Kerio MailServer can also work with accounts or groups that are managed through an LDAP database (currently, Microsoft Active Directory and Apple OpenDirectory database — a database for Apple Mac OS X — are supported). Using LDAP, user accounts can be managed from one location. This reduces possible errors and simplifies administration.
Example: A company uses a Windows 2000 domain with Active Directory as well as Kerio MailServer. A new employee joins the company. Without directory integration, two steps are needed:
1. A new account is created in Active Directory.
2. The user is imported into Kerio MailServer (or an account with the same name is created in Kerio MailServer and the user is authenticated against that name by Kerberos).
If the LDAP database is used, only step 1 is needed.
Note: Kerio MailServer also allows internally managed user accounts (stored in its own user database rather than in the LDAP database) to be added to the same email domain as Active Directory users. This is useful for an administrator account that remains available even when the directory server cannot be reached.
In the Directory service tab, LDAP parameters can be defined.
To enable Kerio MailServer to cooperate fully with Active Directory (i.e. to enable the database to store all data about user accounts — see chapter 13.2 Creating a user account), install Kerio Active Directory Extensions on the Active Directory server. For details see the chapter 29 Kerio Active Directory Extensions.
Use this option to enable/disable cooperation with the LDAP database (if this option is inactive, only local accounts can be created in the domain).
Type of LDAP database that will be used by this domain (Active Directory).
DNS name or IP address of the server where the LDAP database is running.
By default the LDAP service uses port 389 (port 636 for the secured version, LDAPS). If Kerio MailServer has to reach the LDAP database on a non-standard port, append it to the DNS name or IP address of the server, separated by a colon (e.g. mail1.company.com:12345 or 212.100.12.5:12345).
Note: If the secured version of the LDAP service is used, enter the server's DNS name rather than its IP address; the name is needed to verify the server's SSL certificate.
Name of a user with read access to the LDAP database, in the form xxxxx@company.com.
Password of the user with read access to the LDAP database.
Sensitive data (including user passwords) may be transmitted between Kerio MailServer and the LDAP database, so it is recommended to secure this traffic with SSL. To enable LDAPS in Active Directory, the domain controller must hold a server certificate issued by a certification authority that Kerio MailServer trusts; this is typically achieved by running a certification authority on the domain controller.
Warning: SSL encryption costs connection speed and processor time. With many connections between the LDAP database and Kerio MailServer, or a large number of users in the LDAP database, the traffic may slow down. If the SSL encryption overloads the server, the non-secured version of LDAP can be used instead. Bear in mind that the bind password and user passwords then cross the network in clear text, so this should only be considered on a trusted network segment or when both servers run on the same computer.
DNS name or IP address of the backup server with the same LDAP database.
Note: If the secured version of the LDAP service is used, enter the backup server's DNS name rather than its IP address; the name is needed to verify the server's SSL certificate.
If the email domain name differs from the domain name defined in Active Directory, check this option and enter the Active Directory name in the Active Directory Domain Name text field.
Click the Test connection button to check the defined parameters. The test checks the server name and address (whether a connection to the server can be established), the username and password (whether authentication succeeds) and whether Kerio Active Directory Extensions are installed on the Active Directory server (see chapter 29 Kerio Active Directory Extensions).
Note: The cooperation with the LDAP database described above is unrelated to the built-in LDAP server. The built-in LDAP server is used to access contact lists from mail clients (for details refer to the chapter 19 LDAP server). If Kerio MailServer is installed on the same computer as Active Directory, change the port number of the built-in LDAP service to avoid a collision with the Active Directory LDAP service on port 389.
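The server, port and backup-server rules above (default 389/636, an optional :port suffix, and a DNS name being mandatory when SSL is on) are easy to get wrong in a form. The following added example, which is not Kerio code, validates those fields the way an administrator would want the console to: it applies the defaults, rejects malformed ports, and refuses an IP literal together with SSL because a certificate cannot be verified against an address. Function names, the returned record type and the sample entries are assumptions for illustration.

```python
"""Validate the directory-service server fields described above.

Added example, not Kerio code: parses the primary and backup server
entries ("host" or "host:port"), applies the 389/636 defaults, and
enforces the rule that a secured (LDAPS) connection needs a DNS name,
because a certificate cannot be verified against an IP literal.
Function names and return types are assumptions for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

LDAP_PORT = 389    # default for plain LDAP
LDAPS_PORT = 636   # default for LDAP over SSL


@dataclass(frozen=True)
class LdapEndpoint:
    host: str
    port: int
    secure: bool


def is_ip_literal(host: str) -> bool:
    """True for an IPv4/IPv6 address, False for a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def parse_server_spec(spec: str, secure: bool) -> LdapEndpoint:
    """Parse one server field ("mail1.company.com", "212.100.12.5:12345").

    Raises ValueError for an empty field, a bad port, or an IP literal
    combined with SSL. Bracketed IPv6 literals are out of scope here.
    """
    spec = spec.strip()
    if not spec:
        raise ValueError("field is empty")
    host, sep, port_text = spec.rpartition(":")
    if sep:
        if not port_text.isdigit() or not 1 <= int(port_text) <= 65535:
            raise ValueError(f"invalid port in {spec!r}")
        port = int(port_text)
    else:
        host, port = spec, (LDAPS_PORT if secure else LDAP_PORT)
    if not host:
        raise ValueError(f"missing host in {spec!r}")
    if secure and is_ip_literal(host):
        raise ValueError(
            f"{host!r}: SSL needs a DNS name so the certificate can be verified")
    return LdapEndpoint(host, port, secure)


def check_directory_service(primary: str, backup: Optional[str],
                            secure: bool) -> List[str]:
    """Return a list of problems for the server fields; empty list means OK.

    The primary server is mandatory, the backup server is optional.
    """
    problems = []
    for label, spec in (("server", primary), ("backup server", backup)):
        if spec is None or not spec.strip():
            if label == "server":
                problems.append("server: field is empty")
            continue
        try:
            parse_server_spec(spec, secure)
        except ValueError as exc:
            problems.append(f"{label}: {exc}")
    return problems


if __name__ == "__main__":
    # Constructed sample entries mirroring the examples in the text.
    print(parse_server_spec("mail1.company.com", secure=False))
    print(parse_server_spec("212.100.12.5:12345", secure=False))
    print(check_directory_service("dc1.company.com", "212.100.12.5", secure=True))
```

Running the block rejects the backup server in the last call: with SSL enabled, 212.100.12.5 is an IP literal, which is exactly the configuration the notes above warn against.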
To enable Kerio MailServer to cooperate fully with Open Directory (i.e. to enable the database to store all data about user accounts — see chapter 13.2 Creating a user account), install the Kerio Open Directory Extensions on the Open Directory Master and all replica servers. For details see the chapter 30 Kerio Open Directory Extensions.
Use this option to enable/disable cooperation with the LDAP database (if this option is inactive, only local accounts can be created in the domain).
Type of LDAP database that will be used by this domain. There are two variants of the Apple Open Directory mapping, differing in the authentication method. Apple Open Directory supports two authentication methods: authentication against the password server and Kerberos authentication.
The first method (authentication against the password server) has one benefit: no special settings are needed on the server where Kerio MailServer is installed. It also has several disadvantages:
This authentication method is obsolete and less secure.
Users cannot change their passwords on their own (in the Kerio WebMail interface).
Apple has ended support for this authentication method.
This authentication method is available only if Kerio MailServer is installed on Mac OS X.
Authentication against the Kerberos server, by contrast, is more modern and secure, but it requires additional settings on the server where Kerio MailServer is installed. For detailed information on these settings, see chapter 24 Kerberos Authentication.
Up to 6.1.3, Kerio MailServer used authentication against the password server by default. Since Kerio MailServer 6.1.4 it is possible to choose an authentication method.
Remember also that in the domain settings on the Advanced tab of the Kerio MailServer administration console, the name of the Kerberos realm against which the mailserver authenticates must be specified. The name must match (including case) the realm name in the /Library/Preferences/edu.mit.Kerberos file, otherwise authentication will not work. For a detailed description of authentication against the Kerberos server on Mac OS X, see chapter 24.3 Kerio MailServer on Mac OS.
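A realm mismatch is a silent failure: the mailserver simply cannot obtain tickets. The following added example, which is not Kerio code, reads the realm settings from the file named above and compares them with the realm entered on the Advanced tab. It assumes that /Library/Preferences/edu.mit.Kerberos uses the krb5.conf layout (INI-like [libdefaults] and [realms] sections, which is what MIT Kerberos on Mac OS X reads); the file content embedded below is a constructed sample, and the function names are assumptions for illustration.

```python
"""Check that the Kerberos realm configured for the domain matches the
realm in /Library/Preferences/edu.mit.Kerberos.

Added example, not Kerio code. It assumes the file uses the krb5.conf
layout ([libdefaults] / [realms] sections). The sample content below is
constructed for illustration; in practice read the real file.
"""
import re
from typing import Iterator, List, Optional, Set, Tuple

SAMPLE_EDU_MIT_KERBEROS = """\
# constructed sample of /Library/Preferences/edu.mit.Kerberos
[libdefaults]
    default_realm = COMPANY.COM
    dns_fallback = no

[realms]
    COMPANY.COM = {
        kdc = odmaster.company.com:88
        admin_server = odmaster.company.com
    }

[domain_realm]
    .company.com = COMPANY.COM
    company.com = COMPANY.COM
"""

_SECTION = re.compile(r"^\[([^\]]+)\]$")
_REALM_BLOCK = re.compile(r"^([^\s=]+)\s*=\s*\{$")
_KEY_VALUE = re.compile(r"^([^\s=]+)\s*=\s*(.*)$")


def _lines(text: str) -> Iterator[Tuple[Optional[str], int, str]]:
    """Yield (section, brace depth, line) for each meaningful line."""
    section, depth = None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = _SECTION.match(line)
        if m and depth == 0:
            section = m.group(1)
            continue
        yield section, depth, line
        if line.endswith("{"):
            depth += 1
        elif line == "}":
            depth -= 1


def default_realm(text: str) -> Optional[str]:
    """default_realm from [libdefaults], or None if absent."""
    for section, depth, line in _lines(text):
        if section == "libdefaults" and depth == 0:
            m = _KEY_VALUE.match(line)
            if m and m.group(1) == "default_realm":
                return m.group(2).strip()
    return None


def defined_realms(text: str) -> Set[str]:
    """Realm names that have a block in the [realms] section."""
    realms = set()
    for section, depth, line in _lines(text):
        if section == "realms" and depth == 0:
            m = _REALM_BLOCK.match(line)
            if m:
                realms.add(m.group(1))
    return realms


def check_realm(configured: str, text: str) -> List[str]:
    """Return problems with the realm entered on the Advanced tab.

    An empty list means it matches. Realm names are case-sensitive,
    so "company.com" does not match "COMPANY.COM".
    """
    problems = []
    default = default_realm(text)
    realms = defined_realms(text)
    if default is None:
        problems.append("no default_realm in [libdefaults]")
    elif configured != default:
        problems.append(
            f"configured realm {configured!r} differs from default_realm {default!r}")
    if configured not in realms:
        problems.append(
            f"realm {configured!r} has no [realms] entry (defined: {sorted(realms)})")
    return problems


if __name__ == "__main__":
    print(check_realm("COMPANY.COM", SAMPLE_EDU_MIT_KERBEROS))
    print(check_realm("company.com", SAMPLE_EDU_MIT_KERBEROS))
```

The second call reports two problems, which is the typical mistake: the realm was typed in lower case like the DNS domain, but Kerberos treats it as a different realm.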
DNS name or IP address of the server where the LDAP database is running.
By default the LDAP service uses port 389 (port 636 for the secured version, LDAPS). If Kerio MailServer has to reach the LDAP database on a non-standard port, append it to the DNS name or IP address of the server, separated by a colon (e.g. mail1.company.com:12345 or 212.100.12.5:12345).
Note: If the secured version of the LDAP service is used, enter the server's DNS name rather than its IP address; the name is needed to verify the server's SSL certificate.
Name of a user with read access to the LDAP database, either the root user or the Open Directory administrator (admin on Mac OS X 10.3, diradmin on Mac OS X 10.4). If an administrator account is used, make sure it is an Open Directory administrator, not just a local administrator on the Open Directory computer.
To connect to the Apple Open Directory database, enter the username as a distinguished name of the following form:
uid=xxx,cn=xxx,dc=xxx
uid — the username used to connect to the system.
cn — name of the users container (typically users).
dc — one component for the domain and each of its subdomains (e.g. mail.company.com → dc=mail,dc=company,dc=com).
Password of the user with read access to the LDAP database.
Sensitive data (including user passwords) may be transmitted between Kerio MailServer and the LDAP database. The communication can be secured with SSL.
Warning: SSL encryption costs connection speed and processor time. With many connections between the LDAP database and Kerio MailServer, or a large number of users in the LDAP database, the communication may slow down. If the SSL encryption overloads the server, the non-secured version of LDAP can be used instead. Bear in mind that the bind password and user passwords then cross the network in clear text, so this should only be considered on a trusted network segment or when both servers run on the same computer.
DNS name or IP address of the backup server with the same LDAP database.
Note: If the secured version of the LDAP service is used, enter the backup server's DNS name rather than its IP address; the name is needed to verify the server's SSL certificate.
If the Apple OpenDirectory option is selected in the Directory service type entry, insert a suffix in the following form: dc=subdomain,dc=domain.
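The uid=...,cn=...,dc=... username form and the dc=subdomain,dc=domain suffix above are both derived from the same domain name. The following added example, which is not Kerio code, builds both from a username and a domain, and escapes attribute values per RFC 4514 so that a username containing characters such as "," or "=" cannot alter the structure of the bind DN. The container name users, the helper names and the sample domain are assumptions for illustration; the dc mapping itself is the one the text gives.

```python
"""Build the Open Directory bind DN and search suffix from a username
and a domain, in the uid=...,cn=...,dc=... form described above.

Added example, not Kerio code. The container name "users" and the
sample domain are assumptions; escaping follows RFC 4514.
"""
from typing import List

# Characters RFC 4514 requires to be escaped inside an attribute value.
_SPECIAL = set(',+"\\<>;=')


def escape_rdn_value(value: str) -> str:
    """Escape an RDN attribute value per RFC 4514 (special characters,
    a leading '#' or space, a trailing space, and NUL)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in _SPECIAL or (i == 0 and ch in "# ") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def domain_to_dc(domain: str) -> str:
    """mail.company.com -> dc=mail,dc=company,dc=com"""
    labels = [l for l in domain.strip().lower().strip(".").split(".") if l]
    if not labels:
        raise ValueError("empty domain")
    return ",".join("dc=" + escape_rdn_value(l) for l in labels)


def open_directory_suffix(domain: str) -> str:
    """Suffix for the Apple Open Directory domain field (dc=subdomain,dc=domain)."""
    return domain_to_dc(domain)


def open_directory_bind_dn(username: str, domain: str,
                           container: str = "users") -> str:
    """Bind DN for the username field: uid=<user>,cn=<container>,dc=...

    The username is escaped, so a value like "diradmin,cn=admins" stays
    inside the uid RDN instead of adding an RDN of its own.
    """
    if not username or username != username.strip():
        raise ValueError("username is empty or has surrounding whitespace")
    return (f"uid={escape_rdn_value(username)},"
            f"cn={escape_rdn_value(container)},{domain_to_dc(domain)}")


def split_dn(dn: str) -> List[str]:
    """Split a DN into its RDNs, honouring backslash escapes."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return parts


if __name__ == "__main__":
    # Constructed sample values.
    print(open_directory_bind_dn("diradmin", "mail.company.com"))
    print(open_directory_suffix("company.com"))
    print(split_dn(open_directory_bind_dn("diradmin,cn=admins", "mail.company.com")))
```

For diradmin on mail.company.com this yields uid=diradmin,cn=users,dc=mail,dc=company,dc=com, and the hostile username in the last call still produces a DN with exactly five RDNs.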
Click the Test connection button to check the defined parameters. The test checks the server name and address (whether a connection to the server can be established) as well as the username and password (whether authentication succeeds).
Note: The cooperation with the LDAP database described above is unrelated to the built-in LDAP server. The built-in LDAP server is used to access contact lists from mail clients (for details refer to the chapter 19 LDAP server). However, if Kerio MailServer is installed on an Apple Open Directory server, the LDAP listening port under Configuration → Services must be changed to an alternate port to avoid a port conflict with Open Directory's own LDAP service.