Skip to main content
Skip table of contents

LDAP - User and Profile Sync

This document will help you to add a new LDAP User Source rather than an Active Directory source.

📘 Instructions

This documentation will contain two main steps.

  1. Adding a User Source

  2. Configuring the Settings

Active Directory and LDAP settings are different. Please consider to use LDAP settings rather than Active Directory settings. On MonoSign for version 2023.01, we need to use following configuration for LDAP.

1. Adding a User Source

Create your User Source on MonoSign and select the type Active Directory / LDAP by reading the documentation.

2. Configuring the Settings

MonoSign has different LDAP options. Click Settings to configure details.

When you have your page, select a different option than Microsoft Active Directory. Such as OpenLDAP, Oracle Unified Directory, or find your provider.

Example configurations

After you have finished it, please use the following options to configure it.

Domain Username and Password

Setting

Value

Example(s)

Domain Ip or Host

Type your DNS or IP address

oud.mfor.local

Port

Your LDAP Port

389 for LDAP

636 for LDAPS

Use Secure Connection

Yes or No depending your settings

No

User Base DN

Your users Base DN

dc=mfor,dc=local

User Search Container

Your can use multiple search container for your users store.

cn=People,dc=mfor,dc=local

Group Base DN

Your groups Base DN

dc=mfor,dc=local

Group Search Container

Your can use multiple search container for your groups store.

cn=Groups,dc=mfor,dc=local

Domain Name

Your domain name

mfor

Domain UserName

Username for authentication

cn=root
uid=root
uid=your-username

Domain Password

Password of the Domain UserName

******

Sample UserName

Username if you want healtcheck

uid=sample-user

Sample Password

Password of the Sample UserName

******

Use BaseDN for Authentication

Should be Yes for LDAP

Yes

These settings are enough for the first connection but not enough for filters and more. Let’s continue. The following settings are also required for Filters.

Domain Ip or Host field allows for multiple domains to be configured. You can enter domains by separating them with commas.

Manages hostnames with connection errors in MonoSign via blacklist. If I have only one hostname and encounter a connection error, it is added to the blacklist immediately and will not be removed until the next restart. If there is multiple hostnames, hostname is added to blacklist for 10 minutes and during this interval the other hostnames will be used.

Settings

Value

User Search Filter

objectClass=inetorgperson

Group Search Filter

objectClass=groupOfNames

Text Filter

|(givenname={0}*)(uid={0}*)(sn={0}*)(cn={0}*)(displayname={0}*)(mail={0}*)

Basic Text Filter

|(sn={0})(cn={0})(givenname={0})(uid={0})(mail={0}*)

Id Filter

uid={0}

If you are using both uid and cn name for user, you need to change it with;

|(uid={0})(cn={0})

For Oracle Unified Directory

|(uid={0})(entryUUID={0})

You can also use your filter settings if you know what to do. You can also use mappings to map your attributes to your MonoSign Profile. On the left side, your LDAP attribute name; on the right side, it should be your Profile Property Name (without spaces).

Modify Attributes for LDAP

In Oracle Unified Directory, Modify Date and Create Date attributes differ from Active Directory. For example, in Active Directory, these attributes are whenChanged and whenCreated. And also, you need to change Password Attribute for Oracle and may also some directories too.

Property

Value

Example

Create Date-Time Attribute

createTimestamp

20230223093716Z

Modify Date-Time Attribute

modifyTimestamp

20230224231708Z

Password Attribute

userPassword

Example Mappings

When you click Test, you are going to see the following UI. I don’t have any Groups in my directory. That’s why one of the items seems to be different in color.

Following settings are for Oracle Unified Directory (OUD)

If you use a service user configured with ACI (Access Control Instructions), you need to specify the following options for that user.

Attribute

Value

Description

ds-privilege-name

unindexed-search

Allow unindexed search

ds-rlim-lookthrough-limit

1000

Pagination size of each page for search

ds-rlim-idle-time-limit

Time limit of the idle connection

ds-rlim-size-limit

100000

Maximum size of your user count or upper number of that size.

ds-rlim-time-limit

Time limit of the search request

If you want to set these settings with ldapmodify, execute the following command with ldap ldif file.

Shell Command

BASH
ldapmodify -h hostname -p 1389 -D "cn=Directory Manager" -w $MONOFOR_OUD_PASSWORD -f ./target-aci.ldif

LDIF File (target-aci.ldif)

CODE
dn: o=monofor
changetype: modify
add: aci
aci: (targetattr="*")(target="ldap:///o=monofor")(version 3.0; acl "Allow read access to specific OU"; allow (read, write, search, compare) userdn="ldap:///uid=search.user,ou=service-users,o=monofor";)

Explanation of the LDIF file

dn is the target definition
changetype is the action of ldapmodify
add is attribute
aci is the definition of Access Control Instructions

Exploration of aci

(targetattr="*") are attributes that you need to specify star means all attributes

(target="ldap:///o=monofor") is the ou or target level of your aci

(version 3.0; acl "Allow read access to specific OU"; allow (read, write, search, compare) userdn="ldap:///uid=search.user,ou=service-users,o=monofor";)

allow is the definition of access. For example, we will give our service user permission to read, write, search, and compare.

userdn is the target user that we will give permission.

If you are dealing with the following error, your limit settings are not set correctly.

This search operation has sent the maximum of 5 entries to the client

These settings are enough for your environment. If you want more, please talk to your support.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.