KMS 6 & AD integration -- Hacks and fixes (Kerio User Forums, Kerio Connect)

jshaw541

Just a heads-up:

I was having problems getting KMS 6 to work with Active Directory integration. I was getting LDAP errors and "message size exceeded" errors. Oddly, I was not having this problem with KMS 5.

I "talked" with _____ at Kerio (name removed to protect the guilty) and they said:

The problem might be from AD in w2k3 if you have more than 1000 users or if there would be more than 1000 LDAP responses... is that the case? There's an MSKB article about it -- http://support.microsoft.com/default.aspx?scid=kb;EN-US;315071#2

I upped the MaxPageSize variable with ntdsutil to something greater than our number of users and it then worked fine.

Another cool, but apparently undocumented, hack is the UserBaseDn and GroupBaseDn variables in mailserver.cfg. They allow you to provide, obviously, base DNs. This works in 6.0 and I'm too lazy to see if it's in 5.7 as well.

This is handy for two purposes:

1.) It allows you to speed up AD searches and reduce load on your DCs by only querying a specific OU tree, instead of the entire domain each time.

2.) It makes using multiple domains easier. For example, you could have "@sales.foo.com" email addresses pointing to the "OU=Sales,DC=foo,DC=com" DN, and "@techs.foo.com" pointing to "OU=Techs,DC=foo,DC=com".

This means that jjones in the Techs OU would be jjones@techs.foo.com, and troberts in the Sales OU would be troberts@sales.foo.com. But, unlike currently, jjones@sales.foo.com would not be delivered, because he doesn't sit under the Sales OU.

<list name="Ldap">
<listitem>
<variable name="Domain">test.foo.com</variable>
<variable name="ServerName">dc1.foo.com</variable>
<variable name="ServerPort">389</variable>
<variable name="BindDn">administrator@foo.com</variable>
<variable name="BindPassword"> DES:031494b30068399e1eee92431ed8b38f27c8a28b4b8b56a1b954f8bb 7209 </variable>
<variable name="MapFile">ads.map</variable>
<variable name="Filter"></variable>
<variable name="UserBaseDn">ou=District,dc=foo,dc=com</variable>
<variable name="GroupBaseDn">ou=District,dc=foo,dc=com</variable>
<variable name="Description"></variable>
<variable name="Enabled">1</variable>
</listitem>
<listitem>

Kerio MailServer 6.7.1 w/AD
Windows Server 2003 SP 1
Dell PowerEdge 2850 (Dual Xeon 3.2ghz and 2 GB RAM)
~1300 users
~1000+ concurrent IMAPS connections
iPhone users
Outlook 2007 KOFF users
Apple iCal 10.5/10.6 users
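To make the base-DN routing described above concrete, here is an added example (my own, not Kerio code, and not the poster's config): it parses a constructed mailserver.cfg fragment in the same shape as the one above, builds a map of mail domain to UserBaseDn, and checks whether a given AD object sits under the base DN for an address's domain, which is why jjones@sales.foo.com would not be delivered to a user in the Techs OU. The DN comparison is a simplified component-wise suffix match, not full RFC 4514 normalisation.

```python
import re
import xml.etree.ElementTree as ET

# Constructed mailserver.cfg fragment in the shape of the one posted above:
# two AD domains, each with its own UserBaseDn. Not the poster's real config.
SAMPLE_CFG = """<config>
<list name="Ldap">
<listitem>
<variable name="Domain">sales.foo.com</variable>
<variable name="UserBaseDn">OU=Sales,DC=foo,DC=com</variable>
<variable name="Enabled">1</variable>
</listitem>
<listitem>
<variable name="Domain">techs.foo.com</variable>
<variable name="UserBaseDn">ou=techs, dc=foo, dc=com</variable>
<variable name="Enabled">1</variable>
</listitem>
</list>
</config>"""


def split_dn(dn):
    """RDN components of a DN, lower-cased, splitting only on unescaped commas.
    Simplification: no full RFC 4514 value normalisation."""
    return [p.strip().lower() for p in re.split(r"(?<!\\),", dn) if p.strip()]


def dn_under(dn, base):
    """True if dn equals base or sits below it. Component-wise suffix match,
    so ou=presales,... is NOT treated as under ou=sales,..."""
    d, b = split_dn(dn), split_dn(base)
    return len(d) >= len(b) and d[-len(b):] == b


def load_base_dns(cfg_xml):
    """Domain -> UserBaseDn for every enabled <listitem> in <list name="Ldap">."""
    bases = {}
    for item in ET.fromstring(cfg_xml).iterfind("./list[@name='Ldap']/listitem"):
        v = {e.get("name"): (e.text or "").strip() for e in item.iterfind("variable")}
        if v.get("Enabled") == "1" and v.get("UserBaseDn"):
            bases[v["Domain"].lower()] = v["UserBaseDn"]
    return bases


def would_deliver(address, user_dn, bases):
    """Mail to address reaches a user only if the user's AD object sits under
    the UserBaseDn configured for that address's domain."""
    base = bases.get(address.rsplit("@", 1)[-1].lower())
    return base is not None and dn_under(user_dn, base)
```

Run it against your own exported Ldap list to see which OU each mail domain actually searches; a user object outside that subtree is invisible to that domain even though the bind succeeds.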
jshaw541

Even though you shouldn't be using KMS 6.0 in production, you can at least test custom spam rules, eh? ;)

Fetch a whole bunch of useless SpamAssassin rules from this site:

http://www.rulesemporium.com/rules.htm

And put them in your KMS\spamassassin\rules directory. These are community-created rules that really really complement the default SA rules. I definitely catch a lot more spam using these on our forward MX box, than with just the default SA rules.

innuit12

Thanks for this post.
You saved me a helluva lot of time troubleshooting.
This problem occurs in Build 5.7.10 also.
I never had any problems with this in the test domain I set up because it only had 15 users.
But now that I'm getting ready to move to production it was choking on the 10K users I need to activate.
Now that I've upped the MaxPageSize it works like a charm.