

Configure SSO if Lotus Sametime authenticates with Domino LDAP

If WebSphere Portal authenticates against an LDAP directory such as Microsoft Windows Active Directory and IBM Lotus Sametime authenticates against Domino LDAP, follow the steps described here to synchronize users' names in the directories.

  1. Import the LTPA token into Sametime.

    Ensure that you have correctly imported the WebSphere LTPA key into the Sametime server. For more detailed instructions on this step, refer to technote #1158269, Troubleshooting WebSphere Portal, Domino Extended Products, and Domino SSO Issues. Next, configure the LDAP Directory on the Sametime server by using one of two methods:

    • For Sametime 7.5.1 CF1 or higher, the instructions in step 2 are recommended for performance reasons.

    • For Sametime 7.5.1 or lower, use the instructions in step 3.

  2. Add the portal LDAP DN to the Short Name field of the Person document in Domino.

    For example, if the WebSphere Portal user directory is IBM Directory Server (IDS), and a user's Distinguished Name (DN) from IDS is:

    uid=tuser,cn=users,dc=acme,dc=com

    add the following to the Short Name field of the Person document for Test User:

    uid=tuser/cn=users/dc=acme/dc=com

    Save and close the document. At this point, you should be able to run the following LDAP search command and receive Test User's results:

    ldapsearch -h ldapserver.domain.com -D <bind user if needed> -w <bind user's password> "uid=uid=tuser/cn=users/dc=acme/dc=com"

    Continue to step 4. You do not need to complete step 3.

  3. Add the portal LDAP DN to the User Name field and dereference alias names in the Domino LDAP Directory:

    The Domino server and directory release must be 6.5.2 or higher.

    1. Synchronize the user name in the Domino Directory with the names that WebSphere Portal uses to authenticate a user.

      For example, if WebSphere Portal uses IBM Directory Server (IDS) as its user directory, and a user's Distinguished Name (DN) from IDS is:

      uid=tuser,cn=users,dc=acme,dc=com

      add the following to either the User Name field or the Short Name field of the Person document for Test User in Domino:

      uid=tuser/cn=users/dc=acme/dc=com

      Add this entry below the Domino canonical name (which should be the first line of the User Name field) and the common name (CN) (which should be the second line). Following the example used here, the Person document should be as follows:

      Element        Value
      First name     Test
      Middle name    (blank)
      Last name      User
      User name      Test User/acme
                     Test User
                     uid=tuser/cn=users/dc=acme/dc=com

    2. Update the Domino Server configuration document to dereference alias names:

      1. In the Domino Directory, go to the Configuration\Servers\Configurations view and open the Configuration document for [All Servers].

      2. On the LDAP tab of the Configuration document, set Allow dereferencing of aliases on search requests to Yes.

    3. Shut down the LDAP task, then update the Domino Directory views for the settings to take effect:

      1. Run the following commands from the Domino Server console:

        tell ldap q

        load updall names.nsf -r

      2. After the previous tasks complete, run this command:

        load ldap

      At this point, you should be able to run the following LDAP search command and receive Test User's results:

      ldapsearch -h ldapserver.domain.com -D <bind user if necessary> -w <bind user's password> -a always -b "uid=tuser,cn=users,dc=acme,dc=com" objectclass=*

    If your server is running Sametime 6.5.1, ensure that you have Interim Fix 1 (IF1) installed directly from IBM Lotus Technical Support before you continue to the next step.

  4. Configure the Sametime server to remap users' DNs (distinguished names) when they are passed with an LTPA token. First, configure Sametime to search the uid field for alias names. The steps you perform depend on whether you completed step 2 or step 3 above.

    1. If you completed step 2 above (Short Name method):

      1. Update the notes.ini file as follows:

        ST_UID_PREFIX=*

        ST_UID_POSTFIX=*

      2. Update the sametime.ini file, adding the following under the [Directory] section:

        ST_DB_LDAP_ALTERNATE_ALIAS_FIELD=uid

        ST_DB_LDAP_ALIAS_BASE=<the base DN of the names coming from IDS> (dc=acme,dc=com for the example DN used in steps 2 and 3)

      3. Open stconfig.nsf on the Sametime server, then open the LDAP document and ensure that the following fields are populated:

        • Search Base and Scope

        • Base Objects

        • Base object when searching for person entries

        • Base object when searching for group entries

    2. If you completed step 3 above (User Name and alias dereferencing method):

      1. Update the notes.ini file as follows:

        ST_UID_PREFIX=*

        ST_UID_POSTFIX=*

      2. Open stconfig.nsf on the Sametime server, then open the LDAP document and ensure that the following fields are empty:

        • Search Base and Scope

        • Base Objects

        • Base object when searching for person entries

        • Base object when searching for group entries

  5. To enable awareness, check that you have already enabled Sametime in WebSphere Portal and then update CSEnvironment.properties as follows:

    CS_SERVER_SAMETIME_1.useLTPAToken=true

    CS_SERVER_SAMETIME_1.nameFormatForResolve=dn
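The name rewriting that steps 2 and 3 depend on, as an added example that is not part of the original IBM page: a Python helper that turns a portal LDAP DN into the slash-separated form entered in the Domino Person document and produces the two verification ldapsearch commands. It goes slightly beyond the page by honouring RFC 4514 escapes (an escaped comma is part of a value, not a separator); the host name, the omission of the -D/-w bind options, and the assumption that Domino wants the literal, unescaped text are mine, not the page's.

```python
import string

def split_dn(dn: str) -> list[str]:
    """Split an RFC 4514 DN into RDNs; a backslash-escaped comma stays in the value."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])  # keep the escape pair intact for now
            i += 2
        elif dn[i] == ",":
            rdns.append("".join(current).strip())
            current, i = [], i + 1
        else:
            current.append(dn[i])
            i += 1
    rdns.append("".join(current).strip())
    return [r for r in rdns if r]

def unescape_rdn(rdn: str) -> str:
    """Resolve RFC 4514 escapes: \\, and \\2C both yield a literal comma (assumption:
    Domino stores the literal text, so the escape itself is dropped)."""
    out, i = [], 0
    while i < len(rdn):
        if rdn[i] == "\\" and i + 1 < len(rdn):
            pair = rdn[i + 1:i + 3]
            if len(pair) == 2 and all(c in string.hexdigits for c in pair):
                out.append(chr(int(pair, 16)))  # hex-pair escape, e.g. \2C
                i += 3
            else:
                out.append(rdn[i + 1])           # single-character escape, e.g. \,
                i += 2
        else:
            out.append(rdn[i])
            i += 1
    return "".join(out)

def to_domino_name(dn: str) -> str:
    """uid=tuser,cn=users,dc=acme,dc=com -> uid=tuser/cn=users/dc=acme/dc=com"""
    return "/".join(unescape_rdn(r) for r in split_dn(dn))

def verification_searches(dn: str, host: str) -> dict[str, str]:
    """ldapsearch commands that must return the user after step 2 (Short Name)
    or step 3 (alias dereferencing); bind options (-D/-w) are omitted here."""
    return {
        "step2": f'ldapsearch -h {host} "uid={to_domino_name(dn)}"',
        "step3": f'ldapsearch -h {host} -a always -b "{dn}" objectclass=*',
    }
```

Run to_domino_name over an export of the portal DNs before editing Person documents; a wrong component count after the split usually means an unescaped comma in a display name.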


Parent topic:

Configure single sign-on


Related information


Troubleshooting WebSphere Portal, Domino Extended Products, and Domino SSO Issues.