Directory app search reveals non-published user account details
d.
Hi Kerio forum folks.

We've started looking at using the shared calendar features of Kerio in KMS 6.6.1.

We've set up client machines using the built-in app for configuring iCal. As a result, though, when staff use the 'auto-complete' feature in iCal or in the Mac "Directory" application, *all* of our Kerio Mail Server accounts are listed, including our Admin accounts. This includes contacts / accounts that were *not* published officially when the accounts were created.

e.g. Doing a search for "Bob" should only show "Bob Smith" (the user's account)

But instead it shows "BobAdmin", "BobSpecial" and plain "Bob".
(Bob's special and admin accounts, which are not published).

So, to clarify, these accounts have their contacts published:

  • Bob

And these accounts exist:

  • BobAdmin
  • BobSpecial
  • Bob

Any ideas on how to get ONLY Public PUBLISHED contacts listed in ical / Directory App, rather than every "live" account on our server listed via LDAP?

Many thanks,
Derek

[Updated on: Mon, 12 January 2009 03:57]


Pavel Dobry (Kerio)
This is correct. Directory Utility lists all user accounts on the server, in the same way it would for an Open Directory server. It does not list published contacts; it searches the user database.
We are considering some changes to this searching, including proposals to hide some user accounts, but it is hard to "change" it since it is the core of the Apple Directory service integration.

d.
Hi there.

Ah, that explains it well :)

Is there a way to configure the LDAP lookup path so that it looks only at the 'published' list of users?

We have achieved it for devices like our Fuji Xerox photocopiers (for Scan to Email functionality -- so only published users are available), but we haven't been able to get this to work for the Directory Utility / Directory lookup app / iCal lookups.

Any ideas (e.g. correct syntax / schema)?

The schema we used in our photocopiers is along these lines:
fn=Contacts,fn=Public Folders,cn=accountname@mailexampledomain.xxx.xxx,fn=ContactRoot

Cheers,
Derek

Lyle M
Hi Derek,

I'm a little confused. My understanding is that Apple's Directory application points to the directory that's referenced in the Apple Directory Utility - typically a direct connection to your Open Directory server.

I've never tried to have Directory.app point to the Kerio public contacts folder. It is easy to do with Address Book.app and Entourage. If Directory.app is pointing to OD and not KMS, that would explain why you are seeing those accounts.

I'm not 100% sure how to hide OD accounts from Directory.app. I believe anything with a uid under 500 won't show up.

Good luck,
Lyle Millander

d.
Hi Lyle and forum folks.

Just to clarify... We are looking up the email accounts listed on the Kerio Mail Server, with Directory Utility configured to point to the KMS.

(As set up by the Auto-configure iCal application, available from the KMS web mail interface).

So, we're not trying to get the email accounts list from an Open Directory Apple server.

We have found that when you use the Kerio Mail Server as a 'directory' for iCal look-ups, all enabled accounts are shown, not just the ones that you select to be 'published'.

So, we want to hide these KMS-listed accounts, from directory services, so that users/staff only see the accounts they are meant to see, not admin accounts etc.

Or, in other words, query only the Published list, not the enabled user account list.

I'm sure it's possible, since we can get the "published only" list of email addresses via LDAP for our photocopiers (scan to email function) from KMS. But the syntax for querying the KMS LDAP list via Directory Utility is the tricky bit :)

I'm sure other people are in the same boat, wanting their admin + test account details NOT to be published to staff. (Or am I the only one? :P)

Cheers,
Derek

Lyle M
I would be surprised if the iCal Auto-Configure application was capable of altering the settings controlled by Directory Utility.
The manual does not indicate this as a feature of iCal Auto-Conf, and none of the workstations on which we've run the utility has had their global LDAP contact references altered.

http://www.kerio.com/manual/kms/en/sect-caldavical.html#d0e27944

I might be able to help, but would like to get a little more clarification.

1. Is KMS getting its users from an external directory service, OD or AD?
2. If yes, is the service running on a separate server, or the KMS system?
3. On what port number is KMS running LDAP?
4. What servers are listed on the client's Directory Utility and what are the notes displayed to their right?
5. In Directory Utility, under Search Policy/Contacts, what do you see?

Please note that I have never been able to get Directory.app to display results for anything other than an Apple OD server. I have Directory Utility setup to talk to KMS for contacts. However, only Address Book.app is able to display those results.

Regards,
Lyle Millander

d.
Hi Lyle and Forum folks.

No, I'm not looking to have the iCal Auto-configure app change the settings in Directory Utility.

All I'm saying is that the settings in Directory Utility could be changed after using the iCal auto-configure app, to change the KMS LDAP query path to query the published names/accounts list, not just the whole list of active accounts (default).

(We are happy to configure the Directory Utility to point with a specific schema/path, to get the published-only user list.)

In other words, changing the specific search path that D.U. looks at, from the main KMS "all accounts" list, to the KMS "published account details" list (as per my earlier post).

To answer your specific queries...

1. NO, we enter our users into KMS directly. They are not looked up from AD or OD. User accounts are manually typed into KMS.
2. Because we enter the users manually, KMS becomes an LDAP contacts server.
3. LDAP 389, SLDAP 636
4. We have two servers listed in Directory Utility. One is our Open Directory, used for login accounts, and Portable Home Directory syncing. It's only used for authentication. Text is "This server is responding normally".
Other is mail server, used for Contacts only. Text is: "This server is responding normally. This server is not in your authentication search policy."
That's all fine. We have no problems with that setup.
5. The usual suspects (/Local/Default, /BSD/local), then /LDAPv3/our-mailserverIP.com
Again, that setting is fine, and working well.

We happily are getting search results from the KMS via the Directory.app. (If you are not, the likely culprit is a setting within Directory Utility).

That iCal Auto-configure app took care of that. (And we ensured that the Directory Utility has only the KMS set as the 'contacts' server).

So, what I am seeking is the correct schema syntax, in the 'LDAP Mappings' field of Directory Utility, to query the Published list of users, not the complete list of users (default for LDAP servers).

As mentioned in my earlier post, the schema syntax that works for our Fuji Xerox photocopiers, for name / email lookups, is:

fn=Contacts,fn=Public Folders,cn=accountname@mailexampledomain.xxx.xxx,fn=ContactRoot

So, if our photocopiers can do a "published only" username search, based on a person's name, and pull out the email address, direct from our KMS, I can't see why Directory Utility can't have a custom schema/path entered in, to achieve the same effect.

They (a Fuji Xerox photocopier, and Directory Utility / Directory.app) are both simply performing an LDAP lookup after all.

Does that make my question clearer?

FYI I determined that custom schema for the photocopiers scan-to-email function, by using an LDAP lookup app on my Mac, to query different search paths on KMS, until I found the contacts folder that only contained the 'published' users list. Note that for this to work on our photocopiers, we had to save a username and password on the copiers, to "allow" them to perform the LDAP search, whenever a user wanted to look up their email address.

Cheers,
Derek

[Updated on: Fri, 23 January 2009 05:11]


Lyle M
Very interesting stuff!

While running the iCal Config Tool Installer I received a warning to close Directory Utility! Cool, I like surprises. That gave me the basis for the next step now that Directory.app shows me my personal contact list. It turns out that I never ran the iCal Config tool on my own workstation - I had set up CalDAV manually.

In Directory Utility I noted that Search&Mappings for the newly created KMS entry uses Open Directory Server as its basis and has the search base suffix of dc=mydomain.com. I changed the access setting to RFC 2307 and entered the search base of fn=public,fn=ContactRoot. Now Directory.app only shows me the contents of my public contacts folder (and the folders nested within it).

With further experimentation, I selected Access this LDAPv3 server using "From Server" and that worked too.

My previous failure to get Directory.app working was due to my using a non-SSL connection in Directory Utility. The iCal Config Tool resolved that mystery - Thanks for the tip. That's either missing from the documentation, or I had my eyes closed.

Hope this helps.

Cheers,
Lyle Millander

Pavel Dobry (Kerio)
lylehm wrote on Fri, 23 January 2009 17:21:

> Very interesting stuff!
>
> In Directory Utility I noted that Search&Mappings for the newly created KMS entry uses Open Directory Server as its basis and has the search base suffix of dc=mydomain.com. I changed the access setting to RFC 2307 and entered the search base of fn=public,fn=ContactRoot. Now Directory.app only shows me the contents of my public contacts folder (and the folders nested within it).

This is cool, but Directory Utility is doing much more than only searching users. It also searches for resources (autocomplete of Location in iCal) and user accounts available for delegation. By changing the mapping to custom (published contacts), iCal can no longer autocomplete Locations and could be confused and offer an external contact for calendar delegation (which obviously fails).
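As an added offline illustration of the two search bases discussed in this thread (the default all-accounts base that Directory Utility uses versus the published-contacts base, fn=public,fn=ContactRoot in Lyle's post and fn=Contacts,fn=Public Folders,cn=...,fn=ContactRoot in Derek's copier setup) and of Pavel's caveat that narrowing the base also hides resource entries: the script below is not from the thread or from Kerio. It parses a constructed LDIF export (the cn=users / cn=resources layout under dc=example,dc=com, the room entry and the "accountname@example.com" account are all assumptions), reports which addresses a client would see under each base, and lists what disappears when the base is narrowed. For an administrator auditing the exposure, that last list is the useful one: it contains the admin accounts you want hidden, but also any resource entries iCal needs for Location autocomplete.

```python
"""Compare what an LDAP client sees under two search bases (offline).

Added example, not code from the forum thread or from Kerio. The LDIF
below is constructed: the layout of user and resource entries under
dc=example,dc=com is an assumption; only the published-contacts base of
the form fn=Public Folders,cn=<account>,fn=ContactRoot comes from the posts.
"""
import re

# Constructed sample export (assumed schema, see module docstring).
SAMPLE_LDIF = """\
dn: cn=Bob Smith,cn=users,dc=example,dc=com
cn: Bob Smith
mail: bob@example.com

dn: cn=BobAdmin,cn=users,dc=example,dc=com
cn: BobAdmin
mail: bobadmin@example.com

dn: cn=BobSpecial,cn=users,dc=example,dc=com
cn: BobSpecial
mail: bobspecial@example.com

dn: cn=Meeting Room 1,cn=resources,dc=example,dc=com
cn: Meeting Room 1
mail: room1@example.com

dn: cn=Bob Smith,fn=Contacts,fn=Public Folders,cn=accountname@example.com,fn=ContactRoot
cn: Bob Smith
mail: bob@example.com
"""

ALL_ACCOUNTS_BASE = "dc=example,dc=com"  # assumed default base
PUBLISHED_BASE = "fn=Public Folders,cn=accountname@example.com,fn=ContactRoot"


def parse_ldif(text):
    """Parse a minimal LDIF export into [{'dn': str, 'attrs': {name: [values]}}].

    Folded continuation lines (leading space) are joined; base64 ('::')
    values are out of scope for this illustration.
    """
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = []
        for raw in block.splitlines():
            if raw.startswith("#"):
                continue
            if raw.startswith(" ") and lines:
                lines[-1] += raw[1:]  # folded continuation line
            else:
                lines.append(raw)
        entry = {"dn": None, "attrs": {}}
        for line in lines:
            name, _, value = line.partition(":")
            name, value = name.strip().lower(), value.strip()
            if name == "dn":
                entry["dn"] = value
            else:
                entry["attrs"].setdefault(name, []).append(value)
        if entry["dn"]:
            entries.append(entry)
    return entries


def split_dn(dn):
    """Split a DN into normalised RDNs (case-folded, whitespace trimmed),
    leaving backslash-escaped commas inside attribute values intact."""
    rdns = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, _, val = rdn.partition("=")
        rdns.append(f"{attr.strip().lower()}={val.strip().lower()}")
    return rdns


def dn_under_base(dn, base):
    """True if dn lies at or below base (what a subtree-scope search returns)."""
    if not base.strip():
        return True  # empty base means the whole tree
    d, b = split_dn(dn), split_dn(base)
    return len(b) <= len(d) and d[len(d) - len(b):] == b


def visible_under(entries, base, attr="mail"):
    """Sorted attribute values (default: mail) of entries under the base."""
    return sorted(v for e in entries if dn_under_base(e["dn"], base)
                  for v in e["attrs"].get(attr, []))


def not_under_published(entries, default_base, published_base):
    """Addresses seen with the default base that vanish under the published base:
    the admin accounts you wanted hidden, but also resources iCal relies on."""
    published = set(visible_under(entries, published_base))
    return sorted(set(visible_under(entries, default_base)) - published)


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    print("default base    :", visible_under(entries, ALL_ACCOUNTS_BASE))
    print("published base  :", visible_under(entries, PUBLISHED_BASE))
    print("hidden by change:", not_under_published(entries, ALL_ACCOUNTS_BASE, PUBLISHED_BASE))
```

To run it against a real server, replace SAMPLE_LDIF with an export (for example ldapsearch -LLL output taken with the account the clients bind as) and set the two bases to your own; the DN suffix match is done per RDN rather than by plain string comparison so that case and spacing differences in the bases do not produce false "hidden" results.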

Lyle M
So, would it be possible to hide the admin users by sticking them in another domain?

d.
Hi Folks.

I can confirm that by sticking Admin users in another domain you can then "hide" those users and prevent users from seeing them via iCal, and still administer your original domains.

Just make sure you don't delete the secondary domain, or, make sure you have your own email account as an Admin account as well. (Just in case).

So, I've tried this method successfully... I think with a little bit of Alias changing etc. (for old addresses etc.), we should have our problem solved! No more admin / private addresses listed during a lookup in iCal.

Thanks everyone.
Cheers,
Derek

Lyle M
Glad I could help. It was an education for me as well - thanks Pavel!

All the best,
Lyle

[Updated on: Thu, 29 January 2009 14:21]
