# Using LDAP to enroll macOS/iOS/Android devices

Use this document if you are trying to point your enrollment of device to directory services (Active Directory, Open Directory, eDirectory or OpenLDAP). This is used for Android Device and well as iOS devices or macOS devices enrolling OTA (over the air) as well as Apple's DEP (Device Enrollment Program) enrollment for both iOS and macOS devices.

---

This process consists of:  
1- Backing up the current config  
2- Editing a new config file to properly read the LDAP structure  
3- Restarting the Apache Process so it reads the new config file

## Getting the files ready

Open a Terminal Window or use SSH to get into the computer running FileWave Server

Gain root credentials

```
sudo -s
```

Enter your login password

Navigate to the FileWave Apache configurations folder

<table id="bkmrk-windows%3A-os-x-%2F-linu"><tbody><tr style="background-color: rgb(251, 238, 184);"><td>Windows:</td><td>OS X / Linux:</td></tr><tr><td>`C:\Program Files (x86)\FileWave\apache\conf`</td><td>`cd /usr/local/filewave/apache/conf/`</td></tr></tbody></table>

Backup your current mdm\_auth.conf by making a copy

```
cp mdm_auth.conf mdm_auth.conf.bac
```

Make a copy of the LDAP example and rename it

```
cp mdm_auth.conf.example_ldap_auth mdm_auth.conf
```

# Making the changes

Open it up using your preferred text editor (nano mdm\_auth.conf or vi mdm\_auth.conf).  
it will look like this:

```
<Location /ios/enroll>
# This is an example of ldap based user auth
	AuthType Basic
	AuthBasicProvider ldap
	AuthName "Enroll IOS Device"
	AuthLDAPURL "ldap://10.1.10.25:389/cn=Users,dc=saturn,dc=filewave,dc=us?uid"
	Require valid-user
# If you need to bind to the ldap server, use these lines
#	AuthLDAPBindDN "cn=Admin,o=myorg"
#	AuthLDAPBindPassword "secret1"
	 LDAPReferrals Off
</Location>

<Location /ios/dep_enrollment_profile>
# This is an example of ldap based user auth
	AuthType Basic
	AuthBasicProvider ldap
	AuthName "Enroll IOS Device"
	AuthLDAPURL "ldap://10.1.10.25:389/cn=Users,dc=saturn,dc=filewave,dc=us?uid"
	Require valid-user
        ErrorDocument 401 "Enrollment credentials are needed."
# If you need to bind to the ldap server, use these lines
#	AuthLDAPBindDN "cn=Admin,o=myorg"
#	AuthLDAPBindPassword "secret1"
	 LDAPReferrals Off
</Location>

<Location /android/enroll>
# This is an example of ldap based user auth
	AuthType Basic
	AuthBasicProvider ldap
	AuthName "Enroll Android Device"
	AuthLDAPURL "ldap://10.1.10.25:389/cn=Users,dc=saturn,dc=filewave,dc=us?uid"
	Require valid-user
# If you need to bind to the ldap server, use these lines
#	AuthLDAPBindDN "cn=Admin,o=myorg"
#	AuthLDAPBindPassword "secret1"
	 LDAPReferrals Off
</Location>

<Location /android/project_number>
# This is an example of ldap based user auth
	AuthType Basic
	AuthBasicProvider lda4
	AuthName "Google Cloud Messaging configuration"
	AuthLDAPURL "ldap://10.1.10.25:389/cn=Users,dc=saturn,dc=filewave,dc=us?uid"
	Require valid-user
# If you need to bind to the ldap server, use these lines
#	AuthLDAPBindDN "cn=Admin,o=myorg"
#	AuthLDAPBindPassword "secret1"
	 LDAPReferrals Off
</Location>
```

The different sections correspond with the different enrollment URLs.  
For example, if my servers hostname was [server.filewave.com](http://server.filewave.com):

**mdm\_auth.conf**

<table id="bkmrk-url-use-https%3A%2F%2Fserv" style="width: 100%;"><tbody><tr style="background-color: rgb(251, 238, 184);"><td style="width: 53.8974%;">URL</td><td style="width: 46.1026%;">Use</td></tr><tr><td style="width: 53.8974%;">[https://server.filewave.com:20443/ios/enroll](https://server.filewave.com:20443/ios/enroll)</td><td style="width: 46.1026%;">Over the air enrollment portal</td></tr><tr><td style="width: 53.8974%;">[https://server.filewave.com:20443/ios/dep\_enrollment\_profile](https://server.filewave.com:20443/ios/dep_enrollment_profile)</td><td style="width: 46.1026%;">URL iOS or macOS Devices request when a DEP device is enrolling. This URL is not accessible from a normal browser.</td></tr><tr><td style="width: 53.8974%;">[https://server.filewave.com:20443/android/enroll](https://server.filewave.com:20443/android/enroll)</td><td style="width: 46.1026%;">Downloading the APK FileWave Client</td></tr><tr><td style="width: 53.8974%;">[https://server.filewave.com:20443/android/project\_number](https://server.filewave.com:20443/android/project_number)</td><td style="width: 46.1026%;">Used by the FileWave Android client to talk to server</td></tr></tbody></table>

## Open Directory &amp; eDirectory

OD (by default) does not require a user to authenticate to read the structure.  
You will not need to uncomment the bind options.  
![What_to_change-OD.png](https://kb.filewave.com/uploads/images/gallery/2023-06/GdlOvHF3jPr8zOoh-what-to-change-od.png)  
AuthName - The title of the login window  
AuthLDAPURL - Where and what groups are allowed to login and there for enroll. The example above would allow anyone in the 'Users' group to enroll a device.

