Using LDAP instead of MAPI for name resolutions on BlackBerry Enterprise Server

Article ID: KB15951

Type: Support Content

Last Modified: 07-25-2014

 

Product(s) Affected:

  • BlackBerry Enterprise Server for Microsoft Exchange
  • BlackBerry Enterprise Server for IBM Domino
Environment
  • BlackBerry Enterprise Server
  • Microsoft Active Directory
Overview

BlackBerry Enterprise Server for IBM Lotus Domino

By default, the BlackBerry Enterprise Server performs address lookups against the local Domino Directory only, but additional directories can be configured by the Domino Administrator using Directory Assistance. To configure the Lotus Domino server to query an LDAP directory in addition to the Domino Directory, a new Directory Assistance record must be created with Domain type set to LDAP.

Once the Domain type has been set, the remaining information such as Hostname, Vendor type, and Port can be configured on the LDAP tab.


BlackBerry Enterprise Server for Microsoft Exchange

By default, BlackBerry Enterprise Server for Microsoft Exchange uses the Messaging Application Programming Interface (MAPI) subsystem to perform address lookup functions via Microsoft Exchange. When BlackBerry Enterprise Server or Microsoft Exchange performance indicators suggest that this load should be reduced, the BlackBerry Enterprise Server can be configured to use Lightweight Directory Access Protocol (LDAP) instead. This will direct address lookup requests directly to Microsoft Active Directory.

Using LDAP for address lookup produces a similar amount of traffic to using MAPI, although the actual traffic will differ in composition and steps required to obtain the requested data.

Benefits of LDAP search on BlackBerry Enterprise Server

  • Using LDAP reduces the load on the MAPI subsystem, especially where the MAPI subsystem is saturated
  • LDAP uses cleaner and more efficient queries to obtain data, and the queries can be customized to search only specific Global Catalog servers or Microsoft Active Directory Organizational Units
  • LDAP attributes are returned rather than MAPI attributes; these require less data to be transferred, which improves efficiency
  • Global Catalog server failover when using LDAP can be explicitly defined if desired, to ensure that only appropriate Global Catalogs are used

Considerations for LDAP search on BlackBerry Enterprise Server

  • Since LDAP queries are made directly against the Microsoft Active Directory, performance concerns within that environment will have a more significant impact once LDAP search is enabled
  • LDAP search does not use the Global Catalog referral mechanism which is used by MAPI, so the list of Global Catalog servers configured for use should be reviewed prior to implementation

How LDAP search is accomplished on BlackBerry Enterprise Server

  • LDAP affects the ResolveProxy and ScanGAL functions when implemented
  • When using MAPI for address lookup functions, the MAPI subsystem on the BlackBerry Enterprise Server sends requests to Microsoft Exchange, which then sends the request to Microsoft Active Directory. When using LDAP for address lookup functions, the BlackBerry Enterprise Server sends requests directly to Microsoft Active Directory for a response
  • LDAP failover, when configured, is initiated specifically for failed attempts to contact a host in the LDAPDomain sequence. Failed search attempts do not trigger failover
  • If no hosts are specified in LDAPDomain, a blank BaseDN query is performed to identify an LDAP server to be used for the next query
  • If every attempt to resolve information through LDAP fails, the BlackBerry Enterprise Server is designed to switch to MAPI as a fallback

How to enable LDAP search on BlackBerry Enterprise Server

  1. On the computer that hosts the BlackBerry Enterprise Server, click Start > Run
  2. Type regedit and click OK. If a User Account Control dialog appears, click Yes to continue.
  3. Navigate to the appropriate location:

    32-bit: HKEY_LOCAL_MACHINE\Software\Research In Motion\BlackBerry Enterprise Server\Agents
    64-bit: HKEY_LOCAL_MACHINE\Software\WOW6432Node\Research In Motion\BlackBerry Enterprise Server\Agents

  4. Right-click on the Agents key in the left-hand pane and select Export
  5. Save the exported key in an accessible location in case it is needed for reference or rollback
  6. Set the contents of the LDAPSearch value to 1. If this value does not exist, create a new DWORD value named LDAPSearch, and set its value to 1

    Note: Setting LDAPSearch to 1 will also enable the Mailstore service to utilize LDAP instead of MAPI when creating the local cache of the Global Address List.

Additional configuration options can be specified using the keys below:

LDAPALPSearch
DWORD value

Setting this value to 1 enables LDAP for resolving address lookups from BlackBerry smartphones

LDAPPIMSearch
DWORD value

Setting this value to 1 enables LDAP for resolving organizer data that is stored within the Global Catalog (GC) server

LDAPDomain
String value

Used to specify an individual domain or individual Global Catalog server for LDAP search requests. If not present or blank, the BlackBerry Enterprise Server will query Microsoft Active Directory to obtain a Global Catalog server to use. Multiple servers or domains can be specified, with each separated by a space. When multiple entries are provided, they will be used for failover in the order entered.

Data should be formatted as follows:

server01.example.com:3268 server02.example.com:3268 domain.example.com

The server address should be the Fully-Qualified Domain Name (FQDN) for a domain or server. Specifying a server via IP Address is not valid. The port setting is optional. If the same port is to be used across all servers, see the LDAPport value, below.

LDAPport
DWORD value

Set this value to the desired port for LDAP connections. If not present or blank, the BlackBerry Enterprise Server will negotiate the port to be used when initiating the request.

Note: Ensure that the Decimal radio button is selected when entering port numbers to avoid errors due to conversion from hexadecimal. Specifying port 3268 allows the BlackBerry Enterprise Server to search the entire Directory instead of just the Domain.

LDAPssl
DWORD value

Setting this value to 1 enforces LDAPS for all connections to Microsoft Active Directory.

LDAPBaseDN
String value

Change the value to the BaseDN that you want the BlackBerry Enterprise Server to use (for example, OU=department,DC=domain,DC=net).

LDAPTimeout
DWORD value

Set this value to the time, in seconds, that the BlackBerry Enterprise Server should wait for a response from Microsoft Active Directory. The default value of 10 seconds is used if this value is not present.

Note: Ensure that the Decimal radio button is selected when entering this value to avoid errors due to conversion from hexadecimal.

After adding or changing any of the keys above, a restart of the BlackBerry Controller service will be required for changes to take effect.
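
An added example, not part of the original article or of any BlackBerry tooling: a Python check that reads the text of the .reg export saved in step 5 and flags the mistakes the notes above warn about (an IP address in LDAPDomain, a port typed with Hexadecimal selected, LDAPssl left unset). The sample export is constructed, and the set of expected ports (389, 636, 3268, 3269) is an assumption about what an administrator most likely intended.

```python
import ipaddress
import re

# Constructed sample of an exported Agents key (not taken from a real server).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Research In Motion\BlackBerry Enterprise Server\Agents]
"LDAPSearch"=dword:00000001
"LDAPDomain"="server01.example.com:3268 10.0.0.5:3268 domain.example.com"
"LDAPport"=dword:00003268
"LDAPTimeout"=dword:0000000a
'''

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?:dword:(?P<dword>[0-9a-fA-F]{8})|"(?P<text>.*)")\s*$')
LDAP_PORTS = {389, 636, 3268, 3269}  # assumption: ports an administrator likely meant


def parse_reg(text):
    """Return {value name: int or str} for every value line in a .reg export."""
    values = {}
    for line in text.splitlines():
        m = VALUE_RE.match(line)
        if m:
            dword = m.group("dword")
            values[m.group("name")] = int(dword, 16) if dword else m.group("text")
    return values


def audit(values):
    """Return findings for the LDAP settings described in the article."""
    findings = []
    if values.get("LDAPSearch") != 1:
        findings.append("LDAPSearch is not 1: address lookups still use MAPI")
    if values.get("LDAPssl") != 1:
        findings.append("LDAPssl is not 1: LDAPS is not enforced")
    for entry in str(values.get("LDAPDomain", "")).split():
        host, _, port = entry.partition(":")
        try:
            ipaddress.ip_address(host)
            findings.append(f"LDAPDomain entry {entry}: IP address is not valid, use an FQDN")
        except ValueError:
            pass  # not an IP address, so treated as a host or domain name
        if port and not (port.isdigit() and 0 < int(port) < 65536):
            findings.append(f"LDAPDomain entry {entry}: port is not a number in 1-65535")
    port = values.get("LDAPport")
    typed = format(port, "x") if isinstance(port, int) else ""
    if port not in LDAP_PORTS and typed.isdigit() and int(typed) in LDAP_PORTS:
        findings.append(f"LDAPport is {port}: was {typed} typed with Hexadecimal selected?")
    return findings
```

Registry Editor saves exports as UTF-16, so read the file with `encoding="utf-16"` before passing its text to `parse_reg`.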

Additional Information

For more information on the settings and steps described above, please refer to the Administration Guide for the appropriate BlackBerry Enterprise Server version, which can be found at docs.blackberry.com.

The following log lines can be used to confirm that the LDAP settings have been applied.

In the Messaging Agent (MAGT) log:

[41120] (12/02 13:51:03.929):{0x13D4} [CFG] Address Lookup is enabled
[41122] (12/02 13:51:03.929):{0x13D4} [CFG] LDAP search is enabled, LDAP PIM search is enabled, LDAP ALP search is enabled
[35035] (12/02 13:51:04.195):{0x13D4} LDAP: Create 0x00c10a8c
[30460] (12/02 13:51:04.195):{0x13D4} [CFG] LDAP Info: Host Name = domain.example.com

In the Mailstore service (MAST) log:

[30000] (02/22 11:44:52.783):{0xBC8} RefreshAddressLookupEntries called
[30000] (02/22 11:44:52.892):{0xBC8} RefreshAddressLookupEntries successful

[30000] (02/22 11:44:55.981):{0x1674} MailStoreExchange::GetScanGalPropsWithLDAP - page 1 total read - 29 total inserted - 13
[30000] (02/22 11:44:55.981):{0x1674} MailStoreExchange::GetScanGalPropsWithLDAP - page 1 grand total read - 29 grand total inserted 13
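
An added example, not part of the original article: a Python function that scans MAGT and MAST log text for the confirmation lines shown above and reports which LDAP modes were logged as enabled, which host was selected, and the final Global Address List totals. The sample lines are copied from the excerpts above; the function and field names are hypothetical.

```python
import re

# Log lines copied from the article's MAGT and MAST excerpts.
MAGT = """\
[41120] (12/02 13:51:03.929):{0x13D4} [CFG] Address Lookup is enabled
[41122] (12/02 13:51:03.929):{0x13D4} [CFG] LDAP search is enabled, LDAP PIM search is enabled, LDAP ALP search is enabled
[35035] (12/02 13:51:04.195):{0x13D4} LDAP: Create 0x00c10a8c
[30460] (12/02 13:51:04.195):{0x13D4} [CFG] LDAP Info: Host Name = domain.example.com
"""
MAST = """\
[30000] (02/22 11:44:55.981):{0x1674} MailStoreExchange::GetScanGalPropsWithLDAP - page 1 total read - 29 total inserted - 13
[30000] (02/22 11:44:55.981):{0x1674} MailStoreExchange::GetScanGalPropsWithLDAP - page 1 grand total read - 29 grand total inserted 13
"""

# [event id] (MM/DD HH:MM:SS.mmm):{thread id} message
LINE_RE = re.compile(r"^\[(\d+)\] \((\d\d/\d\d [\d:.]+)\):\{(0x[0-9A-Fa-f]+)\} (.*)$")
ENABLED_RE = re.compile(r"(LDAP(?: PIM| ALP)? search) is enabled")
HOST_RE = re.compile(r"LDAP Info: Host Name = (\S+)")
GAL_RE = re.compile(r"GetScanGalPropsWithLDAP .* grand total read - (\d+) grand total inserted (\d+)")


def confirm_ldap(magt_text, mast_text):
    """Summarise what the two logs confirm about the LDAP configuration."""
    result = {"enabled": set(), "hosts": [], "gal_read": None, "gal_inserted": None}
    for line in (magt_text + "\n" + mast_text).splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank or unrecognised line
        message = m.group(4)
        result["enabled"].update(ENABLED_RE.findall(message))
        host = HOST_RE.search(message)
        if host:
            result["hosts"].append(host.group(1))
        gal = GAL_RE.search(message)
        if gal:
            result["gal_read"], result["gal_inserted"] = map(int, gal.groups())
    return result
```

Comparing the reported hosts with the entries in LDAPDomain shows whether the server is querying the directory hosts that were intended.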

This article contains content previously documented in KB25196 and KB05174.
