Mapping accounts from Apple Open Directory lets Kerio MailServer and Apple Open Directory work together: additions, modifications or removals of user accounts and groups in the Open Directory database are applied to Kerio MailServer immediately.
If an account is created in Kerio Administration Console, it is created only locally; it is not copied into the Open Directory database.
Warning: If the Open Directory server is unavailable, logging in to Kerio MailServer is impossible. It is therefore recommended to create at least one local account with read/write permissions.
When creating a user account in Apple Open Directory, specify the username in ASCII. If the username includes special characters or symbols, the user may be unable to log in.
To make account mapping work, enable mapping in the administration interface and install the special Kerio Open Directory Extension module on the domain server. Guidelines for these settings are provided in the following sections.
In the Kerio MailServer's administration interface, go to Domains, select a corresponding domain and open its settings. Now go to the Directory Service tab:
Use this option to enable or disable cooperation with the LDAP database (if it is disabled, only local accounts can be created in the domain).
Type of LDAP database used by this domain. Apple Open Directory accounts can be mapped in two ways, which differ in the authentication method. Apple Open Directory supports two authentication methods: authentication against the password server, and Kerberos authentication.
The first method (authentication against the password server) has one benefit: no special settings are required on the server where Kerio MailServer is installed. However, it also has disadvantages:
This authentication method is obsolete and less secure.
Users are not allowed to change their user passwords on their own (in the Kerio WebMail interface).
The Apple company has ended support for this authentication method.
This authentication method is enabled only if Kerio MailServer is installed on Mac OS X.
Authentication against the Kerberos server, by contrast, is more modern and secure. On the other hand, it requires additional settings on the server where Kerio MailServer is installed. For detailed information on these settings, see chapter 27 Kerberos Authentication.
Remember also that in the domain settings, on the Advanced tab of the Kerio MailServer's administration console, the name of the Kerberos realm against which the mailserver authenticates must be specified. The name must match the realm name specified in the /Library/Preferences/edu.mit.Kerberos file, otherwise the settings will not function properly. For a detailed description of authentication against the Kerberos server on Mac OS X operating systems, see chapter 27.3 Kerio MailServer on Mac OS X.
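The realm-name match described above is easy to get wrong silently (a different realm, or the same name in different letter case, since Kerberos realm names are case-sensitive). The following added example, which is not Kerio's code, reads a krb5.conf-style file such as /Library/Preferences/edu.mit.Kerberos and compares it with the realm name entered on the Advanced tab. The function names and the sample file content are constructed for the example.

```python
"""Check that the Kerberos realm configured for a Kerio MailServer domain
matches the realm in the Mac OS X Kerberos configuration file.

Added example, not Kerio's code. It assumes the file uses krb5.conf syntax
(as /Library/Preferences/edu.mit.Kerberos does); the sample below is constructed.
"""
import re

# Constructed sample standing in for /Library/Preferences/edu.mit.Kerberos.
SAMPLE_KERBEROS_FILE = """\
[libdefaults]
    default_realm = COMPANY.COM
    dns_fallback = no

[realms]
    COMPANY.COM = {
        kdc = od.company.com:88
        admin_server = od.company.com
    }

[domain_realm]
    .company.com = COMPANY.COM
    company.com = COMPANY.COM
"""


def parse_krb5(text):
    """Return (default_realm, {realm: [kdc, ...]}) from krb5.conf-style text."""
    section = None
    default_realm = None
    realms = {}
    current_realm = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        header = re.match(r"\[(\w+)\]$", line)
        if header:
            section = header.group(1)
            current_realm = None
            continue
        if section == "libdefaults":
            key, _, value = line.partition("=")
            if key.strip() == "default_realm":
                default_realm = value.strip()
        elif section == "realms":
            start = re.match(r"(\S+)\s*=\s*\{$", line)
            if start:
                current_realm = start.group(1)
                realms[current_realm] = []
            elif line == "}":
                current_realm = None
            elif current_realm is not None:
                key, _, value = line.partition("=")
                if key.strip() == "kdc":
                    realms[current_realm].append(value.strip())
    return default_realm, realms


def check_realm(configured_realm, krb5_text):
    """Return a list of problems; an empty list means the realm entered in
    Kerio MailServer is consistent with the Kerberos file.

    Realm names are case-sensitive: 'company.com' does not match 'COMPANY.COM'.
    """
    default_realm, realms = parse_krb5(krb5_text)
    problems = []
    if configured_realm != default_realm:
        if default_realm and configured_realm.upper() == default_realm.upper():
            problems.append(f"realm case mismatch: Kerio has {configured_realm!r}, "
                            f"file has {default_realm!r}")
        else:
            problems.append(f"Kerio realm {configured_realm!r} differs from "
                            f"default_realm {default_realm!r}")
    if configured_realm not in realms:
        problems.append(f"realm {configured_realm!r} has no [realms] entry, "
                        f"so no KDC is known for it")
    return problems


if __name__ == "__main__":
    for candidate in ("COMPANY.COM", "company.com", "OTHER.COM"):
        print(candidate, "->", check_realm(candidate, SAMPLE_KERBEROS_FILE) or "OK")
```

Run it against the real file by reading it into `check_realm` instead of the constructed sample; an empty result means the Advanced-tab value and the file agree.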
DNS name or IP address of the server where the LDAP database is running.
By default, the LDAP service uses port 389 (port 636 for the secured version). If a non-standard port is used for communication between Kerio MailServer and the LDAP database, append it to the DNS name or IP address of the server (e.g. mail1.company.com:12345 or 212.100.12.5:12345).
Note: If the secured version of the LDAP service is used for the connection, the DNS name must be entered so that the SSL certificate can be verified.
Name of a user with read rights for the LDAP database: either the root user or the Open Directory administrator (admin for Mac OS X 10.3, or diradmin for Mac OS X 10.4 and higher). If the administrator's username is used, make sure the user is an Open Directory administrator, not just a local administrator on the Open Directory computer.
To connect to the Apple Open Directory database, enter the username in the following form:
uid=xxx,cn=xxx,dc=xxx
where
uid — the username used to connect to the system;
cn — the name of the users container (typically users);
dc — the components of the domain and all its subdomains (e.g. mail.company.com → dc=mail,dc=company,dc=com).
Password of the user with read rights for the LDAP database.
Within the communication of the LDAP database with Kerio MailServer, sensitive data may be transmitted (such as user passwords). It is possible to secure the communication by using an SSL tunnel.
SSL encryption is demanding in terms of connection speed and processor load. Especially when many connections are established between the LDAP database and Kerio MailServer, or when the LDAP database contains many users, communication may become slow. If SSL encryption overloads the server, it is recommended to use the non-secured version of LDAP.
DNS name or IP address of the backup server with the same LDAP database.
If the secured version of the LDAP service is used for the connection, the DNS name must be entered so that the SSL certificate can be verified.
If the Apple OpenDirectory option is selected in the Directory service type entry, enter a suffix in the following form: dc=subdomain,dc=domain.
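The server address, bind DN and search suffix above follow fixed rules (default ports 389/636, a DNS name rather than an IP address when SSL is on, ASCII usernames, dc components derived from the domain). The following added example, which is not Kerio's code, assembles and checks those values before they are typed into the Directory Service tab; the function names and sample values are constructed, and only IPv4 addresses and host names are handled.

```python
"""Build and sanity-check LDAP directory-service parameters:
server address with optional port, bind DN, search suffix, SSL requirement.

Added example, not Kerio's code. Function names and sample values are constructed;
only IPv4 addresses and DNS names are handled (no bracketed IPv6 literals).
"""
import ipaddress

LDAP_PORT = 389    # default for plain LDAP
LDAPS_PORT = 636   # default for LDAP over SSL


def is_ip(host):
    """True if host is an IP address literal rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def parse_server(address, use_ssl):
    """Split 'host[:port]' into (host, port), applying the default port for the mode.

    With SSL, the host must be a DNS name: the server certificate is verified
    against it, and an IP address leaves nothing to verify.
    """
    host, sep, port = address.rpartition(":")
    if not sep:                     # no ':' at all, so no port was given
        host, port = address, ""
    elif not port.isdigit():
        raise ValueError(f"invalid port in {address!r}")
    port = int(port) if port else (LDAPS_PORT if use_ssl else LDAP_PORT)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range in {address!r}")
    if not host:
        raise ValueError(f"missing host in {address!r}")
    if use_ssl and is_ip(host):
        raise ValueError(f"SSL needs a DNS name for certificate verification, got {host!r}")
    return host, port


def check_server(address, use_ssl):
    """Return an error message for a bad address, or None if it is acceptable."""
    try:
        parse_server(address, use_ssl)
        return None
    except ValueError as exc:
        return str(exc)


def dc_suffix(domain):
    """mail.company.com -> dc=mail,dc=company,dc=com (also the search suffix)."""
    labels = [label for label in domain.strip(".").lower().split(".") if label]
    if not labels:
        raise ValueError(f"empty domain {domain!r}")
    return ",".join(f"dc={label}" for label in labels)


def bind_dn(username, domain, container="users"):
    """Build the bind DN in the form uid=xxx,cn=xxx,dc=xxx."""
    if not username.isascii():
        raise ValueError("username must be ASCII; non-ASCII names may fail to log in")
    return f"uid={username},cn={container},{dc_suffix(domain)}"


def build_config(server, use_ssl, username, password, domain, backup=None):
    """Assemble the Directory Service tab values into one dictionary."""
    host, port = parse_server(server, use_ssl)
    cfg = {
        "host": host, "port": port, "ssl": use_ssl,
        "bind_dn": bind_dn(username, domain), "password": password,
        "suffix": dc_suffix(domain),
    }
    if backup:
        cfg["backup_host"], cfg["backup_port"] = parse_server(backup, use_ssl)
    return cfg


if __name__ == "__main__":
    # Constructed sample values.
    print(build_config("mail1.company.com:12345", True, "diradmin",
                       "<password>", "mail.company.com", backup="od2.company.com"))
    print(check_server("212.100.12.5:636", True))
```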
Click the Test connection button to check the defined parameters. The test covers the server name and address (whether a connection to the server can be established) as well as the username and password (whether authentication succeeds).
Note: The cooperation with the LDAP database described above has nothing to do with the built-in LDAP server. The built-in LDAP server is used to access contact lists from mail clients (for details, see chapter 21 LDAP server). However, if the MailServer is installed on an Apple Open Directory server, the LDAP listening port in the MailServer's Configuration → Services must be changed to an alternate port to avoid a port conflict.
Kerio Open Directory Extension is an extension to Apple Open Directory service that allows mapping of the accounts to Kerio MailServer (Kerio MailServer items are added to the LDAP database scheme). When user accounts are created, edited or deleted in Apple Open Directory database, the changes are also made in Kerio MailServer. In addition to that, Kerio MailServer users can access Apple Open Directory LDAP database contacts from their mailboxes (via the public Contacts folder).
The installation package with Kerio Open Directory Extension can be downloaded from product web pages of Kerio Technologies.
A standard wizard is used for installation of Kerio Open Directory Extension.
When Mac OS X servers are configured in a Master/Replica setup, Kerio Open Directory Extension must be installed on the master server as well as on all replica servers, otherwise account mapping will not work.
If all of the following hold:
you use Kerio Open Directory Extension 6.6 and higher,
servers run on OS X 10.5.3 and higher,
Replica servers were created after installation of Kerio Open Directory Extension on the Master server,
then Replica servers download the extension automatically from the Master server during the creation process.
If you install Kerio Open Directory Extension on Replica servers by hand, the configuration is not affected.
Kerio Open Directory Extension can be installed to Mac OS X 10.3 Tiger and later versions.
Apple Open Directory is a directory service shipped with Mac OS X Server systems. It is the equivalent of Microsoft's Active Directory. As in Active Directory, it allows storing object information in a network (about users, groups, workstations, etc.), authenticating users, and so on.
Information about users and groups in Apple Open Directory is stored in an OpenLDAP database. When accounts are mapped to Kerio MailServer, all user accounts are stored in one place and it is not necessary to import and administer them in both Apple Open Directory and Kerio MailServer. Only mailbox-specific configuration has to be done in Kerio MailServer (see chapter 8 Users).
In Mac OS X Server, no settings other than installing Kerio Open Directory Extension are usually necessary. Usernames must be stored in ASCII; if a username includes special characters or symbols, the user may be unable to log in.
In Kerio MailServer the following settings must be specified:
Mapping of user accounts from Apple Open Directory must be enabled and defined in domain settings.
User authentication via Kerberos must be set in domain settings (for more information, see chapter 7.7 Authentication of domain users).
User authentication via Kerberos must be set in user settings (for more information, see chapter 8.2 Creating a user account).
If a contact is not supposed to be shown in the public Contacts folder, go to the user's settings in Kerio MailServer and uncheck the Publish in Global Address List option.