If your organization has LDAP applications that require extra security, you can build a Conditional Policy or Default Access Policy to enable multi-factor authentication (MFA) as a requirement before users can access the applications.
Prerequisites:
- This article assumes that you have configured LDAP to work with JumpCloud. If not, see Get Started: Cloud LDAP for more information.
- You must have JumpCloud Protect or TOTP enabled for your users. See the Get Started: JumpCloud Protect or Configure TOTP MFA for User Accounts for steps.
Considerations:
- Conditional Access Policies and MFA are not supported for Samba authentications.
- Conditional Access Policies and MFA can only be supported when a client application BINDs a user's credentials with the LDAP server directly, which Samba does not do.
- Users are allowed 60 seconds to respond to a JC Protect notification. Most applications have shorter default authentication timeouts, and these can show up as connection errors during BIND requests. We recommend increasing the authentication timeout on your LDAP app to a minimum of 65 seconds to allow for the user to respond to the JC Protect notification.
Configuring MFA for LDAP Applications as a Conditional Policy
To configure MFA for LDAP Applications as a Conditional Policy:
- Log in to the JumpCloud Admin Portal.
- Go to SECURITY MANAGEMENT > Conditional Policies.
- Click + button and select JumpCloud LDAP.
- Ensure that your LDAP hostname is updated and click the I have updated the LDAP hostname for applications I want affected by this policy checkbox.
- Conditional Access Policies AND MFA are only supported when the application is configured to the ldap-mfa.jumpcloud.com hostname.
- Some applications will require you to increase the authentication timeout setting. Here is an example for the OpenVPN 2.11.0 application:
cd /usr/local/openvpn_as/scripts/
./sacli --key "auth.ldap.0.timeout" --value 65 ConfigPut
./sacli start
- Enter the policy name and an optional description.
- (Optional) If you do not wish for the policy to go live as soon as you finish creating it, move the Policy Status slider to OFF.
- Under Assignments, you can choose to apply the policy to all users or select user groups. You can also specify whether to exclude certain user groups as needed.
- LDAP Bind DN users are excluded by default. To include them, uncheck the option next to (Recommended) Exclude LDAP Bind DN Users. See Get Started: Cloud LDAP for more information on Bind DN users.
- If your LDAP Application requires all of your users to be configured as Bind DN users, then you should uncheck the box and create a user group that excludes your service account. Users must be bound directly to the LDAP Directory in order to log in. LDAP Policies refine access to your resources; they do not grant it.
- Under Action, for Access select the Allowed button, and for Authentication, select the Password + MFA button.
If you have not enabled JumpCloud Protect or TOTP for your org, you will be prompted to do so.
- Click create policy. You will see the main policies page, and your LDAP policy will appear in that list.
Configuring MFA for LDAP Applications as a Default Access Policy
A Default Access Setting determines how users access a resource when no conditional access policies apply to them.
If you are setting a Default Access Policy to Require MFA or to Deny Access, you will need to create a separate User Group and Default Access Policy for your LDAP Bind DN users, and set them up for Allow Authentication.
To configure MFA for LDAP applications as a default access policy:
- Log in to the JumpCloud Admin Portal.
- Go to SECURITY MANAGEMENT > Conditional Policies > Settings.
- Expand Default Access Policy Settings.
- Under JumpCloud LDAP, in the drop down menu, select Allow authentication & require MFA.
If you have not enabled JumpCloud Protect or TOTP for your users, you will be prompted to do so.
- Click save. MFA has now been enabled for LDAP applications.
Once MFA for LDAP has been enabled, if you disable JumpCloud Protect and TOTP, your users won’t be able to access their LDAP applications. Keep JumpCloud Protect or TOTP enabled to ensure users can access their applications.
Logging in to LDAP Applications with MFA
Instructions for users logging into LDAP applications with MFA
- JumpCloud Protect: Once LDAP MFA has been enabled, users will receive a push notification on their device when they are authenticating into certain applications. Once the user enters their user name and password, they will get a push notification and should approve it.
- TOTP: Once LDAP MFA has been enabled, users will need to open their authenticator app to get a verification code when authenticating into certain applications.
- When users are entering their username and password, in the password field they will add a comma, then enter the 6-digit TOTP after their JumpCloud password. For example, a user with a password of MyB@dPa33word and a TOTP of 123456 would enter MyB@dPa33word,1203456 in the password field.
If both TOTP and Push are enabled, and the user enters a TOTP code, then the Push notification will not be sent. If the user enters a TOTP code when MFA has not been set as required, the authentication will fail.