“words—
lonely written words—are all you’ve got”

—Virginia Shea

“communication happens when I know you know what I know”

—Me

LDAP Servers

One of the first tasks a new Casper administrator should complete is joining the JSS to a directory service such as Active Directory or Open Directory. This connection lays the framework for assigning access to the JSS, associating users with computers and reusing directory information instead of recreating and maintaining it in multiple locations.

Goals

 Create a service account
 Connect to an LDAP server
 Test user lookups
 Map additional attributes
 Test group membership
 Edit connection settings
 Test connection settings

LDAP Servers

Service Account

A directory connection is one-way: the JSS only reads information from the directory service and never modifies the directory database. Grant the service account read access only; it needs nothing more.

Before the JSS can access a directory, it needs a user account in that directory, preferably a service account dedicated to this purpose. The service account should be disabled for all other services such as email, file sharing, instant messaging, computer logins, etc., and its password should not be shared with any other system.

New LDAP Server

To add a new LDAP Server connection, click the New button or press the “n” key for “new”. Choose a directory service and click the Next button.

Choose a directory service

Enter the fully qualified domain name (FQDN) or IP address of the directory server and click the Next button.

LDAP server name

Your JSS has successfully found the server or domain if it next asks for the LDAP Server Account information.

Enter the username and password for the service account and click the Next button.

LDAP Server Account credentials

Your JSS has successfully authenticated with its service account to the server or domain if it next asks for test usernames.

At this stage, your JSS is successfully connecting to your directory server. The rest of the directory connection setup is devoted to testing whether the JSS can find user and group information in the directory.

Enter the usernames of two users in different parts of your company. For example, enter the name of someone in your IT group and then enter the name of someone in Marketing. This step is only testing lookups—you will not need the passwords for these accounts. Click the Next button.

Test usernames

The JSS will perform a lookup in the directory service, which is simply a search for the two user names. It will then read information about each user and display the results.

Configure user mappings

At minimum, a lookup should return the Full Name for each user name. Ideally, the lookup would return all available information for other attributes such as email, phone, building, etc. However, while it can be useful later, this information is not required.

Take the time now, though, to get the mappings as complete as possible. For example, choosing the LDAP attribute “telephoneNumber” next to Phone displays the phone number of each test user.

User mapping telephoneNumber

Configure mappings for any other attributes where possible. It’s OK to leave some of them blank if you don’t use these attributes in your directory. Note that you can map a JSS Attribute such as Building to a directory attribute such as State. Click the Next button.

User mappings
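What the lookup and mapping steps do, as an added example that is not code from the original page or from the JSS. It searches a constructed in-memory directory (one entry in Active Directory style, one in Open Directory style) by username, applies a JSS-attribute-to-directory-attribute mapping of the kind chosen on the Configure User Mappings screen, leaves unmapped or absent attributes blank, and returns None for the “No matches” case the Test Connections section describes. The entries, attribute names, mapping tables and function names are assumptions made for the example; the filter escaping follows RFC 4515, which any LDAP client should apply to a user-typed name.

```python
"""Simulated JSS user lookup with attribute mapping (added example, not JSS code).

The directory below is constructed for the example: one Active Directory style
entry and one Open Directory style entry. Multi-valued attributes are lists,
which is how an LDAP client returns them.
"""
import time

DIRECTORY = [
    {
        "dn": "CN=Alice Example,OU=IT,DC=corp,DC=example",
        "sAMAccountName": ["aexample"],
        "displayName": ["Alice Example"],
        "mail": ["alice@corp.example"],
        "telephoneNumber": ["+1 555 0100"],
        "st": ["MN"],
    },
    {
        "dn": "uid=bmarketing,cn=users,dc=od,dc=example",
        "uid": ["bmarketing"],
        "cn": ["Bob Marketing"],
        "mail": ["bob@od.example"],
        # no telephoneNumber: the constructed OD tree does not use it
    },
]

# JSS attribute -> directory attribute, per directory type (assumed values).
# "Building" -> "st" shows that a JSS attribute may map to any directory
# attribute, here the State field; an empty string leaves a mapping blank.
USER_MAPPINGS = {
    "Active Directory": {
        "Username": "sAMAccountName",
        "Full Name": "displayName",
        "Email": "mail",
        "Phone": "telephoneNumber",
        "Building": "st",
    },
    "Open Directory": {
        "Username": "uid",
        "Full Name": "cn",
        "Email": "mail",
        "Phone": "telephoneNumber",
        "Building": "",
    },
}


def escape_filter_value(value: str) -> str:
    """Escape a value for an LDAP search filter (RFC 4515).

    A username typed into a lookup must not be able to change the filter's
    structure: without escaping, "*)(objectClass=*" would match every user.
    """
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value
    )


def user_filter(username: str, mapping: dict) -> str:
    """The search filter the lookup sends, e.g. (sAMAccountName=aexample)."""
    return "(%s=%s)" % (mapping["Username"], escape_filter_value(username))


def lookup_user(username: str, directory_type: str):
    """Search the directory by username and apply the mapping.

    Returns (mapped_attributes, seconds); mapped_attributes is None when
    nothing matched, the case the JSS reports as "No matches".
    """
    mapping = USER_MAPPINGS[directory_type]
    start = time.perf_counter()
    hit = next(
        (e for e in DIRECTORY if username in e.get(mapping["Username"], [])), None
    )
    if hit is None:
        return None, time.perf_counter() - start
    mapped = {}
    for jss_attr, dir_attr in mapping.items():
        values = hit.get(dir_attr, []) if dir_attr else []
        mapped[jss_attr] = values[0] if values else ""  # blank if unmapped/absent
    return mapped, time.perf_counter() - start


if __name__ == "__main__":
    tests = [
        ("aexample", "Active Directory"),
        ("bmarketing", "Open Directory"),
        ("nobody", "Active Directory"),
    ]
    for name, dtype in tests:
        result, secs = lookup_user(name, dtype)
        print(user_filter(name, USER_MAPPINGS[dtype]),
              "->", result if result is not None else "No matches",
              "(%.5f s)" % secs)
```

Running the file prints the filter each lookup would send, the mapped attributes (or “No matches”) and the lookup time, which is the same information the JSS test screens show.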

Enter two groups in different parts of your company. For example, enter the primary group name of your first test user and then the primary group name of the second. Again, this step only tests lookups; no passwords are involved. Click the Next button.

Group membership test

This test does two things: It tests looking up a group name in the directory and it tests whether it can determine user membership in these groups. A successful test should show whether your test usernames are members of these groups. Click the Next button.

Group membership test results

Once the LDAP connection is working, click the Save button or press “Control + s” for “save” to complete the setup.

Save LDAP connection

Edit Connections

The service account settings or attribute mappings may need updating at a later time. For example, the service account’s password may have been compromised and need changing. To change a connection, click the name of the connection in the LDAP Servers list.

LDAP Servers list

Click the Edit button or press the “e” key for “edit”.

If you need to edit the service account’s connection settings, click the Connection tab. Adjust either the server or account settings here. Prefer an SSL (LDAPS) connection wherever the directory offers one; with plain LDAP, a simple bind sends the service account’s password across the network in the clear.

Connection tab

If you need to edit the attribute mappings for directory lookups, click the Mappings tab. Adjust the User Mappings, User Group Mappings or User Group Membership Mappings here.

User, group and membership mappings

Once the Connection or Mappings changes are finished, click the Save button or press “Control + s” for “save” to complete the setup.

Test Connections

Click the Test button at the bottom of the window to verify the new settings.

Click the User Mappings tab to perform a username lookup. Click the User Group Mappings tab to perform a group name lookup. Click the Test button when ready. If a username or group exists in the directory then the JSS displays the results.

Test username lookup

However, if the test fails to find the username or group then it displays “No matches”.

No matches

To test a user’s group membership, click the User Group Membership Mapping tab and enter a username and group. Click the Test button.

Test user group membership

A successful test displays whether the user is a member of the group. Note that every test also reports how long the lookup took.
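The group lookup and membership test described under Group membership test above and repeated here under Test Connections, as an added example that is not code from the original page or from the JSS. The user and group entries, the mapping settings and the function names are assumptions made for the example. It shows the two ways a directory can record membership, which is what the User Group Membership Mappings have to describe: the group listing its members (Active Directory member holding user DNs, Open Directory memberUid holding usernames) or the user listing its groups (Active Directory memberOf holding group DNs).

```python
"""Simulated JSS group lookup and membership test (added example, not JSS code).

Entries and mapping settings are constructed for the example. Each mapping
records where membership is held ("group" or "user"), which attribute holds
it, and what the attribute's values are (user DNs, group DNs or usernames).
"""
import time

USERS = [
    {"dn": "CN=Alice Example,OU=IT,DC=corp,DC=example",
     "sAMAccountName": ["aexample"],
     "memberOf": ["CN=IT Staff,OU=Groups,DC=corp,DC=example"]},
    {"dn": "CN=Bob Marketing,OU=Marketing,DC=corp,DC=example",
     "sAMAccountName": ["bmarketing"],
     "memberOf": ["CN=Marketing,OU=Groups,DC=corp,DC=example"]},
    {"dn": "uid=cod,cn=users,dc=od,dc=example", "uid": ["cod"]},
]

GROUPS = [
    {"dn": "CN=IT Staff,OU=Groups,DC=corp,DC=example", "cn": ["IT Staff"],
     "member": ["CN=Alice Example,OU=IT,DC=corp,DC=example"]},
    {"dn": "CN=Marketing,OU=Groups,DC=corp,DC=example", "cn": ["Marketing"],
     "member": ["CN=Bob Marketing,OU=Marketing,DC=corp,DC=example"]},
    {"dn": "cn=staff,cn=groups,dc=od,dc=example", "cn": ["staff"],
     "memberUid": ["cod"]},
]

# Assumed membership mapping settings per directory type.
MEMBERSHIP_MAPPINGS = {
    "Active Directory": {"username": "sAMAccountName", "group_name": "cn",
                         "held_by": "group", "attr": "member", "holds": "user dn"},
    "Active Directory (memberOf)": {"username": "sAMAccountName", "group_name": "cn",
                                    "held_by": "user", "attr": "memberOf", "holds": "group dn"},
    "Open Directory": {"username": "uid", "group_name": "cn",
                       "held_by": "group", "attr": "memberUid", "holds": "username"},
}


def _find(entries, attr, value):
    """First entry whose multi-valued attribute contains value, else None."""
    return next((e for e in entries if value in e.get(attr, [])), None)


def lookup_group(group_name, directory_type):
    """Group name lookup: returns (entry or None, seconds)."""
    m = MEMBERSHIP_MAPPINGS[directory_type]
    start = time.perf_counter()
    group = _find(GROUPS, m["group_name"], group_name)
    return group, time.perf_counter() - start


def is_member(username, group_name, directory_type):
    """Membership test: returns (True/False, seconds), or (None, seconds) when
    the user or the group could not be found ("No matches")."""
    m = MEMBERSHIP_MAPPINGS[directory_type]
    start = time.perf_counter()
    user = _find(USERS, m["username"], username)
    group, _ = lookup_group(group_name, directory_type)
    if user is None or group is None:
        return None, time.perf_counter() - start
    if m["held_by"] == "group":
        holder = group
        needle = user["dn"] if m["holds"] == "user dn" else username
    else:
        holder = user
        needle = group["dn"]
    # DN and uid matching are case-insensitive in LDAP, so compare lower-cased.
    values = [v.lower() for v in holder.get(m["attr"], [])]
    return needle.lower() in values, time.perf_counter() - start


if __name__ == "__main__":
    for args in (("aexample", "IT Staff", "Active Directory"),
                 ("aexample", "Marketing", "Active Directory"),
                 ("bmarketing", "Marketing", "Active Directory (memberOf)"),
                 ("cod", "staff", "Open Directory"),
                 ("aexample", "Nope", "Active Directory")):
        member, secs = is_member(*args)
        print(args, "->", "No matches" if member is None else member, "(%.5f s)" % secs)
```

Run it directly to see each membership test's result and timing in the same form the JSS reports them; a mapping that points at the wrong attribute shows up here as False for a user who is known to be in the group, which is the symptom to look for when the JSS membership test disagrees with the directory.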