27.3  Kerio MailServer on Mac OS X

Authentication against Active Directory

If Kerio MailServer is installed on Mac OS X and user accounts are mapped from Active Directory, make the following settings:

DNS configuration

To ensure that Mac OS X can access Active Directory, the host must be able to resolve the DNS names used by the Active Directory domain. It is therefore necessary to set the Active Directory server as the primary DNS server:

Figure 27.3. DNS configuration


  1. Open the System Preferences application and click on Network (see figure 27.3  DNS configuration) to open the Network dialog box.

  2. On the TCP/IP tab, specify the IP address of the Active Directory server in the DNS servers entry.

    If the network configuration requires authentication against multiple domain controllers at a time, add all domain controllers where Kerio MailServer will be authenticated as DNS servers.

Connection of the Kerio MailServer host to the Active Directory domain

To connect the computer to the Active Directory domain, use the Directory Access utility (Applications → Utilities) which is included in all basic Apple Mac OS X systems. For the configuration, follow these instructions:

  1. Run the Directory Access application and enable the Active Directory service in the Services section (see figure 27.4  Directory Access — Services). Enter an authentication name and password; the user who makes changes in the application needs administration rights for the system.

    Figure 27.4. Directory Access — Services


  2. Enable the service, click on Configure and specify the Active Directory domain name (see figure 27.5  Directory Access — configuration).

    Figure 27.5. Directory Access — configuration


  3. Click on Bind and enter the username and password of the Active Directory administrator. This administrator must be allowed to add computers to the Active Directory domain (see figure 27.6  Directory Access — specification of administrator's login data).

    Figure 27.6. Directory Access — specification of administrator's login data


If all settings are done correctly, it will take only a few seconds to connect the computer to the domain.

Kerberos settings

Once Mac OS X is successfully connected to the Active Directory domain, the special edu.mit.Kerberos file is created in the /Library/Preferences/ directory. Make sure that the file has been created correctly; the following example can be used for comparison (the realm defined in the [realms] section must be the same as the default_realm value):

# WARNING This file is automatically created by Active Directory
# do not make changes to this file;
# autogenerated from : /Active Directory/company.com
# generation_id : 0
[libdefaults]
        default_realm = COMPANY.COM
        ticket_lifetime = 600
        dns_fallback = no
[realms]
        COMPANY.COM = {
                kdc = server.company.com.:88
                admin_server = server.company.com.
        }

Using the kinit utility, it is possible to test whether Kerio MailServer is able to authenticate against Active Directory. Simply open the command line (Terminal) and use the following command:

kinit -S host/name_KMS@KERBEROS_REALM user_name

for example:

kinit -S host/mail.company.com@COMPANY.COM wsmith

If the query was processed correctly, you will be asked to enter the password for the particular user. Otherwise, an error is reported.

Authentication against Open Directory

Kerio MailServer can be installed either on the server running the Apple Open Directory directory service or on another server.

If Kerio MailServer is installed on the same server as Open Directory, no additional configuration is necessary besides installation of the Kerio Open Directory Extension. If it is installed on another computer, external authentication through Kerberos to Open Directory must be set.

Kerio MailServer can be installed on servers with Mac OS X 10.3 and higher. The settings are similar for both versions. The following description applies to configuration on Mac OS X 10.4; any discrepancies will be mentioned.

External authentication is configured with a special application, Directory Access. The application can be found under Applications → Utilities → Directory Access. This application is used to create the special edu.mit.Kerberos authentication file which is located under /Library/Preferences. The following settings must be performed to make the authentication work properly:

  1. Start the Directory Access application.

  2. On the Services tab, check the LDAPv3 item (see figure 27.7  Directory Access — checking LDAP).

    Figure 27.7. Directory Access — checking LDAP


  3. On the Services tab, select the LDAPv3 item and click on Configure.

  4. In the next dialog, click New.

  5. This will open a dialog box where the IP address and name of the server can be specified. Enter the IP address or DNS name of the server where the Apple Open Directory service is running. Once the server is specified, click on the Manual button (not necessary in the Mac OS X 10.3 version) and enter a name in the Configuration name text box (this item is used for reference only).

  6. Save the configuration and select Open Directory Server in the LDAP Mappings menu.

  7. Once Open Directory Server is selected, the dialog for specification of the search suffix is opened (Search Base Suffix). The suffix must be entered as shown in the example in figure 27.8  Directory Access — configuration of the Open Directory server:

    od.company.com → dc=od,dc=company,dc=com

    Figure 27.8. Directory Access — configuration of the Open Directory server


    The figure implies that the suffix must be specified as follows: dc=subdomain,dc=domain. The number of dc= components in the suffix must match the number of labels in the server's DNS name.

  8. Now, authentication will be set for the Open Directory server. Switch to the Authentication tab (see figure 27.9  Directory Access — Authentication settings).

    Figure 27.9. Directory Access — Authentication settings


  9. In the Search menu, select Custom path.

  10. Enter the name of the Open Directory server into the Directory Domains list and click on Add. Directory Access automatically offers the Open Directory server name specified on the previous tab; simply confirm it.

  11. Save the settings by clicking the Apply button.
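The rule in step 7 (one dc= component per label of the server's DNS name) is easy to get wrong when the suffix is typed by hand. The following shell functions, added here as an example and not part of the Kerio manual or Directory Access, derive the Search Base Suffix from a server name and check a given suffix against it. The server names used are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the Kerio manual): derive the Search Base Suffix that
# Directory Access expects from the Open Directory server's DNS name, and verify
# a hand-typed suffix against the rule "one dc= component per DNS label".
# The server names below are constructed sample values.

# dns_to_search_base NAME: od.company.com -> dc=od,dc=company,dc=com
dns_to_search_base() {
    printf 'dc=%s\n' "$1" | tr 'A-Z' 'a-z' | sed 's/\./,dc=/g'
}

# dns_labels NAME: number of dot-separated labels in a DNS name.
dns_labels() {
    printf '%s\n' "$1" | tr '.' '\n' | grep -c .
}

# suffix_dcs SUFFIX: number of dc= components in an LDAP suffix.
suffix_dcs() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -c '^[[:space:]]*dc='
}

# check_search_base NAME SUFFIX: returns 0 when SUFFIX is exactly the suffix
# derived from NAME (case and whitespace ignored), 1 and a diagnostic otherwise.
check_search_base() {
    want=$(dns_to_search_base "$1")
    got=$(printf '%s\n' "$2" | tr 'A-Z' 'a-z' | tr -d '[:space:]')
    if [ "$got" = "$want" ]; then
        echo "OK: $1 -> $want"
        return 0
    fi
    echo "MISMATCH: server $1 has $(dns_labels "$1") labels but suffix '$2' has $(suffix_dcs "$2") dc= components; expected '$want'"
    return 1
}

# Demonstration: the manual's example, then a suffix that is one label short.
check_search_base od.company.com "dc=od,dc=company,dc=com"
check_search_base od.company.com "dc=company,dc=com"
```

The second call reports the mismatch because the suffix has two dc= components while od.company.com has three labels, which is exactly the case the rule in step 7 rules out.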

Directory Access creates the edu.mit.Kerberos file in the /Library/Preferences directory. Check that the file includes correct data. The following parameters should be included (the realm defined in the [realms] section must be the same as the default_realm value):

# WARNING This file is automatically created by Open Directory
# do not make changes to this file;
# autogenerated from : /Open Directory/company.com
# generation_id : 0
[libdefaults]
        default_realm = COMPANY.COM
        ticket_lifetime = 600
        dns_fallback = no
[realms]
        COMPANY.COM = {
                kdc = server.company.com.:88
                admin_server = server.company.com.
        }

Using the kinit utility, it is possible to test whether Kerio MailServer is able to authenticate against Kerberos. Simply open the command line (Terminal) and use the following command:

kinit -S host/KMS_hostname@KERBEROS_REALM username@REALM

for example:

kinit -S host/od.company.com@COMPANY.COM thenry@COMPANY.COM

If the query was processed correctly, you will be asked to enter the password for the particular user. Otherwise, an error is reported.

Now, simply change configuration in Kerio MailServer:

  • In the Domains section of the Kerio MailServer administration console, specify parameters on the Directory Service and the Advanced tabs (the Apple Open Directory realm must be specified in the Kerberos 5 entry).

    Warning

    The Kerberos realm specified on the Advanced tab must be identical to the Kerberos realm name specified in the /Library/Preferences/edu.mit.Kerberos file; in particular, it must match the default_realm value in this file. For example, the line may read default_realm = COMPANY.COM.

  • In the Kerio MailServer administration console, the Apple Open Directory authentication type must be set for user accounts.

Authentication against a stand-alone Kerberos server (KDC)

To use authentication against a stand-alone Kerberos server (Key Distribution Center), it is necessary to maintain the username and password database both in the Key Distribution Center and in Kerio MailServer.

Before setting Kerberos user authentication in Kerio MailServer, it is recommended to check that authentication against the Kerberos realm works correctly (log in to the system at the host where Kerio MailServer will be installed, using an account defined in the Key Distribution Center). If the attempt fails, check the following:

  1. The Kerio MailServer host is a member of the Kerberos realm to be authenticated against:

    • the Kerberos client must be installed on the computer,

    • usernames and passwords of all users created in Kerio MailServer must be defined in the Key Distribution Center (required for authentication in Kerberos).

  2. The DNS service must be configured correctly on Kerio MailServer's host (the Key Distribution Center uses DNS queries).

  3. The clocks of Kerio MailServer and the Key Distribution Center (all hosts included in the Kerberos realm) must be synchronized.

The Kerberos configuration can be checked in the /Library/Preferences/edu.mit.Kerberos file. The following parameters should be included (the realm defined in the [realms] section must be the same as the default_realm value):

# WARNING This file is automatically created by KERBEROS
# do not make changes to this file;
# autogenerated from : /KERBEROS/company.com
# generation_id : 0
[libdefaults]
        default_realm = COMPANY.COM
        ticket_lifetime = 600
        dns_fallback = no
[realms]
        COMPANY.COM = {
                kdc = server.company.com.:88
                admin_server = server.company.com.
        }
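All three variants of this chapter (Active Directory, Open Directory, stand-alone KDC) end with the same instruction: compare the generated edu.mit.Kerberos file against a sample, then run kinit. The script below, added here as an example and not code from the Kerio manual or from Directory Access, automates the comparison: it parses the krb5.conf-style file, checks that default_realm has a matching [realms] block, that every kdc value is a well-formed host or host:port without stray whitespace, and builds the host/HOSTNAME@REALM service principal for the kinit test from the realm the file actually declares. The sample files it writes are constructed test data; on a real host pass /Library/Preferences/edu.mit.Kerberos as the argument.

```shell
#!/bin/sh
# Added example, not part of the Kerio manual: consistency checks for the
# krb5.conf-style /Library/Preferences/edu.mit.Kerberos file that Directory
# Access generates. The sample contents written below are constructed test data.

# krb_get FILE SECTION KEY: print the value of KEY in [SECTION] (first match).
krb_get() {
    awk -v sec="$2" -v key="$3" '
        /^[ \t]*#/ { next }                                   # comment line
        /^[ \t]*\[/ { cur = $1; sub(/^\[/, "", cur); sub(/\]$/, "", cur); next }
        cur == sec && $1 == key && $2 == "=" { print $3; exit }
    ' "$1"
}

# krb_realms FILE: list realm names that open a "NAME = {" block under [realms].
krb_realms() {
    awk '
        /^[ \t]*#/ { next }
        /^[ \t]*\[/ { cur = $1; sub(/^\[/, "", cur); sub(/\]$/, "", cur); next }
        cur == "realms" && $2 == "=" && $3 == "{" { print $1 }
    ' "$1"
}

# krb_kdcs FILE REALM: print every kdc value (host or host:port) of REALM,
# keeping the rest of the line intact so that malformed values stay visible.
krb_kdcs() {
    awk -v realm="$2" '
        /^[ \t]*#/ { next }
        /^[ \t]*\[/ { cur = $1; sub(/^\[/, "", cur); sub(/\]$/, "", cur); next }
        cur == "realms" && $2 == "=" && $3 == "{" { inrealm = ($1 == realm); next }
        inrealm && $1 == "}" { inrealm = 0; next }
        inrealm && $1 == "kdc" && $2 == "=" { $1 = ""; $2 = ""; sub(/^[ \t]+/, ""); print }
    ' "$1"
}

# kinit_service_principal FILE HOSTNAME: the -S argument for the kinit test,
# built from the realm the file declares (host/HOSTNAME@REALM).
kinit_service_principal() {
    printf 'host/%s@%s\n' "$2" "$(krb_get "$1" libdefaults default_realm)"
}

# krb_conf_check FILE: returns 0 if the file is internally consistent, 1 otherwise.
krb_conf_check() {
    file="$1"; status=0
    realm=$(krb_get "$file" libdefaults default_realm)
    if [ -z "$realm" ]; then
        echo "FAIL: no default_realm in [libdefaults]"
        return 1
    fi
    # A default_realm without a [realms] block (e.g. COMPANY.COM vs COMPANY.CZ)
    # leaves the client with no KDC, since dns_fallback = no forbids DNS lookup.
    if ! krb_realms "$file" | grep -qxF "$realm"; then
        echo "FAIL: default_realm $realm has no [realms] block (found: $(krb_realms "$file" | tr '\n' ' '))"
        status=1
    fi
    kdcs=$(krb_kdcs "$file" "$realm")
    if [ -z "$kdcs" ]; then
        echo "FAIL: no kdc entry for realm $realm"
        status=1
    elif printf '%s\n' "$kdcs" | grep -q '[[:space:]]'; then
        echo "FAIL: kdc value contains whitespace ('host. :88' is not 'host.:88'): $kdcs"
        status=1
    else
        for kdc in $kdcs; do
            case "$kdc" in
                *:*) port=${kdc##*:}
                     case "$port" in
                         ''|*[!0-9]*) echo "FAIL: kdc $kdc has a non-numeric port"; status=1 ;;
                     esac ;;
            esac
        done
    fi
    [ -n "$(krb_get "$file" libdefaults ticket_lifetime)" ] || echo "WARN: ticket_lifetime not set"
    [ "$status" -eq 0 ] && echo "OK: $file declares realm $realm with KDC(s): $kdcs"
    return "$status"
}

# write_sample_conf PATH REALM_IN_BLOCK: constructed sample mirroring the manual's
# listing; the realm name of the [realms] block is a parameter so that both a
# consistent and an inconsistent file can be produced for the demonstration.
write_sample_conf() {
    cat > "$1" <<EOF
# WARNING constructed sample, not a file generated by Directory Access
[libdefaults]
        default_realm = COMPANY.COM
        ticket_lifetime = 600
        dns_fallback = no
[realms]
        $2 = {
                kdc = server.company.com.:88
                admin_server = server.company.com.
        }
EOF
}

# Demonstration (on a real host: krb_conf_check /Library/Preferences/edu.mit.Kerberos).
tmp=$(mktemp -d)
write_sample_conf "$tmp/consistent" COMPANY.COM
write_sample_conf "$tmp/mismatched" COMPANY.CZ
krb_conf_check "$tmp/consistent"
krb_conf_check "$tmp/mismatched"
echo "kinit -S $(kinit_service_principal "$tmp/consistent" mail.company.com) wsmith"
```

The mismatched sample fails with a message naming both realms, which is the situation the Warning about the Advanced tab describes: the realm Kerio MailServer is told to use and the realm the file defines must be one and the same. The last line prints the kinit command in the form the manual uses, so the -S principal always carries the realm from the file rather than one typed from memory.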

Using the kinit utility, it is possible to test whether Kerio MailServer is able to authenticate against Kerberos. Simply open the command line (Terminal) and use the following command:

kinit -S host/KMS_hostname@KERBEROS_REALM username@REALM

for example:

kinit -S host/mail.company.com@COMPANY.COM

If the query was processed correctly, you will be asked to enter the password for the particular user. Otherwise, an error is reported.

When the previous steps have been completed successfully, set authentication in Kerio MailServer on the Advanced tab under Configuration → Domains (see chapter 7.7  Authentication of domain users).