Troubleshooting LDAP Connections to Active Directory

Updated: 01 July 2021

Product: Jamf Pro

If you cannot successfully integrate with an Active Directory (AD) server using the LDAP Server Connection Assistant in Jamf Pro, several options are available to troubleshoot this issue.

This article explains how to:

Troubleshoot an LDAP connection to AD using Apache Directory Studio
Troubleshoot a failed connection to the AD server
Find the DN or username for the bind user in Active Directory Users and Computers (ADUC)
Troubleshoot failed authentication with the bind DN or username

Troubleshooting Using Apache Directory Studio

Open Apache Directory Studio.

Note:
Apache Directory Studio is available for free at: http://directory.apache.org/studio/
Add a new LDAP connection.
Enter a connection name.
Enter the host name of the AD server.
If you have a custom environment, modify the port and encryption method as needed.

Note:
Using an encryption method allows Jamf Pro to perform authentication with AD using LDAP over SSL (LDAPS). For more information, see Configuring Jamf Pro to Use LDAP Over SSL When Authenticating with Active Directory.
Click Check Network Parameter and verify that the host name resolves correctly. If the connection fails, see the "Additional Information" section.
Once the connection is established successfully, click OK, and then click Next.
Choose an authentication method.

Note:
Jamf Pro supports Simple, CRAM-MD5, and DIGEST-MD5 authentication types only.
Enter credentials for a bind user in AD (an AD user with permissions to browse LDAP). There are three formats you can use for the bind DN or username:

Distinguished name (DN)
The full path to the common name of the object. For example, (CN=Administrator,OU=Users,DC=ad,DC=jamfsw,DC=corp).
Domain and sAMAccountName
For example, AD\administrator.
userPrincipalName
For example, administrator@ad.jamfsw.corp.

For more information on how to find the DN or username for the bind user, see the "Additional Information" section.
Click Check Authentication to verify the credentials. If the authentication fails, see the "Additional Information" section.
Once the correct credentials are entered and verified, click OK, and then click Finish.
Log in to Jamf Pro.
In the top-right corner of the page, click Settings.
Click System Settings.
Click LDAP Servers, and then click New.
Select Microsoft's Active Directory and then click Next.
Enter the hostname or IP address of the LDAP server, and then click Next.
Enter the domain of the LDAP server. The domain is the value for the dc attribute in Apache Directory Studio.
Enter credentials for a bind user in AD (an AD user with permissions to browse LDAP). The username must be value for the sAMAccountName attribute in Apache Directory Studio. After you enter the username, Jamf Pro automatically adds ad\ to the beginning so that it is in the domain\username format.
Enter two users to verify attribute mappings for, and then click Next. The usernames must be the values for the sAMAccountName attributes in Apache Directory Studio. Jamf Pro will use these usernames to determine the search base for the LDAP server connection. You will be able to use the LDAP server connection to search for users that share the lowest common denominator of these two usernames. For example, if you want to be able to search for users in two different organizational units (OUs), you must enter a username from each OU.
Verify the attribute mappings for the users and click Next. These mappings are based on settings in ADUC. If you want to use custom mappings, you can enter them here or wait until later. Click the ellipsis ... button to edit mappings.
Enter two groups to verify group membership mappings for, and then click Next. The groups must be the values for the sAMAccountName attributes in Apache Directory Studio. You should choose two groups that the users from step 20 are members of.
Verify the group membership mappings and click Next.
Click Save.

After you finish creating the LDAP server connection, you should view the mappings and verify that the search bases are correct. If the users search base is OU=Test,OU=JAMFSW,DC=ad,DC=jamfsw,DC=corp, you can only search users in the Test folder. You can modify the search base to include a wider search range. For example, if you change the search base to DC=ad,DC=jamfsw,DC=corp, you can search all computers in the domain.

Troubleshooting a Failed Connection

The connection to the AD server may fail if:

Apache Directory Studio cannot reach the AD server
The port entered in Apache Directory Studio is incorrect
The encryption method in Apache Directory Studio does not match the encryption method of the AD server

To ensure that you can reach the server, execute the following command and verify that you receive a response:

ping ad.jamfsw.corp

To verify that the server uses the port that you entered in Apache Directory Studio, execute a command similar to the following and verify that you receive a connected status:

telnet ad.jamfsw.corp 389

To verify the encryption method of the AD server, contact your AD administrator.

Finding the DN or Username for the Bind User

You can find the DN or username for the bind user by opening ADUC, right-clicking a user, and choosing Properties.

To find the distinguished name, click the Attribute Editor tab.

The Attribute Editor tab in Administrator Properties

To find the domain and sAMAccountName or the userPrincipalName, click the Account tab. The domain and sAMAccountName is in the User logon name (pre-Windows 2000) fields. The userPrincipalName is in the User logon name field.

The Account tab in Administrator Properties

Troubleshooting Failed Authentication with the Bind DN or Username

Authentication with the bind DN or username may fail if:

The bind user entered does not exist in AD
The bind user entered does not have permission to browse LDAP
The DN or username is not formatted properly

Contact your AD administrator.