LDAP Server Connections in Jamf Pro

Overview

This article explains LDAP server connections in Jamf Pro and how to troubleshoot them.

LDAP Connections

To allow Jamf Pro to connect to your LDAP server, you must provide the following information:
- The DNS name (recommended) or IP address of the LDAP server, and its listening port number
- The LDAP server account (the user distinguished name that is used to connect to the LDAP server) and the associated password

LDAP over SSL Connections

LDAP connections can be established inside an SSL session, which ensures that data sent between the LDAP client (Jamf Pro) and the LDAP server is encrypted. LDAP server connections over SSL use TCP port 636 by default; a custom LDAP server configuration can use other ports.

A successful connection requires that the LDAP server presents its server certificate when a client requests an SSL connection, and that the client is configured with the trusted root certificate of the CA that issued the server certificate. When configuring Jamf Pro to use secure LDAP connections, ensure that the fully qualified domain name or URL of your authentication server (the server you are trying to connect to) matches the Common Name (CN) or the Subject Alternative Name (SAN) in the server certificate.

LDAP Server Proxy Connections

The LDAP Proxy is hosted by the Infrastructure Manager, a service that is managed by Jamf Pro. After you install an instance of the Infrastructure Manager, Jamf Pro allows you to enable an LDAP proxy connection if you have an LDAP server set up in Jamf Pro. For more information, see Jamf Infrastructure Manager Instances in the Jamf Pro Administrator's Guide.

The connection between your Infrastructure Manager instance and the LDAP server over SSL must be verified. Verification may take some time, depending on the Recurring Check-In Frequency setting in your Infrastructure Manager instance configuration, and LDAP connections work only after verification succeeds. To find out the status of the verification, see the Jamf Pro Notifications section.

Common LDAP Connection Issues

If you are unable to save your LDAP server configurations or the connection failure notification is displayed in Jamf Pro, it could be caused by one of the following issues:

| Issue | Resolution |
| --- | --- |
| Server name does not match the name on the certificate | Ensure that the fully qualified domain name or URL of your authentication server (the server you are trying to connect to) matches the Common Name (CN) or the Subject Alternative Name (SAN). |
| Invalid certificate trust chain | Ensure that the issuing Certificate Authority (CA) or one of its parents is in the client's list of trusted root CAs. |
| No CA certificate, expired CA certificate, not yet valid CA certificate, or revoked CA certificate | Ensure that you have uploaded a valid CA certificate that falls within the issuer's validity period. |
| Certificate is not in the DER or PEM format | Ensure that your CA certificate is in the .der or .pem format. You may want to use openssl commands in the Terminal application or other tools to convert your certificate to the proper format. |

Note: Keep in mind that each LDAP server configuration is dependent on your LDAP service provider, which may result in additional issues. For information on troubleshooting a specific issue, see your service provider's help documentation.
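
The name-mismatch and validity-period issues listed above can be checked offline. The following is an added example, not part of the original article and not Jamf Pro's own validation code; it works on a certificate in the dict form returned by Python's `ssl.SSLSocket.getpeercert()`. The sample certificate, host names and function names are constructed for illustration, and the wildcard rule (a `*` covers only the whole left-most label) is an assumed common convention rather than documented Jamf behavior.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample in the dict shape returned by ssl.SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subject": ((("commonName", "ldap.example.com"),),),
    "subjectAltName": (("DNS", "ldap.example.com"), ("DNS", "*.dir.example.com")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2024 GMT",
}

def name_matches(pattern, host):
    """Case-insensitive label match; '*' may only stand for the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def matched_by(cert, host):
    """Return 'SAN', 'CN' or None for the host name configured on the client."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k in ("DNS", "IP Address")]
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if any(name_matches(n, host) for n in sans):
        return "SAN"
    # Some TLS clients ignore the CN, so a CN-only match is worth noting.
    if any(name_matches(n, host) for n in cns):
        return "CN"
    return None

def diagnose(cert, host, now=None):
    """List the name and validity-period problems found for this certificate."""
    if now is None:
        now = datetime.now(timezone.utc).timestamp()
    problems = []
    if matched_by(cert, host) is None:
        problems.append("server name does not match CN or SAN")
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("certificate is not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("certificate has expired")
    return problems

if __name__ == "__main__":
    june = datetime(2024, 6, 1, tzinfo=timezone.utc).timestamp()
    for host in ("ldap.example.com", "dc1.dir.example.com", "10.0.0.5"):
        print(host, matched_by(SAMPLE_CERT, host), diagnose(SAMPLE_CERT, host, june))
```

Configuring the server by IP address (`10.0.0.5` in the sample) fails the name check because the constructed certificate lists only DNS names, which is one reason the DNS name is the recommended form.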

SOLVED Posted: by erict

If you're on prem or you have access to your server, you might find other useful information here:

/usr/local/tomcat/logs# tail -f JAMFSoftwareServer.log

Depending on where your tomcat logs are. This told me immediately that I was having a credential error with my LDAP account.

SOLVED Posted: by piotr.oszenda

This article has been updated as follows:
• Changed title (previous: "Troubleshooting LDAP over SSL Connection Issues in Jamf Pro")
• Added information about connection types
