Google Secure LDAP Integration

When integrating Jamf Pro with Google's Secure LDAP, consider the following:

  • Jamf Pro can integrate with Google's Secure LDAP service, which is part of G Suite Enterprise and Cloud Identity Premium. The service can be used with Jamf Pro for user authentication and group syncing. Users assigned Cloud Identity Free or G Suite Basic/Business licenses appear in user lookup results, and you can add them as Jamf Pro LDAP accounts.

    Note: Users assigned to Cloud Identity Free or G Suite Basic/Business licenses are not allowed to authenticate in Jamf Pro. When such a user tries to authenticate, the INSUFFICIENT_ACCESS_RIGHTS (50) error code is displayed in Jamf Pro logs. For information on Secure LDAP service error codes, see the following documentation from Google: https://support.google.com/a/answer/9167101.

Configuring a Google Cloud Identity Provider Connection

When a server connection is added, it is enabled by default. You can configure multiple connections and choose which configuration to use. Disabling the connection prevents Jamf Pro from querying data from this server. This means you can add a different configuration without deleting the current connection. To disable the connection, use the switch.

  1. Log in to Jamf Pro.

  2. In the top-right corner of the page, click Settings.

  3. Click System Settings.

  4. Click Cloud Identity Providers.

  5. Click New.

  6. Choose Google and click Next.

  7. Configure the settings on the tab. Consider the following limitations:

    • The display name for the configuration must be unique.

    • The Domain name value automatically populates the Search Base dc values on the User Mappings and User Groups Mapping tabs.

  8. Use the Mappings tab to specify object class and search base data, and to map attributes. When configuring the search base, order its components to reflect the hierarchical structure of your directory tree so that the search returns correct results. For the default mappings, see the "Default Attribute Mappings for Google Secure LDAP" section below, and use it as a reference when troubleshooting the connection.

  9. Click Save.

Saving a server connection triggers automatic verification of the hostname, port, and domain. The verification process must succeed before the connection is ready to use.

Important: In large environments, the verification process for valid configurations may fail. Ensure the values in the form are correct and try saving the configuration again.

After your configuration is saved, you can test the mappings. For more information, see Testing Attribute Mappings.

To troubleshoot a failed connection, navigate to Reports in your Google Admin console, and check the LDAP audit log.

Default Attribute Mappings for Google Secure LDAP

The following table lists the default Jamf Pro mappings and the corresponding cloud identity provider attributes:

Jamf Pro Attribute Mapping Name    Cloud Identity Provider Attribute Mapping Value
-------------------------------    -----------------------------------------------
objectClassLimitation              ANY_OBJECT_CLASSES
objectClasses                      inetOrgPerson
searchBase                         ou=Users
searchScope                        ALL_SUBTREES
additionalSearchBase
userID                             mail
username                           uid
realName                           displayName
emailAddress                       mail
department                         departmentNumber
building
room
phone
position                           title
userUuid                           uid
objectClassLimitation              ANY_OBJECT_CLASSES
objectClasses                      groupOfNames
searchBase                         ou=Groups
searchScope                        ALL_SUBTREES
groupID                            cn
groupName                          cn
groupUuid                          gidNumber
groupMembershipMapping             memberOf
groupMappings
objectClassLimitation              ANY_OBJECT_CLASSES

For more information on the Secure LDAP schema, see the following documentation from Google: Secure LDAP schema.
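
The default user mappings above, expressed as the parameters of an equivalent manual LDAP search, which is useful when comparing what a lookup should request against the LDAP audit log. This is an added example, not Jamf's code: the function names, the filter shape, and the example.com domain are assumptions.

```python
import re

# Defaults copied from the user rows of the table above.
USER_OBJECT_CLASS = "inetOrgPerson"
USER_SEARCH_BASE = "ou=Users"
USER_ATTRS = {  # Jamf Pro mapping name -> directory attribute
    "userID": "mail", "username": "uid", "realName": "displayName",
    "emailAddress": "mail", "department": "departmentNumber",
    "position": "title", "userUuid": "uid",
}

_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def domain_to_dc(domain):
    """example.com -> dc=example,dc=com (rejects malformed labels)."""
    labels = domain.strip().rstrip(".").split(".")
    if len(labels) < 2 or not all(_LABEL.match(label) for label in labels):
        raise ValueError(f"not a usable domain name: {domain!r}")
    return ",".join(f"dc={label}" for label in labels)


def search_base(domain, relative_base=USER_SEARCH_BASE):
    """Most specific component first, directory root last."""
    return f"{relative_base},{domain_to_dc(domain)}"


def escape_filter_value(value):
    """RFC 4515 escaping so a looked-up name cannot alter the filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_query(domain, username):
    """Parameters for an equivalent manual lookup of one user (assumed shape)."""
    return {
        "base": search_base(domain),
        "scope": "ALL_SUBTREES",  # searchScope default from the table
        "filter": f"(&(objectClass={USER_OBJECT_CLASS})"
                  f"({USER_ATTRS['username']}={escape_filter_value(username)}))",
        "attributes": sorted(set(USER_ATTRS.values())),
    }


if __name__ == "__main__":
    # Constructed sample input: example.com and j.doe are placeholders.
    for key, value in user_query("example.com", "j.doe").items():
        print(f"{key}: {value}")
```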

© copyright 2002-2021 Jamf. All rights reserved.