Kerio With Apple Open Directory
johnakeating

Messages: 9

Karma: 0
No Message Body

[Updated on: Fri, 04 October 2013 17:09]

  •  
Pavel Dobry (Kerio)

Messages: 5245
Karma: 251
Hi,
The Kerio Open Directory extension itself cannot destroy/remove/update/modify any user password. It is an extension to the LDAP server used in Open Directory. It just adds a few new attributes to existing user accounts. Passwords are managed by the Open Directory Kerberos server. Replication is managed by Open Directory itself; neither KMS nor the OD extension can make any change to that.
KMS can't change or define how the password is stored/replicated in Open Directory.

The basic question is: do the passwords replicate if you change them via other Kerberos tools (like kinit, kpasswd)?
  •  
dczward

Messages: 2
Karma: 0
I'll admit that the first poster of this thread is a little over the top, but this thread did catch my eye, as I just went through a frustrating experience with Kerio and Open Directory plugin this past weekend. Here's the scenario, and I hope readers can point me towards something we may have overlooked.

Installed a fresh, new version of Mac OS X Server 10.5.3 onto a 2.8 GHz Mac Pro. Installed as a Standalone server using Advanced mode. Configured DNS first, and made sure it resolved properly (# sudo changeip -checkhostname; domain name was mail.clientname.com). All was well. Promoted the server to Open Directory master without error, and created several users in the OD domain. Enabled file sharing, and connected with Kerberos authentication to the shares; they mounted and connected fine. Installed the latest KMS 6.5.1 downloaded from Kerio's site, entered licenses, created a few local mail users in Kerio, and was able to connect and send/receive mail from inside and outside the LAN with no problem: POP, IMAP, SMTP, with the Kerio-generated SSL cert, etc.

Then we installed the Kerio Open Directory plug-in/extension. Configured the default domain to use Open Directory, and it connected to the LDAP fine. Went ahead and added some users from the LDAP/Open Directory domain, and that was fine. Checking email for those new OD user accounts went fine... and then after several minutes, it didn't go fine. I couldn't check email: the OD users' passwords were "incorrect". Looking at the users in Workgroup Manager revealed that the entire OD domain was deleted. The diradmin user and the whole domain were gone, the domain was empty!

We tried to demote the server to standalone, which went fine, then re-promote it to OD master, but that process wouldn't complete while KMS was running. We had to remove the LaunchDaemons and kill the mailserver process in order to promote back to OD Master. After restarting KMS and re-creating users, the process would happen again: the domain kept getting corrupted/destroyed. We tried re-installing the Server OS from scratch, rebuilding in various combinations (installing KMS and the OD plugin before promoting to OD Master, etc.), and in every case everything worked great until we installed the KMS OD plugin.

There were no forum posts of anyone else talking about this issue, nothing in the knowledge base or FAQs, and so I'm posting here. What do you think we're doing wrong, or is KMS + OD plugin not supported on OS X Server 10.5.3?
  •  
Pavel Dobry (Kerio)

Messages: 5245
Karma: 251
I would recommend removing the whole content of the /private/etc/openldap/slapd.d directory before installing the KMS OD extension. It will be re-created after the ODExt installation. I don't know of any way KMS could block OD promotion except a port conflict; note that KMS has its own LDAP server for contacts, which could conflict with the OD LDAP.

Anyway, a good start is to send the OD logs to our technical support.
  •  
johnakeating

Messages: 9

Karma: 0
Hey,

I have since had some help from Kerio and a fellow technician, and we are currently running Kerio with 10.5.3 with a few less problems.

1 How are you importing the users? Are you getting them from an OD archive?

If you are restoring an archive from a Tiger server with OD Ext installed onto Leopard, then it will not be able to upgrade the accounts and the users will not be able to do anything.

I would suggest getting an export from Workgroup Manager and restoring it into Leopard.
This removes all of the Kerio extension off the users and allows Leopard to upgrade them.

2 I have seen this where the ODM gets destroyed when the Kerio extension is removed, but never just by itself.

3 Make sure it says Kerberos is running on the overview pane.

4 Build a test lab of iMacs or something and try getting it running on a test network, because it takes a lot of work to get it done so it works OK.

