LDAP integration prerequisites

Before you start an LDAP integration, ensure that you have:

  • An Okta admin account to connect the agent with your Okta org. This account must have the permissions to manage directories, manage agents, and register agents. A best practice is to create a custom admin role that has these permissions. Assign that role to an Okta account to connect the agent to Okta. See Create a role and Agent permissions.
  • An LDAP user to perform binds and queries from the agent to your LDAP directory. This user must be able to look up users, groups, and roles in the Directory Information Tree (DIT).
  • The modifyTimestamp attribute indexed on your LDAP server. This improves the performance of incremental imports.

Agent requirements

You can use a Windows or Linux agent to connect LDAP with your Okta org. If you're upgrading from a version 4.x agent or earlier to a version 5.x agent, uninstall the old agent before installing the new one.

Windows agent requirements

  • The host server must be running Windows Server 2016, Windows Server 2019, Windows Server 2022, or Windows Server 2025.
  • The Windows server must be able to reach the LDAP host and port.
  • Enable the TLS 1.2 security protocol. If it's not enabled by default, enable it using the following registry key settings:
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
    "Enabled"=dword:00000001
    "DisabledByDefault"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
    "Enabled"=dword:00000001
    "DisabledByDefault"=dword:00000000
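
A preflight check for the two host-side requirements above (LDAP reachability and the TLS 1.2 SCHANNEL values), added here as an example and not part of Okta's own tooling. The host name and port are placeholders; a value that isn't set in the registry is reported separately because the operating system default applies in that case.

```powershell
# Preflight check for a Windows server that will host the LDAP agent.
# $LdapHost and $LdapPort are placeholders (assumptions); pass your directory's values.
param(
    [string]$LdapHost = 'ldap.example.com',   # hypothetical host name
    [int]$LdapPort = 636                      # assumed port; use the one your directory listens on
)

$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'
# Values listed in the requirements above.
$expected = @{ Enabled = 1; DisabledByDefault = 0 }

function Test-Tls12Role {
    param([string]$Role)   # 'Server' or 'Client'
    $path = Join-Path $base $Role
    foreach ($name in $expected.Keys) {
        # A missing key or value returns nothing instead of raising an error.
        $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $item) {
            $state = 'not set (OS default applies)'
            $ok = $null
        } else {
            $actual = $item.$name
            $state = "value=$actual"
            $ok = ($actual -eq $expected[$name])
        }
        [pscustomobject]@{ Role = $Role; Name = $name; State = $state; Matches = $ok }
    }
}

$results = 'Server', 'Client' | ForEach-Object { Test-Tls12Role -Role $_ }
$results | Format-Table -AutoSize

# TCP reachability of the LDAP host and port from this server.
$conn = Test-NetConnection -ComputerName $LdapHost -Port $LdapPort -WarningAction SilentlyContinue
"LDAP $($LdapHost):$LdapPort reachable: $($conn.TcpTestSucceeded)"

# Fail only on an explicit mismatch with the listed values or an unreachable port.
if ($results | Where-Object { $_.Matches -eq $false }) {
    Write-Warning 'A TLS 1.2 SCHANNEL value differs from the settings listed above.'
    exit 1
}
if (-not $conn.TcpTestSucceeded) {
    Write-Warning 'The LDAP host and port are not reachable from this server.'
    exit 1
}
```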

Linux agent requirements

You can install the Linux-based agent on the following systems:

Package manager type: Linux distribution

  • RPM: CentOS (version 8 or later), Red Hat (version 8 or later)
  • DPKG: Ubuntu, Debian