Overview

You want to integrate OpenLDAP with a Kerio Connect (KC) server so that users from OpenLDAP can be mapped directly to KC. This article provides the steps to do this basic integration using a Debian 10 machine. However, it should work for other Linux distributions as well.

Prerequisites

• Basic knowledge about Linux systems. Eg: how to install packages.
• The idea about the LDAP directory structure you want to implement.
• This example uses the non-secure LDAP binding. The Authentication mechanism used in this scenario sends plain text passwords over the network, so it is recommended to have both - OpenLDAP and KC on the same machine. In this example, both are installed on the same machine.
• LDAP browsers like LDAP Account Manager (LAM) or JXplorer for exploring and editing any LDAP entries.
• Knowledge about how to edit files in Linux using an editor. Eg: Using Vim or Nano editor.
• VMware Workstation, VMware Player, or VMware ESXi hypervisor installed. This example uses the VMware Player.
• Following packages to be installed on the Debian machine:
  • slapd - OpenLDAP standalone LDAP daemon on Debian.
  • ldap-utils - Provides a number of utilities that can be used to perform queries on the LDAP server.

Solution

Below are the various steps to get the OpenLDAP setup running:

1. Setting up a new Debian Virtual Machine (VM)
2. Setting up the OpenLDAP server
3. Setting up LDAP Account Manager (LAM)
4. Setting up Kerio Connect
5. Enabling Kerio Connect properties for LDAP Users and Groups
6. Creating an LDAP User with Kerio Connect properties
7. Creating an LDAP Group with Kerio Connect Properties
8. Mapping Users with Groups
9. Authentication with OpenLDAP

(A) Setting up a New Debian Virtual Machine (VM)

1. Install Debian 10 on a VM using the Graphical Install option.
   Debian 10 ISO used here is available on the official Debian website. The version of the ISO used is debian-10.7.0-amd64-netinst.iso.

2. During the install, a hostname will be asked. Enter an appropriate value, since it will be used later in the OpenLDAP setup:

3. Proceed with the default options for the rest of the installation
4. After the Debian operating system is successfully installed and the VM is booted, install Open-VM-Tools using the command sudo apt-get install open-vm-tools and then reboot the VM.
   Note: When running the command, if you run into an error "<username> is not in the sudoers file. This incident will be reported.", then follow the steps in this solution article to resolve the issue and then run the command.

(B) Setting up the OpenLDAP Server

If the hostname of the Debian VM was not set up correctly, then, this is the best time in the process to fix it, since this will be used during the OpenLDAP setup. Refer to How to Change Hostname on Debian 10 article in case you want to change the hostname of the Debian VM.

Below are the steps to setup OpenLDAP on the Debian VM:

1. Run sudo apt install slapd ldap-utils to install the OpenLDAP daemon and other utilities.
2. After the installation is complete, run sudo /usr/sbin/slapcat to verify that the installation of the LDAP server was successful. Below is an example of the output of the slapcat command when the OpenLDAP installation is successful:

dn: dc=ldaptest,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: ldaptest.com
dc: ldaptest
structuralObjectClass: organization
entryUUID: 84d7c2f0-d963-103a-88e3-a7bde69fa370
creatorsName: cn=admin,dc=ldaptest,dc=com
createTimestamp: 20201223120957Z
entryCSN: 20201223120957.793971Z#000000#000#000000
modifiersName: cn=admin,dc=ldaptest,dc=com
modifyTimestamp: 20201223120957Z

dn: cn=admin,dc=ldaptest,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: e1NTSEF9RUxTSGlGb0ZMOC9ZOFhYWWJJR25EeG1SbnNab3h2bG0=
structuralObjectClass: organizationalRole
entryUUID: 84d7f734-d963-103a-88e4-a7bde69fa370
creatorsName: cn=admin,dc=ldaptest,dc=com
createTimestamp: 20201223120957Z
entryCSN: 20201223120957.795369Z#000000#000#000000
modifiersName: cn=admin,dc=ldaptest,dc=com
modifyTimestamp: 20201223120957Z

3. Check the status of LDAP using sudo systemctl status slapd. It should be active.

(C) Setting up LDAP Account Manager (LAM)

Below are the steps to install LAM on the Debian VM:

1. Download the Debian package of LAM on the Debian VM
2. On the command line, go to the location where it's downloaded and install it using sudo apt --fix-broken install ./ldap-account-manager_7.4-1_all.deb
3. This will use Apache (for LDAP management via browser) with the default 8080 port. This port has to be changed so that it doesn't conflict later with the Kerio Connect's 8080 port. We can change the Apache port to 8081 (or any other unused valid port number of your choice) using the steps in the How to Change Apache Port to a Customer Port.
4. After LAM is installed and the port is changed, in a browser on the Debian VM, go to http://localhost:8081/lam and you will see the LAM login page:

The next steps are to configure some settings for the OpenLDAP server using LAM:

1. Click on LAM Configuration at the top-right corner of the LAM login page:

2. Click on Edit Server Profiles:

3. It will ask for a password. The default password is lam.
4. After logging in successfully, under Server settings, change the Tree Suffix with the first dn value as seen in step (B) after successful installation of the OpenLDAP server:

