Nesting AD groups for access to Jamf Pro console?

Taylor_Armstron
Valued Contributor

Attempting to replicate our existing structure as we open up the console to more staff.

The admin guide doesn't seem to address this directly. If I add an LDAP group under Settings>System Setting>Jamf Pro User Accounts & Groups, the group itself is recognized without issue, but it appears that group members are not detected unless they are manually added to Jamf.

Example: I create a group in AD named "Test Auditors".

I add a user to the group in AD who is NOT already listed in Jamf Pro Accounts and Groups.

Under "Jamf Pro User Groups" I see the group, type is "LDAP Group", and Members is "N/A". The user, meanwhile, gets access denied when they try to log in.

Any suggestions, or am I misinterpreting the use of the LDAP groups?

4 REPLIES

ryan_ball
Valued Contributor

Have you modified anything in the LDAP Servers > Your LDAP Server > Mappings > User Group Mappings section? Does your search base look right? Is your AD group in your search base?

Taylor_Armstron
Valued Contributor

Appears to be. I can test, and it confirms the user is a member of the group when I test "User Group Membership Mapping".

I'll touch base with one of our AD admins to confirm the User Group Mappings and User Group Membership Mappings, but they look right to me.

Emmert
Valued Contributor

This was a bug many years ago, but our helpdesk LDAP group is currently working with the expected permissions, and it's inside of other groups. I think members showing up as N/A is a red herring because ours shows that too.

Taylor_Armstron
Valued Contributor

Thanks. I'd suspect red herring, but the user is getting access denied. Our main AD admin is out sick today, so going to try to pin them down tomorrow and take a look.