You cannot successfully integrate with an Active Directory (AD) server using the LDAP Server Connection Assistant in Jamf Pro.
Apache Directory Studio is useful for troubleshooting an LDAP connection to AD. It is available for free at:
To use Apache Directory Studio to troubleshoot an LDAP connection to AD:
- Open Apache Directory Studio.
- Add a new LDAP connection.
Enter a connection name.
Enter the host name of the AD server.
- If you have a custom environment, modify the port and encryption method as needed.
Note: Using an encryption method allows Jamf Pro to perform authentication with AD using LDAP over SSL (LDAPS). For more information, see "Configuring Jamf Pro to Use LDAP Over SSL When Authenticating with Active Directory".
Click Check Network Parameter and verify that the host name resolves correctly.
If the connection fails, see the "Additional Information" section.
Once the connection is established successfully, click OK, and then click Next.
Choose an authentication method.
Note: Jamf Pro supports Simple, CRAM-MD5, and DIGEST-MD5 authentication types only.
Enter credentials for a bind user in AD (an AD user with permissions to browse LDAP).
There are three formats you can use for the bind DN or username:
Distinguished name (DN)
The full path to the common name of the object. For example, "(CN=Administrator,OU=Users,DC=ad,DC=jamfsw,DC=corp)".
- Domain and sAMAccountName
For example, "AD\administrator".
For example, "email@example.com".
For more information on how to find the DN or username for the bind user, see the "Additional Information" section.
- Click Check Authentication to verify the credentials.
If the authentication fails, see the "Additional Information" section.
- Once the correct credentials are entered and verified, click OK, and then click Finish.
- Log in to Jamf Pro.
- In the top-right corner of the page, click Settings.
- Click System Settings.
- Click LDAP Server, and then click New.
- Select Microsoft's Active Directory and then click Next.
- Enter the hostname or IP address of the LDAP server, and then click Next.
- Enter the domain of the LDAP server.
The domain is the value for the "dc" attribute in Apache Directory Studio.
- Enter credentials for a bind user in AD (an AD user with permissions to browse LDAP). The username must be value for the sAMAccountName attribute in Apache Directory Studio.
After you enter the username, Jamf Pro automatically adds "ad\" to the beginning so that it is in the "domain\username" format.
- Enter two users to verify attribute mappings for, and then click Next. The usernames must be the values for the sAMAccountName attributes in Apache Directory Studio.
Jamf Pro will use these usernames to determine the search base for the LDAP server connection. You will be able to use the LDAP server connection to search for users that share the lowest common denominator of these two usernames. For example, if you want to be able to search for users in two different organizational units (OUs), you must enter a username from each OU.
- Verify the attribute mappings for the users and click Next.
These mappings are based on settings in ADUC. If you want to use custom mappings, you can enter them here or wait until later. Click the ellipsis (...) button to edit mappings.
- Enter two groups to verify group membership mappings for, and then click Next. The groups must be the values for the sAMAccountName attributes in Apache Directory Studio.
You should choose two groups that the users from step 20 are members of.
- Verify the group membership mappings and click Next.
- Click Save.
After you finish creating the LDAP server connection, you should view the mappings and verify that the search bases are correct. If the users search base is OU=Test,OU=JAMFSW,DC=ad,DC=jamfsw,DC=corp, you can only search users in the “Test” folder.
You can modify the search base to include a wider search range. For example, if you change the search base to DC=ad,DC=jamfsw,DC=corp, you can search all computers in the domain.
This section explains how to:
- Troubleshoot a failed connection to the AD server
- Find the DN or username for the bind user in Active Directory Users and Computers (ADUC)
- Troubleshoot failed authentication with the bind DN or username
Troubleshooting a Failed Connection
The connection to the AD server may fail if:
- Apache Directory Studio cannot reach the AD server
- The port entered in Apache Directory Studio is incorrect
- The encryption method in Apache Directory Studio does not match the encryption method of the AD server
To ensure that you can reach the server, execute the following command and verify that you receive a response:
To verify that the server uses the port that you entered in Apache Directory Studio, execute a command similar to the following and verify that you receive a connected status:
telnet ad.jamfsw.corp 389
To verify the encryption method of the AD server, contact your AD administrator.
Finding the DN or Username for the Bind User
You can find the DN or username for the bind user by opening ADUC, right-clicking a user, and choosing Properties.
To find the distinguished name, click the Attribute Editor tab.
To find the domain and sAMAccountName or the userPrincipalName, click the Account tab. The domain and sAMAccountName is in the User logon name (pre-Windows 2000) fields. The userPrincipalName is in the User logon name field.
Troubleshooting Failed Authentication with the Bind DN or Username
Authentication with the bind DN or username may fail if:
- The bind user entered does not exist in AD
- The bind user entered does not have permission to browse LDAP
- The DN or username is not formatted properly
Contact your AD administrator.