5. Under Security settings, change the List of valid users to the second dn value as seen in step (B) after successful installation of the OpenLDAP server:

6. Now, change the Profile password:

7. Switch to Account Types tab from the top of the page:

8. Under Active account types, set the LDAP Suffix for Users and Groups. For Users, the value of the ou parameter should be Users, and the dc values the same as in the previous steps. For Groups, the value of the ou parameter should be Groups, and the dc values the same as in the previous steps. This is required since Kerio Connect looks for these ou values by default for Users and Groups.
9. Click on Save:

10. You will be taken back to the login page with a Your settings were successfully saved message:

11. Login to LAM and it will ask you to create the Users and Groups related suffixes for you. Click on Create to get them created:

12. Click on Tree View to see the newly created suffixes:

This completes the initial setup for LAM. Now, we will add an OpenLDAP test user from the Debian VM's command line and verify from the LAM that it is created successfully. Below are the steps for this:

1. Download the attached test_user.ldif file.
2. Run the ldapadd command to add a test user.
   Below is what a successful output of the run would look like:
   

   # ldapadd -f test_user.ldif -h 127.0.0.1 -D "cn=admin,dc=ldaptest,dc=com" -x -W
   Enter LDAP Password:
   adding new entry "uid=test_user,dc=ldaptest,dc=com"

3. Login to LAM and verify that the user appears in the tree:

(D) Setting up Kerio Connect

1. Install Kerio Connect on the Debian VM.
2. After the command-line installation is completed successfully, during the Kerio Connect setup on the user interface, it is recommended to keep the Internet hostname and Email domain unchanged:

3. Change the LDAP port to 399 (or any other valid unused port) to avoid a conflict with the OpenLDAP server's port.
4. Go to Configuration > Domains, select the domain and click on Edit:

5. Go to the Directory Service tab.
6. Check Map user accounts and groups from a directory service to this domain.
7. For the Directory service type dropdown, select Apple® Open Directory (Kerberos™ 5 authentication), since that is the closest implementation to OpenLDAP.
8. Enter the Hostname, Username, and Password of the OpenLDAP server. The Hostname is the IP address of your Debian VM. The Username may get overwritten with some value. This can be ignored for now. The Password is the OpenLDAP password that was setup in step (C) previously. Note: In this example, we will only be using LDAP and not LDAPS. So, keep the Secure connection (LDAPS) checkbox unchecked.
9. Click on Test Connection.

10. You will receive a Cannot bind to LDAP server (invalid credentials) error, which can be ignored for now:

11. Save the domain configuration by clicking on OK.

The next steps are to fix the Invalid Credentials error received previously:

1. Stop the Kerio Connect service using sudo systemctl stop kerio-connect
2. Go to /opt/kerio/mailserver/
3. Download the attached openldap.map file to /opt/kerio/mailserver/
4. Change the ownership of the openldap.map file using the commands chown root openldap.map and chgrp root openldap.map
5. Open the /opt/kerio/mailserver/mailserver.cfg file for editing
6. Search for the text list name="Ldap"
7. Under that, update the BindDn parameter value to what was being tried to be added for the Username value in the previous set of steps. The value after modification will look something like <variable name="BindDn">cn=admin,dc=ldaptest,dc=com</variable>
8. Update the MapFile parameter value to openldap.map. It will look like this <variable name="MapFile">openldap.map</variable>
9. Save the file and exit the editor.
10. Go to /etc/ldap/schema/
11. Copy the attached kerio-mailserver.schema file under /etc/ldap/schema/
12. Change the ownership of the /etc/ldap/schema/kerio-mailserver.schema file using the commands chown root kerio-mailserver.schema and chgrp root kerio-mailserver.schema.
13. Start the Kerio Connect service using sudo systemctl start kerio-connect
14. Login to Kerio Connect and run the Test Connection (as in the previous set of steps) without any editing of any parameters. It will succeed this time.

(E) Enabling Kerio Connect Properties for LDAP Users and Groups

Below steps are for enabling properties related to Kerio Connect, so that the LDAP users and groups can be maintained in a way that Kerio Connect and LDAP are always in sync:

1. Download the attached kerio-mailserver.conf config file to your Debian VM.
2. Create a directory using mkdir /tmp/slapd.d
3. Verify that the config file is correct using the command sudo /usr/sbin/slaptest -f kerio-mailserver.conf -F /tmp/slapd.d/. Below is what a successful output will look like:

   # /usr/sbin/slaptest -f kerio-mailserver.conf -F /tmp/slapd.d/
   config file testing succeeded

4. Run cp "/tmp/slapd.d/cn=config/cn=schema/cn={4}kerio-mailserver.ldif" "/etc/ldap/slapd.d/cn=config/cn=schema"
5. Run openldap: '/etc/ldap/slapd.d/cn=config/cn=schema/cn={4}kerio-mailserver.ldif'
6. Stop slapd using sudo systemctl stop slapd
7. Start slapd using sudo systemctl start slapd
8. Verify that kerio-mailserver appears in ldapsearch using the command ldapsearch -LLLQY EXTERNAL -H ldapi:/// -b cn=schema,cn=config "(objectClass=olcSchemaConfig)" dn. Below is how the kerio-mailserver entry will appear:
   

