Subscribe to Help Center RSS FeedCloud-hosted LDAP gives you the power of the LDAP protocol with none of the usual setup, maintenance, or failover requirements of traditional LDAP implementations. All you need to do is point your LDAP-connected endpoints to JumpCloud and you’re on your way.
Watch: Configuring LDAP
Create an LDAP Binding User
The LDAP binding user is created to allow the app to gain access to the LDAP directory in order to facilitate authentication requests when a regular LDAP user is attempting to log in. JumpCloud doesn't support anonymous binds. When a user is designated as the Bind DN, they're automatically bound to the JumpCloud LDAP directory.
To create a binding user:
- Log in to the JumpCloud Admin Portal.
- Go to USER MANAGEMENT > Users.
- Click ( + ), then select Manual user entry.
- Add the User Information:
- First Name
- Last Name
- (Required) Username
- (Required) Company Email
- Description
- Under User Security Settings and Permission > Permission Settings, check the box next to Enable as LDAP Bind DN. When enabled, this user acts to bind and search the JumpCloud LDAP directory; one or more users can enable this option.
Considerations:
- It's not required that this user be a service account. Any JumpCloud user can be set as a binding user, although it's generally recommended to treat this account as privileged for use only to facilitate the application's ability to bind/search the LDAP directory.
- This option does not grant all LDAP users access to LDAP. To grant access, see Connecting Users to Resources - Grant Access to learn more.
- More than one user may be designated as an LDAP binding user. Some apps require this designation for all users of the app. This can be the case if the Bind DN is able to log in, but others cannot, even though they are bound to the LDAP directory.
Add Users to the LDAP Directory
To add users to the LDAP Directory:
- Log in to the JumpCloud Admin Portal.
- Go to USER AUTHENTICATION > LDAP.
- Click the Users tab.
- Select users from the list.
- Click Save.
In order to authenticate via LDAP, users must be granted access to the JumpCloud LDAP directory, either individually or via a group. See Creating LDAP Groups and Connecting Users to Resources - Grant Access to learn more.
Migrate Users from OpenLDAP
Importing users from an OpenLDAP environment can be completed by leveraging the Export function in OpenLDAP along with JumpCloud's CSV Import Tool.
To export users from OpenLDAP, follow these steps:
- Go to the admin portal for your OpenLDAP instance.
- Select your domain component.
- Click Export.
- Change Search Scope to reflect the groups of users that you would like to export.
- Enter
(uid=*)in the Search Filter field. - Click the box adjacent to Save as file.
- Under Export Format, select CSV.
- Click Proceed.
Configuration Details and Supported Standards
| Hostname | ldap.jumpcloud.com |
| URI/Port | ldap://ldap.jumpcloud.com:389 (STARTTLS) Note: Plaintext is not allowed. |
| ldaps://ldap.jumpcloud.com:636 | |
| SSL Certificate | JumpCloud LDAPS SSL Certificate |
| LDAP Distinguished Name | uid=LDAP_BINDING_USER,ou=Users,o=YOUR_ORG_ID,dc=jumpcloud,dc=com |
| BaseDN | ou=Users,o=YOUR_ORG_ID,dc=jumpcloud,dc=com |
| UserDN | ou=Users,o=YOUR_ORG_ID,dc=jumpcloud,dc=com |
| GroupDN | ou=Users,o=YOUR_ORG_ID,dc=jumpcloud,dc=com |
| Schema Compliance | RFC 2307 |
| Samba Configuration | See Enabling Samba Support with JumpCloud LDAP |
| Other | Support for inetOrgPerson, groupOfNames, and posixGroup objects. Support for memberOf overlay and support for group member search |
Considerations:
- The LDAP DN value is found in the user details.
- Your app may not have a field called LDAP Distinguished Name. It may be referred to as the BindDN or may only have a username field paired with a password. This is the correct value for that field.
- The BaseDN may also be referred to as SearchDN, Search Base, or other similar terminology.
- LDAP service is Read-Only. As a result, ldapmodify and ldapadd are currently not supported. Any modifications to LDAP users will require the use of either the JumpCloud web console or our JumpCloud API.
- If you experience connection errors, ensure that your firewall isn’t configured to block traffic to port 389.
- The LDAP protocol doesn't limit the number of concurrent connections you can have.
- For example, you can have multiple NAS devices connected to LDAP using the same Bind DN account.
Examples of Usage
LDAP apps typically authenticate against uid, which is the JumpCloud username, not the full email address.
- Using ldapsearch, to filter by inetOrgPerson objectClass. See Using ldapsearch with JumpCloud for more examples.
ldapsearch -H ldap://ldap.jumpcloud.com:389 -ZZ -x -b "ou=Users,o=YOUR_ORG_ID,dc=jumpcloud,dc=com" -D "uid=LDAP_BINDING_USER,ou=Users,o=YOUR_ORG_ID,dc=jumpcloud,dc=com" -W "(objectClass=inetOrgPerson)"
Plaintext is not allowed.
- For basic testing, on Linux or OS X, this menu-driven script leverages ldapsearch. Download here.
- For testing in Windows, ldapsearch is available in OpenLDAP for Windows.
- An example of a UI-driven LDAP configuration with OpenVPN: Configuring OpenVPN to use JumpCloud's LDAP-as-a-Service.
Example Schema
# auser, Users, 56c35d17a38ac9551e1e7857, jumpcloud.com
dn: uid=auser,ou=Users,o=56c35d17a38ac9551e1e7857,dc=jumpcloud,dc=com
gidNumber: 5006
givenName: Admin
sn: User
homePhone: +1 555-555-7777
mobile: +1 555-555-6666
pager: +1 555-555-9999
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: shadowAccount
objectClass: posixAccount
objectClass: jumpcloudUser
uid: auser
l: Boulder
postalCode: 80302
street: 123 main
loginShell: /bin/bash
sshKey: ssh-rsa YOUR_KEY
cn: Admin User
telephoneNumber: +1 555-555-8888
facsimileTelephoneNumber: +1 555-555-0000
st: CO
homeDirectory: /home/auser
mail: auser@yourdomain.local
postOfficeBox: 3333
uidNumber: 5006
homePostalAddress: 2040 14th St. Ste. 200$Boulder CO 80304$USA
postalAddress: 123 main$Boulder CO 80302$USA
employeeNumber: 1234a
- See User Attributes for more information.
MFA for LDAP
If your org has LDAP apps that require extra security, you can build a Conditional Policy or Global Policy to enable multi-factor authentication (MFA) as a requirement before users can access the apps, see Get Started: Policies or Set a Default Access Policy for more information.
In this Article
Learn More