Sun Java System Instant Messaging 7.2 Administration Guide

Troubleshooting Instant Messaging and LDAP

The following LDAP issues might arise in a given deployment. Change the LDAP parameters in iim.conf accordingly.

Using a Directory That Does not Permit Anonymous Bind

By default, Instant Messaging server performs an anonymous search of the LDAP directory. However, it is common for sites to prevent anonymous searches in their directory so that arbitrary users cannot search it and retrieve all the information. If your site’s directory is configured to prevent such anonymous searches, and you didn't provide bind credentials during post-installation configuration, you need to configure the Instant Messaging server with a user ID and password it can use to bind and perform searches.

Use the iim_ldap.usergroupbinddn and iim_ldap.usergroupbindcred parameters to configure the necessary credentials.

To Configure Bind Credentials for the Instant Messaging Server

  1. Open iim.conf.

    See iim.conf File Syntax for instructions on locating and modifying iim.conf.

  2. Specify the DN you want the server to use to bind to the directory as the value for iim_ldap.usergroupbinddn.


    iim_ldap.usergroupbinddn=bind-DN
    
  3. Specify the password that corresponds to the bind DN as the value for iim_ldap.usergroupbindcred.


    iim_ldap.usergroupbindcred=password
    
  4. Save and close the file.

Displaying Contact Names Using an Attribute Other than cn

You can customize how Instant Messenger displays contact names. The default attribute used by Instant Messenger to display contact names is cn. Contact names appear as First Name, Last Name. For example, Frank Smith, Mary Jones, and so on.

Use the iim_ldap.userdisplay and iim_ldap.groupdisplay parameters to specify which attribute to use to display contact names.

To Change the Attribute Used to Display Contact Names

  1. Open iim.conf.

    See iim.conf File Syntax for instructions on locating and modifying iim.conf.

  2. Specify the attribute you want to use to display user names as the value for iim_ldap.userdisplay.


    iim_ldap.userdisplay=user-name-attribute
    
  3. Specify the attribute you want to use to display group names as the value for iim_ldap.groupdisplay.


    iim_ldap.groupdisplay=group-name-attribute
    
  4. Save and close the file.

Searching the Directory Using Wildcards

If your directory is indexed to allow the use of wildcards, and you want to be able to use wildcards while searching for contact names, you need to configure the Instant Messaging server to allow wildcard searches. However, allowing wildcard searches can impact performance unless User IDs are indexed for substring search. See Modifying How Client Users Search for Contacts for instructions on allowing wildcard searches in Instant Messaging.

Using Nonstandard Objectclasses for Users and Groups

If your directory uses nonstandard objectclasses to define users and groups, you need to change the appropriate iim_ldap.* parameters, replacing inetorgperson and groupofuniquenames with your values.

See LDAP and User Registration Configuration Parameters for a list of LDAP parameters.

To Change the Objectclasses Used to Specify Users and Groups

  1. Open iim.conf.

    See iim.conf File Syntax for instructions on locating and modifying iim.conf.

  2. Search for and replace inetorgperson with the object class used to define users in your directory.

  3. Search for and replace groupofuniquenames with the object class used to define groups in your directory.

  4. Save and close the file.

Using an Attribute Other than uid for User Authentication

If your directory does not use the uid attribute for user authentication, you need to configure the Instant Messaging server with the attribute used by your directory. By default, Instant Messaging uses uid. You also need to change each filter parameter that contains uid in its value.

Use the iim_ldap.loginfilter parameter to specify which attribute to use for user authentication.

To Change the Attribute Used for User Authentication

  1. Open iim.conf.

    See iim.conf File Syntax for instructions on locating and modifying iim.conf.

  2. Search for and replace uid with the attribute you want to use for user authentication in the following parameters:

    • iim_ldap.loginfilter

    • iim_ldap.usergroupbyidsearchfilter

  3. Save and close the file.

Using an Attribute Other than uid for User IDs

If your directory does not use the uid attribute for user IDs, you need to configure the Instant Messaging server with the attribute used by your directory. By default, Instant Messaging uses uid. In addition, you should index the attribute in the directory to help offset any performance degradation caused by searching on unindexed attributes.

Use the iim_ldap.user.uidattr parameter to specify which attribute to use for user IDs.

To Change the Attribute Used for User IDs

  1. Open iim.conf.

    See iim.conf File Syntax for instructions on locating and modifying iim.conf.

  2. Specify the attribute you want to use for user IDs as the value for iim_ldap.user.uidattr.

    The default value is uid.

    For example, to use the loginname attribute, set the iim_ldap.user.uidattr attribute as follows:

    iim_ldap.user.uidattr=loginname

  3. Save and close the file.

  4. Add the index directive to the indexing rules in LDAP:

    index loginname eq
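
The search-and-replace procedures above (objectclasses, uid) and the bind credential procedure are easy to leave half done. The following check is an added example, not part of the original guide or the product: it lists iim_ldap.* parameters that still reference a default name the site has replaced, flags a bind DN configured without its credential (or the reverse), and flags a world-readable file once it holds the bind password. The function names, the sample values, and the parsing rules (key=value lines, ! for comments) are assumptions.

```python
import re
import stat

BINDDN = "iim_ldap.usergroupbinddn"
BINDCRED = "iim_ldap.usergroupbindcred"

def parse_iim_conf(text):
    """Assumed syntax: one key=value per line, '!' starts a comment,
    values may be double-quoted, the last occurrence of a key wins."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("!") and "=" in line:
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip().strip('"')
    return params

def audit(text, replaced=(), file_mode=None):
    """replaced: default names the site no longer uses, e.g. {"uid"}.
    file_mode: st_mode of iim.conf from os.stat(), if available."""
    params = parse_iim_conf(text)
    findings = []
    if bool(params.get(BINDDN)) != bool(params.get(BINDCRED)):
        findings.append(f"{BINDDN} and {BINDCRED} must be set together")
    if params.get(BINDCRED) and file_mode is not None and file_mode & stat.S_IROTH:
        findings.append("file holds the bind password and is world-readable")
    for key in sorted(params):
        if not key.startswith("iim_ldap."):
            continue
        for name in sorted(replaced):
            # Whole-name match on the value: "uid" must not fire on "guid".
            if re.search(rf"(?<![\w-]){re.escape(name)}(?![\w-])", params[key], re.I):
                findings.append(f"{key} still references {name}")
    return findings

# Constructed sample: the site moved to loginname but missed one filter,
# and set a bind DN without its credential.
SAMPLE = """\
! constructed sample for illustration
iim_ldap.usergroupbinddn="cn=im-search,ou=services,dc=example,dc=com"
iim_ldap.usergroupbindcred=
iim_ldap.user.uidattr=loginname
iim_ldap.loginfilter="(&(objectclass=inetorgperson)(uid={0}))"
iim_ldap.usergroupbyidsearchfilter="(&(objectclass=inetorgperson)(loginname={0}))"
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE, replaced={"uid"}, file_mode=0o100644):
        print(finding)
```

Pass os.stat(path).st_mode as file_mode when auditing the real file; parameters whose values continue across lines are not handled.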