Configuring Jamf Pro to Use LDAP Over SSL When Authenticating with Active Directory
This article explains how to configure the Jamf Pro server to perform authentication with Active Directory (AD) using LDAP over SSL (LDAPS) instead of LDAP.
The general process is as follows:
- AD administrator generates a certificate request and sends it to the certificate authority (CA)
- CA generates a certificate from the request and sends the certificate chain to the AD administrator
- AD administrator installs the signed certificate and root certificate on the domain controller queried by Jamf Pro
- Jamf Pro administrator installs root certificate into Java keystore and restarts Tomcat (only if using Jamf Pro 9.93 or earlier)
- Jamf Pro administrator configures Jamf Pro to use SSL
The following components are required to complete the steps in this article:
- Access to certificates from your CA
- Access to the Jamf Pro server
- Terminal application or command prompt (only if using Jamf Pro 9.93 or earlier)
Step 1:
Generate a certificate for the AD server that is signed by your CA and accept the issued certificate. Follow the guidelines in the Microsoft article "How to enable LDAP over SSL with a third-party certification authority", available at:
Step 2:
If the domain controller already has the root certificate installed in its Trusted Root Certification Authorities store, skip to the next step. If not, import it by following the instructions provided by Microsoft, available at:
Step 3: (Only for versions earlier than 9.96)
Import the root certificate of the CA into the Java truststore.
On the Jamf Pro host server, navigate to the Java security directory.
For Java 8, the directory is located in:
Red Hat Enterprise Linux
- Import the root certificate into the Java truststore by executing:
sudo keytool -import -trustcacerts -alias RootCA -keystore cacerts -file /Users/admin/Desktop/RootCA.cer
When prompted with the message "Trust this certificate?", type "Yes" and press the Enter key. The result should be "Certificate was added to keystore".
Note: If prompted for a keystore password, the default password will be either "changeme" or "changeit", depending on your operating system and the version of Java installed on the Jamf Pro host server.
- Restart Tomcat. For complete instructions, see Starting and Stopping Tomcat.
Step 4:
(Optional) Log in to Jamf Pro and configure an LDAP server connection. For more information, see the Jamf Pro Administrator's Guide.
Once you have configured an LDAP server connection, verify that the LDAP server queries are working by logging in to Jamf Pro with an Active Directory user.
Step 5:
Configure Jamf Pro to use SSL.
Version 9.0 or Later
- Log in to Jamf Pro.
- In the top-right corner of the page, click Settings.
- Click System Settings.
- Click LDAP Servers.
- Click the LDAP server you want to use LDAPS for.
- Click Edit.
- Select the Use SSL checkbox.
- (Version 9.96 or later only) Upload your root certificate using the Upload Certificate button.
- Click Save.
- Test LDAP attribute mappings to ensure that LDAP over SSL is working:
a. Click Test.
b. Click the appropriate tab and enter information in the field(s) provided.
c. Click Test again.
- Repeat steps 5-9 for each LDAP server.
Version 8.7 or Earlier
- Log in to the JSS with a web browser.
- Click Settings.
- Click LDAP Server Connections.
- Click Edit across from a defined LDAP Server.
- Select the Encrypt using SSL checkbox.
- Select the Use custom port checkbox and specify the port on which the AD Server is accepting LDAPS requests. The default port is 636.
- Click Save.
- On the LDAP Server Connections pane, click Test across from the server and look up a user to verify that the LDAP over SSL is working.
- Repeat steps 4-8 for each defined LDAP Server.
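The Test button in either version only tells you that a lookup failed, not why. The following script is an added example, not part of the Jamf article or of Jamf's own tooling: run from the Jamf Pro host, it performs the same TLS handshake a Java LDAPS client would against the domain controller on port 636, reports whether the chain validates against the root certificate from Steps 1 and 2, prints the subject and expiry of the certificate the DC presents (a subject or SAN that does not match the hostname Jamf Pro is configured with is the usual cause of a failed test), and, for Jamf Pro 9.93 or earlier, confirms the RootCA alias from Step 3 is present in the Java truststore. The hostname dc01.example.com, the truststore path, and the use of openssl and keytool on the host are assumptions; the root certificate path and default keystore passwords are the ones the article gives.

```shell
#!/bin/sh
# Added example (not from the Jamf article): pre-flight checks for an LDAPS domain controller
# before, or after, enabling "Use SSL" in Jamf Pro. Assumed values, override via environment:
#   DC_HOST    - FQDN of the domain controller Jamf Pro queries (assumption: dc01.example.com)
#   LDAPS_PORT - LDAPS port; 636 is the default named in the article
#   ROOT_CA    - root certificate of the CA that signed the DC certificate (path from the article)
#   CACERTS    - Java truststore (only relevant to Jamf Pro 9.93 and earlier)
DC_HOST="${DC_HOST:-dc01.example.com}"
LDAPS_PORT="${LDAPS_PORT:-636}"
ROOT_CA="${ROOT_CA:-/Users/admin/Desktop/RootCA.cer}"
CACERTS="${CACERTS:-cacerts}"

# Pull the numeric "Verify return code" out of openssl s_client output.
# 0 means the DC's chain validated against ROOT_CA; anything else is a trust failure
# (for example 19 = self-signed certificate in chain, 21 = unable to verify the first certificate).
parse_verify_code() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Summarise the leaf certificate the DC presents: subject, issuer and expiry.
# The subject (or SAN) must match the hostname entered in Jamf Pro's LDAP server settings.
describe_leaf() {
    printf '%s\n' "$1" | openssl x509 -noout -subject -issuer -enddate 2>/dev/null
}

# Handshake with the DC the way a Java LDAPS client does: SNI set to the hostname, chain
# checked against ROOT_CA, hostname checked against the certificate (-verify_hostname needs
# OpenSSL 1.1.0 or later). stdin is closed so s_client exits after the handshake.
fetch_handshake() {
    openssl s_client -connect "$DC_HOST:$LDAPS_PORT" -servername "$DC_HOST" \
        -CAfile "$ROOT_CA" -verify_hostname "$DC_HOST" </dev/null 2>&1
}

# Confirm the RootCA alias from Step 3 is in the Java truststore (Jamf Pro 9.93 and earlier),
# trying both default store passwords the article mentions.
java_trusts_root() {
    for pw in changeit changeme; do
        if keytool -list -keystore "$CACERTS" -storepass "$pw" -alias RootCA >/dev/null 2>&1; then
            return 0
        fi
    done
    return 1
}

run_checks() {
    out=$(fetch_handshake)
    code=$(parse_verify_code "$out")
    echo "LDAPS endpoint: $DC_HOST:$LDAPS_PORT"
    describe_leaf "$out"
    if [ "$code" = "0" ]; then
        echo "Chain validates against $ROOT_CA"
    else
        echo "Chain does NOT validate (openssl verify code: ${code:-none}); check the root certificate" >&2
        return 1
    fi
    if [ -f "$CACERTS" ]; then
        if java_trusts_root; then
            echo "Java truststore $CACERTS contains alias RootCA"
        else
            echo "Alias RootCA missing from $CACERTS; rerun the keytool import and restart Tomcat" >&2
            return 1
        fi
    fi
}

# Network checks run only when asked, so the functions can also be sourced:
#   DC_HOST=dc01.example.com sh ldaps_check.sh check
case "${1:-}" in
    check) run_checks ;;
esac
```

Run it with the same hostname you type into the Jamf Pro LDAP server settings, not the IP address: the hostname check is part of what the Java client enforces, so a certificate issued only to the FQDN will fail if Jamf Pro is pointed at a short name or address.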