I have set up Jamf Pro at several companies to link it to an LDAP server for authenticating enrolment - especially DEP enrolment - and at two companies I have also linked Jamf Connect to use LDAP groups to define who gets Admin or Standard user accounts.
This had been working as of last week at my current job with no problems, but this Monday morning it stopped working. I have made no LDAP-related changes myself in either Jamf Pro or Okta and I suspect the change is in Okta and due to Okta.
I have defined a group in Okta that allows users to enrol devices - via DEP or via the special enrolment URL. I have configured Okta to not require MFA for LDAP connections and this is limited to the IP addresses of my Jamf Pro instance. This, as mentioned, had been working as of last week. Jamf Pro is correctly configured to bind via LDAP to do searches and user authentication.
I can still use the test function in Jamf Pro to successfully search for users on Okta via LDAP, and I can also search for valid LDAP group names. What I can no longer do is a search for a member of an LDAP group in the way I previously was able to do.
Until today I was able to search for a user by entering a value like 'john.smith' despite the fact the uid value was a full email address like firstname.lastname@example.org; this still works for searching for a user. I can still search for an LDAP group by entering just the group name, e.g. myldapgroup, and this still works. However, whereas previously I could search for a member of a group by entering a user name like 'john.smith' to see if they are a member of myldapgroup, this no longer works. I stress this worked last week.
I have found that searching for 'email@example.com' does fortunately work. It does, however, have a nasty side effect of auto-entering a computer user name in the format john.smithdomain.com and therefore I will need to ensure new starters spot and edit this before proceeding to the next screen.
As plenty of other admins also run Jamf Pro with Okta (with or without Jamf Connect), I was wondering if anyone else has seen this problem and has a better solution?
I do not believe this is down to a Jamf change, although this is not impossible, as I do not believe cloud instances were updated over the last week.