Overview
You want to integrate OpenLDAP with a Kerio Connect (KC) server so that users from OpenLDAP can be mapped directly to KC. This article provides the steps to do this basic integration using a Debian 10 machine. However, it should work for other Linux distributions as well.
NOTE: OpenLDAP configuration is not directly supported by Kerio Connect. So, you are using this feature at your own risk!
The directory services officially supported by KC are Microsoft Active Directory and Apple Open Directory. So, if you are not an experienced user, kindly reconsider your option and choose one of the two supported services.
Prerequisites
- Basic knowledge about Linux systems. Eg: how to install packages.
- The idea about the LDAP directory structure you want to implement.
- This example uses non-secure (plain LDAP) binding. The authentication mechanism used in this scenario sends passwords in plain text over the network, so it is recommended to run both OpenLDAP and KC on the same machine. In this example, both are installed on the same machine.
- LDAP browsers like LDAP Account Manager (LAM) or JXplorer for exploring and editing any LDAP entries.
- Knowledge about how to edit files in Linux using an editor. Eg: Using Vim or Nano editor.
- VMware Workstation, VMware Player, or VMware ESXi hypervisor installed. This example uses the VMware Player.
- The following packages installed on the Debian machine:
  - slapd: the OpenLDAP standalone LDAP daemon on Debian.
  - ldap-utils: provides a number of utilities that can be used to perform queries on the LDAP server.
Solution
Below are the various steps to get the OpenLDAP setup running:
- Setting up a new Debian Virtual Machine (VM)
- Setting up the OpenLDAP server
- Setting up LDAP Account Manager (LAM)
- Setting up Kerio Connect
- Enabling Kerio Connect properties for LDAP Users and Groups
- Creating an LDAP User with Kerio Connect properties
- Creating an LDAP Group with Kerio Connect Properties
- Mapping Users with Groups
- Authentication with OpenLDAP
(A) Setting up a New Debian Virtual Machine (VM)
- Install Debian 10 on a VM using the Graphical Install option.
Debian 10 ISO used here is available on the official Debian website. The version of the ISO used is debian-10.7.0-amd64-netinst.iso.
- During the install, you will be asked for a hostname. Enter an appropriate value, since it will be used later in the OpenLDAP setup:
- Proceed with the default options for the rest of the installation
- After the Debian operating system is successfully installed and the VM is booted, install Open-VM-Tools using the command
sudo apt-get install open-vm-tools
and then reboot the VM.
Note: When running the command, if you run into an error "<username> is not in the sudoers file. This incident will be reported.", then follow the steps in this solution article to resolve the issue and then run the command.
(B) Setting up the OpenLDAP Server
If the hostname of the Debian VM was not set correctly, this is the best time in the process to fix it, since it will be used during the OpenLDAP setup. Refer to the How to Change Hostname on Debian 10 article in case you want to change the hostname of the Debian VM.
Below are the steps to setup OpenLDAP on the Debian VM:
- Run
sudo apt install slapd ldap-utils
to install the OpenLDAP daemon and other utilities.
- After the installation is complete, run
sudo /usr/sbin/slapcat
to verify that the installation of the LDAP server was successful. Below is an example of the output of the slapcat command when the OpenLDAP installation is successful:
dn: dc=ldaptest,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: ldaptest.com
dc: ldaptest
structuralObjectClass: organization
entryUUID: 84d7c2f0-d963-103a-88e3-a7bde69fa370
creatorsName: cn=admin,dc=ldaptest,dc=com
createTimestamp: 20201223120957Z
entryCSN: 20201223120957.793971Z#000000#000#000000
modifiersName: cn=admin,dc=ldaptest,dc=com
modifyTimestamp: 20201223120957Z

dn: cn=admin,dc=ldaptest,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: e1NTSEF9RUxTSGlGb0ZMOC9ZOFhYWWJJR25EeG1SbnNab3h2bG0=
structuralObjectClass: organizationalRole
entryUUID: 84d7f734-d963-103a-88e4-a7bde69fa370
creatorsName: cn=admin,dc=ldaptest,dc=com
createTimestamp: 20201223120957Z
entryCSN: 20201223120957.795369Z#000000#000#000000
modifiersName: cn=admin,dc=ldaptest,dc=com
modifyTimestamp: 20201223120957Z
- Check the status of the slapd service using
sudo systemctl status slapd
It should be reported as active.
(C) Setting up LDAP Account Manager (LAM)
Below are the steps to install LAM on the Debian VM:
- Download the Debian package of LAM on the Debian VM
- On the command line, go to the location where it's downloaded and install it using
sudo apt --fix-broken install ./ldap-account-manager_7.4-1_all.deb
- This will use Apache (for LDAP management via browser) with the default port 8080. This port has to be changed so that it doesn't conflict later with Kerio Connect's port 8080. You can change the Apache port to 8081 (or any other unused valid port number of your choice) using the steps in the How to Change Apache Port to a Custom Port article.
- After LAM is installed and the port is changed, in a browser on the Debian VM, go to
http://localhost:8081/lam
and you will see the LAM login page:
The next steps are to configure some settings for the OpenLDAP server using LAM:
- Click on LAM Configuration at the top-right corner of the LAM login page:
- Click on Edit Server Profiles:
- It will ask for a password. The default password is lam.
- After logging in successfully, under Server settings, change the Tree Suffix to the first dn value seen in step (B) after the successful installation of the OpenLDAP server (dc=ldaptest,dc=com in this example):
- Under Security settings, change the List of valid users to the second dn value seen in step (B) after the successful installation of the OpenLDAP server (cn=admin,dc=ldaptest,dc=com in this example):
- Now, change the Profile password:
- Switch to Account Types tab from the top of the page:
- Under Active account types, set the LDAP Suffix for Users and Groups. For Users, the value of the ou parameter should be Users, and the dc values the same as in the previous steps. For Groups, the value of the ou parameter should be Groups, and the dc values the same as in the previous steps. This is required since Kerio Connect looks for these ou values by default for Users and Groups.
- Click on Save:
- You will be taken back to the login page with a Your settings were successfully saved message:
- Log in to LAM and it will ask you to create the Users and Groups related suffixes for you. Click on Create to get them created:
- Click on Tree View to see the newly created suffixes:
This completes the initial setup for LAM. Now, we will add an OpenLDAP test user from the Debian VM's command line and verify from the LAM that it is created successfully. Below are the steps for this:
- Download the attached test_user.ldif file.
- Run the ldapadd command to add a test user. Below is what a successful output of the run would look like:
# ldapadd -f test_user.ldif -h 127.0.0.1 -D "cn=admin,dc=ldaptest,dc=com" -x -W
Enter LDAP Password:
adding new entry "uid=test_user,dc=ldaptest,dc=com"
- Log in to LAM and verify that the user appears in the tree:
(D) Setting up Kerio Connect
- Install Kerio Connect on the Debian VM.
- After the command-line installation is completed successfully, during the Kerio Connect setup on the user interface, it is recommended to keep the Internet hostname and Email domain unchanged:
- Change the LDAP port to 399 (or any other valid unused port) to avoid a conflict with the OpenLDAP server, which already listens on the default LDAP port 389.
- Go to Configuration > Domains, select the domain and click on Edit:
- Go to the Directory Service tab.
- Check Map user accounts and groups from a directory service to this domain.
- For the Directory service type dropdown, select Apple® Open Directory (Kerberos™ 5 authentication), since that is the closest implementation to OpenLDAP.
- Enter the Hostname, Username, and Password of the OpenLDAP server. The Hostname is the IP address of your Debian VM. The Username may get overwritten with some value; this can be ignored for now. The Password is the OpenLDAP password that was set up in step (C) previously. Note: In this example, we will only be using LDAP and not LDAPS, so keep the Secure connection (LDAPS) checkbox unchecked.
- Click on Test Connection.
- You will receive a Cannot bind to LDAP server (invalid credentials) error, which can be ignored for now:
- Save the domain configuration by clicking on OK.
The next steps are to fix the Invalid Credentials error received previously:
- Stop the Kerio Connect service using
sudo systemctl stop kerio-connect
- Go to /opt/kerio/mailserver/
- Download the attached openldap.map file to /opt/kerio/mailserver/
- Change the ownership of the openldap.map file using the commands
chown root openldap.map
and
chgrp root openldap.map
- Open the /opt/kerio/mailserver/mailserver.cfg file for editing.
- Search for the text list name="Ldap"
- Under that, update the BindDn parameter value to the Username value you intended to enter in the previous set of steps (the OpenLDAP admin DN). After modification it will look something like
<variable name="BindDn">cn=admin,dc=ldaptest,dc=com</variable>
- Update the MapFile parameter value to openldap.map. It will look like this:
<variable name="MapFile">openldap.map</variable>
- Save the file and exit the editor.
- Go to /etc/ldap/schema/
- Copy the attached kerio-mailserver.schema file to /etc/ldap/schema/
- Change the ownership of the /etc/ldap/schema/kerio-mailserver.schema file using the commands
chown root kerio-mailserver.schema
and
chgrp root kerio-mailserver.schema
- Start the Kerio Connect service using
sudo systemctl start kerio-connect
- Log in to Kerio Connect and run the Test Connection (as in the previous set of steps) without editing any parameters. It will succeed this time.
(E) Enabling Kerio Connect Properties for LDAP Users and Groups
The steps below enable the Kerio Connect properties in OpenLDAP, so that the LDAP users and groups can be maintained in a way that keeps Kerio Connect and LDAP in sync:
- Download the attached kerio-mailserver.conf config file to your Debian VM.
- Create a directory using
mkdir /tmp/slapd.d
- Verify that the config file is correct using the command
sudo /usr/sbin/slaptest -f kerio-mailserver.conf -F /tmp/slapd.d/
Below is what a successful output will look like:
# /usr/sbin/slaptest -f kerio-mailserver.conf -F /tmp/slapd.d/
config file testing succeeded
- Run
cp "/tmp/slapd.d/cn=config/cn=schema/cn={4}kerio-mailserver.ldif" "/etc/ldap/slapd.d/cn=config/cn=schema"
The {4} index is the position of the kerio-mailserver schema after the four schemas numbered {0} to {3} in the ldapsearch output below. If slaptest generated the file with a different index, use that filename instead, and make sure no file with the same index already exists under /etc/ldap/slapd.d/cn=config/cn=schema.
- Make the copied file owned by the openldap user, which slapd runs as, using
chown openldap: '/etc/ldap/slapd.d/cn=config/cn=schema/cn={4}kerio-mailserver.ldif'
- Stop slapd using
sudo systemctl stop slapd
- Start slapd using
sudo systemctl start slapd
- Verify that kerio-mailserver appears in the schema list using the command
ldapsearch -LLLQY EXTERNAL -H ldapi:/// -b cn=schema,cn=config "(objectClass=olcSchemaConfig)" dn
Below is how the kerio-mailserver entry will appear:
# ldapsearch -LLLQY EXTERNAL -H ldapi:/// -b cn=schema,cn=config "(objectClass=olcSchemaConfig)" dn
dn: cn=schema,cn=config

dn: cn={0}core,cn=schema,cn=config

dn: cn={1}cosine,cn=schema,cn=config

dn: cn={2}nis,cn=schema,cn=config

dn: cn={3}inetorgperson,cn=schema,cn=config

dn: cn={4}kerio-mailserver,cn=schema,cn=config
(F) Creating an LDAP User with Kerio Connect Properties
The next steps are to create an LDAP user who will appear on the Kerio Connect interface and then verify that this new user is able to send emails:
- Download the attached kerio_user.ldif file to your Debian VM. This file has the information required for creating the user along with the Kerio Connect attributes required for identifying the user on the Kerio Connect server. More information about the Kerio Connect user attributes can be found in the Additional Information section.
- Run the ldapadd command to create this user. Below is a successful output of this user's creation:
# ldapadd -f kerio_user.ldif -h 127.0.0.1 -D "cn=admin,dc=ldaptest,dc=com" -x -W
Enter LDAP Password:
adding new entry "uid=kerio_ldap_user_one,ou=Users,dc=ldaptest,dc=com"
Note: The password for this user is 12345, which is specified in the kerio_user.ldif file.
- This user will now be visible in LAM:
- On the Kerio Connect interface, go to Accounts > Users > Add > Activate an existing user from Directory Service...:
- The newly created user will appear in the next Activate Users from Directory Service pop-up, which can be then added to Kerio Connect by checking it and clicking on OK:
- The user now appears in the list of Users for that domain:
- You can now log in using this user's email kerio_ldap_user_one@ldaptest.com and password 12345.
- The user can also send emails and once sent, this can be verified on the Kerio Administrator interface under Logs > Mail:
(G) Creating an LDAP Group with Kerio Connect Properties
The steps to create an LDAP group that will appear on the Kerio Connect interface are similar to the creation of Users. Below are the steps:
- Download the attached kerio_group.ldif file to your Debian VM. This file has the information required for creating the group along with the Kerio Connect attributes required for identifying the group on the Kerio Connect server. More information about the Kerio Connect group attributes can be found in the Additional Information section.
- Run the ldapadd command to create this group. Below is a successful output of this group's creation:
# ldapadd -f kerio_group.ldif -h 127.0.0.1 -D "cn=admin,dc=ldaptest,dc=com" -x -W
Enter LDAP Password:
adding new entry "cn=KerioGroup,ou=Groups,dc=ldaptest,dc=com"
- The group will now be visible in LAM:
- On the Kerio Connect interface, go to Accounts > Groups > Add > Activate an existing Group from Directory Service...:
- The newly created group will appear in the next Activate Groups from Directory Service pop-up, which can be then added to Kerio Connect by checking it and clicking on OK:
- The group now appears in the list of Groups for that domain:
(H) Mapping Users with Groups
LDAP users can be associated with LDAP groups. This is done with the help of a special groupMemberShip attribute that has been created for this purpose. The example below shows the steps to accomplish this association:
- Consider the user kerio_ldap_user_one and the group KerioGroup created above. We will make this user a member of this group.
- Download the attached kerio_user_modify.ldif file to your Debian VM. This file has the groupMemberShip attribute for the user.
- Run the ldapmodify command to modify the properties of the user. Below is the output of a successful run of this command:
# ldapmodify -f kerio_user_modify.ldif -h 127.0.0.1 -D "cn=admin,dc=ldaptest,dc=com" -x -W
Enter LDAP Password:
modifying entry "uid=kerio_ldap_user_one,ou=Users,dc=ldaptest,dc=com"
- Now, the user kerio_ldap_user_one belongs to the group KerioGroup.
(I) Authentication with OpenLDAP
The authentication mechanism used for authenticating users added to Kerio Connect from OpenLDAP is specified in the /opt/kerio/mailserver/openldap.map file with the Auth_type parameter:
<variable>
<name>Auth_type</name>
<value>5</value>
</variable>
The possible values for this parameter with their description are below:
Value | Description |
0 | Internal database authentication |
1 | NT domain authentication |
2 | LinuxPAM authentication method |
3 | Kerberos authentication (Requires Kerberos server) |
4 | Apple Password Server authentication method |
5 | Authentication against LDAP server (Used in this example) |
Additional Information
Kerio Connect User Attributes
Below is the information related to various Kerio Connect user attributes that can be used when creating/modifying users in LDAP:
Necessary Kerio Connect User Attributes | Description |
kerio-Mail-User | This option will extend the user attributes set for the Kerio Connect ones. It allows adding optional attributes like the Message Quota, Storage Quota, Address, etc. It does not activate the account, the account needs to be activated using the optional kerio-Mail-Active attribute. |
An example of creating a user with the above property is in the attached kerio_user.ldif file. Below are the other optional attributes:
Optional Kerio Connect User Attributes | Description |
kerio-Mail-Active | Activates the Kerio Connect account: 0 - not active; 1 - active |
kerio-Mail-AccountEnabled | Enables or disables the account |
kerio-Mail-AdminRights | Admin rights |
kerio-Mail-Authorization | The authorization properties |
kerio-Mail-Address | User's email address |
kerio-Mail-ForwardMode | Forward mode |
kerio-Mail-ForwardAddress | Address to which email should be forwarded when forward mode is enabled |
kerio-Mail-QuotaStorage | The user's storage quota |
kerio-Mail-QuotaMessage | The user's message quota (maximum number of emails) |
kerio-Mail-MaxOutgoingMessageSize | Maximum outgoing message size |
kerio-Mail-WebReplyToAddress | Reply-to address used in the webmail interface |
Kerio Connect Group Attributes
Below is the information related to various Kerio Connect group attributes that can be used when creating/modifying groups in LDAP:
Necessary Kerio Connect Group Attributes | Description |
kerio-Mail-Group | This option will extend the Group attributes set for the Kerio Connect ones. It allows adding optional attributes like the below ones. |
An example of creating a group with the above property is in the attached kerio_group.ldif file. Below are the other optional attributes:
Optional Kerio Connect Group Attributes | Description |
kerio-Mail-Active | Activates the Kerio Connect group account: 0 - not active; 1 - active |
kerio-Mail-AdminRights | Admin rights |
kerio-Mail-Authorization | The authorization properties |
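As an added example (not code from this article or its attached .ldif files), the following Python script builds the kind of LDIF entries used in steps (F), (G) and (H) and checks an entry against the attribute tables above before it is activated in Kerio Connect. It assumes that kerio-Mail-User and kerio-Mail-Group are auxiliary objectClasses applied on top of inetOrgPerson and groupOfNames, that groupMemberShip holds the group's DN, and it reuses the ldaptest.com suffix and domain from this article; all sample entries are constructed.

```python
# Added example, not code from the Kerio Connect article or its attached .ldif files: builds
# the entries used in steps (F)-(H) and checks one against the attribute tables before activation.
# Assumed: kerio-Mail-User / kerio-Mail-Group are auxiliary objectClasses; groupMemberShip holds the group DN.
import base64

BASE = "dc=ldaptest,dc=com"   # tree suffix from step (B)
DOMAIN = "ldaptest.com"       # Kerio Connect email domain used in step (F)

def user_ldif(uid, password, active=True):  # entry under ou=Users
    return "\n".join([
        f"dn: uid={uid},ou=Users,{BASE}", "objectClass: inetOrgPerson",
        "objectClass: kerio-Mail-User",        # assumed auxiliary class
        f"uid: {uid}", f"cn: {uid}", f"sn: {uid}",
        f"userPassword: {password}",           # the article's sample user uses 12345
        f"kerio-Mail-Active: {int(active)}",   # 1 = active, 0 = not active
        f"kerio-Mail-Address: {uid}@{DOMAIN}",
    ]) + "\n"

def group_ldif(cn, member_dn):  # entry under ou=Groups; groupOfNames needs a member
    return "\n".join([
        f"dn: cn={cn},ou=Groups,{BASE}", "objectClass: groupOfNames",
        "objectClass: kerio-Mail-Group",       # assumed auxiliary class
        f"cn: {cn}", f"member: {member_dn}", "kerio-Mail-Active: 1",
    ]) + "\n"

def membership_ldif(uid, group_cn):  # ldapmodify input for step (H)
    return "\n".join([
        f"dn: uid={uid},ou=Users,{BASE}", "changetype: modify",
        "add: groupMemberShip", f"groupMemberShip: cn={group_cn},ou=Groups,{BASE}",
    ]) + "\n"

def parse_ldif(text):  # one entry -> {attribute: [values]}; no line-folding support
    entry = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(": ")
        if name.endswith(":"):                 # 'attr:: base64', as slapcat prints userPassword
            name, value = name[:-1], base64.b64decode(value).decode()
        entry.setdefault(name, []).append(value)
    return entry

def activation_problems(text):  # empty list = Kerio Connect can list and activate it
    e = parse_ldif(text)
    dn, oc, problems = e.get("dn", [""])[0], e.get("objectClass", []), []
    kind = "User" if dn.endswith(f"ou=Users,{BASE}") else "Group" if dn.endswith(f"ou=Groups,{BASE}") else None
    if kind is None:
        problems.append("DN is outside ou=Users / ou=Groups, where Kerio Connect looks")
    elif f"kerio-Mail-{kind}" not in oc:
        problems.append(f"objectClass kerio-Mail-{kind} is missing")
    if kind == "User" and not e.get("kerio-Mail-Address", [""])[0].endswith("@" + DOMAIN):
        problems.append(f"kerio-Mail-Address is not in the {DOMAIN} domain")
    if e.get("kerio-Mail-Active", ["1"])[0] != "1":
        problems.append("kerio-Mail-Active is not 1, so the account stays inactive")
    return problems
```

Write the output of user_ldif, group_ldif or membership_ldif to a file and feed it to ldapadd or ldapmodify exactly as in the steps above; run activation_problems on an entry first to catch a missing objectClass or a wrong ou before Kerio Connect silently leaves it out of the Activate Users dialog.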
Attachments