Cloud-hosted LDAP gives you the power of the LDAP protocol with none of the usual setup, maintenance, or failover requirements of traditional LDAP implementations. All you need to do is point your LDAP-connected endpoints to JumpCloud and you’re on your way.
Watch a video tutorial on configuring LDAP.
Create an LDAP Binding User
The LDAP binding user is created to allow the application to gain access to the LDAP directory in order to facilitate authentication requests when a regular LDAP user is attempting to log in. JumpCloud does not support anonymous binds. When a user is designated as the Bind DN, they are automatically bound to the JumpCloud LDAP directory.
To create a binding user:
- Log in to the JumpCloud Admin Portal: https://console.jumpcloud.com/login.
- Go to USER MANAGEMENT > Users.
- Click ( + ), then select Manual user entry.
- Input User Information:
  - First Name
  - Last Name
  - (Required) Username
  - (Required) Company Email
  - Description
- Under User Security Settings and Permission > Permission Settings, check the box next to Enable as LDAP Bind DN. When enabled, this user can bind to and search the JumpCloud LDAP directory. More than one user can have this option enabled.
Considerations:
- It’s not required that this user be a service account. Any JumpCloud user can be set as a binding user, although it’s generally recommended to treat this account as privileged and to use it only to let the application bind to and search the LDAP directory.
- This option does NOT grant all LDAP users access to LDAP. To grant access, see Connecting Users to Resources – Grant Access.
- More than one user may be designated as an LDAP binding user. Some applications require this designation for all users of the application. This can be the case if the Bind DN is able to log in, but others cannot, even though they are bound to the LDAP directory.
- The LDAP binding user can be excluded from password expiration policy by selecting PASSWORD NEVER EXPIRES, an option that appears after the user is created. All other password policies are global and will apply.
Add Users to the LDAP Directory
To add users to the LDAP Directory:
- Log in to the JumpCloud Admin Portal: https://console.jumpcloud.com/login
- Go to USER AUTHENTICATION > LDAP.
- Go to the Users tab.
- Select users in the list.
- Click save.
In order to authenticate via LDAP, users must be granted access to the JumpCloud LDAP Directory, either individually or via a group. See Creating LDAP Groups and Connecting Users to Resources - Grant Access.
Configuration Details and Supported Standards
Hostname | ldap.jumpcloud.com |
URI/Port | ldap://ldap.jumpcloud.com:389 (STARTTLS) Note: Plaintext is not allowed. |
 | ldaps://ldap.jumpcloud.com:636 |
SSL Certificate | JumpCloud LDAPS SSL Certificate |
LDAP Distinguished Name | uid=LDAP_BINDING_USER,ou=Users,o=YOUR_ORG_ID,dc=jumpcloud,dc=com |
BaseDN | ou=Users,o=YOUR_ORG_ID,dc=jumpcloud,dc=com |
UserDN | ou=Users,o=YOUR_ORG_ID,dc=jumpcloud,dc=com |
GroupDN | ou=Users,o=YOUR_ORG_ID,dc=jumpcloud,dc=com |
Schema Compliance | RFC 2307 |
Samba Configuration | See Enabling Samba Support with JumpCloud LDAP |
Other | Support for inetOrgPerson, groupOfNames, and posixGroup objects. Support for memberOf overlay and support for group member search |
Considerations:
- The LDAP DN value is found in the user details (see above screenshot).
- Your application may not have a field called LDAP Distinguished Name. It may be referred to as the BindDN or may only have a username field paired with a password. This is the correct value for that field.
- The BaseDN may also be referred to as SearchDN, Search Base, or other similar terminology.
- LDAP service is Read-Only. As a result, ldapmodify and ldapadd are currently not supported. Any modifications to LDAP users will require the use of either the JumpCloud web console or our JumpCloud API.
- If you experience connection errors, ensure that your firewall isn’t configured to block traffic to port 389.
- The LDAP protocol doesn’t limit the number of concurrent connections you can have. For example, you can have multiple NAS devices connected to LDAP using the same Bind DN account.
Examples of Usage
LDAP applications typically authenticate against uid, which is the JumpCloud username, not the full email address.
- Using ldapsearch, to filter by inetOrgPerson objectClass. For more examples, see Using ldapsearch with JumpCloud.
ldapsearch -H ldap://ldap.jumpcloud.com:389 -ZZ -x -b "ou=Users,o=YOUR_ORG_ID,dc=jumpcloud,dc=com" -D "uid=LDAP_BINDING_USER,ou=Users,o=YOUR_ORG_ID,dc=jumpcloud,dc=com" -W "(objectClass=inetOrgPerson)"
Plaintext is not allowed.
- For basic testing, on Linux or OS X, this menu-driven script leverages ldapsearch. Download here.
- For testing in Windows, ldapsearch is available in OpenLDAP for Windows.
- An example of a UI-driven LDAP configuration with OpenVPN: Configuring OpenVPN to use JumpCloud’s LDAP-as-a-Service.
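The ldapsearch lookup shown above, built programmatically for a single uid, as an added example that is not JumpCloud's code. It assumes the login name comes from untrusted input, so it escapes the value for the search filter (RFC 4515) and for DNs (RFC 4514), and it refuses any URI that is not ldap:// with STARTTLS or ldaps://. The function names are hypothetical and the sample values are constructed.

```python
from urllib.parse import urlsplit

def escape_filter_value(value: str) -> str:
    """RFC 4515: hex-escape the characters that have meaning inside a filter."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )

def escape_dn_value(value: str) -> str:
    """RFC 4514: escape characters that would otherwise split or extend a DN."""
    out = []
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in '"+,;<>\\' or (i == 0 and ch in "# ") \
                or (i == len(value) - 1 and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)

def tls_args(uri: str) -> list:
    """Return the extra ldapsearch flags that keep the bind off plaintext."""
    scheme = urlsplit(uri).scheme
    if scheme == "ldaps":
        return []          # TLS from the first byte (port 636)
    if scheme == "ldap":
        return ["-ZZ"]     # require STARTTLS to succeed before binding
    raise ValueError("unsupported LDAP URI scheme: %r" % scheme)

def user_lookup_argv(uri, org_id, bind_user, login_name):
    """argv (no shell involved) for an ldapsearch that looks up one user by uid."""
    base = "ou=Users,o=%s,dc=jumpcloud,dc=com" % escape_dn_value(org_id)
    bind_dn = "uid=%s,%s" % (escape_dn_value(bind_user), base)
    flt = "(&(objectClass=inetOrgPerson)(uid=%s))" % escape_filter_value(login_name)
    return (["ldapsearch", "-H", uri] + tls_args(uri)
            + ["-x", "-b", base, "-D", bind_dn, "-W", flt])

if __name__ == "__main__":
    # Constructed sample values; the second login name is a hostile input.
    for name in ("auser", "*)(uid=*"):
        print(user_lookup_argv("ldap://ldap.jumpcloud.com:389",
                               "YOUR_ORG_ID", "LDAP_BINDING_USER", name))
```

Passing the returned list to a process launcher as an argument vector, rather than joining it into a shell string, keeps the DN and filter from being reinterpreted by the shell.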
Example Schema
# auser, Users, 56c35d17a38ac9551e1e7857, jumpcloud.com
dn: uid=auser,ou=Users,o=56c35d17a38ac9551e1e7857,dc=jumpcloud,dc=com
gidNumber: 5006
givenName: Admin
sn: User
homePhone: +1 555-555-7777
mobile: +1 555-555-6666
pager: +1 555-555-9999
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: shadowAccount
objectClass: posixAccount
objectClass: jumpcloudUser
uid: auser
l: Boulder
postalCode: 80302
street: 123 main
loginShell: /bin/bash
sshKey: ssh-rsa YOUR_KEY
cn: Admin User
telephoneNumber: +1 555-555-8888
facsimileTelephoneNumber: +1 555-555-0000
st: CO
homeDirectory: /home/auser
mail: [email protected]
postOfficeBox: 3333
uidNumber: 5006
homePostalAddress: 2040 14th St. Ste. 200$Boulder CO 80304$USA
postalAddress: 123 main$Boulder CO 80302$USA
employeeNumber: 1234a
Learn more: User Attributes.
MFA for LDAP
If your organization has LDAP applications that require extra security, you can build a Conditional Policy or Global Policy to enable multi-factor authentication (MFA) as a requirement before users can access the applications.
- See Configuring MFA for LDAP Applications for details.