I. Introduction to LDAP
a. Brief intro on the differences in domino directory versus LDAP.
Formatting differs, and an LDAP directory is served either by the LDAP task running on Domino or by a 3rd-party directory server. The following databases must be configured properly for Sametime to function: da.nsf (directory assistance) and stconfig.nsf (LDAP configuration documents).
b. Differences in the naming convention of the Domino directory versus LDAP. Instead of a forward slash, a comma is used to separate the values. In the general naming convention of the Domino directory an entry might look like cn=name/o=organization, whereas in LDAP it would look like cn=name,o=organization. Because of this, entries for these users are stored differently in vpuserinfo.nsf (the buddy list).
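The slash-to-comma conversion described above, as an added example (not code from the page or from Sametime); it assumes that an untyped abbreviated Domino name reads first component = CN, last = O, anything between = OU, and it escapes DN special characters per RFC 4514:

```python
# Added example: convert a Domino hierarchical name to the comma-separated LDAP
# DN form that Sametime stores once it is configured against LDAP.

# RFC 4514 characters that must be backslash-escaped inside a DN attribute value.
_DN_SPECIALS = ',+"\\<>;'

def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use in an LDAP DN (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        needs_escape = (ch in _DN_SPECIALS
                        or (ch == '#' and i == 0)
                        or (ch == ' ' and i in (0, last)))
        out.append('\\' + ch if needs_escape else ch)
    return ''.join(out)

def domino_to_ldap_dn(domino_name: str) -> str:
    """Turn 'CN=Jane Doe/OU=Sales/O=Acme' into 'cn=Jane Doe,ou=Sales,o=Acme'.

    Assumption (not stated on the page): an untyped abbreviated name such as
    'Jane Doe/Sales/Acme' is read in Domino's order, first component = CN,
    last component = O, anything in between = OU.  A trailing country (C)
    component is not handled here.
    """
    parts = [p.strip() for p in domino_name.split('/') if p.strip()]
    if not parts:
        raise ValueError("empty Domino name")
    typed = all('=' in p for p in parts)
    rdns = []
    for idx, part in enumerate(parts):
        if typed:
            attr, _, val = part.partition('=')
        else:
            attr = 'CN' if idx == 0 else ('O' if idx == len(parts) - 1 else 'OU')
            val = part
        rdns.append(attr.strip().lower() + '=' + escape_dn_value(val.strip()))
    return ','.join(rdns)

if __name__ == "__main__":
    print(domino_to_ldap_dn("CN=Jane Doe/OU=Sales/O=Acme"))
```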
II. Flavors of LDAP
a. Domino LDAP
Uses the regular Domino naming convention with the forward slashes replaced by commas. Because this is the Domino directory, any attribute that Notes or Sametime needs will already be present. EX: Shortname, displayname, etc.
b. AD(Active Directory)
This LDAP directory uses a different naming convention, and its user entries carry different attributes. The most commonly used attribute is sAMAccountName.
c. Sun One
This follows the normal convention of LDAP directories and has no special considerations or unique attributes.
III. There are several differences and considerations when configuring Sametime to use one of the above LDAP directories.
In earlier releases of Sametime it was sufficient to use the Domino directory; beginning in Sametime 8.5, LDAP is required, so here are some specific differences.
a. The use of dominouid in Domino LDAP directories.
b. The use of the LDAP attribute sAMAccountName for Active Directory.
c. Directory assistance will require a different configuration based on directory types.
d. The names/attributes will be formatted differently.
e. Search filter for resolving person names:
(&(objectclass=organizationalPerson)(|(cn=%s*)(uid=%s*)(mail=%s*)))
In searching it is preferred to have the trailing * (wildcard), as this lets the search match a much wider range of entries for maximum results. Any attribute that users need to search on must be included in this LDAP setting.
f. Search filter to use when resolving a user name to a distinguished name:
(&(objectclass=organizationalPerson)(|(mail=%s)(cn=%s)(uid=%s)))
In authentication, if a specific attribute is required, be sure it is included here. For example, if in a Domino LDAP a user wants to log in with his shortname, the administrator needs to ensure that the appropriate attribute is included in this search filter.
g. When making modifications, be sure to keep the syntax and formatting the same. An incorrect filter can prevent searches and authentication from occurring, or prevent people from being found at all.
IV. Discuss the considerations or common problems when using LDAP.
a. Converting to LDAP (buddy list, etc.)
Because of the way information is stored in vpuserinfo.nsf, careful planning and consideration should go into the setup and install of Sametime and into what is used for authentication.
b. LDAP referrals are not supported in sametime.
c. Directory browsing limitations and considerations (not enabled by default; not recommended due to performance issues/concerns). IBM does not recommend using directory browsing; it can cause performance issues that in some cases are a real hindrance.
Additional considerations and resources.
The TO-DO list for converting from the Domino directory to LDAP for Sametime authentication.
Doc #: 1366499
1) Replace the Domino Directory with an LDAP directory in the sametime configuration.
Option 1: Reinstall sametime
Which files should be backed up before reinstalling a Sametime server
Option 2: Change the setup/install manually without having to reinstall.
Option 3(i5/OS): Replace the Domino Directory with an LDAP directory for i5/OS
This option gives instructions specific to i5/OS.
2) Run the Sametime Name Change Task. This allows an administrator to convert vpuserinfo.nsf to the correct format so that users do not lose their buddy lists.
This procedure is associated with enabling Sametime® to connect to an LDAP server if you have selected the Domino® directory during the server installation.
Note: If the buddy list is not converted to LDAP format, users will lose their buddy list and will have to rebuild it from scratch.
3) Verify that the DA (directory assistance) document is accurate. An example DA document is included.
If the Sametime server is reinstalled, the DA should be set up automatically and no additional configuration should be required.
Title: Sample Sametime Directory Assistance document for a Domino LDAP environment Doc #: 1244027
4) Enable directory browsing to allow the user to search for names of users in the ldap directory
Directory searching and browsing options - Browse function is disabled by default with LDAP
5) Inbox awareness no longer works after upgrading to LDAP.
When Sametime is configured to use LDAP for name lookup, the community server may require you to use names in the canonical form cn=/ou=/o=org to resolve names for Inbox awareness in the Notes client. This may be configured using different methods, depending on the release of your Notes client.
In Notes 6.x, 7.x, and 8.x Basic releases, the setting 'Use canonical name for instant messaging status lookup' can be configured in the Notes Client UI in File > Preferences > User Preferences > Instant Messaging tab. This setting writes IM_USE_CANONICAL_NAMES=1 to the notes.ini and is recognized by all Basic client releases (including Notes 8.5 Basic) as well as Notes 8.0.x Standard, with the exception of Notes 8.0.0 (This was reported to Quality Engineering as SPR # DCHR77TS3E and fixed in Notes 8.0.1).
Beginning in Notes 8.5, the notes.ini parameter IM_USE_CANONICAL_NAMES= is no longer recognized. A new setting, "Use canonical names for status lookup", exists in File > Preferences > Sametime > Server Communities > Server community > Options tab.
6) Logging into the sametime server no longer seems to work.
Use the first and last name for authentication. By default the first and last name are listed; attributes like the shortname are not in the LDAP settings by default, so to be able to use the shortname, that attribute must be added to the LDAP search and authentication filters. Any other attributes may be added in the same way. Note the different formats: the search filter for resolving person names uses an '*' and the search filter for resolving a user name to a distinguished name does not. When adding new entries to the search filters, the parenthesis syntax of the new entries is very important.
Example:
Search filter for resolving person names:
(&(objectclass=organizationalPerson)(|(cn=%s*)(givenname=%s*)(sn=%s*)(mail=%s*)(shortname=%s*)))
Search filter to use when resolving a user name to a distinguished name:
(&(objectclass=organizationalPerson)(|(cn=%s)(givenname=%s)(sn=%s)(mail=%s)(shortname=%s)))
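The parenthesis syntax that sections III.g and 6) above warn about, as an added example (not code from the page or from Sametime): it checks a filter template the way the administrator should before saving it, then fills the %s placeholders with RFC 4515 escaping so that typed search text can only ever be a value, never extra filter structure.

```python
# Added example: validate a Sametime-style LDAP search filter template and fill
# its %s placeholders safely.  PERSON_FILTER and DN_FILTER are the two default
# filters quoted in the text, embedded here as constructed test data.
import re

# RFC 4515 escaping for a value placed inside a filter.  The '*' wildcard is
# only allowed where the template itself supplies it (cn=%s*), never from input.
_FILTER_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\x00': r'\00'}

_MARK = '\x01'                                            # stands in for a reduced group
_LEAF = re.compile(r'\([A-Za-z][\w;.-]*=[^()\x01]*\)')    # (attribute=value)
_NODE = re.compile(r'\((?:[&|]\x01+|!\x01)\)')            # (&...) (|...) (!...)

def escape_filter_value(value: str) -> str:
    """Escape one user-supplied value for use inside an LDAP search filter."""
    return ''.join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def check_filter_template(template: str) -> list:
    """Return the problems found in a filter template (an empty list means OK)."""
    problems = []
    if '%s' not in template:
        problems.append("template has no %s placeholder")
    if not (template.startswith('(') and template.endswith(')')):
        problems.append("filter must be wrapped in parentheses")
        return problems
    # Reduce the filter from the inside out: each well-formed group collapses to
    # one marker; whatever refuses to collapse is where the syntax is broken.
    s = template
    while s != _MARK:
        s, leaves = _LEAF.subn(_MARK, s)
        s, nodes = _NODE.subn(_MARK, s)
        if leaves + nodes == 0:
            problems.append("malformed syntax near: " + s[:40].replace(_MARK, '#'))
            break
    return problems

def fill_filter(template: str, user_input: str) -> str:
    """Substitute every %s in a validated template with the escaped user input."""
    problems = check_filter_template(template)
    if problems:
        raise ValueError('; '.join(problems))
    return template.replace('%s', escape_filter_value(user_input))

PERSON_FILTER = "(&(objectclass=organizationalPerson)(|(cn=%s*)(uid=%s*)(mail=%s*)))"
DN_FILTER = "(&(objectclass=organizationalPerson)(|(mail=%s)(cn=%s)(uid=%s)))"

if __name__ == "__main__":
    print(fill_filter(PERSON_FILTER, "jo"))
    print(check_filter_template("(&(objectclass=organizationalPerson)(|(cn=%s*)(uid=%s*))"))
```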
Lotus Sametime Standard 8.0.2
Configure the LDAP Directory settings
Specify the LDAP Directory settings that enable the Sametime server to search the LDAP directory on the LDAP server and authenticate Sametime users against entries in the LDAP directory.
Before you begin
Configuring the LDAP Directory settings requires previous experience with LDAP; in particular you will need to know the following information:
* The structure (directory tree) of the LDAP directory the Sametime® server will access
* The schema of Person and Group entries in the LDAP directory
* How to construct LDAP search filters to access the attributes of Person and Group entries in the LDAP directory
About this task
You must configure the LDAP Directory settings on the LDAP document in the Configuration database to ensure that the Sametime server can search and authenticate against entries in the LDAP directory. Use the Sametime Administration Tool to enter LDAP Directory settings; the tool then writes the values to the LDAP document in the Sametime Configuration database (stconfig.nsf).
Note: Once users are registered with Lotus Sametime, a copy of their user name is stored on the Lotus Sametime server. If you modify the user's name in the LDAP directory, you will need to use the Name Change feature to update the Lotus Sametime user registry and ensure continued access to Lotus Sametime. When choosing an LDAP field for authentication with Lotus Sametime, you should choose a field that will change infrequently. In addition, you should use a field that requires a unique value for each user (such as an e-mail address), or else additionally specify a field that can be used to disambiguate among users with similar names.
To configure the LDAP settings using the Sametime Administration Tool:
1. In the Sametime server home page, click Administer the server.
2. Click LDAP Directory.
3. Enter the settings to enable your LDAP directory to access Sametime servers. For descriptions of the settings, see LDAP directory settings.
4. Click Save & Close.
5. Restart the Sametime server to enable your settings.
http://www-01.ibm.com/support/docview.wss?rs=203&uid=swg21240886