10.2  Apple Open Directory

10.2.1  Setting mapping in the administration interface
10.2.2  Kerio Open Directory Extension

Mapping of accounts from the Apple Open Directory provides you with the benefit of working interlinking of Kerio Connect and Apple Open Directory. Additions, modifications or removals of user accounts/groups in the Open Directory database are applied to Kerio Connect immediately.

Warning

  • If an account is created in the Kerio Connect's administration interface, it will be created only locally, it will not be copied into Open Directory database.

  • If the Open Directory server is not available it will not be possible to access Kerio Connect. It is therefore recommended to create at least one local account with read/write permissions.

  • When creating a user account in Apple Open Directory, ASCII must be used to specify username. If the username includes special characters or symbols, it might happen that the user cannot log in.

To make account mapping work, you will need to enable mapping in the administration interface and to install the special module Kerio Open Directory Extension on the domain server. Guidelines for these settings are provided in the following sections.

10.2.1  Setting mapping in the administration interface

In the Kerio Connect's administration interface, go to Domains, select a corresponding domain and open its settings. Now go to the Directory Service tab:

Figure 10.6. Domain settings — Apple Open Directory

Map user accounts and groups...

Use this option to enable/disable cooperation with the LDAP database (if this option is inactive, only local accounts can be created in the domain).

Type

Type of LDAP database to be used by this domain. There are two alternatives for mapping Apple Open Directory accounts, which differ in the authentication method: authentication against the password server and Kerberos authentication.

The first method (authentication against the password server) has one benefit: no special settings are needed on the server where Kerio Connect is installed. However, it also has several disadvantages:

  • This authentication method is obsolete and less secure.

  • Users are not allowed to change their user passwords on their own (in the Kerio WebMail interface).

  • The Apple company has ended support for this authentication method.

  • This authentication method is enabled only if Kerio Connect is installed on Mac OS X.

Authentication against the Kerberos server, on the other hand, is more modern and secure, but it requires additional settings on the server where Kerio Connect is installed. For detailed information on these settings, see chapter 26  Kerberos Authentication.

Also remember that in the domain settings (Configuration → Domains, Advanced tab, in the Kerio Connect administration interface) the name of the Kerberos realm against which the mailserver authenticates must be specified. This name must match the realm name specified in the /Library/Preferences/edu.mit.Kerberos file, otherwise authentication will not work. For a detailed description of authentication against the Kerberos server on Mac OS X, see chapter 26.3  Kerio Connect on Mac OS X.
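As an added example (not code from the manual or from Kerio), the following Python snippet reads the default_realm from a krb5.conf-style file such as /Library/Preferences/edu.mit.Kerberos and compares it with the realm configured for the domain; the realm and host names in the embedded sample are constructed placeholders. Kerberos realm names are case-sensitive, so the comparison is exact.

```python
import re

# Constructed sample of /Library/Preferences/edu.mit.Kerberos (krb5.conf syntax).
# The realm and KDC names are placeholders, not values from any real deployment.
SAMPLE_KERBEROS_FILE = """\
[libdefaults]
    default_realm = COMPANY.COM   # realm Kerio Connect must be configured with
    dns_lookup_kdc = true

[realms]
    COMPANY.COM = {
        kdc = od.company.com
        admin_server = od.company.com
    }
"""

def default_realm(config_text):
    """Return the default_realm from the [libdefaults] section, or None if absent."""
    section = None
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        header = re.match(r"\[(\w+)\]$", line)
        if header:
            section = header.group(1)
            continue
        if section == "libdefaults" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "default_realm":
                return value
    return None

def realm_matches(configured_realm, config_text):
    """True only if the realm entered in the domain settings is identical
    (including case) to the file's default_realm; 'company.com' does not
    match 'COMPANY.COM' because Kerberos realm names are case-sensitive."""
    return default_realm(config_text) == configured_realm
```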

Hostname

DNS name or IP address of the server where the LDAP database is running

By default, the LDAP service uses port 389 (port 636 for the secured version). If a non-standard port is used for communication between Kerio Connect and the LDAP database, append it to the DNS name or IP address of the server (e.g. mail1.company.com:12345 or 212.100.12.5:12345).

Note

If the secured version of the LDAP service is used for the connection, a DNS name (not just an IP address) must be entered so that the SSL certificate can be verified.

Username

Username of a user with full (read and write) rights for the LDAP database: either the root user or the Open Directory administrator (admin on Mac OS X 10.3, diradmin on Mac OS X 10.4 and higher). If the administrator's username is used, make sure the user is an Apple Open Directory administrator, not just a local administrator on the Apple Open Directory computer.

To connect to the Apple Open Directory database, enter the username following this pattern:

uid=xxx,cn=xxx,dc=xxx

  • uid — username that you use to connect to the system.

  • cn — name of the users container (typically users).

  • dc — domain components of the domain and all its subdomains (e.g. mail1.company.com becomes dc=mail1,dc=company,dc=com).

Password

Password of the user who has full (read and write) rights for the LDAP database.

Secured connection (LDAPS)

Sensitive data (such as user passwords) may be transmitted between the LDAP database and Kerio Connect. The communication can be secured by using an SSL tunnel.

Warning

SSL encryption is demanding on connection speed and processor time. Especially when many connections are established between the LDAP database and Kerio Connect, or when the LDAP database contains many users, communication might slow down. If SSL encryption overloads the server, it is recommended to use the non-secured version of LDAP.

Domain controller failover

DNS name or IP address of the backup server with the same LDAP database.

If the secured version of the LDAP service is used for the connection, a DNS name (not just an IP address) must be entered here as well so that the SSL certificate can be verified.

LDAP search suffix

If Apple Open Directory is selected as the Directory service type, enter a suffix of the form dc=subdomain,dc=domain.

Click the Test connection button to check the defined parameters. The test verifies the server name and address (whether a connection with the server can be established) as well as the username and password (whether authentication succeeds).
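As an added example (not the manual's or Kerio's own code), a small Python checker for the Hostname, Username and Domain controller failover fields described above: it applies the default ports (389 plain, 636 LDAPS), builds the uid=...,cn=...,dc=... bind DN from a domain name, flags an IP address used with LDAPS (which prevents certificate verification) and flags a non-ASCII username. All host names, usernames and domains used in it are constructed placeholders.

```python
import ipaddress

# Default ports as stated on the page: 389 for plain LDAP, 636 for LDAPS.
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}

def parse_host(spec, ldaps=False):
    """Split 'host' or 'host:port' (e.g. mail1.company.com:12345) into
    (host, port). Without an explicit port the default for the chosen LDAP
    flavour is used. Bracketed IPv6 literals are not handled here."""
    host, sep, port = spec.rpartition(":")
    if not sep:
        return spec, DEFAULT_PORTS["ldaps" if ldaps else "ldap"]
    return host, int(port)

def is_ip_address(host):
    """True for a literal IPv4/IPv6 address, False for a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def domain_to_dc(domain):
    """mail1.company.com -> 'dc=mail1,dc=company,dc=com'."""
    return ",".join("dc=" + label for label in domain.strip(".").split("."))

def bind_dn(username, domain, container="users"):
    """Build the uid=...,cn=...,dc=... value expected in the Username field."""
    return "uid=%s,cn=%s,%s" % (username, container, domain_to_dc(domain))

def check_settings(hostname, username, ldaps, failover=None):
    """Return a list of problems with the Directory Service fields that a
    successful Test connection would not necessarily reveal."""
    problems = []
    for label, spec in (("Hostname", hostname), ("Domain controller failover", failover)):
        if not spec:
            continue
        host, port = parse_host(spec, ldaps)
        if ldaps and is_ip_address(host):
            # The page requires a DNS name so the SSL certificate can be verified.
            problems.append("%s: use a DNS name instead of %s with LDAPS" % (label, host))
        if not 1 <= port <= 65535:
            problems.append("%s: port %d is out of range" % (label, port))
    if not username.isascii():
        # Open Directory usernames must be ASCII or the user may fail to log in.
        problems.append("Username must be ASCII")
    return problems
```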

Note

The cooperation with the LDAP database described above has nothing to do with the built-in LDAP server. The built-in LDAP server is used to access contact lists from mail clients (for details, refer to chapter 20  LDAP server). However, if Kerio Connect is installed on an Apple Open Directory server, the LDAP listening port in Configuration → Services must be changed to an alternate port to avoid a port conflict.

10.2.2  Kerio Open Directory Extension

Kerio Open Directory Extension is an extension to the Apple Open Directory service that allows accounts to be mapped to Kerio Connect (Kerio Connect items are added to the LDAP database schema). When user accounts are created, edited or deleted in the Apple Open Directory database, the changes are also applied in Kerio Connect. In addition, Kerio Connect users can access Apple Open Directory LDAP database contacts from their mailboxes (via the public Contacts folder).

Installation

The installation package with Kerio Open Directory Extension can be downloaded from the product web pages of Kerio Technologies.

A standard wizard is used for installation of Kerio Open Directory Extension.

Warning

When Mac OS X servers are used in a Master/Replica configuration, Kerio Open Directory Extension must be installed on the master server as well as on all replica servers, otherwise account mapping will not work.

If the configuration is as follows:

  • you use Kerio Open Directory Extension 6.6 and higher,

  • servers run on OS X 10.5.3 and higher,

  • Replica servers were created after installation of Kerio Open Directory Extension on the Master server,

then Replica servers download the extension automatically from the Master server during the creation process.

If you install Kerio Open Directory Extension on Replica servers manually, the configuration is not affected.

System requirements

Kerio Open Directory Extension can be installed on Mac OS X 10.5 Leopard and later versions.

Apple Open Directory

Apple Open Directory is a directory service shipped with Mac OS X Server systems. It is the equivalent of Microsoft's Active Directory. Like Active Directory, it allows storing information about objects in a network (users, groups, workstations, etc.), authenticating users, and so on.

Information about users and groups in Apple Open Directory is stored in an OpenLDAP database. When accounts are mapped to Kerio Connect, all user accounts are stored in one place and it is not necessary to import and administer them in both Apple Open Directory and Kerio Connect. Only mailbox-specific configuration has to be done in Kerio Connect (see chapter 8  User accounts).

Warning

When creating a user account in Apple Open Directory, ASCII must be used to specify username. If the username includes special characters or symbols, it might happen that the user cannot log in.

Setting user accounts mapping in Kerio Connect

In Mac OS X Server, usually no settings other than installing Kerio Open Directory Extension are necessary. Usernames must be saved in ASCII; if a username includes special characters or symbols, the user might not be able to log in.

In Kerio Connect the following settings must be specified:

  1. Mapping of user accounts from Apple Open Directory must be enabled and defined in domain settings.

  2. User authentication via Kerberos must be set in domain settings (for more information, see chapter 7.7  Authentication of domain users).

  3. User authentication via Kerberos must be set in user settings (for more information, see chapter 8.2  Creating a user account).

  4. If a contact should not be shown in the public Contacts folder, go to the user settings in Kerio Connect's Accounts → Users section and uncheck the Publish in Global Address List option.