Problem adding LDAP user to policy scope

pbenware1
Release Candidate Programs Tester

I have a new field tech whose LDAP account I need to add to several policy scopes.  The policies are scoped using Static User Groups, and up until today have never had any issues.

I can add the tech's LDAP account to the JSS console (Settings/User accounts and groups) without issue, so I know the LDAP lookups are working as expected.  The tech has the same privilege set as all of my other field techs.

I watched the tech log into the JSS console and self service app, so the LDAP account is active, they know their password and the login works.

Our JSS is hosted in the cloud w/ Jamf Infrastructure Manager, which passes all communications tests, and we are using SSO with external 2fa, all of which works fine.

What I cannot do, in any way, shape or form, is add the tech's LDAP account to a scope or a static group.

When I try to add to a Static user group, I edit the group, go to "Assignments" tab, where I see a list of all users that can be added, enter their LDAP account to the search field, and get no results.

Their LDAP account does not appear in the list of all users when I clear the search results.

I get the same behavior when trying to add directly to the scope via the Users tab.

Any account that is shown in the list can be added to the group and/or the policy without issue; for some reason this one user does not appear in the Assignments list or policy scope.

Has anyone else seen this behavior?  What am I missing here?

1 ACCEPTED SOLUTION

sdagley
Esteemed Contributor II

@pbenware1 Have the tech enroll a Mac so their AD account is added to the User list. Jamf Pro doesn't do LDAP lookups on Users. You could however use their AD ID as a Limitation.

pbenware1
Release Candidate Programs Tester

Having them try it now, but question: Does them having a JSS LDAP account not give me the ability to add their LDAP account to a scope?

sdagley
Esteemed Contributor II

@pbenware1 No, LDAP accounts can only be scoped as a Limitation->LDAP/Local User for a Policy

pbenware1
Release Candidate Programs Tester

Thanks @sdagley. I was actually able to temporarily assign the tech to an unassigned computer, which then created the necessary user record to allow me to add to the Static user group, so problem solved.

I also have a slightly better understanding of the connection (or lack thereof) between JSS Console accounts and User records for scoping.
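The workaround pbenware1 describes (assign the account to a computer so Jamf Pro creates the user record, then scope it) can be scripted against the Jamf Pro Classic API with a check before and after. The following is an added example, not code from the thread or from Jamf. It assumes the Classic API endpoints `/JSSResource/users/name/{name}` and `/JSSResource/computers/id/{id}`, that writing `location/username` on a computer record creates the user record the same way the console assignment does, and a placeholder server URL; the `FakeJamf` class is a constructed offline stand-in so the flow runs without a server.

```python
"""Create a Jamf Pro user record for an LDAP account by assigning it to a
computer, then confirm the record exists so the account can be scoped.

Added example (not from the thread or from Jamf). Assumes the Classic API
endpoints /JSSResource/users/name/{name} and /JSSResource/computers/id/{id},
and that setting location/username on a computer creates the user record,
which is what the console workaround in the thread relies on.
"""

import base64
import urllib.error
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from typing import Callable, Dict, Optional, Tuple

# transport(method, url, body, headers) -> (status, response_body)
Transport = Callable[[str, str, Optional[bytes], Dict[str, str]], Tuple[int, bytes]]


def http_transport(method: str, url: str, body: Optional[bytes],
                   headers: Dict[str, str]) -> Tuple[int, bytes]:
    """Real transport over HTTPS; HTTP errors come back as a status, not an exception."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def basic_auth(username: str, password: str) -> str:
    """HTTP Basic header for a Jamf Pro console account (Classic API)."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


def user_record_exists(base_url: str, auth: str, username: str,
                       transport: Transport = http_transport) -> bool:
    """GET the user by name: 200 means a scopable user record exists, 404 means it does not."""
    url = f"{base_url}/JSSResource/users/name/{urllib.parse.quote(username, safe='')}"
    status, _ = transport("GET", url, None,
                          {"Accept": "application/xml", "Authorization": auth})
    if status == 200:
        return True
    if status == 404:
        return False
    raise RuntimeError(f"unexpected HTTP {status} from {url}")


def assignment_payload(username: str) -> bytes:
    """XML body that sets only the computer's assigned user (location/username)."""
    root = ET.Element("computer")
    ET.SubElement(ET.SubElement(root, "location"), "username").text = username
    return ET.tostring(root, encoding="utf-8")


def assign_user_to_computer(base_url: str, auth: str, computer_id: int, username: str,
                            transport: Transport = http_transport) -> bool:
    """PUT the assignment onto the computer record; True on 200/201."""
    url = f"{base_url}/JSSResource/computers/id/{computer_id}"
    status, _ = transport("PUT", url, assignment_payload(username),
                          {"Content-Type": "application/xml", "Authorization": auth})
    return status in (200, 201)


def ensure_user_record(base_url: str, auth: str, username: str, computer_id: int,
                       transport: Transport = http_transport) -> str:
    """Return 'existed', 'created' or 'failed'; re-checks after the assignment
    rather than trusting the PUT status alone."""
    if user_record_exists(base_url, auth, username, transport):
        return "existed"
    if not assign_user_to_computer(base_url, auth, computer_id, username, transport):
        return "failed"
    return "created" if user_record_exists(base_url, auth, username, transport) else "failed"


class FakeJamf:
    """Constructed offline stand-in for the two endpoints (not a real server).
    Models the thread's observation: a user record appears once a computer is assigned."""

    def __init__(self, users, computers):
        self.users = set(users)
        self.computers = set(computers)

    def __call__(self, method, url, body, headers):
        path = urllib.parse.urlparse(url).path
        if method == "GET" and path.startswith("/JSSResource/users/name/"):
            name = urllib.parse.unquote(path.rsplit("/", 1)[1])
            return (200, b"<user/>") if name in self.users else (404, b"")
        if method == "PUT" and path.startswith("/JSSResource/computers/id/"):
            cid = int(path.rsplit("/", 1)[1])
            if cid not in self.computers:
                return 404, b""
            name = ET.fromstring(body).findtext("location/username")
            if name:
                self.users.add(name)
            return 201, b"<computer/>"
        return 400, b""


if __name__ == "__main__":
    # Offline demonstration against the constructed stand-in; swap in
    # http_transport and a real base URL to run against a Jamf Pro instance.
    fake = FakeJamf(users={"existing.tech"}, computers={42})
    print(ensure_user_record("https://jss.example.com", basic_auth("api", "pw"),
                             "new.tech", 42, fake))
```

Grant the API account only what this needs (read on Users, update on Computers) rather than reusing a full administrator login, and note that newer Jamf Pro releases deprecate Basic auth on the Classic API in favour of bearer tokens, so the `Authorization` header may need to change for your instance.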

sdagley
Esteemed Contributor II

If you search on https://ideas.jamf.com/ you'll see you have lots of company wishing for more ways to scope with LDAP :-(