   # ldapsearch -LLLQY EXTERNAL -H ldapi:/// -b cn=schema,cn=config "(objectClass=olcSchemaConfig)" dn
   dn: cn=schema,cn=config
   dn: cn={0}core,cn=schema,cn=config
   dn: cn={1}cosine,cn=schema,cn=config
   dn: cn={2}nis,cn=schema,cn=config
   dn: cn={3}inetorgperson,cn=schema,cn=config
   dn: cn={4}kerio-mailserver,cn=schema,cn=config

(F) Creating an LDAP User with Kerio Connect Properties

The next steps are to create an LDAP user who will appear on the Kerio Connect interface and then verify that this new user is able to send emails:

1. Download the attached kerio_user.ldif file to your Debian VM. This file has the information required for creating the user along with the Kerio Connect attributes information required for identifying the user on the Kerio Connect server. More information related to the Kerio Connect User attributes can be found in the additional information section.
2. Run the ldapadd command to create this user. Below is a successful output of this user's creation:
   

   # ldapadd -f kerio_user.ldif -h 127.0.0.1 -D "cn=admin,dc=ldaptest,dc=com" -x -W
   Enter LDAP Password:
   adding new entry "uid=kerio_ldap_user_one,ou=Users,dc=ldaptest,dc=com"

   Note: The password for this user is 12345 which is specified in the kerio_user.ldif file
3. This user will now be visible in LAM:

3. On the Kerio Connect interface, go to Accounts > Users > Add > Activate an existing user from Directory Service...:

4. The newly created user will appear in the next Activate Users from Directory Service pop-up, which can be then added to Kerio Connect by checking it and clicking on OK:

5. The user now appears in the list of Users for that domain:

6. You can now login using this User's email kerio_ldap_user_one@ldaptest.com and password 12345

7. The user can also send emails and once sent, this can be verified on the Kerio Administrator interface under Logs > Mail:

(G) Creating an LDAP Group with Kerio Connect Properties

The steps to create an LDAP group that will appear on the Kerio Connect interface are similar to the creation of Users. Below are the steps:

1. Download the attached kerio_group.ldif file to your Debian VM. This file has the information required for creating the group along with the Kerio Connect attributes information required for identifying the group on the Kerio Connect server. More information related to the Kerio Connect Group attributes can be found in the additional information section.
2. Run the ldapadd command to create this group. Below is a successful output of this group's creation:
   

   #ldapadd -f kerio_group.ldif -h 127.0.0.1 -D "cn=admin,dc=ldaptest,dc=com" -x -W
   Enter LDAP Password:
   adding new entry "cn=KerioGroup,ou=Groups,dc=ldaptest,dc=com"

3. The group will now be visible in LAM:

4. On the Kerio Connect interface, go to Accounts > Groups > Add > Activate an existing Group from Directory Service...:

5. The newly created group will appear in the next Activate Groups from Directory Service pop-up, which can be then added to Kerio Connect by checking it and clicking on OK:

6. The group now appears in the list of Groups for that domain:

(H) Mapping Users with Groups

The LDAP Users can be associated with LDAP Groups. This is done with the help of a special groupMemberShip attribute that has been created. Below example shows the steps to accomplish this association:

1. Consider the above-created user kerio_ldap_user_one and group KerioGroup. We will make this user a part of this group.
2. Download the attached kerio_user_modify.ldif file to your Debian VM. This file has the groupMemberShip attribute for the user.
3. Run the command ldapmodify to modify the properties of the user. Below is the output of a successful run of this command:
   

   # ldapmodify -f kerio_user_modify.ldif -h 127.0.0.1 -D "cn=admin,dc=ldaptest,dc=com" -x -W
   Enter LDAP Password:
   modifying entry "uid=kerio_ldap_user_one,ou=Users,dc=ldaptest,dc=com"

4. Now, the user kerio_ldap_user_one belongs to the group KerioGroup.

(I) Authentication with OpenLDAP

The authentication mechanism used for authenticating users added to Kerio Connect with OpenLDAP is specified in the /opt/kerio/mailserver/openldap.map file with the parameter Auth_type:

<variable>
  <name>Auth_type</name>
  <value>5</value>
</variable>

The possible values for this parameter with their description are below:

Additional Information

Kerio Connect User Attributes

Below is the information related to various Kerio Connect user attributes that can be used when creating/modifying users in LDAP:

An example of creating a user with the above property is in the attached kerio_user.ldif file. Below are the other optional attributes:

Kerio Connect Group Attributes

Below is the information related to various Kerio Connect group attributes that can be used when creating/modifying groups in LDAP:

An example of creating a group with the above property is in the attached kerio_group.ldif file. Below are the other optional attributes:

Other Helpful Links

• OpenLDAP installation and configuration on Debian
• OpenLDAP setup on Debian

Attachments