Configuring JumpCloud LDAP Integration

To integrate JumpCloud’s LDAP-as-a-Service with PAM, perform the following procedure.

Pre-requisites

  • A JumpCloud account that is configured as an LDAP Binding User. Please reference this JumpCloud article for more information.
  • A connection and account to log in to the PAM host server to run commands, update configuration files and restart services.
  • A JumpCloud account to test the integration.

JumpCloud LDAP Integration

  1. Log in to JumpCloud to retrieve your LDAP Binding User and the required parameters to perform the integration. This includes the LDAP Binding Account (DN), the LDAP Binding Account password and your JumpCloud OrgID. For additional information, please review this JumpCloud article.
  2. On the PAM host server, open a command prompt and navigate to $PAM_HOME
  3. From the $PAM_HOME directory, execute the following command, replacing the placeholders with your actual JumpCloud values.
    1. For Windows, substitute your <CONNECTION_NAME>, <LDAP_BINDING_USER>, <YOUR_ORG_ID> and <LDAP_BINDING_USER_PASSWORD> values and issue:

      bin\PamDirectory.cmd LdapConnect web <CONNECTION_NAME> ldaps://ldap.jumpcloud.com:636 "uid=<LDAP_BINDING_USER>,ou=Users,o=<YOUR_ORG_ID>,dc=jumpcloud,dc=com" <LDAP_BINDING_USER_PASSWORD>
    2. For Unix or Linux, substitute your <CONNECTION_NAME>, <LDAP_BINDING_USER>, <YOUR_ORG_ID> and <LDAP_BINDING_USER_PASSWORD> values and issue:

      bin/pamdirectory.sh LdapConnect web <CONNECTION_NAME> ldaps://ldap.jumpcloud.com:636 "uid=<LDAP_BINDING_USER>,ou=Users,o=<YOUR_ORG_ID>,dc=jumpcloud,dc=com" <LDAP_BINDING_USER_PASSWORD>
  4. When the command executes successfully (it will return an Ok response), next open the $PAM_HOME/web/conf/catalina.properties file in a text editor. You will need to manually update a few parameters to complete the integration.

  5. Locate the section of this file that is specific to your JumpCloud connection (it will probably be at the bottom). Update the parameters to match those below.

    ldap.name=CONNECTION_NAME
    ldap.url=ldaps://ldap.jumpcloud.com:636
    ldap.rootDn=ou=Users,o=YOUR_ORG_ID,dc=jumpcloud,dc=com
    ldap.baseDn=ou=Users,o=YOUR_ORG_ID,dc=jumpcloud,dc=com
    ldap.managerDn=uid=LDAP_BINDING_USER,ou=Users,o=YOUR_ORG_ID,dc=jumpcloud,dc=com
    ldap.managerPassword=LDAP_BINDING_USER_PASSWORD
    ldap.domain=jumpcloud.com
    ldap.roleBase=o=YOUR_ORG_ID,dc=jumpcloud,dc=com
    # Uncomment exactly one of the next two lines (remove the #): uid={0} to log in using the UID, mail={0} to log in using the email address
    #ldap.authn.searchFilter=uid={0}
    #ldap.authn.searchFilter=mail={0}
    ldap.roleName=cn
    ldap.roleSearch=(member={0})
    ldap.groupSearch=(&(cn={0})(objectClass=groupOfNames))
  6. After the updates have been made, save and close the file.

  7. Restart the PamManagement (Windows) or pammanager (Linux) service to complete the integration.

  8. When the service comes back online (2-5 minutes), test your login using a JumpCloud account.
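Before restarting the service in step 7, it is worth checking the edited JumpCloud section for the mistakes that most often cause a failed login: a plain ldap:// URL instead of LDAPS on 636, a template placeholder (YOUR_ORG_ID, LDAP_BINDING_USER, ...) left in a value, DNs that do not all carry the same OrgID, or both ldap.authn.searchFilter lines uncommented at once. The script below is an added example written here, not code from the PAM or JumpCloud documentation; it assumes only the key names shown in step 5. The two property fragments, the OrgID abc123, the connection name and the bind user are constructed sample values. It also shows what the search filter looks like once the login name is substituted for {0}, with RFC 4515 escaping applied to the name; how PAM itself performs that substitution is not documented on this page, so treat that part as an illustration of the general LDAP practice rather than a description of the product.

```python
"""Sanity-check the JumpCloud LDAP section of $PAM_HOME/web/conf/catalina.properties.

Added example (not part of the product documentation). Assumes only the
property key names shown in the procedure; all sample values are constructed.
"""
import re

# Constructed sample of a correctly completed JumpCloud section (placeholders filled in).
SAMPLE_PROPERTIES = """\
ldap.name=jumpcloud
ldap.url=ldaps://ldap.jumpcloud.com:636
ldap.rootDn=ou=Users,o=abc123,dc=jumpcloud,dc=com
ldap.baseDn=ou=Users,o=abc123,dc=jumpcloud,dc=com
ldap.managerDn=uid=pam-bind,ou=Users,o=abc123,dc=jumpcloud,dc=com
ldap.managerPassword=EXAMPLE_SECRET
ldap.domain=jumpcloud.com
ldap.roleBase=o=abc123,dc=jumpcloud,dc=com
ldap.authn.searchFilter=uid={0}
#ldap.authn.searchFilter=mail={0}
ldap.roleName=cn
ldap.roleSearch=(member={0})
ldap.groupSearch=(&(cn={0})(objectClass=groupOfNames))
"""

# Constructed sample with three typical mistakes: plain ldap://, a placeholder left
# in rootDn (which also makes the OrgIDs disagree), and both search filters active.
BAD_PROPERTIES = SAMPLE_PROPERTIES \
    .replace("ldaps://ldap.jumpcloud.com:636", "ldap://ldap.jumpcloud.com:389") \
    .replace("ldap.rootDn=ou=Users,o=abc123", "ldap.rootDn=ou=Users,o=YOUR_ORG_ID") \
    .replace("#ldap.authn.searchFilter=mail", "ldap.authn.searchFilter=mail")

# Placeholder tokens from the documentation template that must not survive editing.
PLACEHOLDERS = ("CONNECTION_NAME", "YOUR_ORG_ID", "LDAP_BINDING_USER", "LDAP_BINDING_USER_PASSWORD")


def parse_properties(text):
    """Parse key=value lines into a dict; blank lines and # comments are ignored."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")  # split on the first '=' only: DNs contain '='
        props[key.strip()] = value.strip()
    return props


def org_id_from_dn(dn):
    """Return the o= RDN value (the JumpCloud OrgID) of a DN, or None if absent."""
    match = re.search(r"(?:^|,)o=([^,]+)", dn)
    return match.group(1) if match else None


def validate(text):
    """Return a list of problems found in the JumpCloud section; empty means it looks sane."""
    props = parse_properties(text)
    problems = []
    # Transport: JumpCloud LDAP is reached over LDAPS on port 636, never plain ldap://.
    if props.get("ldap.url") != "ldaps://ldap.jumpcloud.com:636":
        problems.append("ldap.url must be ldaps://ldap.jumpcloud.com:636")
    # Template placeholders that were never replaced.
    for key, value in props.items():
        if any(token in value for token in PLACEHOLDERS):
            problems.append(f"{key} still contains a template placeholder")
    # Every DN in the section must carry the same o=<OrgID>.
    org_ids = {org_id_from_dn(props.get(k, ""))
               for k in ("ldap.rootDn", "ldap.baseDn", "ldap.managerDn", "ldap.roleBase")}
    if len(org_ids) != 1 or None in org_ids:
        problems.append("rootDn/baseDn/managerDn/roleBase do not share one o=<OrgID>")
    # Exactly one ldap.authn.searchFilter line may be uncommented (UID or email, not both).
    active = [l for l in text.splitlines() if l.strip().startswith("ldap.authn.searchFilter=")]
    if len(active) != 1:
        problems.append(f"expected exactly 1 active ldap.authn.searchFilter, found {len(active)}")
    # The documented layout puts the binding user directly under the base DN (ou=Users).
    if not props.get("ldap.managerDn", "").endswith("," + props.get("ldap.baseDn", "")):
        problems.append("ldap.managerDn is not under ldap.baseDn")
    return problems


def escape_filter_value(value):
    """RFC 4515 escaping for a value substituted into an LDAP search filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def render_login_filter(text, username):
    """Show the active searchFilter with {0} replaced by the (escaped) login name.
    Illustrative only: how PAM performs this substitution is not documented here."""
    template = parse_properties(text)["ldap.authn.searchFilter"]
    return template.replace("{0}", escape_filter_value(username))


if __name__ == "__main__":
    for label, text in (("good", SAMPLE_PROPERTIES), ("bad", BAD_PROPERTIES)):
        print(label, validate(text) or "no problems found")
    print(render_login_filter(SAMPLE_PROPERTIES, "alice"))
```

Run it against the real file by reading $PAM_HOME/web/conf/catalina.properties and passing only the JumpCloud section to validate(); the checks are deliberately offline so they can be run before the restart and before any bind attempt.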