Any using or tried JumpCloud for LDAP?

tony_schaps
Contributor

Currently have no LDAP system, growing rapidly and looking to implement something. This "Directory as a Service" cloud service looks interesting. Has anyone tried it?
https://jumpcloud.com/

Thanks


asopher
New Contributor

Hey Tony,

We are actually working to implement it now. We are in a test phase before we roll out. Same situation. No directory server, in need of one ASAP, however trying to stay cloud first and focused. Still no servers on prem so far ;-)

Let me know if you have any questions or have had a chance to try it out. I can't find too many others who have experience with it so far. We did have lunch with the CEO and it is a very fascinating product. There may be some immaturities within the current build, but only expect the product to grow. We do know, it does not integrate with Okta well, but does integrate with Bitium very well.

Regards,

Anthony

tony_schaps
Contributor

Thanks for the response. Our need for LDAP is only really to make Casper work better for enrolling and assigning/managing computers. I am torn whether to investigate this further or just set up a simple open directory on CentOS, or even use our Mac mini Casper server to run Open Directory. Rather have a cloud solution if possible (and worth the money). Or I could also forget it and enter user info manually.
Hmmm...

mpermann
Valued Contributor II

@tony.schaps could you use a limited enrollment-only account to enroll the devices and fill in any other information important to you manually? Do you have a lot of users that would make using LDAP worthwhile?

kitzy
Contributor III

@tony.schaps I've been looking for a cloud directory service for a while now, and haven't found one I liked. This was the first I heard of JumpCloud, but after about 10 minutes I've got it talking to my JSS and user and group lookups are working as expected. I plan to hammer on it more, but so far it seems like a totally viable option for assigning computers to users in the JSS.

tony_schaps
Contributor

@mpermann I do have a limited enrollment-only account, but we're at about 130 staff adding 15-20 per month. I'd much rather edit a directory record linked with an asset than to do it all manually, although I certainly could do it manually. There are other services we have which might also be able to be simplified as we grow by linking to an LDAP. It could make on- and off-boarding a lot easier. Kinda wish we could just do it with Google Apps, which we have anyway, but as I understand it, will not work with Casper Suite. Thanks!

tony_schaps
Contributor

@kitzy Cool, thanks for the info. I may have enough reason to demo JumpCloud now. Don't have the skillz with Casper yet, though. Thanks!

kitzy
Contributor III

@tony.schaps no worries, happy to help! I'll probably end up blogging my findings after some more testing. I'll post back here with the link if/when I do.

DaaSJames
New Contributor

Hi, guys, I'm James Brown, JumpCloud's Chief Architect.

Just saw this thread and wanted to point out a couple of things:

  1. We actually work very well with Okta. You can find an integration video (https://jumpcloud.com/engineering-blog/integrating-okta-and-jumpcloud-with-ldap/) and step-by-step instructions (https://jumpcloud.com/engineering-blog/integrating-okta-jumpclouds-ldap-service/) on our engineering blog, at https://jumpcloud.com/engineering-blog.

  2. We can also help you to integrate your Google Apps users with JAMF software. We can import your users, and then expose them to the rest of your infrastructure via LDAP, RADIUS, through our local agent. That means you can expose your Google Apps users to JAMF Casper, as well!

Many of our customers use both JAMF Casper and JumpCloud together, so we'd love to help you add JumpCloud's directory services to JAMF Casper's already-considerable capabilities.

If you've got any questions, feel free to email me directly at james@jumpcloud.com.

Thanks!
James

john_at_lindegr
New Contributor

We can also help you to integrate your Google Apps users with JAMF software. We can import your users, and then expose them to the rest of your infrastructure via LDAP, RADIUS, through our local agent. That means you can expose your Google Apps users to JAMF Casper, as well!

This is gold. Is there documentation on this configuration anywhere?

DaaSJames
New Contributor

Here's how that configuration looks:

  1. Connect JumpCloud to Google Apps (http://support.jumpcloud.com/knowledgebase/articles/613809-getting-started-with-google-apps-user-import-prov)
  2. Set up JAMF Casper to connect to JumpCloud's LDAP service (https://jumpcloud.com/engineering-blog/integrating-jamf-softwares-lamf-cloud-with-ldap/)

Once done, your Google Apps users will be imported into JumpCloud, and then they'll be exposed through LDAP to JAMF Casper!

If you run into any trouble, please email support@jumpcloud.com.

James

rlincoln
New Contributor

We are in the middle of implementing Jump Cloud and we found an issue with keychain. Changing the password on the Jump Cloud portal will not change the password for keychain, therefore not syncing with FileVault. Changing the password locally (Users & Groups) will not change the directory account password and will cause keychain problems. They have said they are 50% of the way with integrating this piece, and when I was initially testing the Jump Cloud agent it was unsigned, but the new agent 0.9.561 is signed.

Seems they have a few issues to overcome. But this could be a great cloud directory service. Just a heads up!

Rick

jared_f
Valued Contributor

We are also taking a look into Jump Cloud. Is there a way to just bind the computers and then have the users input their username and password in a lab setting? I have been trying, but it seems I have to push individual user accounts via JumpCloud. Thanks for any help.

mpermann
Valued Contributor II

@jared_f there used to be a knowledgebase article on JumpCloud's website explaining how to bind Mac OS X to JumpCloud. I printed it out last November when I was testing with JumpCloud. I searched their website and was unable to find it. The article number was 2439994. I emailed their support asking why the document was removed. I scanned my printed copy and you can access it here. If I hear back from their support people I will update the thread with hopefully a valid link from JumpCloud's website for the article. After binding a computer to JumpCloud using the method in that article I was able to login using a set of JumpCloud credentials to log into the computer. I didn't assign the user I logged in with to the computer in JumpCloud and I don't have the JumpCloud agent installed on the computer I used. If you need further help let me know.

jared_f
Valued Contributor

@mpermann Thank you! This worked perfectly.

rlincoln
New Contributor

Hey Guys,

Just an update, I am testing this here I will let you guys know my findings.

Rick

jared_f
Valued Contributor

I am going to see if I can find or write a script that will complete this binding process for us. It is a few more steps than normal bindings.

mpermann
Valued Contributor II

@jared_f give the instructions that @rlincoln posted above your post a try. I gave those a try and those seemed to work as well. You may no longer need to do step #18 in the instructions I posted above. The newer instructions might be more standard and you might be able to do it with Casper or use some existing binding scripts.

jared_f
Valued Contributor

@mpermann I am going to take a look into a binding script later today. I will get back to you.

mpermann
Valued Contributor II

@jared_f I did receive a response from JumpCloud on why the original article that I provided you had been pulled. Below is their response:

...the reason the knowledge base article you are referring to has been pulled is because we no longer support LDAP binding on systems, and rather require the JumpCloud agent.

If anyone has any ideas on how to get access to groups on a Mac OS X Server that is bound to a JumpCloud directory I'd love to know how you did it. That's the last hurdle I'm trying to clear with the POC I'm doing with their product. If I can get a Mac OS X Server properly connected to a JumpCloud system and be able to assign folders on the share to groups pulled from the JumpCloud directory I would be thrilled.

jared_f
Valued Contributor

@mpermann The issue with the JumpCloud agent for me was that it doesn't allow users to log in and build a home folder. I literally have to push it from JumpCloud admin dashboard. That document you scanned allowed me to bind the computer to JumpCloud and now allows me to log in using credentials. Have you had any different result with the JumpCloud agent? This would be an issue with a lab environment. I really like the idea of cloud hosted directories because then they are always online.

mpermann
Valued Contributor II

@jared_f when I installed the agent on a test computer, as long as I assigned users to the computer in the admin console I could login with their credentials. I don't imagine that would be very convenient for a lab situation though. I don't know what their workflow looks like for that situation. They need to do some more engineering on their agent. They don't have local keychain password and FileVault password sync working. The Nomad folks have that sorted. They also make the /opt directory visible which isn't a good idea in my opinion.

jared_f
Valued Contributor

@mpermann I have been testing it on a test MacBook and it seems to be working ok. I am binding the computer via the steps in the document you provided and also installing the agent. I am creating fresh users and not pushing them to the computers via the admin console. I enter the credentials, it accepts, and builds the home folder. The only issue I have seen is that logins take an average of about 20-25 seconds. I am going to keep investigating.

rlincoln
New Contributor

@jared_f is it just on initial login that you are seeing the delay? Is the system FileVault encrypted? If it is just on initial account creation I would consider that normal behavior, as it is pulling down the account info, creating the home directory, etc.

jared_f
Valued Contributor

@rlincoln I agree, it is most likely normal behavior because (as you said) it is creating a home directory. I personally think it is slower than an on-premise directory server. Obviously, it has many, many upsides for reliability, etc. I am looking into giving new laptops out next year and will probably use JumpCloud for our directory. I am looking into finding a script for binding (so I do not have to push users directly down to the machines).

rlincoln
New Contributor

I just got off the phone with Jump Cloud and they said they no longer support that method, as using the JC agent it will always be available instead of having to be on your network or VPN to auth against. We are going to test managing Jump Cloud through Casper. I will know more next week.

Rick

SegalCo
New Contributor II

@rlincoln and all:

Yesterday JumpCloud informed me and updated their kb regarding the keychain issue:

The issue has been resolved in agent 0.9.560 and newer. The KB has been updated. It will not retroactively fix users that were provisioned with the older agent, so they will need to be fixed manually with the step documented. You can leverage commands to perform the fix if desired. Let me know if you have any additional questions.

SegalCo
New Contributor II

Hello. New here. My JumpStart remains to be scheduled. Currently leveraging Bushel / JAMF Now.

Been evaluating JumpCloud GSuite integration—works well. I went ahead and hid /opt with seemingly no ill effect—I agree it should be hidden. As far as binding to systems, our company is small and I'll be fine doing it from the JC console to the agent.

In general is everyone here finding JumpCloud LDAPaaS and JAMF Pro / Casper connectivity reliable, robust, working as advertised? Any ldaps:// SSL issues? Would love to hear of pitfalls, recommendations, praise, thoughts etc.

Thanks

mpermann
Valued Contributor II

@jgeiger I've been testing JumpCloud's LDAP integration with a small test JSS and have noticed some issues. I have a JumpCloud account setup as an LDAP account with admin permissions for logging into my JSS. Sometimes I am unable to login to the JSS using those credentials. At times I am only able to login with the local admin account I've created in the JSS. I've also got some VPP Mac apps scoped to some LDAP groups setup in JumpCloud. I've noticed that from time to time the In Use column will show 0 which indicates to me that the connection between the JSS and JumpCloud has been lost. I'm running 9.97.1482356336 on Ubuntu 14.04.5 LTS with Java 1.7.0_121, Tomcat 7.0.52, and MySQL 5.5.54. I know they recommend Java 1.8 and Tomcat 8, but my setup does meet the minimum requirements so I am not sure the problem I'm seeing is because of the JSS. I've not had a chance to contact my TAM or the JumpCloud folks about the issue yet. I've been trying to get some help with using JumpCloud as the directory for assigning permission for file sharing in Mac OS X Server. Not had much luck getting that working yet. You might want to check the LDAP based login and LDAP based group scoping with your JSS if this is something you think you might need.
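
A check an administrator could run from the JSS host to catch the intermittent loss of the LDAP link described in the post above (logins failing, the In Use column dropping to 0). This is an added example and not code from this thread, from JumpCloud or from Jamf. It assumes OpenLDAP's `ldapsearch` and `logger` are installed, that the service account's password sits in a root-only file, and that groups are `groupOfNames` entries carrying a `member` attribute; the URI and DNs are placeholders to be overridden through the environment, not values taken from this thread.

```shell
#!/bin/sh
# Added example: probe the LDAPS link the JSS depends on and report when a
# bind, a user lookup or a group lookup stops returning results.
# Not JumpCloud or Jamf code.
#
# Assumptions (all placeholders, override via environment variables):
#   LDAP_URI      ldaps:// URI of the directory service
#   BIND_DN       read-only service account the JSS binds with
#   BIND_PW_FILE  root-only file holding that account's password
#   BASE_DN       search base for user entries
#   GROUP_DN      an LDAP group (groupOfNames) the JSS scopes policies to
#   TEST_UID      a uid that is expected to exist under BASE_DN
LDAP_URI="${LDAP_URI:-ldaps://ldap.example.invalid:636}"
BIND_DN="${BIND_DN:-uid=jss-ldap,ou=Users,o=ORGID_PLACEHOLDER,dc=example,dc=invalid}"
BIND_PW_FILE="${BIND_PW_FILE:-/etc/jss-ldap.pw}"
BASE_DN="${BASE_DN:-ou=Users,o=ORGID_PLACEHOLDER,dc=example,dc=invalid}"
GROUP_DN="${GROUP_DN:-cn=mac-app-users,ou=Users,o=ORGID_PLACEHOLDER,dc=example,dc=invalid}"
TEST_UID="${TEST_UID:-alice}"

# Return 0 if the LDIF text in $1 contains an entry whose uid is $2.
ldif_has_uid() {
    printf '%s\n' "$1" | grep -qx "uid: $2"
}

# Print how many member lines the LDIF text in $1 contains (0 when none).
ldif_member_count() {
    printf '%s\n' "$1" | grep -c '^member: ' || true
}

# One authenticated search, printed as unwrapped LDIF; non-zero exit on failure.
# $1 = search base, $2 = scope (base|sub), $3 = filter, rest = attributes.
ldap_query() {
    base=$1; scope=$2; filter=$3; shift 3
    ldapsearch -LLL -x -o ldif-wrap=no -o nettimeout=10 -l 10 \
        -H "$LDAP_URI" -D "$BIND_DN" -y "$BIND_PW_FILE" \
        -b "$base" -s "$scope" "$filter" "$@"
}

# Exit codes: 0 healthy, 1 bind/search failed, 2 test user missing, 3 group empty.
check_link() {
    users=$(ldap_query "$BASE_DN" sub "(uid=$TEST_UID)" uid) || {
        logger -t ldap-check "bind or search against $LDAP_URI failed"; return 1; }
    ldif_has_uid "$users" "$TEST_UID" || {
        logger -t ldap-check "uid $TEST_UID not returned from $BASE_DN"; return 2; }
    group=$(ldap_query "$GROUP_DN" base '(objectClass=*)' member) || {
        logger -t ldap-check "group lookup of $GROUP_DN failed"; return 1; }
    n=$(ldif_member_count "$group")
    [ "$n" -gt 0 ] || {
        logger -t ldap-check "$GROUP_DN returned no members"; return 3; }
    echo "ok: $TEST_UID found, $n member(s) in $GROUP_DN"
}

# Constructed LDIF, shaped like ldapsearch -LLL output, for an offline self-check.
SAMPLE_USER_LDIF='dn: uid=alice,ou=Users,o=ORGID_PLACEHOLDER,dc=example,dc=invalid
uid: alice'
SAMPLE_GROUP_LDIF='dn: cn=mac-app-users,ou=Users,o=ORGID_PLACEHOLDER,dc=example,dc=invalid
member: uid=alice,ou=Users,o=ORGID_PLACEHOLDER,dc=example,dc=invalid
member: uid=bob,ou=Users,o=ORGID_PLACEHOLDER,dc=example,dc=invalid'

# Return 0 when the parsing helpers behave as expected on the sample LDIF.
selfcheck() {
    ldif_has_uid "$SAMPLE_USER_LDIF" alice &&
        [ "$(ldif_member_count "$SAMPLE_GROUP_LDIF")" -eq 2 ]
}

case "${1:-}" in
    --run) check_link ;;
    *) selfcheck && echo "offline self-check passed; use --run to probe $LDAP_URI" ;;
esac
```

Run it from cron on the JSS host with `--run`; a non-zero exit plus the syslog line gives a timestamp to line up against the moments the In Use column shows 0 or an LDAP admin login is refused, which separates a directory-side outage from a JSS-side fault.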

jared_f
Valued Contributor

@rlincoln Hi! Do you possibly know a good binding script I could use to bind via the Users and Groups in system preferences? Thanks!

rlincoln
New Contributor

@jared_f

They have deprecated SAML based auth and have no plans to bring it back. Going forward they want to leverage the client only. We have the agent installed via a script during imaging as well as a policy for existing machines, then we have to go into the JC console and assign the user to the machine(s).

I did hear some good news that the newest version of the client supports Keychain sync, Mac agent version 0.9.575. They are still working on the FileVault sync and should be relatively soon!

Now that we have the ability to sync Keychain we will be flipping users over. We have several users that do not have the standard first initial last name format, so we will be using a script that they provided that will rename the home directory to match our standard naming convention.

jared_f
Valued Contributor

@rlincoln How are you doing it via imaging? When installing the client, it makes you enter the organization ID. Is this what you are using the script for? If so, could you possibly post it? I would love to have the binding as part of our imaging process!

Thanks,
Jared

rlincoln
New Contributor

I have a script in place that runs at reboot; you can follow the guide here: https://support.jumpcloud.com/customer/portal/articles/2389320-agent-deployment-via-command-line#osx

Rick

rlincoln
New Contributor

You can find your organization ID in the jumpcloud console>settings>general

conor
New Contributor III

Can anyone give me an answer regarding the setup of how JC and Jamf link together? Does the JSS need a public facing IP in order to hook in with its LDAPaaS? Our JSS is behind a VPN at the moment and not public facing.