By Greg Keller Posted April 17, 2015
This post is no longer accurate. Please visit our support documentation for an up to date guide.
JAMF Software’s Cloud platform enables their customers to host their Software Server and Casper Suite products in the cloud. A prerequisite is connecting it to an LDAP server for user authentication and authorization. This is where the LDAP-as-a-Service aspect of JumpCloud’s product comes into play, obviating the need for JAMF customers to download, install and manage an OpenLDAP (or similar) server: JAMF can tie into JumpCloud’s cloud-based user directory through native LDAP. This article walks through the configuration required to connect JAMF to JumpCloud’s LDAP endpoint screen by screen, as well as the configuration required up front on the JumpCloud side.
Initial set-up: Preparing JumpCloud as the LDAP directory
Before JAMF can be integrated with JumpCloud to access the user identities managed in its cloud-based directory, the following steps need to be completed to ensure JAMF can communicate effectively via ldapsearch.
1) Turn the LDAP Service ‘On’
In JumpCloud’s ‘Settings’ enable the LDAP service…
Once enabled, JumpCloud unveils certain customer-specific data, aspects of which will be required when setting up ldapsearch in the steps below…
2) Create an LDAP Service User Account
When utilizing LDAP, JumpCloud recommends the use of a binding user service account (i.e., the “Bind DN”). This user acts as a true service account, enabling LDAP clients to search the user directory as the Bind DN. To create this user:
- Go to Users and ‘Add User’
- Fill in the properties of this service account as you wish. An example using the username “ldapuser” is shown below.
- Most critically, ensure ‘LDAP binding user service account’ checkbox is enabled.
- Enter a password for the service account to ensure the account is ‘verified’ and active.
3) Create a User and Tag (Group) in JumpCloud:
For purposes of the JAMF configuration and connection test screens below, two objects also need to be created in JumpCloud:
1) A User, “John Smith” (username jsmith)
2) A Tag (i.e., a ‘Group’) entitled “JSS”
To create a user:
- Click on the Users tab of the left navigation tree
- Click Add User
- Input First Name (John), Last Name (Smith), User Name: jsmith and email: email@example.com
- Once added, go back into the ‘Details’ of the newly created user
- IMPORTANT! Give this user a password. This immediately ‘verifies’ the account, enabling it to be searched for and found via LDAP. Alternatively, an email was sent to this user’s address to complete the verification step, but the Admin can verify the account immediately by setting a password directly.
With the user created, we’ll next build a Tag. Tags are analogous to ‘Groups’ in LDAP. This is where the specific members who should be authorized to use JAMF will be contained or ‘grouped’. LDAP sees JumpCloud’s Tags as either posixGroups or groupOfNames. To create a Tag:
- Click on the Tags tab of the left navigation tree
- Click Add Tag
- Name the Tag ‘JSS’ (for purposes of this demo)
- Select the checkbox for ‘Create Linux group for this tag’. With this enabled, LDAP will recognize the Tag as a posixGroup. A Tag is always exposed as a groupOfNames through our LDAP regardless of whether that checkbox is checked.
- Provide a GID for this Tag, e.g. ‘20000’.
- In ‘All Users’, find the jsmith user you created above and check this user.
- Click OK/Add Tag.
With JumpCloud LDAP set up and the user and tag built, let’s configure JAMF to communicate with JumpCloud via LDAP.
IMPORTANT: This article will be extremely helpful for understanding JumpCloud’s LDAP Bind DN, Base DN and the other configuration parameters that applications like JAMF will require for successful integration.
Connection and Mappings:
With the initial LDAP configuration complete, specific User and Group Mappings must be applied.
Next, User Group Mappings must be configured.
NOTE: Within JumpCloud, only Tags that have been created without the ‘Create Linux group for this tag’ option. groupOfNames is the LDAP query used for checking membership of Groups that should be imported into JAMF; checking this option will essentially have LDAP see the Tag as a posixGroup.
User Group Mappings:
Finally, User Group Membership Mappings require configuring if Tags/Groups are going to be used to contain the specific LDAP users that JAMF will query to authenticate/authorize:
User Group Membership Mappings:
With User, Group and Membership mappings applied, you may test the configuration within JAMF before deployment.
Testing a lookup for jsmith:
Testing a lookup for a Tag (Group):
Testing a lookup for User and Group Membership:
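The screenshots for the Tag step above and for these three lookup tests are not reproduced here, so the following Python script is an added example (not JumpCloud’s or JAMF’s code) of what those lookups resolve against. It builds a constructed LDIF snapshot of the three objects created in this guide (the ldapuser bind account, jsmith, and the JSS tag with GID 20000), parses it, and shows how membership differs between the two representations of a Tag: groupOfNames carries full member DNs, posixGroup carries bare memberUid values, which is exactly the choice a User Group Membership Mapping has to get right. It also shows how to escape a username before placing it in an LDAP search filter, and how to assemble an ldapsearch invocation with the real OpenLDAP flags. The DN layout (`ou=Users,o=…,dc=jumpcloud,dc=com`), the placeholder host, and an entry carrying both object classes at once are assumptions for illustration; take the real Bind DN, Base DN and host from the JumpCloud LDAP settings page.

```python
"""Added example: resolve JumpCloud Tag membership over LDAP for a JAMF-style
client. Not JumpCloud's or JAMF's code; all data below is constructed."""

# Assumed DN layout and host (illustrative placeholders, not from the post).
BASE_DN = "o=ORG_ID_PLACEHOLDER,dc=jumpcloud,dc=com"
USERS_DN = f"ou=Users,{BASE_DN}"
LDAP_HOST = "ldaps://HOST_PLACEHOLDER:636"

# Constructed LDIF mirroring the objects created in the guide. The JSS entry
# carries both classes because the post says a Linux-group tag is visible as a
# posixGroup while every tag is also a groupOfNames (assumed single entry).
SAMPLE_LDIF = f"""\
dn: uid=ldapuser,{USERS_DN}
objectClass: inetOrgPerson
uid: ldapuser
cn: LDAP Service Account

dn: uid=jsmith,{USERS_DN}
objectClass: inetOrgPerson
objectClass: posixAccount
uid: jsmith
cn: John Smith
givenName: John
sn: Smith
mail: email@example.com

dn: cn=JSS,{USERS_DN}
objectClass: groupOfNames
objectClass: posixGroup
cn: JSS
gidNumber: 20000
member: uid=jsmith,{USERS_DN}
memberUid: jsmith
"""


def parse_ldif(text):
    """Minimal LDIF parser: blank-line separated entries, 'attr: value' lines,
    RFC 2849 line folding (continuation lines start with a space). Base64
    ('::') values are not handled. Returns [{attr: [values]}], 'dn' included."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold continuation line
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:             # sentinel flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    return entries


def find_by_dn(entries, dn):
    return next((e for e in entries if e["dn"][0].lower() == dn.lower()), None)


def find_user(entries, uid):
    return next((e for e in entries
                 if "inetOrgPerson" in e.get("objectClass", []) and uid in e.get("uid", [])), None)


def find_group(entries, cn):
    return next((e for e in entries
                 if {"groupOfNames", "posixGroup"} & set(e.get("objectClass", []))
                 and cn in e.get("cn", [])), None)


def group_members(entries, group):
    """Membership per object class, both resolved to uids so they can be compared.
    groupOfNames -> 'member' holds full DNs; posixGroup -> 'memberUid' holds uids."""
    result, classes = {}, group.get("objectClass", [])
    if "groupOfNames" in classes:
        uids = set()
        for dn in group.get("member", []):
            member = find_by_dn(entries, dn)
            if member is not None:          # dangling DNs are ignored, not trusted
                uids.update(member.get("uid", []))
        result["groupOfNames"] = uids
    if "posixGroup" in classes:
        result["posixGroup"] = set(group.get("memberUid", []))
    return result


def is_authorized(entries, uid, group_cn):
    """True only if the user exists and is a member of the tag under at least
    one representation; unknown users or tags are denied."""
    user, group = find_user(entries, uid), find_group(entries, group_cn)
    if user is None or group is None:
        return False
    return any(uid in members for members in group_members(entries, group).values())


_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}


def escape_filter_value(value):
    """RFC 4515 escaping so a typed username cannot change the filter's shape."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_filter(uid):
    return f"(&(objectClass=inetOrgPerson)(uid={escape_filter_value(uid)}))"


def group_filter(cn, linux_group):
    """posixGroup only applies to tags created with 'Create Linux group for this
    tag'; groupOfNames applies to every tag."""
    oc = "posixGroup" if linux_group else "groupOfNames"
    return f"(&(objectClass={oc})(cn={escape_filter_value(cn)}))"


def ldapsearch_argv(bind_dn, base_dn, ldap_filter, host=LDAP_HOST):
    """argv for OpenLDAP ldapsearch: -x simple bind, -LLL terse LDIF, -W prompts
    for the bind password instead of exposing it on the command line."""
    return ["ldapsearch", "-x", "-LLL", "-H", host, "-D", bind_dn, "-W", "-b", base_dn, ldap_filter]


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    print(group_members(entries, find_group(entries, "JSS")))
    print(is_authorized(entries, "jsmith", "JSS"), is_authorized(entries, "ldapuser", "JSS"))
    print(user_filter("jsmith)(uid=*"))   # injection attempt is neutralised
    print(" ".join(ldapsearch_argv(f"uid=ldapuser,{USERS_DN}", BASE_DN, user_filter("jsmith"))))
```

Running the script against the sample data returns jsmith as a member of JSS under both object classes, while the ldapuser bind account (which is never added to the Tag) is denied; swapping the third entry’s `memberUid` and `member` lines reproduces the usual symptom of a mismatched membership mapping in JAMF, where a user is found but shows no groups.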
And that’s it! Congratulations, you have successfully configured JAMF with JumpCloud via LDAP. Feel free to contact JumpCloud support for any other questions on this integration.