Today I finished the setup of Sametime for a client in my city. The MS AD administrator asked how to prevent users from logging in based on a group.
Sametime doesn't have this kind of policy. If you follow TN 1166845, the solution is to add a new attribute to every user. :-(
This workaround doesn't meet our requirements (restricting by group). I changed the LDAP search filter in stconfig.nsf from:
Search filter for resolving person names: (&(objectclass=organizationalPerson)(|(cn=%s*)(givenname=%s*)(sn=%s*)(mail=%s*)))
Search filter to use when resolving a user name to a distinguished name: (&(objectclass=organizationalPerson)(|(cn=%s)(givenname=%s)(sn=%s)(mail=%s)))
To:
Search filter for resolving person names: (&(objectclass=organizationalPerson)(memberOf=CN=GroupName,OU=OUName,DC=domain,DC=com,DC=br)(|(cn=%s*)(givenname=%s*)(sn=%s*)(mail=%s*)))
Search filter to use when resolving a user name to a distinguished name: (&(objectclass=organizationalPerson)(memberOf=CN=GroupName,OU=OUName,DC=domain,DC=com,DC=br)(|(cn=%s)(givenname=%s)(sn=%s)(mail=%s)))
Restart Sametime and it will work.
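To see what the added memberOf clause does before touching a live server, here is an added example (written for this page, not code from the post, from Sametime or from IBM) that fills the two filters above the way Sametime fills %s and evaluates them against a few constructed AD-style entries with a small in-memory filter matcher. The group DN is the one from the post; the user entries, names and the nested group CN=Nested are made up. It shows two things worth knowing before you rely on this: a plain memberOf clause only sees direct membership, so a user who belongs to GroupName only through a nested group is not resolved and cannot log in; and the value substituted for %s has to be escaped per RFC 4515, otherwise a typed `*` turns the exact-match filter into a wildcard that resolves any group member.

```python
"""Added example: evaluate the group-restricted Sametime LDAP filters offline.

Not code from the original post or from Sametime; the directory entries
and user names below are constructed for illustration.
"""
import re

# Group DN taken from the post's filter (the group itself is hypothetical).
GROUP_DN = "CN=GroupName,OU=OUName,DC=domain,DC=com,DC=br"

# The two stconfig.nsf filters after the change; "%s" is the placeholder Sametime fills in.
NAME_TEMPLATE = ("(&(objectclass=organizationalPerson)(memberOf=" + GROUP_DN + ")"
                 "(|(cn=%s*)(givenname=%s*)(sn=%s*)(mail=%s*)))")
DN_TEMPLATE = ("(&(objectclass=organizationalPerson)(memberOf=" + GROUP_DN + ")"
               "(|(cn=%s)(givenname=%s)(sn=%s)(mail=%s)))")

# Constructed AD-style entries (attribute names lower-cased, values as lists).
# Carol is in GroupName only through the nested group CN=Nested, and that is
# all her memberOf attribute shows: AD's memberOf does not expand nesting.
DIRECTORY = [
    {"objectclass": ["top", "person", "organizationalPerson", "user"],
     "cn": ["Alice Lima"], "givenname": ["Alice"], "sn": ["Lima"],
     "mail": ["alice@domain.com.br"], "memberof": [GROUP_DN]},
    {"objectclass": ["top", "person", "organizationalPerson", "user"],
     "cn": ["Bob Souza"], "givenname": ["Bob"], "sn": ["Souza"],
     "mail": ["bob@domain.com.br"],
     "memberof": ["CN=Other,OU=OUName,DC=domain,DC=com,DC=br"]},
    {"objectclass": ["top", "person", "organizationalPerson", "user"],
     "cn": ["Carol Reis"], "givenname": ["Carol"], "sn": ["Reis"],
     "mail": ["carol@domain.com.br"],
     "memberof": ["CN=Nested,OU=OUName,DC=domain,DC=com,DC=br"]},
]


def escape_filter_value(value):
    """RFC 4515 escaping for a value substituted into a filter, so typed input cannot change its shape."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def unescape(piece):
    """Reverse RFC 4515 \\XX escapes inside one piece of a filter value."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), piece)


def parse(s, i=0):
    """Recursive-descent parse of one parenthesised filter item at s[i]; returns (node, next index)."""
    assert s[i] == "(", "expected '(' at %d" % i
    i += 1
    if s[i] in "&|":
        op, i, kids = s[i], i + 1, []
        while s[i] != ")":
            kid, i = parse(s, i)
            kids.append(kid)
        return (op, kids), i + 1
    if s[i] == "!":
        kid, i = parse(s, i + 1)
        return ("!", [kid]), i + 1
    j = s.index(")", i)
    attr, _, value = s[i:j].partition("=")
    return ("=", attr.lower(), value), j + 1


def parse_filter(s):
    node, end = parse(s)
    assert end == len(s), "trailing data in filter"
    return node


def matches(node, entry):
    """Evaluate a parsed filter against one entry; '=' honours '*' wildcards and is case-insensitive like AD."""
    kind = node[0]
    if kind == "&":
        return all(matches(k, entry) for k in node[1])
    if kind == "|":
        return any(matches(k, entry) for k in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    pattern = ".*".join(re.escape(unescape(p)) for p in value.split("*"))
    return any(re.fullmatch(pattern, v, re.IGNORECASE) for v in entry.get(attr, []))


def resolve(template, name, directory=DIRECTORY, escape=True):
    """Fill %s with the typed name (escaped unless told otherwise) and return the cn of every matching entry."""
    value = escape_filter_value(name) if escape else name
    node = parse_filter(template.replace("%s", value))
    return [e["cn"][0] for e in directory if matches(node, e)]


if __name__ == "__main__":
    print(resolve(DN_TEMPLATE, "Alice Lima"))       # direct member: resolved
    print(resolve(DN_TEMPLATE, "Bob Souza"))        # not in the group: empty
    print(resolve(DN_TEMPLATE, "Carol Reis"))       # nested membership only: empty
    print(resolve(NAME_TEMPLATE, "Al"))             # prefix search still works for members
    print(resolve(DN_TEMPLATE, "*", escape=False))  # unescaped '*' resolves every group member
    print(resolve(DN_TEMPLATE, "*"))                # escaped: only a literal '*' would match
```

If nested groups matter, AD supports the LDAP_MATCHING_RULE_IN_CHAIN extensible match, (memberOf:1.2.840.113556.1.4.1941:=CN=GroupName,OU=OUName,DC=domain,DC=com,DC=br), which walks group nesting on the server; the toy matcher above does not implement that rule, it only shows the gap. Before restarting Sametime it is also worth running the final filter through ldapsearch against the real domain controller, once with a known member and once with a known non-member, and confirming exactly one result and zero results respectively.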