Configuring Jamf Pro to Use LDAP Over SSL When Authenticating with Active Directory
This article explains how to configure the Jamf Pro server to perform authentication with Active Directory (AD) using LDAP over SSL (LDAPS) instead of LDAP.
The general process is as follows:
- AD administrator generates a certificate request and sends it to the certificate authority (CA).
- AD administrator installs the signed certificate and root certificate on the domain controller queried by Jamf Pro.
- Jamf Pro administrator installs the root certificate into the Java keystore and restarts Tomcat (not applicable on Jamf Cloud shared instances).
- Jamf Pro administrator configures Jamf Pro to use SSL.
General Requirements
- Access to certificates from your CA
- Access to the Jamf Pro server
- Terminal application or command prompt (only if using Jamf Pro 9.93 or earlier)
Step 1: Generating a Certificate and Sending it to the Certificate Authority
Generate a certificate for the AD server that is signed by your CA and accept the issued certificate. Follow the guidelines outlined in the following article from Microsoft: How to enable LDAP over SSL with a third-party certification authority.
Step 2: Installing the Root Certificate on the Domain Controller
If the domain controller already has the root certificate installed in the list of Trusted Root Certification Authorities, skip to the next step. If not, you will need to import it using the following instructions from Microsoft: How to Import the Digital Certificate for the Sender's Root CA into the Trusted Root Certification Authorities Folder in the Local Computer Certificate Store of the Recipient's Exchange Server.
Step 3: Importing the Root Certificate of the CA into the Java Truststore
This step only applies to certificates issued by a private or untrusted CA. It is not applicable to Jamf Cloud shared instances.
Step 4: Configuring Jamf Pro to Use SSL
- Log in to Jamf Pro.
- In the top-right corner of the page, click Settings.
- Click System Settings.
- Click LDAP Servers.
- Click the LDAP server you want to use LDAPS for.
- Click Edit.
- Select the Use SSL checkbox. Ensure that the fully qualified domain name or URL of your authentication server (the server you are trying to connect to) matches the certificate's Common Name (CN) or one of its Subject Alternative Names (SAN).
- Upload the certificate using the Upload Certificate button.
- Click Save.
- Test LDAP attribute mappings to ensure that LDAP over SSL is working:
  - Click Test.
  - Click the appropriate tab and enter information in the field(s) provided.
  - Click Test again.
- Repeat steps 5-9 for each LDAP server.
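The following script is an added example, not Jamf's own tooling: it pulls the certificate the domain controller presents on port 636 with openssl, checks that the FQDN entered in Jamf Pro matches a DNS SAN entry or the CN (the requirement of the Use SSL step), and imports the CA root certificate into the Java truststore with keytool for Step 3. It assumes openssl 1.1.1 or later and keytool are on PATH, JAVA_HOME points at the Java that Tomcat runs under, and the truststore password is the default "changeit"; host names, file names and the alias are placeholders.

```shell
#!/bin/sh
# Added example, not Jamf's own tooling. Assumes openssl 1.1.1+ and keytool on PATH,
# JAVA_HOME set to the Java that Tomcat runs under, truststore password "changeit".
# Does host $1 match certificate name $2 (subject CN or a DNS SAN entry)?
# Case-insensitive; a leading "*." matches exactly one label, as Java's verifier does.
name_matches() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    name=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$name" in
        \*.*)
            suffix=${name#\*.}
            case "$host" in
                *."$suffix") label=${host%."$suffix"} ;;
                *) return 1 ;;
            esac
            case "$label" in
                ''|*.*) return 1 ;;   # empty label, or more than one label
                *) return 0 ;;
            esac ;;
        *) [ "$host" = "$name" ] && return 0
           return 1 ;;
    esac
}
# Server certificate the domain controller presents on port 636, as PEM on stdout.
fetch_ldaps_cert() {
    openssl s_client -connect "$1:636" -servername "$1" </dev/null 2>/dev/null | openssl x509
}
# DNS SAN entries of a PEM certificate (needs openssl 1.1.1+), then the subject CN.
cert_dns_names() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null | tr ',' '\n' | sed -n 's/^ *DNS://p'
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}
# 0 if the FQDN entered in Jamf Pro's LDAP server settings matches the certificate
# (the Use SSL requirement), 1 if no name matches, 2 if the LDAPS connection failed.
check_dc() {
    tmp=$(mktemp)
    fetch_ldaps_cert "$1" >"$tmp" || { rm -f "$tmp"; return 2; }
    status=1
    for n in $(cert_dns_names "$tmp"); do
        if name_matches "$1" "$n"; then status=0; break; fi
    done
    rm -f "$tmp"; return $status
}
# Step 3: import the CA root certificate (PEM, $1) under alias $2 into the Java
# truststore, then restart Tomcat so Jamf Pro picks it up.
import_root_ca() {
    keytool -importcert -noprompt -trustcacerts -alias "$2" -file "$1" \
        -keystore "${JAVA_HOME:?}/lib/security/cacerts" -storepass "${STOREPASS:-changeit}"
}
```

Typical use after sourcing the script: `check_dc dc1.example.com && import_root_ca root-ca.pem ldaps-root` (placeholder names); a return code of 1 from check_dc means the name you typed into Jamf Pro is not on the certificate, which is the most common reason the Test button fails after enabling Use SSL.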
For information on common connection issues that can occur when configuring LDAP over SSL in Jamf Pro, see LDAP Server Connections in Jamf Pro.