One of the first tasks a new Casper administrator should complete is joining the JSS to a directory service such as Active Directory or Open Directory. This connection lays the framework for assigning access to the JSS, associating users with computers and repurposing information instead of recreating and maintaining it in multiple locations.
A directory connection is one-way—the JSS will only read information from the directory service. It will not have access to modify the directory database.
Before the JSS can access a directory, it needs a user account in that directory—preferably a service account dedicated to the purpose of accessing the directory. The service account should be disabled for all other services such as email, file sharing, instant messaging, computer logins, etc.
New LDAP Server
To add a new LDAP Server connection, click the New button or press the “n” key for “new”. Choose a directory service and click the Next button.
Enter the fully qualified domain name (FQDN) or IP address of the directory server and click the Next button.
Your JSS has successfully found the server or domain if it next asks for the LDAP Server Account information.
Enter the username and password for the service account and click the Next button.
Your JSS has successfully authenticated with its service account to the server or domain if it next asks for test usernames.
At this stage, your JSS is successfully connecting to your directory server. The rest of the directory connection setup is devoted to testing whether the JSS can find user and group information in the directory.
Enter the usernames of two users in different parts of your company. For example, enter the name of someone in your IT group and then enter the name of someone in Marketing. This step is only testing lookups—you will not need the passwords for these accounts. Click the Next button.
The JSS will perform a lookup in the directory service, which is simply a search for the two user names. It will then read information about each user and display the results.
At minimum, a lookup should return the Full Name for each user name. Ideally, the lookup would return all available information for other attributes such as email, phone, building, etc. However, while it can be useful later, this information is not required.
Take the time now, though, to get as much of the mapping as complete as possible. For example, choosing the LDAP Attribute “telephoneNumber” next to Phone now displays the phone numbers of each user.
Configure mappings for any other attributes where possible. It’s OK to leave some of them blank if you don’t use these attributes in your directory. Note that you can map a JSS Attribute such as Building to a directory attribute such as State. Click the Next button.
Enter two groups in different parts of your company. For example, enter the primary group name of your first user and then enter the primary group name of the second user. Again, this step is only testing lookups—you will not need the passwords for these accounts. Click the Next button.
This test does two things: It tests looking up a group name in the directory and it tests whether it can determine user membership in these groups. A successful test should show whether your test usernames are members of these groups. Click the Next button.
Once the LDAP connection is working, click the Save button or press “Control + s” for “save” to complete the setup.
The service account settings or attribute mappings may need updating at a later time. For example, the service account’s password may have been compromised and may need changing. To change a connection, click the name of the connection in the LDAP Servers list.
Click the Edit button or press the “e” key for “edit”.
If you need to edit the service account’s connection settings, click the Connection tab. Adjust either the server or account settings here.
If you need to edit the attribute mappings for directory lookups, click the Mappings tab. Adjust the User Mappings, User Group Mappings or User Group Membership Mappings here.
Once the Connection or Mappings changes are finished, click the Save button or press “Control + s” for “save” to complete the setup.
Click the Test button at the bottom of the window to verify the new settings.
Click the User Mappings tab to perform a username lookup. Click the User Group Mappings tab to perform a group name lookup. Click the Test button when ready. If a username or group exists in the directory then the JSS displays the results.
However, if the test fails to find the username or group then it displays “No matches”.
To test a user’s group membership, click the User Group Membership Mapping tab and enter a username and group. Click the Test button.
A successful test displays whether the user is a member of the group. Note that all tests also report the speed of the lookup.
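The three lookups the JSS tests (username, group name and group membership) can also be run by hand as the service account, which helps narrow down a “No matches” result. The script below is an added example, not part of the original article or of the JSS; it assumes OpenLDAP's ldapsearch, Active Directory attribute names, and placeholder values for the server, bind DN and base DN.

```shell
#!/bin/sh
# Added example: reproduce the JSS test lookups with OpenLDAP's ldapsearch.
# Server, bind DN and base DN are placeholders (assumptions); override via env.
LDAP_URI="${LDAP_URI:-ldaps://dc01.example.com}"
BIND_DN="${BIND_DN:-CN=svc-jss,OU=Service Accounts,DC=example,DC=com}"
BASE_DN="${BASE_DN:-DC=example,DC=com}"

# Escape RFC 4515 filter metacharacters so a name is matched literally
# (a stray "*" would otherwise turn the lookup into a wildcard search).
ldap_escape() {
    printf '%s' "$1" |
        sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Filter for the username lookup (Active Directory attribute names assumed).
user_filter() {
    printf '(&(objectClass=user)(sAMAccountName=%s))' "$(ldap_escape "$1")"
}

# Filter for the group name lookup.
group_filter() {
    printf '(&(objectClass=group)(cn=%s))' "$(ldap_escape "$1")"
}

# Filter that matches only if the user is a direct member of the group DN.
membership_filter() {
    printf '(&(sAMAccountName=%s)(memberOf=%s))' \
        "$(ldap_escape "$1")" "$(ldap_escape "$2")"
}

# Run one search as the service account; -W prompts for its password
# so it never appears in the process list or shell history.
lookup() {
    filter=$1; shift
    ldapsearch -x -LLL -H "$LDAP_URI" -D "$BIND_DN" -W -b "$BASE_DN" "$filter" "$@"
}

# Usage: sh jss-ldap-check.sh USERNAME GROUPNAME GROUP_DN
if [ "$#" -eq 3 ]; then
    lookup "$(user_filter "$1")" displayName mail telephoneNumber
    lookup "$(group_filter "$2")" cn member
    lookup "$(membership_filter "$1" "$3")" 1.1   # 1.1 = return the DN only
fi
```

An empty result from the first two searches corresponds to “No matches” in the JSS; an empty result from the third means the user is not a direct member of that group.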