Kerio MailServer can, apart from its internal user account database, also use accounts and groups stored in an LDAP database (Microsoft Active Directory). Using LDAP, user accounts can be managed from one location, which reduces the chance of errors and simplifies administration.
In practice, mapping accounts from Active Directory has the following implications:
All users of the domain, or of the entire Kerio MailServer (depending on the settings), can access the public Contacts folder, in which the contacts of all Active Directory users are available.
Note: If some users are not supposed to appear in the public Contacts folder, go to Domain Settings → Users in Kerio MailServer and uncheck the Publish in Global Address List option for them.
Additions, modifications and removals of user accounts and groups in the Active Directory database are applied in Kerio MailServer immediately.
Accounts created in Kerio Administration Console will be created only locally — such accounts will not be copied into the Active Directory database.
If the Active Directory server is unavailable, mapped users cannot be authenticated and therefore cannot access Kerio MailServer, including its administration. It is therefore recommended to keep at least one local account with read/write administration rights, so that the server can still be administered during a directory outage.
When creating a user account, use ASCII characters only in the username. If the username contains accented or other non-ASCII characters, the user may be unable to log in.
To make account mapping work, you need to enable mapping in the administration interface and install the Kerio Active Directory Extension module on the domain controller. Both steps are described in the following sections.
In the Kerio MailServer administration interface, go to Domains, select the corresponding domain and open its settings. Then go to the Directory Service tab:
Use this option to enable or disable mapping from the LDAP database (if the option is off, only local accounts can be created in the domain).
Type of the LDAP database used by this domain (Active Directory).
DNS name or IP address of the server where the LDAP database is running.
The LDAP service uses port 389 by default (port 636 by default for the SSL-secured version, LDAPS). If Kerio MailServer communicates with the LDAP database over a non-standard port, append the port to the DNS name or IP address of the server (e.g. mail1.company.com:12345 or 212.100.12.5:12345).
Note: If the secured version of the LDAP service is used, enter the DNS name of the server rather than its IP address, because the SSL certificate is verified against the server name.
Name of a user with read rights to the LDAP database, in the form xxxxx@company.com. Read rights are all that Kerio MailServer needs, so use a dedicated low-privilege account rather than an administrative one.
Password of the user with read rights to the LDAP database.
Sensitive data (such as user passwords) may be transmitted between the LDAP database and Kerio MailServer. For this reason, it is recommended to secure the traffic with SSL. To enable LDAPS in Active Directory, the domain controller needs a certificate issued by a certification authority that Kerio MailServer trusts.
SSL encryption costs connection time and processor capacity. Especially when many connections are established between the LDAP database and Kerio MailServer, or when the LDAP database contains a great number of users, the traffic may become slow. If SSL encryption overloads the server, the non-secured version of LDAP may be used instead; bear in mind that passwords then cross the network unencrypted, so restrict this to an isolated, trusted network segment.
DNS name or IP address of the backup server with the same LDAP database.
If the secured version of the LDAP service is used, enter the DNS name of the backup server as well, so that its SSL certificate can be verified.
If the Kerio MailServer domain name differs from the name defined in Active Directory, check this option and enter the Active Directory name in the Active Directory Domain Name field.
Click the Test connection button to check the defined parameters. The test verifies the server name and address (whether a connection can be established), the username and password (whether authentication succeeds), and whether the Kerio Active Directory Extension is installed on the Active Directory server (see chapter 10.1.2 Kerio Active Directory Extension).
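The Test connection button checks the values above against a live domain controller. As an added example (written for this page, not code from Kerio MailServer), the following Python script applies the same rules offline before the settings are entered: the default ports 389/636, the host:port suffix, the requirement for a DNS name when LDAPS is used so the certificate can be verified, the user@domain form of the bind user, and the ASCII-only username rule. The settings dictionary and its keys are assumptions made for the example, not Kerio's own field names; the `probe_ldaps` function needs network access to a real domain controller and is not exercised by the offline part.

```python
"""Offline checks for the Directory Service settings described above.

Added example for this page, not Kerio MailServer code. The settings
keys (map_directory, type, server, backup_server, use_ssl, username,
password) are assumptions made for the example.
"""
import ipaddress
import re
import socket
import ssl

LDAP_PORT = 389
LDAPS_PORT = 636

# user@domain form that the manual requires for the bind user.
_UPN_RE = re.compile(r"^[A-Za-z0-9._-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def parse_server(value, use_ssl):
    """Split 'host' or 'host:port' into (host, port, is_ip_address).

    Only the forms shown in the manual are handled (DNS name or IPv4
    address, optionally followed by ':port'); IPv6 literals are not.
    """
    value = value.strip()
    if not value:
        raise ValueError("server field is empty")
    host, sep, port_text = value.partition(":")
    if sep:
        if not port_text.isdigit() or not 1 <= int(port_text) <= 65535:
            raise ValueError(f"invalid port in {value!r}")
        port = int(port_text)
    else:
        port = LDAPS_PORT if use_ssl else LDAP_PORT
    try:
        ipaddress.ip_address(host)
        is_ip = True
    except ValueError:
        is_ip = False
    return host, port, is_ip


def validate_settings(settings):
    """Return a list of (field, problem) tuples; an empty list means the settings pass."""
    problems = []
    if not settings.get("map_directory", False):
        return problems  # mapping disabled: only local accounts, nothing to check
    if settings.get("type") != "Active Directory":
        problems.append(("type", "only Active Directory is covered here"))
    use_ssl = bool(settings.get("use_ssl", False))
    for field in ("server", "backup_server"):
        value = settings.get(field, "")
        if not value:
            if field == "server":
                problems.append((field, "primary server is required"))
            continue
        try:
            host, port, is_ip = parse_server(value, use_ssl)
        except ValueError as exc:
            problems.append((field, str(exc)))
            continue
        if use_ssl and is_ip:
            problems.append((field, "LDAPS needs a DNS name, not an IP address, for certificate verification"))
        if not use_ssl and port == LDAPS_PORT:
            problems.append((field, "port 636 given but SSL is not enabled"))
    user = settings.get("username", "")
    if not user.isascii():
        problems.append(("username", "username must be ASCII"))
    elif not _UPN_RE.match(user):
        problems.append(("username", "bind user must be in the form user@company.com"))
    if not settings.get("password"):
        problems.append(("password", "password of the read-only bind user is missing"))
    return problems


def ldaps_context(cafile=None):
    """TLS context that verifies the DC certificate against a trusted CA and the DNS name."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def probe_ldaps(host, port=LDAPS_PORT, cafile=None, timeout=5.0):
    """Open a TLS connection to the DC and return the certificate subject.

    Raises ssl.SSLCertVerificationError when the issuing CA is not trusted
    or the certificate does not match `host`, which is the failure the
    LDAPS note above warns about. Needs network access to a real DC.
    """
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ldaps_context(cafile).wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert().get("subject")


if __name__ == "__main__":
    # Constructed sample settings, mirroring the manual's examples.
    sample = {
        "map_directory": True,
        "type": "Active Directory",
        "server": "212.100.12.5:12345",   # IP address with LDAPS: flagged below
        "backup_server": "mail1.company.com",
        "use_ssl": True,
        "username": "ldapreader@company.com",
        "password": "secret",
    }
    for field, problem in validate_settings(sample):
        print(f"{field}: {problem}")
```

Run with a real domain controller name and the CA file that issued its certificate, `probe_ldaps("dc01.company.com", cafile="company-ca.pem")` either returns the certificate subject or raises a verification error, which tells you whether the "trusted by Kerio MailServer" condition above is met before you enable SSL in the interface.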
Note: Cooperation with the LDAP database that has been described above has nothing to do with the built-in LDAP server. The built-in LDAP server is used to access contact lists from mail clients (for details refer to the chapter 21 LDAP server). If Kerio MailServer is installed on the same computer as the Active Directory, it is necessary to avoid collisions by changing a port number for the LDAP service ( ).
Kerio Active Directory Extension extends the Active Directory service (Windows 2000 and later) with items that carry Kerio MailServer-specific information. Installing the extension integrates part of Kerio MailServer's user administration into Active Directory, which simplifies user management.
Use the wizard to install Kerio Active Directory Extension. After you confirm the licensing policy, select a destination directory. In the next step a window showing the installation process will be displayed. At the left bottom corner you will find buttons that can be used either to view the installation log (the View Log button) or to save the log to file (the Save Log to File button).
Note:
Depending on the version of Microsoft Internet Explorer installed, the Microsoft XML Parser component may need to be installed first. If it is required, install Microsoft XML Parser before the Kerio Active Directory Extension, otherwise the extension installation cannot be completed.
Only the English version of Kerio Active Directory Extension is available.
Kerio Active Directory Extension in Windows 2000 Server supports both Active Directory NT compatible and 2000 native types. In Windows 2003, Active Directory 2000 native and Active Directory 2003 are supported.
Active Directory is a service that stores information about objects (users, groups, hosts, etc.) in Microsoft Networks. Applications that support Active Directory use the service to learn about parameters and rights of the objects. Active Directory is based on a structured database.
Users and groups in the domain are mapped from the LDAP Active Directory database, so user accounts can be managed from one location, which reduces the chance of errors and simplifies administration. To add users and groups, use MMC (Microsoft Management Console). Users or groups added with Kerio Administration Console to a domain mapped from Active Directory are stored in Kerio MailServer's local database only.
Run MMC from the menu .
In Active Directory Users And Computers select the Users section. Choose the New → User option to run the wizard for creating a new account.
When creating a user account, use ASCII characters only in the username. If the username contains accented or other non-ASCII characters, the user may be unable to log in.
The standard wizard is extended with a folder used to create the corresponding account in Kerio MailServer.
Now, tick the Create a Kerio MailServer mailbox option to create in the database all items that Kerio MailServer will need to work with. Define the basic email address of a user with the Alias item (the user login name defined during the first step of the wizard will be used automatically).
Other account parameters may be defined in Properties. Click on the new user account with the right mouse button and select Properties in the context menu. Open the Kerio MailServer Account folder. This folder provides the following options:
Activating this option makes the email account available in Kerio MailServer. If the option is off, Kerio MailServer ignores the user account.
Definition of email addresses (aliases) for a particular user. Under the default settings, each user has an email address created from the username and the name of the domain where the account has been defined.
Here, forwarding of mail to the desired email address may be defined. The Forward to: option can be used to forward mail addressed to the user to all addresses defined in this entry.
The Deliver messages to both option can be used to forward the mail and to store it into the local mailbox (copies of the messages will be sent to defined addresses).
Mailbox limitations according to the Storage size and Number of messages may be defined. Each limit option may be switched off by the Do not limit... option, thus the limitation will be ignored within the mailbox.
Definition of Kerio MailServer administration rights. The menu provides the following options to select from:
No access to administration — no access to the administration. This is the default. We recommend creating a local account for Kerio MailServer administration (see chapter 8.2 Creating a user account): if the Active Directory server becomes inaccessible, administration of KMS remains possible through an account managed internally by KMS.
Read only access to administration — user is allowed to access the administration only to read it. User can connect to the server with Kerio Administration Console and view the settings, however, he/she is not allowed to edit the administration.
Read/write access to administration — full access to the administration. User is allowed to read and write in the administration. As few users as possible should be granted these rights for security reasons.
Within Kerio Active Directory Extension, group definition is almost identical to user account definition; however, the wizard for creating new groups is extended by one step. This step enables the administrator to define a primary email address that will be used by the group.
The Kerio MailServer Account bookmark allows the administrator to define email addresses of the group (the button) as well as access rights to Kerio MailServer administration (the button).