Copyright 2005 by Akeni System. Please do not reproduce without permission.

  • Overview
  • Active Directory or LDAP Integration
  • Message logging and Auditing
  • Web Client for Live Help, Live Support and Helpdesk

    Overview

    This guide describes how to deploy the Enterprise Instant Messaging (Enterprise IM) server. It covers the following topics:

  • Encryption: The encryption scheme you select affects the compatibility, performance, and security of the system. Enterprise Instant Messaging uses SSL for encryption; by default the client connects to the server using either 56-bit or 128-bit encryption for maximum compatibility. Alternatively, the server can be configured so that the client must connect using 128-bit equivalent 3DES for maximum security.
  • Active Directory or LDAP (Lightweight Directory Access Protocol): Integrating your existing Active Directory or LDAP directory is simplified by the Installation Wizard. You only need to enter the account information for one user into the wizard; during the process, press the "verify" button to test that the directory integration is working correctly.
  • Message Logging: The Enterprise Instant Messaging Server can currently log messages to flat files or to a database using SQLite or MySQL. Any SQLite- or MySQL-compatible query tool can be used to search the messages. An optional auditing tool is available for the Enterprise IM version.
  • Web Chat Client: The optional Web Client module is useful when your corporation has many users and you do not wish to install the standalone client. The main advantage is that users can access the server from any Internet Explorer 5+ or Firefox 1.0 browser. The Web Client module has a built-in HTTP server, so you do not need to install Apache, Java, Flash, etc. In addition, you can use the Web Client to host your own Live Help, Live Support and Helpdesk solution.

    Active Directory or LDAP (Lightweight Directory Access Protocol)

  • During the installation of the Enterprise Instant Messaging Server, the AD (Active Directory) / LDAP Wizard is launched automatically. Do not click on the Enterprise Server desktop icon to launch the server before you have finished running this wizard.
  • For security reasons, it is best to run the server with LDAP encryption set to LDAPS (LDAP over SSL) or StartSSL. If for some reason you cannot get SSL to work, it is best to run the server on the same computer as your AD / LDAP server so that the password is not transmitted in the clear over the network.
  • The hostname should be the FQDN (Fully Qualified Domain Name) of your AD/LDAP server. This must be the same as the FQDN on your LDAP/AD server's SSL certificate, or the SSL server certificate verification will fail. If you are not using any encryption, it is also OK to set it to the numeric IP address. If you are running the server on the same computer as your AD/LDAP server without encryption, you can also set it to "localhost".
  • If you are running on Microsoft Windows and want to run the LDAP session over SSL, you must install the public key of your AD server's SSL certificate on the machine that runs the Enterprise Messaging server. The easiest way to do this is to point Internet Explorer at your AD server and use it to import the certificate. For example, if your AD server is at ldap.yourcompany.com, type "https://ldap.yourcompany.com:636" (note that it is "https", not "http") into the address bar of your browser and then tell the browser to accept the certificate offered by the server.
  • To make sure that the host information you just entered is correct, you need to enter the DN (Distinguished Name) of a user on your AD/LDAP server whose password you know.
  • If you are using MS Active Directory, you can add the ADSI snap-in to the Management Console (MMC) to help you find the DN of users. The snap-in is in the support folder of your Windows 2000/2003 server installation CD.
  • The procedure is discussed in an article at http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/Windows/2000/server/reskit/en-us/distrib/dsbe_ext_jand.asp
  • There is also more information at http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/8c76ff67-9e9d-4fc7-bfac-ffedee8a04d4.mspx
  • You may also want to download a free LDAP browser from http://www.ldapbrowser.com to help you figure out the structure of your LDAP / AD server. Note that you can install the browser on any Windows 2000/XP machine that can connect to your LDAP server via TCP/IP.
  • When using Active Directory, the DN for someone whose user name is mark is probably CN=mark,CN=Users,DC=yourdomain,DC=com or CN=mark,OU=Office Users,DC=yourdomain,DC=com.
  • Once you have entered the correct LDAP/AD host parameters, go to the next page, where you need to enter the following information:
      • The DN and the password of the account that will be used to look up contact information (such as the name, phone number, email address, etc.) for each user. It is recommended that you create a special account with read-only access to this information just for this purpose. Please also note that the password for this account will be stored in the clear, so make sure that the ldap.conf file is readable only by the account used to run this server.
      • The search base (container) for all the user objects. This is the DN from which the search should begin. For Active Directory, this would be the container where all your users reside. If your LDAP database is very large, you will get better performance if the search is done using a base DN that has more depth. You can also try to set the search scope to One Level if all the users are only one level deep from the base DN.
      • The search filter is useful when you have different LDAP objects mixed together with your user objects. The filter limits the search so that only user objects are returned. A good filter to use is "(&(objectclass=organizationalPerson)(CN=%s))".
      • The user name of the account that will map to the "admin" account used by Enterprise Messenger. For example, suppose Alice Smith with LDAP password "secret" has been assigned as the administrator of the Enterprise Messenger System. Then you should enter "Alice Smith" there, assuming that Alice's DN is CN=Alice Smith, OU=users,DC=akeni,DC=com (and that you have already set the search base to OU=users,DC=akeni,DC=com).
  • The third step in the LDAP Wizard is to set up the mapping of the fields from your LDAP / AD to the fields used by Enterprise Messenger. All the field names are optional and you can leave them blank.
  • The last step in the LDAP Wizard is to create the accounts from the values that the system can find in your LDAP/AD using the parameters you entered in step 2. You can exclude users whom you do not wish to have access to the messaging system by deleting their names from the list. Use the Control and Shift keys to select multiple entries. If you delete a user by mistake, simply reload the page.
  • The user name used by the messaging system must be lower-case alphanumeric plus the special characters [. + - _ @], and cannot include any spaces. This means that in order to bind to the LDAP / AD, a mixed-case user name is changed to all lower case and each space is replaced with '+'. For example, "Alice Smith" will have the user name "alice+smith".
  • Please note that by default, any user who has a valid account on your LDAP / AD will have access to Enterprise Messenger, because the account is created automatically when the user's credentials have been authenticated against the LDAP/AD. If you do not want this behavior, go to the Enterprise Messenger Server Console, choose (Files | Configuration) and disable the option "Allow anyone with a valid LDAP account to sign-on".
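
The user-name mapping and the "%s" search filter described above, as an added Python example that is not part of the Akeni guide or product. The RFC 4515 escaping of the CN value and the ldap.conf permission check are my additions: the guide only states the user-name rule, the filter template and that ldap.conf must be readable by the server account alone; the permission check assumes a POSIX host.

```python
import os
import re
import stat

# User-name rule stated in the guide: lower-case alphanumerics plus . + - _ @
# and no spaces; mixed-case names are lowered and spaces become '+'.
USERNAME_RE = re.compile(r"^[a-z0-9.+\-_@]+$")


def im_username(display_name):
    """Map an LDAP/AD name such as 'Alice Smith' to the IM user name 'alice+smith'."""
    name = display_name.strip().lower().replace(" ", "+")
    if not USERNAME_RE.match(name):
        raise ValueError("name contains characters the IM server does not accept: %r" % display_name)
    return name


# RFC 4515 escaping for a value substituted into a search filter, so that a
# name containing ( ) * \ or NUL cannot alter the filter's structure.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_search_filter(template, cn):
    """Fill the guide's template, e.g. (&(objectclass=organizationalPerson)(CN=%s)),
    with the user's CN. Only the CN is escaped; the template is trusted configuration."""
    return template.replace("%s", escape_filter_value(cn))


def mode_is_private(mode):
    """True when a file mode grants no group or other permission at all."""
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def ldap_conf_is_private(path):
    """Check that ldap.conf (which stores the bind password in the clear) is
    accessible only by its owner. Assumption: POSIX host, and the server runs
    as that owner; Windows ACLs are not reflected in st_mode."""
    return mode_is_private(os.stat(path).st_mode)


if __name__ == "__main__":
    print(im_username("Alice Smith"))
    print(build_search_filter("(&(objectclass=organizationalPerson)(CN=%s))", "Alice Smith"))
```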

    Message Logging and Auditing

    Enterprise Instant Messaging can log messages to flat files, SQLite or MySQL databases. The optional auditing tool is for SQLite only, so for a MySQL database you will need a third-party tool to audit the messages.

    To use a MySQL database on a Windows server, the setup procedure is as follows:

  • Use the MySQL client to create a new database called "xpserverdb". Set the appropriate username/password to access the database.
  • Go to the server administration console and select (File | Configuration). Make sure that both "Messages are saved by the server for auditing purpose" and "Messages are saved into a database" are checked.
  • Click on "Advanced" and set the following entries:
        SecondaryDatabaseClass: mysqlmessagedatabase
        SecondaryDatabaseUserName: ????? (it is "root" by default)
        SecondaryDatabasePassword: ????? (it is "" by default)
  • Restart the server. Examine the server console output during startup. You should see lines like these:
        audit logs saved under directory D:\Akeni\LiveHelp123ServerData\auditlog
        saving messages to primary database sqlite: D:\Akeni\LiveHelp123ServerData\auditlog\xpserver.db
        saving messages to secondary database MySQL: root@localhost xpserver
  • You can now try sending some chat messages, then look at the "message" table in the xpserver database to see whether they are saved properly. A good utility to use is the MySQL Control Center.
    For Linux servers, the procedure for setting up the MySQL database is as follows:

  • Download the file python-mysql-0.9.2-52.i586.rpm from this link: ftp://fr2.rpmfind.net/linux/SuSE-Linux/i386/9.0/suse/i586/python-mysql-0.9.2-52.i586.rpm
  • Install the RPM using: rpm -vi --force --nodeps python-mysql-0.9.2-52.i586.rpm
  • Copy the MySQL module into the installation directory, assuming that the XP server is installed into /usr/local/bin/akxpserver: cp /usr/lib/python2.3/site-packages/_mysql.so /usr/local/bin/akxpserver
  • Use the MySQL client to create a new database called "xpserverdb". Set the appropriate username/password to access the database.
  • Go to the server administration console and select (File | Configuration). Make sure that both "Messages are saved by the server for auditing purpose" and "Messages are saved into a database" are checked.
  • Click on "Advanced" and set the following entries:
        SecondaryDatabaseClass: mysqlmessagedatabase
        SecondaryDatabaseUserName: ????? (it is "root" by default)
        SecondaryDatabasePassword: ????? (it is "" by default)
  • Restart the server. Examine the server console output during startup. You should see lines like these:
        audit logs saved under directory D:\Akeni\LiveHelp123ServerData\auditlog
        saving messages to primary database sqlite: D:\Akeni\LiveHelp123ServerData\auditlog\xpserver.db
        saving messages to secondary database MySQL: root@localhost xpserver
  • You can now try sending some chat messages, then look at the "message" table in the xpserver database to see whether they are saved properly. A good utility to use is the MySQL Control Center.
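
The startup check in the Windows and Linux procedures above, as an added Python example that is not part of the Akeni guide or product. It parses the three console lines the guide says to look for (the sample below is constructed from the guide's own example) and reports the two defaults a reviewer would want changed before relying on the audit trail: audit writes running as the MySQL "root" user and an empty SecondaryDatabasePassword. The line formats are assumed to be exactly as quoted in the guide.

```python
import re

# Constructed sample of the startup output, copied from the guide's example;
# the D:\Akeni paths are the guide's, not a real installation.
SAMPLE_STARTUP = """\
audit logs saved under directory D:\\Akeni\\LiveHelp123ServerData\\auditlog
saving messages to primary database sqlite: D:\\Akeni\\LiveHelp123ServerData\\auditlog\\xpserver.db
saving messages to secondary database MySQL: root@localhost xpserver
"""

AUDIT_DIR_PREFIX = "audit logs saved under directory "
PRIMARY_PREFIX = "saving messages to primary database sqlite: "
SECONDARY_RE = re.compile(r"saving messages to secondary database MySQL: (\S+)@(\S+) (\S+)$")


def parse_startup(text):
    """Return the audit sinks the server announced at startup (None if absent)."""
    result = {"auditlog_dir": None, "primary_sqlite": None, "secondary_mysql": None}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(AUDIT_DIR_PREFIX):
            result["auditlog_dir"] = line[len(AUDIT_DIR_PREFIX):]
        elif line.startswith(PRIMARY_PREFIX):
            result["primary_sqlite"] = line[len(PRIMARY_PREFIX):]
        else:
            m = SECONDARY_RE.match(line)
            if m:
                result["secondary_mysql"] = {"user": m.group(1), "host": m.group(2), "db": m.group(3)}
    return result


def audit_findings(parsed, configured_password):
    """List the gaps to fix before trusting the audit trail. configured_password is
    the value set under Advanced as SecondaryDatabasePassword."""
    findings = []
    if parsed["primary_sqlite"] is None and parsed["secondary_mysql"] is None:
        findings.append("no message database announced: check both Configuration checkboxes")
    sec = parsed["secondary_mysql"]
    if sec is not None:
        if sec["user"] == "root":
            findings.append("audit writes run as MySQL root; use a dedicated least-privilege account")
        if configured_password == "":
            findings.append("SecondaryDatabasePassword is empty (the default); set a password")
    return findings


if __name__ == "__main__":
    for finding in audit_findings(parse_startup(SAMPLE_STARTUP), ""):
        print("WARNING:", finding)
```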

    Web Client for Live Help, Live Support, and Helpdesk

    The optional Web Client module for the Enterprise IM server allows your company to host its own Live Help, Live Support, and Helpdesk system. Your clients or web site visitors only need a web browser to contact your support staff; there is no need for them to install Java, Flash, ActiveX, etc.

    Although Enterprise IM has standalone client software for Windows and some Linux versions, if your company has Apple Mac, Palm, or any portable devices with a web browser compatible with Firefox 1.x, they may be able to access the instant messaging server through the Web Client.

    The Web Client is not a replacement for the standalone client, but it allows universal accessibility to the server. It is convenient for users who are travelling on business trips and need to contact co-workers over the Internet. The Web Client has most of the features found in the standard client, such as text chat, conference, notification, forum, etc.

    Appendix 1. Copyright

    Copyright 2005 by Akeni Systems. All Rights Reserved.