Sametime 8.5.x LDAP: Domino vs. Active Directory

While working on the upgrade of our existing Sametime environment to Sametime 8.5.1 (soon 8.5.2), I ran across a question I consider worth sharing: should I use Domino LDAP or connect to Active Directory?

There are good and not-so-good reasons for either option:

  • To get the discussion started: the obvious choice seems to be to keep using the Domino Directory when switching to LDAP. This way users keep working in their familiar directory structure, without having the rather technical structure of (our) AD imposed on them.
  • On the other hand, it also seems quite reasonable to implement SPNEGO. This, however, requires Active Directory as the LDAP source.
  • On the flip side, there is the obvious issue of the non-hierarchical structure of Domino groups. Combine this with the requirement to define a base entry for LDAP, as mentioned by Gabriella Davis, and you are left with yet another point to consider, especially if you are reluctant to make existing groups in the Domino Directory hierarchical (who does that anyway?).

I am wondering how other environments have designed their solution. Did you really append an organisation to the names of groups just to make them available in an LDAP tree?
How did you maintain group entries in vpuserinfo.nsf when moving between directories? Person entries are easily handled with the name change task, but groups are rarely replicated between directories, so the benefit of public groups previously added to contact lists is simply gone.
Is there any way to use Domino as an LDAP source and still provide SSO in a Windows environment? I am wondering whether the WebSphere server could connect to two directories, one for authentication and the other for online awareness, similar to the portal configuration described here. Or maybe use a Domino server for authentication, with LTPA keys shared between WebSphere and Domino?

Apologies to everyone who expected answers to their own questions here. Do not hesitate, though, to leave a comment if you have a suggestion for any of the questions raised here or below.

2 thoughts on “Sametime 8.5.x LDAP: Domino vs. Active Directory”

  1. “Combine this with the requirement to have a base entry for LDAP”

    FYI, that was a requirement in 8.5, not in 8.5.1 and later.

  2. Thanks, Carl, I’ll definitely give it a try. Maybe I am misunderstanding this passage in the 8.5.1 information centre:

    Note: A dropdown list typically displays from which you select a base DN that is detected by the guided activity; however, the list does not display when Domino® LDAP is being used. Additionally, Domino LDAP is the only LDAP that uses a blank base DN, while WebSphere® requires a base DN for federating repositories. Since WebSphere does not let you federate an LDAP directory with an empty base DN, it sets the base DN to C=US. The LDAP repositories are listed by base DN after they are federated.
    Failure to specify a base distinguished name will prevent authenticated users from creating and attending meetings on the Lotus Sametime Meeting Server.

    If your site uses single sign-on (SSO) for awareness, you must manually modify the base DN in both the Lotus Sametime Community Server and Lotus Sametime Meeting Server so they match. Update the Sametime Community Server’s LDAP connections in the stconfig.nsf and da.nsf to use the same base DN that the Sametime Meeting Server will be using: C=US. The Sametime System Console does not overwrite any manual changes that you make.

    Reading the above comment, I understood that while it is not mandatory to specify a base DN, a base DN is required to get SSO for awareness in online meetings working.
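Both the post's point about flat Domino group names and the Info Center passage quoted above come down to the same question: which entries are subordinate to the base DN that WebSphere ends up using (C=US when Domino's blank base DN is federated)? The checker below is an added example written for this page; it is not code from the post, from IBM, or from any Sametime component. It parses DNs as simple RFC 4514 strings (single-valued RDNs, backslash escapes), compares them case-insensitively, and reports which entries of a constructed sample directory would sit outside a candidate base DN. The sample entries, the organisation name Acme and the helper names are assumptions for illustration; how a particular LDAP server actually answers a search under a base DN it does not hold is server-specific and not modelled here.

```python
"""Check which directory entries fall under a candidate LDAP base DN.

Added example, not from the original post or from IBM/HCL documentation.
It models the situation in the post: flat Domino group names such as
"CN=Sales" have no O= or C= component, so they are not subordinate to a
base DN like C=US that WebSphere substitutes for Domino's blank base DN.
The sample entries below are constructed; real DNs will differ.
"""

from typing import List, Tuple

Rdn = Tuple[str, str]  # (attribute type, value); type is lower-cased


def split_dn(dn: str) -> List[Rdn]:
    """Split an RFC 4514 DN string into RDNs, honouring backslash escapes.

    Simplified: single-valued RDNs only (no '+'), which covers Domino names.
    Returns the RDN list in the order written (leaf first), with attribute
    types lower-cased and surrounding whitespace stripped. An empty string
    (Domino's blank base DN) yields an empty list.
    """
    if not dn.strip():
        return []
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:                 # character after a backslash is literal
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":             # unescaped comma separates RDNs
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    rdns = []
    for part in parts:
        if "=" not in part:
            raise ValueError(f"malformed RDN {part!r} in DN {dn!r}")
        typ, val = part.split("=", 1)
        rdns.append((typ.strip().lower(), val.strip()))
    return rdns


def is_under_base(entry_dn: str, base_dn: str) -> bool:
    """True if entry_dn is base_dn itself or subordinate to it.

    A blank base DN matches everything. Attribute types compare
    case-insensitively, and so do values, which matches the caseIgnoreMatch
    rule used by cn, o, ou and c.
    """
    entry, base = split_dn(entry_dn), split_dn(base_dn)
    if not base:
        return True
    if len(base) > len(entry):
        return False
    suffix = entry[len(entry) - len(base):]
    return [(t, v.lower()) for t, v in suffix] == [(t, v.lower()) for t, v in base]


def partition(entries: List[str], base_dn: str) -> Tuple[List[str], List[str]]:
    """Return (visible, outside) entry DNs for a given base DN."""
    visible = [e for e in entries if is_under_base(e, base_dn)]
    outside = [e for e in entries if not is_under_base(e, base_dn)]
    return visible, outside


# Constructed sample directory: hierarchical people, one hierarchical group,
# and two flat groups of the kind the post says nobody wants to rename.
SAMPLE_ENTRIES = [
    "CN=Jane Doe,O=Acme,C=US",
    "CN=John Smith,OU=Sales,O=Acme,C=US",
    "CN=Sales Managers,O=Acme,C=US",
    "CN=Sales",                 # flat Domino group, no organisation suffix
    "CN=Doe\\, Jane Project",   # escaped comma inside the value, still flat
]

if __name__ == "__main__":
    for base in ("", "C=US", "O=Acme,C=US"):
        seen, missed = partition(SAMPLE_ENTRIES, base)
        print(f"base DN {base!r}: {len(seen)} found, {len(missed)} outside")
        for dn in missed:
            print("   outside:", dn)
```

Running the script with a blank base DN lists every entry as found; with C=US the two flat groups drop out, which is the practical cost of letting WebSphere substitute C=US for Domino's blank base DN without making the groups hierarchical first. Feeding it the group DNs exported from your own directory (for example the output of an ldapsearch for objectclass=dominoGroup) gives a quick inventory of what would have to be renamed.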
