Setting Up LDAP Authentication in Jamf School

With the use of LDAP authentication, you can allow users to log in with their existing Microsoft Active Directory (AD) or Apple Open Directory (OD) credentials.

Integrating with an LDAP directory service allows you to:

  • Authenticate users with their username and password from AD or OD (available for Jamf School Teacher, Jamf School Parent, Automated Device Enrollment (formerly DEP, Apple Configurator Enrollment, and On-Device Enrollment)

  • Create users and groups in Jamf School

  • Update users and groups that already exist in Jamf School (only if the properties in Jamf School don’t match the properties in the remote directory)

Note: LDAP authentication cannot read nested groups from AD or OD. In addition, it cannot synchronize your complete AD or OD to Jamf School. (Users and groups are only created or updated when a user tries to authenticate “on the fly”.)

IP Addresses to Whitelist

IP addresses to whitelist in your firewall:



Schema Mapping (Directory Service > Jamf School)

Active Directory

  • sAMAccountName > Username

  • mail > E-mail address

  • cn > First and Last name

  • memberOf > Group Membership

  • description > Notes

Open Directory

  • uid > Username

  • mail > E-mail address

  • cn > First and Last name

  • description > Notes

  • jpegPhoto > User photo

  • The filter “(&(objectClass=posixGroup)(memberUid=USERNAME))” is used to fetch Group Membership

SSL Encryption

We strongly recommend you to use SSL to encrypt the traffic that flows from and to your LDAP server.

Setting Up LDAP Authentication

  1. In Jamf School, navigate to Organization > Settings.

  2. Select the Authentication payload.

  3. Choose “LDAP(s)” as the Authentication Method.

  4. Select the Automatically create users that don’t exist locally checkbox if you want users and groups to be created or updated automatically when a user tries to log in.

  5. Select the Force local authentication for Jamf School Parent checkbox if you don’t want the Parent app to use the LDAP server for authentication. If this option is selected, Jamf School Parent will use “Local” authentication.

  6. Enter the LDAP server IP or FQDN and port (389 is default for LDAP, and 636 is default for LDAP over SSL).

  7. Select the Use SSL checkbox if you want to secure the communication using SSL (recommended).

  8. Choose the Directory Type. Jamf School supports Microsoft Active Directory and Apple Open Directory.

  9. Enter the Base DN of your LDAP server, for example: “dc=myschool,dc=com”.

  10. If your server supports anonymous binding, select the Bind to this LDAP server anonymously checkbox.
    Note: Active Directory does not support authentication when binding anonymously.

    • Enter the full DN of the user you want to bind with, for example: “CN=ldap_proxy, OU=users, DC=myschool, DC=com”.

    • Enter the password for the bind user.

  11. Click the Test Connection button to test the connection to your LDAP server.

  12. If the connection is successful, click the Save button.

Copyright     Privacy Policy     Terms of Use     Security
© copyright 2002-2019 Jamf. All rights reserved.