Solved

Problem adding LDAP user to policy scope


pbenware1

I have a new field tech whose LDAP account I need to add to several policy scopes.  The policies are scoped using Static User Groups, and up until today have never had any issues.

I can add the tech's LDAP account to the JSS console (Settings/User accounts and groups) without issue, so I know the LDAP lookups are working as expected.  The tech has the same privilege set as all of my other field techs.

I watched the tech log into the JSS console and self service app, so the LDAP account is active, they know their password and the login works.

Our JSS is hosted in the cloud w/ Jamf Infrastructure Manager, which passes all communications tests, and we are using SSO with external 2fa, all of which works fine.

What I cannot do, in any way, shape or form, is add the tech's LDAP account to a scope or a static group.

When I try to add to a Static user group, I edit the group, go to "Assignments" tab, where I see a list of all users that can be added, enter their LDAP account to the search field, and get no results.

Their LDAP account does not appear in the list of all users when I clear the search results.

I get the same behavior when trying to add directly to the scope via the Users tab.

Any account that is shown in the list can be added to the group and/or the policy without issue;  for some reason this one user does not appear in the Assignments list or policy scope.

 

Has anyone else seen this behavior?  What am I missing here?

Best answer by sdagley

@pbenware1 Have the tech enroll a Mac so their AD account is added to the User list. Jamf Pro doesn't do LDAP lookups on Users. You could however use their AD ID as a Limitation.


5 replies

sdagley
  • Jamf Heroes
  • 3532 replies
  • Answer
  • February 22, 2023

@pbenware1 Have the tech enroll a Mac so their AD account is added to the User list. Jamf Pro doesn't do LDAP lookups on Users. You could however use their AD ID as a Limitation.


pbenware1
  • Author
  • Valued Contributor
  • 140 replies
  • February 22, 2023
sdagley wrote:

@pbenware1 Have the tech enroll a Mac so their AD account is added to the User list. Jamf Pro doesn't do LDAP lookups on Users. You could however use their AD ID as a Limitation.


Having them try it now, but question: Does them having a JSS LDAP account not give me the ability to add their LDAP account to a scope?


sdagley
  • Jamf Heroes
  • 3532 replies
  • February 22, 2023
pbenware1 wrote:

Having them try it now, but question: Does them having a JSS LDAP account not give me the ability to add their LDAP account to a scope?


@pbenware1 No, LDAP accounts can only be scoped as a Limitation->LDAP/Local User for a Policy


pbenware1
  • Author
  • Valued Contributor
  • 140 replies
  • February 22, 2023
sdagley wrote:

@pbenware1 No, LDAP accounts can only be scoped as a Limitation->LDAP/Local User for a Policy


Thanks @sdagley. I was actually able to temporarily assign the tech to an unassigned computer, which then created the necessary user record to allow me to add to the Static user group, so problem solved.

I also have a slightly better understanding of the connection (or lack thereof) between JSS Console accounts and User records for scoping.


sdagley
  • Jamf Heroes
  • 3532 replies
  • February 22, 2023
pbenware1 wrote:

Thanks @sdagley. I was actually able to temporarily assign the tech to an unassigned computer, which then created the necessary user record to allow me to add to the Static user group, so problem solved.

I also have a slightly better understanding of the connection (or lack thereof) between JSS Console accounts and User records for scoping.


If you search on https://ideas.jamf.com/ you'll see you have lots of company wishing for more ways to scope with LDAP :-(

