LDAP Directory Service Integration

Integrating with an LDAP directory service allows you to do the following:

  • Look up and populate user information from the directory service for inventory purposes.

  • Add Jamf Pro user accounts or groups from the directory service.

  • Require users to log in to Self Service or the enrollment portal using their LDAP directory accounts.

  • Require users to log in during mobile device setup using their LDAP directory accounts.

  • Base the scope of remote management tasks on users or groups from the directory service.

Note:

Jamf Pro may experience performance issues if too many LDAP groups are included in the scope of an object. If you need to use multiple LDAP criteria within a scope, consider creating a smart group with those criteria, and then scope to that smart group instead.

To integrate with an LDAP directory service, you need to add the LDAP server to Jamf Pro. There are two ways to add LDAP servers to Jamf Pro: using the LDAP Server Assistant or manually.

The LDAP Server Assistant guides you through the process of entering information about the LDAP server and ensuring that LDAP attributes are mapped properly. It allows you to integrate with the following directory services:

  • Apple’s Open Directory

  • Microsoft’s Active Directory

  • NetIQ eDirectory

Note:

When your configuration uses SSL, the LDAP server must present its server certificate when Jamf Pro requests an SSL connection, and Jamf Pro must be able to validate that certificate. If the certificate is not issued by a CA that Jamf Pro already trusts, add the trusted root certificate of the CA that issued the server certificate to Jamf Pro rather than disabling SSL for the connection.

Manually adding an LDAP server involves entering detailed information about the LDAP server and manually configuring attribute mappings. This allows you to integrate with additional directory services.

Adding an LDAP Server Using the LDAP Server Assistant

  1. In Jamf Pro, click Settings in the top-right corner of the page.
  2. In the System Settings section, click LDAP Servers.
  3. Click New.
  4. Follow the onscreen instructions to add the LDAP server.

Manually Adding an LDAP Server

Before manually adding an LDAP server, it is important that you are familiar with search bases, object classes, and attributes. If you are not familiar with these concepts, use the LDAP Server Assistant to ensure that attributes are mapped correctly.

  1. In Jamf Pro, click Settings in the top-right corner of the page.
  2. In the System Settings section, click LDAP Servers.
  3. Click New.
  4. Select Configure Manually and click Next.
  5. Use the Connection pane to configure how Jamf Pro connects to the LDAP server.
  6. Use the Mappings pane to specify object class and search base data, and map attributes.
  7. Click Save.

Testing LDAP Attribute Mappings

You can test the following LDAP attribute mappings:

  • User mappings

  • User group mappings

  • User group membership mappings

If Jamf Pro returns the appropriate information, the attributes are mapped correctly.

  1. In Jamf Pro, click Settings in the top-right corner of the page.
  2. In the System Settings section, click LDAP Servers.
  3. Click the LDAP server you want to test.
  4. Click Test.
  5. Click the appropriate tab and enter information in the fields provided.
  6. Click Test again.
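The following is an added example, not code from Jamf Pro or from this guide. It models the search base, object class and attribute mappings that the Mappings pane asks for, and reproduces what the three tests above check (user, user group, and user group membership) against a constructed Active Directory-style directory snapshot instead of a live server. The Mapping structure, the field names and the sample entries are this example's assumptions; the point is to see why a wrong search base, object class or attribute name makes a test come back empty, and why membership can be read from either the user side (memberOf) or the group side (member).

```python
"""Added example (not Jamf code): evaluate LDAP attribute mappings of the kind the
Mappings pane asks for against a constructed directory snapshot, reproducing what the
User, User Group and User Group Membership mapping tests check."""
from __future__ import annotations
from dataclasses import dataclass, replace

# Constructed AD-style sample for this example, not an export from any real directory.
SAMPLE_LDIF = """\
dn: CN=Alice Example,OU=Staff,DC=corp,DC=example
objectClass: user
sAMAccountName: aexample
mail: alice@corp.example
memberOf: CN=Mac Admins,OU=Groups,DC=corp,DC=example

dn: CN=Bob Contractor,OU=Contractors,DC=corp,DC=example
objectClass: user
sAMAccountName: bcontractor
mail: bob@contractor.example

dn: CN=Mac Admins,OU=Groups,DC=corp,DC=example
objectClass: group
cn: Mac Admins
member: CN=Alice Example,OU=Staff,DC=corp,DC=example
"""


@dataclass
class Mapping:
    """Field names follow the Mappings pane; the structure itself is an assumption."""
    user_search_base: str
    user_object_class: str
    user_id_attribute: str            # attribute the Username lookup matches on
    user_attributes: dict[str, str]   # Jamf field -> LDAP attribute
    group_search_base: str
    group_object_class: str
    group_name_attribute: str
    membership_mode: str              # "memberOf": read the user; "member": read the group


AD_MAPPING = Mapping(
    user_search_base="DC=corp,DC=example", user_object_class="user",
    user_id_attribute="sAMAccountName",
    user_attributes={"Username": "sAMAccountName", "Email Address": "mail"},
    group_search_base="OU=Groups,DC=corp,DC=example", group_object_class="group",
    group_name_attribute="cn", membership_mode="memberOf",
)
# Same mapping, but membership resolved from the group's member attribute instead.
AD_MAPPING_GROUP_SIDE = replace(AD_MAPPING, membership_mode="member")
# Same server, but Open Directory attribute names entered by mistake: every test comes back empty.
OD_MAPPING = Mapping(
    user_search_base="DC=corp,DC=example", user_object_class="inetOrgPerson",
    user_id_attribute="uid", user_attributes={"Username": "uid", "Email Address": "mail"},
    group_search_base="DC=corp,DC=example", group_object_class="posixGroup",
    group_name_attribute="cn", membership_mode="member",
)


def parse_ldif(text: str) -> dict[str, dict[str, list[str]]]:
    """Minimal LDIF reader (no base64, no line folding): dn -> {attr(lowercase) -> values}."""
    directory: dict[str, dict[str, list[str]]] = {}
    for block in text.strip().split("\n\n"):
        dn, attrs = None, {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            key, value = key.strip().lower(), value.strip()
            if key == "dn":
                dn = value
            elif key:
                attrs.setdefault(key, []).append(value)   # attributes may be multi-valued
        if dn:
            directory[dn] = attrs
    return directory


def _norm(dn: str) -> str:
    """Case-fold a DN and drop whitespace after commas so DNs from different sources compare equal."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def in_search_base(dn: str, base: str) -> bool:
    """True when dn is the search base itself or lies beneath it."""
    dn, base = _norm(dn), _norm(base)
    return dn == base or dn.endswith("," + base)


def find_entries(directory, base, object_class, attribute, value) -> list[str]:
    """DNs under base that carry object_class and whose attribute holds value (case-insensitive)."""
    return [
        dn for dn, attrs in directory.items()
        if in_search_base(dn, base)
        and object_class.lower() in (c.lower() for c in attrs.get("objectclass", []))
        and value.lower() in (v.lower() for v in attrs.get(attribute.lower(), []))
    ]


def check_user_mapping(directory, m: Mapping, username: str) -> dict[str, str] | None:
    """User mappings test: mapped fields for exactly one matching user, else None.
    Zero hits means a wrong base, class or ID attribute; more than one means the ID attribute is not unique."""
    hits = find_entries(directory, m.user_search_base, m.user_object_class, m.user_id_attribute, username)
    if len(hits) != 1:
        return None
    attrs = directory[hits[0]]
    # A field mapped to an attribute the entry lacks comes back blank even though the user was found.
    return {field: ", ".join(attrs.get(ldap_attr.lower(), [])) for field, ldap_attr in m.user_attributes.items()}


def check_group_mapping(directory, m: Mapping, group_name: str) -> str | None:
    """User group mappings test: DN of the single group whose name attribute matches, else None."""
    hits = find_entries(directory, m.group_search_base, m.group_object_class, m.group_name_attribute, group_name)
    return hits[0] if len(hits) == 1 else None


def check_membership(directory, m: Mapping, username: str, group_name: str) -> bool:
    """User group membership test, reading whichever side of the relation the mapping names."""
    users = find_entries(directory, m.user_search_base, m.user_object_class, m.user_id_attribute, username)
    group_dn = check_group_mapping(directory, m, group_name)
    if len(users) != 1 or group_dn is None:
        return False
    if m.membership_mode == "memberOf":
        return _norm(group_dn) in (_norm(v) for v in directory[users[0]].get("memberof", []))
    return _norm(users[0]) in (_norm(v) for v in directory[group_dn].get("member", []))
```

Running the checks with AD_MAPPING returns Alice's mapped fields and confirms her membership in Mac Admins from either side of the relation; running the same checks with OD_MAPPING against the same data returns None and False throughout, which is exactly what the Test page shows when the object class or attribute names do not match the directory. When the user test does return an entry but one field is blank, the search base, object class and ID attribute are right and only that field's attribute name needs correcting.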