LDAP Groups

cleverleys
Contributor

Hello all & Merry Christmas!!!

We have SSO setup using ADFS and LDAP using the Jamf Infrastructure Manager with LDAP proxy set in our Jamf Cloud instance.
I can search LDAP and bring a user in who can log in and access what they are allowed to access, equally I can add an LDAP group.

What I would like to do is manage everything through Active Directory. So my theory is, bring in an LDAP group and members of that group can log in to Jamf and get what they are told they can get!

So, I have brought in an LDAP group that I know contains a user, applied site access to that group and applied audit permissions. However, when the user attempts to log in, they are presented with Access Denied. I have tested the mappings, Jamf knows that the group exists in AD and the user is a member of it.

So, my question is once an LDAP group is imported, does it bring the user(s) with it?

rdwhitt
Contributor II

Have they selected the appropriate site from the drop down? When we add new AD users to a site, the first time they log in they have "Full JSS" selected and they get the access is denied message.

cleverleys
Contributor

@rdwhitt Hey!

They don't even get as far as getting to the site select option.
As soon as they hit enter after the SSO page, they get access denied.

gachowski
Valued Contributor III

Reach out to your jamf buddy. I have heard that there might be an issue. It's second hand so I could be totally wrong

cleverleys
Contributor

Happy new year guys!

I've logged a call, so will let you know what they come back with!

dmw3
Contributor III

@cleverleys We had a similar issue with AD groups. Could not get the user in the group to authenticate correctly, strange thing is that if we did a "Test" on both "User Group Mappings" and "User Group Membership Mappings", the user could then login. The time length between the need to retest the groups as far as we could tell was random.

In the end we gave up on using LDAP / AD groups and just went with LDAP users. We created a sudo template with the permissions we wanted and then cloned it before using the cloned template to add LDAP Users to the system.

Would love to be able to use a customisable template to add users to the system with, a sudo template works but only if you remember to clone it or have the issue with LDAP / AD groups fixed.

We have a case with Jamf support that is closed, no fix was found. Case #: JAMF-0268513

prbsparx
Contributor II

Did Jamf ever come up with a solution for this? I believe we're running into the same issue.

dmw3
Contributor III

@prbsparx No fix has been found so far. Would have liked this to be fixed in v10.0 or later but sadly no. Using the sudo template is about the best we have come up with.

Biggest issue is if you have to change permissions as in v10.0 and Patch Management, you need to set the permissions for this on an individual basis.

prbsparx
Contributor II

I've brought it to our Jamf Buddy's attention, and will continue to push on this one. I'm going to create a feature request for this issue so Jamf can get a better idea of impact.

dmw3
Contributor III

There is already a Feature Request about User Templates - https://www.jamf.com/jamf-nation/feature-requests/2005/ability-to-create-custom-privilege-set-for-users-and-groups

cleverleys
Contributor

Hi guys,

So Jamf have confirmed that our workflow is sound. Jamf "should" do what I am trying to do!
Their server team have said that they can see nothing wrong in the system so it must be a credential issue connecting to AD. I've tested this with domain admin credentials. The credentials will run all tests fine and bring in the group - so it can't be anything to do with that!!!
Will keep you posted.

prbsparx
Contributor II

Hi @cleverleys,

I've been working with my Jamf Buddy as well. We had to add an attribute to the ADFS SAML assertion that includes the AD group name.

So, workflow:
Create AD security user group (distribution lists don't work)
Add AD group name as filter for ADFS assertion
Add AD group to Casper Suite.
Clear user session.
User sign in.

cleverleys
Contributor

Hi All,

So we have finally got to the bottom of the issue!
We had a "CN" attribute entered into the RDN key for LDAP Group field of Single Sign on Settings. Removed this, added an AD group and the users could log in.

If you would like a detailed explanation of how we've got this set up, please let me know.

prbsparx
Contributor II

@cleverleys You had the “RDN Key for LDAP Groups” field set to “CN” and that was causing the issue for you?

Do you still have to pass AD groups as part of the SAML Assertion or are you able to just do it based off the username?

dmw3
Contributor III

@cleverleys A detailed explanation of what you found and the resolution would be fantastic.

Having to change permissions on a group instead of individuals would save a lot of repetition.

Maybe Jamf can add it to some documentation.

cleverleys
Contributor

Hi All,
Apologies for my tardiness in responding, I have been busy implementing Jamf across our organisation and training out usage!

So the setup in AD is an AD group for each site, each site is added to a "regional" group so as to save on adding admins to each group, I can just add them to the regional one. All sites are added to a service desk group so that they have access to all sites, nested and so on and so on. (we have 50 sites in our organisation).

Bring in the AD LDAP group and add that group to the site in Jamf.

I am more than happy to discuss this via Skype/phone/email if anyone still has difficulties!!! But let me know if you get it to work.

Our setup is now like so:

SSO
SSO enabled
User Mapping: SAML NameID
User Mapping: Jamf Pro: Username
Group Attribute Name: http://schemas.xxx.org/xxx/xxx
Identity Provider: Active Directory Federation Services
Identity Provider Metadata source: Metadata URL http://(Address for Azure)
EntityID: https://JamfcloudURL/saml/metadata
Certificate.pfx

LDAP Settings
Jamf Infrastructure Manager installed in DMZ

Directory Service: MS Active Directory
Server IP x.x.x.x:389
Enable LDAP Proxy - address of server in DMZ
Proxy binding address xxx.xxx.org:8389
Auth Type Simple
LDAP Server account: DN name of account to authenticate with AD
Referral response: Use default from LDAP service

User Mappings
Object Class Limitation: All ObjectClass Values
Object Class(es) OrganisationalPerson, user
Search Base DC=DC=DC=
Search Scope: All Subtrees

Attribute Mappings
UserID uSNCreated
Username sAMAccountName
Real Name displayName
Email Address userPrincipalName
User UUID objectGUID

User Group Mappings
Object Class Limitation All ObjectClass Values
Object Class(es) group, top
Search base DC=DC=DC=
Search scope All Subtrees

Attribute Mappings
Group ID uSNCreated
Group Name name
Group UUID objectGUID

Group Membership Mappings
Membership Location user Object
Group Membership Mapping memberOf

Use distinguished name of user groups when searching = ticked
Use recursive group searches = ticked
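The nested site / regional / service desk design above only grants access if the group lookup follows memberOf through the nesting, which is what the "Use recursive group searches" tick does. As an added illustration (not Jamf's code, and not from the original post), the snippet below resolves membership over a constructed in-memory directory with both a direct-only and a recursive lookup; the DNs, group names and user names are all made up.

```python
from typing import Dict, List, Set

# Constructed sample directory keyed by DN, using the attributes the post maps
# (sAMAccountName, name, memberOf). Nesting follows the thread's design: the
# regional and service desk groups are nested members of each site group.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "CN=jsmith,OU=Users,DC=example,DC=org": {
        "sAMAccountName": ["jsmith"],
        "memberOf": ["CN=Jamf-Region-UK,OU=Groups,DC=example,DC=org"]},
    "CN=helpdesk1,OU=Users,DC=example,DC=org": {
        "sAMAccountName": ["helpdesk1"],
        "memberOf": ["CN=Jamf-ServiceDesk,OU=Groups,DC=example,DC=org"]},
    "CN=Jamf-Region-UK,OU=Groups,DC=example,DC=org": {
        "name": ["Jamf-Region-UK"],
        "memberOf": ["CN=Jamf-Site-North,OU=Groups,DC=example,DC=org"]},
    "CN=Jamf-ServiceDesk,OU=Groups,DC=example,DC=org": {
        "name": ["Jamf-ServiceDesk"],
        "memberOf": ["CN=Jamf-Site-North,OU=Groups,DC=example,DC=org",
                     "CN=Jamf-Site-South,OU=Groups,DC=example,DC=org"]},
    "CN=Jamf-Site-North,OU=Groups,DC=example,DC=org": {"name": ["Jamf-Site-North"]},
    "CN=Jamf-Site-South,OU=Groups,DC=example,DC=org": {"name": ["Jamf-Site-South"]},
}

def find_user_dn(sam_account_name: str) -> str:
    """Look the user up by sAMAccountName, as the post's Username mapping does."""
    for dn, attrs in DIRECTORY.items():
        if attrs.get("sAMAccountName") == [sam_account_name]:
            return dn
    raise KeyError(sam_account_name)

def group_dns(user_dn: str, recursive: bool) -> Set[str]:
    """Groups reachable via memberOf. recursive=False is a direct-only lookup;
    recursive=True also follows memberOf on each group found ('Use recursive
    group searches'), with a guard against membership cycles."""
    seen: Set[str] = set()
    stack = list(DIRECTORY[user_dn].get("memberOf", []))
    while stack:
        dn = stack.pop()
        if dn in seen:
            continue
        seen.add(dn)
        if recursive:
            stack.extend(DIRECTORY.get(dn, {}).get("memberOf", []))
    return seen

def has_site_access(sam_account_name: str, site_group: str, recursive: bool = True) -> bool:
    """True if the user is a direct or nested member of the site's AD group."""
    dns = group_dns(find_user_dn(sam_account_name), recursive)
    return site_group in {DIRECTORY[dn]["name"][0] for dn in dns}
```

With recursion off, jsmith (a regional admin) is not seen as a member of Jamf-Site-North at all, which is the same symptom as the Access Denied described in the thread.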