
Integrating with Secure LDAP in Cloud Identity

Overview

The secure LDAP service allows you to connect Jamf Pro to Cloud Identity. To manually add the secure LDAP server to Jamf Pro, you must configure and manage Jamf Pro as an LDAP client to the secure LDAP service and use Stunnel as a proxy to provide the client certificate to the secure LDAP server.

By integrating secure LDAP with Jamf Pro, you can do the following:

  • Look up and populate user information from the secure LDAP service for inventory purposes.
  • Add Jamf Pro user accounts or groups from the secure LDAP service.
  • Require users to log in to Self Service or the enrollment portal using their LDAP directory accounts.
  • Require users to log in during mobile device setup using their LDAP directory accounts.
  • Base the scope of remote management tasks on users or groups from the secure LDAP service.

Requirements

  • User with an administrator account in Jamf Pro
  • User with a super administrator account in the Google Admin console

Procedure

This procedure involves the following steps:

  1. Configure and Manage Secure LDAP from the Google Admin Console
  2. Install and Configure Stunnel
  3. Configure Jamf Pro to use Google Secure LDAP

Step 1: Configure and Manage Secure LDAP from the Google Admin Console

For instructions about how to add Jamf Pro as an LDAP client to the secure LDAP service, configure access permissions, and download the generated certificate, see the following documentation from Google: https://support.google.com/cloudidentity/answer/9048516

Step 2: Install and Configure Stunnel

Stunnel can be used as a proxy to provide the client certificate to the secure LDAP server. It is recommended that you run Stunnel on the Jamf Pro server. For instructions about how to install and configure Stunnel, see the following documentation from Google: https://support.google.com/cloudidentity/answer/9098476.

Step 3: Configure Jamf Pro to use Google Secure LDAP

  1. Log in to Jamf Pro.
  2. In the top-right corner of the page, click Settings.
  3. Click System Settings.
  4. Click LDAP Servers.
  5. Click New.
  6. Select Configure Manually and click Next.
  7. Click the Connection tab and configure the following settings:
     a. Enter a display name for the server in the Display Name field.
     b. Choose "Configure Manually" from the Directory Service pop-up menu.
     c. Enter the server and port where Stunnel is running in the Server and Port fields.
     d. Choose "Simple" from the Authentication Type pop-up menu.
     e. Enter the username and password generated in the Google Admin console in the Distinguished Username and Password fields.
  8. Click the Mappings tab to configure the user mapping attributes.
  9. Click the User Mappings tab and configure the following settings:
     a. Enter "top,person,uid,ou" in the Object Class(es) field.
     b. Enter your domain name in DN (distinguished name) format in the Search Base field. For example, the DN format for example.com is "dc=example,dc=com".
     c. Enter "mail" in the User ID field.
     d. Enter "uid" in the Username field.
     e. Enter "displayName" in the Real Name field.
     f. Enter "mail" in the Email Address field.
     g. Enter "uid" in the User UUID field.
  10. Click the User Group Mappings tab and configure the following settings:
     a. Enter "groupOfNames" in the Object Class(es) field.
     b. Enter your domain name in DN (distinguished name) format in the Search Base field. For example, the DN format for example.com is "dc=example,dc=com".
     c. Enter "cn" in the Group ID field.
     d. Enter "displayName" in the Group Name field.
     e. Enter "entryUUID" in the Group UUID field.
  11. Configure the User Group Membership Mappings tab as follows:
     a. Choose "User Object" from the Membership Location pop-up menu.
     b. Enter "memberOf" in the Group Membership Mapping field.
     c. Select the "Use distinguished name of user groups when searching" checkbox.
  12. Click Save.
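Before saving, the lookup Jamf Pro will perform can be exercised from the command line on the Jamf Pro server, through the Stunnel listener rather than directly against Google. This is an added example, not part of the original post or of Jamf's or Google's documentation; it assumes Stunnel listens on 127.0.0.1:1636 (override with STUNNEL_HOST and STUNNEL_PORT), that OpenLDAP's ldapsearch is installed, and that the access credentials generated in the Google Admin console are supplied as GOOGLE_LDAP_USER plus a password file named by GOOGLE_LDAP_PASS_FILE.

```shell
#!/bin/sh
# Pre-flight check for the Jamf Pro -> Stunnel -> Google Secure LDAP path.
# Assumed (not from the guide): Stunnel accepts plain LDAP on 127.0.0.1:1636
# and adds TLS plus the client certificate on the way to Google.

# Convert a DNS domain into the DN search base the guide asks for:
# example.com -> dc=example,dc=com
domain_to_dn() {
  printf '%s' "$1" | sed 's/\./,dc=/g; s/^/dc=/'
}

# Escape a value for use inside an LDAP search filter (RFC 4515), so a
# username such as "a*)(uid=*" cannot widen the search beyond one user.
ldap_filter_escape() {
  printf '%s' "$1" | sed 's/\\/\\5c/g; s/\*/\\2a/g; s/(/\\28/g; s/)/\\29/g'
}

# Filter matching the guide's User Mappings: object class person, the
# username attribute is uid.
user_filter() {
  printf '(&(objectClass=person)(uid=%s))' "$(ldap_filter_escape "$1")"
}

# Run the same search Jamf Pro will run and return the attributes the
# guide maps (uid, mail, displayName) plus memberOf for group membership.
# $1 = domain, $2 = username to look up. The password is read from a file
# (-y) so it never appears in the process list.
check_user_lookup() {
  ldapsearch -x -LLL \
    -H "ldap://${STUNNEL_HOST:-127.0.0.1}:${STUNNEL_PORT:-1636}" \
    -D "$GOOGLE_LDAP_USER" -y "$GOOGLE_LDAP_PASS_FILE" \
    -b "$(domain_to_dn "$1")" "$(user_filter "$2")" \
    uid mail displayName memberOf
}

# Only perform the live query when invoked as: sh preflight.sh example.com jdoe
if [ "$#" -eq 2 ] && command -v ldapsearch >/dev/null 2>&1; then
  check_user_lookup "$1" "$2"
fi
```

An empty result with no bind error usually points at the Search Base or Object Class settings rather than at Stunnel; a connection refused error means Stunnel is not listening where Jamf Pro expects it.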
Posted by rob.hernandez

For anyone following this guide, there is a step that could be considered missing in Step 9 - User Mappings.

Under Mappings - User Mappings - Object Class Limitations, make sure you select "Any ObjectClass Values". Otherwise, user searches may not return a value correctly. I spent a great deal of time troubleshooting until I stumbled upon this little nugget of information. Hopefully someone else finds it helpful.
