This article explains LDAP server connections in Jamf Pro and how to troubleshoot them.
To allow Jamf Pro to connect to your LDAP server, you must provide the following information:
- the DNS name (recommended) or IP address of the LDAP server, and the port it listens on
- the LDAP server account (the distinguished name of the user that Jamf Pro binds as) and the associated password
LDAP connections can be established in an SSL session. This ensures that data sent between the LDAP client (Jamf Pro) and the LDAP server is encrypted. LDAP server connections over SSL use TCP port 636 by default; a custom LDAP server configuration can use other ports. A successful connection requires that the LDAP server is configured to present its server certificate when a client requests an SSL connection, and that the client is configured with the trusted root certificate of the CA that issued the server certificate. When configuring Jamf Pro to use secure LDAP connections, ensure that the fully qualified domain name or URL of your authentication server (the server you are trying to connect to) matches the Common Name (CN) or a Subject Alternative Name (SAN) in the certificate.
The LDAP Proxy is hosted by the Infrastructure Manager, a service that is managed by Jamf Pro. After you install an instance of the Infrastructure Manager, Jamf Pro allows you to enable an LDAP proxy connection if you have an LDAP server set up in Jamf Pro. For more information, see Jamf Infrastructure Manager Instances in the Jamf Pro Administrator's Guide. The connection between your infrastructure manager instance and the LDAP server over SSL needs to be verified. This may take some time depending on the Recurring Check-In Frequency setting of your infrastructure manager instance configuration. LDAP connections will work only after the successful verification. To find out the status of the verification, see the Jamf Pro Notifications section.
If you are unable to save your LDAP server configurations or the connection failure notification is displayed in Jamf Pro, it could be caused by one of the following issues:
| Issue | Resolution |
|---|---|
| Server name does not match the name on the certificate | Ensure that the fully qualified domain name or URL of your authentication server (the server you are trying to connect to) matches the Common Name (CN) or a Subject Alternative Name (SAN) in the certificate. |
| Invalid certificate trust chain | Ensure that the issuing Certificate Authority (CA) or one of its parents is in the client's list of trusted root CAs. |
| No CA certificate, expired CA certificate, not yet valid CA certificate, or revoked CA certificate | Ensure that you have uploaded a valid CA certificate that falls within the issuer's validity period. |
| Certificate is not in the DER or PEM format | Ensure that your CA certificate is in the .der or .pem format. You may want to use openssl commands in the Terminal application or other tools to convert your certificate to the proper format. |
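As an added diagnostic example (not Jamf's own code), the Python helpers below reproduce the checks in the table above: they detect whether a CA file is DER or PEM, match the server FQDN against the certificate's CN/SAN the way a TLS client does, and map the verification error from a real LDAPS handshake to one of the table's categories. The category labels, `diagnose_ldaps` function name and example hostnames are assumptions chosen for this illustration.

```python
import socket
import ssl


def detect_cert_format(data: bytes) -> str:
    """Return 'PEM', 'DER' or 'unknown' for the raw bytes of a CA certificate file."""
    if b"-----BEGIN CERTIFICATE-----" in data:
        return "PEM"
    # A DER certificate starts with an ASN.1 SEQUENCE tag (0x30) and a long-form length.
    if len(data) > 2 and data[0] == 0x30 and data[1] & 0x80:
        return "DER"
    return "unknown"


def hostname_matches(hostname: str, cn: str, sans: list) -> bool:
    """True if the FQDN matches a SAN dNSName; the CN is used only when no SANs exist."""
    host = hostname.lower().rstrip(".")
    for name in (sans or [cn]):
        name = name.lower().rstrip(".")
        if name.startswith("*."):
            prefix = host[: -len(name[1:])] if host.endswith(name[1:]) else ""
            if prefix and "." not in prefix:  # wildcard covers exactly one label
                return True
        elif name == host:
            return True
    return False


def classify_verify_error(msg: str) -> str:
    """Map an OpenSSL verification message to the troubleshooting category it belongs to."""
    m = msg.lower()
    if "hostname mismatch" in m:
        return "name-mismatch"
    if "unable to get local issuer" in m or "self signed" in m or "self-signed" in m:
        return "untrusted-chain"
    if "expired" in m or "not yet valid" in m or "revoked" in m:
        return "validity"
    return "other"


def diagnose_ldaps(host: str, port: int = 636, cafile=None) -> str:
    """Do a TLS handshake with the LDAP server and report which check failed, if any."""
    ctx = ssl.create_default_context(cafile=cafile)  # cafile: the uploaded CA cert (PEM)
    try:
        with socket.create_connection((host, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return "ok: " + (tls.version() or "TLS")
    except ssl.SSLCertVerificationError as e:
        return classify_verify_error(e.verify_message or str(e))
    except OSError as e:  # DNS failure, connection refused, timeout
        return "network: " + str(e)
```

Run `diagnose_ldaps("ldap.example.com", 636, "ca.pem")` against your own server to see which table row applies; the other three functions work offline on values you paste in.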