5 Are you using replicas? Do they have the extension installed?


Our current issue is creating users in the Open Directory: we get a lot of errors, and sometimes the user will never be able to be activated in Kerio, so we make them a local account. And we seem to need to restart the Kerio mail server and the ODM every couple of days because it stops authenticating; it happens mostly when we do directory updates.


Let me know if this helps you.


John



  •  
dczward

Messages: 2
Karma: 0
Hi John,

Answers...

1) Creating them by hand into OD. This is a sort of trial balloon/test, so we're creating the 10 users from scratch. (Obviously, if this works well, we can import lots of users, but we're trying to keep this simple for now). This is a first time 10.5.3 Server, KMS 6.5.1, clean OS install, nothing imported from any old version of anything.

2) Yeah, well, it did.

3) It was. And we tested Kerberos by authenticating OD users to a file share too. After this setup breaks, Kerberos is hosed, and the users, including the diradmin, are gone from the directory.

4) This is a test lab sort of setup: 10 OD users, 1 x Mac Pro 10.5.3 Server, 2 x MacBook Pros (10.5.3) and 1 x iMac (10.4.11).

5) No replicas (yet), just the one OD Master.

We didn't try your earlier suggestion of "removing the whole content of the /private/etc/openldap/slapd.d directory before installing KMS OD extensions". Possibly that will work. When we get a chance to test that, we'll report back.

--Douglas
  •  
johnakeating

Messages: 9

Karma: 0
We have it setup a little differently.


We have a Mac Pro that is just the ODM, and this is all it does.

Then we have about 6 replica servers, one for each site and for the website authentication.

And then a Mac Pro for the mail server that is not a replica or a master but is "Connected to a directory system". This mail server is running Leopard Server and is bound to the master. If you have an extra Mac Pro around, I would suggest trying this configuration.


Good luck!

John
  •  
na_tech

Messages: 13
Karma: 0
Virtually every one of my 750-some users is a Kerio-enabled account. I am still running 10.4.11 Server, as I'm waiting for a good year on Leopard Server before I take the plunge.

In the past when I migrated us from our PowerMac G4 server to a proper Xeon Xserve, I followed Apple's migration steps for OD and ended up with only half my users - at best.

I initially patched both machines to the latest patches at the time, set up the new Xserve properly (with DNS working, tested and re-tested), performed an OD archive on the old server and restored to the new server via OD restore. Initially, this yielded only non-Kerio-activated users. So I wiped the Xserve and tried again, but this time I installed the Kerio OD extensions before my OD restore. Better... now I had 400-some users. Still 300+ unaccounted for. I contacted Kerio and they claimed their OD extensions would never cause that. Furthermore, Apple washed their hands of the whole affair (3rd party LDAP extensions? Not our fault!)...

Since then, I've exported my users the old-fashioned way (sans passwords) and had everyone change their passwords. It was a huge inconvenience, but at least I have all my accounts "intact" and on a decent server.

I'd love to finally get to the bottom of this issue once and for all....
  •  
johnakeating

Messages: 9

Karma: 0
This is what the replica status looks like on our Open Directory system.

It seems to be working right now; it's just giving off tons of errors in each of the logs about the ext.




  • Attachment: Picture 7.png
    (Size: 23.21KB, Downloaded 498 times)

[Updated on: Wed, 25 June 2008 18:54]

  •  
syntaxcollector

Messages: 7

Karma: 0
Hi all

Yes, I would agree with a lot of the strange problems happening, but it's NOT the LDAP extensions, it's the installer. No offense Kerio, but like my mother said to me regarding my first wife: you can do better!

The installer sucks ass; it blew my server right out of the water. I got fed up with it and just grabbed the .schema file and installed the damn thing manually. WAAAAYY better. I outline some directions here:

http://forums.kerio.com/index.php?t=msg&th=13577

Using a Mac is a little different than using a PC. It's not so much operating a computer as it is tricking it, fooling it into what you want it to do. You kinda have to sneak up on a Mac.
  •  
Pavel Dobry (Kerio)

Messages: 5245
Karma: 251
Actually, the installer DOES do exactly the same steps as in your description. But there is one important step that has to be done when OD uses a customized schema (and this step is missing in the described steps as well): the slapd.d directory should be empty before installing the Kerio OD Extension or running the slaptest command.

[Updated on: Sat, 28 June 2008 01:04]
