Connecting Kerio Control to directory service

Which directory services are supported

• Microsoft Active DirectoryA directory service for Windows domain networks.
• Apple Open DirectoryA directory service for Apple based networks.

What is the connection used for

Advantages	Description
Easy account administration	Apart from the internal database of user accounts, Kerio Control can also import accounts and groups from an LDAPLightweight Directory Access Protocol - A protocol that enables users to access centrally managed contacts. database. Using LDAP, user accounts can be managed from a single location. This reduces possible errors and simplifies the administration.
Online cooperation of Kerio Control and directory service	Additions, modifications or removals of user accounts/groups in the LDAP database are applied to Kerio Control immediately.
Using domain name and password for login	Users may use the same credentials for the domain login.

Microsoft Active Directory

Conditions for mapping from Active Directory domains

• Hosts in the local network (user workstations) should use the Kerio Control's DNSDomain Name System - A database enables the translation of hostnames to IP addresses and provides other domain related information. module as the primary DNS server, because it can process queries for Active Directory and forward them to the corresponding domain server. If another DNS server is used, user authentication in the Active Directory may not work correctly.
• The Kerio Control host must be a member of the mapped domain. Otherwise, authentication in the Active Directory may not work correctly.
• In case of mapping multiple domains, the Kerio Control host must be a member of one of the mapped domains (primary domain). The primary domain must trust all other domains mapped in Kerio Control.

Connecting to Microsoft Active Directory

1. In the administration interface, go to Domains and User Login > Directory Services.
2. You have to be a member of the Active Directory domain. If the firewall is not a member of the domain, click Join Domain.
3. In the Join Domain dialog, type the domain name and credentials with rights to join the computer to the Active Directory domain. If you are successfully connected to the domain, you can see a green icon with the name of your domain on the Directory Services tab.
4. Check Map user accounts and groups from a directory service and select Microsoft Active Directory.
5. Type Domain name.
6. Type the username and password of a user with at least read rights for Microsoft Active Directory database. Username format is user@domain.
7. Click Test Connection. In the Users section, you can select the new domain and display all users from the Active Directory domain.

Connecting to Apple Open Directory

1. In the administration interface, go to Domains and User Login > Directory Services.
2. Check Map user accounts and groups from a directory service and select Apple Open Directory.
3. Type the domain name.
4. Type the username and password of a user with at least read rights for Apple Open Directory database. Username format is user@domain.
5. In Primary server/Secondary server, type IP addresses or DNS names of the primary and secondary domain servers.
6. Click Test Connection. In the Users section, you can select the new domain and display all users from the Open Directory domain.

Connecting to other domains

You are successfully connected to the primary domain.

If you want to connect more domains:

1. In Domains and User Login > Directory Services, click Advanced.
2. In Advanced Settings dialog, go to Additional Mapping.
3. Click Add.
4. In the Add New Domain dialog, select Microsoft Active Directory or Apple Open Directory.
5. Type the domain name.
6. Type the username and password of a user with at least read rights for the database. Username format is user@domain.
7. In Primary server/Secondary server, type IP addresses or DNS names of the primary and secondary domain servers.
8. Click Test Connection. In the Users section, you can select the new domain and display all users from the domain.

Configuring encrypted connection (LDAPS)

You can enable encrypted connection for the communication between Kerio Control and the directory service.

1. Go to Domains and User Login > Directory Services.
2. Click Advanced.
3. Check Use encrypted connection.

Collision of directory service with the local database and conversion of accounts

If a user with an identical name exists in both the domain and the local database, a collision occurs.

If a collision occurs, a warning is displayed at the bottom of the Users tab. Click the link in the warning to replace local accounts by corresponding directory service accounts.

The following operations will be performed automatically within each conversion:

• substitution of any appearance of the local account in the Kerio Control configuration (in traffic rules, URL rules, FTPFile Transfer Protocol - Protocol for transferring computer files from a server. rules, etc.) by a corresponding account from the directory service domain
• combination of local and domain account rights
• removal of the account from the local user database

Accounts not selected for the conversion are kept in the local database. Colliding accounts can be used — the accounts are considered as two independent accounts. However, directory service accounts must be always specified including the domain (even though it belongs to the primary domain); username without the domain specified represents an account from the local database. We recommend to remove all collisions by the conversion.