Anyone using OneLogin vLDAP as a directory for the JSS?

bluo212
New Contributor II

Like the title says. OneLogin offers a vLDAP feature which will turn your OneLogin user directory into a cloud-based LDAP directory. It works 75% of the time but I've noticed that it will run into an error such as losing connection/not being able to query any users. Has anyone had better luck or tried using this?

19 REPLIES

bentoms
Release Candidate Programs Tester

@bluo212 Tbh, 9.93 should add support for SAML.

So might be able to use OneLogin that way when released.

bluo212
New Contributor II

@bentoms Yes I spoke with JAMF support regarding that. It will perform authentication for user-initiated enrollments but it will not perform LDAP functions like lookups and binding. Specifically, 9.93 won't perform authentication during DEP or assign users to devices. Hopefully that will change later down the road!

laurene
New Contributor

Hi! Do you just use this for user initiated enrollment? I'm curious to see if it integrates with the OneLogin Desktop App.

bluo212
New Contributor II

Hey there. I ended up not going with vLDAP because it didn't work 100% of the time. I did get user initiated enrollment to work with OneLogin via SAML, which was introduced in 9.93. If you want some direction with that, I'm happy to help where I can.

tangerinehuge
New Contributor III

@bluo212 Were you able to get User Group Mappings or User Group Membership Mappings working with VLDAP? I'm able to get users working fine but having difficulty with the other two.

Thanks!

taylor_trick
New Contributor

Tangerinehuge, can you please tell me how you were able to configure OneLogin LDAP with JAMF?

Br3ck
New Contributor III

@tangerinehuge - are you able to shed some light on how you have vldap configured? I also can't seem to get any of the group mapping tests to work successfully.

tangerinehuge
New Contributor III

Sorry, forgot to reply earlier. I haven’t gotten groups to work either. Supposedly the new version of OL will work better if they ever release it. At this point I may decouple it from LDAP entirely and just work with the APIs.

Br3ck
New Contributor III

So I finally got OneLogin to be forthright about this after countless hours of communication as well as OL trying to get me to engage a third party partner of theirs to get this working. -__-

"He did see your message and said that he can't provide the mappings information you requested until the group search functionality is out. -- After meeting with the developers this week, he's optimistic this will be implemented in November, but worst case, we have engineering commitment to have it finished prior to the end of the year."

We are very likely ditching vLDAP for JumpCloud. It works.

Br3ck
New Contributor III

@tangerinehuge - OneLogin just relayed to me that group lookup should be working with their vLDAP now. Is it working for you?

bkebbay
New Contributor

Hi guys, I am planning to use OneLogin VLDAP with Jamf Pro. Unfortunately, I cannot find any documentation.

Please can you point me in the right direction, or if you have one, can you share it? The email address to share it to is info@cancersl.org.

I would be grateful if you can share anything that would be useful.

Thank you

Br3ck
New Contributor III

@bkebbay - Just had a call with OneLogin again today and they are making progress but group lookup is still not functional as we were once told.

User lookup however has actually always been working.

Check out: https://onelogin.service-now.com/support/?id=kb_article&sys_id=7b3ad943db109700d5505eea4b9619db

typeraj
New Contributor III

@Br3ck Do you know if OneLogin made any progress with fixing the group lookup?

typeraj
New Contributor III

@Br3ck So I reached out to OneLogin support and they advised that the account you specify in the Jamf LDAP config should have super-user permissions set in the OneLogin console. I've done this and can verify that it works for user, group and group membership lookups.

Br3ck
New Contributor III

@typeraj - Raj! So nice to see you here! Hope you're well.

Sorry for the severe delay here, I somehow missed your reply.

I've been working with OneLogin on this for months now and it seems still pretty dead in the water for us at least.

I appreciate the super user tidbit but unfortunately we have had that permission in place since the initial configuration of vLDAP in JAMF so that wasn't our snag unfortunately.

While the built-in testing mechanism in the JAMF LDAP config pane seems to work successfully for user, group and group membership lookups, it doesn't actually function in action. I can't successfully scope policies to LDAP groups nor can my IT team authenticate to JAMF Pro using vLDAP (say in JAMF Remote as an example or at the /?failover auth URL).

The engineer I have been working with at OneLogin swears this functionality works in their internal instance of JAMF but I have yet to successfully get this going in ours even with their hand holding on call after call with them. Are you able to confirm that you can scope (limit) using a vLDAP group?

Also, are you able to add an LDAP group to the JAMF user administration and have your team successfully authenticating that way? (Not individual LDAP account creation within JAMF; that part works, but who cares because that's not really sustainable :P)

DouglasWard-IA
New Contributor III

@Br3ck I am super interested to hear about your work on this. I find myself in the same boat - needed to get this configured for our organization. Please post any more info or updates - thank you!

Br3ck
New Contributor III

@AdminIA - I am meeting with OneLogin today, stay tuned :)

davizmr
New Contributor

Hi @Br3ck and @AdminIA, how did the story end?
We are new to JAMF and to start I want to use OL vLDAP for user enrollment and inventory, so I am very interested in your final success on this topic.
Thanks!

Br3ck
New Contributor III

@davizmr - wow, sorry I am so bad at responding here. It's still not working properly with JAMF from my perspective :-/

This is the latest I have from our NoLogin rep about vLDAP:

*I'm reaching out to advise our base VLDAP refactor came out in our March release. Please find the release notes linked here.

vldap4.us.onelogin.com has also been updated with name attribute and entryDN enhancements.

However please note: there are also role/group search performance improvements coming soon which will be important for Jamf Pro testing. We'd recommend re-testing once all improvements are released for best results.*