Connecting Kerio Operator to directory service

Which directory services are supported in Kerio Operator

Kerio Operator supports the following directory services:

  • Microsoft Active Directory
  • Apple Open Directory

What is the connection used for

In practice, mapping accounts from a directory service provides the following benefits:

Easy account administration

Apart from the internal database of user accounts, Kerio Operator can also import accounts and groups from an LDAP (Lightweight Directory Access Protocol) database. Using LDAP, user accounts can be managed from a single location, which reduces possible errors and simplifies administration.

Online cooperation of Kerio Operator and directory service

Additions, modifications or removals of user accounts/groups in the LDAP database are applied to Kerio Operator immediately.

Using domain name and password for login

Users may use the same credentials for Kerio Phone login and domain login.

WARNING

Mapping is one-way only: data are synchronized from the directory service to Kerio Operator. Adding a new user in Kerio Operator creates a local account; it is not duplicated into the directory service database.

When creating user accounts in a directory service, use ASCII characters only in usernames. If a username includes special characters or symbols, the user may not be able to log in to Kerio Phone or the administration interface.

If you disable users in Microsoft Active Directory, they are also disabled in Kerio Operator (they cannot log in to Kerio Phone or make or receive calls with their extensions).

If you disable users in Apple Open Directory, they stay enabled in Kerio Operator.

Phone extensions can be managed in a directory service (if available) or locally in Kerio Operator. Select the most convenient option.

Connecting to a directory service

To map users from a directory service:

  • Connect to the directory service in section Integration > Directory Service.
  • Activate users.

All information about directory services can be found in the Config log.

Microsoft Active Directory

In the administration interface, go to Integration > Directory Service.

  1. Check the Map user accounts from a directory service option and select your directory service type.
  2. In the Domain name field, enter the name of your Microsoft Active Directory domain; the domain name is then copied to the other required fields.
  3. In the Hostname field, enter the DNS name or IP address of the Microsoft Active Directory server. If you have a backup server, enter its name in the Secondary hostname field.
  4. In the Username and Password fields, enter the credentials of a user with at least read rights to the Microsoft Active Directory database. Username format is user@domain.
  5. Communication between the Microsoft Active Directory database and the PBX (Private Branch Exchange, the system that connects telephone extensions and switches calls) may carry sensitive data such as user passwords. For this reason, it is recommended to secure this traffic with SSL (Secure Sockets Layer). To enable LDAPS in Microsoft Active Directory, a certification authority trusted by Kerio Operator must be running on the domain controller.
  6. The remaining items in the dialog are completed automatically. Do not change them unless you have a special reason to do so. These items are the Microsoft Active Directory domain name and the Kerberos Realm, which must match the Microsoft Active Directory domain name written in capital letters.

Apple Open Directory

In the administration interface, go to Integration > Directory Service.

  1. Check the Map user accounts from a directory service option and select your directory service type.
  2. In the Domain name field, enter the name of your Apple Open Directory domain; the domain name is then copied to the other required fields.
  3. In the Hostname field, enter the DNS name or IP address of the Apple Open Directory server. If you have a backup server, enter its name in the Secondary hostname field.
  4. In the Username and Password fields, enter the credentials of a user with at least read rights to the Apple Open Directory database. Username format is uid=root,cn=users,dc=domain,dc=tld.
  5. Communication between the Apple Open Directory database and the PBX may carry sensitive data such as user passwords. For this reason, it is recommended to secure this traffic with SSL. To enable LDAPS in Apple Open Directory, a certification authority trusted by Kerio Operator must be running on the domain controller.
  6. The remaining items in the dialog are completed automatically. Do not change them unless you have a special reason to do so. These items are the Apple Open Directory domain name and the Kerberos Realm, which must match the Apple Open Directory domain name written in capital letters.
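The following pre-flight check, an added example that is not Kerio Operator code, applies the rules from the two procedures above to a planned configuration before it is entered in the dialog: Kerberos Realm equal to the domain name in capital letters, user@domain bind usernames for Microsoft Active Directory, DN-style bind usernames for Apple Open Directory, and LDAPS enabled. The DirectoryServiceConfig class and its field names are assumptions made for the example.

```python
import re
from dataclasses import dataclass


# Hypothetical model of the fields in Integration > Directory Service
# (an assumption for this example; Kerio Operator does not expose this class).
@dataclass
class DirectoryServiceConfig:
    service_type: str      # "ad" (Microsoft Active Directory) or "od" (Apple Open Directory)
    domain_name: str       # Domain name field
    hostname: str          # Hostname field
    username: str          # Username field (read-only directory account)
    kerberos_realm: str    # Kerberos Realm field
    use_ldaps: bool        # whether the LDAP traffic is secured with SSL
    secondary_hostname: str = ""


AD_USER_RE = re.compile(r"^[^@\s]+@[^@\s]+$")                 # user@domain
OD_DN_RE = re.compile(r"^uid=[^,]+,cn=users(,dc=[^,]+)+$")    # uid=root,cn=users,dc=domain,dc=tld


def check_config(cfg: DirectoryServiceConfig) -> list:
    """Return the list of problems found; an empty list means the settings are consistent."""
    problems = []
    if cfg.service_type not in ("ad", "od"):
        problems.append("unsupported directory service type")
    if not cfg.hostname:
        problems.append("Hostname is required")
    # The realm has to be the domain name written in capital letters.
    if cfg.kerberos_realm != cfg.domain_name.upper():
        problems.append(f"Kerberos Realm {cfg.kerberos_realm!r} must be {cfg.domain_name.upper()!r}")
    if cfg.service_type == "ad":
        if not AD_USER_RE.match(cfg.username):
            problems.append("Active Directory username must use the user@domain format")
        elif cfg.username.split("@")[1].lower() != cfg.domain_name.lower():
            problems.append("Active Directory username domain differs from the Domain name field")
    if cfg.service_type == "od" and not OD_DN_RE.match(cfg.username):
        problems.append("Open Directory username must be a DN like uid=root,cn=users,dc=domain,dc=tld")
    # Bind credentials and user passwords cross the network during the directory lookups.
    if not cfg.use_ldaps:
        problems.append("LDAPS disabled: directory traffic carrying passwords is not protected")
    return problems
```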

Activating users from a directory service

Once the mapping is configured, select the individual users to map to the PBX. This is how to map users:

  1. Open the Configuration > Users section.
  2. Click Import > Import from a Directory Service.
  3. In the dialog, select all users you wish to map (you can also add users later) and click Next.
  4. If users in the directory service have phone extensions assigned, you can either keep them or disable them. If you disable them, you have to assign new extensions. You can do it, for example, while changing your dial plan.
  5. Click Finish. Activated users are displayed in the Configuration > Users section.

NOTE

Only extensions stored in the attributes telephoneNumber (Microsoft Active Directory, Apple Open Directory) and otherTelephone (Microsoft Active Directory) can be mapped and are displayed. If you store phone numbers in custom attributes in the directory service, you will not be able to map those extensions.
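The import rules described above (ASCII-only usernames, extensions taken only from telephoneNumber and otherTelephone, and disabled state propagated from Microsoft Active Directory but not from Apple Open Directory) as an added example run over constructed directory entries; this is not Kerio Operator code. It assumes the Active Directory disabled state is the standard ACCOUNTDISABLE bit (0x2) of userAccountControl, which the page itself does not state, and uses a generic "username" key in place of the real directory attribute.

```python
# Constructed directory entries (not real data); "username" stands in for the
# directory's own username attribute.
SAMPLE_AD = [
    {"username": "alice", "telephoneNumber": "201", "otherTelephone": ["202", "203"], "userAccountControl": "512"},
    {"username": "bob", "telephoneNumber": "210", "userAccountControl": "514"},    # 514 = 512 | ACCOUNTDISABLE
    {"username": "jörg", "telephoneNumber": "220", "userAccountControl": "512"},   # non-ASCII username
    {"username": "carol", "pbxExtension": "230", "userAccountControl": "512"},     # custom attribute, not mapped
]
SAMPLE_OD = [
    {"username": "dave", "telephoneNumber": "240", "otherTelephone": ["241"]},     # otherTelephone ignored for OD
]

ACCOUNTDISABLE = 0x0002   # standard AD userAccountControl flag (assumption: not stated on the page)
EXTENSION_ATTRS = {"ad": ("telephoneNumber", "otherTelephone"), "od": ("telephoneNumber",)}


def extensions_for(entry: dict, service_type: str) -> list:
    """Return only the extensions Kerio Operator can map for this directory type."""
    exts = []
    for attr in EXTENSION_ATTRS[service_type]:
        value = entry.get(attr, [])
        exts.extend([value] if isinstance(value, str) else value)   # otherTelephone is multi-valued
    return exts


def disabled_in_pbx(entry: dict, service_type: str) -> bool:
    """AD disabled state is propagated to the PBX; OD users stay enabled."""
    if service_type == "ad":
        return bool(int(entry.get("userAccountControl", "0")) & ACCOUNTDISABLE)
    return False


def import_users(entries: list, service_type: str, keep_extensions: bool = True):
    """Build the local accounts an import would create; report usernames that are not ASCII."""
    accounts, skipped = [], []
    for entry in entries:
        name = entry["username"]
        if not name.isascii():
            skipped.append(name)   # such a user may not be able to log in; flag it before importing
            continue
        accounts.append({
            "username": name,
            "disabled": disabled_in_pbx(entry, service_type),
            "extensions": extensions_for(entry, service_type) if keep_extensions else [],
        })
    return accounts, skipped
```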