Configuring Jamf Pro to Use LDAP Over SSL When Authenticating with Active Directory

This article explains how to configure the Jamf Pro server to perform authentication with Active Directory (AD) using LDAP over SSL (LDAPS) instead of LDAP.

The general process is as follows:

  1. AD administrator generates a certificate request and sends it to the certificate authority (CA).

  2. AD administrator installs the signed certificate and root certificate on the domain controller queried by Jamf Pro.

  3. Jamf Pro administrator installs root certificate into Java keystore and restarts Tomcat (not applicable on Jamf Cloud shared instances).

  4. Jamf Pro administrator configures Jamf Pro to use SSL.

General Requirements

The following components are required to complete the steps in this article:
  • Access to certificates from your CA
  • Access to the Jamf Pro server
  • Terminal application or command prompt (only if using Jamf Pro 9.93 or earlier)

Step 2: Installing the Root Certificate on the Domain Controller

If the domain controller already has the root certificate installed in the list of Trusted Root Certification Authorities, skip to the next step. If not, you will need to import it by following the instructions from Microsoft: http://technet.microsoft.com/en-us/library/aa995734.aspx.

Step 3: Importing the Root Certificate of the CA into the Java Truststore

This step only applies to certificates issued by a private or untrusted CA. It is not applicable to Jamf Cloud shared instances.

  1. On the Jamf Pro host server, navigate to the Java security directory. For Java 8, the directory is located in:
    • Red Hat Enterprise Linux:
      /usr/lib/jvm/jre-1.8.0-openjdk.x86_64/lib/security/
    • Ubuntu:
      /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/
    • Windows:
      C:\Program Files\Java\jre8\lib\security\
    • Mac:
      /Library/Java/JavaVirtualMachines/jdk1.8.0_xx.jdk/Contents/Home/jre/lib/security/
  2. Import the root certificate into the Java truststore by executing:
    sudo keytool -import -trustcacerts -alias RootCA -keystore cacerts -file /Users/admin/Desktop/RootCA.cer

    When prompted with the message "Trust this certificate?", type Yes and press the Enter key. The result should be "Certificate was added to keystore".

    Note:

    If prompted for a keystore password, the default password will be either "changeme" or "changeit", depending on your operating system and the version of Java installed on the Jamf Pro host server.

  3. Restart Tomcat. For complete instructions, see Starting and Stopping Tomcat.
  4. (Optional) Log in to Jamf Pro and configure an LDAP server connection. For more information, see Integrating with LDAP Directory Services in the Jamf Pro Administrator's Guide.
  5. Once you have configured an LDAP server connection, verify that the LDAP server queries are working by logging in to Jamf Pro with an Active Directory user.

Step 4: Configuring Jamf Pro to Use SSL

  1. Log in to Jamf Pro.
  2. In the top-right corner of the page, click Settings.
  3. Click System Settings.
  4. Click LDAP Servers.
  5. Click the LDAP server you want to use LDAPS for.
  6. Click Edit.
  7. Select the Use SSL checkbox. Ensure that the fully qualified domain name or URL of your authentication server (the server you are trying to make the connection to) matches the Common Name (CN) or the Subject Alternative Name (SAN) in the server's certificate.
  8. Upload the certificate using the Upload Certificate button.
  9. Click Save.
  10. Test LDAP attribute mappings to ensure that LDAP over SSL is working:
    1. Click Test.
    2. Click the appropriate tab and enter information in the field(s) provided.
    3. Click Test again.
  11. Repeat steps 5-9 for each LDAP server.
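The two things the Test button in step 10 exercises can also be checked from the Jamf Pro host before touching the LDAP server settings: that the domain controller's certificate chains to the root you imported, and that the FQDN you entered matches the certificate's SAN or CN (step 7). The following is an added example, not part of the Jamf article or Jamf's own code; it applies the RFC 6125 matching rule (SAN dNSNames first, CN only when no SAN is present, a wildcard covering exactly one label), and the host name, CA file path and sample certificate data are constructed assumptions.

```python
"""Pre-flight LDAPS check for a Jamf Pro -> Active Directory connection (added example)."""
import socket
import ssl

# Constructed sample of what ssl.SSLSocket.getpeercert() returns for a DC certificate.
SAMPLE_DC_CERT = {
    "subject": ((("commonName", "dc01.corp.example.com"),),),
    "subjectAltName": (("DNS", "dc01.corp.example.com"), ("DNS", "corp.example.com")),
}

def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive exact match, or a single leading wildcard label (*.corp.example.com)."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    labels = hostname.split(".")
    # The wildcard stands for exactly one label and never for the bare parent domain.
    return len(labels) > 1 and ".".join(labels[1:]) == pattern[2:]

def hostname_matches_cert(cert: dict, hostname: str) -> bool:
    """Match against SAN dNSNames; fall back to the subject CN only if the cert has no SAN."""
    san = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san:
        return any(_dns_name_matches(name, hostname) for name in san)
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_dns_name_matches(name, hostname) for name in cns)

def check_ldaps(hostname: str, cafile: str, port: int = 636, timeout: float = 5.0) -> dict:
    """Open a TLS session to the DC trusting only `cafile` (the imported root) and report."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED: chain must end at this root
    ctx.check_hostname = False                        # we report name mismatches ourselves below
    result = {"chain_ok": False, "name_ok": False, "error": None}
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                result["chain_ok"] = True  # handshake only succeeds if the chain verified
                result["name_ok"] = hostname_matches_cert(tls.getpeercert(), hostname)
    except (ssl.SSLError, OSError) as exc:  # untrusted issuer, expired cert, closed port, ...
        result["error"] = str(exc)
    return result

if __name__ == "__main__":
    # Assumed host name and CA path; replace with the FQDN entered in Jamf Pro and your root PEM.
    print(check_ldaps("dc01.corp.example.com", cafile="/path/to/RootCA.pem"))
```

A result of chain_ok True with name_ok False means the root was imported correctly but the FQDN in the LDAP server settings does not match the certificate, which is the mismatch step 7 warns about.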

For information on common connection issues that can occur when configuring LDAP over SSL in Jamf Pro, see LDAP Server Connections in Jamf Pro.