Connecting Kerio Connect to directory service
Mapping accounts from a directory service provides these benefits:
- Easy account administration — You can manage user accounts from a single location. This reduces possible errors and simplifies administration.
- Online cooperation of Kerio Connect and directory service — Adding, modifying and removing user accounts/groups in the LDAP (Lightweight Directory Access Protocol) database is applied to Kerio Connect immediately.
- Using domain name and password for login — Users can use the same credentials for Kerio Connect Client login and domain login.
NOTE
- Mapping is one-way only. Data is synchronized from a directory service to Kerio Connect. Adding new users/groups in Kerio Connect creates local accounts.
- If a directory server is unavailable, it is not possible to access Kerio Connect. Create at least one local administrator account or enable the built-in admin.
- Use ASCII for usernames when creating user accounts in a directory service.
Supported directory services
Kerio Connect supports:
Microsoft Active Directory
To connect Kerio Connect to Microsoft Active Directory:
- On the Microsoft Active Directory server, install the Kerio Active Directory Extension.
- In the Kerio Connect administration interface, go to Configuration > Domains.
- Double-click the domain and switch to the Directory Service tab.
- Select Map user accounts and groups from a directory service.
- As a Directory service type, select Microsoft Active Directory from the drop-down menu.
- In the Hostname field, type the DNS name or IP address of the Microsoft Active Directory server. If you enable secure connection in step 8, use the DNS name. If a non-standard port is used for communication between Kerio Connect and Microsoft Active Directory, add the port number to the hostname.
- Type the Username and Password of a Microsoft Active Directory administrator with full access rights to the administration.
- To protect data, such as user passwords, sent from Microsoft Active Directory to Kerio Connect and vice versa, select Enable secured connection (LDAPS).
- Click Test connection to verify you typed the correct data.
- On the Advanced tab, specify the Kerberos realm. See the Kerberos authentication section below.
- Save the settings.
Now you can map users to Kerio Connect.
Apple Open Directory
- On the Apple Open Directory server, install the Kerio Open Directory Extension.
- In the Kerio Connect administration interface, go to Configuration > Domains.
- Double-click the domain and switch to the Directory Service tab.
- Select Map user accounts and groups from a directory service.
- As a Directory service type, select Apple Open Directory from the drop-down list.
- In the Hostname field, type the DNS name or IP address of the Microsoft Active Directory server. If you enable secure connection in step 8, use the DNS name. If a non-standard port is used for communication between Kerio Connect and Microsoft Active Directory, add the port number to the hostname.
- Type the Username and Password of an Apple Open Directory administrator with full access rights to the administration.
- To protect data, such as user passwords, sent from Microsoft Active Directory to Kerio Connect and vice versa, select Enable secured connection (LDAPS).
- Click Test connection to verify you entered the correct data.
- On the Advanced tab, specify the Kerberos realm. See the Kerberos authentication section below.
- Save the settings.
Now you can map users to Kerio Connect.
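The Hostname and Enable secured connection (LDAPS) steps in both procedures above can be pre-checked from outside the administration interface. The following is an added example, not code from Kerio Connect: it parses the Hostname field value as the steps describe it (a DNS name or IP address, optionally with a port number appended), rejects an IP literal when LDAPS is enabled because certificate hostname verification needs the DNS name, and can perform a verified TLS handshake against the directory server. The default ports 389 and 636, and the IPv4-or-DNS-name assumption, are mine.

```python
"""Pre-flight check for the Directory Service hostname and LDAPS settings.

Added example (not part of Kerio Connect). Assumes IPv4 or DNS names in the
Hostname field; bracketed IPv6 literals are not handled.
"""
import ipaddress
import socket
import ssl
from dataclasses import dataclass

LDAP_PORT = 389    # assumed default for plain LDAP
LDAPS_PORT = 636   # assumed default for LDAP over TLS


@dataclass
class DirectoryEndpoint:
    host: str
    port: int
    ldaps: bool


def parse_hostname_field(value: str, ldaps: bool) -> DirectoryEndpoint:
    """Parse 'host' or 'host:port' exactly as typed into the Hostname field."""
    value = value.strip()
    host, sep, port_text = value.rpartition(":")
    if sep and port_text.isdigit():
        port = int(port_text)              # non-standard port appended to hostname
    else:
        host, port = value, (LDAPS_PORT if ldaps else LDAP_PORT)
    if not host:
        raise ValueError("hostname is empty")
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {port}")
    if ldaps:
        try:
            ipaddress.ip_address(host)
        except ValueError:
            pass                           # a DNS name: usable for certificate checks
        else:
            raise ValueError("LDAPS requires the server's DNS name, not an IP address, "
                             "so the certificate hostname can be verified")
    return DirectoryEndpoint(host, port, ldaps)


def check_ldaps_certificate(ep: DirectoryEndpoint, timeout: float = 5.0) -> str:
    """Open a TLS connection with chain and hostname verification; return the cert CN."""
    ctx = ssl.create_default_context()     # verifies the chain and the hostname
    with socket.create_connection((ep.host, ep.port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=ep.host) as tls:
            subject = dict(rdn[0] for rdn in tls.getpeercert()["subject"])
            return subject.get("commonName", "")
```

A handshake failure from check_ldaps_certificate (untrusted chain or a certificate not issued for the DNS name you typed) is the same condition that makes a secured Test connection fail, so it is worth resolving before saving the settings.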
Kerberos authentication
To use the Kerberos authentication:
- Verify that Kerio Connect belongs to the Active Directory or Open Directory domain.
- In the administration interface, go to Configuration > Domains.
- Double-click a domain and switch to the Advanced tab.
- (For Linux installations only) Type the PAM service name. For more information refer to Authenticating users through PAM.
- Type the Kerberos realm name. The Kerberos realm name is your domain name and Kerio Connect specifies it automatically upon domain creation.
- If you are using the Windows NT domain, type the domain name.
- (Optional) Select Bind this domain to specific IP address and type the IP address. Users accessing Kerio Connect from this IP address use only their username (without the domain name) to log in.
- Click OK.
You can display a column with the Kerberos info in Configuration > Domains.
Mapping users from directory services
For more information refer to Mapping accounts from a directory service.
Migrating user accounts from local database to directory service
For more information refer to Migrating user accounts from local database to directory service.
Troubleshooting
All information about the directory service connection can be found in the Debug and Warning logs.