
Integrating with Secure LDAP in Cloud Identity

Overview

The secure LDAP service allows you to connect Jamf Pro to Cloud Identity. To manually add the secure LDAP server to Jamf Pro, you must configure and manage Jamf Pro as an LDAP client to the secure LDAP service and use Stunnel as a proxy to provide the client certificate to the secure LDAP server.

By integrating secure LDAP with Jamf Pro, you can do the following:

  • Look up and populate user information from the secure LDAP service for inventory purposes.
  • Add Jamf Pro user accounts or groups from the secure LDAP service.
  • Require users to log in to Self Service or the enrollment portal using their LDAP directory accounts.
  • Require users to log in during mobile device setup using their LDAP directory accounts.
  • Base the scope of remote management tasks on users or groups from the secure LDAP service.

Requirements

  • User with an administrator account in Jamf Pro
  • User with a super administrator account in the Google Admin console

Procedure

This procedure involves the following steps:

  1. Configure and Manage Secure LDAP from the Google Admin Console
  2. Install and Configure Stunnel
  3. Configure Jamf Pro to use Google Secure LDAP

Step 1: Configure and Manage Secure LDAP from the Google Admin Console

For instructions about how to add Jamf Pro as an LDAP client to the secure LDAP service, configure access permissions, and download the generated certificate, see the following documentation from Google: https://support.google.com/cloudidentity/answer/9048516

Step 2: Install and Configure Stunnel

Stunnel can be used as a proxy to provide the client certificate to the secure LDAP server. It is recommended that you run Stunnel on the Jamf Pro server. For instructions about how to install and configure Stunnel, see the following documentation from Google: https://support.google.com/cloudidentity/answer/9098476.

Step 3: Configure Jamf Pro to use Google Secure LDAP

  1. Log in to Jamf Pro.
  2. In the top-right corner of the page, click Settings.
  3. Click System Settings.
  4. Click LDAP Servers.
  5. Click New.
  6. Select Configure Manually and click Next.
  7. Click the Connection tab and configure the following settings:
     a. Enter a display name for the server in the Display Name field.
     b. Choose "Configure Manually" from the Directory Service pop-up menu.
     c. Enter the server and port where Stunnel is running in the Server and Port fields.
     d. Choose "Simple" from the Authentication Type pop-up menu.
     e. Enter the username and password generated in the Google Admin console in the Distinguished Username and Password fields.
  8. Click the Mappings tab to configure the user mapping attributes.
  9. Click the User Mappings tab and configure the following settings:
     a. Enter "top,person,uid,ou" in the Object Class(es) field.
     b. Enter your domain name in DN (distinguished name) format in the Search Base field. For example, the DN format for example.com is "dc=example,dc=com".
     c. Enter "mail" in the User ID field.
     d. Enter "uid" in the Username field.
     e. Enter "displayName" in the Real Name field.
     f. Enter "mail" in the Email Address field.
     g. Enter "uid" in the User UUID field.
  10. Click the User Group Mappings tab and configure the following settings:
     a. Enter "groupOfNames" in the Object Class(es) field.
     b. Enter your domain name in DN (distinguished name) format in the Search Base field. For example, the DN format for example.com is "dc=example,dc=com".
     c. Enter "cn" in the Group ID field.
     d. Enter "displayName" in the Group Name field.
     e. Enter "entryUUID" in the Group UUID field.
  11. Configure the User Group Membership Mappings tab as follows:
     a. Choose "User Object" from the Membership Location pop-up menu.
     b. Enter "memberOf" in the Group Membership Mapping field.
     c. Select the Use distinguished name of user groups when searching checkbox.
  12. Click Save.
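As an added example (not code from the article, Jamf or Google), the following Python reproduces the two parts of the Step 3 configuration that are easiest to get wrong: turning the domain into the DN-form Search Base, and the user search filter Jamf Pro assembles from the Object Class(es) and Username mappings (the shape visible in the Jamf Pro debug log quoted later in this thread). The `match_any` parameter and the `bare_username` helper are assumptions made here for illustration; the filter value is RFC 4515-escaped so a typed login name cannot alter the filter logic.

```python
# Added example; mirrors the Step 3 mappings, not Jamf Pro's own code.
OBJECT_CLASSES = ["top", "person", "uid", "ou"]   # Object Class(es) field
USERNAME_ATTR = "uid"                              # Username mapping


def domain_to_search_base(domain: str) -> str:
    """'example.com' -> 'dc=example,dc=com', the DN form the Search Base needs.
    A value already in DN form (contains '=') is returned unchanged."""
    domain = domain.strip()
    if "=" in domain:
        return domain
    labels = [part for part in domain.split(".") if part]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join(f"dc={label}" for label in labels)


def bare_username(login: str) -> str:
    """Assumed helper: Secure LDAP's uid is the G Suite address without '@domain'
    (a reply in this thread notes 'last.first@example.com' binds as 'last.first')."""
    return login.split("@", 1)[0]


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a user-typed name cannot change the filter structure."""
    specials = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
    return "".join(specials.get(ch, ch) for ch in value)


def build_user_filter(username: str, match_any: bool = True) -> str:
    """Filter of the shape the Jamf Pro debug log shows:
    (&(|(objectClass=top)(objectClass=person)(objectClass=uid)(objectClass=ou))(uid=NAME))
    match_any=True corresponds to 'Any ObjectClass Values'. The False branch is an
    assumed rendering of 'All ObjectClass Values': it requires every listed class on
    the entry, a far stricter condition, which is why a reply recommends 'Any'."""
    classes = "".join(f"(objectClass={oc})" for oc in OBJECT_CLASSES)
    class_clause = f"(|{classes})" if match_any else f"(&{classes})"
    return f"(&{class_clause}({USERNAME_ATTR}={escape_filter_value(username)}))"


if __name__ == "__main__":
    print(domain_to_search_base("example.com"))
    print(build_user_filter(bare_username("alex.waddell@example.com")))
```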
Posted by rob.hernandez

For anyone following this guide, there is a step that could be considered missing in Step 9 - User Mappings.

Under Mappings - User Mappings - Object Class Limitations, make sure you select "Any ObjectClass Values". Otherwise, user searches may not return a value correctly. I spent a great deal of time troubleshooting until I stumbled upon this little nugget of information. Hopefully someone else finds it helpful.

Posted by alexmacfbn

I've got this working to the point where the test option in Jamf Pro can look up usernames, but when I try logging into the Self Service app using my username and password it does not work. Any ideas? The Google Secure LDAP logs say credentials invalid, but I'm pasting the same password I use to log in to G Suite with, so it should be OK.

Posted by justein

Good post overall, but since my instance is hosted in Jamf Cloud, I can't use Stunnel to create a tunnel. Any way to do this without Stunnel? Right now, I get no LDAP errors, but I also get no results when searching for users I know exist... For the record, I have cat'ed the public and private key and uploaded them to Jamf (cat pub.crt priv.key > google.pem, uploaded google.pem to Jamf).

Posted by mainelysteve

@alexmacfbn Stupid question but I assume you're not adding your domain to the username, correct? That threw me off initially. For us we use last.first@example.com in gsuite so that would mean for secure ldap it would just be last.first.

@justein I'm on Jamf Cloud as well, but I also have an area carved out in one of my ESXi hosts so that I can spin up a test instance of Jamf Pro on premise. Less messy that way, and it doesn't affect my production environment.

Posted by justein

@mainelysteve I actually had Jamf set up a dev instance for us in Jamf Cloud as well, so I'm not affecting production as it is at the moment. I also want to mimic the setup in production as closely as possible, which is why I would rather get this working than test on prem. Hopefully Jamf writes an official guide that doesn't use Stunnel.

Posted by alexmacfbn

@mainelysteve I've tried both ways. I'm trying to debug it using plain old "ldapsearch" from the command line. It might be a problem with the way we have the Google side of things set up, because I just get "Insufficient access" when using my personal account to try and connect (even though I'm listed on the Cloud Identity page as having a license for it):

ldapsearch -x -LLL -h 127.0.0.1 -p 63000 -D alex@example.com -W -b dc=example,dc=com '(mail=alex@example.com)'
Enter LDAP Password: 
ldap_bind: Insufficient access (50)

This is connecting to the stunnel I've set up that is able to talk to Google.

Posted by mccaskill

The only solution (As of now) to make this work with JamfCloud is to configure the Stunnel on a private server you control then connect that to JAMF and G Suite. Until Jamf has a way to tunnel or work with the certificate, this is the only option we have at the moment.

Posted by scottlep

We have this working on a local macOS JSS. Problem we are having is that when testing user/group lookups, it will only find users/groups in the top level organizational unit in G Suite and will not find any users or groups in any of the sub-orgs. Any suggestions? The sub-orgs are actually additional active domains, not aliases, in the same G Suite account. Do I have to set up LDAP for each domain?

Posted by mainelysteve

@scottlep If the OUs are actual subdomains, i.e. buildinga.example.com or buildingb.example.com, then yes, you would most likely need to configure two LDAP instances in both Google Admin and your Jamf Pro server. If they're just sub-OUs under example.com, then you most likely have your user and group read settings set on Selected Organization Units rather than Entire Domain.

Posted by scottlep

The Access permissions are set for Entire domain for both verify user credentials and read user information. On the phone with Google now.....yay.

Posted by alexwaddell

Has anyone managed to get this working from Jamf Cloud without using stunnel? I have configured it as per https://www.jamf.com/jamf-nation/articles/562/integrating-with-secure-ldap-in-cloud-identity. For the cert I concatenated the .crt and .key into a .pem file, which (I think) should work... Jamf Cloud appears to be able to connect, but the LDAP search returns nothing:

2019-03-20 10:47:48,984 [DEBUG] [ina-exec-22] [DefaultLDAPLookupService ] - Search LDAPServer [ID=2, Name=Google Secure LDAP] for alex.waddell with wildcards true
2019-03-20 10:47:48,985 [DEBUG] [ina-exec-22] [DefaultLDAPLookupService ] - Search Filter: (&(|(objectClass=top)(objectClass=person)(objectClass=uid)(objectClass=ou))(uid=alex.waddell))
2019-03-20 10:47:48,985 [DEBUG] [ina-exec-22] [DefaultLDAPLookupService ] - Open LDAP Connection to Google Secure LDAP
2019-03-20 10:47:48,985 [DEBUG] [ina-exec-22] [DefaultLDAPLookupService ] - Executing LDAP search on base 'dc=<ourdomain>,dc=com' with scope 2
2019-03-20 10:47:49,122 [DEBUG] [ina-exec-22] [DefaultLDAPLookupService ] - Finished LDAP lookup
2019-03-20 10:47:49,122 [DEBUG] [ina-exec-22] [DefaultLDAPLookupService ] - Closing LDAP Connect

Posted by justein

That's the issue everyone else (me) is having... Still waiting for a solution on that one.

Posted by mccaskill

Jamf is actively working on a solution for this! Hopefully we get something soon. Stay tuned!

Posted by ralph.murphy

https://travellingtechguy.eu/jamf-pro-google-secure-ldap/

Posted by rob.hernandez

We ran into an issue with our on-prem Jamf servers where Group lookups would fail with an ADMIN_LIMIT_EXCEEDED error, even when searching with known group names and wildcard searching turned off. If you are running into this issue, try changing the Group Name Attribute Mapping under User Group Mappings to CN instead of displayName.

I don't know why this worked for us but have reached out to Jamf and Google for assistance in determining where the issue might be.

Posted by sharriston

Has anyone figured out how to get Jamf Pro to show the OU of a user? I have used ou and organizationalUnit as my mapping, but neither works.

Posted by pauljohnston

Any updates on this? Is stunnel still the only option? Going through the sales process for Jamf Cloud, at no point did they tell us "you are going to need to host your own stunnel server in-between our cloud and Google's cloud - good luck" - kinda defeats the point of cloud hosting

Posted by mccaskill

@pauljohnston JAMF is actively working on integrating this into JAMF Pro. I worked with one of their wonderful UX developers to test this out a couple of months ago. I think it's just a "Stay Tuned" type of situation. They most likely will have it, just no word officially yet.

Posted by pauljohnston

@mccaskill Thanks for the feedback, hopefully it's soon!
