Integrating any system into Active Directory can seem like a daunting task, especially for someone who’s not an AD administrator or doesn’t even have access to the directory service. JAMF Software has supported connecting Casper to AD for several versions of its product and has refined the connection process to be simple enough for someone with little or no AD experience to complete.
Connecting Casper to AD allows it to take advantage of existing user and group accounts, eliminating the tedium of creating them manually, and the user himself has one less password to remember. When his password changes the new password works immediately in Casper. Likewise, when a user’s account expires or is disabled then access to Casper ceases.
Gather the following information for the connection process:
- Service account. This should be an AD account dedicated for Casper to use to authenticate to AD. It should be set not to expire and not to require changing at first login. This requires both the account name and its AD password.
- The name of an AD Domain Controller (same as a Windows Global Catalog server, which assumes the role of an LDAP server).
- The name of the organization’s NetBIOS domain.
- The login names for any two user accounts in AD. Passwords aren’t required; these are used for testing lookups only.
- The names for any two security groups in AD that include one or both test user accounts. These are used for testing lookups only. (Domain Users and Domain Admins are two common security groups.)
To connect Casper to AD do the following:
- Log in to the JAMF Software Server (JSS) for Casper using a local user account.
- Navigate to Settings tab –> LDAP Server Connections. Click on the Add LDAP Server Connection button. This begins a process that verifies the service account’s credentials and creates the user and group mappings between Casper and AD.
- Select Active Directory as the LDAP server type and click the Continue button.
- For Host name enter the fully qualified domain name or IP address of the Domain Controller.
- For AD Domain enter the Windows NetBIOS domain name. Click the Continue button.
- Enter the name of the service account and its password that the JSS will use to authenticate and connect to AD. Click the Continue button.
- If the Enter Test Accounts page appears then AD has accepted the service account’s credentials. Now, enter the account names of two AD users. These can be your own and a co-worker’s account. For the best results pick two users who are in very different parts of the organization. Click the Continue button.
- The Verify Attribute Mappings page should display information about each user the JSS found in AD. Mappings are the pairing of attributes and values for an object in AD. In this case, verify the Username shown is actually the user’s short account name, verify Real Name shows the user’s first and last name, verify that Email displays the correct email address for each user, etc.
- Some fields may not be populated. That’s typically because the AD information is incomplete. If one user has information for a field and the other does not, verify that the information present is correct, or at least in the correct format.
- Casper may have wrongly mapped an attribute. For example, the telephoneNumber attribute may actually be phone in AD. To change the mapping click the edit button (ellipsis) to the right of the mapping and review the LDAP Attributes to see if another one is more suitable. Changing the attribute immediately changes the values for each user to help quickly identify better choices. Click the Return to Verify Mappings button when done.
- The new mappings appear in the list. Click the Continue button.
- Enter the two domain security groups and verify whether the test users are members. They may be members of one, both or none. Click the Continue button.
- Finally, click the Save button to save the settings.
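The checks the JSS performs in the steps above (looking up each test user, verifying the attribute mappings and testing group membership), as an added Python example that is not from JAMF or the original article. It runs against two constructed sample entries rather than a live Domain Controller, and the default mapping names are assumed.

```python
import re

# Default JSS-to-AD attribute mappings (assumed defaults; adjust to what your JSS shows)
DEFAULT_MAPPINGS = {"Username": "sAMAccountName", "Real Name": "displayName",
                    "Email": "mail", "Phone": "telephoneNumber"}

# Constructed sample entries standing in for the two test users returned by AD
SAMPLE_USERS = {
    "jdoe": {"sAMAccountName": "jdoe", "displayName": "Jane Doe", "phone": "555-0100",
             "mail": "jdoe@example.com",
             "memberOf": ["CN=Mac Admins,OU=Groups,DC=example,DC=com",
                          "CN=Help Desk,OU=Groups,DC=example,DC=com"]},
    "bsmith": {"sAMAccountName": "bsmith", "displayName": "Bob Smith", "mail": "",
               "memberOf": ["CN=Help Desk,OU=Groups,DC=example,DC=com"]},
}
# Per-field format checks, applied only to values that are present
FORMAT_CHECKS = {"Email": re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$").match}

def escape_filter(value):
    """RFC 4515 escaping so a login such as 'a)(b' cannot alter the search filter."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\0" else c for c in value)

def user_filter(login):
    """Filter the service account would send to find one test user by short name."""
    return f"(&(objectCategory=person)(sAMAccountName={escape_filter(login)}))"

def verify_mappings(mappings, users):
    """Mirror the Verify Attribute Mappings page: report the state of each JSS field."""
    report = {}
    for field, attr in mappings.items():
        values = {login: entry.get(attr, "") for login, entry in users.items()}
        if not any(values.values()):  # absent for everyone: probably the wrong attribute
            report[field] = f"unmapped: no test user has {attr}; try another attribute"
            continue
        check = FORMAT_CHECKS.get(field)
        bad = [login for login, v in values.items() if v and check and not check(v)]
        empty = [login for login, v in values.items() if not v]
        if bad:
            report[field] = "bad format for: " + ", ".join(bad)
        elif empty:
            report[field] = "incomplete in AD for: " + ", ".join(empty)
        else:
            report[field] = "ok"
    return report

def is_member(entry, group_name):
    """Group check as on the group step. Direct memberOf only: a user's primary group
    (usually Domain Users) is recorded in primaryGroupID, not in memberOf."""
    prefix = f"cn={group_name.lower()},"
    return any(dn.lower().startswith(prefix) for dn in entry.get("memberOf", []))
```

Running `verify_mappings(DEFAULT_MAPPINGS, SAMPLE_USERS)` flags Phone as unmapped, which is the situation in the remapping step: switching it to `phone` makes the value appear for the user who has one.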
Now, when adding new users to Casper, the JSS can pull the user information from AD.
- Navigate to Settings tab –> Accounts. Click on the Add Account from LDAP button.
- Enter the name of an AD user who should have privileges in the JSS. Click the Next button.
- If the lookup returns more than one result then locate the correct result and click the Add… link to the right.
- Grant the necessary privileges to the JSS and click the Save button.
At this point the newly added user should be able to log in to the JSS using his AD credentials. The JSS will also use the AD information for email alerts and other functions.
If the LDAP connection is ever deleted then existing LDAP user accounts will fail to work, even if the LDAP connection is recreated. Re-enabling users to log in will require adding their accounts and privileges again under the new LDAP connection.