Skip to main content
Solved

Inital Connection to On-Prem AD LDAP and "Could not find user" during "Enter Credentials" step

  • June 27, 2023
  • 7 replies
  • 46 views
N
Forum|alt.badge.img+3

This is our first JAMF Pro instance being hosted in the cloud by JAMF and we've been hitting roadblocks while getting it set up for the first time using our on-prem Microsoft AD LDAP server. The first block was a firewall issue where it wouldn't proceed past the "Enter Server Info" step using the LDAP Server Assistant. We've got that sorted and it proceeds to the next step of "Enter Credentials," but that is where we are currently stuck and support emails haven't provided much insight and it seems this step isn't a big enough trouble point to be online on forums.

 

We're using SSL with a cert generated from Digicert(also attempted a self signed cert from the server, but can try again if better instructions are found). I've created an AD Service Account just for this connection and have confirmed it exists. I've also tried my personal AD account and it still states "Could not find user."

 

What are we missing here and how can we determine the point of failure?

Best answer by AJPinto

We do not have a proxy in place and did not realize it was required, it read to us like it was optional. And you would be right, we do have an SE to get us off the ground, but this initial LDAP connection we are lead to believe isn't covered as the SE wouldn't have knowledge of our setup and all that.

 

We'll take a look at AAD though and see if there was a reason this wasn't mentioned at the start.


On Prem JAMF and LDAP is a snap to setup. Off Prem (cloud) you need something (the LDAP Proxy) to allow the cloud instance to see your on Prem LDAP instance. Assuming you don't have your on Prem LDAP instance open internet, which would be hilarious :). 

 

For AAD, it does all the directory look up stuff you would expect. AAD integration not 100% feature parallel with LDAP, but it is close enough for most environments. The biggest difference for me is you cant log in to JAMF with an AAD account, you need to setup SSO with something like Azure. However for cloud hosted anything you really want to federate your login with some IDP to protect the product.

Azure AD Integration - Jamf Pro Administrator's Guide | Jamf

Single Sign-On - Jamf Pro Administrator's Guide | Jamf

    7 replies

    AJPinto
    Forum|alt.badge.img+26
    • AJPinto
    • Legendary Contributor
    • June 27, 2023

    Do not selfsign anything that is related to anything Apple, you will only have a bad time. 

    I recommend checking your LDAP Proxy and making sure its setup correctly and your DMZ is configured to allow it to function. Since you are setting up your environment for the 1st time, I would suggest reaching out to your JAMF SE for assistance. Usually JAMF has an admin service that covers getting you off the ground, but I dont know if the LDAP proxy is included in that. 

    You may not be aware, but JAMF Support AAD and AAD serves many of the same functions of LDAP for JAMF. AAD is also much easier to setup for cloud instances. 

     

    LDAP Proxy - Jamf Pro Administrator's Guide | Jamf

     

    N
    N
    Forum|alt.badge.img+3
    • New2JAMF
    • Author
    • New Contributor
    • June 27, 2023

    Do not selfsign anything that is related to anything Apple, you will only have a bad time. 

    I recommend checking your LDAP Proxy and making sure its setup correctly and your DMZ is configured to allow it to function. Since you are setting up your environment for the 1st time, I would suggest reaching out to your JAMF SE for assistance. Usually JAMF has an admin service that covers getting you off the ground, but I dont know if the LDAP proxy is included in that. 

    You may not be aware, but JAMF Support AAD and AAD serves many of the same functions of LDAP for JAMF. AAD is also much easier to setup for cloud instances. 

     

    LDAP Proxy - Jamf Pro Administrator's Guide | Jamf

     


    We do not have a proxy in place and did not realize it was required, it read to us like it was optional. And you would be right, we do have an SE to get us off the ground, but this initial LDAP connection we are lead to believe isn't covered as the SE wouldn't have knowledge of our setup and all that.

     

    We'll take a look at AAD though and see if there was a reason this wasn't mentioned at the start.

    AJPinto
    Forum|alt.badge.img+26
    • AJPinto
    • Legendary Contributor
    • Answer
    • June 27, 2023

    We do not have a proxy in place and did not realize it was required, it read to us like it was optional. And you would be right, we do have an SE to get us off the ground, but this initial LDAP connection we are lead to believe isn't covered as the SE wouldn't have knowledge of our setup and all that.

