UPDATE 18th of December: got it to work with JamfCloud! See bottom of post.

Earlier this year Jamf announced support for the new Google Secure LDAP service. As I was too preoccupied with macOS Mojave & Secure Tokens, I didn’t have the chance to test it until now.

But to break away from testing token related deployments, I decided to have a look at this new LDAP integration today.

Before I continue, I just want to highlight one important detail regarding the pre-reqs to integrate this feature in Jamf Pro.

If you look at the configuration guide for Google Secure LDAP, you'll see that it requires 'Certificate based Authentication'. Important to know, because the LDAP integration in Jamf Pro currently does not support it.

This means that, in case you do want to integrate Google Secure LDAP into Jamf Pro, whether you are hosting your own Jamf Pro server or using JamfCloud, you will need an additional proxy server. More about that below.

That said, let’s have a quick look at how to do things.

First of all we need to set up the LDAP app in G Suite or Google Cloud Identity:

  • In Google Admin, go to APPS – LDAP
  • Give your LDAP app a name and description…
  • and give the LDAP Client the appropriate access level: entire domain or specific OU’s.

Important, for Jamf to be able to query group memberships, you must give it ‘Read group information’ privileges.
On the next screen you will be provided with the Google Cert which you’ll need for the Certificate Based Authentication. As said, more about that below.
I’ll come back to this screen below. In order to configure the LDAP integration in Jamf Pro, you’ll need to generate additional credentials under “access credentials”. 

Note: you will not be able to retrieve the password of the additional credentials after closing the popup. Hence, leave it like this for now, we’ll come back to it later.
You can already enable the app if you want.

Next we’ll need to sort out our certificate proxy. As said, Jamf Pro currently does not allow Certificate Based Authentication, but Google Secure LDAP requires it. This means we’ll need to run an additional service to make this magic happen. 

For this we use ‘stunnel‘, which will actually use the certificate we got from Google to authenticate to the LDAP service, and proxy this to Jamf. Download and install stunnel via the link above, or for example for Ubuntu, run ‘sudo apt-get install stunnel4’.

For this tutorial I installed it on Ubuntu 18.04, on the same machine as my Jamf Pro test server.

Note: When trying to install 'stunnel' I was unable to locate the package. Not sure why, but I had to fix my repository source file. (/etc/apt/sources.list).

Next, we need to configure ‘stunnel’ to connect to the Google LDAP service:

  • Navigate to the ‘stunnel’ directory and create a google-ldap.conf file (‘sudo nano /etc/stunnel/google-ldap.conf’)
  • Copy-paste the following into the file:

[ldap]
client = yes
accept = 127.0.0.1:1636
connect = ldap.google.com:636
cert = /etc/stunnel/ldap-client.crt
key = /etc/stunnel/ldap-client.key

Change the .crt and .key filename to match the filenames of the certificate/key file you downloaded from the Google Admin Portal, and specify the location. I uploaded the files to the ‘stunnel’ directory.

Note: port 1636 is an arbitrary choice. At least on Windows/Ubuntu any port will do; on RHEL you'll have to choose something above the privileged 0-1023 range.

Save your config file

Enable ‘stunnel’: ‘sudo nano /etc/default/stunnel4’ and set ENABLED=1

Restart ‘stunnel’: ‘sudo /etc/init.d/stunnel4 restart’
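The configuration and the enable/restart steps above, packaged as a script. This is an added example, not code from the original post: it writes the same google-ldap.conf, locks the Google client key down to mode 0600 (that key is a credential for your whole directory), checks that every referenced file exists, and adds server-certificate verification (verify, CAfile and checkHost, which assume stunnel 5.x as shipped with Ubuntu 18.04) so the proxy cannot be redirected to an impostor LDAP endpoint. File paths, the ldapsearch probe and the "install" branch are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: render the single-tunnel
# google-ldap.conf from the walkthrough, lock down the Google client key,
# sanity-check the result and (optionally) enable the stunnel4 service.
# Paths, the ldapsearch probe and the "install" branch are assumptions.
set -eu

# Write the stunnel client service. $1 = config dir, $2 = client cert,
# $3 = client key, $4 = local listen port (the post uses 1636).
write_stunnel_conf() {
  dir=$1; crt=$2; key=$3; port=$4
  cat > "$dir/google-ldap.conf" <<EOF
[ldap]
client = yes
accept = 127.0.0.1:$port
connect = ldap.google.com:636
cert = $crt
key = $key
; Added hardening (assumes stunnel 5.x): without these, stunnel presents the
; client certificate but never checks who it is talking to. Level 2 verifies
; Google's certificate chain against the system CA bundle, checkHost pins
; the expected name.
verify = 2
CAfile = /etc/ssl/certs/ca-certificates.crt
checkHost = ldap.google.com
EOF
  printf '%s\n' "$dir/google-ldap.conf"
}

# The Google-issued key is a credential for the whole directory: make it
# readable by its owner only. Returns non-zero if the file is missing.
lock_down_key() {
  [ -f "$1" ] || return 1
  chmod 600 "$1"
  [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

# Check that every required directive is present, that the cert/key files
# exist, and that the key is not group/world readable.
check_conf() {
  conf=$1; rc=0
  for k in accept connect cert key; do
    grep -q "^$k = " "$conf" || { echo "missing directive: $k" >&2; rc=1; }
  done
  for f in $(sed -n 's/^cert = //p; s/^key = //p' "$conf"); do
    [ -f "$f" ] || { echo "file not found: $f" >&2; rc=1; }
  done
  keyfile=$(sed -n 's/^key = //p' "$conf")
  if [ -f "$keyfile" ] && [ "$(ls -l "$keyfile" | cut -c1-10)" != "-rw-------" ]; then
    echo "key is not mode 0600: $keyfile" >&2; rc=1
  fi
  return $rc
}

# Optional end-to-end probe through the local tunnel with the Google "access
# credentials" (assumes ldap-utils is installed). Credentials come from the
# environment so the password stays out of shell history. $1 = port, $2 = base DN.
probe_tunnel() {
  command -v ldapsearch >/dev/null 2>&1 || { echo "ldapsearch not installed" >&2; return 2; }
  ldapsearch -H "ldap://127.0.0.1:$1" -x -D "$LDAP_USER" -w "$LDAP_PASS" \
    -b "$2" -s base '(objectClass=*)' dn
}

# Usage (as root on the proxy host): sh google-ldap-proxy.sh install
# Without the argument the script only defines the functions above.
if [ "${1-}" = install ]; then
  write_stunnel_conf /etc/stunnel /etc/stunnel/ldap-client.crt /etc/stunnel/ldap-client.key 1636
  lock_down_key /etc/stunnel/ldap-client.key
  check_conf /etc/stunnel/google-ldap.conf
  sed -i 's/^ENABLED=0/ENABLED=1/' /etc/default/stunnel4
  /etc/init.d/stunnel4 restart
fi
```

The verify/CAfile/checkHost lines are the one deliberate deviation from the config in the post: stunnel does not verify the remote certificate unless told to, so without them a client tunnel that resolves ldap.google.com to the wrong host would still happily hand it your bind credentials.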

Next, Jamf Pro!

Like always, for more exotic LDAP integrations we have to use the ‘manual configuration’. The idea here is to connect to the ‘stunnel’ LDAP proxy service which we just configured.

Server and port: 127.0.0.1 and 1636 if you left it default and installed the proxy on the same server as Jamf Pro

DO NOT select SSL, as we are connecting locally to the proxy.

*** LDAP Server Account – SEE BELOW ***
Note: If you choose to run 'stunnel' on a separate server, you must configure your firewalls so that only the Jamf Pro server can access your stunnel server; for JamfCloud, have a look at: permitting inbound/outbound traffic with JamfCloud. You can also configure 'stunnel' to listen with TLS.

I'll keep it at running 'stunnel' on the same server as Jamf Pro for now. I'll dive into securing it with TLS on a remote server later and update accordingly.

In order to configure the LDAP connection in Jamf Pro, we’ll need an “LDAP Server Account”. This brings us back to our Google Admin Portal, where I mentioned we had to create additional credentials.

Go back to your LDAP app in the Google Admin Console and click on ‘Authentication’. Next, ‘Generate New Credentials’. This will generate a username and password, which you can use in Jamf Pro as the service account.

NOTE: Copy the password before closing the pop-up!

Use the generated credentials in the ‘connection tab’ of Jamf Pro, with authentication set to ‘simple’. Next continue with the mappings:

For additional LDAP mappings: have a look here.

And the official Jamf Pro KB: here

That’s it! Enjoy Secure LDAP via Google Cloud Identity!

As said, I’ll have a look at enabling TLS to run ‘stunnel’ on a remote server in case you want to add some additional security. For instance when using it with JamfCloud. I’ll update ASAP.

UPDATE: How to do this with JamfCloud?

So, while installing this on-prem on the same server as the Jamf Pro server is quite straightforward, I had to do some additional testing to get it to work with JamfCloud. I’m not a ‘stunnel’ expert, so what would you expect 🙂

Anyway, this is how I did it. If there are any ‘stunnel’ experts around, please feel free to comment, correct or share any best practices!

Note: I'm not running my 'stunnel' processes in a chroot environment. I guess for this purpose it wouldn't really matter, correct me if I'm wrong!

I tweaked the config file for the google-ldap.conf file in order to create an additional tunnel. The idea is that JamfCloud will tunnel into the FQDN of my proxy server, which then tunnels it further via localhost to Google LDAP:

In addition to the extra tunnel, I added an SSL cert (and private key) to enforce SSL on the incoming connection from Jamf Cloud. The same cert is used in the Jamf Pro LDAPS connection.

In Jamf Pro we enable SSL, upload the cert and configure server and port according to the FQDN of your proxy server. I am running the proxy on a virtual machine in my homelab. A bit funny to tunnel JamfCloud LDAP via an on-prem server to Google Cloud… but yeah, first of all the lack of ‘Certificate based authentication’ for LDAP in Jamf Pro is what it is. Secondly, a similar setup could easily be configured on any cloud hosted server.

That’s it! Google Secure LDAP in Jamf Cloud! Let me know if you have any advice, remarks or suggestions.

One thing I would add is limiting inbound communication to the ‘stunnel’ proxy service to only the IP addresses used by JamfCloud.
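The two-tunnel layout from the JamfCloud update, together with the inbound allow-list suggested just above, as an added example rather than the post's own config file (the original screenshot of the tweaked google-ldap.conf is not reproduced here). The first service is a TLS listener using the cert/key that is also uploaded in the Jamf Pro LDAP settings; it hands off over localhost to the same Google client tunnel as the on-prem setup. Service names, file names, the public port and the 203.0.113.0/24 and 198.51.100.0/24 ranges are assumptions; the real JamfCloud source ranges come from Jamf's documentation for your region.

```shell
#!/bin/sh
# Added example, not the post's own config: the two-service stunnel layout
# for a proxy that JamfCloud reaches over TLS, plus an inbound allow-list.
# Service names, file names and the IP ranges are assumptions; the real
# JamfCloud ranges come from Jamf's documentation for your region.
set -eu

# $1 = config dir, $2 = public TLS port JamfCloud connects to,
# $3 = localhost port of the client tunnel to Google.
write_remote_proxy_conf() {
  dir=$1; pub_port=$2; local_port=$3
  cat > "$dir/google-ldap.conf" <<EOF
; 1) TLS listener for Jamf Pro. The cert/key here are the ones uploaded in the
;    Jamf Pro LDAP server settings, so Jamf Pro pins exactly this endpoint.
[jamfcloud-in]
client = no
accept = $pub_port
connect = 127.0.0.1:$local_port
cert = $dir/proxy-server.crt
key = $dir/proxy-server.key

; 2) Client tunnel to Google, authenticated with the Google-issued client cert
;    (same service as the on-prem setup, plus server-certificate checks).
[google-out]
client = yes
accept = 127.0.0.1:$local_port
connect = ldap.google.com:636
cert = $dir/ldap-client.crt
key = $dir/ldap-client.key
verify = 2
CAfile = /etc/ssl/certs/ca-certificates.crt
checkHost = ldap.google.com
EOF
  printf '%s\n' "$dir/google-ldap.conf"
}

# The chain only works if the listener hands off to the port the client
# tunnel listens on. Extract both from the written file and compare.
verify_chain() {
  conf=$1
  hop=$(sed -n '/^\[jamfcloud-in\]/,/^\[google-out\]/ s/^connect = //p' "$conf")
  local_in=$(sed -n '/^\[google-out\]/,$ s/^accept = //p' "$conf")
  [ -n "$hop" ] && [ "$hop" = "$local_in" ]
}

# Emit ufw rules that admit the public port only from the given source ranges
# and deny it to everyone else (ufw evaluates rules in order, so the allows
# must come first). $1 = port, remaining arguments = CIDRs.
ufw_rules_for() {
  port=$1; shift
  for cidr in "$@"; do
    printf 'ufw allow proto tcp from %s to any port %s\n' "$cidr" "$port"
  done
  printf 'ufw deny proto tcp from any to any port %s\n' "$port"
}

# Usage (as root on the proxy host): sh jamfcloud-proxy.sh install
# Without the argument the script only defines the functions above.
if [ "${1-}" = install ]; then
  conf=$(write_remote_proxy_conf /etc/stunnel 636 1636)
  verify_chain "$conf"
  # Constructed placeholder ranges; replace with the published JamfCloud ranges.
  ufw_rules_for 636 203.0.113.0/24 198.51.100.0/24 | sh
  /etc/init.d/stunnel4 restart
fi
```

Both services live in one file because the Debian/Ubuntu stunnel4 init script starts one stunnel process per /etc/stunnel/*.conf, so the listener and the Google client tunnel are restarted together. The deny rule at the end of the ufw output is what actually enforces "only JamfCloud": without it the allows are merely redundant with ufw's default policy on hosts that run with incoming traffic permitted.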

Maybe I’m missing some best practices on ‘stunnel’, like running it in chroot, but at least, it works!

grtz,
TTG
