Posted on 26th July 2017 by Darren Wallace

Typical LDAP mappings for Active Directory in Jamf Pro (formally Casper)

LDAP Settings

Hi All. This blog is my attempt to document the typical LDAP mapping settings I use when connecting a Jamf Pro (formally Casper) instance to an Active Directory domain.

This is used to allow scoping of policies, profiles and administration access to users from an AD domain. This is not the details your client Macs would use to bind to your Active Directory domain.

Please Note: These are the typical values I would use and ‘as-is’ may still not be correct for your environment. As always test, test and test again.

Where to first?

Occasionally, when trying to configure an AD LDAP connection in a Jamf Pro instance, I find that either the mappings aren’t correct for the environment, or the setup wizard doesn’t quite work. In this case I’ll use the manual method to configure this option, as documented by Jamf here.

Once setup, navigate to “Management Settings” > “System Settings” > “LDAP Servers” > [Connection name] > “Mappings” tab and click “Edit” at the very bottom.

User Mappings

First up, user mappings. These would typically be configured as follows:

Object Class Limitation
(Drop down menu)
‘All ObjectClass values’
Object Class(es)
(Text Field)
“organizationalPerson, person, top, user”
Search Base
(Text Field)
[search base of Domain, e.g.
DC=ad,DC=amsys,DC=co,Dc=uk] *
Search Scope
(Drop down menu)
‘All Subtrees’
Attribute Mappings: User ID
(Text Field)
[typically ‘uSNCreated’]
Attribute Mappings: Username
(Text Field)
[typically ‘sAMAccountName’]
Attribute Mappings: Real Name
(Text Field)
[typically ‘displayName’]
Attribute Mappings: Email Address
(Text Field)
[typically ‘userPrincipalName’]
Attribute Mappings: Append to Email Results
(Text Field)
[typically blank]
Attribute Mappings: Department
(Text Field)
[Check using Directory Utility or Apache Directory Studio]*
Attribute Mappings: Building
(Text Field)
[typically ‘st’]
Attribute Mappings: Room
(Text Field)
[Check using Directory Utility or Apache Directory Studio]*
Attribute Mappings: Phone
(Text Field)
[typically ‘telephoneNumber’]
Attribute Mappings: Position
(Text Field)
[typically ‘title’]
Attribute Mappings: User UUID
(Text Field)
[typically ‘objectGUID’]

User Group Mappings

Next, user group mappings. These would typically be configured as follows:

Object Class Limitation
(Drop down menu)
‘All ObjectClass values’
Object Class(es)
(Text Field)
“group, top”
Search Base
(Text Field)
[search base of Domain, e.g.
DC=ad,DC=amsys,DC=co,Dc=uk]
Search Scope
(Drop down menu)
‘All Subtrees’
Attribute Mappings: Group ID
(Text Field)
[typically ‘uSNCreated’]
Attribute Mappings: Group Name
(Text Field)
[typically ‘name’]
Attribute Mappings: Group UUID
(Text Field)
[typically ‘objectGUID’]

User Group Membership Mappings

Lastly, user group membership mappings. These would typically be configured as follows:

Membership Location
(Drop down menu)
[typically ‘User Object’]
Group Membership Mapping
(Text Field)
[typically ‘memberOf’]
Append to Username When Searching
(Text Field)
[typically blank]
Use distinguished name of user groups when searching
(Tick box)
Tick
Use recursive group searches
(Tick box)
Tick

“Use Directory Utility or Apache Directory Studio”?

Some of the fields above have this comment, and this is due to the fact that some options vary so greatly between sites and configurations I can’t even supply a suggested typical value!

In these cases, you have two choices:

  1. Get onto a Mac that is already successfully bound to the Domain, and launch the Directory Utility application (/System/Library/CoreServices/Applications/). Mac Mule has written a great guide on finding out AD information from the application. This can be found here
  2. Get onto a Mac that can access the AD domain (bound or not) and follow the Jamf guide on using the free Apache Directory Studio to find out the information. This can be found here

These two tools above can also be used to find all of the above information should you feel your specific site may be different.

Testing!

Once complete, save your changes and use the ‘Test’ button to test your changes. If you’re finding the LDAP plugin is not pulling out the results you expect, check Directory Utility and / or Apache Directory Studio as detailed above, and modify your settings as required.

Summary

As always, if you have any questions, queries or comments, let us know below (or @daz_wallace on Mac Admins Slack) and I’ll try to respond to and delve into as many as I can.

The usual disclaimer:
While the author has taken care to provide our readers with accurate information, please use your discretion before acting upon information based on the blog post. Amsys will not compensate you in any way whatsoever if you ever happen to suffer a loss/inconvenience/damage because of/while making use of information in this blog.