Technical Tip: Configuring the FortiGate to use the Jumpcloud LDAP server with the CLI

For the regular LDAP user to log in, the LDAP binding user has to be configured to gain access to the LDAP directory in order to facilitate authentication requests.

This user need not be a service account. Any JumpCloud user can be set as a binding user but should be treated as a privileged user.

Sample config in the GUI:

Sample config in the CLI:

The sample CLI configuration is as follows:

config user ldap
    edit <Server Name>
        set server ldap.jumpcloud.com
        set secure ldaps
        set port 636
        set cnid uid
        set dn ou=Users,o=Organization ID,dc=jumpcloud,dc=com
        set type regular
        set username uid=LDAP_BINDING_USER,ou=Users,o=YOUR_ORG_ID,dc=jumpcloud,dc=com
        set password LDAP_BINDING_USER_PASSWORD
        set password-expiry-warning enable
        set password-renewal enable
        set group-member-check group-object
        set group-object-filter "(&(objectClass=groupOfNames) (cn=*))"

    next
end

cnid is set to uid instead of cn/sAMAccountName. UID is an LDAP account attribute that stores a username.

The username would be in the format uid=<userid>,ou=xxxxx,o=xxxxxxxxxxxxxxxxxx,dc=jumpcloud,dc=com.

If MFA is in use, consider the following:

So far, there is not an easy solution to support MFA when connecting to WPA_Enterprise SSID. The push time will be 5 seconds. This timer cannot be changed.

For a wired ethernet connection, it is possible to change the push timer with the remoteauthtimeout value:

config system global

set  remoteauthtimeout  <-- Specify a value in seconds.