LDAP Server Connections in Jamf Pro

This article explains LDAP server connections in Jamf Pro and how to troubleshoot them.

LDAP Connections

To allow Jamf Pro to connect to your LDAP server, you must provide the following information:

  • The server's DNS hostname (recommended) or IP address, and the port on which the LDAP service listens

  • An LDAP server account (the distinguished name of the user that Jamf Pro binds as when it connects to the LDAP server) and that account's password

LDAP over SSL Connections

LDAP connections can be established inside an SSL session, which encrypts the data sent between the LDAP client (Jamf Pro) and the LDAP server. LDAP server connections over SSL use TCP port 636 by default; a custom LDAP server configuration can use a different port. A successful connection requires that the LDAP server is configured to present its server certificate when a client requests an SSL connection, and that the client is configured to trust the root certificate of the CA that issued the server certificate. When configuring Jamf Pro to use secure LDAP connections, ensure that the fully qualified domain name or URL of your authentication server (the server you are trying to connect to) matches the certificate's Common Name (CN) or Subject Alternative Name (SAN). The client compares the name exactly as you entered it in Jamf Pro with the names in the certificate, so if you configure the server by IP address, that IP address itself must be listed in the certificate's SAN.

LDAP Server Proxy Connections

The LDAP Proxy is hosted by the Infrastructure Manager, a service that is managed by Jamf Pro. After you install an instance of the Infrastructure Manager, Jamf Pro allows you to enable an LDAP proxy connection for any LDAP server that is already set up in Jamf Pro. For more information, see Jamf Infrastructure Manager Instances in the Jamf Pro Administrator's Guide. The SSL connection between your Infrastructure Manager instance and the LDAP server must be verified before it can be used. Verification may take some time, depending on the Recurring Check-In Frequency setting in the configuration of your Infrastructure Manager instance, and LDAP connections through the proxy work only after verification succeeds. To find out the status of the verification, see the Jamf Pro Notifications section.

Common LDAP Connection Issues

Issue: Server name does not match the name on the certificate
Resolution: Ensure that the fully qualified domain name or URL of your authentication server (the server you are trying to connect to) matches the certificate's Common Name (CN) or Subject Alternative Name (SAN).

Issue: Invalid certificate trust chain
Resolution: Ensure that the issuing Certificate Authority (CA), or one of its parent CAs, is in the client's list of trusted root CAs.

Issue: No CA certificate, expired CA certificate, not yet valid CA certificate, or revoked CA certificate
Resolution: Ensure that you have uploaded a valid CA certificate and that the current date falls within the certificate's validity period.

Issue: Certificate is not in DER or PEM format
Resolution: Ensure that your CA certificate is in .der or .pem format. You can use openssl commands in the Terminal application, or other tools, to convert your certificate to the proper format.
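The following Python script is an added example and is not part of this article or of Jamf Pro; it reproduces the checks behind the table above so you can reason about a certificate before pointing Jamf Pro at it. It works on a constructed certificate dictionary in the shape that Python's ssl.getpeercert() returns (no network needed), implements hostname matching the way RFC 6125 describes it (SAN entries are consulted first and the CN is used only when the certificate carries no SAN; a wildcard must be the whole leftmost label and matches exactly one label; these are assumptions about how a given LDAP client behaves), classifies the validity period, and tells PEM from DER by the leading bytes. The fetch_peer_cert function at the end performs a live handshake against port 636 using the standard library only and is not exercised by the offline sample; the hostname ldap.example.com and the other sample values are constructed for this example.

```python
import socket
import ssl
import time


# Constructed sample in the shape ssl.getpeercert() returns (not a real certificate).
SAMPLE_CERT = {
    "subject": ((("commonName", "ldap.example.com"),),),
    "subjectAltName": (("DNS", "ldap.example.com"), ("DNS", "*.corp.example.com")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2026 GMT",
}


def _dns_name_match(pattern, hostname):
    """Match one certificate DNS name against a hostname (RFC 6125 style wildcard rules)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard must be the entire leftmost label, may not match across label
    # boundaries, and is refused for very short names such as "*.com".
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def names_in_cert(cert):
    """Names a client compares against: SAN dNSName entries, else the subject CN."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ()) for key, value in rdn if key == "commonName"]


def hostname_matches(cert, hostname):
    """True when the configured server name matches the certificate (table row 1)."""
    return any(_dns_name_match(name, hostname) for name in names_in_cert(cert))


def validity_status(cert, now=None):
    """'valid', 'not yet valid' or 'expired' for the certificate at time 'now' (table row 3)."""
    now = time.time() if now is None else now
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before:
        return "not yet valid"
    if now > not_after:
        return "expired"
    return "valid"


def detect_cert_format(data):
    """'PEM', 'DER' or 'unknown' from the first bytes of a certificate file (table row 4)."""
    if data.lstrip().startswith(b"-----BEGIN CERTIFICATE-----"):
        return "PEM"
    # Every DER-encoded X.509 certificate starts with an ASN.1 SEQUENCE tag (0x30).
    if len(data) > 2 and data[:1] == b"\x30":
        return "DER"
    return "unknown"


def diagnose(cert, hostname, now=None):
    """List the table's issues that apply to this certificate; empty list means none."""
    issues = []
    if not hostname_matches(cert, hostname):
        issues.append("Server name does not match the name on the certificate")
    status = validity_status(cert, now)
    if status != "valid":
        issues.append("Certificate " + status)
    return issues


def fetch_peer_cert(hostname, port=636, ca_file=None):
    """Live check: TLS handshake to the LDAPS port using the system trust store or the
    CA bundle in 'ca_file'. ssl raises SSLCertVerificationError for a broken trust
    chain or a name mismatch, which maps onto table rows 1 and 2."""
    context = ssl.create_default_context(cafile=ca_file)
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with context.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    checked_at = ssl.cert_time_to_seconds("Jan  1 00:00:00 2025 GMT")
    for name in ("ldap.example.com", "dc01.corp.example.com", "10.0.0.5"):
        print(name, "->", diagnose(SAMPLE_CERT, name, now=checked_at) or "no issues")
```

Run it as-is to see the constructed sample evaluated against three server names; to test a real server, call fetch_peer_cert("your.ldap.host") with the CA bundle you intend to upload to Jamf Pro and pass the result to diagnose.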
Note: Keep in mind that each LDAP server configuration depends on your LDAP service provider, which may result in additional issues. For information on troubleshooting a specific issue, see your service provider's help documentation.