How to: Configure Kerio Control VPN for Apple Open Directory Authentication
(Kerio Control - VPN Authentication - Apple Open Directory)
This information has been tested with OSX Server 10.6.8 and 10.10.5. I suspect it should also work with OSX Server 10.7, 10.8, 10.9. If you test it with OS X 10.11 and it works, please post back and let everyone know.
Abbreviations and terms used in this post:
I don't wish to long hand everything, so these are abbreviations I will use.
Kerio Control = KCTRL
Apple Open Directory = AOD
Domain Name Service = DNS
Lightweight Directory Access Protocol = LDAP
Terminal = Is the command line interface for OSX. You can launch it from Applications/Utilities.
Fully qualified domain name = FQDN
Something to consider:
Your Open Directory and DNS services have to be running correctly first. If they are broken, you have to fix them before you can continue. You should attempt to bind a machine to your AOD to verify it is working, then move to get Kerio Control reading from AOD.
Something to NOTE about KCTRL:
1. On the upper left hand corner of the screen under the Domain and User Login -> Directory Services tab, you will see a grey dot that reads "Not a member of any domain". This will stay that way, even after successfully reading from AOD. I suspect this is working as designed, and only becomes active when you have successfully joined a Microsoft Active Directory system. So, just ignore it when using AOD.
2. The "Test Connection" button located in the Directory Services tab does not provide a true indication that everything is working correctly. This feature simply tests that there is a directory server available, and that you have used an appropriate account to read from the directory. This button DOES NOT test that you are using the correct LDAP search base (suffix).
Sites which I used and references:
-Find the search base in OSX-
-OSX Setting up and testing Open Directory-
How to get KCTRL to correctly read from AOD:
1. First thing you need to do is go find your AOD server's LDAP search base (suffix).
From Terminal, use the following command:
sudo serveradmin settings dirserv:LDAPSettings:LDAPSearchBase
If AOD is working correctly, it should return the LDAP search base...for example:
dirserv:LDAPSettings:LDAPSearchBase = "dc=orion,dc=stargazer,dc=com"
This is essentially the breakdown of the server's FQDN. Orion = the server name, Stargazer = the domain name, Com = the top level domain.
2. Take the search base and insert it into the Directory Services Tab -> Advanced button -> Custom LDAP Search Suffix box. Based on the example above, it should look like this: dc=orion,dc=stargazer,dc=com
3. Next you need to fill in the "Custom Kerberos 5 realm name". This is located in the same place as the Custom LDAP Search Suffix box. This has to be your server's FQDN all in CAPITAL LETTERS. It is very important the name is in all capital letters, or it won't work. Based on the example server above, the Custom Kerberos 5 realm name would be ORION.STARGAZER.COM.
If everything is working properly, you should now be able to go to either Users or Groups, and from the Domain: drop down at the top, choose your domain. It should return and show all the users or groups that have been registered in AOD.
That is it, that is all you need. The biggest problem is making sure you have the correct settings. AOD does not have all the LDAP search suffix attributes you would otherwise find in Open LDAP or Microsoft AD. So attributes like ou= will cause an error, and cn= will not cause an error but will still cause authentication not to work properly.
At this point you should download the Kerio Control VPN client, and test the connection from an external source. All you need is the IP address or FQDN of the VPN Control host, the short name of the user in AOD, and the network password.
Remember the following:
You have to enable VPN access for each user. If you are reading from AOD, the user template cannot be modified by KCTRL. This is because KCTRL only allows you to modify the VPN access setting for users in the Local User Database. So...in AOD you need to go create a VPN Access group. Add the users who need VPN access to this group, then go back to Groups in KCTRL. Make sure the domain is selected from the drop down at the top, and double click the VPN Access group, go to the Rights tab, and check the option for "User can connect using VPN".
If running into problems, check the Security Logs:
I got the following error when I was using an incorrect LDAP search base.
Authentication: VPN Client: Client: 126.96.36.199: Invalid password for NT/Kerberos user XXXXX.
[Updated on: Fri, 15 July 2016 19:52]
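Because the "Test Connection" button does not validate the search suffix, the values from steps 1 to 3 can be checked in Terminal before they are typed into Kerio Control. The script below is an added example, not part of the original post: it parses the serveradmin output, rejects a search base containing anything other than dc= components, and derives the upper-case realm name using the post's FQDN convention. The function names and the sample line (constructed from the example output above) are assumptions.

```shell
#!/bin/bash
# Added example: check a search base before typing it into Kerio Control.
# SAMPLE_LINE is constructed from the example output shown in this post.
SAMPLE_LINE='dirserv:LDAPSettings:LDAPSearchBase = "dc=orion,dc=stargazer,dc=com"'

# Pull the quoted value out of a line of `serveradmin settings` output.
extract_search_base() {
    printf '%s\n' "$1" | sed -n 's/^dirserv:LDAPSettings:LDAPSearchBase = "\(.*\)"$/\1/p'
}

# Succeed only if every component is dc=<label>; ou= or cn= components fail.
validate_search_base() {
    printf '%s\n' "$1" | grep -Eiq '^dc=[a-z0-9-]+(,dc=[a-z0-9-]+)*$'
}

# Turn dc=orion,dc=stargazer,dc=com into ORION.STARGAZER.COM.
realm_from_search_base() {
    validate_search_base "$1" || return 1
    printf '%s\n' "$1" | sed -e 's/[dD][cC]=//g' -e 's/,/./g' | tr '[:lower:]' '[:upper:]'
}

# Print both values for the Advanced dialog, or explain the rejection.
kerio_values() {
    base=$(extract_search_base "$1")
    if [ -z "$base" ]; then
        echo "no LDAPSearchBase value found in input" >&2; return 1
    fi
    if ! realm=$(realm_from_search_base "$base"); then
        echo "search base '$base' has non-dc components" >&2; return 1
    fi
    echo "Custom LDAP Search Suffix:    $base"
    echo "Custom Kerberos 5 realm name: $realm"
}

kerio_values "$SAMPLE_LINE"
```

On the AOD server itself, replace the last line with kerio_values "$(sudo serveradmin settings dirserv:LDAPSettings:LDAPSearchBase)" to use the live value.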