
Configuring Jamf Pro to Use LDAP Over SSL When Authenticating with Active Directory

Overview

This article explains how to configure the Jamf Pro server to perform authentication with Active Directory (AD) using LDAP over SSL (LDAPS) instead of LDAP.

The general process is as follows:

  1. AD administrator generates a certificate request and sends it to the certificate authority (CA)
  2. CA generates a certificate from the request and sends the certificate chain to the AD administrator
  3. AD administrator installs the signed certificate and root certificate on the domain controller queried by Jamf Pro
  4. Jamf Pro administrator installs root certificate into Java keystore and restarts Tomcat (not applicable on Jamf Cloud shared instances)
  5. Jamf Pro administrator configures Jamf Pro to use SSL

Requirements

The following components are required to complete the steps in this article:

  • Access to certificates from your CA
  • Access to the Jamf Pro server
  • Terminal application or command prompt (only if using Jamf Pro 9.93 or earlier)

Procedure

Step 1:

Generate a certificate for the AD server that is signed by your CA and accept the issued certificate. Follow the guidelines outlined in the Microsoft article, How to enable LDAP over SSL with a third-party certification authority, available at: http://support.microsoft.com/kb/321051

Step 2:

If the domain controller already has the root certificate installed in the list of Trusted Root Certification Authorities, skip to the next step. If not, you will need to import it by following the instructions provided by Microsoft, available at:
http://technet.microsoft.com/en-us/library/aa995734.aspx

Step 3: (For certificates issued by a private or untrusted CA)

Import the root certificate of the CA into the Java truststore.

On the Jamf Pro host server, navigate to the Java security directory. For Java 8, the directory is located in:

Mac

/Library/Java/JavaVirtualMachines/jdk1.8.0_xx.jdk/Contents/Home/jre/lib/security/

Windows

C:\Program Files\Java\jre8\lib\security\

Ubuntu

/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/

Red Hat Enterprise Linux

/usr/lib/jvm/jre-1.8.0-openjdk.x86_64/lib/security/

  1. Import the root certificate into the Java truststore by executing:
    sudo keytool -import -trustcacerts -alias RootCA -keystore cacerts -file /Users/admin/Desktop/RootCA.cer
    When prompted with the message "Trust this certificate?", type "Yes" and press the Enter key. The result should be "Certificate was added to keystore".
    Note: If prompted for a keystore password, the default password is either "changeme" or "changeit", depending on your operating system and the version of Java installed on the Jamf Pro host server.
  2. Restart Tomcat. For complete instructions, see Starting and Stopping Tomcat.
  3. (Optional) Log in to Jamf Pro and configure an LDAP server connection. For more information, see the Jamf Pro Administrator's Guide.
  4. Once you have configured an LDAP server connection, verify that the LDAP server queries are working by logging in to Jamf Pro with an Active Directory user.

Step 4:

Configure Jamf Pro to use SSL.

Version 9.0 or Later

  1. Log in to Jamf Pro.
  2. In the top-right corner of the page, click Settings.
  3. Click System Settings.
  4. Click LDAP Servers.
  5. Click the LDAP server you want to use LDAPS for.
  6. Click Edit.
  7. Select the Use SSL checkbox. Ensure that the fully qualified domain name or URL of your authentication server (the server you are connecting to) matches the Common Name (CN) or a Subject Alternative Name (SAN) in the server's certificate.
  8. (Version 9.96 or later only) Upload the certificate using the Upload Certificate button.
  9. Click Save.
  10. Test LDAP attribute mappings to ensure that LDAP over SSL is working:
    a. Click Test.
    b. Click the appropriate tab and enter information in the field(s) provided.
    c. Click Test again.
  11. Repeat steps 5-9 for each LDAP server.

Version 8.7 or Earlier

  1. Log in to the JSS with a web browser.
  2. Click Settings.
  3. Click LDAP Server Connections.
  4. Click Edit across from a defined LDAP Server.
  5. Select the Encrypt using SSL checkbox.
  6. Select the Use custom port checkbox and specify the port on which the AD Server is accepting LDAPS requests. The default port is 636.
  7. Click Save.
  8. On the LDAP Server Connections pane, click Test across from the server and look up a user to verify that the LDAP over SSL is working.
  9. Repeat steps 4-8 for each defined LDAP Server.

For information on common connection issues that can occur when configuring LDAP over SSL in Jamf Pro, see the LDAP Server Connections in Jamf Pro Knowledge Base article.
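A diagnostic for the two conditions Step 3 and Step 4 (step 7) depend on, added here as an example and not part of the Jamf article: the domain controller's certificate must chain to the root CA you imported, and the name Jamf Pro connects to must appear in the certificate's SAN (or in the CN only when the certificate has no DNS SAN, the precedence rule Java's hostname checker applies). The host name dc01.corp.example and the file RootCA.pem are hypothetical; the script reports an untrusted chain separately from a name mismatch, which Jamf Pro's own error message usually does not distinguish.

```python
import socket
import ssl


def _label_matches(pattern, hostname):
    """RFC 6125-style name match: exact, or one leftmost '*' wildcard label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # the wildcard stands for exactly one label, so label counts must agree
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def hostname_matches(cert, hostname):
    """cert has the dict shape returned by ssl.SSLSocket.getpeercert().
    DNS entries in the SAN are authoritative; the CN is consulted only when
    the certificate carries no DNS SAN at all (the rule Java's checker uses)."""
    san_names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san_names:
        return any(_label_matches(n, hostname) for n in san_names)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _label_matches(value, hostname)
    return False


def fetch_dc_cert(host, port=636, cafile=None):
    """Open an LDAPS connection to the domain controller, verifying the chain
    against cafile (the root CA imported in Step 3; None = system store) but
    deferring the name check so the two failure modes are reported apart."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False            # name check is done by hostname_matches
    ctx.verify_mode = ssl.CERT_REQUIRED   # an untrusted chain still fails here
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    import sys  # usage: python ldaps_check.py dc01.corp.example [RootCA.pem] (hypothetical names)
    dc_host, ca_path = sys.argv[1], (sys.argv[2] if len(sys.argv) > 2 else None)
    try:
        peer = fetch_dc_cert(dc_host, cafile=ca_path)
    except ssl.SSLCertVerificationError as exc:
        sys.exit("chain NOT trusted by %s: %s" % (ca_path or "system store", exc.verify_message))
    print("name %s: %s" % ("OK" if hostname_matches(peer, dc_host) else "MISMATCH",
                           peer.get("subjectAltName") or peer.get("subject")))
```

Run it with the same host name you enter in the Jamf Pro LDAP server settings; a MISMATCH result means the Use SSL checkbox will not work until the certificate is reissued for that name or the server address is changed to one the certificate covers.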

SOLVED Posted: by matt.jamison

How about for people running JSS on Linux and who had used the installer?

SOLVED Posted: by charliwest

Where in the JSS do you tell it the password for the cacert? Thanks

SOLVED Posted: by bluebox

We had trouble with step 3 when we had to import the root ca of cacert.org into Java so that our jss trusts our email server again. The provided paths for the keystore command appear to be different on fresh installs of the latest Java in OS X Mavericks. What worked is the following:

sudo keytool -import -alias youraliasname -file /PATH/TO/YOUR/CERT/CERTNAME.cer -keystore /Library/Java/JavaVirtualMachines/jdk1.7.0_51.jdk/Contents/Home/jre/lib/security/cacerts -storepass changeit

Alex

SOLVED Posted: by afunk

oneloveamaru:

I also am running this software on Linux. From the path in Mac land, I inferred that it's using the system's java keystore. So, on my system, that's located at: /usr/lib64/jvm/java-1.6.0-openjdk-1.6.0/jre/lib/security. From there, I imported the CA certs as you'd expect:
keytool -import -trustcacerts -alias ecmc-ca-a -keystore cacerts -file /etc/ssl/certs/ecmc-ca-a.pem
keytool -import -trustcacerts -alias ecmc-ca-a1 -keystore cacerts -file /etc/ssl/certs/ecmc-ca-a1.pem
If you want, you can verify with:
keytool -list -v -alias ecmc-ca-a -keystore cacerts
keytool -list -v -alias ecmc-ca-a1 -keystore cacerts

Note: I have two certificates, because our company has a primary CA, and an intermediate CA. Java isn't picky about the alias, so you can make it whatever you'd like to identify your cert, and import as many as you need. Best of luck!

SOLVED Posted: by matt.jamison

@afunk Thanks for the instructions. It appears you are using Ubuntu? I'm using RHEL and don't have those files. I would also like JAMF to send me the instructions so I know it's their supported way.

SOLVED Posted: by afunk

@oneloveamaru I'm actually using SLES 11 SP3. I had to twist its arm to get OpenJDK on there :) The ecmc-ca-a(1)?.pem certificates are my company's internal CAs, and those were placed in /etc/ssl/certs manually by me. You can alter that path to wherever your internal CA's certificate is. The jre/lib/security path may be somewhere else, depending on which JDK you're using and how it's installed. Just search your system for a file named "cacerts", and you should find a similar path. Or, you can use 'which java' and chase down the symlinks to find out where java is actually kept on your system.

SOLVED Posted: by tkimpton

need proper instructions for RHEL

SOLVED Posted: by Kyuubi

Yes please. RHEL instructions would be great

SOLVED Posted: by RobertHammen

Also needs instructions for Windows. I can figure it out, but not everyone should.

In general, these Knowledge Base articles should never assume OS X and should be revised with instructions for each supported OS. I'm sure this is old enough that it was written when the JSS only ran on OS X, but that's been a few years.

SOLVED Posted: by matt.jamison

@Kyuubi @tkimpton and other people who need RHEL instructions.

I am running OpenJDK 7u71. The jvm directory should be symlinked if you are using something else.

cd to /usr/lib/jvm/java/jre/lib/security/ and verify you see cacerts. It should be a file symlink to /etc/pki/java/cacerts.

cd to /etc/pki/java/ and make a copy of cacerts first, so you have a backup. Then make sure you have your CA cert on the system so we can import it.

keytool -import -alias <alias> -keystore cacerts -trustcacerts -file <certificate_filename>

Alias whatever you want; I put my CA server name. Password: "changeit" w/o quotes.

You should see a message that says "Certificate was added to keystore"

After you run that guy, restart tomcat and you should be good.

Let me know if you run into any problems.

SOLVED Posted: by tkimpton

Thanks I worked it out a different way. Thanks though good to know this :)

SOLVED Posted: by matt.jamison

@tkimpton I had it working another way as well. I created a keystore with just my CA cert in it and specified it in Tomcat using JAVA_OPTS.

However, doing it this way stopped Tomcat from using the default cacerts, so Tomcat was unable to connect to anything SSL based, except my LDAPS server. I learned this the hard way. Even JAMF Support couldn't figure out what was wrong.

Just a caution to anyone.

SOLVED Posted: by jyergatian

FYI. Manually importing the internal certificate(s) to this particular keystore on RHEL (and likely Ubuntu) will cause issues down the road. Updating ca-certificates causes the keystore to be rebuilt with an automatic call of update-ca-trust extract. This will remove the internal certificate(s) and cause authentication over LDAPS to fail.

The correct method dictated by ca-certificates is placing your certificate(s) in its anchors directory found at /etc/pki/ca-trust/source/anchors/. update-ca-trust extract automatically includes all certificates found within this folder, so when ca-certificates is updated, your internal certificate(s) will be included in the rebuild. Once you have manually placed your certificate(s) in the anchors directory, simply run update-ca-trust extract to force the rebuild process.

This build process completes with the same end-result as importing the certificate(s) manually using keytool.

SOLVED Posted: by robo

@jyergatian - at least on Ubuntu (haven't checked RHEL), updating ca-certificates adds and removes specific certificates from the Java trust store. It doesn't overwrite the entire file, and it leaves additional certs, such as user-added ones, in place.

SOLVED Posted: by jason.bracy

Is this any different with JAMF-Pro 10.8?

SOLVED Posted: by spgsitsupport

Anybody any idea how to get JIM to use SSL?

I can connect to my LDAP from the JIM machine using JXplorer after importing the RootCA certificate.

So I did edit the installed Java cacerts as per above; it still does NOT connect and, worse, I get no meaningful error in any logs.

No SSL (389) works perfectly fine from jamfcloud.com.

Seb

SOLVED Posted: by wakco
8. (Version 9.96 or later only) Upload your root certificate using the Upload Certificate button.

I have a test server (running 10.9) working without an uploaded root certificate, is this required?

SOLVED Posted: by piotr.oszenda

This article has been updated as follows:

  • Added important note in the Requirements section
  • Revised procedure steps for configuring Jamf Pro to use SSL
SOLVED Posted: by piotr.oszenda

This article has been updated. The important note about not supporting untrusted certificates was removed from the Requirements section.
