If your organization has LDAP applications that require extra security, you can build a Conditional Policy or Default Access Policy to enable multi-factor authentication (MFA) as a requirement before users can access the applications.

Prerequisites:

Considerations:

To configure MFA for LDAP Applications as a Conditional Policy:

    cd /usr/local/openvpn_as/scripts/
    # Set the OpenVPN Access Server key auth.ldap.0.timeout to 65
    ./sacli --key "auth.ldap.0.timeout" --value 65 ConfigPut
    # Apply the configuration change
    ./sacli start

- Enter the policy name and an optional description.
- (Optional) If you do not want the policy to go live as soon as you finish creating it, move the Policy Status slider to OFF.
- Under Assignments, you can choose to apply the policy to all users or select user groups. You can also specify whether to exclude certain user groups as needed.

Note:
- LDAP Bind DN users are excluded by default. To include them, uncheck the option next to (Recommended) Exclude LDAP Bind DN Users. See Get Started: Cloud LDAP for more information on Bind DN users.
- If your LDAP Application requires all of your users to be configured as Bind DN users, then you should uncheck the box and create a user group that excludes your service account. Users must be bound directly to the LDAP Directory in order to log in. LDAP Policies refine access to your resources; they do not grant it.

- Under Action, for Access select the Allowed button, and for Authentication, select the Password + MFA button.

Note: If you have not enabled JumpCloud Protect or TOTP for your org, you will be prompted to do so.

- Click create policy. You will see the main policies page, and your LDAP policy will appear in that list.

Configuring MFA for LDAP Applications as a Default Access Policy

A Default Access Setting determines how users access a resource when no conditional access policies apply to them.

Important: If you are setting a Default Access Policy to Require MFA or to Deny Access, you will need to create a separate User Group and Default Access Policy for your LDAP Bind DN users, and set them up for Allow Authentication.

To configure MFA for LDAP applications as a default access policy:

- Log in to the JumpCloud Admin Portal.
- Go to SECURITY MANAGEMENT > Conditional Policies > Settings.
- Expand Default Access Policy Settings.
- Under JumpCloud LDAP, in the drop-down menu, select Allow authentication & require MFA.

Note: If you have not enabled JumpCloud Protect or TOTP for your users, you will be prompted to do so.

- Click save. MFA has now been enabled for LDAP applications.

Note: Once MFA for LDAP has been enabled, if you disable JumpCloud Protect and TOTP, your users won't be able to access their LDAP applications. Keep JumpCloud Protect or TOTP enabled to ensure users can access their applications.

Logging in to LDAP Applications with MFA

Instructions for users logging into LDAP applications with MFA

- JumpCloud Protect: Once LDAP MFA has been enabled, users will receive a push notification on their device when they are authenticating into certain applications. Once the user enters their username and password, they will get a push notification and should approve it.
- TOTP: Once LDAP MFA has been enabled, users will need to open their authenticator app to get a verification code when authenticating into certain applications.
  - When users are entering their username and password, in the password field they will add a comma, then enter the 6-digit TOTP after their JumpCloud password. For example, a user with a password of MyB@dPa33word and a TOTP of 123456 would enter MyB@dPa33word,123456 in the password field.

Note: If both TOTP and Push are enabled, and the user enters a TOTP code, then the Push notification will not be sent. If the user enters a TOTP code when MFA has not been set as required, the authentication will fail.
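
The password-field format and the notes above, modelled as an added example (not JumpCloud's code and not part of the original article). Splitting on the last comma, the function names, and the plaintext comparison standing in for the directory's password check are assumptions made for illustration.

```python
import hmac
import re


def split_password_field(field):
    """Split 'password,123456' into (password, totp); totp is None if absent.

    Assumption: split on the LAST comma so passwords containing commas work.
    """
    password, sep, tail = field.rpartition(",")
    if sep and re.fullmatch(r"[0-9]{6}", tail):  # the article describes a 6-digit code
        return password, tail
    return field, None


def _same(a, b):
    # Constant-time comparison; a real directory checks a password hash instead.
    return hmac.compare_digest(a.encode(), b.encode())


def ldap_bind_decision(field, stored_password, mfa_required, totp_enabled, push_enabled):
    """Return the next step for one bind attempt (hypothetical model)."""
    if not mfa_required:
        # No MFA policy applies: the whole field is treated as the password,
        # so an appended ",123456" no longer matches and the bind fails.
        return "allow" if _same(field, stored_password) else "deny"
    password, totp = split_password_field(field)
    if not _same(password, stored_password):
        return "deny"
    if totp is not None:
        # A code was typed: verify it and do not send a push.
        return "verify_totp" if totp_enabled else "deny"
    # No code typed: fall back to a push approval if that factor is enabled.
    return "send_push" if push_enabled else "deny"


# Constructed sample values, reusing the article's example password.
if __name__ == "__main__":
    for field, required in [("MyB@dPa33word,123456", True),
                            ("MyB@dPa33word", True),
                            ("MyB@dPa33word,123456", False)]:
        print(field, required, ldap_bind_decision(field, "MyB@dPa33word", required, True, True))
```

When testing an LDAP client against an MFA policy, the third case is the one to watch: a code appended while no MFA policy applies to the user produces an ordinary bind failure.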