Configuring LDAP For JAMFCloud

NYBGIT
New Contributor III

Hi Everyone,

I've decided to create a simple discussion about configuring LDAP for JAMFCLOUD. I've had somewhat of a difficult time getting this to work, since Jamf's documentation does not support NAT. I've decided to share what I've done to make this work, which will be helpful for other individuals.

OS Environment
• Please refer to the Jamf Infrastructure Manager Guide - http://docs.jamf.com/infrastructure-manager/1.3.1/Jamf_Infrastructure_Manager_Overview.html
• In my environment, I am using a Hyper-V VM running Windows Server 2012 R2
• Java 1.8 - https://www.oracle.com/technetwork/java/javase/downloads/jre8-downloads-2133155.html

Prerequisites:
• The ports and IP we need whitelisted to the proxy are listed below

• IP address, Link: https://www.jamf.com/jamf-nation/articles/409/permitting-inbound-outbound-traffic-with-jamf-cloud

• Ports to allow: https://www.jamf.com/jamf-nation/articles/34/network-ports-used-by-jamf-pro

• Create a service account in JAMFCloud that is allowed to communicate from the Infrastructure Manager to your JamfCloud instance

• Create an external IP address that can be resolved

Infrastructure Manager Setup:
• Install the Infrastructure Manager (IM) on the server, following each page of the installer. Please see here for more details: http://docs.jamf.com/infrastructure-manager/1.3.1/Installing_a_Jamf_Infrastructure_Manager_Instance.html

• Note: if you are using NAT, you will need to do the following in the Hostname section during setup.

○ An external IP address will need to be resolvable. Please have your System Admin or Network team create an external IP address for your JIM server. Have that IP address resolvable to a FQDN. e.g. 69.101.54.10 - jamf.company.com

○ Enter "jamf.company.com" in the hostname section during the setup. This name will then populate in the Infrastructure Managers section in your JAMFCloud instance.

○ Make sure your external FQDN can also be resolved internally. Have your sysadmin create an internal DNS alias so that Jamf.company.com resolves to the JIM proxy server. If you then ping the external FQDN jamf.company.com from inside the network, the IP returned should be your internal IP address (10.1.5.123).

○ Edit your hosts file so that the JIM proxy server's IP address maps to Jamf.company.com, e.g.:
10.1.5.123 jamf.company.com

JAMFCLOUD Settings
• Log in to your web portal and go to Settings | System Settings | LDAP Servers
• Create a new LDAP server
User Mappings

First up, user mappings. These would typically be configured as follows:
• Object Class Limitation • ‘All ObjectClass values’

• Object Class(es) • “organizationalPerson, person, top, user”

• Search Base • [search base of Domain, e.g. DC=ad,DC=amsys,DC=co,DC=uk] *

• Search Scope • ‘All Subtrees’

• Attribute Mappings: User ID • [typically ‘uSNCreated’]

• Attribute Mappings: Username • [typically ‘sAMAccountName’]

• Attribute Mappings: Real Name • [typically ‘displayName’]

• Attribute Mappings: Email Address • [typically ‘userPrincipalName’]

• Attribute Mappings: Append to Email Results • [typically blank]

• Attribute Mappings: Department • [Check using Directory Utility or Apache Directory Studio]*

• Attribute Mappings: Building • [typically ‘st’]

• Attribute Mappings: Room • [Check using Directory Utility or Apache Directory Studio]

• Attribute Mappings: Phone • [typically ‘telephoneNumber’]

• Attribute Mappings: Position • [typically ‘title’]

• Attribute Mappings: User UUID • [typically ‘objectGUID’]

User Group Mappings

Next, user group mappings. These would typically be configured as follows:

• Object Class Limitation • ‘All ObjectClass values’

• Object Class(es) • “group, top”

• Search Base • [search base of Domain, e.g. DC=ad,DC=amsys,DC=co,DC=uk]

• Search Scope • ‘All Subtrees’

• Attribute Mappings: Group ID • [typically ‘uSNCreated’]

• Attribute Mappings: Group Name • [typically ‘name’]

• Attribute Mappings: Group UUID • [typically ‘objectGUID’]

User Group Membership Mappings

Lastly, user group membership mappings. These would typically be configured as follows:

• Membership Location • [typically ‘User Object’]

• Group Membership Mapping • [typically ‘memberOf’]

• Append to Username When Searching • [typically blank]

• Use distinguished name of user groups when searching • Tick

• Use recursive group searches • Tick

Mappings from https://www.amsys.co.uk/typical-ldap-mappings-active-directory-jamf/

After all the information is entered, run a test to verify that LDAP is working.
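Before running the Jamf test, it helps to confirm from the domain side that a real account actually carries the attributes the mappings above point at. The following PowerShell script is an added example (not part of the original post, the amsys page, or any Jamf tool): run on a domain-joined Windows host such as the JIM server, it looks up a test user with the same object classes and attributes as the user mapping, prints which attributes are empty, and compares the direct memberOf list with the nested groups AD resolves, which is what "Use recursive group searches" depends on. $SearchBase and $SamAccountName are placeholders to replace with your own values.

```powershell
# Added example, not from the original post: check the AD attribute mappings
# above against a real account. Assumes a domain-joined Windows host;
# $SearchBase and $SamAccountName are placeholders for your own values.
param(
    [string]$SearchBase     = 'LDAP://DC=ad,DC=example,DC=com',  # placeholder
    [string]$SamAccountName = 'testuser'                         # placeholder
)
function Get-LdapEscaped([string]$Value) {
    # RFC 4515 escaping so a value containing \ * ( or ) cannot alter the filter.
    return $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}
# Attributes the user mappings above rely on (Department/Room vary per AD, so check those by hand).
$userAttrs = 'uSNCreated', 'sAMAccountName', 'displayName', 'userPrincipalName',
             'st', 'telephoneNumber', 'title', 'objectGUID', 'memberOf', 'distinguishedName'
$root     = New-Object System.DirectoryServices.DirectoryEntry -ArgumentList $SearchBase
$searcher = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList $root
$searcher.SearchScope = 'Subtree'   # same as 'All Subtrees' in Jamf
# Same object classes as the user mapping, plus the Username attribute (sAMAccountName).
$searcher.Filter = "(&(objectClass=organizationalPerson)(objectClass=person)(objectClass=top)" +
                   "(objectClass=user)(sAMAccountName=$(Get-LdapEscaped $SamAccountName)))"
foreach ($a in $userAttrs) { [void]$searcher.PropertiesToLoad.Add($a) }
$user = $searcher.FindOne()
if (-not $user) { throw "No user '$SamAccountName' found under $SearchBase" }
# Print each mapped attribute; an unset one will show up blank in Jamf Pro.
foreach ($a in $userAttrs) {
    $vals = $user.Properties[$a.ToLower()]
    if ($vals.Count -eq 0) { Write-Warning "$a is not set on this account"; continue }
    $shown = $vals[0]
    if ($a -eq 'objectGUID') { $shown = (New-Object System.Guid -ArgumentList (,[byte[]]$vals[0])).Guid }
    if ($a -eq 'memberOf')   { $shown = "$($vals.Count) direct group(s)" }
    Write-Output ('{0,-18} {1}' -f $a, $shown)
}
# 'Use recursive group searches' must also find nested groups: compare the direct memberOf
# count with AD's chain matching rule (OID 1.2.840.113556.1.4.1941), which follows nesting.
$userDn = Get-LdapEscaped $user.Properties['distinguishedname'][0]
$groups = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList $root
$groups.SearchScope = 'Subtree'
$groups.Filter = "(&(objectClass=group)(objectClass=top)(member:1.2.840.113556.1.4.1941:=$userDn))"
[void]$groups.PropertiesToLoad.Add('name')   # the Group Name mapping above
$nested = $groups.FindAll()
Write-Output ('Direct groups: {0}; including nested: {1}' -f $user.Properties['memberof'].Count, $nested.Count)
$nested | ForEach-Object { $_.Properties['name'][0] }
$nested.Dispose()
```

If the two group counts differ, Jamf will only see the nested groups when "Use recursive group searches" is ticked; an attribute reported as not set will be blank in the Jamf user record no matter how the mapping is configured.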
