LDAP mapping between JumpCloud and OpenDirectory?

jlgtx
Novitiate II

We have a Mac mini acting as a FileMaker database server, and I need to add SSO logins for database users. For some reason, the JumpCloud agent won't install, so as a workaround I added the JumpCloud LDAP server as a native directory service per https://labzilla.io/blog/jumpcloud-ldap-bind. I can now log in to the Mac using JumpCloud credentials, and I can browse the LDAP with Directory Utility.

Here's the catch: FileMaker controls access based on an LDAP group, not a user. FileMaker can see the JumpCloud LDAP groups, but it doesn't appear to be able to determine whether or not a given LDAP user is part of that LDAP group. I'm pretty sure we can fix this by tweaking the LDAP field mappings, but I need to know the correct field mapping between JumpCloud LDAP and macOS OpenDirectory, specifically where Groups are concerned.

Anyone have a clue?


jlgtx
Novitiate II

Long story short, there's no way to do this. The JC LDAP implementation simply does not support it. The "workaround" is the JC agent, which creates local users & groups that mirror the JC config. This is messy, but it does work.

From a technical standpoint, the main problem is that the JC LDAP does not include specific LDAP properties that tie users to groups in a way that macOS understands, and JC doesn't appear interested in fixing this.
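Before concluding that a directory cannot express membership the way macOS wants, it is worth checking which membership attributes the LDAP server actually populates. The script below is an added example, not code from the thread, from JumpCloud or from the labzilla post. It parses LDIF text of the kind `ldapsearch -LLL` prints and reports, for a given user DN, every group entry that references that user and through which attribute (memberUid, member, uniqueMember, or a reverse memberOf link). The Directory Utility mapping names come from the macOS LDAPv3 plugin's RFC 2307 template, where GroupMembership maps to memberUid and Member maps to uniqueMember; the sample LDIF, its DNs and its attribute values are constructed for illustration and do not describe JumpCloud's real schema.

```python
"""Report which LDAP attribute links a user to its groups, and which
Directory Utility (LDAPv3 plugin) record attribute would have to map to it.
Added example: the LDIF below is constructed and illustrative only."""
import base64
import re
from collections import defaultdict

# Constructed sample: one groupOfNames-style group (DN-valued member) and one
# posixGroup-style group (uid-valued memberUid). Not JumpCloud's actual data.
SAMPLE_LDIF = """\
dn: uid=alice,ou=Users,o=example,dc=jumpcloud,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
uid: alice
uidNumber: 5001
gidNumber: 5001

dn: cn=filemaker,ou=Users,o=example,dc=jumpcloud,dc=com
objectClass: groupOfNames
cn: filemaker
member: uid=alice,ou=Users,o=example,dc=jumpcloud,dc=com

dn: cn=filemaker-admin,ou=Users,o=example,dc=jumpcloud,dc=com
objectClass: posixGroup
cn: filemaker-admin
gidNumber: 6002
memberUid: bob
"""

# Group-side attributes checked, in the order they are tried.
MEMBERSHIP_ATTRS = ("memberuid", "member", "uniquemember")

# macOS LDAPv3 plugin standard attributes (RFC 2307 template) that must be
# mapped to the server attribute for Open Directory to resolve membership.
OD_MAPPING = {
    "memberuid": "dsAttrTypeStandard:GroupMembership",
    "member": "dsAttrTypeStandard:Member",
    "uniquemember": "dsAttrTypeStandard:Member",
}


def parse_ldif(text):
    """Return a list of (dn, {attr: [values]}); attribute names lowercased.
    Handles folded lines (leading space) and base64 values ('attr:: ...')."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = []
        for raw in block.splitlines():
            if raw.startswith(" ") and lines:
                lines[-1] += raw[1:]          # continuation of previous line
            elif raw and not raw.startswith("#"):
                lines.append(raw)
        dn, attrs = None, defaultdict(list)
        for line in lines:
            name, _, value = line.partition(":")
            if value.startswith(":"):         # base64-encoded value
                value = base64.b64decode(value[1:].strip()).decode()
            else:
                value = value.strip()
            if name.lower() == "dn":
                dn = value
            else:
                attrs[name.lower()].append(value)
        if dn is not None:
            entries.append((dn, dict(attrs)))
    return entries


def first_rdn(dn):
    """Leftmost RDN as (attr, value), e.g. ('uid', 'alice')."""
    attr, _, value = dn.split(",", 1)[0].partition("=")
    return attr.strip().lower(), value.strip()


def find_memberships(entries, user_dn):
    """Map group cn -> attribute through which the group references user_dn.
    memberUid needs the user's uid; it is taken from the user entry if that
    entry is in the LDIF, otherwise from a uid= RDN in the DN."""
    by_dn = {dn.lower(): attrs for dn, attrs in entries}
    user_attrs = by_dn.get(user_dn.lower(), {})
    rdn_attr, rdn_value = first_rdn(user_dn)
    uid = user_attrs.get("uid", [None])[0] or (rdn_value if rdn_attr == "uid" else None)
    result = {}
    for dn, attrs in entries:
        cn = attrs.get("cn", [first_rdn(dn)[1]])[0]
        for attr in MEMBERSHIP_ATTRS:
            values = attrs.get(attr, [])
            if attr == "memberuid":
                hit = uid is not None and uid in values
            else:
                hit = any(v.strip().lower() == user_dn.lower() for v in values)
            if hit:
                result[cn] = attr
                break
    # Reverse link on the user entry, if the server maintains one.
    for group_dn in user_attrs.get("memberof", []):
        result.setdefault(first_rdn(group_dn)[1], "memberof")
    return result


def report(entries, user_dn):
    """Human-readable summary for one user, including the mapping to set."""
    found = find_memberships(entries, user_dn)
    if not found:
        return (f"{user_dn}: no group entry references this user via "
                f"{', '.join(MEMBERSHIP_ATTRS)} or memberOf; no Directory "
                f"Utility mapping can supply what the server does not expose")
    lines = []
    for cn, attr in sorted(found.items()):
        mapping = OD_MAPPING.get(attr, "(reverse link only; map the group-side attribute)")
        lines.append(f"{cn}: linked via {attr} -> map {mapping} to {attr}")
    return "\n".join(lines)


if __name__ == "__main__":
    data = parse_ldif(SAMPLE_LDIF)
    for who in ("alice", "bob", "carol"):
        print(report(data, f"uid={who},ou=Users,o=example,dc=jumpcloud,dc=com"))
```

Run it against a real export by replacing SAMPLE_LDIF with the output of `ldapsearch -LLL` over the user and group subtrees; if every group comes back with no linking attribute, that is the situation the reply above describes, and no change to the Directory Utility mapping will help.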

BScott
Community Manager

I would put in a feature request if you haven't already. If enough people request it, it'll get attention.


This would be great if JC could sort this out; we can't be the only JC and FileMaker users out there.

Hi

How did you get the groups from JC to show on the Mac mini? I have managed to get the users to show, but the groups do not sync to the mini.

You have to get the JC Agent running on the mini, create APP groups in your JC console, and add users to those groups. I added Custom Attributes of "RealName" (e.g. "FileMaker") and "RecordName" (e.g. "filemaker").

I created three different groups, one for basic access, one for "delete-capable" access, and one for full admin access. Then use the Security config in FileMaker to give the desired permissions to those groups.

Also created a JC Device Group that contained only the FileMaker Server, so I could push the JC groups to only that machine.

You don't actually need the Custom Attributes, though, as the Linux Group Name and GID are what get pushed to macOS.