Mapping users from directory services
Group Definition
Within Kerio Active Directory Extension, group definition is almost identical to user account definition; however, the wizard for creating new groups is extended by one step. This step enables the administrator to define a primary email address that will be used by the group.
The Kerio MailServer Account bookmark allows the administrator to define email addresses of the group (the E-Mail Addresses button) as well as access rights to Kerio MailServer administration (the Administration Rights button).
10.2 Apple Open Directory
Mapping accounts from Apple Open Directory links Kerio MailServer with Apple Open Directory: additions, modifications or removals of user accounts and groups in the Open Directory database are applied to Kerio MailServer immediately.
Warning
• If an account is created in the Kerio Administration Console, it is created only locally; it is not copied into the Open Directory database.
• If the Open Directory server is unavailable, logging in to Kerio MailServer is impossible. It is therefore recommended to create at least one local account with read/write permissions.
• When creating a user account in Apple Open Directory, the username must be specified in ASCII. If the username includes special characters or symbols, the user might not be able to log in.
To make account mapping work, you will need to enable mapping in the administration interface and to install the special module Kerio Open Directory Extension on the domain server.
Guidelines for these settings are provided in the following sections.
10.2.1 Setting mapping in the administration interface
In the Kerio MailServer’s administration interface, go to Domains, select the corresponding domain and open its settings. Now go to the Directory Service tab:
Map user accounts and groups...
Use this option to enable/disable cooperation with the LDAP database (if this option is inactive, only local accounts can be created in the domain).
Type
Type of LDAP database used by this domain. There are two alternatives for mapping Apple Open Directory accounts, and they differ in the authentication method. Two authentication methods can be used with Apple Open Directory: authentication against the password server and Kerberos authentication.
Figure 10.6 Domain settings — Apple Open Directory
The first method (authentication against the password server) has one benefit: no special settings are required at the server where Kerio MailServer is installed. However, it also has certain disadvantages:
• This authentication method is obsolete and less secure.
• Users are not allowed to change their user passwords on their own (in the Kerio WebMail interface).
• The Apple company has ended support for this authentication method.
• This authentication method is enabled only if Kerio MailServer is installed on Mac OS X.
Authentication against the Kerberos server is more modern and secure. On the other hand, it requires additional settings at the server where Kerio MailServer is installed. For detailed information on these settings, see chapter 27.
It should also be remembered that in the domain settings on the Advanced tab under Configuration → Domains in the Kerio MailServer’s administration console, the name of the Kerberos realm against which the mailserver will be authenticated must be specified. The name must match the name of the Kerberos realm specified in the /Library/Preferences/edu.mit.Kerberos file, otherwise the settings will not function properly. For a detailed description of authentication against the Kerberos server on Mac OS X operating systems, see chapter 27.3.
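The realm-name requirement above is easy to get wrong, and a mismatch only shows up as failed logins. The following script is an added example (not part of the Kerio documentation or product) that checks the realm configured for the mail domain against the default realm in the Kerberos configuration file. It assumes that /Library/Preferences/edu.mit.Kerberos uses the krb5.conf layout with a default_realm key in the [libdefaults] section; the sample file content is constructed for the test, and the realm names in it are placeholders.

```python
"""Check a configured Kerberos realm against the Mac OS X Kerberos config file.

Added example, not Kerio code. Assumption: the edu.mit.Kerberos file follows the
krb5.conf layout, i.e. "[libdefaults]" containing "default_realm = REALM".
"""
import os
import sys
from typing import Optional, Tuple

KERBEROS_CONFIG_PATH = "/Library/Preferences/edu.mit.Kerberos"

# Constructed sample content standing in for the real file (placeholder realm).
SAMPLE_KERBEROS_CONFIG = """\
[libdefaults]
    default_realm = COMPANY.COM
    ticket_lifetime = 600

[realms]
    COMPANY.COM = {
        kdc = od.company.com
        admin_server = od.company.com
    }
"""


def default_realm_from_text(text: str) -> Optional[str]:
    """Return the default_realm from [libdefaults], or None if it is absent.

    Brace depth is tracked so that keys inside nested blocks (e.g. the realm
    definitions under [realms]) are never mistaken for top-level keys.
    """
    section = None
    depth = 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if depth == 0 and line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        depth += line.count("{") - line.count("}")
        if section == "libdefaults" and depth == 0 and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key.lower() == "default_realm":
                return value
    return None


def check_realm(configured_realm: str, kerberos_config_text: str) -> Tuple[bool, str]:
    """Compare the realm entered in Kerio MailServer with the file's default realm.

    Kerberos realm names are case-sensitive, so a case-only difference is
    reported separately: it is the most common way this check fails.
    """
    expected = default_realm_from_text(kerberos_config_text)
    if expected is None:
        return False, "no default_realm found in [libdefaults]"
    if configured_realm == expected:
        return True, "realm %s matches the Kerberos configuration" % configured_realm
    if configured_realm.upper() == expected.upper():
        return False, "realm differs only in case (%r vs %r); realms are case-sensitive" % (
            configured_realm, expected)
    return False, "configured realm %r does not match %r" % (configured_realm, expected)


if __name__ == "__main__":
    # Usage: python check_realm.py REALM  (reads the real file when it exists,
    # otherwise falls back to the constructed sample so the script runs anywhere)
    realm = sys.argv[1] if len(sys.argv) > 1 else "COMPANY.COM"
    if os.path.exists(KERBEROS_CONFIG_PATH):
        with open(KERBEROS_CONFIG_PATH, encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_KERBEROS_CONFIG
    ok, message = check_realm(realm, text)
    print(("OK: " if ok else "MISMATCH: ") + message)
```

Run it on the server where Kerio MailServer is installed with the realm name from the Advanced tab as the argument; a case-only mismatch is reported on its own line because it is the failure that is hardest to spot by eye.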
Hostname
DNS name or IP address of the server where the LDAP database is running.
For communication, the LDAP service uses port 389 by default (port 636 is the default for the secured version). If a non-standard port is used for communication between Kerio MailServer and the LDAP database, it must be appended to the DNS name or the IP address of the server (e.g. mail1.company.com:12345 or 212.100.12.5:12345).
Note: If the secured version of the LDAP service is used for the connection, the DNS name must be entered so that the SSL certificate can be verified.
Username
Name of a user that has read rights for the LDAP database, either the root user or the Open Directory administrator (admin for Mac OS X 10.3 or diradmin for Mac OS X 10.4 and higher). If the administrator’s username is used, make sure the user is an Open Directory Administrator, not just a local administrator on the Open Directory computer.
To connect to the Apple Open Directory database, insert the username in the following form:
uid=xxx,cn=xxx,dc=xxx
• uid — username that you use to connect to the system.
• cn — name of the users container (typically users).
• dc — domain components: the domain name and all its subdomains (i.e. mail.company.com → dc=mail1,dc=company,dc=com)
Password
Password of the user that has read rights for the LDAP database.
Secured connection (LDAPS)
Sensitive data (such as user passwords) may be transmitted in the communication between the LDAP database and Kerio MailServer. The communication can be secured with an SSL tunnel.
Warning
SSL encryption is demanding in terms of connection speed and processor load. Especially when many connections are established between the LDAP database and Kerio MailServer, or when the LDAP database contains many users, the communication might get slow. If SSL encryption overloads the server, it is recommended to use the non-secured version of LDAP.
Domain controller failover
DNS name or IP address of a backup server with the same LDAP database.
If the secured version of the LDAP service is used for the connection, the DNS name must be entered so that the SSL certificate can be verified.
LDAP search suffix
If the Apple OpenDirectory option is selected in the Directory service type entry, insert a suffix in the following form: dc=subdomain,dc=domain.
Click the Test connection button to check the defined parameters. The test checks the server name and address (whether a connection with the server can be established) as well as the username and password (whether authentication can be performed).
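The Hostname, Username, Secured connection and LDAP search suffix entries above follow simple rules (default ports 389/636, an optional :port suffix, a DNS name rather than an IP address when LDAPS is used, the uid=…,cn=…,dc=… bind DN, and ASCII usernames). The following script is an added example, not Kerio code, that applies those rules to the values before they are typed into the dialog and performs the reachability half of the Test connection check. The function names, the placeholder server names and the sample values are assumptions; the authentication half (an actual LDAP bind) is left to an LDAP client library and is not included.

```python
"""Validate Kerio MailServer Directory Service tab values for Apple Open Directory.

Added example, not part of the Kerio product. Assumptions: default LDAP/LDAPS
ports 389/636 as stated in the manual; the uid=...,cn=...,dc=... bind DN form;
host names and values below are constructed placeholders.
"""
import ipaddress
import socket
import ssl
from typing import Tuple

LDAP_PORT = 389    # default for plain LDAP
LDAPS_PORT = 636   # default for LDAP over SSL

# Characters that RFC 4514 requires to be escaped in a DN attribute value.
# Rather than escaping, this example rejects them so a bad value is caught early.
DN_SPECIAL = set(',=+"\\<>;#')


def split_host_port(hostname: str, ldaps: bool) -> Tuple[str, int]:
    """'mail1.company.com:12345' -> ('mail1.company.com', 12345).

    A bare name or address gets the default port for the chosen protocol.
    Only the host:port form from the manual is handled (no bracketed IPv6).
    """
    host, sep, port = hostname.strip().rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return hostname.strip(), (LDAPS_PORT if ldaps else LDAP_PORT)


def is_ip_address(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def validate_server(hostname: str, ldaps: bool) -> Tuple[str, int]:
    """Apply the manual's rule: with LDAPS the entry must be a DNS name, because
    certificate verification compares the name against the server certificate."""
    host, port = split_host_port(hostname, ldaps)
    if not host:
        raise ValueError("empty hostname")
    if ldaps and is_ip_address(host):
        raise ValueError("LDAPS requires a DNS name so the SSL certificate can be verified")
    return host, port


def is_ascii_username(username: str) -> bool:
    """Usernames must be ASCII; otherwise the user might not be able to log in."""
    return bool(username) and all(ord(ch) < 128 for ch in username)


def build_search_suffix(domain: str) -> str:
    """'company.com' -> 'dc=company,dc=com' (the LDAP search suffix entry)."""
    labels = [label for label in domain.strip().split(".") if label]
    if not labels or any(DN_SPECIAL & set(label) for label in labels):
        raise ValueError("domain labels must be non-empty and free of DN special characters")
    return ",".join("dc=%s" % label for label in labels)


def build_bind_dn(uid: str, container: str, domain: str) -> str:
    """Compose the Username entry: uid=<user>,cn=<container>,dc=...,dc=..."""
    for value in (uid, container):
        if not value or DN_SPECIAL & set(value):
            raise ValueError("uid and container must be non-empty and free of DN special characters")
    if not is_ascii_username(uid):
        raise ValueError("username must be ASCII")
    return "uid=%s,cn=%s,%s" % (uid, container, build_search_suffix(domain))


def check_reachable(hostname: str, ldaps: bool, timeout: float = 5.0) -> bool:
    """TCP (and, for LDAPS, TLS handshake with hostname verification) check.

    This mirrors only the "can a connection be established" part of the Test
    connection button; the bind/authentication part is not performed here.
    """
    host, port = validate_server(hostname, ldaps)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        if ldaps:
            context = ssl.create_default_context()
            with context.wrap_socket(sock, server_hostname=host):
                return True
        return True


if __name__ == "__main__":
    # Constructed sample values for a server named od.company.com (placeholder).
    print(validate_server("od.company.com", ldaps=True))
    print(build_bind_dn("diradmin", "users", "mail1.company.com"))
    print(build_search_suffix("company.com"))
```

The script is deliberately strict: an IP address with LDAPS is rejected up front rather than silently producing a connection whose certificate cannot be verified, and DN components containing RFC 4514 special characters are refused instead of being escaped, since the dialog expects a plain DN.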
Note: The cooperation with the LDAP database described above has nothing to do with the built-in LDAP server. The built-in LDAP server is used to access contact lists from mail clients (for details refer to chapter 21). However, if the MailServer is installed on an Apple Open Directory server, the LDAP listening port in the MailServer’s Configuration → Services must be changed to an alternate port to avoid a port conflict.
10.2.2 Kerio Open Directory Extension
Kerio Open Directory Extension is an extension to the Apple Open Directory service that allows mapping of the accounts to Kerio MailServer (Kerio MailServer items are added to the LDAP database schema). When user accounts are created, edited or deleted in the Apple Open Directory database, the changes are also made in Kerio MailServer. In addition, Kerio MailServer users can access Apple Open Directory LDAP database contacts from their mailboxes (via the public Contacts folder).
Installation
The installation package with Kerio Open Directory Extension can be downloaded from product web pages of Kerio Technologies.
A standard wizard is used for installation of Kerio Open Directory Extension.
Warning
When Mac OS X servers are configured as Master/Replica, Kerio Open Directory Extension must be installed on the master server as well as on all replica servers, otherwise account mapping will not work.
If the configuration is as follows:
• you use Kerio Open Directory Extension 6.6 and higher,
• servers run on OS X 10.5.3 and higher,
• Replica servers were created after installation of Kerio Open Directory Extension on the Master server,
then Replica servers download the extension automatically from the Master server during the creation process.
If you install Kerio Open Directory Extension on Replica servers by hand, the configuration will not be affected.
System requirements
Kerio Open Directory Extension can be installed to Mac OS X 10.3 Tiger and later versions.
Apple Open Directory
Apple Open Directory is a directory service shipped with Mac OS X Server systems. This directory service is an equivalent of Active Directory created by Microsoft. As in Active Directory, it allows storing object information in a network (about users, groups, workstations, etc.), authenticating users, etc.
The information about users and groups in Apple Open Directory is stored in an OpenLDAP database. When accounts are mapped to Kerio MailServer, all user accounts are stored in one place and it is not necessary to import and administer them in both Apple Open Directory and Kerio MailServer. Only mailbox-specific configurations have to be defined in Kerio MailServer (see chapter 8).
Warning
When creating a user account in Apple Open Directory, the username must be specified in ASCII. If the username includes special characters or symbols, the user might not be able to log in.
User accounts mapping in Kerio MailServer
In Mac OS X Server, no settings other than the Kerio Open Directory Extension installation are usually necessary. It is only necessary to save usernames in ASCII. If the username includes special characters or symbols, the user might not be able to log in.
In Kerio MailServer the following settings must be specified:
1. Mapping of user accounts from Apple Open Directory must be enabled and defined in domain settings.
2. User authentication via Kerberos must be set in domain settings (for more information, see chapter 7.7).
3. User authentication via Kerberos must be set in user settings (for more information, see chapter 8.2).
4. If a contact is supposed not to be shown in the public Contacts folder, then go to the user settings in Kerio MailServer’s section Domain Settings → Users and uncheck the Publish in Global Address List option.