HCL Sametime Policies – Troubleshooting

I needed to set a new HCL Sametime policy just for a handful of users, so I decided to do this via an explicit Sametime policy, assigned to the users via a new user group in the LDAP user repository.

This process is simple and very well documented; check out the official documentation if you have to do this:

https://help.hcltechsw.com/sametime/11.5/admin/creating_new_policy.html

After creating and setting the policy and restarting the HCL Sametime Community server, I ran into a problem: the settings in the newly created policy didn’t have any impact on the Sametime clients.

In order to find the cause of the problem, I set the following debug settings in the “sametime.ini” file (in the [Debug] section):

POLICY_DEBUG_LEVEL=5

ST_POLICY_NOTES_GROUPS=1

“POLICY_DEBUG_LEVEL” can be set to ‘1’, ‘3’ or ‘5’, depending on the log information you want, ‘5’ being the most verbose.

After setting the debug level, I found the following entries in the log:

[ 08:36:02.756 | 15.04.2021 | INFO | 15 ] : FilterSyntaxAdapter : replaceSubStrings :  replaceSubStringsInFilter replacing %s with <dominounid> result is :(&(objectclass=inetOrgPerson)(|(mail= <dominounid> )(cn= <dominounid> )(uid= <dominounid> )))

[ 08:36:02.756 | 15.04.2021 | INFO | 15 ] : DirLdapBlackBox : resolveUser : authFilter=(&(objectclass=inetOrgPerson)(|(mail= <dominounid> )(cn= <dominounid> )(uid= <dominounid> )))

[ 08:36:02.756 | 15.04.2021 | FINEST | 15 ] : DirLdapBlackBox : resolveUser : authFilter = (&(objectclass=inetOrgPerson)(|(mail= <dominounid> )(cn= <dominounid> )(uid= <dominounid> )))

[ 08:36:02.756 | 15.04.2021 | FINEST | 15 ] : DirLdapBlackBox : resolveUser : resolveBase =

[ 08:36:02.756 | 15.04.2021 | FINEST | 15 ] : DirLdapBlackBox : executeQuery : Ldap bb: executing LDAP query

[ 08:36:02.758 | 15.04.2021 | FINEST | 15 ] : DirLdapBlackBox : executeQuery : Ldap bb: LDAP query returned

[ 08:36:02.758 | 15.04.2021 | FINEST | 15 ] : DirLdapBlackBox : resolveUser : DN is not found for a user 4BD5D68A8A47FFA9C1258599002E9F47

[ 08:36:02.758 | 15.04.2021 | FINEST | 15 ] : SscPolicyRequestHandler : calculateUserPolicyByHisDirectoryUnitPolicy : 4BD5D68A8A47FFA9C1258599002E9F47 name is resolved to DN:

[ 08:36:02.758 | 15.04.2021 | INFO | 15 ] : DirLdapBlackBox : polulateEnvTableForLDAPServer : ldapHost =

[ 08:36:02.758 | 15.04.2021 | INFO | 15 ] : DirLdapBlackBox : getContextFromPool : A context has been retrieved from the conection pool for LDAP server

[ 08:36:02.758 | 15.04.2021 | SEVERE | 15 ] : DirLdapBlackBox : groupSearchByName : searchFilterGenerator is null, returning empty group list

Seeing this, the solution for the issue was pretty straightforward. The Sametime Internal User ID was set to “dominounid”, and this parameter was missing from the LDAP search filter used when resolving the user distinguished name to the Sametime internal username. In order to solve this, I had to modify the value of the LDAP search filter, used for resolving usernames to distinguished names, to include the “dominounid” parameter.

This can be done in the “stconfig.nsf” database; you just need to restart the HCL Community Server afterwards. Take a look at the screenshot after the configuration change:

The screenshot displayed above shows the LDAP Filter configuration change.

After that, the HCL Sametime policy mechanism could be used as intended. Please do note that the issue was not a software defect, but rather environment-specific circumstances which ultimately resulted in a configuration error.
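
A small check for this failure pattern, as an added example that is not part of the original post or of HCL's tooling: it reads policy debug output in the format shown above, collects the attributes the resolveUser filter matches on, and reports whether the internal user ID attribute is among them. The function names and the corrected filter string are assumptions made for illustration.

```python
import re

# Three lines copied from the log excerpt in the post.
SAMPLE_LOG = """\
[ 08:36:02.756 | 15.04.2021 | INFO | 15 ] : DirLdapBlackBox : resolveUser : authFilter=(&(objectclass=inetOrgPerson)(|(mail= <dominounid> )(cn= <dominounid> )(uid= <dominounid> )))
[ 08:36:02.758 | 15.04.2021 | FINEST | 15 ] : DirLdapBlackBox : resolveUser : DN is not found for a user 4BD5D68A8A47FFA9C1258599002E9F47
[ 08:36:02.758 | 15.04.2021 | SEVERE | 15 ] : DirLdapBlackBox : groupSearchByName : searchFilterGenerator is null, returning empty group list
"""
# Constructed filter (an assumption, not the value from the author's stconfig.nsf).
CONSTRUCTED_FIXED_FILTER = "(&(objectclass=inetOrgPerson)(|(mail=%s)(cn=%s)(uid=%s)(dominounid=%s)))"

# Line layout: "[ time | date | LEVEL | thread ] : Class : method : message"
LINE = re.compile(r"^\[[^\]]*\]\s*:\s*(?P<cls>\w+)\s*:\s*(?P<method>\w+)\s*:\s*(?P<msg>.*)$")
# An attribute name directly after "(" and before "=", "~=", "<=" or ">=".
ATTR = re.compile(r"\(\s*([A-Za-z][\w;-]*)\s*[~<>]?=")


def filter_attributes(ldap_filter):
    """Attribute names an LDAP filter matches on, ignoring objectclass."""
    return {a.lower() for a in ATTR.findall(ldap_filter)} - {"objectclass"}


def diagnose(log_text, internal_id_attr):
    """Summarise resolveUser failures and check the filter for the ID attribute."""
    attrs, unresolved, empty_group_lookups = set(), [], 0
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a policy debug line in the expected layout
        msg = m["msg"].strip()
        if m["method"] == "resolveUser" and msg.startswith("authFilter"):
            attrs = filter_attributes(msg)
        elif msg.startswith("DN is not found for a user"):
            unresolved.append(msg.split()[-1])
        elif "returning empty group list" in msg:
            empty_group_lookups += 1
    return {
        "filter_attrs": sorted(attrs),
        "unresolved": unresolved,
        "empty_group_lookups": empty_group_lookups,
        "id_attr_missing": internal_id_attr.lower() not in attrs,
    }


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG, "dominounid"))
    print("dominounid" in filter_attributes(CONSTRUCTED_FIXED_FILTER))
```

When `id_attr_missing` is true and `unresolved` is non-empty, group-based policy assignment cannot work, because the server never obtains a DN to look up group membership for.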
