You cannot successfully integrate with an Active Directory (AD) server using the LDAP Server Connection Assistant in the JSS.
Apache Directory Studio is useful for troubleshooting an LDAP connection to AD. It is available for free at:
To use Apache Directory Studio to troubleshoot an LDAP connection to AD:
Enter a connection name.
Enter the host name of the AD server.
Click Check Network Parameter and verify that the host name resolves correctly.
If the connection fails, see the "Additional Information" section.
Once the connection is established successfully, click OK, and then click Next.
Choose an authentication method.
Enter credentials for a bind user in AD (an AD user with permissions to browse LDAP).
There are three formats you can use for the bind DN or username:
Distinguished name (DN)
The full path to the common name of the object. For example, "CN=Administrator,OU=Users,DC=ad,DC=jamfsw,DC=corp".
For more information on how to find the DN or username for the bind user, see the "Additional Information" section.
In the JSS, enter the hostname and domain of the AD server, and then click Continue.
The domain is the value for the "dc" attribute in Apache Directory Studio.
In the JSS, enter credentials for a bind user in AD (an AD user with permissions to browse LDAP). The username must be the value of the sAMAccountName attribute in Apache Directory Studio.
After you enter the username, the JSS automatically adds "ad\" to the beginning so that it is in the "domain\username" format.
After you finish creating the LDAP server connection, you should view the mappings and verify that the search bases are correct. If the users search base is OU=Test,OU=JAMFSW,DC=ad,DC=jamfsw,DC=corp, you can only search users in the “Test” folder.
You can modify the search base to include a wider search range. For example, if you change the search base to DC=ad,DC=jamfsw,DC=corp, you can search all computers in the domain.
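The following script, added here as an example and not code from Jamf or Apache Directory Studio, shows why the search base matters: it splits distinguished names into their RDNs (handling backslash-escaped commas), derives the domain from the DC components, and reports which of a few constructed sample users each search base would return. The sample user DNs are made up for the article's ad.jamfsw.corp domain.

```python
"""Check which AD user DNs fall inside a given JSS users search base."""
import re


def split_dn(dn: str) -> list[tuple[str, str]]:
    """Split 'CN=Bob,OU=Test,DC=ad,...' into [(type, value), ...].

    A comma escaped as '\\,' is part of a value (RFC 4514), not a separator.
    Types and values are lower-cased because AD compares them case-insensitively.
    """
    parts = re.split(r'(?<!\\),', dn.strip())
    rdns = []
    for part in parts:
        attr, _, value = part.partition('=')
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def dn_within_base(dn: str, base: str) -> bool:
    """True if dn is the base entry itself or an entry below it in the tree."""
    dn_rdns, base_rdns = split_dn(dn), split_dn(base)
    if len(base_rdns) > len(dn_rdns):
        return False
    return dn_rdns[-len(base_rdns):] == base_rdns


def domain_from_dn(dn: str) -> str:
    """Join the DC components: the domain value the JSS assistant asks for."""
    return '.'.join(value for attr, value in split_dn(dn) if attr == 'dc')


def matching_users(base: str, user_dns: list[str]) -> list[str]:
    """Return the user DNs that a search rooted at `base` can see."""
    return [dn for dn in user_dns if dn_within_base(dn, base)]


# Constructed sample DNs (hypothetical users, not from the article).
SAMPLE_USERS = [
    "CN=Administrator,OU=Users,DC=ad,DC=jamfsw,DC=corp",
    "CN=tester,OU=Test,OU=JAMFSW,DC=ad,DC=jamfsw,DC=corp",
    "CN=Smith\\, Jane,OU=Test,OU=JAMFSW,DC=ad,DC=jamfsw,DC=corp",
]
NARROW_BASE = "OU=Test,OU=JAMFSW,DC=ad,DC=jamfsw,DC=corp"
WIDE_BASE = "DC=ad,DC=jamfsw,DC=corp"

if __name__ == "__main__":
    for base in (NARROW_BASE, WIDE_BASE):
        print(f"search base {base} (domain {domain_from_dn(base)}):")
        for dn in matching_users(base, SAMPLE_USERS):
            print("   ", dn)
```

With the narrow base only the two users under the "Test" OU are returned; with the domain-wide base all three are.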
This section explains how to:
The connection to the AD server may fail if:
To ensure that you can reach the server, execute the following command and verify that you receive a response:
To verify that the server uses the port that you entered in Apache Directory Studio, execute a command similar to the following and verify that you receive a connected status:
telnet ad.jamfsw.corp 389
To verify the encryption method of the AD server, contact your AD administrator.
You can find the DN or username for the bind user by opening ADUC, right-clicking a user, and choosing Properties.
To find the distinguished name, click the Attribute Editor tab.
To find the domain and sAMAccountName or the userPrincipalName, click the Account tab. The domain and sAMAccountName are in the User logon name (pre-Windows 2000) fields. The userPrincipalName is in the User logon name field.
Authentication with the bind DN or username may fail if:
Contact your AD administrator.