JumpCloud

Get Started: Cloud LDAP

Cloud-hosted LDAP gives you the power of the LDAP protocol with none of the usual setup, maintenance, or failover requirements of traditional LDAP implementations. All you need to do is point your LDAP-connected endpoints to JumpCloud and you're on your way.


Create an LDAP Binding User

The LDAP binding user lets an application bind to the LDAP directory so that it can service authentication requests when a regular LDAP user attempts to log in. JumpCloud does not support anonymous binds. When a user is designated as the Bind DN, that user is automatically bound to the JumpCloud LDAP directory.

To create a binding user:

  1. Log in to the JumpCloud web console.
  2. Go to USER MANAGEMENT > Users.
  3. Click ( + ), then select Manual user entry.
  4. Add the User Information:
    • First Name
    • Last Name
    • (Required) Username
    • (Required) Company Email
    • Description
  5. Under User Security Settings and Permission > Permission Settings, check the box next to Enable as LDAP Bind DN. When enabled, this user binds to and searches the JumpCloud LDAP directory; more than one user can have this option enabled.

Considerations:

  • It's not required that this user be a service account. Any JumpCloud user can be set as a binding user, although it is generally recommended to treat this account as privileged and use it only to let the application bind to and search the LDAP directory.
  • This option does NOT grant all LDAP users access to LDAP. To grant access, see Connecting Users to Resources - Grant Access.
  • More than one user may be designated as an LDAP binding user. Some applications require this designation for every user of the application. A symptom of this is that the Bind DN user can log in but other users cannot, even though they have been bound to the LDAP directory.

Add Users to the LDAP Directory

To add users to the LDAP Directory:

  1. Log in to the JumpCloud web console.
  2. Go to USER AUTHENTICATION > LDAP.
  3. Go to the Users tab.
  4. Select users in the list.
  5. Click Save.

In order to authenticate via LDAP, users must be granted access to the JumpCloud LDAP directory, either individually or via a group. See Creating LDAP Groups and Connecting Users to Resources - Grant Access.

Configuration Details and Supported Standards

Hostname:
URI/Port: ldap://:389 (STARTTLS) or ldaps://:636. Note: Plaintext is not allowed.
SSL Certificate:
LDAP Distinguished Name: uid=LDAP_BINDING_USER,ou=Users,o=YOUR_ORG_ID,dc=jumpcloud,dc=com
BaseDN: ou=Users,o=YOUR_ORG_ID,dc=jumpcloud,dc=com
UserDN: ou=Users,o=YOUR_ORG_ID,dc=jumpcloud,dc=com
GroupDN: ou=Users,o=YOUR_ORG_ID,dc=jumpcloud,dc=com
Schema Compliance: RFC 2307
Samba Configuration: See Enabling Samba Support with JumpCloud LDAP
Other: Support for inetOrgPerson, groupOfNames, and posixGroup objects. Support for the memberOf overlay and for group member search.

Considerations:

  • The LDAP DN value is found in the user details (see the screenshot above).
  • Your application may not have a field called LDAP Distinguished Name. It may be referred to as the BindDN, or the application may only have a username field paired with a password. The LDAP Distinguished Name is the correct value for that field.
  • The BaseDN may also be referred to as SearchDN, Search Base, or similar terminology.
  • The LDAP service is read-only. As a result, ldapmodify and ldapadd are currently not supported. Any modifications to LDAP users require either the JumpCloud web console or .
  • If you experience connection errors, ensure that your firewall isn't configured to block traffic to port 389.
  • The LDAP protocol doesn't limit the number of concurrent connections you can have. For example, multiple NAS devices can connect to LDAP using the same Bind DN account.

Examples of Usage

Note:

LDAP applications typically authenticate against uid, which is the JumpCloud username, not the full email address.

  • Using ldapsearch, to filter by inetOrgPerson objectClass. For more examples, see .

ldapsearch -H ldap://:389 -ZZ -x -b "ou=Users,o=YOUR_ORG_ID,dc=jumpcloud,dc=com" -D "uid=LDAP_BINDING_USER,ou=Users,o=YOUR_ORG_ID,dc=jumpcloud,dc=com" -W "(objectClass=inetOrgPerson)"

Note:

Plaintext is not allowed.

  • For basic testing, on Linux or OS X, this menu-driven script leverages ldapsearch. Download .
  • For testing in Windows, ldapsearch is available in .
  • An example of a UI-driven LDAP configuration with OpenVPN: .
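As an added example (not JumpCloud's own code), the helpers below build the Bind DN, BaseDN and the ldapsearch call from the configuration table above, and refuse any transport that would send the bind in plaintext (ldap:// without STARTTLS, or a scheme/port mismatch). The org id, bind user and LDAP_HOST values are placeholders, and the helper names are assumptions.

```python
import shlex
from urllib.parse import urlsplit

# Hypothetical helpers (not JumpCloud code). Org id, bind user and host are placeholders.
LDAP_HOST = "LDAP_HOST"  # placeholder: the page does not state the hostname

def base_dn(org_id):
    return f"ou=Users,o={org_id},dc=jumpcloud,dc=com"

def user_dn(username, org_id):
    # The Bind DN and every user DN share one shape: uid=<username>,<BaseDN>.
    return f"uid={username},{base_dn(org_id)}"

def check_transport(uri, starttls):
    """Return 'ldaps' or 'starttls' if the session will be encrypted; raise otherwise."""
    parts = urlsplit(uri)
    if parts.scheme == "ldaps":
        if parts.port not in (None, 636):
            raise ValueError("ldaps:// is served on port 636")
        return "ldaps"
    if parts.scheme == "ldap":
        if parts.port not in (None, 389):
            raise ValueError("ldap:// is served on port 389")
        if not starttls:
            raise ValueError("plaintext ldap:// is refused: use STARTTLS (-ZZ) or ldaps://")
        return "starttls"
    raise ValueError(f"unsupported scheme {parts.scheme!r}")

def ldapsearch_argv(uri, org_id, bind_user, ldap_filter="(objectClass=inetOrgPerson)", starttls=True):
    """Build the argv for the ldapsearch call shown above, refusing plaintext transports."""
    argv = ["ldapsearch", "-H", uri]
    if check_transport(uri, starttls) == "starttls":
        argv.append("-ZZ")  # -ZZ: StartTLS must succeed, or the search is aborted
    argv += ["-x", "-b", base_dn(org_id),
             "-D", user_dn(bind_user, org_id), "-W", ldap_filter]
    return argv

def ldapsearch_cmd(*args, **kwargs):
    """Same call rendered as a shell line (for pasting into a test script)."""
    return shlex.join(ldapsearch_argv(*args, **kwargs))

if __name__ == "__main__":
    print(ldapsearch_cmd(f"ldap://{LDAP_HOST}:389", "YOUR_ORG_ID", "LDAP_BINDING_USER"))
    print(ldapsearch_cmd(f"ldaps://{LDAP_HOST}:636", "YOUR_ORG_ID", "LDAP_BINDING_USER"))
```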

Example Schema

# auser, Users, 56c35d17a38ac9551e1e7857, jumpcloud.com
dn: uid=auser,ou=Users,o=56c35d17a38ac9551e1e7857,dc=jumpcloud,dc=com
gidNumber: 5006
givenName: Admin
sn: User
homePhone: +1 555-555-7777
mobile: +1 555-555-6666
pager: +1 555-555-9999
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: shadowAccount
objectClass: posixAccount
objectClass: jumpcloudUser
uid: auser
l: Boulder
postalCode: 80302
street: 123 main
loginShell: /bin/bash
sshKey: ssh-rsa YOUR_KEY
cn: Admin User
telephoneNumber: +1 555-555-8888
facsimileTelephoneNumber: +1 555-555-0000
st: CO
homeDirectory: /home/auser
mail: [email protected]
postOfficeBox: 3333
uidNumber: 5006
homePostalAddress: 2040 14th St. Ste. 200$Boulder CO 80304$USA
postalAddress: 123 main$Boulder CO 80302$USA
employeeNumber: 1234a
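As an added example (not JumpCloud's own code), this parses an LDIF entry of the shape shown above, as ldapsearch prints it, and checks the RFC 2307 posixAccount attributes the page says the schema complies with; the sample entry is a trimmed copy of the one above, and the helper names are assumptions.

```python
from collections import defaultdict
# Constructed sample: the entry shown above, trimmed to the attributes the checks use.
# Helper names below are hypothetical, not JumpCloud code.
SAMPLE_LDIF = """\
# auser, Users, 56c35d17a38ac9551e1e7857, jumpcloud.com
dn: uid=auser,ou=Users,o=56c35d17a38ac9551e1e7857,dc=jumpcloud,dc=com
gidNumber: 5006
objectClass: inetOrgPerson
objectClass: posixAccount
uid: auser
cn: Admin User
homeDirectory: /home/auser
uidNumber: 5006
postalAddress: 123 main$Boulder CO 80302$USA
"""

# RFC 2307 posixAccount MUST attributes (cn is also required by inetOrgPerson).
POSIX_REQUIRED = ("cn", "uid", "uidNumber", "gidNumber", "homeDirectory")

def parse_ldif_entry(text):
    """Parse one LDIF entry into {attr: [values]}; skips '#' comments, joins folded lines."""
    lines = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines:  # LDIF folds long values onto space-led lines
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entry = defaultdict(list)
    for line in lines:
        attr, _, value = line.partition(":")
        if value.startswith(":"):  # 'attr:: base64' form; value is kept encoded
            value = value[1:]
        entry[attr.strip()].append(value.strip())
    return dict(entry)

def posix_problems(entry):
    """List what keeps the entry from being a valid RFC 2307 posixAccount."""
    problems = [a for a in POSIX_REQUIRED if a not in entry]
    if "posixAccount" not in entry.get("objectClass", []):
        problems.append("objectClass posixAccount")
    for a in ("uidNumber", "gidNumber"):
        if a in entry and not entry[a][0].isdigit():
            problems.append(f"{a} not numeric")
    return problems

def postal_lines(entry):
    """postalAddress separates lines with '$' (RFC 4517)."""
    return entry["postalAddress"][0].split("$")
```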

MFA for LDAP

If your organization has LDAP applications that require extra security, you can build a Conditional Policy or Global Policy to enable multi-factor authentication (MFA) as a requirement before users can access the applications.
