Posted on 05-04-2015 04:28 PM
Does anyone use LDAP for authentication? We use LDAP for computer authentication here with a complicated logon hook to check affiliations for access. Anyone do anything similar? I am looking for advice and any help in how it should be done.
Posted on 05-05-2015 04:27 AM
What problems are you having?
LDAP and AD are the same thing really - well, one is a subset of the other.
Below is copied from Stackoverflow.com:
*Active Directory is a database based system that provides authentication, directory, policy, and other services in a Windows environment
LDAP (Lightweight Directory Access Protocol) is an application protocol for querying and modifying items in directory service providers like Active Directory, which supports a form of LDAP.
Short answer: AD is a directory services database, and LDAP is one of the protocols you can use to talk to it.*
Posted on 05-05-2015 08:01 AM
Computer authentication or user authentication? Those are two different things.
Posted on 05-05-2015 08:13 AM
We are actually doing both. User authentication. Then the computer is checked against another list to see if the user has access to that computer.
Posted on 05-05-2015 08:46 AM
We are using an LDAP connection on the JSS to authenticate users in Self Service and to authenticate techs and administrators to the JSS. We have recently been able to leverage an LDAP group on an OpenLDAP directory to place limitations on the scope of a policy. In our case, to verify that a user has paid their tech fee. We do not bind client computers to LDAP. The JSS handles all the queries. Computers are associated with LDAP users via the QuickAdd package that users are given during URL-based enrollment. Don't add LDAP groups to the JSS User Accounts unless you want the users in that group to be able to access the JSS web interface. Rather, use scope exceptions and limitations to leverage LDAP groups. If you are binding at login, Casper can set up the login hook, but will override any pre-existing login hooks. If you want to retain control of login hooks you can create one using the JSS and then copy-paste the bits into your own scripts and deploy them with policy. Even when not managing login hooks with Casper, the login trigger can be used to leverage LDAP in policies, as can Self Service.
We have also made an extension attribute that looks for a member-of attribute in LDAP user records. It uses the "LDAP Attribute Mapping" input type. Mileage on this may vary as it appears that the JSS is grabbing the first attribute in the user record and comparing it against the string you provide and ignores all others, so if you have more than one attribute assigned to a user and you want to verify that the second one listed exists, you are out of luck. Our schema is pretty simple, and so this usually works for displaying group membership status in inventory searches.
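The two points raised in this thread, a login hook or extension attribute deciding access from group membership and the JSS only comparing the first of a multi-valued attribute, come down to how the user record and the search filter are handled. The following is an added example (not code from any poster, the JSS, or Casper) that parses a constructed LDIF-style user record, checks every `memberOf` value rather than just the first, and builds the lookup filter with RFC 4515 escaping so a crafted username cannot alter the query. The user, group DNs and the `<result>` wrapper format are assumptions for illustration.

```python
"""Group-membership check over a multi-valued memberOf attribute, plus an
injection-safe LDAP search filter.  Added example; the record below is
constructed for illustration and does not come from a real directory."""
from typing import Dict, List

# Constructed LDIF-style record for a hypothetical user (not real data).
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=people,dc=example,dc=edu
uid: jdoe
cn: Jane Doe
memberOf: cn=students,ou=groups,dc=example,dc=edu
memberOf: cn=techfee-paid,ou=groups,dc=example,dc=edu
memberOf: cn=lab-101,ou=groups,dc=example,dc=edu
"""


def parse_ldif(text: str) -> Dict[str, List[str]]:
    """Parse one LDIF entry into attribute -> list of values.

    Every value is kept, so a multi-valued attribute such as memberOf is
    fully available instead of only its first occurrence.
    """
    record: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        # LDAP attribute names are case-insensitive; normalise to lower case.
        record.setdefault(name.strip().lower(), []).append(value.strip())
    return record


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515).

    Without this, a username such as 'jdoe)(uid=*' would change the
    structure of the filter instead of being matched literally.
    """
    out = []
    for ch in value:
        if ch in "\\*()" or ch == "\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def membership_filter(uid: str, group_dn: str) -> str:
    """Build a filter that matches only when uid is a member of group_dn."""
    return "(&(uid=%s)(memberOf=%s))" % (
        escape_filter_value(uid),
        escape_filter_value(group_dn),
    )


def is_member(record: Dict[str, List[str]], group_dn: str) -> bool:
    """True if any memberOf value equals group_dn.

    The comparison is case-insensitive and ignores spaces, a simplified
    form of DN matching that is enough for a plain schema like the one
    in the thread.
    """
    wanted = group_dn.lower().replace(" ", "")
    return any(
        v.lower().replace(" ", "") == wanted
        for v in record.get("memberof", [])
    )


def extension_attribute_value(record: Dict[str, List[str]], group_dn: str) -> str:
    """Render the result in the <result>...</result> form an inventory
    extension attribute script reports (assumed format)."""
    return "<result>%s</result>" % ("Yes" if is_member(record, group_dn) else "No")


if __name__ == "__main__":
    rec = parse_ldif(SAMPLE_LDIF)
    print(membership_filter("jdoe", "cn=techfee-paid,ou=groups,dc=example,dc=edu"))
    print(extension_attribute_value(rec, "cn=techfee-paid,ou=groups,dc=example,dc=edu"))
```

`is_member` walks every `memberOf` value, so the second or third group on the record is found just as reliably as the first; `membership_filter` shows the escaping that any login hook or script passing a username into `ldapsearch` should apply before building the filter string.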