Mapping different name from Active Directory
IMPORTANT
This solution is applied at the customer's own risk. Even though it works and is a tested solution, we cannot guarantee its compatibility with all versions released in the future. We strongly recommend that you back up all modified configuration files in case a future upgrade overwrites them. Tested for Kerio Connect 8.4 and newer.
The AD mapping is based on a special mapping file named ads.map, which is located in the ldapmap folder of the Kerio Connect installation directory. We map the short (pre-Windows 2000) name by default, because it is the name most commonly used by Active Directory users.
It is possible to slightly modify this mapping file to map another Active Directory property as the user name in Kerio Connect. The following text briefly describes the solution and discusses its possible aspects, as this solution is not directly supported by Technical Support.
This solution maps a different attribute from the Active Directory structure. The attribute is named userPrincipalName (User Logon Name in Active Directory settings) and has the following format: user.name@domain.name. The attribute Kerio Connect maps by default is named sAMAccountName (User Logon Name (pre-Windows 2000) in Active Directory settings) and has the following format: shortname (it is used as DOMAIN\shortname). The two attributes have different formats. However, both can be used for authentication in Active Directory, as they are aliases for the same user. Users can use the sAMAccountName attribute for authentication to the Active Directory domain (e.g. to their computer) and the userPrincipalName attribute as their Kerio Connect username and email address (the attribute has an email-address format).
There are two ways the mapped attribute is used in Kerio Connect. The first is attribute mapping (the information displayed in the administration console of Kerio Connect; the read operation). This is done using a so-called map file, which can easily be modified according to our needs. The second is the access to the LDAP server of Active Directory (the search operation). The search is done to retrieve user attributes or, for example, when a new email is received by your Kerio Connect server.
In this solution we are going to map the userPrincipalName in the map file, and it is important that both operations (search and read, against the Active Directory LDAP server) work properly. The following example shows one more complication: the difference between the Active Directory domain name and the Kerio Connect email domain name:
- userPrincipalName attribute is: name.surname@domain.com
- The attribute mapped by Kerio Connect (read operation) would be the username part: name.surname
- Kerio Connect would ask for (search operation): name.surname@email.domain.com
If the Active Directory domain name differs from the email domain name, the user would not be found in the LDAP server of the Active Directory. As described above, the mapping is split into two parts: the search and the read operations. It is important to define the search operation in the mapping file properly, according to your Active Directory domain name settings.
Active Directory name is the same as the email domain name
Replace the following part in the mapping files ads.map and gal_ads.map:
<variable>
  <name>Name</name>
  <value><attribute>sAMAccountName</attribute></value>
</variable>
with the following text:
<variable>
  <name>Name</name>
  <value><attribute regex="(.*)@(.*)" result="\1">userPrincipalName</attribute></value>
  <search name="userPrincipalName">${Name}@${Domain}</search>
</variable>
Active Directory name is different to the email domain name
In this case, you need to specify the correct Active Directory name in the mapping files ads.map and gal_ads.map according to the following example:
<variable>
  <name>Name</name>
  <value><attribute regex="(.*)@(.*)" result="\1">userPrincipalName</attribute></value>
  <search name="userPrincipalName">${Name}@active.directory.name</search>
</variable>
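As an added illustration (not part of the original article or of Kerio Connect itself), the following Python script models the two map-file operations described above: the read operation applies the regex/result pair to userPrincipalName, and the search operation expands the <search> template before the LDAP lookup. The directory entries are constructed, and using Python's re module to stand in for the map file's regex engine is an assumption.

```python
import re

# Constructed Active Directory entries (example data only).
AD_USERS = [
    {"sAMAccountName": "jsmith", "userPrincipalName": "john.smith@domain.com"},
    {"sAMAccountName": "adoe", "userPrincipalName": "anna.doe@domain.com"},
]

# Read operation of the modified map file:
#   <attribute regex="(.*)@(.*)" result="\1">userPrincipalName</attribute>
# The regex is matched against the attribute value and "result" is expanded
# with the captured groups; \1 is the part before the "@".
# Assumption: Python's re behaves like the map file's regex engine.
READ_REGEX = re.compile(r"(.*)@(.*)")


def read_name(entry, result=r"\1"):
    """Derive the Kerio Connect username from userPrincipalName.

    Returns None when the regex does not match (e.g. a UPN without '@'),
    i.e. the account would get no mapped name.
    """
    m = READ_REGEX.fullmatch(entry["userPrincipalName"])
    return m.expand(result) if m else None


def search_value(template, name, email_domain):
    """Expand the <search> template: ${Name} is the mapped name,
    ${Domain} is the Kerio Connect email domain being served."""
    return template.replace("${Name}", name).replace("${Domain}", email_domain)


def lookup(template, name, email_domain, directory=AD_USERS):
    """Simulate the LDAP search userPrincipalName=<expanded template>."""
    wanted = search_value(template, name, email_domain)
    return next((u for u in directory if u["userPrincipalName"] == wanted), None)


# Variant 1 (AD domain equals the email domain): ${Domain} is substituted.
SEARCH_SAME = "${Name}@${Domain}"
# Variant 2 (AD domain differs): the AD domain is written into the template.
SEARCH_FIXED = "${Name}@domain.com"

if __name__ == "__main__":
    for email_domain in ("domain.com", "email.domain.com"):
        hit = lookup(SEARCH_SAME, "john.smith", email_domain)
        print(f"{email_domain:>18}: ${{Domain}} search -> {'found' if hit else 'not found'}")
    print("fixed AD domain search ->", lookup(SEARCH_FIXED, "john.smith", "email.domain.com") is not None)
```

Running it shows that the ${Domain} template only finds the user while the email domain equals the AD domain, whereas the fixed-domain template finds the user for any email domain.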
IMPORTANT
The map file is used for all domain mappings defined in Kerio Connect. If you need to specify more email domains and use different mappings for them, per-domain map files need to be used as described below.
Per-domain map files
It is possible to change the map file Kerio Connect uses for each email domain in the configuration file. The following steps are an example for the email domain test.lab and the custom map file named ads-custom.map.
- Create a custom map file for each domain (the filename is not important; in our example let's use ads-custom.map)
- Stop the Kerio Connect engine
- Open the mailserver.cfg configuration file in a text editor
- Locate the following section:
<list name="Ldap">
  <listitem>
    <variable name="Domain">test.lab</variable>
    <variable name="ServerName">test.kerio.local</variable>
    <variable name="ServerPort">389</variable>
    <variable name="BindDn">test@kerio.local</variable>
    <variable name="BindPassword">D3S:225a4a0449dd6ea9b49a33b85fa29b2a82eb363e4a62714b</variable>
    <variable name="MapFile">ads-custom.map</variable>
    .....
- Modify the MapFile variable according to the file created for this specific domain; in our example it is ads-custom.map
- Start the Kerio Connect server