Kerio Connect: Password Policy
  •  
scsc_tech

Is it possible to implement a password policy in Kerio?
i.e. require a number of characters of a certain type?
  •  
forum69

I've just downloaded and installed the latest Kerio V7 (Kerio Connect).

I find the release has very poor improvements.

No password policy. This is incredible: there is no such option in the latest version. We are blocked on this point.

No possibility to connect to an LDAP server other than AD and OD. We are blocked on this point.

No IM service.

No improvement in many services except the domain policy.

I'm very disappointed about it.


  •  
bruggles

I am as well, a good overhaul is long overdue.

Additional Items

WEBMAIL Client
- Allow the ability to search through the body of emails
- Allow user to drag an email to a Calendar (creating an event)
- Allow users to select large amounts of email messages that carry over more than one display page so you can quickly rearrange your email folders.
- ALLOW INDIVIDUAL change of LABEL items or at least allow INDIVIDUAL additions of new LABELS
- OTHER competitors' GROUPWARE platforms offer IM, this is long overdue

ADMIN INTERFACE
Security ITEMS
- Disallow Access to WEBMAIL by a user or group, limit time of access individually as well as automatic logout time individually
- Current Connections - Allow ADMIN to kill or logoff a connection.

Hope we don't have to wait until version 10
  •  
Pavel Dobry (Kerio)

scsc_tech wrote on Wed, 16 December 2009 20:44
Is it possible to implement a password policy in kerio?
ie. require a number of characters of certain type?


Password policy is very well handled by directory services like Active Directory or Open Directory. Kerio MailServer has an option to use these directory services for managing users. (Even with OpenLDAP if you look into the Kerio Knowledgebase).
  •  
forum69

I do not accept such a response about OpenLDAP linking.

Here is a copy of the technote "Mapping users/groups from OpenLDAP or Generic LDAP server Solution".

Reading this technote carefully, I pointed out that it was not supported by Kerio.
Sorry, not using AD or OD...

This article describes how to setup basic OpenLDAP integration with Kerio MailServer. Please note this is not directly supported by Technical Support and you are using this feature at your own risk!!

  •  
scsc_tech

I have had no luck trying to link our OD to Kerio... it just doesn't play well.
  •  
Lyle M

69, Gosh. Why so angry? If you bought it because a sales rep told you OpenLDAP was a supported solution that anger would have some backing. Go to the rep and ask for a refund.
Hopefully you didn't buy it, as it obviously doesn't integrate with your environment (in a Kerio supported fashion). You're clearly frustrated and I empathize. However, I don't think you'll get the desired result with the antagonistic stance. No offense intended and best wishes.

scsc, back to your topic.... We're running Kerio in an OD environment with few problems. We use OD to handle the password policies. It was very simple to configure by following the manual. Are you unable to link KMS to your established OD server? Or, is it already connected and authenticating, but policy enforcement isn't working as expected? Can you provide any details about your configuration and the steps you're taking with expected/received results? It will be difficult for anyone here to assist without some details.

Regards.
  •  
marook

@scsc_tech: We run Kerio with Open Directory as well, and have no problems with that. What's not running/working???

Only issue I can think of: Kerio does not (shame on you!) support Nested Groups from the OD/AD!

PS: We run it with Password Server, not Kerberos...

[Updated on: Sat, 19 December 2009 14:48]


Regards,

Jakob Peterhänsel
Consultant - Humac A/S

Apple Certified Support Professional (ACSP)
Apple Certified Technical Coordinator (ACTC)
AppleSeed/CQF member since 1998
Kerio Messaging Partner
  •  
scsc_tech

I am a new hire and the Kerio server was built by the last tech. According to our network admin, the setup and communication between the OD and Kerio just didn't work. Our Kerio user database is just a standalone within Kerio. Clunky, I know. I will see if my net admin wants to give it another shot with my help.
If we tie it to the OD, will it remove the current Kerio standalone users? Will it auto-create email addresses for all the OD users?

Just trying to wrap my head around it a little.
  •  
Lyle M

Hi scsc_tech,

The mailserver.cfg file and the user's mail folder on the server hold what you need for a relatively easy transition.

Once you have the OS X server part of your Kerio system bound to the OD server and the mail domain properly configured (the hard parts) you can easily transition user accounts to OD (potentially time consuming).

Of course, you may want to use a test account for your first transition (better still, a test bed server). Basically, if you delete a local account from the admin console (choosing to SAVE the user's folder structure), you can then create an OD account with a short name that matches the account of the deleted local account. You then log in with the OD credentials and it should point you to the folders of that user.

For your test user, make sure you test all the bells and whistles (out of office msg, forwarding, etc) to ensure they make the transition. I never tested that nor recall where those settings are stored and I don't want you to have any surprises.

Also, make sure your OD users only have one short name and that everything is basic ASCII. Most of this is detailed in the admin guide, but it's worth mentioning again.

Back to domain-to-OD linking, be very careful to test your connection to OD prior to exiting the admin console. We had to replace a failing OD server last night. The mail server was the replica until replication broke. During the mess, the search suffix was corrupted with an extra "dc=." For some reason that made our local admin account fail. Fortunately, it was fixable by correcting the error in mailserver.cfg.

Pay special attention to OD first. Make certain you have a perfectly stable and redundant OD setup. I recommend not having the mail server as the replica - however, it does have to bind to OD. Read the manual carefully. There are some gotchas with the Kerio OD extensions that are important to know - especially regarding OD replicas.

Good luck,
Lyle Millander
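
A pre-flight check for two of the pitfalls in the post above (a malformed directory search suffix, and short names that are duplicated or non-ASCII), as an added example that is not part of the original post or any Kerio tooling. The function names, the sample suffix and the user records are constructed, and reading the extra "dc=" as an empty suffix component is an assumption.

```python
import re

# RDN attribute type: a descriptor such as "dc"/"cn", or a dotted numeric OID.
_ATTR = re.compile(r"^(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)$")

def split_rdns(dn):
    """Split a DN on commas that are not backslash-escaped."""
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return [p.strip() for p in parts]

def check_search_suffix(suffix):
    """Return a list of problems found in an LDAP search suffix."""
    problems = []
    for pos, rdn in enumerate(split_rdns(suffix), start=1):
        attr, sep, value = rdn.partition("=")
        if not sep:
            problems.append(f"component {pos} {rdn!r}: missing '='")
        elif not _ATTR.match(attr.strip()):
            problems.append(f"component {pos} {rdn!r}: bad attribute type")
        elif not value.strip():
            problems.append(f"component {pos} {rdn!r}: empty value")
    return problems

def check_short_names(records):
    """records maps a directory record to its list of short names."""
    problems = []
    for record, names in records.items():
        if len(names) != 1:
            problems.append(f"{record}: {len(names)} short names, expected 1")
        problems += [f"{record}: non-ASCII short name {n!r}"
                     for n in names if not n.isascii()]
    return problems

# Constructed sample data, not taken from the thread.
if __name__ == "__main__":
    print(check_search_suffix("dc=,dc=mail,dc=example,dc=com"))
    print(check_short_names({"Bob": ["bob", "robert"], "Zoë": ["zoë"]}))
```

Running the suffix check before saving a directory configuration change catches the kind of stray component that otherwise only shows up as failed logins.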
  •  
dvarsam

Look how beautifully Mr. "Kerio_pdobry" contradicts "Mr. Kerio_psilar".

As stated by Mr. "Kerio_pdobry" (higher in this post):
-----------------------------------------------------
From: Kerio_pdobry » Thu, 17 December 2009 15:26 [message #66077]
scsc_tech wrote on Wed, 16 December 2009 20:44

>>> Is it possible to implement a password policy in kerio?
>>> ie. require a number of characters of certain type?

Password policy is very well handled by directory services like Active Directory or Open Directory. Kerio MailServer has an option to use these directory services for managing users. (Even with OpenLDAP if you look into the Kerio Knowledgebase).

-----------------------------------------------------
Now, compare the above with another post in the following link:
http://forums.kerio.com/index.php?t=msg&th=16843&prevloaded=1&S=352d08b89d1fa87d7f64a0c7de4167db&start=15
Look under Page 2, a post by "Mr. Kerio_psilar" (pasted below):

From: Kerio_psilar » Fri, 12 February 2010 23:09 [message #67613]
From information we gathered from you, it seems there is a problem with NTLM authentication.
Please switch from "Secure Password Authentication" to "Manual Authentication" and use user name and password on main page of configuration of Kerio Outlook Connector (Offline Edition).
-----------------------------------------------------

The First guy is claiming: "Password policy is very well handled by directory services..."

The 2nd guy is suggesting: "Please switch from 'Secure Password Authentication' to 'Manual Authentication'".

IF PASSWORD POLICY IS SO BEAUTIFULLY HANDLED, WHY ON EARTH ARE YOU SUGGESTING USERS TO DISABLE A.D. OR O.D. AUTHENTICATION?

Conclusion: KERIO PEOPLE can you please implement what users are asking & STOP contradicting each other?

People in this forum seem to like their Kerio Server & try hard to keep things running smoothly, but your product is full of bugs especially when it comes to "Mac" or "Outlook" connectivity.
Better design your own "Outlook" Client than to supply contradicting suggestions.

Thank you very much,

Varsamis D.

[Updated on: Sat, 13 March 2010 15:48]

  •  
Pavel Dobry (Kerio)

There is no contradiction. Please do not mix authentication methods and password policy.
NTLM is an authentication method. If you don't use NTLM (or SPA as it is called in Outlook) and use username/password instead, then you still use Active Directory or Open Directory for authentication. Password policy is about forcing password length, complexity or password renewal period. It does not define authentication methods.

Moreover, the suggestion from Kerio_psilar is a workaround for a certain authentication issue (which is described in his post).
  •  
dvarsam

The User that Started this post asked for something Specific:

He asked to be able to "Force Password Change" when in "Manual Authentication".

You suggested to him that he move from "Manual Authentication" to "A.D. Authentication" or "O.D. Authentication" & Create a Policy in A.D. or O.D. to enforce users to Change their Passwords frequently. In this manner all Password Change Policies would be forced from A.D. or O.D. Policy.

But when a Kerio Colleague comes in and suggests to diff People to Disable "A.D. Authentication" or "O.D. Authentication" for their Outlook Connection to be able to work properly, don't you think that it "exterminates" your whole suggestion?

Conclusion:
If I want my Outlook to Connect I lose "Force Password Change" through A.D. or O.D. ...
If I want "Force Password Change" through A.D. or O.D., then sorry NO Outlook Connection guys!!!

Am I right OR wrong?

Don't you think that you need to Design things better?

Kindly,
dvarsam

P.S.> I love my KMS too, but too many flaws/restrictions man!
As I said, If you want, DO design your own KMS Client & charge me (I don't care), but don't tell people that IF they go one way other stuff won't work & IF they choose other way diff stuff won't work.
People are looking for solutions not a LABYRINTH man.
  •  
Pavel Dobry (Kerio)

You're wrong. The original post was about password policy for users in internal user database. This does not mean "manual authentication". "Manual authentication" (username/password) can be used with any user source such as internal database, Active Directory, Open Directory or any Kerberos server.

Kerio_psilar was not suggesting "do not use AD/OD". He was suggesting to use password-based authentication instead of SPA in Outlook. There is absolutely nothing about ActiveDirectory or OpenDirectory mentioned in our posts. Please read it carefully again.
Pavel Dobry (Kerio)

dvarsam wrote on Sat, 13 March 2010 17:30
The User that Started this post asked for something Specific:

He asked to be able to "Force Password Change" when in "Manual Authentication".

Not true. Read the original post again. It's not about "manual" authentication but about users in local database.
Quote:

You suggested to him that he move from "Manual Authentication" to "A.D. Authentication" or "O.D. Authentication" & Create a Policy in A.D. or O.D. to enforce users to Change their Passwords frequently. In this manner all Password Change Policies would be forced from A.D. or O.D. Policy.

Not true. The suggestion is "switch from SPA (NTLM) to password-based authentication". No need to not use AD/OD service.
Quote:


But when a Kerio Colleague comes in and suggests to diff People to Disable "A.D. Authentication" or "O.D. Authentication" for their Outlook Connection to be able to work properly, don't you think that it "exterminates" your whole suggestion?

No. There is no such statement. Read it again please.
Quote:

Conclusion:
If I want my Outlook to Connect I lose "Force Password Change" through A.D. or O.D. ...
If I want "Force Password Change" through A.D. or O.D., then sorry NO Outlook Connection guys!!!

Am I right OR wrong?

Described in previous post.
Quote:

Don't you think that you need to Design things better?

Kindly,
dvarsam

P.S.> I love my KMS too, but too many flaws/restrictions man!
As I said, If you want, DO design your own KMS Client & charge me (I don't care), but don't tell people that IF they go one way other stuff won't work & IF they choose other way diff stuff won't work.
People are looking for solutions not a LABYRINTH man.


I understand. To be honest, I'm afraid the bill will have 6 (maybe 7) digits :). The rest of the world requires support for Outlook, Apple Mail or web-based clients like WebMail.