Mapping users from directory services
10.1 Active Directory
Practically, mapping accounts from Active Directory provides the following benefits:
Easy account administration
Kerio Connect can, apart from its internal user account database, also use accounts and groups stored in an LDAP database (Microsoft Active Directory). Using LDAP, user accounts can be managed from one location. This reduces possible errors and simplifies administration.
Central contact management
All users of the domain, or all Kerio Connect users (depending on settings), will be allowed to access the public Contacts folder where all Active Directory user contacts can be found.
Note: If there are users not supposed to be shown in the public contact folder, then go to the Kerio Connect’s section Accounts → Users and uncheck the Publish in Global Address List option.
Online cooperation of Kerio Connect with Microsoft Active Directory
Additions, modifications or removals of user accounts/groups in the Microsoft Active Directory database are applied to Kerio Connect immediately.
Warning:
• Accounts created in Kerio Connect Administration will be created only locally — such accounts will not be copied into the Active Directory database.
• If the Active Directory server is not available it will not be possible to access Kerio Connect. It is therefore recommended to create at least one local account with read/write permissions.
• When creating a user account, ASCII must be used to specify username. If the username includes special characters or symbols, it might happen that the user cannot log in.
To make account mapping work, you will need to enable mapping in the administration interface and to install the special module Kerio Active Directory Extension on the domain server. Guidelines for these settings are provided in the following sections.
10.1.1 Setting mapping in the administration interface
In the Kerio Connect’s administration interface, go to Domains, select a corresponding domain and open its settings. Now go to the Directory Service tab:
Map user accounts and groups...
Use this option to enable/disable cooperation with the LDAP database (if this option is inactive, only local accounts can be created in the domain).
Type
Type of LDAP database that will be used by this domain (Active Directory).
Hostname
DNS name or IP address of the server where the LDAP database is running.
For communication, the LDAP service uses port 389 as default (port 636 is used as default
Figure 10.1 Domain settings — Active Directory
Note: If the secured version of LDAP service is used for connection, it is necessary to enter also the DNS name to enable the SSL certificate’s verification.
Username
Name of the user that has read rights for the LDAP database in the following form:
Password
Password of the user that has read rights for the LDAP database.
Secured connection (LDAPS)
Within the communication of the LDAP database with Kerio Connect, sensitive data may be transmitted (such as user passwords). For this reason, it is recommended to secure such traffic by using SSL. To enable LDAPS in Active Directory, it is necessary to run a certification authority on the domain controller that is considered as trustworthy by Kerio Connect.
Warning:
SSL encryption is demanding in respect of connection speed and processor operation. Especially when too many connections are established between the LDAP database and Kerio Connect or a great amount of users are included in the LDAP database, the traffic might be slow. If the SSL encryption overloads the server, it is recommended to use the non-secured version of LDAP.
Backup directory server
DNS name or IP address of the backup server with the same LDAP database.
If the secured version of LDAP service is used for connection, it is necessary to enter also the DNS name to enable the SSL certificate’s verification.
Warning:
If the domain also has an alternate directory server, it is necessary to open the Kerberos configuration file (krb5.conf or edu.mit.Kerberos) and define another KDC record.
Active Directory domain name
If the domain name differs from the name defined in Active Directory, check this option and insert the corresponding name into the Different from this mail domain name text field.
Click the Test connection button to check the defined parameters. The test covers the server name and address (whether a connection with the server can be established), the username and password (whether authentication can be performed) and whether Kerio Active Directory Extension is installed on the Active Directory server (see chapter 10.1.2).
Note: The cooperation with the LDAP database described above has nothing to do with the built-in LDAP server. The built-in LDAP server is used to access contact lists from mail clients (for details refer to chapter 20). If Kerio Connect is installed on the same computer as the Active Directory, it is necessary to avoid collisions by changing the port number for the LDAP service (Configuration → Services).
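As an added example (not Kerio's own code), the following Python checker applies the rules of this section to a domain's Directory Service settings: it derives the default port, flags an unencrypted connection, flags an IP literal where the SSL certificate could not be verified, and renders the extra KDC record that the backup-server warning requires in the standard MIT krb5.conf layout. The field names, the DirectoryConfig class and the host names used below are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class DirectoryConfig:
    """Assumed representation of the Directory Service tab fields."""
    hostname: str                        # Hostname (DNS name or IP address)
    ldaps: bool = False                  # Secured connection (LDAPS)
    backup_hostname: Optional[str] = None  # Backup directory server
    ad_domain: Optional[str] = None      # Different from this mail domain name
    port: Optional[int] = None           # explicit port, if the default is not used


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def effective_port(cfg: DirectoryConfig) -> int:
    """Default LDAP port is 389; 636 when the secured connection is enabled."""
    if cfg.port is not None:
        return cfg.port
    return 636 if cfg.ldaps else 389


def check_directory_config(cfg: DirectoryConfig) -> List[str]:
    """Return findings a practitioner would want before saving the domain settings."""
    findings = []
    if not cfg.ldaps:
        findings.append("LDAP traffic is not secured: user passwords may cross the network in clear text")
    for label, host in (("Hostname", cfg.hostname), ("Backup directory server", cfg.backup_hostname)):
        # With LDAPS the certificate is verified against a name, so an IP literal cannot be checked.
        if cfg.ldaps and host and _is_ip_literal(host):
            findings.append(f"{label} is an IP address; enter the DNS name so the SSL certificate can be verified")
    if cfg.backup_hostname:
        findings.append("Backup directory server is set: define another KDC record in krb5.conf")
    return findings


def krb5_realm_block(cfg: DirectoryConfig, mail_domain: str) -> str:
    """Render a [realms] block with one 'kdc =' line per directory server (MIT krb5.conf syntax)."""
    realm = (cfg.ad_domain or mail_domain).upper()
    kdcs = [cfg.hostname] + ([cfg.backup_hostname] if cfg.backup_hostname else [])
    lines = ["[realms]", f"  {realm} = {{"] + [f"    kdc = {h}" for h in kdcs] + ["  }"]
    return "\n".join(lines)
```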
10.1.2 Kerio Active Directory Extension
Kerio Active Directory Extension is an extension to the Microsoft Active Directory service (Active Directory from now on) with items that include specific information for Kerio Connect. By installation of the extension you can integrate part of Kerio Connect into Active Directory.
This will simplify actions related to user administration.
Installation
Use the wizard to install Kerio Active Directory Extension. After you confirm the licensing policy, select a destination directory. In the next step a window showing the installation process will be displayed. At the left bottom corner you will find buttons that can be used either to view the installation log (the View Log button) or to save the log to file (the Save Log to File button).
Figure 10.2 Installation process
Note:
1. Depending on the version of Microsoft Internet Explorer that you use, installation of the Microsoft XML Parser component may be required. If so, you must install Microsoft XML Parser first, otherwise the Kerio Active Directory Extension installation cannot be finished.
2. Only the English version of Kerio Active Directory Extension is available.
System requirements
Kerio Active Directory Extension in Windows 2000 Server supports both Active Directory NT compatible and 2000 native types. In Windows 2003, Active Directory 2000 native and Active Directory 2003 are supported.
Active Directory
Active Directory is a service that stores information about objects (users, groups, hosts, etc.) in Microsoft Networks. Applications that support Active Directory use the service to learn about parameters and rights of the objects. Active Directory is based on a structured database.
Users and groups in the domain are connected to the LDAP Active Directory database. Using LDAP, user accounts can be managed from one location. This reduces possible errors and simplifies administration. To add users and groups, use MMC (Microsoft Management Console).
New users or groups added to the domain connected to Active Directory with Kerio Connect Administration will be stored into the local database of Kerio Connect only.
Run MMC from the menu Start → Settings → Control Panel → Administrative tools → Active Directory Users And Computers.
User Account Definition
In Active Directory Users And Computers select the Users section. Choose the New → User option to run the wizard for creating a new account.
Warning:
When creating a user account, ASCII must be used to specify username. If the username includes special characters or symbols, it might happen that the user cannot log in.
The standard version of the wizard is extended with a folder that will be used to create a new account within Kerio Connect.
Figure 10.3 Kerio Connect account configuration
Now, check the Create a Kerio Connect mailbox option to create in the database all items that Kerio Connect will need to work with. Define the basic email address of a user with the Alias item (the user login name defined during the first step of the wizard will be used automatically).
Other account parameters may be defined in Properties. Click on the new user account with the right mouse button and select Properties in the context menu. Open the Kerio Connect Account folder. This folder provides the following options:
Mail Account Enabled
Figure 10.4 Kerio Connect Account tab
E-mail Addresses
Definition of email addresses (aliases) for a particular user. Under the default settings, each user has an email address created from the username and the name of the domain where the account has been defined.
Forwarding
Here, forwarding of mail to the desired email address may be defined. The Forward to: option can be used to forward mail addressed to the user to all addresses defined in this entry.
The Deliver messages to both option can be used to forward the mail and to store it into the local mailbox (copies of the messages will be sent to defined addresses).
Mailbox Limits
Mailbox limitations according to the Storage size and Number of messages may be defined.
Each limit option may be switched off by the Do not limit... option, thus the limitation will be ignored within the mailbox.