3 Using LDAP with Instant Messaging Server

This chapter covers aspects of using LDAP with Oracle Communications Instant Messaging Server.

Managing LDAP Access Configuration for Instant Messaging Server

This section describes how Instant Messaging Server uses LDAP.

Overview of How Instant Messaging Server Uses LDAP

All deployments of Instant Messaging Server require an Oracle Directory Server Enterprise Edition (Directory Server). Instant Messaging Server uses the Directory Server to perform end-user authentication and to search for end users.

The default Instant Messaging Server configuration makes the following assumptions regarding the LDAP schema used by Directory Server:

  • End user entries are identified by the inetOrgPerson object class.

  • Group entries are identified by the groupOfUniqueNames or groupofURLs object class.

  • The email address of an end user is provided by the mail attribute.

  • The display name of an end user or group is provided by the cn attribute.

  • The list of members of a group is provided by the uniqueMember attribute (groupOfUniqueNames object class).

You can change these default settings by running the imconfutil command to modify the appropriate configuration properties.

Caution:

Some user attributes might contain confidential information. Ensure that your directory access control is set up to prevent unauthorized access by non-privileged users. Refer to your directory documentation for more information.

Searching the Directory Anonymously

Instant Messaging Server must be able to search the directory to function correctly. If your directory is configured to be searchable by anonymous users, Instant Messaging Server can search it without further configuration. If the directory is not readable or searchable by anonymous users, you must take the additional step of configuring the iim.conf.xml file with the credentials of a user ID that has at least read access to the directory. These credentials consist of:

  • A distinguished name (dn)

  • The password of the distinguished name (dn)

Enabling the Server to Conduct Directory Searches as a Specific End User

To enable Instant Messaging Server to conduct directory searches as a specific end user:

  1. Identify values for the following Instant Messaging Server configuration properties.

    • iim_ldap.usergroupbinddn - Specifies the distinguished name (dn) to use to bind to the directory for searches.

    • iim_ldap.usergroupbindcred - Specifies the password to use with the distinguished name (dn).

    For example:

    iim_ldap.usergroupbinddn="cn=iim server,o=i-zed.com"
    iim_ldap.usergroupbindcred=secret
    

    Note:

    You do not have to use administrator-level credentials with write-level access. All that is necessary is read access to the domain tree. Thus, if there is an LDAP user with read-level access, use its credentials instead. This is a safer alternative as it does not force you to disseminate the administrator-level credentials.
  2. Run the imconfutil command to modify the configuration properties.

    If the iim_ldap.usergroupbinddn and iim_ldap.usergroupbindcred properties do not appear in the iim.conf.xml file, add them.

    For example:

    imconfutil set-prop iim_ldap.usergroupbinddn="cn=Directory Manager" iim_ldap.usergroupbindcred=password -c InstantMessaging_home/config/iim.conf.xml
    

Using the mail Attribute for User Authentication

By default, Instant Messaging Server uses the uid attribute for user authentication. You can change the default so that users can authenticate based on their email address.

To configure Instant Messaging Server to enable user authentication by using the mail attribute:

  1. Use the imconfutil command to set the mail attribute to use for user IDs as the value for the iim_ldap.useruidattr property:

    imconfutil -c InstantMessaging_home/config/iim.conf.xml set-prop iim_ldap.useruidattr=mail
    
  2. Add the index directive to the indexing rules in LDAP:

    index mail eq
    

Using LDAP Groups

You can configure Instant Messaging Server so that end users can send a message to an LDAP group, which can be either dynamic or static. Also, you can assign/affiliate LDAP groups as members of a restricted chat room.

LDAP distinguishes between dynamic and static groups as follows:

  • LDAP dynamic group: Membership, rather than being maintained explicitly in a list, is determined by search criteria using an LDAP URL. Dynamic groups use the groupOfURLs object class and the memberURL attribute to define LDAP URLs with the criteria (search base, scope, and filter) to be used for determining members of the group.

  • LDAP static group: A static group is one whose entry contains a membership list of explicit DNs. You can define a static group by using the groupOfUniqueNames object class and by explicitly specifying the member DNs using the uniqueMember attribute.

In Directory Server and some other LDAP servers, dynamic groups filter end users based on their DN and include them in a single group. The dynamic groups are defined in Directory Server by the groupOfUrls object class.

To enable end users to view the dynamic groups in search results and add them to their contact list, you must include groupOfUrls objects in search results.

You can assign or affiliate LDAP groups as members of a restricted chat room. When Instant Messaging Server creates the multiuser chat room, it loads the chat room's affiliations from LDAP. When a user attempts to join, Instant Messaging Server determines whether the user is a member of any of the groups authorized for the multiuser chat room, allows the user to join if so, and otherwise forbids the join. You use the iim_server.enablegroupsinconference property to enable and disable LDAP groups in multiuser chat. When set to true, this property enables groups for multiuser chat. When set to false, this property disables groups for multiuser chat. By default, groups for multiuser chat are disabled.
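As an added example (not Oracle's code), the membership check described above modelled against a constructed in-memory directory in place of Directory Server: a static group lists member DNs in uniqueMember, a dynamic group is resolved from its memberURL search (base, scope and filter), and a restricted room admits a user only if at least one affiliated group contains that user. The filter evaluator is deliberately minimal and handles only equality, & and |.

```python
from urllib.parse import unquote

# Constructed sample directory (dn -> attrs), not real data; attribute names are lower-cased.
PEOPLE = "ou=people,o=example.com"
DIRECTORY = {
    f"uid=alice,{PEOPLE}": {"objectclass": ["inetOrgPerson"], "ou": ["eng"]},
    f"uid=bob,{PEOPLE}": {"objectclass": ["inetOrgPerson"], "ou": ["sales"]},
    # static group: explicit member DNs in uniqueMember
    "cn=sales,ou=groups,o=example.com": {"objectclass": ["groupOfUniqueNames"],
                                        "uniquemember": [f"uid=bob,{PEOPLE}"]},
    # dynamic group: members are whoever the memberURL search returns
    "cn=eng,ou=groups,o=example.com": {"objectclass": ["groupOfURLs"],
        "memberurl": [f"ldap:///{PEOPLE}??sub?(&(objectclass=inetOrgPerson)(ou=eng))"]},
}

def parse_filter(s, i=0):
    """Parse a minimal RFC 4515 filter: (attr=value), (&...), (|...)."""
    i += 1                                  # skip the opening '('
    if s[i] in "&|":
        op, subs = s[i], []
        i += 1
        while s[i] == "(":
            node, i = parse_filter(s, i)
            subs.append(node)
        return (op, subs), i + 1            # i + 1 skips the closing ')'
    j = s.index(")", i)
    attr, value = s[i:j].split("=", 1)
    return ("=", attr.lower(), value), j + 1

def matches(node, attrs):
    if node[0] in "&|":
        return (all if node[0] == "&" else any)(matches(n, attrs) for n in node[1])
    return node[2] in attrs.get(node[1], [])

def dynamic_members(member_url):
    # memberURL is ldap:///base?attrs?scope?filter; scope is treated as "sub" here
    base, _attrs, _scope, flt = member_url[len("ldap:///"):].split("?", 3)
    node, _ = parse_filter(unquote(flt))
    return {dn for dn, a in DIRECTORY.items() if dn.endswith("," + base) and matches(node, a)}

def group_members(group_dn):
    entry = DIRECTORY[group_dn]
    members = set(entry.get("uniquemember", []))      # static membership
    for url in entry.get("memberurl", []):            # dynamic membership
        members |= dynamic_members(url)
    return members

def may_join(user_dn, affiliated_groups):
    return any(user_dn in group_members(g) for g in affiliated_groups)
```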

Configuring Instant Messaging Server to Use LDAP Groups

To configure Instant Messaging Server to use LDAP groups:

  1. If you have not already done so, create the LDAP group to be used for group messaging. See "Managing Groups" in Sun Java System Directory Server Enterprise Edition 6.0 Administration Guide at:

    http://docs.oracle.com/cd/E19693-01/819-0995/bcajq/index.html

  2. Set the iim_server.group.servicename property, if the service name for group messaging is to be changed from the default name groups.

    For example:

    imconfutil set-prop iim_server.group.servicename=mygroups -c InstantMessaging_home/config/iim.conf.xml
    
  3. Set the appropriate configuration properties, depending on whether you want to search for dynamic groups, static groups, or both.

    • To search for dynamic groups, set the following properties:

      imconfutil set-prop iim_ldap.groupbrowsefilter="(|(&(objectclass=groupofurls)(cn={0}))" -c InstantMessaging_home/config/iim.conf.xml
      imconfutil set-prop iim_ldap.groupclass=groupofurls -c InstantMessaging_home/config/iim.conf.xml
      
    • To search for static groups, set the following properties:

      imconfutil set-prop iim_ldap.groupbrowsefilter="(|(&(objectclass=groupofuniquenames)(cn={0}))" -c InstantMessaging_home/config/iim.conf.xml
      imconfutil set-prop iim_ldap.groupclass=groupofuniquenames -c InstantMessaging_home/config/iim.conf.xml
      

      Note:

      Static groups can also be based on the groupofnames object class, with their members listed in the member attribute. In that case the search filters for static groups must be modified accordingly. By default, the member attribute is not used as the membership attribute of a static group, so you must set iim_ldap.groupmemberattr=member to use it.

      Do not include line breaks within a single command. The attribute and object class names are configurable. By default, the memberOfUrls attribute is used as the membership attribute of a dynamic group. If you want to use an attribute name other than memberOfUrls, set the iim_ldap.groupmemberurlattr property to the attribute name you want to use.

    • To search for both dynamic and static groups, set the following properties:

      imconfutil set-prop iim_ldap.groupbrowsefilter="(|(&(objectclass=groupofuniquenames)(cn={0}))(&(objectclass=groupofurls)(cn={0})))" -c InstantMessaging_home/config/iim.conf.xml
      imconfutil set-prop iim_ldap.groupclass=groupofurls,groupofuniquenames -c InstantMessaging_home/config/iim.conf.xml
      
  4. To search for static groups having groupofnames object class, set the following properties:

    imconfutil set-prop iim_ldap.groupbrowsefilter="(&(objectclass=groupofnames)(cn={0}))" -c InstantMessaging_home/config/iim.conf.xml
    imconfutil set-prop iim_ldap.groupclass=groupofnames -c InstantMessaging_home/config/iim.conf.xml
    imconfutil set-prop iim_ldap.groupmemberattr=member -c InstantMessaging_home/config/iim.conf.xml
    
  5. To send a message to a group, see "Using Group Messaging".

Using Group Messaging

To use group messaging:

  1. In the client's chat window, type the group's full Jabber ID in the form groupName@group.domainname in the To tab. For example:

    testGroup@mygroups.example.com
    
  2. Type the message and click Send.

Configuring Chat Room Membership Based on LDAP Group Membership

To configure chat room membership based on LDAP group membership:

  1. See "Configuring Instant Messaging Server to Use LDAP Groups" for instructions on how to create an LDAP group to use for the chat room.

  2. To enable LDAP groups for multiuser chat, set the iim_server.enablegroupsinconference property to true.

    imconfutil set-prop iim_server.enablegroupsinconference=true -c InstantMessaging_home/config/iim.conf.xml
    

Using Chat Rooms Based on LDAP Group Membership

To use LDAP group-based chat rooms:

  1. Create a persistent member-only chat room.

    Member-only chat rooms enable only those users who are on the chat room's member list to join the chat room. Create a new chat room and configure it to be a persistent member-only chat room by selecting the Persistent and Restricted options in the chat room configuration window.

  2. Assign a group affiliation to the chat room.

    To enable members of a particular group to join and participate in a member-only room, the group must be affiliated with the room. To do so, the chat room administrator adds the group to the chat room's member list. By default, the creator of the chat room is its administrator.

    1. To add the group to the chat room's member list, run the following command in the chat window:

      /affiliate member testGroup@mygroups.example.com
      
    2. To verify that the group was added successfully to the member list, run the following command:

      /affiliate member
      

    Users of the group should now be able to join and participate in the chat room.

Converting Associated Domain to Canonical Domain

Directory Server can contain a domain entry with an associatedDomain attribute. If a user tries to log in by using the associated domain instead of the canonical domain, Instant Messaging Server can convert the domain part of the request from the associated domain to the canonical domain before processing the request. Instant Messaging Server supports this conversion for the following operations:

  • Authentication

  • Presence subscription

  • Multiuser chat invite

To enable conversion of the associated domain to the canonical domain:

  1. Configure the iim_server.inboundpacketfilters property:

    imconfutil -c InstantMessaging_home/config/iim.conf.xml set-prop iim_server.inboundpacketfilters=oracle.communications.ucs.ocim.filters.impl.CannonicalDomainConversionFilter
    
  2. Set the filter to be used for the associatedDomain attribute during an LDAP search:

    imconfutil -c InstantMessaging_home/config/iim.conf.xml set-prop iim_ldap.schema2.domain_filter="(&(objectClass=sunManagedOrganization)(|(sunPreferredDomain={0})(associatedDomain={0})))"