Use ldapsearch with JumpCloud

For testing and configuration purposes, you can use the ldapsearch command with JumpCloud's LDAP service.


  • You’ll need to create an LDAP Binding User so that you can execute searches on the JumpCloud directory, not just bind to it. For instructions, see Use Cloud LDAP.
  • ldapsearch is used via Terminal on Linux and Mac. 
  • ldapsearch will only work if users are first added to the LDAP Directory in JumpCloud. See Use Cloud LDAP for instructions on adding users to the LDAP Directory.


In the following ldapsearch examples, you will be required to enter the LDAP binding user's password. 

List all Users in the Directory

All users in the "Users" tab are reflected into the JumpCloud Hosted LDAP service under the OU "ou=Users,o=<your-organization-id>,dc=jumpcloud;dc=com".


ldapsearch -H ldaps:// -x -b "ou=Users,o=YOUR_ORG_ID,dc=jumpcloud,dc=com" -D "uid=<LDAP-binding-username>,ou=Users,o=YOUR_ORG_ID,dc=jumpcloud,dc=com" -W "(objectClass=inetOrgPerson)"

List All POSIX Groups in the Directory

POSIX groups are reflected into the JumpCloud Hosted LDAP service when you create a tag or Group of Users in JumpCloud with the "Create Linux group.." enabled in the object's details side panel. They appear under the OU "ou=Users,o=<your-organization-id>,dc=jumpcloud;dc=com". Ensure that the group is assigned to the LDAP directory before performing the search.


ldapsearch -H ldaps:// -x -b "ou=Users,o=YOUR_ORG_ID,dc=jumpcloud,dc=com" -D "uid=<LDAP-binding-username>,ou=Users,o=YOUR_ORG_ID,dc=jumpcloud,dc=com" -W "(objectClass=posixGroup)"

List all Groups of Names in the Directory

Groups of names (LDAP objectClass: groupOfNames) can be found in the JumpCloud Hosted LDAP service in the OU "ou=Users,o=<your-organization-id>,dc=jumpcloud;dc=com".


ldapsearch -H ldaps:// -x -b "ou=Users,o=YOUR_ORG_ID,dc=jumpcloud,dc=com" -D "uid=<LDAP-binding-username>,ou=Users,o=YOUR_ORG_ID,dc=jumpcloud,dc=com" -W "(objectClass=groupOfNames)"

Using LDAP versus LDAPS (StartTLS – port 389)

As you will note in the above examples, we have provided various methods of executing an ldapsearch using SSL on port 636. You may execute requests similar to the examples above when connecting via StartTLS, with the exception that you will want to have the -ZZ flag set. When you give ldapsearch the -ZZ flag, you are asking it to use "in-band" SSL/TLS by using the StartTLS command.


ldapsearch -H ldap:// -ZZ -x -b "ou=Users,o=YOUR_ORG_ID,dc=jumpcloud,dc=com" -D "uid=<LDAP-binding-username>,ou=Users,o=YOUR_ORG_ID,dc=jumpcloud,dc=com" -W "(objectClass=inetOrgPerson)"

Testing Client Authentication 

ldapwhoami -H "ldaps://" -D "uid=UID_TO_TEST,ou=Users,o=YOUR_ORG_ID,dc=jumpcloud,dc=com" -x -W

Troubleshooting: ldapsearch Can’t Contact LDAP Server

When your server's CA root certificates do not contain our CA, your ldapsearch will refuse to connect to JumpCloud because it cannot verify that our certificate was created by a trusted third party, resulting in the following error message:

ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

When this happens, you may be able to correct it by doing the following:

CentOS/RedHat/Amazon Linux

  1. Edit /etc/openldap/ldap.conf
  2. Replace any lines that start with TLS_CACERT with the following:

TLS_CACERT /etc/ssl/certs/ca-bundle.crt

The following command may correct the issue:
On macOS, no additional CAs are required, so all certs are already in place.

Back to Top

List IconIn this Article

Still Have Questions?

If you cannot find an answer to your question in our FAQ, you can always contact us.

Submit a Case