     

    We'll take a look at AAD though and see if there was a reason this wasn't mentioned at the start.


    On Prem JAMF and LDAP is a snap to setup. Off Prem (cloud) you need something (the LDAP Proxy) to allow the cloud instance to see your on Prem LDAP instance. Assuming you don't have your on Prem LDAP instance open internet, which would be hilarious :). 

     

    For AAD, it does all the directory look up stuff you would expect. AAD integration not 100% feature parallel with LDAP, but it is close enough for most environments. The biggest difference for me is you cant log in to JAMF with an AAD account, you need to setup SSO with something like Azure. However for cloud hosted anything you really want to federate your login with some IDP to protect the product.

    Azure AD Integration - Jamf Pro Administrator's Guide | Jamf

    Single Sign-On - Jamf Pro Administrator's Guide | Jamf

    N
    N
    Forum|alt.badge.img+3
    • New2JAMF
    • Author
    • New Contributor
    • June 27, 2023

    On Prem JAMF and LDAP is a snap to setup. Off Prem (cloud) you need something (the LDAP Proxy) to allow the cloud instance to see your on Prem LDAP instance. Assuming you don't have your on Prem LDAP instance open internet, which would be hilarious :). 

     

    For AAD, it does all the directory look up stuff you would expect. AAD integration not 100% feature parallel with LDAP, but it is close enough for most environments. The biggest difference for me is you cant log in to JAMF with an AAD account, you need to setup SSO with something like Azure. However for cloud hosted anything you really want to federate your login with some IDP to protect the product.

    Azure AD Integration - Jamf Pro Administrator's Guide | Jamf

    Single Sign-On - Jamf Pro Administrator's Guide | Jamf


    Thank you for those links! We do put everything we have behind SSO using Azure, so that is not a problem for us. And just to understand correctly, once we hook into AAD, we can just ignore the LDAP connection step then since it will pull users and groups from AAD?

    N
    Forum|alt.badge.img+3
    • New2JAMF
    • Author
    • New Contributor
    • June 27, 2023

    Thank you for those links! We do put everything we have behind SSO using Azure, so that is not a problem for us. And just to understand correctly, once we hook into AAD, we can just ignore the LDAP connection step then since it will pull users and groups from AAD?


    Actually, I just stumbled upon my answer to this and that we shouldn't attempt to do both. I appreciate your help and you've been way more help than previous support avenues. I'll mark this as answered from you once we have it connected!

    sdagley
    Forum|alt.badge.img+25
    • sdagley
    • Jamf Heroes
    • June 27, 2023

    (Apologies for the out of band response, I was interrupted while replying and managed to miss several responses between the original question and posting my response)

    @New2JAMF Is your LDAP server public facing (that's not normally the case), or are you using a Jamf Infrastructure Manager to proxy communications between your on-prem AD server and your Jamf Cloud instance? It's been several years since we did our Jamf Cloud migration but as I recall setting up the LDAP configuration to use a JIM wasn't possible using the "wizard" approach after choosing the "Microsoft's Active Directory" option for adding an LDAP server and I had to use the "Configure Manually" option to specify the JIM configuration. 

    Also note that you will need the certificate for your LDAP server if you're configuring the connection to use SSL (which you should be).

    N
    Forum|alt.badge.img+3
    • New2JAMF
    • Author
    • New Contributor
    • June 27, 2023

    On Prem JAMF and LDAP is a snap to setup. Off Prem (cloud) you need something (the LDAP Proxy) to allow the cloud instance to see your on Prem LDAP instance. Assuming you don't have your on Prem LDAP instance open internet, which would be hilarious :). 

     

    For AAD, it does all the directory look up stuff you would expect. AAD integration not 100% feature parallel with LDAP, but it is close enough for most environments. The biggest difference for me is you cant log in to JAMF with an AAD account, you need to setup SSO with something like Azure. However for cloud hosted anything you really want to federate your login with some IDP to protect the product.

    Azure AD Integration - Jamf Pro Administrator's Guide | Jamf

    Single Sign-On - Jamf Pro Administrator's Guide | Jamf


    So that was much easier than messing with the on-prem; however, it doesn't pull results when I search for a username. Should it be searching our AAD or just whomever connected to JAMF?

    Terms & ConditionsCookie settingsAccessibility statement