This will be a short one, promised. For this mid-week post I’ll go for a quick share of some default settings again: integrate freeIPA as LDAP provider in Jamf Pro.

Maybe less common than Active Directory or other more mainstream Directory Services, but still, handy to have some default references to crosscheck when needed. 

Recently I was asked to help with adding freeIPA in Jamf Pro, as the mappings did not work correctly. 

I must admit, I’m not a freeIPA expert, but yeah, always game for a challenge. So I spun up a small VM on my home lab ESXI, installed freeIPA, created some test users and checked the basic user attributes with “ldapsearch” in Terminal. Just to check what the default attributes in freeIPA are and map those in Jamf Pro.

$ ldapsearch -h freeipa.xxxxxxxx.xxx -p 389 -x -b "dc=freeipa,dc=xxxxxxxx,dc=xxx"

-h hostname
-p port number
-x simple_authentication
-b search base

(This will list all entries within the search base, but if needed you can limit it to a more specific level)

For a more specific search you can add -LLL "(sn=surname)" to search for a specific user with a known surname, for instance:

$ ldapsearch -h freeipa.xxxxxxxx.xxx -p 389 -x -b "dc=freeipa,dc=xxxxxxxx,dc=xxx" -L "(sn=ldap)"

or a specific username:

$ ldapsearch -h freeipa.xxxxxxxx.xxx -p 389 -x -b "dc=freeipa,dc=xxxxxxxx,dc=xxx" -L "(uid=jamf)"

or you can use any other LDAP tool such as Apache Directory Studio, LDAP Admin Tool, etc...

And the same for the groups:

$ ldapsearch -h freeipa.xxxxxxxx.xxx -p 389 -x -b "dc=freeipa,dc=xxxxxxxx,dc=xxx" -L "(cn=serviceaccounts)"

This gave me enough to configure freeIPA as LDAP provider in Jamf Pro.

(Remember to use “Configure Manually” to set up the LDAP server, as the wizard to integrate with LDAP only works with Active Directory, Open Directory and Novell’s eDirectory.)

See screenshots below: 

Connection:

Just like in Active Directory, the “distinguished username” must be used. See “DN” in the ldapsearch results above.

User Mappings:

Search base = look for the the DN, as in the ldapsearch result above.
User ID = uidNumber
Username = uid
Real Name = displayName

Email address = mail
User UUID =  uid

Group Mappings:

Search base = see user mappings (or change if different from your user DN)
Group ID = gidNumber
Group Name = cn
Group UUID = objectGUID

User Group Membership Mappings

Membership location = User Object
Group Membership mapping = memberOf
Use distinguished name for user groups when searching = selected

I did not add any custom / additional attributes, so I only kept the default mapping’s and put the settings to a test:

Yes! It works 🙂 

The above attributes are, like I said, only the default attributes present after installing a fresh freeIPA server. Additional attributes, like phone, building, department and position can off course be created and mapped accordingly.

A bit off topic, but just remember that the building and department attributes are a bit special, as those attributes also exists as non-LDAP inventory fields In Jamf Pro (see: Jamf Pro settings - Network Organization). Mapping those inventory fields to existing LDAP attributes, regardless of the type of LDAP server you use, requires you to create the existing building and department values (meaning the existing values in the LDAP server) as Building and Departments in the Jamf Pro settings, and map the attributes correctly in the LDAP server settings.

In other words, if 'user A' has an attribute assigned in LDAP, which is used to provide the building that this user belongs to, Jamf will only display the value of the mapped attribute under "Building" if that value also exists as a "Building" in the Jamf Pro settings. If the value of this attribute does not exist in the list of "Jamf Pro Buildings", the Building inventory field will remain blank (and same for Departments).

That’s it for this short post. As said, the main purpose was to share the freeIPA mappings which work for me with a default freeIPA installation.

Grtz,
TTG


Print Friendly, PDF & Email