
Kerio User Forums / Kerio Connect: Directory Utility port number

nulldev06 (Messages: 9, Karma: 0)
I'm trying to use the new delegation, and what ports do you need open so Directory Utility in 10.5 will connect to the LDAP server?

I've tried 3268, 636.

The server Kerio is running on is an ODM, but Kerio is running on another IP on the same computer.
marook (Messages: 520, Karma: 3)
Hi,

We have the same issue here, and on a few customer sites as well.

What we have come to conclude right now are these facts:

1: Open Directory Server can't be forced to stay on one or two IPs. It will ALWAYS bind to ALL IPs on the machine it's running on. That is a big issue since:

2: Directory Utility seems to have a bug in, at least, 10.5.5 where it does not use the settings from the Custom Port. It will always use port 389 to connect to.

So you are stuck in a situation where you can ask Kerio to use non-default ports, but DI on the client will not listen to what you tell it. Test with 'dscl' in Terminal - you will be surprised!

3: It seems that checking the 'Use SSL' option in DI does not move you to port 636, but uses StartTLS on port 389 - still stuck there...

So, please use bugreporter.apple.com if you can reproduce this!

And, if anyone can find info on how to force the ODM (OpenLDAP) to only bind to specified IPs, I would be very happy!

Regards,

Jakob Peterhänsel
Consultant - Humac A/S

Apple Certified Support Professional (ACSP)
Apple Certified Technical Coordinator (ACTC)
AppleSeed/CQF member since 1998
Kerio Messaging Partner
nulldev06 (Messages: 9, Karma: 0)
Using Little Snitch while on the internal network, Directory Utility needs access to ports 389 and 636 for it to work. What doesn't make sense is that the LDAP service in Kerio has been changed to 3268, so Kerio shouldn't be responding on 389.

I have a call into Kerio tech support related to this.
marook (Messages: 520, Karma: 3)
Feel free to call them, but this is not a Kerio issue - it's an OS X client issue.

Try changing the LDAP entry's port number to your correct one, 3268, and in my testing you will not see a difference. It will still try to use port 389... :(

Regards,

Jakob Peterhänsel
nulldev06 (Messages: 9, Karma: 0)
If I switch LDAP to 389, the service won't start.
marook (Messages: 520, Karma: 3)
Are you changing it on Kerio?

That will not work if you have an OD Master running there as well!
You need to change Kerio to something other than 389. I used 390 in my tests.
Then on the OS X client, change the port number in Directory Utility. :)

You can check what DI is seeing, in Terminal with the 'dscl' command.
Like this:
JAP.local [~] >dscl
Entering interactive mode... (type "help" for commands)
 > ls
BSD
LDAPv3
Local

Search
Contact
 > cd LDAPv3/
/LDAPv3 > ls
srv01.domain.dk
10.0.0.22
mail.humac.dk


cd into an LDAP server:
cd srv01.domain.dk/
/LDAPv3/srv01.domain.dk > ls
AccessControls
Augments
Automount
AutomountMap
AutoServerSetup
CertificateAuthorities
ComputerGroups
ComputerLists
Computers
Config
FileMakerServers
Groups
Locations
Machines
Maps
Mounts
Neighborhoods
OLCBDBConfig
OLCFrontEndConfig
OLCGlobalConfig
OLCOverlayDynamicID
OLCSchemaConfig
People
Places
PresetComputerGroups
PresetComputerLists
PresetComputers
PresetGroups
PresetUsers
Printers
Resources
Users


If you see a structure like the above, you see an OD Master! And Kerio lookup will not work... :(

In the above example my server 'srv01.domain.dk' is set to use port 390 in DU, but the reply you see there is from the OD Master on port 389... go figure!

Regards,

Jakob Peterhänsel
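The two posts above describe the same symptom: the OD master (OpenLDAP) binds to every IP and owns port 389, Kerio's LDAP service sits on another port, and the client quietly falls back to 389, so what you see in dscl is the OD master's tree. The script below is an added example, not code from the thread, from Kerio or from Apple: it sends an anonymous base-scope search for the rootDSE (the empty DN) to each candidate port and compares the answers, so you can tell whether two ports are served by one directory or two without going through Directory Utility. It uses only the Python standard library, encodes the LDAP messages by hand (RFC 4511 BER), and makes no assumption about which attributes Kerio or Open Directory actually publish; the sample reply at the bottom is constructed for offline use.

```python
"""Added example: probe the rootDSE on several LDAP ports and report which
ports answer with the same directory. Not part of the forum thread or Kerio."""
import socket
import ssl
import sys

ROOTDSE_ATTRS = ("namingContexts", "vendorName", "supportedLDAPVersion")


def ber(tag: int, content: bytes) -> bytes:
    """Encode one definite-length BER TLV with a single-byte tag."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])                                  # short form
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb                # long form
    return bytes([tag]) + length + content


def ber_int(value: int) -> bytes:
    """BER INTEGER, minimal two's-complement length."""
    return ber(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big", signed=True))


def read_tlv(buf: bytes, pos: int = 0):
    """Decode the TLV at buf[pos] -> (tag, content, next_pos).
    Raises IndexError when the header is truncated (caller waits for more data)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if pos + nbytes > len(buf):
            raise IndexError("truncated length field")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def iter_tlvs(buf: bytes):
    """Yield (tag, content) for TLVs packed back to back in buf."""
    pos = 0
    while pos < len(buf):
        tag, content, pos = read_tlv(buf, pos)
        yield tag, content


def build_rootdse_search(msg_id: int = 1, attrs=ROOTDSE_ATTRS) -> bytes:
    """LDAPMessage { msg_id, SearchRequest { base "", scope baseObject,
    filter (objectClass=*), attributes } } per RFC 4511 section 4.5.1."""
    search = ber(0x63,                                       # [APPLICATION 3] SearchRequest
                 ber(0x04, b"")                              # baseObject: the rootDSE
                 + ber(0x0A, b"\x00")                        # scope: baseObject
                 + ber(0x0A, b"\x00")                        # derefAliases: never
                 + ber_int(0) + ber_int(0)                   # sizeLimit, timeLimit
                 + ber(0x01, b"\x00")                        # typesOnly: FALSE
                 + ber(0x87, b"objectClass")                 # filter: present [7]
                 + ber(0x30, b"".join(ber(0x04, a.encode()) for a in attrs)))
    return ber(0x30, ber_int(msg_id) + search)


def build_search_entry(msg_id: int, dn: str, attrs: dict) -> bytes:
    """Encode a SearchResultEntry [APPLICATION 4]; used to build the offline sample."""
    attr_list = b"".join(
        ber(0x30, ber(0x04, name.encode())
            + ber(0x31, b"".join(ber(0x04, v.encode()) for v in vals)))
        for name, vals in attrs.items())
    entry = ber(0x64, ber(0x04, dn.encode()) + ber(0x30, attr_list))
    return ber(0x30, ber_int(msg_id) + entry)


def build_search_done(msg_id: int, result_code: int = 0) -> bytes:
    """Encode SearchResultDone [APPLICATION 5] with empty matchedDN and diagnostic."""
    done = ber(0x65, ber(0x0A, bytes([result_code])) + ber(0x04, b"") + ber(0x04, b""))
    return ber(0x30, ber_int(msg_id) + done)


def parse_ldap_message(msg: bytes):
    """Split one LDAPMessage into (msg_id, protocolOp tag, protocolOp content)."""
    tag, content, _ = read_tlv(msg)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    (_, mid), (op_tag, op) = list(iter_tlvs(content))[:2]
    return int.from_bytes(mid, "big", signed=True), op_tag, op


def parse_search_entry(op: bytes) -> dict:
    """Decode a SearchResultEntry body into {attribute: [values]} (DN dropped)."""
    (_, _dn), (_, attr_list) = list(iter_tlvs(op))[:2]
    result = {}
    for _, attr in iter_tlvs(attr_list):
        (_, name), (_, vals) = list(iter_tlvs(attr))[:2]
        result[name.decode()] = [v.decode("utf-8", "replace") for _, v in iter_tlvs(vals)]
    return result


def parse_response_stream(buf: bytes):
    """Walk a stream of LDAPMessages -> (rootDSE attrs or None, done_seen)."""
    entry, pos = None, 0
    while pos < len(buf):
        try:
            _, _, end = read_tlv(buf, pos)
        except IndexError:
            break                                            # header incomplete
        if end > len(buf):
            break                                            # body incomplete
        _, op_tag, op = parse_ldap_message(buf[pos:end])
        pos = end
        if op_tag == 0x64:
            entry = parse_search_entry(op)
        elif op_tag == 0x65:
            return entry, True
    return entry, False


def fetch_rootdse(host: str, port: int, use_tls: bool = False, timeout: float = 5.0):
    """Connect, send the rootDSE search, return its attributes (None if no entry)."""
    sock = socket.create_connection((host, port), timeout=timeout)
    if use_tls:                                              # LDAPS; certificate is verified
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(build_rootdse_search())
        buf = b""
        while chunk := sock.recv(4096):
            buf += chunk
            entry, done = parse_response_stream(buf)
            if done:
                return entry
    return parse_response_stream(buf)[0]


def same_rootdse(a, b) -> bool:
    """True when two ports returned identical rootDSE attributes: one directory, not two."""
    return a is not None and a == b


# Constructed sample reply (not captured from any real server), for offline use.
SAMPLE_REPLY = build_search_entry(1, "", {
    "namingContexts": ["dc=example,dc=test"],
    "vendorName": ["Example Directory"],
    "supportedLDAPVersion": ["3"],
}) + build_search_done(1)

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    ports = [int(p) for p in sys.argv[2:]] or [389, 390, 3268]
    seen = {}
    for port in ports:
        try:
            seen[port] = fetch_rootdse(host, port, use_tls=(port == 636))
            print(f"{port}: {seen[port]}")
        except OSError as exc:
            print(f"{port}: no answer ({exc})")
    for p in ports:
        for q in ports:
            if p < q and same_rootdse(seen.get(p), seen.get(q)):
                print(f"ports {p} and {q} return the same rootDSE: one server answers both")
```

Run it as `python3 probe.py mail.example.test 389 390 3268` (hostname constructed). If 389 and 390 print different attribute sets, two directories really are listening and a client that lands on 389 is simply talking to the wrong one; if the sets are identical, only one server is answering and the custom port has not taken effect. Port 636 is probed as LDAPS with certificate verification; StartTLS on 389, which the thread says the 'Use SSL' box actually selects, is not negotiated here, so that probe stays plaintext.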
marook (Messages: 520, Karma: 3)
Hmm, and suddenly it starts working on that server... Now I'm puzzled!

Regards,

Jakob Peterhänsel
nulldev06 (Messages: 9, Karma: 0)
When you cd into the LDAP section of the mail server using dscl, look at what users are in the "Users" section.

The list of users on mine is the people in the Kerio address book on the server.
chad.mcdonald (Messages: 12, Karma: 0)
It appears that this all works correctly when a user is on the internal network. The problem comes when the user leaves the office. While they can see their appointments in iCal and create new ones without a problem, the lookup of other users (in the delegation section) fails. In Address Book, if you search under "Directories" for a user that you know is in the Kerio directory, that lookup will fail as well.

My theory is this. Even though we've told Kerio that we want it to run on port 636 or 390 or 3268 (or anything other than 389), the Mac OS X client still wants to use port 389 to make the initial connection to the LDAP server, even if after that point it will send further requests over the correct port (636, 3268, 390, etc.). For some reason it's able to do this when it is on the local network but not when off site. I should mention that we've forwarded ports 389, 3268 and 636 to our Kerio server in our firewall just to make sure that the firewall wasn't blocking something Kerio needed, and the results have not changed.
d. (Messages: 169, Karma: 0)
I've been looking into a similar problem with laptop users (when they bring their machines back on-site, the iCal lookups don't work).

Is there a particular service that could be restarted on the Mac laptop client that would force the laptop to re-establish the connection with the LDAP servers?

(Rather than having to log the client out and restart?)

Cheers,
Derek

[Updated on: Mon, 11 May 2009 08:53]

d. (Messages: 169, Karma: 0)
Found a quick and easy solution (at least for restarting LDAP on the client machine)...

Use Activity Monitor to force-quit the DirectoryService process.

It should auto-restart itself within a few seconds.

LDAP lookups work successfully again.

You could probably script it if you wanted everyday users to do this.

Hope this helps someone else. :)
Derek
