Overview
This article provides detailed steps to map users from a specific Organizational Unit in Kerio Connect, which may be useful in cases when you want to differentiate between additional Active Directory and LDAP (Lightweight Directory Access Protocol) containers.
Information
The LDAP database can use containers to differentiate between objects. An Organizational Unit is such a container, and it is identified by its full LDAP name. To use Organizational Units with the Kerio Connect domain mapping, you need that full name, the Distinguished Name (DN) of the OU.
Kerio Connect maps users from the default LDAP location, which is defined by the DN in this format: dc=domain,dc=com.
Consider a Kerio Connect server with at least two email domains mapping users from the same directory service. Both email domains on the server then contain the same users, so there is a need to differentiate between users according to the email domain to which each user belongs.
By default, Kerio Connect maps all users from all containers in the Active Directory, as this is the top-level structure of the Active Directory tree.
Solution
There are two ways to map the users from a specific Organizational Unit (OU). You can follow either of them:

Changing the Values from the Kerio Connect UI
- Log in to Kerio Connect.
- Go to Configuration > Domains and double-click the domain where the OU change needs to be made.
- Go to the Directory Service tab, check Different from this mail domain name, enter the DN value of the OU, and then click OK. For example, if the OU name is support, then the value here will be support.example.com.

Changing the Values Manually
Warning: The instructions below involve changing the configuration file. If they are not followed correctly, they may cause problems with the functioning of the product. Only proceed if you are comfortable doing so. It is also good practice to take a backup of the file before making any changes.
- Configure Active Directory mapping. For additional information, refer to Connecting Kerio Control to Active Directory Service.
- Stop the Kerio Connect service (Windows / Linux or macOS).
- Go to the Kerio Connect installation directory:
Windows: C:\Program Files\Kerio\MailServer
Linux: /opt/kerio/mailserver
macOS: /usr/local/kerio/mailserver
- Open the mailserver.cfg configuration file.
- Locate the <list name="Ldap"> value in the configuration file.
- In this section of the configuration file, locate your domain definition, as in the example below:
<listitem>
<variable name="Domain">demo.domain.com</variable>
<variable name="ServerName">192.168.65.5</variable>
<variable name="ServerPort">389</variable>
<variable name="BindDn">Administrator@test.lab</variable>
<variable name="BindPassword">DE3:f4cc0ffcf...1d0</variable>
<variable name="MapFile">ads.map</variable>
<variable name="Filter"></variable>
<variable name="UserBaseDn">dc=domain,dc=com</variable>
<variable name="GroupBaseDn">dc=domain,dc=com</variable>
<variable name="Description"></variable>
<variable name="Enabled">1</variable>
<variable name="PrimaryRefreshInt">30</variable>
<variable name="LdapNetworkTimeout">10</variable>
<variable name="SecureConnection">0</variable>
</listitem>
- Change the UserBaseDn and GroupBaseDn search locations according to your path. In this example, the location was changed to the Support department:
<variable name="UserBaseDn">ou=Support,dc=domain,dc=com</variable>
<variable name="GroupBaseDn">ou=Support,dc=domain,dc=com</variable>
- Save the configuration file.
- Start the Kerio Connect service (Windows / Linux or macOS).
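The manual edit above is easy to get wrong by hand (a typo in the OU DN silently maps no users, and editing the wrong listitem changes a different email domain). The following Python script is an added example, not part of the article or of Kerio's own tooling: it parses a configuration fragment shaped like the <list name="Ldap"> section shown above, changes UserBaseDn and GroupBaseDn only for the named domain, and refuses the change unless the new OU DN lies beneath the current base DN. The root element name (config), the second listitem and all values are constructed placeholders; the real root element of mailserver.cfg is not shown in the article, so adjust the XPath if it differs, and run the script only while the service is stopped and after taking a backup, as the warning above says.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the article's <list name="Ldap"> fragment.
# The <config> root and the second listitem are assumptions; values are placeholders.
SAMPLE_CFG = """<config>
<list name="Ldap">
<listitem>
<variable name="Domain">demo.domain.com</variable>
<variable name="ServerName">192.168.65.5</variable>
<variable name="ServerPort">389</variable>
<variable name="BindDn">Administrator@test.lab</variable>
<variable name="BindPassword">DE3:PLACEHOLDER</variable>
<variable name="MapFile">ads.map</variable>
<variable name="Filter"></variable>
<variable name="UserBaseDn">dc=domain,dc=com</variable>
<variable name="GroupBaseDn">dc=domain,dc=com</variable>
<variable name="Enabled">1</variable>
<variable name="SecureConnection">0</variable>
</listitem>
<listitem>
<variable name="Domain">other.domain.com</variable>
<variable name="UserBaseDn">dc=domain,dc=com</variable>
<variable name="GroupBaseDn">dc=domain,dc=com</variable>
</listitem>
</list>
</config>
"""


def parse_dn(dn):
    """Split 'ou=Support,dc=domain,dc=com' into [(attr, value), ...]; reject malformed RDNs."""
    parts = []
    for rdn in dn.split(","):
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN {rdn!r} in DN {dn!r}")
        parts.append((attr.strip().lower(), value.strip().lower()))
    return parts


def dn_is_under(child, parent):
    """True if `child` is a strict descendant of `parent` (the parent's RDNs are a suffix)."""
    c, p = parse_dn(child), parse_dn(parent)
    return len(c) > len(p) and c[-len(p):] == p


def _ldap_item_for(root, domain):
    """Return the <listitem> whose Domain variable equals `domain`, or None."""
    for item in root.iterfind("./list[@name='Ldap']/listitem"):
        if item.findtext("./variable[@name='Domain']") == domain:
            return item
    return None


def current_base_dns(cfg_xml, domain):
    """Return (UserBaseDn, GroupBaseDn) for `domain`, or None if the domain is not mapped."""
    item = _ldap_item_for(ET.fromstring(cfg_xml), domain)
    if item is None:
        return None
    return (item.findtext("./variable[@name='UserBaseDn']"),
            item.findtext("./variable[@name='GroupBaseDn']"))


def set_ou_base(cfg_xml, domain, ou_dn):
    """Point UserBaseDn and GroupBaseDn of `domain` at `ou_dn`.

    Returns (updated_xml, changed_variable_names). Raises ValueError if the domain
    has no Ldap entry, a base DN variable is missing, or `ou_dn` is not beneath the
    current base DN (which would be a typo or the wrong directory tree).
    """
    root = ET.fromstring(cfg_xml)
    item = _ldap_item_for(root, domain)
    if item is None:
        raise ValueError(f"no Ldap listitem for domain {domain!r}")
    changed = []
    for name in ("UserBaseDn", "GroupBaseDn"):
        var = item.find(f"./variable[@name='{name}']")
        if var is None:
            raise ValueError(f"{name} missing for {domain!r}")
        if not dn_is_under(ou_dn, var.text or ""):
            raise ValueError(f"{ou_dn!r} is not under current {name} {var.text!r}")
        var.text = ou_dn
        changed.append(name)
    return ET.tostring(root, encoding="unicode"), changed


def bind_is_plaintext(cfg_xml, domain):
    """True if the domain's directory connection is configured without TLS (SecureConnection 0)."""
    item = _ldap_item_for(ET.fromstring(cfg_xml), domain)
    return item is not None and item.findtext("./variable[@name='SecureConnection']") == "0"


if __name__ == "__main__":
    updated, changed = set_ou_base(SAMPLE_CFG, "demo.domain.com", "ou=Support,dc=domain,dc=com")
    print("changed:", changed)
    print("demo.domain.com now:", current_base_dns(updated, "demo.domain.com"))
    print("other.domain.com untouched:", current_base_dns(updated, "other.domain.com"))
    if bind_is_plaintext(updated, "demo.domain.com"):
        print("note: directory bind for demo.domain.com is not using a secure connection")
```

The suffix check in dn_is_under is the part worth keeping even if you edit the file by hand: an OU DN that does not end with the existing dc=... components points at a different tree, and Kerio Connect would simply find no users there. The bind_is_plaintext helper only reports what the fragment already states (ServerPort 389 with SecureConnection 0); it does not change that setting.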
Confirmation
Kerio Connect now differentiates between additional Active Directory and LDAP containers.