Setting Up LDAP Authentication in Jamf School

By using LDAP authentication, you can allow users to log in with their existing Microsoft Active Directory (AD) or Apple Open Directory (OD) credentials.

Integrating with an LDAP directory service allows you to:

  • Authenticate users with their username and password from AD or OD (available for Jamf Teacher, Jamf Parent, Automated Device Enrollment (formerly DEP), Apple Configurator 2 Enrollment, User Enrollment, and on-device enrollment)

  • Create users and groups in Jamf School

  • Update users and groups that already exist in Jamf School (only if the properties in Jamf School do not match the properties in the remote directory)

Note: LDAP authentication cannot read nested groups from AD or OD. In addition, it cannot synchronize your complete AD or OD to Jamf School. (Users and groups are only created or updated when a user tries to authenticate “on the fly”.)

General Requirements

To set up LDAP authentication in Jamf School, you must safelist the necessary IP addresses in your firewall. For more information, see Firewall Ports, IP Addresses, and URLs Used by Jamf School.

It is recommended that you use SSL to encrypt the traffic to and from your LDAP server. For more information on enabling LDAP over SSL for Active Directory, see Microsoft's support website. For more information on enabling LDAP over SSL for Open Directory, see Open Directory: Enabling SSL for Open Directory with Replicas from Apple's support website.

Schema Mapping (Directory Service > Jamf School)

Active Directory

  • sAMAccountName > Username

  • mail > E-mail address

  • cn > First and Last name

  • memberOf > Group Membership

  • description > Notes

Open Directory

  • uid > Username

  • mail > E-mail address

  • cn > First and Last name

  • description > Notes

  • jpegPhoto > User photo

  • The filter “(&(objectClass=posixGroup)(memberUid=USERNAME))” is used to fetch Group Membership
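The following is an added example, not Jamf's code, showing what the mapping above and the "create or update on the fly" behaviour described earlier amount to in practice: the Active Directory and Open Directory attributes are copied into a Jamf School user record, the Open Directory group filter is built with the USERNAME value escaped per RFC 4515 (so a username containing `*`, `(` or `)` cannot change the filter's meaning), AD group membership is read from `memberOf` only (direct groups, no nesting), and an existing local user is updated only when a mapped property differs. The LDAP entries and posixGroup objects are constructed sample data; the field names `username`, `email`, `name`, `notes`, `photo` and `groups` are assumptions for illustration.

```python
# Added example (not Jamf School's code): directory attribute -> user record mapping,
# safe Open Directory group filter construction, and the "update only on change" rule.
from typing import Dict, List, Sequence

# Attribute mapping as listed on the page (directory attribute -> assumed record field).
SCHEMA = {
    "ad": {"sAMAccountName": "username", "mail": "email", "cn": "name", "description": "notes"},
    "od": {"uid": "username", "mail": "email", "cn": "name", "description": "notes", "jpegPhoto": "photo"},
}

# RFC 4515 escaping for a value embedded in a search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a string so it is matched literally inside an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def od_group_filter(username: str) -> str:
    """The Open Directory group filter from the page with USERNAME substituted safely."""
    return f"(&(objectClass=posixGroup)(memberUid={escape_filter_value(username)}))"


def od_groups_for(username: str, posix_groups: Sequence[Dict[str, List[str]]]) -> List[str]:
    """Evaluate that filter locally against constructed posixGroup entries (stands in for the search)."""
    return sorted(
        g["cn"][0]
        for g in posix_groups
        if "posixGroup" in g.get("objectClass", []) and username in g.get("memberUid", [])
    )


def group_cn_from_dn(dn: str) -> str:
    """Leading RDN value of a group DN, e.g. 'CN=Teachers,OU=Groups,...' -> 'Teachers'.
    Assumes no escaped commas in the group name."""
    return dn.split(",", 1)[0].split("=", 1)[1].strip()


def map_entry(directory: str, entry: Dict[str, List[str]], od_groups: Sequence[str] = ()) -> Dict[str, object]:
    """Build the user record from an LDAP entry using the page's mapping."""
    user: Dict[str, object] = {}
    for attr, field in SCHEMA[directory].items():
        values = entry.get(attr)
        if values:
            user[field] = values[0]
    if directory == "ad":
        # memberOf holds only the groups the user is a direct member of; nested
        # membership is not resolved, which is the limitation the page notes.
        user["groups"] = sorted(group_cn_from_dn(dn) for dn in entry.get("memberOf", []))
    else:
        user["groups"] = list(od_groups)
    return user


def sync_user(local: Dict[str, Dict[str, object]], directory: str,
              entry: Dict[str, List[str]], od_groups: Sequence[str] = ()) -> str:
    """Create the user if absent; update only when a mapped property differs."""
    remote = map_entry(directory, entry, od_groups)
    username = str(remote["username"])
    if username not in local:
        local[username] = remote
        return "created"
    changed = {k: v for k, v in remote.items() if local[username].get(k) != v}
    if not changed:
        return "unchanged"
    local[username].update(changed)
    return "updated"


# Constructed sample entries (not real directory data).
AD_USER = {
    "sAMAccountName": ["jdoe"], "mail": ["jdoe@myschool.com"], "cn": ["Jane Doe"],
    "description": ["Math department"],
    "memberOf": ["CN=Teachers,OU=Groups,DC=myschool,DC=com", "CN=Staff,OU=Groups,DC=myschool,DC=com"],
}
OD_USER = {"uid": ["jdoe"], "mail": ["jdoe@myschool.com"], "cn": ["Jane Doe"]}
OD_GROUPS = [
    {"objectClass": ["posixGroup"], "cn": ["teachers"], "memberUid": ["jdoe", "asmith"]},
    {"objectClass": ["posixGroup"], "cn": ["admins"], "memberUid": ["asmith"]},
]

if __name__ == "__main__":
    print(od_group_filter("*)(uid=*"))
    print(map_entry("ad", AD_USER))
    print(map_entry("od", OD_USER, od_groups_for("jdoe", OD_GROUPS)))
```

Running the block prints the escaped filter and the two mapped records; `sync_user` can be called repeatedly with the same entry to see that a second authentication leaves the local record unchanged until an attribute in the directory actually differs.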

Setting Up LDAP Authentication

  1. In Jamf School, navigate to Organization > Settings in the sidebar.

  2. Select the Authentication payload.

  3. Choose “LDAP(s)” from the Authentication Method pop-up menu.

  4. If you want users and groups to be created or updated automatically when a user tries to log in, select the Automatically create users that don’t exist locally checkbox.

  5. If you do not want Jamf Parent to use the LDAP server for authentication, select the Force local authentication for Jamf School Parent checkbox. If this option is selected, Jamf Parent will use “Local” authentication.

  6. Enter the LDAP server IP or FQDN and port. 389 is default for LDAP, and 636 is default for LDAP over SSL.

  7. (Recommended) To secure the communication using SSL, select the Use SSL checkbox.

  8. Choose the directory type from the Directory Type pop-up menu. Jamf School supports Microsoft Active Directory and Apple Open Directory.

  9. Enter the base DN of your LDAP server in the Base DN field. For example: “dc=myschool,dc=com”.

  10. If your server supports anonymous binding, select the Bind to this LDAP server anonymously checkbox.

    Note: Active Directory does not support authentication when binding anonymously.

    If you do not bind anonymously, provide the account Jamf School uses to bind:

    • Enter the full DN of the user you want to bind with. For example: “CN=ldap_proxy, OU=users, DC=myschool, DC=com”.

    • Enter the password for the bind user.

  11. Click Test Connection to test the connection to your LDAP server.

  12. If the connection is successful, click the Save button.
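As an added example (not Jamf's code), the check below applies the constraints from steps 6 through 10 to a settings dictionary before it would be saved: SSL is recommended, 389 and 636 are the defaults for LDAP and LDAP over SSL, the base DN and bind DN must look like DNs, and Active Directory cannot authenticate over an anonymous bind. The dictionary keys (`host`, `port`, `use_ssl`, `directory_type`, `base_dn`, `anonymous_bind`, `bind_dn`, `bind_password`) are assumptions that mirror the UI labels, and both settings dictionaries are constructed; the bind password is a placeholder.

```python
# Added example (not Jamf School's code): pre-save review of LDAP(s) settings
# against the requirements stated in the setup steps.
import re
from typing import Dict, List

# Accepts "attr=value,attr=value" with optional spaces after commas; a sanity check, not a full RFC 4514 parser.
_DN_RE = re.compile(r"\s*[A-Za-z][\w-]*=[^,]+(,\s*[A-Za-z][\w-]*=[^,]+)*\s*")


def check_ldap_settings(s: Dict[str, object]) -> List[str]:
    """Return a list of problems; an empty list means the settings match the page's requirements."""
    problems: List[str] = []
    port, use_ssl, dtype = s.get("port"), bool(s.get("use_ssl")), s.get("directory_type")

    if not s.get("host"):
        problems.append("LDAP server IP or FQDN is empty")
    if not (isinstance(port, int) and 1 <= port <= 65535):
        problems.append(f"port {port!r} is not a valid TCP port")
    if not use_ssl:
        problems.append("Use SSL is off: bind credentials and directory data cross the network unencrypted")
    if use_ssl and port == 389:
        problems.append("Use SSL is on but port is 389 (LDAP default); LDAP over SSL defaults to 636")
    if not use_ssl and port == 636:
        problems.append("port 636 is the LDAP over SSL default but Use SSL is off")
    if not _DN_RE.fullmatch(str(s.get("base_dn", ""))):
        problems.append(f"Base DN {s.get('base_dn')!r} is not of the form dc=myschool,dc=com")

    if s.get("anonymous_bind"):
        if dtype == "ad":
            problems.append("Active Directory does not support authentication when binding anonymously")
    else:
        if not _DN_RE.fullmatch(str(s.get("bind_dn", ""))):
            problems.append("bind DN must be a full DN, e.g. CN=ldap_proxy,OU=users,DC=myschool,DC=com")
        if not s.get("bind_password"):
            problems.append("bind password is empty")
    return problems


# Constructed settings: the weak configuration beside the corrected one.
WEAK = {
    "host": "ldap.myschool.com", "port": 389, "use_ssl": False, "directory_type": "ad",
    "base_dn": "dc=myschool,dc=com", "anonymous_bind": True,
}
CORRECTED = {
    "host": "ldap.myschool.com", "port": 636, "use_ssl": True, "directory_type": "ad",
    "base_dn": "dc=myschool,dc=com", "anonymous_bind": False,
    "bind_dn": "CN=ldap_proxy, OU=users, DC=myschool, DC=com",
    "bind_password": "<BIND_PASSWORD_PLACEHOLDER>",
}

if __name__ == "__main__":
    for name, settings in (("weak", WEAK), ("corrected", CORRECTED)):
        print(name, check_ldap_settings(settings) or ["ok"])
```

The weak dictionary reports two problems (no SSL, and anonymous binding against Active Directory); the corrected one reports none, after which the Test Connection step is the real check against the server.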

© copyright 2002-2021 Jamf. All rights reserved.