LDAP Active Directory Connection on JSS

powellbc
Contributor II

I have found the documentation to be lacking with regards to configuring the Active Directory integration on the JSS. I have 2 issues:

  1. What do I enter for the host? Every other AD connection I have configured usually just needs the domain information and not a specific server. Can I use a domain controller?
  2. What rights does the service account used require?

Thanks for any guidance anyone can provide.

9 REPLIES

tsd25108
New Contributor II

For the host, just enter your domain name and it will use DNS to steer itself to the correct domain controller. The service account I used was a Domain Admin, so it could read in all aspects of the domain; however, I'd imagine that as long as the account you use can read objects you'd probably be OK.

jarednichols
Honored Contributor

::shudder::

Woah boy. Set yourself up a service account. You don't want a domain admin's credentials stored anywhere - encrypted or not. As AD does not allow unauthenticated lookups, all it needs is the ability to read so the lowliest of privs should do it.

powellbc
Contributor II

This is very useful, thanks.

I have some accounts that should work but they keep getting rejected. Some accounts simply reload the page and some say check the user name and password.

Matt
Valued Contributor

Domain admin as a service account is a big, big, big no-no. Have a service account created that specifically joins AD, and that's it. You can use the JAMF directory option in Casper Admin via the JSS to create an AD bind. You can set up domain admins as well, so all your users that are domain admins get admin rights automatically. I have a script that will also move them into the local admin group.

powellbc
Contributor II

I am using a service account (which is used for the same thing in another application) and it is failing. It simply blanks the password out and never proceeds.

I am putting in the server info in the following format:
domain.company.com in the host field
domain in the AD domain field.

jarednichols
Honored Contributor

Any error logs on the DC side of things? I'd start there and see where it's tripping up. If it's actually a permissions thing, that'd tell you.

powellbc
Contributor II

It turns out the issues we had were twofold (I opened a call to support to get to the bottom of this):

  1. We had to create the connection manually. I am not sure if the failure of the wizard is a bug or something else on our end.
  2. The search base has to be updated as our user accounts are not in a standard group.

Thanks to all for your responses. We are brand new to Casper and seeing this type of help and activity in the forums is heartening.

Cheers,

Bryan
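The two lessons of this thread, a dedicated read-only service account (jarednichols and Matt above) and a search base that actually contains the user accounts (Bryan's fix), combined into one PowerShell check you can run from a domain-joined admin workstation before touching the JSS. This is an added example, not code from the thread or from Jamf. The domain name domain.company.com, the OU, the account name svc-jss-ldap, the search base and the test user jdoe are assumptions; replace them with your own.

```powershell
# Added example (not from the thread or Jamf): provision a least-privilege,
# read-only LDAP bind account for the JSS and verify it the way the JSS uses it.
# Assumed values: domain.company.com, OU=Service Accounts, svc-jss-ldap, jdoe.
Import-Module ActiveDirectory

$Domain     = 'domain.company.com'                        # host field: DNS domain, DC found via SRV
$SearchBase = 'DC=domain,DC=company,DC=com'               # default naming context; narrow to an OU if wanted
$SamName    = 'svc-jss-ldap'
$OuPath     = 'OU=Service Accounts,DC=domain,DC=company,DC=com'
$TestUser   = 'jdoe'                                      # assumed: any account the JSS must be able to find
$Password   = Read-Host -AsSecureString "Password for $SamName"

# 1. Create the account with no group membership beyond the default Domain Users.
#    An authenticated bind is all AD needs to read user and group objects.
New-ADUser -Name $SamName -SamAccountName $SamName `
    -UserPrincipalName "$SamName@$Domain" -Path $OuPath `
    -AccountPassword $Password -Enabled $true `
    -PasswordNeverExpires $true -CannotChangePassword $true `
    -Description 'JSS LDAP read-only bind account'

# 2. Prove the account is not in any privileged group before its password is
#    stored in the JSS. Fail loudly if someone "helpfully" added it later.
$privileged = 'Domain Admins','Enterprise Admins','Schema Admins','Administrators','Account Operators'
$groups = Get-ADPrincipalGroupMembership -Identity $SamName | Select-Object -ExpandProperty Name
$bad = $groups | Where-Object { $privileged -contains $_ }
if ($bad) { throw "$SamName is in privileged group(s): $($bad -join ', ')" }
"Group membership OK: $($groups -join ', ')"

# 3. Bind and search exactly as the JSS will: connect to the domain name (not a
#    specific DC), simple bind as the service account, subtree search from the
#    configured base. A bind that succeeds but returns nothing means the search
#    base does not contain the users, which was the second problem in the thread.
$plain = (New-Object System.Management.Automation.PSCredential 'x', $Password).GetNetworkCredential().Password
$entry = New-Object System.DirectoryServices.DirectoryEntry(
            "LDAP://$Domain/$SearchBase", "$SamName@$Domain", $plain)
try {
    $null = $entry.NativeObject          # forces the bind; throws on bad credentials or a bad base DN
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($entry)
    $searcher.SearchScope = 'Subtree'
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$TestUser))"
    $result = $searcher.FindOne()
    if ($result) { "Bind + search OK: $($result.Properties['distinguishedname'])" }
    else { "Bind OK but $TestUser not found under $SearchBase - widen or correct the search base." }
}
catch { throw "Bind as $SamName@$Domain against $Domain failed: $($_.Exception.Message)" }
```

If step 3 fails at the bind, the problem is credentials or the base DN (the DN is part of the LDAP path, so a typo there also surfaces as a bind error); if it binds but finds nothing, only the search base is wrong. Check the Directory Service and Security event logs on the DC for event 4625 or 4776 entries for the service account to confirm which side is rejecting it.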

tomt
Valued Contributor

Bryan,

I'm in a similar position and am wondering if the "manual" method is documented anywhere that you know of?

Thanks,
Tom

jarednichols
Honored Contributor

I've never used anything but the manual method and have never had issues setting up an LDAP connection. Myself, I'd recommend going that way. You'll learn a bit about how LDAP (and how your LDAP) works.