Google Secure LDAP Integration
- Last Updated Oct 10, 2024
When integrating Jamf Pro with Google's Secure LDAP, consider the following:
Jamf Pro allows you to integrate with Google's secure LDAP service, which is part of G Suite Enterprise and Cloud Identity Premium. The service can be used with Jamf Pro for user authentication and group syncing. Users assigned Cloud Identity Free or G Suite Basic/Business licenses appear in user lookup results, and you can add them as Jamf Pro LDAP accounts.
Note: Users assigned to Cloud Identity Free or G Suite Basic/Business licenses are not allowed to authenticate in Jamf Pro. When such a user tries to authenticate, the INSUFFICIENT_ACCESS_RIGHTS (50) error code appears in the Jamf Pro logs. For information on Secure LDAP service error codes, see the following documentation from Google: https://support.google.com/a/answer/9167101.
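The note above is the one place this page ties a specific LDAP result code to a cause, so the following added example (not Jamf's or Google's code) shows how an administrator might triage Jamf Pro log lines by LDAP result code. The log line format is constructed for the example; only the trailing "(N)" result code and the "user <name>" phrasing are assumed. The code names are the standard RFC 4511 result codes, and the hint for code 50 restates the licensing cause given in the note.

```python
import re
from collections import Counter

# Standard LDAP result codes (RFC 4511) most often seen when directory
# authentication fails. Names match the standard result code names.
LDAP_RESULT_CODES = {
    32: "noSuchObject",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
    52: "unavailable",
}

# Likely cause and next step for each code in a Google Secure LDAP setup.
# The hint for code 50 comes from the note above; the others are general
# LDAP semantics, not Jamf- or Google-specific guidance.
TRIAGE_HINTS = {
    32: "Search base does not exist; re-check the domain/base DN in the connection.",
    49: "Wrong username or password; verify the user's credentials.",
    50: ("User holds a Cloud Identity Free or G Suite Basic/Business license and may not "
         "authenticate; check the license, then review the LDAP audit log in the Google Admin console."),
    52: "Secure LDAP service unreachable; verify hostname, port and client certificate.",
}

# Constructed sample log lines (assumed format, not real Jamf Pro output).
SAMPLE_LOG = """\
2024-10-10 09:12:01 [INFO ] LDAP bind for user jdoe@example.com succeeded
2024-10-10 09:12:45 [ERROR] LDAP bind for user asmith@example.com failed: INSUFFICIENT_ACCESS_RIGHTS (50)
2024-10-10 09:13:10 [ERROR] LDAP bind for user bjones@example.com failed: INVALID_CREDENTIALS (49)
2024-10-10 09:14:02 [ERROR] LDAP bind for user asmith@example.com failed: INSUFFICIENT_ACCESS_RIGHTS (50)
2024-10-10 09:15:33 [ERROR] LDAP search failed: NO_SUCH_OBJECT (32)
"""

CODE_RE = re.compile(r"\((\d{1,3})\)\s*$")   # trailing "(50)" style result code
USER_RE = re.compile(r"user\s+(\S+)")         # "user jdoe@example.com"


def parse_failures(log_text):
    """Return a list of (code, user_or_None, line) for each failed LDAP operation."""
    failures = []
    for line in log_text.splitlines():
        if "[ERROR]" not in line:
            continue
        m = CODE_RE.search(line)
        if not m:
            continue
        code = int(m.group(1))
        u = USER_RE.search(line)
        failures.append((code, u.group(1) if u else None, line))
    return failures


def triage(log_text):
    """Summarize failures per result code: name, count, affected users, next step."""
    failures = parse_failures(log_text)
    by_code = Counter(code for code, _, _ in failures)
    users_by_code = {}
    for code, user, _ in failures:
        if user:
            users_by_code.setdefault(code, set()).add(user)
    report = {}
    for code, count in sorted(by_code.items()):
        report[code] = {
            "name": LDAP_RESULT_CODES.get(code, "unknown"),
            "count": count,
            "users": sorted(users_by_code.get(code, ())),
            "hint": TRIAGE_HINTS.get(code, "See Google's Secure LDAP error code documentation."),
        }
    return report


if __name__ == "__main__":
    for code, info in triage(SAMPLE_LOG).items():
        print(f"code {code} ({info['name']}): {info['count']} failure(s)")
        if info["users"]:
            print("  users:", ", ".join(info["users"]))
        print("  hint:", info["hint"])
```

Running the block against the sample lines groups the two code 50 failures under the single affected user and points at the license check rather than at credentials, which is the distinction the note draws.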
Google's secure LDAP service requires a different configuration than standard LDAP servers. For instructions about how to add Jamf Pro as an LDAP client to the secure LDAP service, configure access permissions, and download the generated certificate, see the following documentation from Google: https://support.google.com/cloudidentity/answer/9048516.
After you have added Jamf Pro as an LDAP client, you need to generate the .p12 keystore file. For more information, see the Generating the PKCS12 Keystore File When Integrating Google Cloud Identity Provider with Jamf Pro article.
Jamf Pro may experience performance issues if too many cloud IdP groups are included in the scope of an object. If you need to use multiple criteria within a scope, consider creating a smart group with those criteria, and then scope to that smart group instead.
When a server connection is added, it is enabled by default. You can configure multiple connections and choose which configuration to use. Disabling the connection prevents Jamf Pro from querying data from this server. This means you can add a different configuration without deleting the current connection. To disable the connection, use the switch.
Saving a server connection triggers automatic verification of the hostname, port, and domain. The verification process must succeed before the connection is ready to use.
In large environments, the verification process for valid configurations may fail. Ensure the values in the form are correct and try saving the configuration again.
After your configuration is saved, you can test the mappings. For more information, see Testing Cloud Identity Provider Attribute Mappings.
To troubleshoot a failed connection, navigate to Reports in your Google Admin console, and check the LDAP audit log.
The following table lists the default Jamf Pro mappings and the corresponding cloud identity provider attributes:
| Jamf Pro Attribute Mapping Name | Cloud Identity Provider Attribute Mapping Value |
|---|---|
To map Jamf Pro buildings and departments to a directory value, the corresponding building or department value must first be manually created in Jamf Pro. For more information on creating buildings and departments, see Buildings and Departments.
For more information on the Secure LDAP schema, see the following documentation from Google: Secure LDAP schema.