Connect. Communicate. Collaborate. Securely.

Home » Kerio User Forums » Kerio Connect » How to deploy iCal-settings to 200 users?

Messages: 90
Karma: 0
Send a private message to this user
Hi all.

I have over 200 users.
None is admin on their computer, only standard users. Mixed Leo and Snow leo.
We now want to use Kerios caldav server.
iPhones is easy, done.
iCal, problems. I have to manually install ical config tool on all 200 users.
And the user has to standby with their personal password because the ical config tool (!) require it twice (!).
Its a timeconsuming mess and waste precious time. Really boring too.

I can add account directly in both Leo and Snow leo some will say. Yes, but then the autofill and resources wont work. This setup has tendencies to glitch a lot too, no go.

How can i do this in a better way? Contacted Kerio support for some help regarding the package. I took a peek in the scripts in ical config tool .pkgs and it doesn't seem impossible to make an deploy version?

Unfortually i don't have the right skills for it. Maybe anyone has solved this?


Messages: 57
Karma: 0
Send a private message to this user
The OP has a really good point here. We also have a large number of users that we would like to setup for CalDav use, but we do not wish to touch every desk/user or ask for their passwords. Also we do not want to give users an admin password just so they can set up iCal.

Anyone had any thoughts on packaging/deployment?


[Updated on: Fri, 15 October 2010 18:47]


Messages: 45
Karma: 10
Send a private message to this user
Kerio, I am going to chime in on this one as well, I am a Kerio Reseller and this is something that has put the breaks on a couple of installs I was pitching

You can roll out the preferences required for ical via Managed preferences if bound to a domain. For those that are not you could use login hooks

The issue as suggested is that you need to bind the machine's to there LDAP server in order for auto-fill and resources to work

I will take that one step further and add that in a multiple user enviroment where multiple people log into the same computer using mobile accounts or OD users then this gets even worse to manage

The only solution I have at this stage is to create a user on the server with very little writes so login name and password if compromised in a script are not a massive issue. Basically this user has the ability to look at resources and can view the public calendar but can't send email out of the domain and has a limited mailbox size. I then bind the machines to the Kerio Mail server using the auto ical config program and it set's up in the Directory the connection string to the Kerio LDAP

As users login, managed prefs or a login hook will setup your ical using https://your.kerio.server/caldav

The downside here is that while they can now use auto completion and resources in ical, they can only use the public address book for this and not there personal one

I am going to say the real issue lies in they way ical works and not Kerio here as this is where it pulls this info as this is not required for entourage.

However if Kerio you have a solution for this I would love to here it

Theoretically it should be viable under some login hook that would remove the current bind to the mail server and then creates a new bind to the mail server using the credentials and user name passed in the login window. It seems Kerio does not bind to the Directory using the standard OD way

Initial thoughts would be

/usr/sbin/dsconfigldap -f -a "your.kerio.server" -u diradmin -p passwordhere
# no need to define dscl /Search -create / SearchPolicy CSPSearchPath as Kerio only required contacts
sleep 10
dscl /Search/Contacts -create / SearchPolicy CSPSearchPath
dscl /Search/Contacts -append / CSPSearchPath /LDAPv3/"your.kerio.server"

If anyone has ever done anything to do with autosetup of Kerio users in a Managed enviroment that works for the trinity, ical, address book and mail I would love to hear about it

To be fair to Kerio, I don't think this is something they can fix as issue with they way ical is written, but could give us some more techie info on above

However the problem you are actually going to see as a bigger issue is Address book in a 10.6 OS as this is something Kerio need to fix as lack of support for this product. The only way to do this in 10.6 is using the Kerio Sync Connector or via the native protocol CardDAV which can not be done manually for some reason via Kerio and must use the wizard


Messages: 90
Karma: 0
Send a private message to this user
Update since there is two interested in this:

I did manage to do a ugly hack. We use ldap (osx server) here so i tried to put in all resources (emailadresses) in the server and it seems to work pretty good.

Its a trick to "fool" Kerio to show availability for the resources in question and it does just that. The only downside (not a big one either) is that you can't write resource name in the field Place. Who cares at this stage...

So it works like this:

1. Config the account in iCal (Its so easy, the user can do it themselves)
2. Config ldap, somehow, the suggestion above is greate, i did this thru ARD:

dsconfigldap -s -a -n "My Company"
sudo killall DirectoryService
sleep 5
dscl localhost -create /Search SearchPolicy CSPSearchPath
dscl localhost -create /Contact SearchPolicy CSPSearchPath
dscl localhost -append /Contact CSPSearchPath '/LDAPv3/'

Only tried it on one computer yesterday but it did work.

This is a shortterm solution - i'm looking forward to a permanent, more optimal solution from Kerio.


[Updated on: Tue, 19 October 2010 15:10]


Messages: 14
Karma: 0
Send a private message to this user
We have this problem as well. We are now requiring our users to change their password (on our Open Directory server) every 90 days, and for our Mac users, this is a real pain. The issue is that, after using the iCal Config Utility from Kerio, they have an LDAP mapping in Directory Utility that is set up with their credentials for doing LDAP lookups when creating iCal events. When they change their OD password, their Kerio account password changes as well, but the Directory Utility credentials are still using the previous password.

I've set up a static account on our Kerio server to use just for these LDAP lookups, but I've got over 150 users that I need to push that change out to. I'm trying to figure out a way, like you all, to push this using a script that I can send through Apple Remote Desktop.

Giobbi's suggestion below does not work for me. First line for me would look something like this:

sudo dsconfigldap -s -a -n "Tauri LDAP" is our Kerio server

When I try this command, I get this result:

Could not use mappings supplied to query directory.

I've also tried mapping to our OD server, but when I do that my iCal events try to get addressed to bad e-mail addresses (like </principals/__uids__/720C40A6-FBBF-4890-A504-013237DE2DC3/>)

Anybody have any suggestions?
Lyle M

Messages: 410

Karma: 7
Send a private message to this user
Thanks all for the scripting suggestions. It will be interesting to see what else develops.

Here's a related thread:

Previous Topic: Kerio 7.2Beta 3 Calendar and Contacts
Next Topic: Bes Sync Option
Goto Forum:

Kerio discussion forums are intended for open communication between forum members and may contain information and material posted by members which may be useful in learning about Kerio products. The discussion forums are not intended to provide technical support for any specific product. Any information implied or expressed in the discussion forums is that of the posting member. Kerio is in no way responsible for the information posted in the forums, or its accuracy. Kerio employees may participate in the discussions, but their postings do not represent an offical position of the company on any issues raised or discussed. Kerio reserves the right to monitor and maintain the forums to promote free and accurate exchange of information.

Current Time: Thu Nov 23 08:18:31 CET 2017

Total time taken to generate the page: 0.00404 seconds
.:: Contact :: Home ::.
Powered by: FUDforum 3.0.4.