Configuring the JSS to Use LDAP Over SSL When Authenticating with Active Directory

dottoro
This article explains how to configure the JAMF Software Server (JSS) to perform authentication with Active Directory (AD) using LDAP over SSL (LDAPS) instead of LDAP. The general process is as follows:
1. AD administrator generates a certificate request and sends it to the certificate authority (CA)
2. CA generates a certificate from the request and sends it and the root certificate (for the certificate authority) to the AD administrator
3. AD administrator installs signed certificate and root certificate on the domain controller queried by the JSS
4. JSS administrator installs the root certificate into the Java keystore and restarts Tomcat
5. JSS administrator configures the JSS to use SSL
Requirements
The following components are required to complete the steps in this article:
Access to certificates from your CA
Access to the JSS
Terminal application
Procedure
Step 1:
Generate a certificate for the AD server that is signed by your CA and accept the issued certificate. Follow the guidelines outlined in the Microsoft article, How to enable LDAP over SSL with a third-party certification authority, available at: http://support.microsoft.com/kb/321051
Step 2:
If the domain controller already has the root certificate installed in the list of Trusted Root Certification Authorities, skip to the next step. If not, you will need to import it by following the instructions provided by Microsoft, available at:
http://technet.microsoft.com/en-us/library/aa995734.aspx

Step 3:
Import the root certificate of the CA into the Java truststore.
1. Open Terminal on the server running the JSS and navigate to the Java security directory.
For Java 6, execute:
cd /Library/Java/Home/lib/security/

For Java 7, execute:
cd /Library/Java/JavaVirtualMachines/jdk1.7.0_xx.jdk/Contents/Home/jre/lib/security/
2. Import the root certificate into the Java truststore by executing:
sudo keytool -import -trustcacerts -alias RootCA -keystore cacerts -file /Users/admin/Desktop/RootCA.cer

When prompted with the message "Trust this certificate?", type "Yes" and press the Enter key. The result should be "Certificate was added to keystore". If prompted for a keystore password, the default password will be either "changeme" or "changeit", depending on the version of Java on your server.
3. Restart Tomcat. For complete instructions, see Starting and Stopping Tomcat.
4. (Optional) Log in to the JSS and configure an LDAP server connection. For more information, see the Casper Suite Administrator's Guide.
5. Once you have configured an LDAP server connection, verify that the LDAP server queries are working by logging in to the JSS with an Active Directory user.
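The shell script below is an added example, not part of the original article or of JAMF's own tooling. It wraps Step 3 so that the import is followed by two checks a practitioner wants before switching the JSS to SSL: that the alias actually landed in the truststore, and that the domain controller's LDAPS listener presents a certificate that chains to the root you imported. It assumes keytool and openssl are on the PATH; the Java home, root certificate path, alias and domain controller name are placeholders passed in as arguments.

```shell
#!/bin/sh
# Added example (not from the original article): import the CA root into the
# Java truststore, confirm the alias is present, and confirm the domain
# controller's LDAPS certificate chains to that root.

# Resolve the cacerts truststore for a Java home. JDK 7 on macOS keeps it under
# jre/lib/security; Java 6 (/Library/Java/Home) keeps it under lib/security.
java_truststore_path() {
  if [ -f "$1/jre/lib/security/cacerts" ]; then
    printf '%s\n' "$1/jre/lib/security/cacerts"
  else
    printf '%s\n' "$1/lib/security/cacerts"
  fi
}

# Import the root certificate under the given alias, then list the alias back
# so a silent failure does not go unnoticed. Password defaults to "changeit";
# pass "changeme" as the fourth argument on Java 6 if needed.
import_root_ca() {
  store=$1; cert=$2; alias=$3; pass=${4:-changeit}
  keytool -import -trustcacerts -noprompt -alias "$alias" \
    -keystore "$store" -storepass "$pass" -file "$cert" || return 1
  keytool -list -keystore "$store" -storepass "$pass" -alias "$alias" >/dev/null
}

# Read openssl s_client output on stdin; succeed only if the chain verified.
chain_verified() {
  grep -q 'Verify return code: 0 (ok)'
}

# Probe the DC on 636 using only the imported root as trust anchor.
check_ldaps() {
  dc=$1; cert=$2
  openssl s_client -connect "$dc:636" -CAfile "$cert" </dev/null 2>/dev/null | chain_verified
}

main() {
  java_home=$1; cert=$2; alias=$3; dc=$4
  store=$(java_truststore_path "$java_home")
  import_root_ca "$store" "$cert" "$alias" || { echo "import failed: $store"; exit 1; }
  echo "alias $alias present in $store"
  if check_ldaps "$dc" "$cert"; then
    echo "$dc:636 presents a certificate chaining to $cert; restart Tomcat next"
  else
    echo "$dc:636 did not verify against $cert; fix the DC certificate before enabling SSL in the JSS"
    exit 1
  fi
}

# Only run when explicitly asked, e.g.:
#   sudo LDAPS_CHECK=1 ./ldaps-truststore.sh /Library/Java/Home ~/Desktop/RootCA.cer RootCA dc01.example.local
if [ "${LDAPS_CHECK:-}" = "1" ]; then
  main "$@"
fi
```

The openssl probe checks that the certificate the domain controller serves on port 636 chains to the supplied root; it is the quickest way to tell apart "Java does not trust the CA" from "the DC is not serving LDAPS at all" when the JSS test in Step 4 fails.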
Step 4:
Configure the JSS to use SSL.
Version 9.0 or Later

1. Log in to the JSS with a web browser.
2. In the top-right corner of the page, click Settings.
3. Click System Settings.
On a smartphone or iPod touch, this option is in the pop-up menu.
4. Click LDAP Servers.
5. Click the LDAP server you want to use LDAPS for.
6. Click Edit.
7. Select the Use SSL checkbox.
8. Click Save.
9. Test LDAP attribute mappings to ensure that LDAP over SSL is working:
a. Click Test.
b. Click the appropriate tab and enter information in the field(s) provided.
c. Click Test again.
10. Repeat steps 5-9 for each LDAP server.
Version 8.7 or Earlier

1. Log in to the JSS with a web browser.
2. Click Settings.
3. Click LDAP Server Connections.
4. Click Edit across from a defined LDAP Server.
5. Select the Encrypt using SSL checkbox.
6. Select the Use custom port checkbox and specify the port on which the AD Server is accepting LDAPS requests. The default port is 636.
7. Click Save.
8. On the LDAP Server Connections pane, click Test across from the server and look up a user to verify that LDAP over SSL is working.
9. Repeat steps 4-8 for each defined LDAP Server.
