Issues with the Apple Mail, iCal and Address Book combination

renefn

Hi,

I'm trying to find the best way to configure our Macs to work with KMS. We wish to stop using Entourage and instead use Apple Mail, iCal and Address Book, since they are faster, cleaner looking and free.

I have tested this combination for a while, while all other Mac users have been using Entourage 2004 and all the Windows users Outlook 2003.

Generally it works ok, but I have seen some issues and I would like to know if I'm the only one:

1. The Kerio iCal Config Tool is a quick and nice way to set up your Mac if you're a local administrator and the only user on your Mac. That's not the case here, where users are not administrators and there can be several users on a Mac. We use rotating passwords and since the users need to be administrators to change the settings in Directory Utility and they're not, that's a big problem. Is there a downside to just using the Kerio admin account to authenticate to the LDAP? That way I could configure all the Macs with the same account.

I haven't figured out how to configure Directory Utility manually to get it to work with Kerio's LDAP. I have tried many things but it just won't work. Only if I use the iCal Config Tool it works. Does anyone have a hint about how to do it?

2. It seems like iCal works perfectly with KMS, but when I log into the webmail or log into my account with Outlook, then it seems like iCal has never marked any appointments or tasks as finished and I'm confronted with a huge list of overdue tasks. What's with that?

3. When a user changes passwords, then with the default way of configuring your Mac to work with KMS, the user has to enter his new password in Directory Utility (if he/she can), in iCal, in Mail and in Kerio Sync Connector. That's very annoying. If KMS supported Kerberos authentication between the server and the client, then that wasn't necessary. Is there any solution to this? In Mail I can use NTLM authentication and avoid typing in the password there and if I can use the admin account for authentication against the LDAP in Directory Utility that's one less place to change password.

4. I've tried the new version 6.7 RC1 and the Kerio Sync Connector creates a copy of the Global Address List in Address Book (I didn't see that with the previous versions). In one way that's a nice addition because then it's possible to browse the GAL and not just have LDAP lookups. What is your take on this?

Regards,
René Frej Nielsen

  •  
d.

Hi René and forum folks.

I'll have a go with question 1...

I would suggest NOT using your Kerio admin account as the authentication method in Directory Utility. That's very dangerous. I won't go into the exact reasons why (as that would reveal how someone could take advantage), but I'd suggest just creating a generic, non-admin account that stays "active" all the time. For conversation's sake, let's call it "ldap". You might have a more creative name for it :).

In this "ldap" account, set a specific password, and divert all email messages for that account, to your admin account or similar, in Kerio Mail Server. Just in case!

Even though this is still just a "user" account, do not disclose the password to any customers... Just your IT staff.

Setup using Directory Utility is fairly straightforward. You could just use the iCal setup tool (for the "ldap" account), and then change the iCal setup after that (change the username and password).

If you want to set up using D.U. regardless, open D.U. and unlock the app. Then delete any existing instances of your mail server from the list.

Then make sure 'Advanced' mode is showing.

Next, go to Services, and double-click on LDAPv3.

Click New

Enter the Server IP address, and select only for 'Contacts'. Click Continue, and follow the setup from there. You will want to set it up as an Open Directory Server.

(You can always go back and modify the server afterwards, by clicking on your server from the LDAP list, and once highlighted, press the Edit... button.)

If you're looking back at your setup (using the Edit... button), the screens need information such as:

- Connection tab: configuration name, and your server name/IP (don't necessarily need SSL enabled just yet)
- Search & Mappings: just set up as Open Directory Server, with no Search Base specified
- Security: tick authentication when connecting, use a full email address as the distinguished name (e.g. ldap@yourdomain.com) + the password

That should get you started :).

I'd recommend testing using the Directory app, to try and do a sample LDAP-based search after that.

Hope that helps :).
Cheers.
D.

  •  
renefn

Hi,

Thank you for your comments to my first question... I have previously tried to configure Directory Utility manually without success, just as you described it.

It didn't work this time either, but I finally figured out what was wrong: The default search path that is suggested is "fn=ContactRoot", but when the iCal Config Tool configures Directory Utility then it uses "dc=domain.tld" (where domain.tld is just an example).

This makes Directory.app work and iCal meeting times lookup works, but it's not really perfect since ALL accounts are visible, even the admin and ldap account (that I just created) and they are not published in the GAL. Can I modify the search path to avoid seeing these users? Directory.app and Address Book (when making LDAP queries) display all users twice... a problem that I have had with Kerio LDAP from the beginning. Any suggestions there?

Maybe I should mention that we manage our users through Active Directory.

Regards,
René Frej Nielsen

  •  
d.

Hi there.

This thread has info about hiding the Admin account...
http://forums.kerio.com/index.php?t=msg&goto=59291

Cheers,
Derek

[Updated on: Tue, 12 May 2009 01:22]


  •  
renefn

Hi,

This is useful but is not the final solution. I can hide the admin account, but the LDAP account can't be hidden because if I move it to a different domain, then it would not be able to look up the addresses in the right domain. Or that's how I think it would work.

We have other accounts that would be nice to hide and that aren't published in the GAL that I have difficulty seeing how could be moved to another domain.

It's also strange - and very annoying - that all users that are mapped from Active Directory are listed twice! The few local accounts that we have in KMS are only listed once, so to me it looks like a bug... Is anyone else experiencing this? I only have KMS listed on the Contacts search path in Directory Utility.

Regards,
René Frej Nielsen
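
An added example, not part of the thread and not Kerio code: a Python check to run over the LDIF text returned by a directory search made with the dedicated bind account. It reports service accounts that are visible and addresses listed more than once, the two symptoms described in the posts above. The sample entries, DN layout and addresses are constructed; `parse_ldif` and `audit` are names chosen for this example.

```python
import base64
from collections import defaultdict

# Constructed sample of search results under "dc=domain.tld" (hypothetical DNs).
SAMPLE_LDIF = """\
dn: cn=Admin,dc=domain.tld
mail: admin@domain.tld

dn: cn=ldap,dc=domain.tld
mail: ldap@domain.tld

dn: cn=Anna Berg,dc=domain.tld
mail: anna@domain.tld

dn: cn=Anna Berg,ou=ad,dc=domain.tld
mail: Anna@domain.tld
"""

def parse_ldif(text):
    """Parse LDIF text into a list of {attribute: [values]} dicts."""
    unfolded = text.replace("\n ", "")   # a leading space continues the previous line
    entries = []
    for block in unfolded.split("\n\n"):
        entry = defaultdict(list)
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            attr, _, value = line.partition(":")
            if value.startswith(":"):    # "attr:: <base64>" carries non-ASCII values
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            entry[attr.lower()].append(value.strip())
        if "dn" in entry:                # skip "version: 1" and other non-entry blocks
            entries.append(dict(entry))
    return entries

def audit(entries, must_be_hidden):
    """Return (exposed service accounts, {mail: DNs} for mails listed twice or more)."""
    hidden = {m.lower() for m in must_be_hidden}
    by_mail = defaultdict(list)
    for e in entries:
        for mail in e.get("mail", []):
            by_mail[mail.lower()].append(e["dn"][0])   # addresses compare case-insensitively
    exposed = sorted(m for m in by_mail if m in hidden)
    duplicates = {m: dns for m, dns in by_mail.items() if len(dns) > 1}
    return exposed, duplicates

if __name__ == "__main__":
    exposed, dupes = audit(parse_ldif(SAMPLE_LDIF), ["admin@domain.tld", "ldap@domain.tld"])
    print("visible but should be hidden:", exposed)
    print("listed more than once:", dupes)
```
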