor.

    By default this file is stored in im-svr-base/html.

  2. Search for the line:


    <application-desc main-class="com.iplanet.im.client.iIM">
    
  3. Add the following argument to the end of the section:


    <argument>register=true</argument>
    
  4. Save and close im.jnlp.template.

  5. Open the im.html.template file in a text editor.

    By default this file is stored in im-svr-base/html.

  6. Add the register parameter to the file:


    <PARAM NAME="register" VALUE="true">
    
  7. Add the following parameter to the EMBED tag:


    register=true
    
  8. Save and close im.html.template.

  9. Run the configure utility, selecting the “Messenger Resources” component only when prompted for which components you want to configure.

    See Configuring Instant Messaging After Installing or Upgrading for instructions.

  10. If you are using Sun Java System Application Server or Sun Java System Web Server, redeploy the resource files.

    See Redeploying Resource Files for instructions.

  11. Launch Instant Messenger.

    The I am a New User button should appear on the Login dialog box.

Registering as a New Instant Messaging User

Once you have added the new user registration argument to the im.jnlp and im.html files and redeployed the resource files, users can register themselves.

Procedure: To Register as a New Instant Messaging User

  1. In a web browser, go to the Instant Messaging home page.

  2. Click Start or click Use Java Plug-in.

    The Login dialog box appears, displaying the I am a New User button.

  3. Click I am a New User.

    The New User Registration dialog box appears.

  4. Enter the information in the fields provided and click OK.

    The information is stored in the directory.

Storing Instant Messaging User Properties in LDAP

In a deployment without Sun Java System Access Manager, you can choose to store user properties in LDAP instead of a file (default). You need to run the imadmin assign_services command in order to add required objectclasses to user entries in the directory. These objectclasses are used by Instant Messaging to store user properties in user entries.


Caution –

Some user attributes may contain confidential information. Ensure that your directory access control is set up to prevent unauthorized access by non-privileged users. Refer to your directory documentation for more information.


Procedure: To Store Instant Messaging User Properties in LDAP

  1. In iim.conf, ensure that the iim.policy.modules parameter has a value of iim_ldap.

    See iim.conf File Syntax for information on iim.conf.

  2. In iim.conf, ensure that the iim.userprops.store parameter has a value of ldap.

  3. From the command line, run imadmin with the assign_services option:


    imadmin assign_services
    

    imadmin checks the value of the iim.policy.modules parameter in iim.conf.

  4. Enter the Bind DN and password you want imadmin to use to bind to the directory.

    The Bind DN should have sufficient credentials to modify the directory schema, for example the Directory Manager DN.

  5. Enter the Base DN under which user entries are stored.

    Next, imadmin adds the sunIMUser and sunPresenceUser objectclasses to the user entries in the organization you specified.

Assigning Instant Messaging and Presence Services to End Users

In a deployment with Sun Java System Access Manager, you can assign Instant Messaging and presence services to end users with the imadmin assign_services command. Alternatively, you can use the Access Manager console.

Procedure: To Assign Instant Messaging and Presence Services to End Users

  1. In iim.conf, ensure that the iim.policy.modules parameter has a value of identity.

    See iim.conf File Syntax for information on iim.conf.

  2. From the command line, run imadmin with the assign_services option:


    imadmin assign_services
    

    imadmin checks the value of the iim.policy.modules parameter in iim.conf.

  3. Enter the Base DN of the organization under which user entries are stored.

    This is the organization that contains the user entries managed by Access Manager.

    Next, imadmin assigns Instant Messaging and presence services to the users in the organization you specify.