Use Cloud LDAP

Cloud-hosted LDAP gives you the power of the LDAP protocol with none of the usual setup, maintenance, or failover requirements of traditional LDAP implementations. All you need to do is point your LDAP-connected endpoints to JumpCloud and you’re on your way.

Watch a video tutorial on configuring LDAP.

Create an LDAP Binding User

The LDAP binding user is created to allow the application to gain access to the LDAP directory in order to facilitate authentication requests when a regular LDAP user is attempting to log in. JumpCloud does not support anonymous binds. When a user is designated as the Bind DN, they are automatically bound to the JumpCloud LDAP directory.
 To create a binding user:

  1. Log in to the JumpCloud Admin Portal: https://console.jumpcloud.com/login.
  2. Go to USER MANAGEMENT > Users
  3. Click ( + ), then select Manual user entry
  4. Input User Information:
    • First Name
    • Last Name
    • (Required) Username
    • (Required) Company Email
    • Description
  5. Under User Security Settings and Permission​ > Permission Settings​​​​​​, check the box next to Enable as LDAP Bind DN. When enabled, this user acts to bind and search the JumpCloud LDAP directory; one or more users can enable this option.

Considerations:

  • It’s not required that this user be a service account. Any JumpCloud user can be set as a binding user, although it’s generally recommended to treat this account as privileged for use only to facilitate the application’s ability to bind/search the LDAP directory.
  • This option does NOT grant all LDAP users access to LDAP. To grant access, see Connecting Users to Resources – Grant Access.
  • More than one user may be designated as an LDAP binding user. Some applications require this designation for all users of the application. This can be the case if the Bind DN is able to log in, but others cannot, even though they are bound to the LDAP directory.
  • The LDAP binding user can be excluded from password expiration policy by selecting PASSWORD NEVER EXPIRES, an option that appears after the user is created. All other password policies are global and will apply.

Add Users to the LDAP Directory

To add users to the LDAP Directory:

  1. Log in to the JumpCloud Admin Portal:  https://console.jumpcloud.com/login
  2. Go to USER AUTHENTICATION > LDAP.
  3. Go to Users tab.
  4. Select users in the list.
  5. Click save.

In order to authenticate via LDAP, users must be granted access to the JumpCloud LDAP Directory, either individually or via a group. See Creating LDAP Groups and Connecting Users to Resources - Grant Access.
 

Configuration Details and Supported Standards

Hostnameldap.jumpcloud.com
URI/Portldap://ldap.jumpcloud.com:389 (STARTTLS) Note: Plaintext is not allowed.
 ldaps://ldap.jumpcloud.com:636
SSL CertificateJumpCloud LDAPS SSL Certificate
LDAP Distinguished Nameuid=LDAP_BINDING_USER,ou=Users,o=YOUR_ORG_ID,dc=jumpcloud,dc=com
BaseDNou=Users,o=YOUR_ORG_ID,dc=jumpcloud,dc=com
UserDNou=Users,o=YOUR_ORG_ID,dc=jumpcloud,dc=com
GroupDNou=Users,o=YOUR_ORG_ID,dc=jumpcloud,dc=com
Schema ComplianceRFC 2307
Samba ConfigurationSee Enabling Samba Support with JumpCloud LDAP
OtherSupport for inetOrgPerson, groupOfNames, and posixGroup objects.  Support for memberOf overlay and support for group member search

Considerations:

  • The LDAP DN value is found in the user details (see above screenshot).
  • Your application may not have a field called LDAP Distinguished Name. It may be referred to as the BindDN or may only have a username field paired with a password. This is the correct value for that field.
  • The BaseDN may also be referred to as SearchDN, Search Base, or other similar terminology.
  • LDAP service is Read-Only. As a result, ldapmodify and ldapadd are currently not supported. Any modifications to LDAP users will require the use of either the JumpCloud web console or our JumpCloud API
  • If you experience connection errors, ensure that your firewall isn’t configured to block traffic to port 389. 
  • The LDAP protocol doesn’t limit the number of concurrent connections you can have. For example, you can have multiple NAS devices connected to LDAP using the same Bind DN account. 

Examples of Usage

Note:

LDAP applications typically authenticate against uid, which is the JumpCloud username, not the full email address.

ldapsearch -H ldap://ldap.jumpcloud.com:389 -ZZ -x -b "ou=Users,o=YOUR_ORG_ID,dc=jumpcloud,dc=com" -D "uid=LDAP_BINDING_USER,ou=Users,o=YOUR_ORG_ID,dc=jumpcloud,dc=com" -W "(objectClass=inetOrgPerson)"

Note:

Plaintext is not allowed.

Example Schema

# auser, Users, 56c35d17a38ac9551e1e7857, jumpcloud.com
dn: uid=auser,ou=Users,o=56c35d17a38ac9551e1e7857,dc=jumpcloud,dc=com
gidNumber: 5006
givenName: Admin
sn: User
homePhone: +1 555-555-7777
mobile: +1 555-555-6666
pager: +1 555-555-9999
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: shadowAccount
objectClass: posixAccount
objectClass: jumpcloudUser
uid: auser
l: Boulder
postalCode: 80302
street: 123 main
loginShell: /bin/bash
sshKey: ssh-rsa YOUR_KEY
cn: Admin User
telephoneNumber: +1 555-555-8888
facsimileTelephoneNumber: +1 555-555-0000
st: CO
homeDirectory: /home/auser
mail: [email protected]
postOfficeBox: 3333
uidNumber: 5006
homePostalAddress: 2040 14th St. Ste. 200$Boulder CO 80304$USA
postalAddress: 123 main$Boulder CO 80302$USA
employeeNumber: 1234a​

Learn more: User Attributes.

MFA for LDAP

If your organization has LDAP applications that require extra security, you can build a Conditional Policy or Global Policy to enable multi-factor authentication (MFA) as a requirement before users can access the applications.

Still Have Questions?

If you cannot find an answer to your question in our FAQ, you can always contact us.

Submit a Case