Make the appropriate changes and then save the .conf

## Active Directory

AD (by default) requires you bind to the directory to read. Many people create a read-only directory account.  
![What_to_change-AD.png](https://kb.filewave.com/uploads/images/gallery/2023-06/1l0UPiBY6Z7EFGIx-what-to-change-ad.png)  
AuthName - The title of the login window  
AuthLDAPURL - Where and what groups are allowed to login and there for enroll. The example above would allow anyone in the 'Users' group to enroll a device.  
AuthLDAPBindDN - From specific to most general. Username, what group that is in, what group (or organizational unit) that group is in, and the server. The example above would allow the user 'TestDir Reader' who is in the group 'User' who is in the Org Unit 'IT' on the Active Directory server of [ad-ldap.filewave.com](http://ad-ldap.filewave.com) to bind.  
AuthLDAPBindPassword - Password for user account being used to bind to AD.

Make the appropriate changes and then save the .conf

## Restarting Apache

Once saved, restart the FileWave Apache process/service

<table id="bkmrk-os-x-%2F-linux%3A-%2Fusr%2Fl" style="width: 53.4568%;"><tbody><tr style="background-color: rgb(251, 238, 184);"><td style="width: 100%;">OS X / Linux:</td></tr><tr><td style="width: 100%;">`/usr/local/filewave/apache/bin/apachectl graceful`</td></tr></tbody></table>

Now when a device attempts to enroll (by pressing the Enroll Device option on the site). They will be prompted to enter their username and password from the directory server.

![ldapenroll.png](https://kb.filewave.com/uploads/images/gallery/2023-06/3JurXXwqSAbda1lo-ldapenroll.png)

## Using several authentication sources for the same enrollment type

When we want to use several authentication sources (not nested locations) , we need to use AuthnProviderAlias sections to define those sources. The same format for binding to a single source ( see above ) apply for configuring each AuthnProviderAlias section , as in the following example

At the start of the file we define an alias by using:

```
    <AuthnProviderAlias ldap ALIAS_NAME0>
        AuthLDAPBindDN ""
        AuthLDAPBindPassword ""
        AuthLDAPURL ""
    </AuthnProviderAlias>

```

Then below that you specify the location and call for the alias

```
    <Location /ios/enroll>
        AuthBasicProvider ALIAS_NAME0 ALIAS_NAME1 ALIAS_NAME2
        AuthType Basic
        AuthName "Enroll IOS Device"
   
        Require valid-user
    </Location>

```

A final MDM\_auth.conf would look something like this:

```
  <AuthnProviderAlias ldap Student>
      AuthLDAPBindDN "cn=BindUserName,dc=filewave,dc=net"
      AuthLDAPBindPassword "YourBindPassword"
      AuthLDAPURL "ldap://ldap.filewave.net:389/OU=student,dc=filewave,dc=net?sAMAccountName"
  </AuthnProviderAlias>

  <AuthnProviderAlias ldap Faculty>
      AuthLDAPBindDN "cn=BindUserName,dc=filewave,dc=net"
      AuthLDAPBindPassword "YourBindPassword"
      AuthLDAPURL "ldap://ldap.filewave.net:389/OU=staff,dc=filewave,dc=net?sAMAccountName"
  </AuthnProviderAlias>

  <Location /ios/enroll>
      AuthBasicProvider Faculty Student
      AuthType Basic
      AuthName "Enroll IOS Device"

      Require valid-user
  </Location>

```

---

## Troubleshooting tips

Take a look at the log files for apache:

<table id="bkmrk-os-x-%2F-linux%3A-%3Cbr%3E%2Fu"><tbody><tr style="background-color: rgb(251, 238, 184);"><td>OS X / Linux:</td></tr><tr><td>`<br>/usr/local/filewave/apache/logs/error_log<br>		<br>`</td></tr></tbody></table>

Below are some sample errors and what they typically mean.

NOT Bound:

```
[Thu Feb 09 22:10:19 2012] [error] [client 192.168.1.109] user diradmin: authentication failure for "/ios/enroll": Password Mismatch, referer: https://192.168.1.95:20443/ios/

```

Bound but user entered info wrong OR ldap url pointed to wrong group:

```
[Thu Feb 09 22:29:16 2012] [error] [client 192.168.1.109] user diradmin: authentication failure for "/ios/enroll": Password Mismatch

```

Bound w/ Bad User

```
[Thu Feb 09 22:29:00 2012] [error] [client 192.168.1.109] user lkajshdg not found: /ios/enroll

```

Could be Bound or not but not filtering by the correct ?uid ?sAMAccountName at end of URL (?UID is an OD or eDir, AD is typically ?sAMAccountName)

```
[Thu Feb 09 22:17:31 2012] [error] [client 192.168.1.109] user admin not found: /ios/enroll, referer: https://192.168.1.95:20443/ios/

```

Something wrong in the mdm\_auth.conf file. Like AuthzLDAPAuthoritative isn't off or shoudn't be there.

```
apache require directives present and no authoritative handler

```

### Recursive issues

Does it appear that your server only looks at the one group/unit pointed to and not sub-groups? try adding ?sub at the end of your AuthLDAPURL lines:

```
  AuthLDAPURL "ldap://ldap.filewave.net:389/OU=student,dc=filewave,dc=net?sAMAccountName?sub"

```

Always feel free to contact support for further assistance.