LDAP Server Connections in Jamf Pro
This article explains LDAP server connections in Jamf Pro and how to troubleshoot them.
LDAP Connections
To allow Jamf Pro to connect to your LDAP server, you must provide the following information:
The hostname of the server as a DNS name (recommended) or IP address, and the port the server listens on
An LDAP server account (the distinguished name of the user that Jamf Pro binds to the LDAP server as) and the associated password
LDAP over SSL Connections
LDAP connections can be established in an SSL session. This ensures that data sent between the LDAP client (Jamf Pro) and the LDAP server is encrypted. LDAP server connections over SSL use TCP port 636 by default; a custom LDAP server configuration can use other ports. A successful connection requires that the LDAP server is configured to present its server certificate when a client requests an SSL connection, and that the client is configured with the trusted root certificate of the CA that issued the server certificate. When configuring Jamf Pro to use secure LDAP connections, ensure that the fully qualified domain name or URL of your authentication server (the server you are trying to connect to) matches the Common Name (CN) or a Subject Alternative Name (SAN) on that certificate.
LDAP Server Proxy Connections
The LDAP Proxy is hosted by the Infrastructure Manager, a service that is managed by Jamf Pro. After you install an instance of the Infrastructure Manager, Jamf Pro allows you to enable an LDAP proxy connection if you have an LDAP server set up in Jamf Pro. For more information, see Jamf Infrastructure Manager Instances in the Jamf Pro Documentation. The connection between your infrastructure manager instance and the LDAP server over SSL needs to be verified. This may take some time depending on the Recurring Check-In Frequency setting of your infrastructure manager instance configuration. LDAP connections will work only after the successful verification. To find out the status of the verification, see the Jamf Pro Notifications section.
Common LDAP Connection Issues
Server Name Does Not Match the Name on the Certificate
- Jamf Pro Server Log Example
[ERROR] [LDAPConnectionVerifier ] - Error while checking LDAP server with ID: 1
javax.naming.CommunicationException: ldap-server:636
Caused by: javax.net.ssl.SSLHandshakeException: javax.net.ssl.SSLException: hostname in certificate didn't match: <ldap-server> != <ldap-server.corporatedomain.tld>
Caused by: java.security.cert.CertificateException: javax.net.ssl.SSLException: hostname in certificate didn't match: <ldap-server> != <ldap-server.corporatedomain.tld>
Caused by: javax.net.ssl.SSLException: hostname in certificate didn't match: <ldap-server> != <ldap-server.corporatedomain.tld>
- Resolution
- Ensure that the fully qualified domain name or URL of your authentication server (the server you are trying to connect to) matches the Common Name (CN) or a Subject Alternative Name (SAN) on the server certificate. In the log above, Jamf Pro was configured with the short name ldap-server while the certificate was issued to ldap-server.corporatedomain.tld.
Invalid Certificate Trust Chain
- Jamf Pro Server Log Example
[ERROR] [LDAPConnectionVerifier ] - Error while checking LDAP server with ID: 1
javax.naming.CommunicationException: ldap-server.corporatedomain.tld:636
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
- Resolution
- Ensure that you have uploaded a valid CA certificate (the certificate of the CA that issued the LDAP server certificate) that falls within the issuer's validity period.
No CA Certificate, Expired CA Certificate, Not yet Valid CA Certificate, or Revoked CA Certificate
- Jamf Pro Server Log Example
[ERROR] [LDAPConnectionVerifier ] - Error while checking LDAP server with ID: 1
javax.naming.CommunicationException: ldap-server.corporatedomain.tld:636
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
- Resolution
- Ensure that you have uploaded a valid CA certificate that falls within the issuer's validity period.
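The following script is an added example, not Jamf's code. It covers the point made in the LDAP over SSL section and the first three issues above: the name configured in Jamf Pro must match the CN or a SAN entry on the server certificate, and the certificate must be inside its validity period. It works on the dict shape that Python's ssl.SSLSocket.getpeercert() returns, so the same check can be run offline against the constructed sample here or live against your own server with fetch_peer_certificate() from the Jamf Pro host. The function and sample names are the example's own.

```python
"""Added example (not Jamf's code): checks the certificate an LDAPS server
presents, in the dict shape returned by ssl.SSLSocket.getpeercert(), against
the server name configured in Jamf Pro, and reports the failure modes from
the log examples above: the configured name does not match the CN or any SAN
entry, or the certificate is outside its validity period.
All sample data is constructed for illustration."""
import socket
import ssl
import time
from typing import List, Optional


def _match_name(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS name match allowing a single leftmost wildcard
    label (e.g. '*.corporatedomain.tld' covers one label, never two)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        p_labels, h_labels = pattern.split(".")[1:], hostname.split(".")
        return len(h_labels) == len(p_labels) + 1 and h_labels[1:] == p_labels
    return False


def certificate_names(cert: dict) -> List[str]:
    """Subject CN plus every dNSName SAN entry, de-duplicated in order.
    Validators prefer the SAN list; the CN is included for the message."""
    names = []
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    names += [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return list(dict.fromkeys(names))


def diagnose(configured_host: str, cert: dict, now: Optional[float] = None) -> List[str]:
    """Return the problems found (an empty list means name and dates are fine)."""
    now = time.time() if now is None else now
    problems = []
    names = certificate_names(cert)
    if not any(_match_name(name, configured_host) for name in names):
        problems.append(
            "hostname in certificate didn't match: <%s> != <%s>"
            % (configured_host, ", ".join(names) or "(no names)"))
    # getpeercert() formats dates as 'Jan  1 00:00:00 2024 GMT'
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before:
        problems.append("certificate not yet valid (notBefore %s)" % cert["notBefore"])
    elif now > not_after:
        problems.append("certificate expired (notAfter %s)" % cert["notAfter"])
    return problems


def fetch_peer_certificate(host: str, port: int = 636, cafile: Optional[str] = None) -> dict:
    """Live check from the Jamf Pro host: performs the same TLS handshake the
    LDAPConnectionVerifier does, trusting only the CA file you intend to
    upload (None falls back to the system trust store). Raises
    ssl.SSLCertVerificationError on a name mismatch or an untrusted chain."""
    context = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=10) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample: a certificate issued to the FQDN, as in the first
# log example above.
SAMPLE_CERT = {
    "subject": ((("commonName", "ldap-server.corporatedomain.tld"),),),
    "subjectAltName": (("DNS", "ldap-server.corporatedomain.tld"),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2026 GMT",
}
SAMPLE_NOW = ssl.cert_time_to_seconds("Jun 15 12:00:00 2025 GMT")

if __name__ == "__main__":
    # Short name configured in Jamf Pro vs. the FQDN on the certificate.
    print(diagnose("ldap-server", SAMPLE_CERT, SAMPLE_NOW))
    print(diagnose("ldap-server.corporatedomain.tld", SAMPLE_CERT, SAMPLE_NOW))
```

Running the script with the sample reproduces the mismatch text from the first log example for the short name and returns no problems for the FQDN. A live run that raises an SSLCertVerificationError before getpeercert() returns corresponds to the "PKIX path building failed" entries: the CA file passed in does not chain to the server certificate, or is outside its validity period.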
Certificate is Not in the DER or PEM Format
- Result
- An error is presented in the Jamf Pro console at the time of certificate upload.
- Resolution
- Ensure that your CA certificate is in the DER (.der) or PEM (.pem) file format. You may want to use openssl commands in the Terminal application or other tools to convert your certificate to the proper format.
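The following script is an added example, not Jamf's code. It tells a DER file from a PEM file by looking at the bytes rather than the file extension, rejects files that are neither (a truncated download, or a PKCS#7 bundle whose outer structure also starts with an ASN.1 SEQUENCE), and converts between the two formats with only the Python standard library. The certificate bytes in it are a constructed minimal ASN.1 structure with the outer shape of a certificate, not a real CA certificate; the function names are the example's own.

```python
"""Added example (not Jamf's code): detect whether certificate data is DER or
PEM and convert between the two. SAMPLE_DER is a constructed minimal ASN.1
structure (SEQUENCE { SEQUENCE { INTEGER 1 } }) that has the outer shape of
an X.509 certificate; it is not a real certificate."""
import base64
import re

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def _read_tlv(data: bytes, offset: int):
    """Parse one DER tag and length at offset; return (tag, value_start, value_end)."""
    tag = data[offset]
    first = data[offset + 1]
    if first < 0x80:                       # short form: length in one byte
        length, start = first, offset + 2
    else:                                  # long form: 0x8N then N length bytes
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(data[offset + 2:offset + 2 + nbytes], "big")
        start = offset + 2 + nbytes
    end = start + length
    if end > len(data):
        raise ValueError("truncated DER")
    return tag, start, end


def looks_like_der_certificate(data: bytes) -> bool:
    """A DER certificate is SEQUENCE { tbsCertificate SEQUENCE, ... } that
    spans the whole file. PKCS#7 (OID inside) and PKCS#12 (INTEGER inside)
    also start with 0x30 but fail the inner-SEQUENCE test."""
    try:
        tag, start, end = _read_tlv(data, 0)
        if tag != 0x30 or end != len(data):
            return False
        inner_tag, _, _ = _read_tlv(data, start)
        return inner_tag == 0x30
    except (IndexError, ValueError):
        return False


def detect_format(data: bytes) -> str:
    """Return 'PEM', 'DER' or 'UNKNOWN' for the raw file contents."""
    if PEM_RE.search(data):
        return "PEM"
    if looks_like_der_certificate(data):
        return "DER"
    return "UNKNOWN"


def pem_to_der(pem: bytes) -> bytes:
    """Strip the PEM armour and Base64-decode; strict decoding rejects junk."""
    match = PEM_RE.search(pem)
    if not match:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode(b"".join(match.group(1).split()), validate=True)


def der_to_pem(der: bytes) -> bytes:
    """Base64-encode in 64-character lines inside the CERTIFICATE armour."""
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return (b"-----BEGIN CERTIFICATE-----\n" + b"\n".join(lines)
            + b"\n-----END CERTIFICATE-----\n")


# Constructed samples (not real certificates).
SAMPLE_DER = b"\x30\x05\x30\x03\x02\x01\x01"        # SEQUENCE { SEQUENCE { INTEGER 1 } }
SAMPLE_P7_LIKE = b"\x30\x04\x06\x02\x2a\x03"        # SEQUENCE { OID } as in PKCS#7

if __name__ == "__main__":
    print(detect_format(SAMPLE_DER), detect_format(der_to_pem(SAMPLE_DER)))
    print(detect_format(SAMPLE_DER[:-1]), detect_format(SAMPLE_P7_LIKE))
```

The same conversions with openssl are `openssl x509 -inform der -in ca.cer -out ca.pem` (DER to PEM) and `openssl x509 -in ca.pem -outform der -out ca.der` (PEM to DER); `openssl x509 -in ca.pem -noout -subject -dates` shows the subject and validity period you will need for the issues above.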