Restrict users from accessing Sametime server

Tags: IBM Lotus SameTime, Lotus, Lotus Administration, User restrictions
How can I restrict users from accessing the Sametime server?

Answer Wiki


In the Server document you have restricted access to the server to a limited number of users by setting the following fields:

Security tab -> Who can Access Server
Security tab -> Who can NOT Access Server

This works as expected for most Sametime functions in that it refuses access to any users not named in the Server Access field. However, users using Sametime Connect can still access the server for chat functionality.

Answer
The “Who can Access Server” and “Who can NOT Access Server” fields are working as designed. For Sametime Connect instant messaging, the only authorization required is to have an entry in the Domino Directory, which has an HTTP password.
The following information describes some recommendations on how to secure the server to prevent unauthorized users from accessing it. It is broken into six parts.

Part I – Changes to stconf.nsf
Part II – Changes to stcenter.nsf
Part III – Preventing usage of Instant Meeting functionality and Sametime Connect for Browsers
Part IV – Preventing usage of Sametime Connect
Part V – Workaround for LDAP implementations
Part VI – Restricting specific Sametime Connect client versions

Part I: Changes to stconf.nsf
There are two databases that should be locked down from public viewing. The first one is the Sametime Conference (stconf.nsf) database. This is where all of the meeting information such as Meeting Details and whiteboard attachments are kept. To secure this database you can modify the Access Control List settings (ACL) and change Anonymous to “No access”. By changing the anonymous access to no access and unchecking the “Read public documents” and “Write public documents” options, users will be prompted to login before creating and editing meetings.

Note:
To further restrict who can create and attend meetings on the Sametime server:

* create a Multipurpose or ACL group in the Domino Directory (example: STMeetingUsers)
* add authorized users to the group
* modify the ACL of the stconf.nsf
* set Default to No Access
* add the STMeetingUsers group as Person Group with Author access with “Read public documents” and “Write public documents.”

If you want to allow Default users to join on-line meetings but not allow them to create meetings, you should set the ACL of the Default user access to “Reader” with “Read public documents”. If you use “Author” access with “Read public documents”, users will be unable to attend meetings.

Part II: Changes to stcenter.nsf
The second database which cannot be secured as much as the stconf.nsf database is the Sametime Center database. The Sametime Center (stcenter.nsf) database basically contains links to all of the different areas of Sametime such as the Java connect client, Meeting Center, and downloads for Sametime Print Capture and Sametime Connect.

Modifying the Access Control List (ACL)

In Sametime 2.5, it was possible to set the ACL of this database to No access. This way, the user would be prompted to login. With the move to SSO in Sametime 3.0 and higher, this is no longer possible. There is a form in the stcenter.nsf called STLoginForm which produces the page presented to users to login and use the Meeting Center.

The access control level for Anonymous in this database must be at least Reader or above. If you set the ACL to “No access”, you will see a pink “Server Login” page as opposed to the regular Sametime Login page.

By design, and by default, all users have access to the Sametime server’s home page. If you would like to have only certain users access the Sametime server and if you would like to prevent users from logging in twice, this can be accomplished by changing the ACL for STCenter.nsf as follows:

a. Change Default to No Access and remove the “Read Public Documents” option, as well as the “Write Public Documents” option.
b. Change Anonymous to No Access and remove the “Read Public Documents” option, as well as the “Write Public Documents” option.
c. Add to the ACL a Group for the users who should have access to the Sametime server. Give the group Author access.
d. Create a new entry in the ACL – Sametime Development/Lotus Notes Companion Products. This must be set to Unspecified – Manager. Make sure this exists for the Meeting Center, as well (STConf.nsf).

Part III: Preventing usage of Instant Meeting functionality and Sametime Connect for Browsers
It is possible to restrict access to instant meetings and Sametime Connect for Browsers (Java Connect) by restricting access to the stsrc.nsf database. This database is used to hold design elements for the Java Connect client and instant meetings loaded via Connect clients.

Please note that this method should not be used if users connect using Sametime Connect for Browsers (Java Connect).

Edit the Access Control List (ACL) of the stsrc.nsf database on the Sametime server.

a. Change Default to No Access and remove the “Read Public Documents” option, as well as the “Write Public Documents” option.

b. Change Anonymous to No Access and remove the “Read Public Documents” option, as well as the “Write Public Documents” option.

c. Add a Group to the ACL that contains the users who should have access to the Sametime server. Give the Group Author access.

d. Create a new entry in the ACL: Sametime Development/Lotus Notes Companion Products. This must be set to Unspecified – Manager. Make sure this entry exists for the Meeting Center, as well (STConf.nsf).

Users attempting to join an instant meeting or launch Sametime Connect for Browsers will be presented with a login screen, but will see the error “You are not authorized to perform that operation” after entering their credentials.
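Steps a to d above (and the same four steps for stcenter.nsf in Part II) describe one target ACL state. The following added example, which is not IBM's or Domino's own tooling, checks a database ACL against that state. Because a real ACL is only reachable through the Notes API, each ACL is modelled as a constructed list of entries (name, access level, user type, and the two "public documents" flags); the group name STMeetingUsers is the example from Part I, and the other expected values quote the steps.

```python
"""Audit a Domino database ACL against the lock-down steps in Parts II and III.

Added example, not IBM's or Domino's own code. ACL entries are a constructed
in-memory model of what the Domino ACL dialog shows; the group name
STMeetingUsers is taken from Part I's example.
"""

LEVELS = ["No Access", "Depositor", "Reader", "Author", "Editor", "Designer", "Manager"]
SAMETIME_DEV = "Sametime Development/Lotus Notes Companion Products"


def entry(name, level, user_type="Unspecified", read_public=False, write_public=False):
    """Build one ACL entry as a plain dict (constructed model of a Domino ACL row)."""
    if level not in LEVELS:
        raise ValueError(f"unknown access level: {level}")
    return {"name": name, "level": level, "type": user_type,
            "read_public": read_public, "write_public": write_public}


def audit_acl(acl, authorised_group):
    """Return the list of deviations from the recommended ACL; an empty list means compliant."""
    findings = []
    by_name = {e["name"]: e for e in acl}

    # Steps a and b: -Default- and Anonymous get No Access, both public-document options off.
    for name in ("-Default-", "Anonymous"):
        e = by_name.get(name)
        if e is None:
            findings.append(f"{name}: entry missing")
            continue
        if e["level"] != "No Access":
            findings.append(f"{name}: level is {e['level']}, expected No Access")
        if e["read_public"] or e["write_public"]:
            findings.append(f"{name}: Read/Write public documents must be unchecked")

    # Step c: the group of authorised users holds Author access.
    g = by_name.get(authorised_group)
    if g is None:
        findings.append(f"{authorised_group}: group entry missing")
    elif g["level"] != "Author":
        findings.append(f"{authorised_group}: level is {g['level']}, expected Author")

    # Step d: the Sametime Development entry is Unspecified / Manager.
    d = by_name.get(SAMETIME_DEV)
    if d is None:
        findings.append(f"{SAMETIME_DEV}: entry missing")
    else:
        if d["level"] != "Manager":
            findings.append(f"{SAMETIME_DEV}: level is {d['level']}, expected Manager")
        if d["type"] != "Unspecified":
            findings.append(f"{SAMETIME_DEV}: user type is {d['type']}, expected Unspecified")
    return findings


# Constructed "before" ACL: anonymous and default users can read (the page's default state).
ACL_BEFORE = [
    entry("-Default-", "Reader", read_public=True),
    entry("Anonymous", "Reader", read_public=True),
]

# Constructed "after" ACL following steps a to d.
ACL_AFTER = [
    entry("-Default-", "No Access"),
    entry("Anonymous", "No Access"),
    entry("STMeetingUsers", "Author", user_type="Person Group"),
    entry(SAMETIME_DEV, "Manager"),
]

if __name__ == "__main__":
    for label, acl in (("before", ACL_BEFORE), ("after", ACL_AFTER)):
        print(label, audit_acl(acl, "STMeetingUsers") or ["compliant"])
```

The check is written for stcenter.nsf and stsrc.nsf; stconf.nsf deliberately differs, since Part I keeps Default at Reader with “Read public documents” when users must be able to attend meetings, so run it with that exception in mind.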

Part IV: Preventing usage of Sametime Connect
Preventing users from downloading/running Sametime Connect

It is currently not possible to prevent the downloading of the Sametime Connect client; essentially everyone who is listed in the Domino directory can download and use the Connect client. There are many corporations that have a concern about this and do not wish to allow this type of activity. There are multiple ways to prevent this.

a. Disable download links on home page

You can disable the links that allow users to run the Java Connect Client and also disable users’ ability to download the Sametime Connect client for Desktops. This is done by going into the “Administer the Server” link on the stcenter.nsf page and then clicking into “Configuration – Community Services”. In this section, uncheck the boxes that are labeled:

– Display the “Launch Sametime Connect for the desktop” link on the Sametime Home page, and
– Display the “Launch Sametime Connect for browsers” link on the Sametime Home page (Stcenter.nsf).

b. Fill in the Sametime server field with a bogus server name

Note: this solution is for use with Domino directories, or Domino LDAP directories. For other LDAP implementations, see Part V below.

Use an agent to populate the “Home Sametime Server” field with a valid Sametime Server name for authorized users. Fill in all of the other users’ Sametime Server fields with a rogue (bogus) name such as Foo/Foo. Users may receive a confusing error message if they attempt to Chat when an invalid Sametime server name is entered in the Sametime Server field of their Person document.

c. Selective replication

Note: this solution is for use with Domino directories, or Domino LDAP directories. For other LDAP implementations, see Part V below.

Perform a selective replication so that only users who are listed in the Domino directory on the Sametime server are able to authenticate. The replication formula which you would need to place on the Sametime server’s Domino directory is "SELECT @If(SametimeServer = ""; NULL; @Success)". If you fill in the field of the Sametime users in the Person documents, the formula will allow those to replicate; otherwise, the document will be ignored if the Sametime server is left blank.

To set up the selective replication, do the following:

– Select File, Replication, Settings.
– Open the Advanced tab.
– Check the box “Replicate a subset of documents.”
– Check the box “Select by Formula.”
– Copy and paste the following formula:

------------------------<Copy contents below>------------------------
SELECT @If(Form = "Person" & SametimeServer = ""; NULL; @Success)
------------------------<Copy contents above>------------------------

– Click OK.
– Your server should now be set up to replicate the documents necessary to run the Domino server and only those users’ documents which have a populated Sametime server field.

In order to replicate the documents, you must choose at least one field which is populated. In order to ensure that only the people authorized to use the Sametime server’s Person documents are replicated correctly, populate the Sametime Server field on the Person document. Below is a list of the fields which are populated and allow the selective replication to take place.

SametimeServer -> Person Documents for those authorized to use the Sametime server
ServerName -> Server Documents
ListName -> Group Documents
ConnectionType -> Connection Documents
LDAPFieldACL -> Configuration Type Documents

Part V: Workaround for LDAP implementations
If your organization uses LDAP for authentication and you would like to limit access to the Sametime server, you have two options:

Option 1
Extend the schema and put the Sametime server field in, and put bogus values in the non-authorized users. Note: make sure you know that the SametimeServer field is being rendered; use the Bind account, or anonymous (if enabled) and do an LDIF dump to see if this displays. The attribute used for home Sametime Server will also need to be added to the LDAPServer document in stconfig.nsf.

Option 2 (Domino 6 only)
1. Create a special Object Class for the users who should have access to the server and then use the object class as part of the authentication/search filter in stconfig.nsf. For example, objectclass=stuser (extends organizationalPerson) gets added to all the authorized users’ LDAP entries.

2. Modify the LDAPServer document in stconfig.nsf.
Note: this is an example, the actual object class name can be different, and the search filters can vary by vendor.

Search Filters
Search filter for resolving person names: (&(objectclass=stuser)(|(cn=%s*)(givenname=%s*)(sn=%s*)(mail=%s*)))
Search filter to use when resolving a user name to a distinguished name: (&(objectclass=stuser)(|(cn=%s)(givenname=%s)(sn=%s)(mail=%s)))
Search filter for resolving group names: (&(objectclass=groupOfNames)(cn=%s*))

3. Changes need to be done to the Directory Assistance (da.nsf).
Open the Directory Assistance database.
Open the LDAP document, click on the LDAP tab and scroll down. Change the type of search filter to Custom. Then add the custom filter.

4. Save all the changes and restart Domino.
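To see what the stuser object class achieves in step 2, the following added example (not IBM's or the Sametime server's code) evaluates the page's custom search filters against a small constructed directory. It assumes a minimal matcher for RFC 4515-style filters (only '&', '|', equality and a trailing '*' wildcard, which is all these filters use) with case-insensitive attribute comparison; the directory entries and the unrestricted contrast filter are constructed sample data, not from the page.

```python
"""Evaluate the Part V, Option 2 Sametime LDAP search filters against a
constructed in-memory directory.

Added example, not IBM's or the Sametime server's own code. The filter
matcher here is deliberately minimal (&, |, equality, trailing '*'); the
directory entries are constructed sample data.
"""

# Filters quoted from the page; Sametime substitutes the name being resolved for %s.
PERSON_NAME_FILTER = "(&(objectclass=stuser)(|(cn=%s*)(givenname=%s*)(sn=%s*)(mail=%s*)))"
PERSON_DN_FILTER = "(&(objectclass=stuser)(|(cn=%s)(givenname=%s)(sn=%s)(mail=%s)))"
GROUP_NAME_FILTER = "(&(objectclass=groupOfNames)(cn=%s*))"
# Constructed for contrast: the same person lookup without the object-class restriction.
UNRESTRICTED_NAME_FILTER = "(|(cn=%s*)(givenname=%s*)(sn=%s*)(mail=%s*))"

# Constructed directory: only Alice carries the extra 'stuser' object class.
DIRECTORY = {
    "cn=Alice Adams,o=example": {
        "objectclass": ["top", "person", "organizationalPerson", "stuser"],
        "cn": ["Alice Adams"], "givenname": ["Alice"], "sn": ["Adams"],
        "mail": ["alice@example.com"],
    },
    "cn=Bob Brown,o=example": {
        "objectclass": ["top", "person", "organizationalPerson"],
        "cn": ["Bob Brown"], "givenname": ["Bob"], "sn": ["Brown"],
        "mail": ["bob@example.com"],
    },
    "cn=Sales,o=example": {
        "objectclass": ["top", "groupOfNames"],
        "cn": ["Sales"], "member": ["cn=Alice Adams,o=example"],
    },
}


def parse_filter(text, pos=0):
    """Parse one parenthesised filter starting at text[pos]; return (node, next_pos)."""
    if text[pos] != "(":
        raise ValueError("filter must start with '('")
    pos += 1
    if text[pos] in "&|":
        op = text[pos]
        pos += 1
        children = []
        while text[pos] == "(":
            child, pos = parse_filter(text, pos)
            children.append(child)
        if text[pos] != ")":
            raise ValueError("unbalanced filter")
        return (op, children), pos + 1
    end = text.index(")", pos)
    attr, _, value = text[pos:end].partition("=")
    return ("=", attr.lower(), value), end + 1


def matches(node, entry):
    """True if the entry (dict of attribute -> list of values) satisfies the filter tree."""
    if node[0] == "&":
        return all(matches(child, entry) for child in node[1])
    if node[0] == "|":
        return any(matches(child, entry) for child in node[1])
    _, attr, pattern = node
    values = [v.lower() for v in entry.get(attr, [])]
    pattern = pattern.lower()
    if pattern.endswith("*"):          # trailing wildcard: prefix match
        return any(v.startswith(pattern[:-1]) for v in values)
    return pattern in values           # plain equality


def search(directory, filter_template, name):
    """Return the sorted DNs that the filter resolves 'name' to."""
    tree, _ = parse_filter(filter_template.replace("%s", name))
    return sorted(dn for dn, entry in directory.items() if matches(tree, entry))


if __name__ == "__main__":
    for label, flt in (("restricted", PERSON_NAME_FILTER), ("unrestricted", UNRESTRICTED_NAME_FILTER)):
        for who in ("Ali", "Bob"):
            print(f"{label:12s} {who!r:6} -> {search(DIRECTORY, flt, who)}")
```

With the stuser clause in place, Bob no longer resolves at all, so he cannot be awareness-looked-up or authenticated through Sametime even though his entry is otherwise a valid person; under the unrestricted filter he resolves normally. The same matcher applied to the name-to-DN filter shows that it requires exact values (a partial name returns nothing), which is why both filters must be changed together.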

An enhancement request has been submitted as SPR #FJAD74UEPN to restrict access to a Sametime server at an individual or group level.

Part VI: Restricting specific Sametime Connect client versions

Sametime uses a Client ID to determine the type and version of client connecting to the Sametime server. If you need to restrict access so that only Sametime clients above a certain version are allowed to connect, you can do so by using the following parameter in the sametime.ini:

[Config]
VPS_ALLOWED_LOGIN_TYPES=

To use this parameter, specify a comma separated list of client types which are allowed to connect. A full list of client types can be found in Technote 1114318.
