
Allow LDAP group members to access the API

I'm developing an app that handles a lot of basic functions to remove some human error when handling machines. It interacts with the API, and I had my admin account in the JSS by itself and everything was working fine. I removed my account, since the LDAP groups that it's a part of were in the JSS Users & Groups as well and it was redundant. What happened when I did that was that I started getting 401 responses when trying to load the program as it went to read the sites, computer info, etc.

Playing around, I found that I can log in with my admin account to the JSS webpage and can get to the static computer groups and everywhere else just fine. However, when I navigate manually to the JSS API webpage and try to run a GET request with the same LDAP ID on computer groups, it fails there as well and I get the 401 response.

The point of this is so that as techs are hired and added to the LDAP group for admins, they should be able to launch the app without any issues and with no manual intervention of adding them to the JSS Users & Groups. I also don't want to create a standalone API account with read/write permissions to my JSS and store its credentials within the app, as that is very insecure. The JSS website handles LDAP users fine now, and this functionality should be extended to the API as well.


Posted: by marklamont

An alternative is, if your apps are script based, to run them from the JSS using Self Service as a launcher, so the staff have to log in to that with their LDAP account. The script can then have API account info passed as variables to the script. With a bit of clever stuff the username and password can be scrambled to reduce visibility if they can log in to the JSS.

That said, the FR is a good idea.


Posted: by beckerbm

LDAP users/groups are a supported method for interacting with the Jamf Pro API, so this workflow should be functional. I tested this and wasn't able to replicate a failure with an LDAP user hitting the API. I would recommend opening a support ticket so we can investigate this further.


Posted: by marklamont

Actually, I remembered we also use LDAP as well (we have a lot of API scripts, interactive and non-interactive). Typical example:

curl -vko "$WORKDIR/xml/computerrecord.xml" -u "$username":"$pass" $jssaddress/JSSResource/computers/udid/$udid -X GET

Posted: by PhillyPhoto

@beckerbm I contacted support, and found out there's a known issue for this (PI-002742). It turns out the special characters in my password were causing the issue and the devs are aware of the problem with no ETA for a fix.

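An added example, not code from this thread or from Jamf: a small Python probe for the GET-on-computer-groups check described above that builds the Basic auth header itself, so a password with special characters reaches the server byte-for-byte and shell quoting or curl's `-u` parsing can be ruled out before escalating a 401 to support. The hostname is a placeholder; credentials are prompted, never embedded.

```python
import base64
import getpass
import urllib.error
import urllib.parse
import urllib.request

JSS_URL = "https://jss.example.com"  # placeholder, not a real server


def basic_auth_header(username: str, password: str) -> str:
    """HTTP Basic value built directly from the raw credential bytes.

    Nothing is shell-expanded or URL-escaped, so a password such as
    p@ss:w0rd!$ is transmitted exactly as typed.
    """
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_request(jss_url: str, path: str, username: str, password: str):
    """Prepare a Classic API GET, e.g. path='computergroups'."""
    base = jss_url.rstrip("/") + "/"
    url = urllib.parse.urljoin(base, "JSSResource/" + path.lstrip("/"))
    headers = {
        "Authorization": basic_auth_header(username, password),
        "Accept": "application/xml",
    }
    return urllib.request.Request(url, headers=headers, method="GET")


def classify(status: int) -> str:
    """Turn the HTTP status into the diagnosis a Jamf admin cares about."""
    return {
        200: "ok: account can read this endpoint",
        401: "401: credentials rejected (LDAP mapping or password problem)",
        403: "403: authenticated, but no privilege on this object",
    }.get(status, f"unexpected HTTP {status}")


def probe(jss_url: str, path: str, username: str, password: str) -> str:
    req = build_request(jss_url, path, username, password)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return classify(resp.status)
    except urllib.error.HTTPError as err:
        return classify(err.code)


if __name__ == "__main__":
    user = input("LDAP username: ")
    pw = getpass.getpass("Password: ")  # never stored in the script
    print(probe(JSS_URL, "computergroups", user, pw))
```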