Netsus setup with Ldap login

baldiesrt
New Contributor

Hello,
We currently are not using LDAP for JSS cloud and we intend to keep it that way. However, we want to use AD login for the NetSUS server. I have followed the instructions from here: http://content.jamfcloud.com/NetBootSUSLPServerUserGuide_v4.0.0.pdf but I am not sure if I used the right distinguished name/LDAP URL/etc. Do I have to create a new OU in Active Directory for this? Shouldn't I need to input an AD service account to log in to LDAP?

Thanks


cgalik
Contributor

Do you mean you want to use ldap to login to the NetSUS web page for administration? If so, what I did was to just use the standard hostname of a domain controller in the format suggested on the config page (ldaps://hostname.domain:636), then our domain name in the "LDAP Domain" field below (domain.tld), and for administrative groups, I just put in the name of the AD group I want to be able to manage the system. Seems to work okay. My only issue so far is that I haven't got ldaps to work, as the NetSUS system doesn't trust the certificate being presented by the domain controller, so I've only been able to do it with insecure ldap on port 389.
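The settings cgalik describes map onto a small amount of client logic. As an added example (not from this thread and not Jamf's NetSUS code), the Python 3 block below models the three fields: an LDAP URL such as ldaps://hostname.domain:636, an LDAP domain such as domain.tld, and the name of the AD group allowed to administer the system. It also shows the right fix for the certificate-trust problem mentioned at the end of the reply: give the client the domain CA certificate so ldaps verification succeeds, rather than dropping to ldap on 389. The function names, the CA-bundle parameter and the use of the third-party ldap3 package for the live bind are assumptions for illustration; everything except `ldap_login` runs offline.

```python
"""Model of a NetSUS-style LDAP admin login: URL, domain, admin group.
Added example, not project code. Names and CA handling are assumptions."""
from __future__ import annotations

import ssl
from dataclasses import dataclass
from typing import Iterable
from urllib.parse import urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


@dataclass(frozen=True)
class LdapEndpoint:
    scheme: str
    host: str
    port: int

    @property
    def tls(self) -> bool:
        return self.scheme == "ldaps"


def parse_ldap_url(url: str) -> LdapEndpoint:
    """Parse the 'LDAP URL' field, filling in the scheme's default port."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported LDAP scheme: {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("LDAP URL has no hostname")
    return LdapEndpoint(parts.scheme, parts.hostname, parts.port or DEFAULT_PORTS[parts.scheme])


def bind_identity(username: str, ldap_domain: str) -> str:
    """AD accepts a UPN (user@domain.tld) as the simple-bind name, so the bare
    account name plus the 'LDAP Domain' field is enough to authenticate the
    person logging in; no separate service account or OU is needed for that."""
    if "@" in username or "\\" in username:
        raise ValueError("supply the bare account name; the domain is appended here")
    return f"{username}@{ldap_domain}"


def group_cn(dn: str) -> str | None:
    """Return the CN of a group DN like 'CN=NetSUS Admins,OU=Groups,DC=domain,DC=tld'."""
    key, _, value = dn.split(",", 1)[0].partition("=")
    return value.strip() if key.strip().lower() == "cn" else None


def is_admin(member_of: Iterable[str], admin_group: str) -> bool:
    """True if any memberOf value names the configured administrative group.
    Direct membership only: nested groups are not expanded here."""
    wanted = admin_group.strip().lower()
    return any((group_cn(dn) or "").lower() == wanted for dn in member_of)


def tls_context(ca_bundle: str | None) -> ssl.SSLContext:
    """Strict TLS for ldaps://. A domain controller that presents a certificate
    from an internal CA is trusted by pointing ca_bundle at that CA's PEM file,
    not by disabling verification or falling back to ldap:// on 389."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def ldap_login(url: str, ldap_domain: str, admin_group: str,
               username: str, password: str, ca_bundle: str | None = None) -> bool:
    """Bind as the user, then confirm membership of the admin group.
    Needs the ldap3 package and a reachable directory (imported lazily)."""
    import ldap3
    from ldap3.utils.conv import escape_filter_chars

    ep = parse_ldap_url(url)
    upn = bind_identity(username, ldap_domain)
    tls = ldap3.Tls(ca_certs_file=ca_bundle, validate=ssl.CERT_REQUIRED) if ep.tls else None
    server = ldap3.Server(ep.host, port=ep.port, use_ssl=ep.tls, tls=tls, get_info=ldap3.NONE)
    conn = ldap3.Connection(server, user=upn, password=password,
                            authentication=ldap3.SIMPLE, raise_exceptions=False)
    if not conn.bind():
        return False  # wrong credentials, or the TLS handshake was refused
    base = ",".join(f"DC={label}" for label in ldap_domain.split("."))
    conn.search(base, f"(userPrincipalName={escape_filter_chars(upn)})", attributes=["memberOf"])
    if not conn.entries:
        conn.unbind()
        return False
    groups = list(conn.entries[0]["memberOf"].values)
    conn.unbind()
    return is_admin(groups, admin_group)
```

With the same field values as in the reply, `ldap_login("ldaps://hostname.domain:636", "domain.tld", "NetSUS Admins", "jsmith", password, ca_bundle="/path/to/domain-ca.pem")` returns True only when the bind succeeds over verified TLS and the account is a direct member of the configured group.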

jelockwood
Contributor

I am now trying to get LDAP authentication working for the NetSUS webadmin site.

I had a look at the 'manual' and it really does not talk about this at all - not even from an AD perspective. In my case I am not using AD; I am using FreeIPA, which is a more generic LDAP server. I have various other more traditional Apache and PHP websites successfully using LDAP authentication to this FreeIPA server, and I am even making progress on using it to authenticate Mac logins for mobile accounts. So NetSUS is pretty much the last one needing to be done.

If, as is implied, the 'standard' NetSUS code is biased to a 'real' AD server, are there any tips on what files to modify to, for example, customise search bases for LDAP and whatever else might be needed?

It sounds like ideally more configuration options would be exposed in the settings page to do this rather than having to hand edit the code. This would however require JAMF (or someone) to enhance the code and I get the impression JAMF are no longer actively developing it.