How to map users from a specific Organizational Unit (ou) only

There are two or more domains on Kerio Connect server mapping users from the same directory service. Both email domains on Kerio Connect server contains same users. There is a need to differ between users according to email domain to which the user belongs.

The LDAPLightweight Directory Access Protocol - A protocol that enables users to access centrally managed contacts. database can use containers to differ between objects. These containers are commonly used to differ between groups, organizations, or departments for example.

Active Directory use following description of such container, which is also the most common container used for such purpose - Organizational units. According to previous description each email domain on Kerio Connect can map users only from a specific container.

Organizational Unit is a full name of the LDAP object. To use organizational units with the Kerio Connect domain mapping you need its Distinguished Name (DN) . DN name for this unit is ou=...

Kerio Connect map users from the default LDAP location by default. This location is defined by the DN name in follwoing format:


So by default the Kerio Connect map all users from all containers in the Active Directory as this is the top level structure of the Active Directory tree.

To differ between additonal Active Directory / LDAP containers

  1. Configure Active Directory mapping according to our manual.
  2. Stop Kerio Connect service.
  3. Open configuration file mailserver.cfg, which is lcoated in installation directory.
  4. Locate following part of configuration file: <list name="Ldap">
  5. In this section of the configuration file locate your domain definition - in our example


<variable name="Domain"></variable>

<variable name="ServerName"></variable>

<variable name="ServerPort">389</variable>

<variable name="BindDn">Administrator@test.lab</variable>

<variable name="BindPassword">DE3:f4cc0ffcf...1d0</variable>

<variable name="MapFile"></variable>

<variable name="Filter"></variable>

<variable name="UserBaseDn">dc=domain,dc=com</variable>

<variable name="GroupBaseDn">dc=domain,dc=com</variable>

<variable name="Description"></variable>

<variable name="Enabled">1</variable>

<variable name="PrimaryRefreshInt">30</variable>

<variable name="LdapNetworkTimeout">10</variable>

<variable name="SecureConnection">0</variable>


  1. Change the UserBaseDN and GroupBasedDN search locations according to your path. In our example we change the location to Support department for example.

<variable name="UserBaseDn">ou=Support,dc=domain,dc=com>/variable>

<variable name="GroupBaseDn">ou=Support,dc=domain,dc=com>/variable>

  1. Save the configuration file.
  2. Start Kerio Connect service.