10.2  Apple Open Directory

10.2.1  Setting mapping in the administration interface
10.2.2  Kerio Open Directory Extension

Mapping accounts from Apple Open Directory interlinks Kerio MailServer with Apple Open Directory: additions, modifications and removals of user accounts and groups in the Open Directory database are applied in Kerio MailServer immediately.

Warning

  • If an account is created in Kerio Administration Console, it is created only locally; it is not copied into the Open Directory database.

  • If the Open Directory server is unavailable, it will be impossible to log in to Kerio MailServer. It is therefore recommended to create at least one local account with read/write permissions.

  • When creating a user account in Apple Open Directory, the username must be specified in ASCII. If the username includes special characters or symbols, the user may be unable to log in.

To make account mapping work, you will need to enable mapping in the administration interface and to install the special module Kerio Open Directory Extension on the domain server. Guidelines for these settings are provided in the following sections.

10.2.1  Setting mapping in the administration interface

In the Kerio MailServer's administration interface, go to Domains, select a corresponding domain and open its settings. Now go to the Directory Service tab:

Figure 10.6. Domain settings — Apple Open Directory
Map user accounts and groups...

Use this option to enable/disable cooperation with the LDAP database (if this option is inactive, only local accounts can be created in the domain).

Type

The type of LDAP database this domain will use. Apple Open Directory accounts can be mapped in two ways, which differ in the authentication method: Apple Open Directory supports authentication against the password server and Kerberos authentication.

The first method (authentication against the password server) has one benefit: no special settings are needed on the server where Kerio MailServer is installed. It has, however, several disadvantages:

  • This authentication method is obsolete and less secure.

  • Users are not allowed to change their user passwords on their own (in the Kerio WebMail interface).

  • The Apple company has ended support for this authentication method.

  • This authentication method is enabled only if Kerio MailServer is installed on Mac OS X.

Authentication against the Kerberos server, on the other hand, is more modern and secure, but it requires additional settings on the server where Kerio MailServer is installed. For detailed information on these settings, see chapter 27  Kerberos Authentication.

Remember also that in the domain settings (Configuration → Domains, Advanced tab, in the Kerio MailServer administration console) the name of the Kerberos area (realm) against which the mailserver will authenticate must be specified. This name must match the realm name specified in the /Library/Preferences/edu.mit.Kerberos file, otherwise authentication will not work. For a detailed description of authentication against the Kerberos server on Mac OS X, see chapter 27.3  Kerio MailServer on Mac OS X.
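The realm-name check described above can be automated. The following is an added example, not part of the Kerio documentation or product: a minimal parser for the krb5.conf-style syntax used by /Library/Preferences/edu.mit.Kerberos, and a comparison of the realm configured in Kerio against the file's default_realm. The file contents, the realm name MAIL1.COMPANY.COM and the KDC host are constructed sample values; only the file path comes from the guide.

```python
# Added example (not Kerio's code): check that the Kerberos area (realm)
# entered in the Kerio domain settings matches the default_realm in
# /Library/Preferences/edu.mit.Kerberos. The file uses krb5.conf syntax:
# [section] headers, key = value lines, and nested { } blocks.
from typing import Dict, Set

# Constructed sample of the file; realm, KDC and domain names are made up.
SAMPLE_KRB5 = """\
# constructed sample of /Library/Preferences/edu.mit.Kerberos
[libdefaults]
    default_realm = MAIL1.COMPANY.COM
    dns_fallback = no

[realms]
    MAIL1.COMPANY.COM = {
        kdc = od.company.com:88
        admin_server = od.company.com:749
    }

[domain_realm]
    .company.com = MAIL1.COMPANY.COM
"""


def parse_krb5_conf(text: str) -> Dict[str, dict]:
    """Parse krb5.conf-style text into {section: {key: value | {nested}}}."""
    sections: Dict[str, dict] = {}
    stack: list = []            # innermost dict is stack[-1]; handles { } nesting
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [sections.setdefault(line[1:-1], {})]
            continue
        if not stack:
            continue                           # key before any section header
        if line == "}":
            stack.pop()
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value == "{":                       # start of a nested block, e.g. a realm
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1][key] = value
    return sections


def known_realms(krb5_text: str) -> Set[str]:
    """Realm names that have a [realms] entry in the file."""
    return set(parse_krb5_conf(krb5_text).get("realms", {}))


def realm_matches(configured_realm: str, krb5_text: str) -> bool:
    """True if the realm configured in Kerio equals the file's default_realm.

    Kerberos realm names are case-sensitive, so the comparison is exact:
    'mail1.company.com' does not match 'MAIL1.COMPANY.COM'.
    """
    default_realm = parse_krb5_conf(krb5_text).get("libdefaults", {}).get("default_realm")
    return default_realm is not None and configured_realm == default_realm


if __name__ == "__main__":
    print(realm_matches("MAIL1.COMPANY.COM", SAMPLE_KRB5))   # True
    print(realm_matches("mail1.company.com", SAMPLE_KRB5))   # False
```

To run it against the real file, read /Library/Preferences/edu.mit.Kerberos into a string and pass it in place of SAMPLE_KRB5. A mismatch that differs only in letter case is the typical cause of the "settings will not function properly" symptom the guide mentions, which is why the comparison is deliberately case-sensitive.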

Hostname

DNS name or IP address of the server where the LDAP database is running.

The LDAP service uses port 389 by default (port 636 by default for the secured version). If Kerio MailServer communicates with the LDAP database on a non-standard port, the port must be appended to the DNS name or IP address of the server (e.g. mail1.company.com:12345 or 212.100.12.5:12345).

Note: If the secured version of the LDAP service is used for the connection, the DNS name must be entered so that the SSL certificate can be verified.

Username

Name of a user that has read rights to the LDAP database: either the root user or the Open Directory administrator (admin on Mac OS X 10.3, diradmin on Mac OS X 10.4 and higher). If the administrator's username is used, make sure the user is an Open Directory administrator, not just a local administrator on the Open Directory computer.

To connect to the Apple Open Directory database, enter the username in the following form:

uid=xxx,cn=xxx,dc=xxx

  • uid — the username used to connect to the system.

  • cn — the name of the users container (typically users).

  • dc — the domain name and all of its subdomains, one dc component per label (e.g. mail1.company.com becomes dc=mail1,dc=company,dc=com).

Password

Password of the user that has read rights to the LDAP database.

Secured connection (LDAPS)

During communication between the LDAP database and Kerio MailServer, sensitive data (such as user passwords) may be transmitted. The communication can be secured with an SSL tunnel.

Warning

SSL encryption is demanding in terms of connection speed and processor load. Especially when many connections are established between the LDAP database and Kerio MailServer, or when the LDAP database contains many users, communication might become slow. If SSL encryption overloads the server, it is recommended to use the non-secured version of LDAP.

Domain controller failover

DNS name or IP address of the backup server with the same LDAP database.

If the secured version of the LDAP service is used for the connection, the DNS name must be entered here as well so that the SSL certificate can be verified.

LDAP search suffix

If Apple OpenDirectory is selected as the directory service type, enter a suffix in the form dc=subdomain,dc=domain.

Click the Test connection button to check the parameters you have entered. The test verifies the server name and address (whether a connection to the server can be established) as well as the username and password (whether authentication succeeds).
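The fields above follow simple, mechanical rules: the bind DN is uid=…,cn=…,dc=…, the search suffix is the domain split into dc= components, the hostname may carry a non-standard port, LDAPS needs a DNS name rather than an IP address, and usernames must be ASCII. The following is an added example, not Kerio's own code, that derives and sanity-checks those values before they are typed into the Directory Service tab. It assumes the users container is cn=users (the guide says "typically"), that hosts are DNS names or IPv4 literals as in the guide's examples (bracketed IPv6 is not handled), and the default ports 389 and 636 from the text; the usernames and hosts in the usage lines are constructed samples.

```python
# Added example (not Kerio's code): derive and sanity-check the values the
# Directory Service tab asks for. Assumptions: usernames are ASCII as the
# guide requires, the users container is cn=users, hosts are DNS names or
# IPv4 literals (as in the guide's examples), and port defaults are 389/636.
import ipaddress
from typing import Tuple

LDAP_PORT = 389    # default port for plain LDAP
LDAPS_PORT = 636   # default port for LDAP over SSL


def domain_to_dc(domain: str) -> str:
    """Turn 'mail1.company.com' into 'dc=mail1,dc=company,dc=com'.

    The same string is what the LDAP search suffix field expects.
    """
    labels = [part for part in domain.strip().lower().split(".") if part]
    if not labels:
        raise ValueError("domain name must not be empty")
    return ",".join(f"dc={label}" for label in labels)


def check_username(username: str) -> str:
    """Reject usernames that the guide warns may be unable to log in."""
    if not username:
        raise ValueError("username must not be empty")
    if not username.isascii():
        raise ValueError(f"username {username!r} contains non-ASCII characters")
    return username


def _escape_dn_value(value: str) -> str:
    """Escape characters that are special inside a DN attribute value (RFC 4514)."""
    escaped = value.replace("\\", "\\\\")
    for ch in ',+"<>;':
        escaped = escaped.replace(ch, "\\" + ch)
    if escaped.startswith(("#", " ")):
        escaped = "\\" + escaped
    if escaped.endswith(" "):          # all backslashes were doubled above,
        escaped = escaped[:-1] + "\\ "  # so a trailing space is never escaped yet
    return escaped


def bind_dn(username: str, domain: str, container: str = "users") -> str:
    """Build the Username field value in the form uid=xxx,cn=xxx,dc=xxx."""
    uid = _escape_dn_value(check_username(username))
    return f"uid={uid},cn={container},{domain_to_dc(domain)}"


def parse_hostname(value: str, secure: bool = False) -> Tuple[str, int]:
    """Split 'host[:port]' into (host, port), applying the LDAP/LDAPS default.

    For LDAPS the guide requires a DNS name so the certificate can be verified,
    so an IP literal is rejected in that mode.
    """
    value = value.strip()
    host, sep, port_text = value.rpartition(":")
    if not sep:
        host, port = value, (LDAPS_PORT if secure else LDAP_PORT)
    else:
        if not port_text.isdigit() or not 1 <= int(port_text) <= 65535:
            raise ValueError(f"invalid port in {value!r}")
        port = int(port_text)
    if not host:
        raise ValueError("hostname must not be empty")
    try:
        ipaddress.ip_address(host)
        is_ip_literal = True
    except ValueError:
        is_ip_literal = False
    if secure and is_ip_literal:
        raise ValueError("LDAPS needs a DNS name, not an IP address, for certificate verification")
    return host, port


if __name__ == "__main__":
    # constructed sample values
    print(bind_dn("diradmin", "mail1.company.com"))
    print(domain_to_dc("company.com"))             # search suffix
    print(parse_hostname("212.100.12.5:12345"))
    print(parse_hostname("mail1.company.com", secure=True))
```

The DN escaping matters even for administrator accounts: a comma or plus sign in the uid would otherwise be parsed as a new DN component and the bind would fail with a misleading "invalid credentials" style error rather than a syntax error.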

Note: The cooperation with the LDAP database described above is unrelated to the built-in LDAP server. The built-in LDAP server is used to access contact lists from mail clients (for details refer to chapter 21  LDAP server). However, if the MailServer is installed on an Apple Open Directory server, the LDAP listening port in the MailServer's Configuration → Services must be changed to an alternate port to avoid a port conflict.

10.2.2  Kerio Open Directory Extension

Kerio Open Directory Extension is an extension to the Apple Open Directory service that allows accounts to be mapped to Kerio MailServer (Kerio MailServer items are added to the LDAP database schema). When user accounts are created, edited or deleted in the Apple Open Directory database, the changes are also made in Kerio MailServer. In addition, Kerio MailServer users can access Apple Open Directory LDAP database contacts from their mailboxes (via the public Contacts folder).

Installation

The installation package with Kerio Open Directory Extension can be downloaded from product web pages of Kerio Technologies.

A standard wizard is used for installation of Kerio Open Directory Extension.

Warning

When Mac OS X servers are used in a Master/Replica configuration, Kerio Open Directory Extension must be installed on the master server as well as on all replica servers, otherwise account mapping will not work.

If the configuration is as follows:

  • you use Kerio Open Directory Extension 6.6 and higher,

  • servers run on OS X 10.5.3 and higher,

  • Replica servers were created after installation of Kerio Open Directory Extension on the Master server,

then Replica servers download the extension automatically from the Master server during the creation process.

If you install Kerio Open Directory Extension on Replica servers by hand, the configuration will not be affected.

System requirements

Kerio Open Directory Extension can be installed to Mac OS X 10.3 Tiger and later versions.

Apple Open Directory

Apple Open Directory is a directory service shipped with Mac OS X Server systems. It is the equivalent of Microsoft's Active Directory: like Active Directory, it stores information about network objects (users, groups, workstations, etc.), authenticates users, and so on.

Information about users and groups in Apple Open Directory is stored in an OpenLDAP database. When accounts are mapped to Kerio MailServer, all user accounts are stored in one place and it is not necessary to import and administer them in both Apple Open Directory and Kerio MailServer. Only mailbox-specific configuration has to be done in Kerio MailServer (see chapter 8  Users).

Warning

When creating a user account in Apple Open Directory, the username must be specified in ASCII. If the username includes special characters or symbols, the user may be unable to log in.

User accounts mapping in Kerio MailServer

In Mac OS X Server, usually no settings other than installing Kerio Open Directory Extension are necessary. Usernames must, however, be saved in ASCII: if a username includes special characters or symbols, the user may be unable to log in.

In Kerio MailServer the following settings must be specified:

  1. Mapping of user accounts from Apple Open Directory must be enabled and defined in domain settings.

  2. User authentication via Kerberos must be set in domain settings (for more information, see chapter 7.7  Authentication of domain users).

  3. User authentication via Kerberos must be set in user settings (for more information, see chapter 8.2  Creating a user account).

  4. If a contact is supposed not to be shown in the public Contacts folder, then go to the user settings in Kerio MailServer's section Domain Settings → Users and uncheck the Publish in Global Address List option.