Posted on 09-27-2018 07:50 AM
Attempting to replicate our existing structure as we open up the console to more staff.
The admin guide doesn't seem to address this directly. If I add an LDAP group under Settings>System Setting>Jamf Pro User Accounts & Groups, the group itself is recognized without issue, but it appears that group members are not detected unless they are manually added to Jamf.
Example: I create a group in AD named "Test Auditors".
I add a user to the group in AD who is NOT already listed in Jamf Pro Accounts and Groups.
Under "Jamf Pro User Groups" I see the group, type is "LDAP Group", and Members is "N/A". The user, meanwhile, gets access denied when they try to log in.
Any suggestions, or am I misinterpreting the use of the LDAP groups?
Posted on 09-27-2018 08:18 AM
Have you modified anything in the LDAP Servers > Your LDAP Server > Mappings > User Group Mappings section? Does your search base look right? Is your AD group in your search base?
Posted on 09-27-2018 08:30 AM
Appears to be. I can test, and it confirms the user is a member of the group when I test "User Group Membership Mapping".
I'll touch base with one of our AD admins to confirm the User Group Mappings and User Group Membership Mappings, but they look right to me.
Posted on 09-27-2018 10:38 AM
This was a bug many years ago, but our helpdesk LDAP group is currently working with the expected permissions, and it's inside of other groups. I think members showing up as N/A is a red herring because ours shows that too.
Posted on 09-27-2018 11:27 AM
Thanks. I'd suspect red herring, but the user is getting access denied. Our main AD admin is out sick today, so going to try to pin them down tomorrow and take a look.