Hi all,

A while ago, I explored the obscure realm of configuring Google LDAP via stunnel. In the meantime, however, Jamf implemented a much better way to integrate this: Cloud Identity Providers.

So, it was about time I updated the article and tested the integration in a more modern way! And the good news is that it’s actually very straightforward, with only one little gotcha… but more about this below.

First of all, 2 official resources you may want to read before attempting the configuration:

That said, let’s dive into it! Trust me, it’s going to be a quick, short and smooth ride!

The first thing you’ll need is obviously a Google Cloud environment with the LDAP functionality available. You do need a premium Google Cloud Identity account for this. The standard account does not include this feature, which means that you will not see the LDAP functionality in the list of apps:

To enable the LDAP functionality, click on the LDAP app, and hit “ADD CLIENT”:

Give your integration a name…

… and set the permissions:

Next, Google is going to create a client certificate for you. Download it, as you’ll need to upload it to Jamf Pro later.

When you hit “Continue to client details”, you will however see that the client is not enabled by default. Let’s enable that right away to avoid running into the gotcha I mentioned before:

Make sure to change it to ON:

That’s it from the Google side of things! Easy!

However, before we head over to Jamf Pro to configure the Cloud Identity Provider, there is one more thing we need to do: create a .p12 file including the .crt and the .key which you downloaded from Google.

Full instructions can be found in the resource I shared at the beginning of the post, or by clicking here, but in essence it’s nothing more than running the command below and specifying the output path and the paths to the cert and key to combine in the .p12.

openssl pkcs12 -export -out /path/to/generated/keystore.p12 -inkey /path/to/saved/privatekey.key -in /path/to/saved/certificate.crt
Note: you will be asked to set an export password, which you will need when you upload the file to Jamf Pro!
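
A more defensive version of that step, as an added example (not from the original post, Google or Jamf): it checks that the .crt and .key really belong together before bundling, passes the export password through the environment instead of the command line, and re-opens the .p12 to confirm it is readable. The function name make_p12, the P12_PASS variable and the file names are assumptions.

```shell
#!/bin/sh
# Added example: bundle the Google LDAP client cert and key into a .p12 for Jamf Pro.
# make_p12, P12_PASS and all file paths are assumptions chosen for this sketch.

make_p12() {
    local crt="$1" key="$2" out="$3"

    if [ -z "${P12_PASS:-}" ]; then
        echo "set P12_PASS first (the export password Jamf Pro will ask for)" >&2
        return 2
    fi
    export P12_PASS   # the env: password sources below read the environment

    # Refuse to bundle a key that does not belong to the certificate:
    # both commands print the public key in the same PEM form.
    local crt_pub key_pub
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout) || return 1
    if [ "$crt_pub" != "$key_pub" ]; then
        echo "certificate and private key do not match" >&2
        return 1
    fi

    # Create the keystore readable by the current user only. The password is
    # taken from the environment, so it is not part of the openssl arguments.
    (
        umask 077
        openssl pkcs12 -export -out "$out" -inkey "$key" -in "$crt" \
            -passout env:P12_PASS
    ) || return 1

    # Re-open the result with the same password to confirm it is intact.
    openssl pkcs12 -in "$out" -passin env:P12_PASS -noout 2>/dev/null || return 1
    echo "wrote $out"
}

# Run as a script: ./make_p12.sh certificate.crt privatekey.key keystore.p12
if [ "$#" -eq 3 ]; then
    make_p12 "$@"
fi
```

Once the upload to Jamf Pro has succeeded, remove the downloaded .key and the .p12 from the workstation or move them to a protected location.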

The result will be a .p12 file created at the output path you specified in the command above (/path/to/generated/keystore.p12). With that file ready, let’s head into Jamf Pro -> System Settings -> Cloud Identity Provider and hit “new”:

The settings in Jamf Pro are really straightforward:

  • Give your connection a name
  • Leave the Connection type set to LDAPS
  • Keep the server and port at ldap.google.com / 636
  • Upload the .p12 file you created from the Google certificate and key (provide the export password when prompted)
  • And enter the Domain Name of your Google instance

The only thing I changed in the mappings is the “username” in the “User Mappings”, which I set to “mail”:

No changes to the “User Group Mappings”…

… and no changes to the default “User Group Membership Mappings” either:

This gives me the successful tests below, but depending on your deployment, you may want or need to change some mappings:

That’s it! As promised, a short and straightforward post, with not too much hassle!

As always, if you liked the post, hit the like button, tell your friends about it and leave a comment down below!

Brgds,
TTG