Using JumpCloud's LDAP-as-a-Service

Create an LDAP Binding User
Add users to the LDAP Directory

Configuration Details and Supported Standards
Examples of Usage
Example Schema

 


Create an LDAP Binding user

The LDAP Binding user is created to allow the application to gain access to the LDAP directory in order to facilitate authentication requests when a regular LDAP user is attempting to log in. JumpCloud does not support anonymous binds. When a user is designated as the Bind DN, they are automatically bound to the JumpCloud LDAP directory.


 
Notes:
  • It's not required that this user be a 'service account'. Any JumpCloud user can be set as a binding user, although it's generally recommended to treat this account as privileged and use it only to facilitate the application's ability to bind to and search the LDAP directory.
  • This option does NOT grant users access to LDAP. To grant access, see Binding Users to Resources.
  • More than one user may be designated as an LDAP Binding User. Some applications require this designation for all users of the application. This can be the case if the Bind DN is able to log in, but others cannot even though they are bound to the LDAP directory.
  • The LDAP Binding User can be excluded from password expiration policy by selecting PASSWORD NEVER EXPIRES. All other password policies are global and will apply.


 

Add Users to the LDAP Directory

In order to authenticate via LDAP, users must be granted access to the JumpCloud LDAP directory, either individually or via a group.  See Creating LDAP Groups and Binding Users to Resources.

Configuration Details and Supported Standards
 
Hostname: ldap.jumpcloud.com
URI/Port: ldap://ldap.jumpcloud.com:389 (clear text or STARTTLS)
          ldaps://ldap.jumpcloud.com:636
SSL Certificate: JumpCloud LDAPS SSL Certificate
LDAP Distinguished Name: uid=LDAP_BINDING_USER,ou=Users,o=YOUR_ORG_ID,dc=jumpcloud,dc=com
BaseDN: ou=Users,o=YOUR_ORG_ID,dc=jumpcloud,dc=com
Schema Compliance: RFC 2307
Samba Configuration: See Enabling Samba with JumpCloud LDAP
Other: Support for inetOrgPerson, groupOfNames, and posixGroup objects. Support for memberOf overlay and support for group member search.
 
Notes
  • The LDAP DN value is found in the user details (See above screenshot).
  • Your application may not have a field called LDAP Distinguished Name; it may be referred to as the BindDN, or the application may only have a 'username' field paired with a password. This is the correct value for that field.
  • The BaseDN may also be referred to as SearchDN, Search Base or other similar terminology.
  • LDAP service is Read-Only. As a result, ldapmodify and ldapadd are currently unsupported. Any modifications to LDAP users will require the use of either the JumpCloud web console or our JumpCloud API.


Examples of Usage

Note: LDAP applications typically authenticate against uid, which is the JumpCloud username, not the full email address.
  • Using ldapsearch to filter by the inetOrgPerson objectClass. For more examples, see Using ldapsearch with JumpCloud.
    ldapsearch -H ldap://ldap.jumpcloud.com:389 -ZZ -x -b "ou=Users,o=YOUR_ORG_ID,dc=jumpcloud,dc=com" -D "uid=LDAP_BINDING_USER,ou=Users,o=YOUR_ORG_ID,dc=jumpcloud,dc=com" -W "(objectClass=inetOrgPerson)"
  • For basic testing on Linux or OS X, this menu-driven script leverages ldapsearch. Download here.
  • For testing in Windows, ldapsearch is available in OpenLDAP for Windows.
  • An example of a UI-driven LDAP configuration with OpenVPN: Configuring OpenVPN to use JumpCloud's LDAP-as-a-Service
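
An added example, not JumpCloud's own code: a Python helper that builds the ldapsearch command shown above from application-supplied values, escaping the uid in the search filter (RFC 4515) and refusing any URI that would send the bind in clear text. The function names and the allow-list used for DN values are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit

# Assumption for this example: values placed inside a DN are restricted to a
# conservative allow-list instead of being RFC 4514-escaped.
DN_SAFE = re.compile(r"[A-Za-z0-9._-]+")

def base_dn(org_id: str) -> str:
    """BaseDN in the form documented under Configuration Details."""
    if not DN_SAFE.fullmatch(org_id):
        raise ValueError("unexpected characters in org ID")
    return f"ou=Users,o={org_id},dc=jumpcloud,dc=com"

def bind_dn(bind_user: str, org_id: str) -> str:
    """DN of the LDAP Binding User."""
    if not DN_SAFE.fullmatch(bind_user):
        raise ValueError("unexpected characters in bind user")
    return f"uid={bind_user},{base_dn(org_id)}"

def user_filter(username: str) -> str:
    """Filter on uid (the JumpCloud username), escaped per RFC 4515."""
    escaped = "".join(
        f"\\{ord(ch):02x}" if ch in "\\*()\x00" else ch for ch in username
    )
    return f"(&(objectClass=inetOrgPerson)(uid={escaped}))"

def ldapsearch_argv(uri: str, org_id: str, bind_user: str, username: str) -> list:
    """Build an ldapsearch command line that never binds in clear text."""
    scheme = urlsplit(uri).scheme
    if scheme == "ldaps":
        tls = []          # TLS from the first byte (port 636)
    elif scheme == "ldap":
        tls = ["-ZZ"]     # require STARTTLS; ldapsearch aborts if it fails
    else:
        raise ValueError("URI must be ldap:// or ldaps://")
    # -W prompts for the bind password, keeping it out of the process list.
    return (["ldapsearch", "-H", uri] + tls +
            ["-x", "-b", base_dn(org_id), "-D", bind_dn(bind_user, org_id),
             "-W", user_filter(username)])

if __name__ == "__main__":
    # Constructed sample values using the page's placeholders.
    argv = ldapsearch_argv("ldap://ldap.jumpcloud.com:389",
                           "YOUR_ORG_ID", "LDAP_BINDING_USER", "auser")
    print(" ".join(argv))
```

Pass the returned list to a process launcher as an argument vector rather than joining it into a shell string, so the filter's parentheses and backslashes are not reinterpreted by the shell.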

Example Schema
# auser, Users, 56c35d17a38ac9551e1e7857, jumpcloud.com
dn: uid=auser,ou=Users,o=56c35d17a38ac9551e1e7857,dc=jumpcloud,dc=com
gidNumber: 5006
givenName: Admin
sn: User
homePhone: +1 555-555-7777
mobile: +1 555-555-6666
pager: +1 555-555-9999
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: shadowAccount
objectClass: posixAccount
objectClass: jumpcloudUser
uid: auser
l: Boulder
postalCode: 80302
street: 123 main
loginShell: /bin/bash
sshKey: ssh-rsa YOUR_KEY
cn: Admin User
telephoneNumber: +1 555-555-8888
facsimileTelephoneNumber: +1 555-555-0000
st: CO
homeDirectory: /home/auser
mail: auser@yourdomain.local
postOfficeBox: 3333
uidNumber: 5006
homePostalAddress: 2040 14th St. Ste. 200$Boulder CO 80304$USA
postalAddress: 123 main$Boulder CO 80302$USA
employeeNumber: 1234a

Click here for more information about JumpCloud User Attributes.

 

Last Updated: Nov 30, 2018 02:45PM MST
