Overview
The AD (Active Directory) mapping is based on a special mapping file named ads.map which is located in the installation directory of Kerio Connect in folder ldapmap.
We map the short name by default because it is the name most commonly used by Active Directory users.
It is possible to slightly modify this mapping file to map another property from Active Directory as a username in Kerio Connect.
This solution maps a different attribute from the Active Directory structure. The attribute is named userPrincipalName (User Login Name in Active Directory settings) and has the format user.name@domain.name. The attribute Kerio Connect maps by default is named sAMAccountName (User Login Name (pre-Windows 2000) in Active Directory settings) and has the format shortname (it is the short name used in the DOMAIN\shortname logon form). The two attributes have different formats. However, both can be used for authentication in Active Directory, as they are aliases for the same user. Users can use the sAMAccountName attribute for authentication to the Active Directory domain (e.g. to their computer), and the userPrincipalName attribute as their Kerio Connect username and email address (the attribute has an email-address format).
IMPORTANT
This solution is done at the customer's own risk. Even though it works and is a tested solution, we cannot guarantee its compatibility with all versions released in the future. We strongly recommend that you back up all modified configuration files in case a future upgrade overwrites them. Tested with Kerio Connect 8.4 and newer.
There are two possibilities for how the mapped attribute is represented in Kerio Connect.
- The first possibility is the attribute mapping (the information displayed in the administration console of Kerio Connect, i.e. the read operation). This is done using the so-called map file, which can be easily modified to our needs.
- The second representation of a mapped attribute is the access to the LDAP server of the Active Directory (the search operation). The search is done to retrieve user attributes or, for example, when a new email is received by your Kerio Connect server.
In this solution we modify the mapping to userPrincipalName in the map file; it is important that both operations (search and read) against the Active Directory LDAP server work properly.
The following example shows one more complication, the difference between the Active Directory domain name and Kerio Connect's email domain name:
userPrincipalName attribute is: name.surname@domain.com
The attribute mapped by Kerio Connect would be the username part: name.surname.
Kerio Connect would ask for name.surname@email.domain.com
If the Active Directory domain name differs from the email domain name, the user would not be found in the LDAP server of the Active Directory. As described above, the mapping is split into two parts, the search and the read operations. It is important to define the search operation in the mapping file correctly according to your Active Directory domain name settings.
The Active Directory name is the same as the email domain name
Replace the following part in the mapping files, ads.map and gal_ads.map:
<variable>
<name>Name</name>
<value><attribute>sAMAccountName</attribute></value>
</variable>
with the following text:
<variable>
<name>Name</name>
<value><attribute regex="(.*)@(.*)" result="\1">userPrincipalName</attribute></value>
<search name="userPrincipalName">${Name}@${Domain}</search>
</variable>
The Active Directory name is different from the email domain name
In this case, you need to specify the correct Active Directory name in the mapping files ads.map and gal_ads.map according to the following example:
<variable>
<name>Name</name>
<value><attribute regex="(.*)@(.*)" result="\1">userPrincipalName</attribute></value>
<search name="userPrincipalName">${Name}@active.directory.name</search>
</variable>
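To make the read/search split concrete, here is an added Python example (not Kerio's code) that simulates both operations over a constructed in-memory directory instead of a live LDAP server. The read step applies the map file's regex="(.*)@(.*)" / result="\1" pair to userPrincipalName; the search step expands the ${Name} and ${Domain} placeholders of the <search> element and does an equality match. The sample entries, the AD domain ad.example.local and the email domain example.com are constructed for the example, and show why the search fails with ${Domain} when the two names differ and succeeds once the Active Directory name is written into the search template.

```python
import re

# Constructed sample Active Directory entries (not real data). The AD domain
# here is ad.example.local, while the email domain Kerio Connect serves is
# example.com, which is the mismatch case the article describes.
SAMPLE_AD = [
    {"sAMAccountName": "jsmith",
     "userPrincipalName": "john.smith@ad.example.local"},
    {"sAMAccountName": "akovac",
     "userPrincipalName": "anna.kovac@ad.example.local"},
]

# The regex/result pair from the modified <attribute> element in ads.map.
UPN_REGEX = r"(.*)@(.*)"
UPN_RESULT = r"\1"


def read_name(entry, attribute="userPrincipalName",
              regex=UPN_REGEX, result=UPN_RESULT):
    """Read operation: take the attribute value and, if the map file gives a
    regex/result pair, return the rewritten value (\\1 = part before the @)."""
    value = entry.get(attribute)
    if value is None:
        return None
    if regex is None:
        return value                      # plain mapping, as for sAMAccountName
    match = re.fullmatch(regex, value)
    if match is None:
        return None                       # value does not look like a UPN
    return match.expand(result)


def expand_search(template, variables):
    """Expand the ${Name}, ${Domain}, ... placeholders of a <search> element."""
    def replace(m):
        key = m.group(1)
        if key not in variables:
            raise KeyError("unknown search variable: " + key)
        return variables[key]
    return re.sub(r"\$\{(\w+)\}", replace, template)


def ldap_search(directory, attribute, value):
    """Search operation: equality match on one attribute, like (attr=value)."""
    return [e for e in directory if e.get(attribute) == value]


def resolve_user(directory, username, email_domain, search_template):
    """Resolve username@email_domain the way the map file directs: build the
    search value from the <search> template, look it up in the directory,
    then read Name back. Returns the mapped Name, or None when no single
    entry matches (the 'user not found' situation described above)."""
    search_value = expand_search(search_template,
                                 {"Name": username, "Domain": email_domain})
    hits = ldap_search(directory, "userPrincipalName", search_value)
    if len(hits) != 1:
        return None
    return read_name(hits[0])


if __name__ == "__main__":
    # <search> uses ${Domain}; fails because the AD name differs from example.com.
    print(resolve_user(SAMPLE_AD, "john.smith", "example.com",
                       "${Name}@${Domain}"))              # None
    # <search> carries the AD name; the user is found and Name is john.smith.
    print(resolve_user(SAMPLE_AD, "john.smith", "example.com",
                       "${Name}@ad.example.local"))       # john.smith
```

When the AD name and the email domain are the same, the first template works unchanged, which is the first configuration variant above; the second template is the per-domain fix for the mismatch case.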
Note
The map file is used for all domain mappings defined in Kerio Connect. If you need to specify more email domains and you need to use multiple different mappings, per domain map files need to be used as described below.
Per-domain map files
It is possible to change the map file Kerio Connect uses for each email domain in the configuration file. The following steps are an example of the email domain test.lab and for the custom map file named ads-custom.map.
Step-By-Step Guide
1. Create a custom map file for each domain (the filename is not important; in our example let's use ads-custom.map).
2. Stop the Kerio Connect engine.
3. Open the mailserver.cfg configuration file in a text editor.
4. Locate the following section:
<list name="Ldap">
<listitem>
<variable name="Domain">test.lab</variable>
<variable name="ServerName">test.kerio.local</variable>
<variable name="ServerPort">389</variable>
<variable name="BindDn">test@kerio.local</variable>
<variable name="BindPassword">D3S:225a4a0449dd6ea9b49a33b85fa29b2a82eb363e4a62714b</variable>
<variable name="MapFile">ads-custom.map</variable>
5. Modify the MapFile variable according to the file created for this specific domain; in our example it is ads-custom.map.
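Because the map file is set per Ldap list item, the edit in step 5 is easy to script and to back up, which the IMPORTANT note above asks for. The following Python example is added here and is not part of Kerio Connect; it parses a constructed excerpt shaped like the section shown above, locates the Ldap listitem whose Domain variable matches the email domain, and rewrites only that item's MapFile. The enclosing <config> root element is an assumption made so the fragment parses as XML, the BindPassword values are placeholders, and the second listitem (other.lab) is constructed to show that other domains are left untouched.

```python
import shutil
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed excerpt in the shape of the mailserver.cfg section shown above.
# The <config> root is an assumption so the fragment parses; BindPassword
# values are placeholders, not real hashes.
SAMPLE_CFG = """<config>
<list name="Ldap">
<listitem>
<variable name="Domain">test.lab</variable>
<variable name="ServerName">test.kerio.local</variable>
<variable name="ServerPort">389</variable>
<variable name="BindDn">test@kerio.local</variable>
<variable name="BindPassword">D3S:PLACEHOLDER</variable>
<variable name="MapFile">ads.map</variable>
</listitem>
<listitem>
<variable name="Domain">other.lab</variable>
<variable name="ServerName">dc.other.lab</variable>
<variable name="ServerPort">389</variable>
<variable name="BindDn">bind@other.lab</variable>
<variable name="BindPassword">D3S:PLACEHOLDER</variable>
<variable name="MapFile">ads.map</variable>
</listitem>
</list>
</config>
"""


def _ldap_item(root, domain):
    """Return the Ldap <listitem> whose Domain variable equals `domain`."""
    for item in root.findall("./list[@name='Ldap']/listitem"):
        dom = item.find("variable[@name='Domain']")
        if dom is not None and (dom.text or "").strip() == domain:
            return item
    return None


def get_map_file(cfg_text, domain):
    """Return the MapFile currently configured for `domain`, or None."""
    root = ET.fromstring(cfg_text)
    item = _ldap_item(root, domain)
    if item is None:
        return None
    var = item.find("variable[@name='MapFile']")
    return None if var is None else (var.text or "").strip()


def set_map_file(cfg_text, domain, map_file):
    """Return cfg_text with MapFile for `domain` set to `map_file`; other
    domains are untouched. Raises ValueError when the domain has no Ldap entry
    rather than silently creating one."""
    root = ET.fromstring(cfg_text)
    item = _ldap_item(root, domain)
    if item is None:
        raise ValueError("no Ldap mapping for domain " + domain)
    var = item.find("variable[@name='MapFile']")
    if var is None:
        var = ET.SubElement(item, "variable", name="MapFile")
    var.text = map_file
    return ET.tostring(root, encoding="unicode")


def update_config_file(path, domain, map_file):
    """Copy mailserver.cfg to a .bak file next to it, then rewrite MapFile in
    place. Intended to run only while the Kerio Connect engine is stopped
    (step 2 above); returns the backup path."""
    path = Path(path)
    backup = path.with_suffix(path.suffix + ".bak")
    shutil.copy2(path, backup)
    new_text = set_map_file(path.read_text(encoding="utf-8"), domain, map_file)
    path.write_text(new_text, encoding="utf-8")
    return backup


if __name__ == "__main__":
    updated = set_map_file(SAMPLE_CFG, "test.lab", "ads-custom.map")
    print(get_map_file(updated, "test.lab"))   # ads-custom.map
    print(get_map_file(updated, "other.lab"))  # ads.map
```

Keep the .bak copy (and the custom map file itself) outside the installation directory as well, since the note above warns that an upgrade may overwrite modified configuration files.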