Symptoms
You cannot successfully integrate with an Active Directory (AD) server using the LDAP Server Connection Assistant in the JSS.
Resolution
Apache Directory Studio is useful for troubleshooting an LDAP connection to AD. It is available for free at:
To use Apache Directory Studio to troubleshoot an LDAP connection to AD:
- Open Apache Directory Studio.
- Add a new LDAP connection.
- Enter a connection name.
- Enter the host name of the AD server.
- If you have a custom environment, modify the port and encryption method as needed.
Note: Choosing an encryption method here mirrors what the JSS does when it authenticates to AD using LDAP over SSL (LDAPS). Be aware that Apache Directory Studio validates the server certificate against the trust store of the machine it runs on, not the one the JSS uses, so a handshake that succeeds here can still fail in the JSS. For more information, see "Configuring the JSS to Use LDAP Over SSL When Authenticating with Active Directory".
- Click Check Network Parameter and verify that the host name resolves correctly.
If the connection fails, see the "Additional Information" section.
- Once the connection is established successfully, click OK, and then click Next.
- Choose an authentication method. For a bind with a DN or a domain\username, as described in the next step, this is Simple Authentication.
Note: The JSS does not use the CRAM-MD5 or DIGEST-MD5 (SASL) authentication types, so a connection that only works with one of those in Apache Directory Studio will not carry over to the JSS.
- Enter credentials for a bind user in AD (an AD user with permissions to browse LDAP).
There are three formats you can use for the bind DN or username:
- Distinguished name (DN)
The full path to the object, as stored in its distinguishedName attribute. For example, CN=Administrator,OU=Users,DC=ad,DC=jamfsw,DC=corp (without surrounding parentheses).
- Domain and sAMAccountName
For example, AD\administrator.
- userPrincipalName (UPN)
For example, firstname.lastname@example.org.
- Click Check Authentication to verify the credentials.
If the authentication fails, see the "Additional Information" section.
- Once the correct credentials are entered and verified, click OK, and then click Finish.
- Log in to the JSS with a web browser.
- Click the Settings tab.
- Click the LDAP Server Connections link.
- Click Add LDAP Server Connection.
- Select Active Directory and click Continue.
- In the JSS, enter the hostname and domain of the AD server, and then click Continue.
The domain is the DNS domain formed by the DC components of the DNs shown in Apache Directory Studio; for DC=ad,DC=jamfsw,DC=corp it is ad.jamfsw.corp.
- In the JSS, enter credentials for a bind user in AD (an AD user with permissions to browse LDAP). The username must be the value of the user's sAMAccountName attribute in Apache Directory Studio.
After you enter the username, the JSS automatically prefixes it with the domain (in this example "ad\") so that it is in the "domain\username" format.
- Enter two users to verify attribute mappings for, and then click Continue. The usernames must be the values for the sAMAccountName attributes in Apache Directory Studio.
The JSS uses these two usernames to determine the search base for the LDAP server connection: the search base becomes the container that both users' DNs share (their lowest common ancestor), and you will only be able to search for users under that container. For example, if you want to be able to search for users in two different organizational units (OUs), you must enter a username from each OU.
- Verify the attribute mappings for the users and click Continue.
These mappings correspond to the attributes shown in Active Directory Users and Computers (ADUC). If you want to use custom mappings, you can enter them here or wait until later. Click the ellipsis (...) button to edit mappings.
- Enter two groups to verify group membership mappings for, and then click Continue. The groups must be the values for the sAMAccountName attributes in Apache Directory Studio.
You should choose two groups that the two users you entered to verify attribute mappings are members of.
- Verify the group membership mappings and click Continue.
- Click Save.
You can widen the search base later. For example, if you change it to DC=ad,DC=jamfsw,DC=corp, searches cover the whole domain rather than only the container shared by the two verification users.
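Three of the rules in this procedure can be checked offline: how the JSS domain is derived from the DC components of a DN, how the search base is derived from two verification users (their shared container), and how a username should be placed into the sAMAccountName lookup filter. The following Python is an added example written for this page, not code from the JSS or from Apache Directory Studio; the DNs it uses are constructed and only reuse the ad.jamfsw.corp domain from the article. The filter helper escapes the username per RFC 4515 so that a value containing * or ( cannot widen the search.

```python
"""Offline helpers for the AD naming rules used in the JSS LDAP assistant.
Added example for this page; not code from the JSS or Apache Directory Studio."""


def parse_dn(dn):
    """Split a distinguished name into [(ATTR, value), ...], leaf first.

    Handles backslash-escaped commas inside values (RFC 4514), which AD
    produces for names such as 'Doe\\, John'; other escapes are kept as-is.
    """
    rdns, cur, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):   # keep the escape pair together
            cur += dn[i:i + 2]
            i += 2
        elif dn[i] == ",":
            rdns.append(cur)
            cur = ""
            i += 1
        else:
            cur += dn[i]
            i += 1
    rdns.append(cur)
    parsed = []
    for rdn in rdns:
        attr, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {rdn!r}")
        parsed.append((attr.strip().upper(), value.strip()))
    return parsed


def domain_from_dn(dn):
    """DNS domain for the JSS 'Domain' field: DC=ad,DC=jamfsw,DC=corp -> ad.jamfsw.corp."""
    return ".".join(value for attr, value in parse_dn(dn) if attr == "DC")


def common_search_base(user_dns):
    """Container shared by all given user DNs, i.e. the search base the JSS
    derives from the two verification users.  Compares from the domain root
    inward, ignores case (AD DNs are case-insensitive) and never returns a
    user object itself.  Returns '' if the users share no container."""
    parents = [parse_dn(dn)[1:] for dn in user_dns]     # drop each leaf RDN
    common = []
    for rdns in zip(*(reversed(p) for p in parents)):
        attr, value = rdns[0]
        if all(a == attr and v.lower() == value.lower() for a, v in rdns):
            common.append((attr, value))
        else:
            break
    return ",".join(f"{a}={v}" for a, v in reversed(common))


def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside an LDAP search filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def sam_account_filter(username):
    """Filter for the sAMAccountName lookup; escaping stops a username such as
    'a*' or 'x)(objectClass=*' from changing the meaning of the query."""
    return f"(&(objectClass=user)(sAMAccountName={escape_filter_value(username)}))"


if __name__ == "__main__":
    # Constructed DNs for illustration; only the domain matches the article.
    engineer = "CN=jdoe,OU=Engineering,OU=Staff,DC=ad,DC=jamfsw,DC=corp"
    seller = "CN=asmith,OU=Sales,OU=Staff,DC=ad,DC=jamfsw,DC=corp"
    print("domain:     ", domain_from_dn(engineer))
    print("search base:", common_search_base([engineer, seller]))
    print("filter:     ", sam_account_filter("jdoe"))
```

With the two constructed users above the derived search base is OU=Staff,DC=ad,DC=jamfsw,DC=corp; two users from the same OU would narrow it to that OU, which is exactly why the article asks for users from different OUs when you want a wider search.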
Additional Information
This section explains how to:
- Troubleshoot a failed connection to the AD server
- Find the DN or username for the bind user in Active Directory Users and Computers (ADUC)
- Troubleshoot failed authentication with the bind DN or username
Troubleshooting a Failed Connection
The connection to the AD server may fail if:
- Apache Directory Studio cannot reach the AD server
- The port entered in Apache Directory Studio is incorrect
- The encryption method in Apache Directory Studio does not match the encryption method of the AD server
To verify that the server uses the port that you entered in Apache Directory Studio, execute a command similar to the following and verify that you receive a connected status:
To verify the encryption method the AD server expects, contact your AD administrator. As a rule of thumb, port 636 (and 3269 for the global catalog) is LDAPS, while port 389 (and 3268) is unencrypted LDAP or StartTLS; the encryption method in Apache Directory Studio must match the port.
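The page's own connectivity command is not reproduced above. As an added example, not the article's command, the following Python performs the same checks for the three failure causes listed: a TCP connection to the port (the "connected" status), the encryption method implied by well-known AD ports, and, for an LDAPS port, a full TLS handshake that reports certificate problems explicitly. The hostname dc1.ad.jamfsw.corp in the usage block is an assumption; substitute your AD server.

```python
"""Connection and TLS checks for an AD LDAP/LDAPS port.
Added example for this page, not the article's own command."""
import socket
import ssl

# Default AD ports and the encryption method they imply.
PORT_ENCRYPTION = {
    389: "none or StartTLS (LDAP)",
    636: "LDAPS",
    3268: "none or StartTLS (global catalog)",
    3269: "LDAPS (global catalog)",
}


def expected_encryption(port):
    """Encryption method normally associated with an AD port, or None if non-standard."""
    return PORT_ENCRYPTION.get(port)


def check_port(host, port, timeout=5.0):
    """True if a TCP connection to host:port completes within the timeout.
    This is the 'connected' status the article asks you to verify; it also
    fails on a DNS error, which is what 'Check Network Parameter' catches."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_ldaps(host, port=636, timeout=5.0, cafile=None):
    """Complete a TLS handshake to an LDAPS port and return (ok, detail).

    cafile=None uses this machine's trust store, which is what Apache
    Directory Studio validates against; pass the CA file the JSS trusts to
    reproduce what the JSS will see.  A CA mismatch or a certificate whose
    subjectAltName does not cover `host` is reported in `detail`."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return True, {
                    "protocol": tls.version(),
                    "subject": dict(pair for rdn in cert.get("subject", ()) for pair in rdn),
                    "issuer": dict(pair for rdn in cert.get("issuer", ()) for pair in rdn),
                    "notAfter": cert.get("notAfter"),
                    "subjectAltName": cert.get("subjectAltName", ()),
                }
    except ssl.SSLCertVerificationError as exc:
        return False, f"certificate verification failed: {exc.verify_message}"
    except ssl.SSLError as exc:
        return False, f"TLS handshake failed: {exc}"
    except OSError as exc:
        return False, f"connection failed: {exc}"


def diagnose(host, port, cafile=None):
    """Run the checks that correspond to the three failure causes listed above."""
    report = {"host": host, "port": port, "expected_encryption": expected_encryption(port)}
    report["tcp_connected"] = check_port(host, port)
    if report["tcp_connected"] and port in (636, 3269):
        report["ldaps_ok"], report["ldaps_detail"] = check_ldaps(host, port, cafile=cafile)
    return report


if __name__ == "__main__":
    import sys
    # Hostname and port are assumptions; substitute your AD server.
    host = sys.argv[1] if len(sys.argv) > 1 else "dc1.ad.jamfsw.corp"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 636
    for key, value in diagnose(host, port).items():
        print(f"{key}: {value}")
```

Run it from the same machine as the JSS where possible: a TCP connection that succeeds but a handshake that fails with "certificate verification failed" points at the trust store rather than the network, and a hostname that resolves but is absent from the certificate's subjectAltName means the LDAPS URL must use the name on the certificate.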
Finding the DN or Username for the Bind User
You can find the DN or username for the bind user by opening ADUC, right-clicking a user, and choosing Properties.
To find the distinguished name, click the Attribute Editor tab.
To find the domain and sAMAccountName or the userPrincipalName, click the Account tab. The domain and sAMAccountName are in the User logon name (pre-Windows 2000) fields. The userPrincipalName is in the User logon name field.
Troubleshooting Failed Authentication with the Bind DN or Username
Authentication with the bind DN or username may fail if:
- The bind user entered does not exist in AD
- The bind user entered does not have permission to browse LDAP
- The DN or username is not formatted properly