01-30-2023 05:05 PM - edited 01-30-2023 05:39 PM
We have a Mac mini acting as a FileMaker database server, and I need to add SSO logins for database users. For some reason, the JumpCloud agent won't install, so as a workaround I added the JumpCloud LDAP server as a native directory service per https://labzilla.io/blog/jumpcloud-ldap-bind. I can now log in to the Mac using JumpCloud credentials, and I can browse the LDAP with Directory Utility.
Here's the catch: FileMaker controls access based on an LDAP group, not a user. FileMaker can see the JumpCloud LDAP groups, but it doesn't appear to be able to determine whether or not a given LDAP user is part of that LDAP group. I’m pretty sure we can fix this by tweaking the LDAP field mappings, but I need to know the correct field mapping between JumpCloud LDAP and macOS OpenDirectory, specifically where Groups are concerned.
Anyone have a clue?
02-02-2023 03:44 PM
Long story short, there's no way to do this. The JC LDAP implementation simply does not support it. The "workaround" is the JC agent, which creates local users & groups that mirror the JC config. This is messy, but it does work.
From a technical standpoint, the main problem is that the JC LDAP does not include specific LDAP properties that tie users to groups in a way that macOS understands, and JC doesn't appear interested in fixing this.
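The reply above comes down to which attribute a group entry uses to name its members: an RFC 2307 posixGroup lists uids in memberUid, while a groupOfNames lists full DNs in member, and a directory-service mapping that expects one will not see memberships recorded in the other. The following is an added example, not code from the thread or from JumpCloud; it parses a constructed LDIF export (the org name, DNs, uids and GIDs are placeholders) and reports, for a given user and group, which of the two membership styles would actually place the user in the group, so an administrator can verify from an export what the directory really carries before trusting it for access control.

```python
"""Check LDAP group membership under the two attribute styles a directory
consumer may map: memberUid (RFC 2307 posixGroup) and member (groupOfNames).

Added example; the LDIF below is constructed sample data, not a real export.
"""
from collections import defaultdict

# Constructed sample export: two users, one groupOfNames group that lists
# members by DN, and one posixGroup that lists members by uid.
SAMPLE_LDIF = """\
dn: uid=alice,ou=Users,o=EXAMPLEORG,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
uid: alice
uidNumber: 5001
gidNumber: 5001

dn: uid=bob,ou=Users,o=EXAMPLEORG,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
uid: bob
uidNumber: 5002
gidNumber: 5002

dn: cn=filemaker,ou=Users,o=EXAMPLEORG,dc=example,dc=com
objectClass: groupOfNames
cn: filemaker
member: uid=alice,ou=Users,o=EXAMPLEORG,dc=example,dc=com

dn: cn=filemaker-posix,ou=Users,o=EXAMPLEORG,dc=example,dc=com
objectClass: posixGroup
cn: filemaker-posix
gidNumber: 6001
memberUid: alice
"""


def parse_ldif(text):
    """Minimal LDIF parser returning {dn: {attr_lowercase: [values]}}.

    Folded continuation lines (leading space) are joined; base64 ('::')
    values are kept as-is rather than decoded. Attribute names are
    lower-cased because LDAP treats them case-insensitively.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, dn, current = {}, None, None
    for line in lines + [""]:          # trailing "" flushes the last entry
        if not line.strip():
            if dn is not None:
                entries[dn] = current
            dn, current = None, None
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.lstrip(": ").strip()
        if attr == "dn":
            dn, current = value, defaultdict(list)
        elif current is not None:
            current[attr].append(value)
    return entries


def find_group(entries, cn):
    """Return (dn, attrs) of the group entry whose cn matches, else (None, None)."""
    for dn, attrs in entries.items():
        classes = [c.lower() for c in attrs.get("objectclass", [])]
        names = [v.lower() for v in attrs.get("cn", [])]
        if cn.lower() in names and ({"groupofnames", "posixgroup"} & set(classes)):
            return dn, attrs
    return None, None


def find_user_dn(entries, uid):
    """Return the DN of the entry carrying this uid, or None."""
    for dn, attrs in entries.items():
        if uid in attrs.get("uid", []):
            return dn
    return None


def membership(entries, uid, group_cn):
    """Report which mapping style would place `uid` in the named group."""
    _, group = find_group(entries, group_cn)
    if group is None:
        raise KeyError(f"no group with cn={group_cn}")
    user_dn = find_user_dn(entries, uid)
    via_memberuid = uid in group.get("memberuid", [])
    via_member = user_dn is not None and any(
        m.lower() == user_dn.lower() for m in group.get("member", []))
    return {"memberUid": via_memberuid, "member": via_member}


def posix_view(entries, group_cn):
    """Derive the memberUid list an RFC 2307 consumer would need, resolving
    each member DN of a groupOfNames back to the uid of the matching entry."""
    _, group = find_group(entries, group_cn)
    uids = set(group.get("memberuid", []))
    by_dn = {dn.lower(): attrs for dn, attrs in entries.items()}
    for member_dn in group.get("member", []):
        attrs = by_dn.get(member_dn.lower())
        if attrs:
            uids.update(attrs.get("uid", []))
    return sorted(uids)


ENTRIES = parse_ldif(SAMPLE_LDIF)

if __name__ == "__main__":
    for user, group in [("alice", "filemaker"), ("alice", "filemaker-posix"), ("bob", "filemaker")]:
        print(user, group, membership(ENTRIES, user, group))
    print("memberUid view of filemaker:", posix_view(ENTRIES, "filemaker"))
```

Run against a real export (for example the output of an ldapsearch against the directory, saved to a file) by replacing SAMPLE_LDIF; a group that reports only member=True for a user is one that a memberUid-based mapping will never resolve, which is the situation the reply above describes.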
02-10-2023 02:44 PM
I would put in a feature request if you haven't already. If enough people request it, it'll get attention.
09-19-2023 12:47 AM
This would be great if JC could sort this out; we can't be the only JC and FileMaker users out there.
09-19-2023 12:46 AM
Hi
How did you get the groups from JC to show on the Mac mini? I have managed to get the users to show, but the groups do not sync to the mini.
09-19-2023 12:33 PM
You have to get the JC Agent running on the mini, create APP groups in your JC console, and add users to those groups. I added Custom Attributes of "RealName" (e.g. "FileMaker") and "RecordName" (e.g. "filemaker").
I created three different groups, one for basic access, one for "delete-capable" access, and one for full admin access. Then use the Security config in FileMaker to give the desired permissions to those groups.
Also created a JC Device Group that contained only the FileMaker Server, so I could push the JC groups to only that machine.
09-19-2023 12:36 PM
You don't actually need the Custom Attributes, though, as the Linux Group Name and GID are what get pushed to macOS.