I spent the better part of a day playing with Apple Open Directory on Mountain Lion Server 10.8. The purpose of spending that time was to try to gain a better understanding of Open Directory, LDAP and Kerberos as described in Notes on Kerberos troubleshooting (Kerio).
I've emerged from my testing bloodied and more confused than I was going in.
This isn't the first time that I've been confused by LDAP. The documentation is awful, the implementations vary widely and it's not at all uncommon to find written examples that simply do not work. I've been through this before and have emerged victorious, so I'm sure that will eventually be the case here. It may just be a matter of older documentation that doesn't apply to 10.8 and of course there could be some bugs in there too.
Or it could just be me. This is my first dance with Apple Server, and although I think I have been careful in my testing, I may have fat-fingered or neglected something and helped confuse myself. I think I must have, because my results have thoroughly baffled me!
As mentioned in previous articles, I made use of a Parallels Virtual Machine and snapshots for my testing. The snapshots make it easy for me to revert back and start over again, both to fix mistakes and to deliberately create some (the learn-by-destroying approach).
Here are the snapshots I worked with:
The first is just after installation, with Server.app purchased but not yet executed. This lets me branch off from there to multiple configurations, some of which I saved as snapshots themselves.
Let me say this first: the initial configuration was successful. That is, I was able to point a Kerio Connect server at it and get users from Open Directory. However, there were some very odd things that I noted.
First, there's a paragraph in Kerio's documentation that talks about a "Settings" section in Open Directory:
To correctly configure Kerberos, you must:
Open the Mac OS Server Admin tool on the Kerio MailServer machine.
In the OpenDirectory section, go to the "Settings" section and select "Connected to a Directory System"
After this, you must go through the necessary steps to be able to join your machine to Kerberos using the "Join Kerberos..." button. For details, see Apple documentation.
I don't believe that applies to Open Directory in 10.8. I found no "Settings" section and therefore did not do this part at all. My configuration worked, so this must not apply.
Kerio docs also mention messing with Kerberos on 10.7. None of that seems to apply to 10.8: I touched no Kerberos at all.
There were other oddities. First, one of the things Kerio docs seemed rather sure of is that you should be able to do "host `hostname`" in a Terminal window after configuring the Open Directory Master.
I could not. I could "ping `hostname`" from there and could ping that name from my hosting Mac (the Mac running Parallels). Obviously the Kerio directory configuration worked with that hostname also, so not being able to do that didn't actually matter. I checked DNS and found it was not running and that it had no entry for the server. I turned it on and added the entry, but nothing changed: I still could not do "host `hostname`".
So, at that point I was thinking that this is just some oddity of 10.8 Open Directory. Maybe it is, but it gets more strange: when I reverted back to my starting snapshot and went through the same configuration steps again but with a different hostname, it DID add the entry to DNS and I COULD do "host `hostname`"!
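One thing worth knowing when "ping" and "host" disagree like this: "host" (from the BIND tools) talks to the nameservers in /etc/resolv.conf and nothing else, while "ping" uses the system resolver, which on macOS also consults /etc/hosts and Bonjour (.local names) before DNS. So a name that pings but does not "host" is being answered by something other than the DNS server. The script below is an added example, not part of the original post, that runs both lookup paths for a name and turns the pair of results into a diagnosis. It assumes "host" is installed for the DNS-only path and uses dscacheutil on macOS or getent elsewhere for the resolver path; the hostname checked is whatever you pass as the first argument.

```shell
#!/bin/sh
# Added example (not from the original post): compare the two name-resolution
# paths that "ping" and "host" actually use, so a mismatch between them can be
# pinned down instead of guessed at.
#
# Assumptions: "host" (BIND tools) is available for the DNS-only path; the
# system-resolver path uses dscacheutil on macOS and getent elsewhere.

# System resolver: the path ping/getaddrinfo take. On macOS it consults
# /etc/hosts, Bonjour (.local) and DNS; on Linux whatever nsswitch.conf says.
resolver_lookup() {
    name=$1
    if command -v dscacheutil >/dev/null 2>&1; then
        dscacheutil -q host -a name "$name" 2>/dev/null | grep -q 'ip_address'
    elif command -v getent >/dev/null 2>&1; then
        getent hosts "$name" >/dev/null 2>&1
    else
        return 2   # no resolver tool found: "skip", not "fail"
    fi
}

# DNS only: "host" queries the nameservers in /etc/resolv.conf and ignores
# /etc/hosts and multicast DNS entirely.
dns_lookup() {
    name=$1
    command -v host >/dev/null 2>&1 || return 2
    host "$name" >/dev/null 2>&1
}

# Map an exit status to one of ok / fail / skip.
status_word() {
    case "$1" in
        0) echo ok ;;
        2) echo skip ;;
        *) echo fail ;;
    esac
}

# Turn the (resolver, dns) pair into a diagnosis.
classify() {
    case "$1/$2" in
        ok/ok)     echo "both: name has a DNS record and the resolver sees it" ;;
        ok/fail)   echo "resolver-only: answered by /etc/hosts, mDNS or directory services, not DNS" ;;
        fail/ok)   echo "dns-only: DNS has a record but the system resolver cannot use it (check /etc/resolv.conf and search domains)" ;;
        fail/fail) echo "neither: name is not resolvable at all" ;;
        *)         echo "inconclusive: a lookup tool was unavailable ($1/$2)" ;;
    esac
}

check_name() {
    name=$1
    if resolver_lookup "$name"; then r=ok; else r=$(status_word $?); fi
    if dns_lookup "$name";      then d=ok; else d=$(status_word $?); fi
    printf '%s: resolver=%s dns=%s -> %s\n' "$name" "$r" "$d" "$(classify "$r" "$d")"
}

# Usage: sh resolve-check.sh "$(hostname)"
if [ $# -gt 0 ]; then check_name "$1"; fi
```

Run it with the server's own hostname on the server itself and again on another machine on the network; the "resolver-only" result is the signature of a name that lives in /etc/hosts or is being served by multicast DNS rather than by the DNS service Server.app manages.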
OK, I must have done something differently, right? Yeah, I agree, but it's not like there are fifty steps here: you run Server.app, answer its questions, download Kerio's Open Directory Extension and install that. Reboot and that's all. There aren't very many opportunities to do anything any other way!
And yet something sure as heck is different, because in addition to that little hostname/DNS oddity, I could not get Kerio Connect to talk to any of my subsequent configurations. I'm not going to go through all the kinit and klist testing I did, but rest assured that all worked as it should, and I could even get the domains to test correctly from the Kerio administration, but I never again was able to bring in users.
This COULD be Kerio. There may be some residual stuff gumming up my experimentation. However, I did all this with additional mail domains and deleted each after testing - you'd think that would be sufficient, but it might not be. That's an aspect I haven't yet investigated.
So that's where I am right now: somewhat confused by Open Directory oddities and unsure of why my initial configuration was successful but subsequent attempts were not. Understand that I'm happy they were not: I can't learn anything from things that just simply work as advertised!
My next step is to drop to the command line and look at this as a generic LDAP server. That should tell me much more about what Server.app actually does when you set it up and will also let me see where the Kerio config is getting bamboozled by it (or itself, if that's the case).
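As an added example of that next step (not code from the original post or from Kerio), the script below treats the Open Directory master as an ordinary LDAP server using the standard OpenLDAP client tools that ship with OS X. It assumes ldapsearch is installed and that the first argument is the server's fully qualified hostname, and it binds anonymously, so it shows only what an unauthenticated client is allowed to see. Open Directory's default layout is assumed: a search base built from the hostname one dc= component per label, and user records under cn=users beneath that base. Rather than trusting that convention, the script asks the root DSE which naming contexts the server really advertises and compares the two.

```shell
#!/bin/sh
# Added example (not part of the original post): probe an Open Directory
# master as a plain LDAP server with the OpenLDAP client tools.
# Assumptions: ldapsearch is installed; "$1" is the server's FQDN; anonymous
# bind is permitted for at least the root DSE.

# Open Directory names its default search base after the server's hostname,
# one dc= component per label (server.example.com -> dc=server,dc=example,dc=com).
# Derive it here so it can be compared with what the server actually reports.
expected_base() {
    echo "$1" | awk -F. '{
        for (i = 1; i <= NF; i++) printf "%sdc=%s", (i > 1 ? "," : ""), $i
        printf "\n"
    }'
}

# Ask the root DSE which naming contexts the server serves. This is the
# generic LDAP way to learn the search base without guessing.
naming_contexts() {
    ldapsearch -x -LLL -H "ldap://$1" -s base -b '' namingContexts 2>/dev/null \
        | awk '/^namingContexts:/ { print $2 }'
}

# List user records. Open Directory keeps them in cn=users,<base>; posixAccount
# is one of the object classes it assigns to every user record.
list_users() {
    ldapsearch -x -LLL -H "ldap://$1" -b "cn=users,$2" '(objectClass=posixAccount)' uid 2>/dev/null \
        | awk '/^uid:/ { print $2 }'
}

probe() {
    server=$1
    want=$(expected_base "$server")
    got=$(naming_contexts "$server")
    if [ -z "$got" ]; then
        echo "no naming contexts returned: anonymous bind refused, port 389 closed, or not an LDAP server"
        return 1
    fi
    echo "expected base (from hostname): $want"
    echo "advertised naming contexts:    $got"
    for base in $got; do
        echo "users under cn=users,$base:"
        list_users "$server" "$base" | sed 's/^/  /'
    done
}

# Usage: sh od-probe.sh server.example.com
if [ $# -gt 0 ]; then probe "$1"; fi
```

If the advertised naming context does not match the base derived from the hostname, that is exactly the kind of mismatch that would make a directory client configured by hostname fail to find any users even though kinit and klist succeed, since Kerberos and LDAP are resolved independently.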
Next: Kerio Connect and Apple Open Directory Part 3.
© 2012-10-11 Anthony Lawrence