
Using JumpCloud's LDAP-as-a-Service

Create an LDAP Binding User
Add users to the LDAP Directory

Configuration Details and Supported Standards
Examples of Usage
Example Schema


Create an LDAP Binding User

  • Any JumpCloud user can be designated as a binding user; the account does not have to be a dedicated 'service account'.
  • The LDAP BindDN should normally be used only to create the service account that an application or resource uses to authenticate against LDAP. By definition, the administrator Bind DN is the username and password configured for LDAP authentication. Treat this account as a privileged account: it is used only to query the directory server, and the user carries elevated privileges to search the directory.
  • This checkbox is often confused with making a user accessible over LDAP. Users check it on a normal user account when all they need to do is go to Directories and select the LDAP checkbox for that user (or add the user to a group that has LDAP enabled for that group).
  • In very rare cases, a resource such as an antiquated application requires the authenticating user account to also be a binding account.
  • Multiple users can be set as LDAP Binding Users. Some applications require this when any authenticating user must also bind and search LDAP, e.g., to determine group membership and authorization to the application.
  • Any user, including the LDAP Binding User, can be excluded from the password expiration policy by selecting PASSWORD NEVER EXPIRES. All other password policies are global and apply to every user.


Add Users to the LDAP Directory

Users can be added to LDAP individually or via a group. See Creating LDAP Groups and Binding Users to Resources.

Configuration Details and Supported Standards

URI/Port                  ldap:// (clear text or STARTTLS)
SSL Certificate           JumpCloud LDAPS SSL Certificate
LDAP Distinguished Name   uid=LDAP_BINDING_USER,ou=Users,o=YOUR_ORG_ID,dc=jumpcloud,dc=com
BaseDN                    ou=Users,o=YOUR_ORG_ID,dc=jumpcloud,dc=com
Schema Compliance         RFC 2307
Samba Configuration       See Enabling Samba with JumpCloud LDAP
Other                     Support for inetOrgPerson, groupOfNames, and posixGroup objects; support for the memberOf overlay and for group member search

  • The LDAP DN value is found in the user details (see the screenshot above).
  • Your application may not have a field called LDAP Distinguished Name; it may be called BindDN, or there may only be a 'username' field paired with a password. The DN above is the correct value for that field.
  • The BaseDN may also be referred to as SearchDN, Search Base or similar terminology.
  • The LDAP service is read-only. As a result, ldapmodify and ldapadd are currently unsupported; any modification to LDAP users must be made through the JumpCloud web console or the JumpCloud API.

Examples of Usage

Note: LDAP applications typically authenticate against uid, which is the JumpCloud username, not the full email address.

Example Schema
# auser, Users, 56c35d17a38ac9551e1e7857,
dn: uid=auser,ou=Users,o=56c35d17a38ac9551e1e7857,dc=jumpcloud,dc=com
gidNumber: 5006
givenName: Admin
sn: User
homePhone: +1 555-555-7777
mobile: +1 555-555-6666
pager: +1 555-555-9999
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: shadowAccount
objectClass: posixAccount
objectClass: jumpcloudUser
uid: auser
l: Boulder
postalCode: 80302
street: 123 main
loginShell: /bin/bash
sshKey: ssh-rsa YOUR_KEY
cn: Admin User
telephoneNumber: +1 555-555-8888
facsimileTelephoneNumber: +1 555-555-0000
st: CO
homeDirectory: /home/auser
mail: auser@yourdomain.local
postOfficeBox: 3333
uidNumber: 5006
homePostalAddress: 2040 14th St. Ste. 200$Boulder CO 80304$USA
postalAddress: 123 main$Boulder CO 80302$USA
employeeNumber: 1234a

Click here for more information about JumpCloud User Attributes.
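The following Python script is an added example, not JumpCloud's code and not part of this article. It ties together the Configuration Details and the Example Schema above: it parses the example entry (copied from the article, trimmed to the attributes it checks), verifies that the RFC 2307 posixAccount attributes a POSIX consumer such as sssd needs are present, and shows how an application should build a user's bind DN under ou=Users,o=<ORG_ID>,dc=jumpcloud,dc=com and a search filter on uid (the JumpCloud username, not mail). The DN and filter helpers escape the characters RFC 4514 and RFC 4515 reserve, so a login name can never change the structure of the DN or filter sent to the directory. The function names, and the use of the article's 56c35d17a38ac9551e1e7857 as the org id, are this example's own assumptions.

```python
"""Added example (not JumpCloud's code): offline checks for an application that
authenticates users against a read-only RFC 2307 directory laid out like the
JumpCloud tree  uid=<name>,ou=Users,o=<ORG_ID>,dc=jumpcloud,dc=com.
The ORG_ID and the sample entry are taken from the article; the function names
and the attribute set checked are this example's own choices."""
from typing import Dict, List

ORG_ID = "56c35d17a38ac9551e1e7857"   # org id used in the article's example entry

# Constructed sample: the article's example entry, trimmed to the attributes used
# here. The last attribute is folded across two lines to exercise LDIF folding.
SAMPLE_LDIF = """\
# auser, Users, 56c35d17a38ac9551e1e7857,
dn: uid=auser,ou=Users,o=56c35d17a38ac9551e1e7857,dc=jumpcloud,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: shadowAccount
objectClass: posixAccount
uid: auser
cn: Admin User
uidNumber: 5006
gidNumber: 5006
homeDirectory: /home/auser
loginShell: /bin/bash
mail: auser@yourdomain.local
homePostalAddress: 2040 14th St. Ste. 200$Boulder
  CO 80304$USA
"""

# RFC 2307 posixAccount MUST attributes; a PAM/NSS consumer relies on all of them.
POSIX_ACCOUNT_MUST = ("uid", "cn", "uidNumber", "gidNumber", "homeDirectory")


def parse_ldif_entry(text: str) -> Dict[str, List[str]]:
    """Parse one LDIF entry into attribute -> list of values.

    Handles '#' comment lines and folded continuation lines (a line that starts
    with a single space continues the previous value)."""
    attrs: Dict[str, List[str]] = {}
    last_key = None
    for raw in text.splitlines():
        if not raw or raw.startswith("#"):
            continue
        if raw.startswith(" ") and last_key:
            attrs[last_key][-1] += raw[1:]      # drop the fold marker, keep the rest
            continue
        key, _, value = raw.partition(":")
        key, value = key.strip(), value.strip()
        attrs.setdefault(key, []).append(value)
        last_key = key
    return attrs


def missing_posix_attributes(entry: Dict[str, List[str]]) -> List[str]:
    """Return the posixAccount MUST attributes the entry lacks (empty list = OK)."""
    if "posixAccount" not in entry.get("objectClass", []):
        return list(POSIX_ACCOUNT_MUST)
    return [a for a in POSIX_ACCOUNT_MUST if not entry.get(a)]


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value embedded in a search filter."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def escape_dn_value(value: str) -> str:
    """RFC 4514 escaping for an attribute value embedded in a DN."""
    escaped = "".join("\\" + ch if ch in ',+"\\<>;' else ch for ch in value)
    if escaped.startswith("#") or escaped.startswith(" "):
        escaped = "\\" + escaped                # leading '#' or space must be escaped
    if value.endswith(" "):
        escaped = escaped[:-1] + "\\ "          # trailing space must be escaped
    return escaped


def user_dn(username: str, org_id: str) -> str:
    """Bind DN of a JumpCloud user: uid=<name>,ou=Users,o=<org>,dc=jumpcloud,dc=com."""
    return f"uid={escape_dn_value(username)},ou=Users,o={org_id},dc=jumpcloud,dc=com"


def user_filter(username: str) -> str:
    """Search filter for a login name; uid is the JumpCloud username, not mail."""
    return f"(uid={escape_filter_value(username)})"


if __name__ == "__main__":
    entry = parse_ldif_entry(SAMPLE_LDIF)
    print("login name (uid):", entry["uid"][0], "(not", entry["mail"][0] + ")")
    print("missing posixAccount attributes:", missing_posix_attributes(entry) or "none")
    print("bind DN:", user_dn(entry["uid"][0], ORG_ID))
    print("filter :", user_filter(entry["uid"][0]))
```

The DN returned by user_dn is what goes into an application's BindDN field for a given user, and user_filter is what it should send against the BaseDN when looking the user up; because the service is read-only, nothing here attempts to write to the directory.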


Last Updated: Sep 26, 2018 03:50PM MDT
