Oracle® Communications Instant Messaging Server System Administrator's Guide
Release 9.0.2

E52523-01

3 Using LDAP with Instant Messaging Server

This chapter covers aspects of using LDAP with Oracle Communications Instant Messaging Server. It contains the following sections:

  • Managing LDAP Access Configuration for Instant Messaging Server

  • Configuring Instant Messaging Server to Use LDAP Groups

Managing LDAP Access Configuration for Instant Messaging Server

This section describes how Instant Messaging Server uses LDAP.

Overview of How Instant Messaging Server Uses LDAP

All deployments of Instant Messaging Server require a Directory Server. Instant Messaging Server uses the Directory Server to perform end-user authentication and to search for end users.

The default Instant Messaging Server configuration makes the following assumptions regarding the LDAP schema used by Directory Server:

  • End user entries are identified by the inetOrgPerson object class.

  • Group entries are identified by the groupOfUniqueNames or groupofURLs object class.

  • The Instant Messenger user ID of an end user is provided by the uid attribute (from the inetOrgPerson object class).

  • The email address of an end user is provided by the mail attribute.

  • The display name of an end user or group is provided by the cn attribute.

  • The list of members of a group is provided by the uniqueMember attribute (groupOfUniqueNames object class).

You can change these default settings by running the imconfutil command to modify the appropriate configuration properties.

Caution:

Some user attributes might contain confidential information. Ensure that your directory access control is set up to prevent unauthorized access by non-privileged users. Refer to your directory documentation for more information.

Searching the Directory Anonymously

Instant Messaging Server must be able to search the directory to function correctly. If your directory is configured to be searchable by anonymous users, Instant Messaging Server can search it without further configuration. If the directory is not readable or searchable by anonymous users, you must configure the iim.conf.xml file with the credentials of a user ID that has at least read access to the directory. These credentials consist of:

  • A distinguished name (dn)

  • The password of the distinguished name (dn)

To Enable the Server to Conduct Directory Searches as a Specific End User

  1. Identify values for the following Instant Messaging Server configuration properties.

    • iim_ldap.usergroupbinddn - Specifies the distinguished name (dn) to use to bind to the directory for searches.

    • iim_ldap.usergroupbindcred - Specifies the password to use with the distinguished name (dn).

    For example:

    iim_ldap.usergroupbinddn="cn=iim server,o=i-zed.com"
    iim_ldap.usergroupbindcred=secret
    

    Note:

    You do not have to use administrator-level credentials with write-level access. All that is necessary is read access to the domain tree. Thus, if there is an LDAP user with read-level access, use its credentials instead. This is a safer alternative as it does not force you to disseminate the administrator-level credentials.
  2. Run the imconfutil command to modify the configuration properties.

    If the iim_ldap.usergroupbinddn and iim_ldap.usergroupbindcred properties do not appear in the iim.conf.xml file, add them.

    For example:

    imconfutil set-prop iim_ldap.usergroupbinddn="cn=Directory Manager" iim_ldap.usergroupbindcred=password -c /opt/sun/comms/im/config/iim.conf.xml
    

Configuring Instant Messaging Server to Use LDAP Groups

You can configure Instant Messaging Server so that end users can send a message to an LDAP group, which can be either dynamic or static. Also, you can assign/affiliate LDAP groups as members of a restricted chat room.

LDAP distinguishes between dynamic and static groups as follows:

  • LDAP dynamic group: Membership, rather than being maintained explicitly in a list, is determined by search criteria using an LDAP URL. Dynamic groups use the groupOfURLs object class and the memberURL attribute to define LDAP URLs with the criteria (search base, scope, and filter) to be used for determining members of the group.

  • LDAP static group: A static group is one whose entry contains a membership list of explicit DNs. You can define a static group by using the groupOfUniqueNames object class and by explicitly specifying the member DNs using the uniqueMember attribute.

In Directory Server and some other LDAP servers, dynamic groups filter end users based on their DN and include them in a single group. The dynamic groups are defined in Directory Server by the groupOfUrls object class.

To enable end users to view the dynamic groups in search results and add them to their contact list, you need to include groupOfUrls objects in search results.

Starting with Instant Messaging Server 9.0.2.6.0, you can assign/affiliate LDAP groups as members of a restricted chat room. When Instant Messaging Server creates the multi-user chat room, it loads the chat room's affiliations from LDAP. When a user attempts to join, Instant Messaging Server determines whether the user is a member of any of the groups authorized for the multi-user chat room, allows the user to join if so, and otherwise forbids the user from joining. You use the iim_server.enablegroupsinconference property to enable and disable LDAP groups in multi-user chat. When set to true, this property enables groups for multi-user chat. When set to false, this property disables groups for multi-user chat. By default, groups for multi-user chat are disabled.

This section contains the following topics:

  • To Configure Instant Messaging Server to Use LDAP Groups

  • To Use Group Messaging

  • To Configure Chat Room Membership Based on LDAP Group Membership

  • To Use Chat Rooms Based on LDAP Group Membership

To Configure Instant Messaging Server to Use LDAP Groups

  1. If you have not already done so, create the LDAP group to be used for group messaging. See "Managing Groups" in Sun Java System Directory Server Enterprise Edition 6.0 Administration Guide at:

    http://docs.oracle.com/cd/E19693-01/819-0995/bcajq/index.html

  2. Set the iim_server.group.servicename property, if the service name for group messaging is to be changed from the default name groups.

    For example:

    imconfutil set-prop iim_server.group.servicename=mygroups -c $IM_BASE_DIR/config/iim.conf.xml
    
  3. Set the appropriate configuration property, depending on if you want to search for dynamic or static groups.

    • To search for dynamic groups, set the following properties:

      imconfutil set-prop iim_ldap.groupbrowsefilter="(|(&(objectclass=groupofurls)(cn={0}))" -c $IM_BASE_DIR/config/iim.conf.xml
      imconfutil set-prop iim_ldap.groupclass=groupofurls -c $IM_BASE_DIR/config/iim.conf.xml
      
    • To search for static groups, set the following properties:

      imconfutil set-prop iim_ldap.groupbrowsefilter="(|(&(objectclass=groupofuniquenames)(cn={0}))" -c $IM_BASE_DIR/config/iim.conf.xml
      imconfutil set-prop iim_ldap.groupclass=groupofuniquenames -c $IM_BASE_DIR/config/iim.conf.xml
      

      Note:

      Static groups can also inherit from the groupOfNames object class, with their members listed in the member attribute. In that case the search filter for static groups must be modified accordingly. By default, the member attribute is not used as the membership attribute of a static group, so you must also set iim_ldap.groupmemberattr=member to use it.

      Enter each imconfutil command on a single line, without line breaks. The attribute and object class names are configurable. By default, the memberOfUrls attribute is used as the membership attribute of a dynamic group. To use a different attribute name, set the iim_ldap.groupmemberurlattr property to that attribute name.

    • To search for both dynamic and static groups, set the following properties:

      imconfutil set-prop iim_ldap.groupbrowsefilter="(|(&(objectclass=groupofuniquenames)(cn={0}))(&(objectclass=groupofurls)(cn={0})))" -c $IM_BASE_DIR/config/iim.conf.xml
      imconfutil set-prop iim_ldap.groupclass=groupofurls,groupofuniquenames -c $IM_BASE_DIR/config/iim.conf.xml
      
  4. To search for static groups having groupofnames object class, set the following properties:

    imconfutil set-prop iim_ldap.groupbrowsefilter="(&(objectclass=groupofnames)(cn={0}))" -c $IM_BASE_DIR/config/iim.conf.xml
    imconfutil set-prop iim_ldap.groupclass=groupofnames -c $IM_BASE_DIR/config/iim.conf.xml
    imconfutil set-prop iim_ldap.groupmemberattr=member -c $IM_BASE_DIR/config/iim.conf.xml
    
  5. To send a message to a group, see "To Use Group Messaging".
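
The two configuration points above, the groupbrowsefilter template with its {0} placeholder and the distinction between static (groupOfUniqueNames/uniqueMember) and dynamic (groupOfURLs/memberURL) groups that the restricted-chat-room check relies on, can be made concrete with a small script. The following is an added example, not code from the Oracle documentation or from Instant Messaging Server itself: it validates a filter template (rejecting an unbalanced one such as a template with a stray parenthesis), escapes the substituted group name per RFC 4515, and then resolves group membership against a constructed in-memory directory using a minimal RFC 4515 filter evaluator and RFC 4516 LDAP URL parser. The sample entries, DNs and the restricted-room helper are constructed for illustration; how the server itself escapes or evaluates filters is not described on this page.

```python
"""Added example, not code from the Oracle documentation or from Instant
Messaging Server. Builds a group search filter from a groupbrowsefilter-style
template (validating it and escaping the group name), and resolves static and
dynamic LDAP group membership against a constructed in-memory directory."""
import re
from urllib.parse import unquote

# Constructed sample entries (DN -> attributes, attribute names lower-cased).
DIRECTORY = {
    "uid=alice,ou=people,o=example.com": {
        "objectclass": ["inetorgperson"], "uid": ["alice"], "departmentnumber": ["eng"]},
    "uid=bob,ou=people,o=example.com": {
        "objectclass": ["inetorgperson"], "uid": ["bob"], "departmentnumber": ["sales"]},
    "cn=staticgroup,ou=groups,o=example.com": {
        "objectclass": ["groupofuniquenames"], "cn": ["staticgroup"],
        "uniquemember": ["uid=bob,ou=people,o=example.com"]},
    "cn=engineers,ou=groups,o=example.com": {
        "objectclass": ["groupofurls"], "cn": ["engineers"],
        "memberurl": ["ldap:///ou=people,o=example.com??sub?(departmentnumber=eng)"]},
}
ATTR_NAME = re.compile(r"[A-Za-z][\w.;-]*")

def _parse(s, i):
    """RFC 4515 subset: &, |, ! and simple equality/presence items."""
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if i < len(s) and s[i] in "&|!":
        op, i, kids = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            node, i = _parse(s, i)
            kids.append(node)
        if i >= len(s) or s[i] != ")" or not kids:
            raise ValueError("unbalanced filter at offset %d" % i)
        return (op, kids), i + 1
    end = s.find(")", i)
    if end < 0:
        raise ValueError("missing ')' in filter item")
    attr, eq, value = s[i:end].partition("=")
    if not eq or not ATTR_NAME.fullmatch(attr):   # catches a stray '(' before the attribute
        raise ValueError("bad filter item at offset %d" % i)
    return ("=", attr.lower(), value), end + 1

def parse_filter(text):
    node, i = _parse(text, 0)
    if i != len(text):
        raise ValueError("trailing data after filter")
    return node

def is_valid_filter(text):
    try:
        parse_filter(text)
        return True
    except ValueError:
        return False

def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside a filter assertion."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)

def build_group_filter(template, group_name):
    """Fill the {0} placeholder of a groupbrowsefilter-style template."""
    if "{0}" not in template or not is_valid_filter(template):
        raise ValueError("template is malformed or lacks {0}")
    return template.replace("{0}", escape_filter_value(group_name))

def matches(node, attrs):
    """Evaluate a parsed filter against one entry's attributes."""
    op = node[0]
    if op == "&":
        return all(matches(k, attrs) for k in node[1])
    if op == "|":
        return any(matches(k, attrs) for k in node[1])
    if op == "!":
        return not matches(node[1][0], attrs)
    _, attr, value = node
    values = [v.lower() for v in attrs.get(attr, [])]
    return bool(values) if value == "*" else value.lower() in values

def parse_ldap_url(url):
    """ldap://[host]/base?attrs?scope?filter (RFC 4516) -> (base, scope, filter);
    scope defaults to base and filter to (objectclass=*) as the RFC specifies."""
    if not url.lower().startswith("ldap://"):
        raise ValueError("not an LDAP URL")
    _host, _, rest = url[len("ldap://"):].partition("/")
    base, _attrs, scope, flt = (unquote(p) for p in (rest.split("?") + [""] * 4)[:4])
    return base, (scope or "base").lower(), flt or "(objectclass=*)"

def in_scope(dn, base, scope):
    """Scope test; assumes no escaped commas inside RDN values."""
    dn, base = dn.lower(), base.lower()
    if scope == "base":
        return dn == base
    if not dn.endswith("," + base):
        return False
    return scope == "sub" or "," not in dn[: -len(base) - 1]  # "one": a single RDN

def is_member(user_dn, group_dn, directory=DIRECTORY):
    group = directory[group_dn]
    classes = group.get("objectclass", [])
    if "groupofuniquenames" in classes:   # static group: explicit DN list
        return user_dn.lower() in [m.lower() for m in group.get("uniquemember", [])]
    if "groupofurls" in classes:          # dynamic group: evaluate each memberURL
        user = directory.get(user_dn)
        return user is not None and any(
            in_scope(user_dn, b, sc) and matches(parse_filter(f), user)
            for b, sc, f in map(parse_ldap_url, group.get("memberurl", [])))
    raise ValueError("unsupported group object class: %s" % classes)

def may_join_restricted_room(user_dn, affiliated_groups, directory=DIRECTORY):
    """Rule from the text: join only if a member of at least one affiliated group."""
    return any(is_member(user_dn, g, directory) for g in affiliated_groups)
```

With this directory, alice is a member of the dynamic group engineers (her entry is under the URL's search base and matches its filter), bob is a member only of the static group, and a DN absent from both groups is refused by may_join_restricted_room. build_group_filter turns the template from step 3 into a filter such as (&(objectclass=groupofurls)(cn=sales\2a)) for the name sales*, which searches for that literal name rather than a wildcard.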

To Use Group Messaging

  1. In the client's chat window, type the group's full Jabber ID in the form groupName@group.domainname in the To tab. For example:

    testGroup@mygroups.example.com
    
  2. Type the message and click send.

To Configure Chat Room Membership Based on LDAP Group Membership

To configure chat room membership based on LDAP group membership:

  1. See "To Configure Instant Messaging Server to Use LDAP Groups" for instructions on how to create an LDAP group to use for the chat room.

  2. To enable LDAP groups for multi-user chat, set the iim_server.enablegroupsinconference property to true.

    imconfutil set-prop iim_server.enablegroupsinconference=true -c $IM_BASE_DIR/config/iim.conf.xml
    

To Use Chat Rooms Based on LDAP Group Membership

To use LDAP group-based chat rooms:

  1. Create a persistent member-only chat room.

    Member-only chat rooms allow only users on the chat room's member list to join. Create a new chat room and make it a persistent member-only chat room by selecting the Persistent and Restricted options in the chat room configuration window.

  2. Assign a group affiliation to the chat room.

    To enable members of a particular group to join and participate in a member-only room, the group must be affiliated with the room. To do so, the chat room administrator adds the group to the chat room's member list. By default, the creator of the chat room is its administrator.

    1. To add the group to the chat room's member list, run the following command in the chat window:

      /affiliate member testGroup@mygroups.example.com
      
    2. To verify that the group was added successfully to the member list, run the following command:

      /affiliate member
      

    Users of the group should now be able to join and participate in the chat room.