Troubleshooting User Access & Display in Domino Directory in Sametime 3.1

Mindwatering Incorporated

Author: Tripp W Black

Created: 02/12/2004 at 07:45 PM

Category:
Domino Server Issues Troubleshooting
Directory Assistance & Catalog, LDAP, Sametime

Issues:
You have multiple Notes domains or multiple external directories to integrate so that all users can access Domino.

LDAP DIRECTORY SAMETIME SETUP:
With an LDAP Sametime installation (using LDAP rather than the Domino Directory) and Directory Assistance, you seem to be limited to only ONE LDAP resource. The first directory (priority 1) seems to be accessed okay, but users in the second, third, etc. can log in via HTTP in a web browser but cannot log in to Sametime. The key seems to be to have your LDAP servers feed one main LDAP directory server and then have Sametime connect to it.

You may also run into issues setting up SSL via LDAP, as the Sametime server has to have the same SSL key as the host LDAP server. The result is that you have to use the IBM Key Manager program on the Sametime server to cross authenticate (locally on the Sametime server) the SSL key. This proved highly problematic for me to install and configure successfully.

DOMINO DIRECTORY SAMETIME SETUP:
With the Domino Directory specified for Domino authentication, you have an issue once again with how to bring in multiple domains. If you are lucky enough to have no LDAP directories and only multiple Domino directories, you can use Directory Assistance again. However, once again with Sametime 3.1 (with or without SP1 for it), I found myself limited: only users in the first (in priority) Directory Assistance Domino Directory were able to log in to Sametime. (Once again, web-based (browser) login to the Domino server using multiple directories was successful.)

I tried using a Directory Catalog unsuccessfully. I resorted to writing an agent to move/update users, which worked. However, if users were renamed or were deleted and/or recreated, that left me with the possibility of orphans. I then stumbled onto one of two pages I found in the Administrative Help database:
--> How to configure a server for Extended Directory Catalog, where you use the main address book to collect/aggregate your users/Directories. <--

This was awesome and worked great! Follow the instructions within the manual keeping the following tips in mind:
1. To simplify your configuration, make your primary Directory (names.nsf) on the Sametime server the "First Server in the Domain" -- not a replica of any of the other Domino Directories you are going to aggregate into this Directory.
2. Create a replica of each different Domain directory from the other servers. (I also set the ACL on the other servers for the Sametime server to only have Reader access to these directories.) I then created a Pull-only replication settings document for each server I was replicating with to bring over the Directories, specifying only those directories.
3. As described in the Administrative help, create the Directory setup documents. Do the configuration/setup one first and then do the settings one (where you enable and set scheduling). Follow the steps in the Help file and you should not have any problems here. NOTE THE GOTCHAS BELOW.
3a. When completing the configuration/setup document and specifying Directories to include, DO NOT include the Sametime server's Directory (names.nsf). Otherwise, you will wipe out the existing documents and replace them with each run. Why, you ask? --> If you still have the default fields to aggregate set, you will find your Sametime server document is hosed, without even a public key. Or if you told it not to do servers, you may find it missing completely!
3b. I suggest you turn off Servers from being imported. As the servers probably won't be logging into Sametime, they're just clutter.
3c. Watch groups -- If you are set up to remove duplicate entries (part of the config/setup doc's options), the last group of the set wins. Phrased differently, if each server has multiple groups, instead of adding all the users from that group in each Directory, the only ones left are from the last Directory imported. If you allow duplicate entries then you might end up with the same person from a couple of Directories, and definitely multiple groups! I ended up turning off groups.

List of Fields to Move Over (for step 3a):
FirstName
MiddleInitial
LastName
FullName
Location
MailAddress
Shortname
MailDomain
MailSystem
InternetAddress
MessageStorage
Members
AltFullName
AltFullNameLanguage
HTTPPassword
CheckPassword
Certificate
CertificateDisplay
SametimeServer
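The orphan problem (step 3a's agent approach) and the duplicate-entry problem (gotcha 3c) both show up as inconsistencies between the aggregate and its source directories, so they can be audited. The following is an added example, not from this article or from Domino: the directories are modelled as lists of dicts keyed by the field names listed above, and the sample records are constructed; how you export them is an assumption, not a Domino API.

```python
"""Audit an aggregated directory against its source directories.

Finds orphans (entries whose source record is gone but whose HTTPPassword
still authenticates) and duplicates whose fields disagree (with duplicate
removal enabled, only the last directory's values survive).
"""
from collections import defaultdict

# Constructed sample data: two source Domino Directories and the aggregate
# built from them earlier. Carol has since been deleted from her source;
# Bob exists in both sources with different field values.
SOURCE_DIRS = {
    "names_domainA.nsf": [
        {"FullName": "CN=Alice Smith/O=DomainA", "InternetAddress": "alice@a.example", "HTTPPassword": "(hash-a1)"},
        {"FullName": "CN=Bob Jones/O=Shared", "InternetAddress": "bob@a.example", "HTTPPassword": "(hash-a2)"},
    ],
    "names_domainB.nsf": [
        {"FullName": "CN=Bob Jones/O=Shared", "InternetAddress": "bob@b.example", "HTTPPassword": "(hash-b1)"},
        {"FullName": "CN=Dave Lee/O=DomainB", "InternetAddress": "dave@b.example", "HTTPPassword": "(hash-b2)"},
    ],
}
AGGREGATE = [
    {"FullName": "CN=Alice Smith/O=DomainA", "InternetAddress": "alice@a.example", "HTTPPassword": "(hash-a1)"},
    {"FullName": "CN=Bob Jones/O=Shared", "InternetAddress": "bob@b.example", "HTTPPassword": "(hash-b1)"},
    {"FullName": "CN=Carol King/O=DomainA", "InternetAddress": "carol@a.example", "HTTPPassword": "(hash-a3)"},
]

def index_sources(sources):
    """Map each FullName to the (source name, record) pairs that define it."""
    idx = defaultdict(list)
    for name, records in sources.items():
        for rec in records:
            idx[rec["FullName"]].append((name, rec))
    return idx

def find_orphans(aggregate, sources):
    """FullNames in the aggregate that no source directory defines any more."""
    idx = index_sources(sources)
    return sorted(rec["FullName"] for rec in aggregate if rec["FullName"] not in idx)

def find_conflicts(sources, fields=("HTTPPassword", "InternetAddress")):
    """FullNames defined by more than one source whose given fields disagree."""
    conflicts = {}
    for full_name, hits in index_sources(sources).items():
        if len(hits) < 2:
            continue
        differing = [f for f in fields if len({rec.get(f) for _, rec in hits}) > 1]
        if differing:
            conflicts[full_name] = {"sources": [s for s, _ in hits], "fields": differing}
    return conflicts

if __name__ == "__main__":
    print("orphans:", find_orphans(AGGREGATE, SOURCE_DIRS))
    print("conflicts:", find_conflicts(SOURCE_DIRS))
```

Run it after each Dircat pass; an orphan means a deleted user can still log in with the aggregated HTTPPassword, and a conflict tells you which directory's credentials actually won.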


To run the initial load, type at the server console: load dircat names.nsf

To set the schedule of when it runs, do not update notes.ini and add it there. Instead, add it to the Server document --> Server Tasks tab --> Directory Cataloger tab.

You update the Directory Catalog via Configuration tab --> Directory twistie --> Directory Catalog.
