This document will help you to add a new LDAP User Source rather than an Active Directory source.
This documentation will contain two main steps.
Adding a User Source
Configuring the Settings
Active Directory and LDAP settings are different. Please consider to use LDAP settings rather than Active Directory settings. On MonoSign for version 2023.01, we need to use following configuration for LDAP.
1. Adding a User Source
Create your User Source on MonoSign and select the type Active Directory / LDAP by reading the documentation.
2. Configuring the Settings
MonoSign has different LDAP options. Click Settings to configure details.
When you have your page, select a different option than Microsoft Active Directory. Such as OpenLDAP, Oracle Unified Directory, or find your provider.
After you have finished it, please use the following options to configure it.
Domain Ip or Host
Type your DNS or IP address
Your LDAP Port
Use Secure Connection
Yes or No depending your settings
User Base DN
Your users Base DN
User Search Container
Your can use multiple search container for your users store.
Group Base DN
Your groups Base DN
Group Search Container
Your can use multiple search container for your groups store.
Your domain name
Username for authentication
Password of the Domain UserName
Username if you want healtcheck
Password of the Sample UserName
Use BaseDN for Authentication
Should be Yes for LDAP
These settings are enough for the first connection but not enough for filters and more. Let’s continue. The following settings are also required for Filters.
Domain Ip or Host field allows for multiple domains to be configured. You can enter domains by separating them with commas.
Manages hostnames with connection errors in MonoSign via blacklist. If I have only one hostname and encounter a connection error, it is added to the blacklist immediately and will not be removed until the next restart. If there is multiple hostnames, hostname is added to blacklist for 10 minutes and during this interval the other hostnames will be used.
User Search Filter
Group Search Filter
Basic Text Filter
If you are using both uid and cn name for user, you need to change it with;
For Oracle Unified Directory
You can also use your filter settings if you know what to do. You can also use mappings to map your attributes to your MonoSign Profile. On the left side, your LDAP attribute name; on the right side, it should be your Profile Property Name (without spaces).
Modify Attributes for LDAP
In Oracle Unified Directory, Modify Date and Create Date attributes differ from Active Directory. For example, in Active Directory, these attributes are whenChanged and whenCreated. And also, you need to change Password Attribute for Oracle and may also some directories too.
Create Date-Time Attribute
Modify Date-Time Attribute
When you click Test, you are going to see the following UI. I don’t have any Groups in my directory. That’s why one of the items seems to be different in color.
Following settings are for Oracle Unified Directory (OUD)
If you use a service user configured with ACI (Access Control Instructions), you need to specify the following options for that user.
Allow unindexed search
Pagination size of each page for search
Time limit of the idle connection
Maximum size of your user count or upper number of that size.
Time limit of the search request
If you want to set these settings with ldapmodify, execute the following command with ldap ldif file.
ldapmodify -h hostname -p 1389 -D "cn=Directory Manager" -w $MONOFOR_OUD_PASSWORD -f ./target-aci.ldif
LDIF File (target-aci.ldif)
dn: o=monofor changetype: modify add: aci aci: (targetattr="*")(target="ldap:///o=monofor")(version 3.0; acl "Allow read access to specific OU"; allow (read, write, search, compare) userdn="ldap:///uid=search.user,ou=service-users,o=monofor";)
Explanation of the LDIF file
dn is the target definition
changetype is the action of ldapmodify
add is attribute
aci is the definition of Access Control Instructions
Exploration of aci
(targetattr="*") are attributes that you need to specify star means all attributes
(target="ldap:///o=monofor") is the ou or target level of your aci
(version 3.0; acl "Allow read access to specific OU"; allow (read, write, search, compare) userdn="ldap:///uid=search.user,ou=service-users,o=monofor";)
allow is the definition of access. For example, we will give our service user permission to read, write, search, and compare.
userdn is the target user that we will give permission.
If you are dealing with the following error, your limit settings are not set correctly.
This search operation has sent the maximum of 5 entries to the client
These settings are enough for your environment. If you want more, please talk to your support.