Kerio on OD Master (Kerio fails to connect to LDAP)

ragob66:
Hi,

First of all, I want to introduce myself. I am ragob and I am really happy to be here.

Second, I want to apologize, because this topic has been widely discussed everywhere on related sites, but unfortunately I never found a solution that worked for me.

Problem:

My customer wants his Kerio Connect to be installed on the OD Master (same machine).

Because of that, the well-known port conflict appeared. I used an alternative port (8389) for the Kerio LDAP service to avoid it, but the LDAP configuration just doesn't work.
If I enter just the hostname as directory server for the domain, the connection test works fine, but if I select Users under the domain preferences I just get an error message: "Error: LDAP Operation failed. Check that you have installed the directory extensions properly." I've done that quite often, to be honest.
If I enter the host with the alternative port number as directory server for the domain, even the connection test fails (invalid credentials), although the credentials are correct (logging in with Workgroup Manager is no problem).

What I already tried:

Installing and uninstalling the directory extensions quite a few times.
Manually including kerio-mailserver.schema (that nearly wrecked my OD).
Setting different ports in the Kerio LDAP Service.
Connecting to the OD Master via Directory Access Tool using the alternative port, in addition to a connection to the standard port or as a standalone connection.
Setting everything to default except the port of the Kerio LDAP Service.
Starting and stopping the LDAP service via the command line after changing anything.
Rebooting after changing the config.
Using 127.0.0.1, localhost, the IP address and the fully qualified domain name, with and without the alternative port, as directory server for the domain.

My System (Test Environment)
Dual G5 1.8 GHz, 2 GB RAM
Mac OS X Server 10.5.8
Kerio Connect 7.0.2 build 1676 as a trial version in the test environment

I have no more ideas. That's why I need the help of the Kerio experts in this forum. Please help me and make me happy with it.

Thanks a lot!

Best wishes!

Ragob

HoosierMac:
Make sure the search bases match up between OD and Kerio in the binding page.

-
HoosierMac Consulting
Kerio Certified Reseller and Hosted Provider
http://www.hoosiermac.com

p0ddie:
Hey,

I think there is some misunderstanding about the LDAP port in Kerio.

The LDAP settings on the Services page concern Kerio's internal LDAP server (used by clients to look up addresses in the Kerio address book). It has absolutely nothing to do with the directory extension plugin.

- First off, make sure you install the OD plugins, not the AD plugins.

- Secondly, make sure your OD is running fine: "sudo changeip -checkhostname" in Terminal should return "there is nothing to change". Server Admin.app should show Kerberos as started. Write down your Kerberos realm and the server's primary domain name. (Kerberos is optional, of course, but I highly recommend it.)

Let's say your server's domain name (and Kerberos realm) is server.your.mom and you connect to the directory as diradmin (useful for testing, as you can be sure that account can do everything).

In Kerio, click the domain, go to Directory Services, and enter:

- hostname: the hostname of your server (make sure it resolves correctly)
- user name: uid=diradmin,cn=users,dc=server,dc=your,dc=mom
- password: obviously, the diradmin password
- LDAP search suffix: dc=server,dc=your,dc=mom (you can get this from Server Admin.app)

Now switch to the Advanced panel in the domain settings and configure the Kerberos realm, in capitals (SERVER.YOUR.MOM), exactly as Server Admin.app shows it.

You should be done, and if your OD, Kerberos and DNS are in order, you should be able to connect to your server with any activated OD account. Be advised, though, that the login name of the OD user (and his primary email address) is the first OD user name.

If you can't connect with some users from your OD but can with a freshly created user: pick a non-working user, change his password type from OD to shadow, save, and switch it back to OD (this regenerates his Kerberos entry and directory password).

Let me know if this works out for you.
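The settings p0ddie lists above can be checked from the shell before touching Kerio. The script below is an added example, not code from the thread or from Kerio: it derives the bind DN, search suffix and Kerberos realm from the server's primary domain name the same way the post does, shows which process owns the LDAP ports (the "well known port conflict" from the first post), and performs the same simple bind and search Kerio's directory-service page will attempt, so a failure comes back with the real LDAP result code instead of Kerio's generic "LDAP Operation failed". The hostnames, the diradmin account, port 389 for OD and port 8389 for Kerio's own LDAP service are assumptions taken from the discussion, not facts about any particular installation.

```shell
#!/bin/sh
# Added example (not from the thread or from Kerio): pre-flight checks before pointing
# a Kerio Connect domain at an Open Directory master running on the same machine.
# Assumed layout, as in the discussion: OD's slapd answers on 389, Kerio's own LDAP
# service has been moved to another port (8389 in the first post), diradmin is the
# bind account. Requires ldapsearch (OpenLDAP tools ship with OS X) and lsof.

# DNS name -> LDAP suffix:  server.your.mom -> dc=server,dc=your,dc=mom
fqdn_to_suffix() {
    printf '%s\n' "$1" | tr 'A-Z' 'a-z' | sed 's/\./,dc=/g; s/^/dc=/'
}

# Kerberos realm: the primary domain name in capitals, as Server Admin shows it.
fqdn_to_realm() {
    printf '%s\n' "$1" | tr 'a-z' 'A-Z'
}

# Bind DN in the form Kerio's directory-service page expects for an OD user.
# $1 = short name (e.g. diradmin), $2 = OD master's primary domain name
od_bind_dn() {
    printf 'uid=%s,cn=users,%s\n' "$1" "$(fqdn_to_suffix "$2")"
}

# Process(es) listening on a TCP port. Empty output means nothing listens there;
# Kerio and slapd both wanting 389 is exactly the conflict the first post hit.
port_owner() {
    lsof -nP -iTCP:"$1" -sTCP:LISTEN 2>/dev/null | awk 'NR > 1 { print $1 " pid " $2 }' | sort -u
}

# Same simple bind + search Kerio performs. On failure ldapsearch prints the real
# reason, e.g. "ldap_bind: Invalid credentials (49)" or "No such object (32)"
# (the latter usually means the search suffix does not match the OD tree).
# $1 = primary domain name (for DN/suffix), $2 = host to connect to, $3 = port,
# $4 = bind user short name, $5 = password
test_od_bind() {
    fqdn=$1; ldap_host=$2; port=$3; user=$4; pass=$5
    suffix=$(fqdn_to_suffix "$fqdn")
    ldapsearch -x -LLL -H "ldap://$ldap_host:$port" \
        -D "$(od_bind_dn "$user" "$fqdn")" -w "$pass" \
        -b "$suffix" "(uid=$user)" dn
}

# Run everything: hostname sanity, port ownership, the values to type into Kerio,
# then the bind test against OD (not against Kerio's own LDAP service).
# usage: preflight <primary-domain-name> <bind-user> <password> [od-port] [kerio-ldap-port]
preflight() {
    fqdn=$1; user=$2; pass=$3; od_port=${4:-389}; kerio_port=${5:-8389}
    echo "== OD hostname check (OS X Server only)"
    sudo changeip -checkhostname 2>/dev/null || echo "changeip not available on this host"
    echo "== listeners"
    for p in "$od_port" "$kerio_port"; do
        printf 'port %s: %s\n' "$p" "$(port_owner "$p")"
    done
    echo "== values to enter in Kerio (domain > Directory Services / Advanced)"
    echo "  user name:          $(od_bind_dn "$user" "$fqdn")"
    echo "  LDAP search suffix: $(fqdn_to_suffix "$fqdn")"
    echo "  Kerberos realm:     $(fqdn_to_realm "$fqdn")"
    echo "== bind test against OD on port $od_port"
    test_od_bind "$fqdn" "$fqdn" "$od_port" "$user" "$pass"
}

# Only run when invoked with arguments, so the functions can also be sourced.
if [ $# -ge 3 ]; then preflight "$@"; fi
```

Run it on the server as "sh preflight.sh server.your.mom diradmin 'secret'". If the bind test succeeds here but Kerio's Users page still fails, the credentials and suffix are not the problem and the directory extensions (schema) are the next thing to look at; if ldapsearch itself reports code 49 or 32, fix the DN or suffix before going back to Kerio.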

blturner:
I don't know if it works with LDAP, but I have heard of running two web servers on the same machine with each of them on a different IP address.
That is to say, two IP addresses on one machine.
In System Preferences > Network you click Add to add the settings for the second IP. I don't know how to make the LDAP servers pick which address they come up on.

p0ddie:
You refer to multi-homing. Unfortunately, this is not possible with Kerio, as you can't tell Kerio which IP to listen on and to ignore all the other IPs of the machine it is running on. To use LDAP on Kerio on the same machine as an OD master, you need to either use secure LDAP (port 636) or use a different port than 389 for Kerio's LDAP.

This, however, is not really of interest to the OP's question, as he struggles to get the directory services integration running in Kerio.

Pavel Dobry (Kerio):
p0ddie wrote on Sat, 07 August 2010 17:11:
> You refer to multi-homing. Unfortunately, this is not possible with Kerio, as you can't tell Kerio which IP to listen on and to ignore all the other IPs of the machine it is running on. To use LDAP on Kerio on the same machine as an OD master, you need to either use secure LDAP (port 636) or use a different port than 389 for Kerio's LDAP.
>
> This, however, is not really of interest to the OP's question, as he struggles to get the directory services integration running in Kerio.


This is not true. You can specify the IP address on which the service will listen for every Kerio service. Take a look in the manual. The question is whether the other service (Open Directory) can be configured that way as well.

Knowledge Base: http://kb.kerio.com/.
Looking for technical support? http://www.kerio.com/support

ragob66:
Hi,

Thanks for all your replies! I am really happy to see all these helpful people!

I understand the difference between the LDAP service and the OD connection now. Nevertheless I still have to get the OD connection to work.

Unfortunately I don't have access to my test environment until tomorrow. Here's what I can say without having it here.

1. DNS seems to work correctly (tested with nslookup, works in both directions).

2. The LDAP search base was checked more than once to be identical between Kerio and the OD.

3. I installed the OD plugins, not the AD plugins (the file was named "Kerio Open Directory Extensions 7.0.2 patch 1").

4. All three services under Open Directory in Server Admin.app are "running" (LDAP, Password, Kerberos).

5. I haven't checked that the Kerberos realm is correct, but it didn't work using Password authentication either.

6. The other settings (hostname, diradmin, password, LDAP search suffix) were checked about a dozen times and should be correct. The connection test works as intended with these parameters.

p0ddie wrote:
> Secondly, make sure your OD is running fine: "sudo changeip -checkhostname" in Terminal should return "there is nothing to change".

p0ddie wrote:
> If you can't connect with some users from your OD but can with a freshly created user: pick a non-working user, change his password type from OD to shadow, save, and switch it back to OD (this regenerates his Kerberos entry and directory password).

These two points I can't test before tomorrow. Sorry.

@Bitburner and @Kerio_pdobry: Thanks for your suggestion, but I don't think the customer will be pleased if I configure his server to use a second IP on the same network card (I think it is something like a second interface for the same physical network card, isn't it?).

Thanks a lot!

Best wishes

RaGob

thejoecarroll:
I recently successfully deployed Kerio 7.1 on a Mac mini with Snow Leopard Server (10.6.6), and the trick I discovered to make it all work was to use two different hostnames as well as a custom port for LDAP services in Kerio (while it might be technically possible to get OD to run on non-standard ports, it's not officially supported by Apple, so it's a lot more hassle and I'd strongly recommend against it). The reason this is necessary is that you cannot bind a Mac to two different directory services residing at the same DNS name. However, there is no problem with them being hosted at the same IP address (so long as the ports are different), so creating a CNAME record as well as an A record for your Mac OS X Server machine makes it possible to get the best of both worlds (Kerio's full features and OD's management of users and machines) with just one server. Additionally, the auto-configuration scripts served on the Integration page of your Kerio deployment's webmail are clever enough to specify custom ports and the hostname you used to connect and download them.

BTW, the Kerio knowledge base document entitled "How to connect Kerio MailServer to Apple OpenDirectory" is quite out of date and references schema files that are apparently not installed on Snow Leopard Server.