Smart Computer Group based on user's LDAP Group

hmn
New Contributor

Hi there,
I am trying to automate some processes based on our LDAP integration.
At this point we have a stable integration with our LDAP and all the tests are successful (Settings: System > LDAP Servers).
Group names and GIDs are found. So far I was able to use the information for some configuration profiles. Now I want to use it for associating specific devices with a smart computer group, but I am somehow stuck.
Ultimately, it should work like this: if a user is a member of a specific LDAP group, then the user's device should be associated automatically with a specific computer smart group.
In System > Computer Management, I created custom "extension attributes" to map the "Directory Service Attribute" "gidNumber" to the LDAP attribute for "GID".
But it does not seem to work. Any idea what I am missing?


Tangentism
Contributor III

The way you can do it is to set the scoping as:

Targets: All Computers or Specific Computer Group
Limitations: Members of LDAP group

You cannot directly scope to an LDAP group.

Edit: You might be able to do an Extension Attribute that does a `dscl` query of the user's group memberships (and maybe even filter it so if they are a member, it displays a true/false boolean) then base the computer group membership from that.
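One way to build the extension attribute suggested above, written here as an added example rather than code from this thread. It assumes the group is called `Mac_Users` (the name used later in the thread), uses macOS `dsmemberutil` instead of `dscl` so nested and directory groups are resolved the same way the OS does, and reports `unknown` when the lookup fails so a broken directory connection does not silently drop a Mac out of scope.

```bash
#!/bin/bash
# Jamf Pro extension attribute: is the console user a member of a directory group?
# Added example, not from the thread. Assumptions: group name "Mac_Users",
# the directory is reachable at inventory time (bound Mac or mobile account),
# and macOS `dsmemberutil` is available. Output uses Jamf's <result></result> format.

GROUP_NAME="Mac_Users"   # hypothetical group name

# Resolve the user currently at the console; empty at the login window.
console_user() {
  stat -f '%Su' /dev/console 2>/dev/null
}

# Map dsmemberutil's sentence to a boolean string. Anything unexpected
# (error text, unknown user or group, empty output) becomes "unknown"
# rather than "false", so a failed lookup is visible in inventory.
membership_to_bool() {
  case "$1" in
    *"is not a member of"*) echo "false" ;;
    *"is a member of"*)     echo "true" ;;
    *)                      echo "unknown" ;;
  esac
}

# Run the live lookup and print the EA result.
report() {
  local user raw
  user="$(console_user)"
  case "$user" in
    ""|root|_mbsetupuser)
      echo "<result>no user logged in</result>"
      return ;;
  esac
  raw="$(dsmemberutil checkmembership -U "$user" -G "$GROUP_NAME" 2>&1)"
  echo "<result>$(membership_to_bool "$raw")</result>"
}

# Only query the directory on macOS; the helper functions run anywhere.
if [ "$(uname)" = "Darwin" ]; then
  report
fi
```

The smart group then uses the criterion `<EA name> is true`; the value only refreshes when the Mac submits inventory, so membership changes appear after the next recon, not immediately.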

AJPinto
Honored Contributor II

As @Tangentism said, this is done with a policy directly, not through a Smart Group. You would target all devices, or a group of devices, then assign a limitation to the LDAP group you want to target to limit the scope to users with the LDAP group within the targeted scope.

One thing to note is Jamf has no good way to know what a user's group membership is unless they log in to Self Service. In domain-bound situations logging in to Self Service is not necessary, but in 2024 you should not be domain binding macOS.

It would look something like this. This policy is targeting all Macs and is limited to Mac_Users so only users with the Mac_Users LDAP group can see the policy.

[Two screenshots of the policy's scope (Targets and Limitations tabs) omitted]