Oracle Internet Directory LDAP integration reference
This topic provides reference information specific to Oracle Internet Directory (OID) Lightweight Directory Access Protocol (LDAP) integrations. When you install the Okta LDAP Agent, you need the following information to integrate your OID directory with Okta. See Install the Okta LDAP Agent.
Recommended version
Oracle Internet Directory 11.1.1.5.0
Known issues
- Users who request a self-service password reset and who are required to change their password after being reset by an admin, must provide their new password twice to access the Okta End-User Dashboard.
- Users with expired passwords can't update their passwords. An admin must reset passwords in these cases.
- When the provisioning settings indicate Do nothing when users are deactivated, users remain active in Okta. When a single source provides user profile attributes, deactivated users are disconnected from the source and Okta becomes the source for user profile attributes.
- The LDAP server doesn't allow users to update expired passwords. An admin must perform these updates.
Integration configuration
Input the following attributes for OID integrations when you perform the initial agent install and configuration:
- Unique Identifier Attribute: entryuuid
- DN Attribute: entrydn
- User Object Class: inetorgperson
- User Object Filter: (objectclass=inetorgperson)
- *Account Disabled Attribute: pwdlockout
- *Account Disabled Value: TRUE
- *Account Enabled Value: FALSE
- Password Attribute: userpassword
- Group Object Class: groupofuniquenames
- Group Object Filter: (objectclass=groupofuniquenames)
- Member Attribute: uniquemember
Schema read
There are no special considerations for OID integrations.
To add attributes from AUX classes, add the auxiliary class as an Auxiliary Object Class to the directory provisioning configuration.
Password change
Users can change their password by selecting Settings on the Okta end user dashboard.
To allow users to change or reset their password, click the LDAP tab, and then select Users can change their LDAP passwords in Okta.
Okta parses failed password update operations and displays the resulting error messages on the Delegated Authentication page.
Password reset
Password reset is triggered by an admin or the User Forgot Password flow.
Users can't update expired passwords. Admins can reset expired passwords.
Password validation
Use the pwdPolicy object class to implement OID-specific password policies.
You can configure settings such as password length and expiration on your LDAP instance.
Password reset can fail if the new password doesn't meet the password policy criteria.
Import
There are no special considerations for OID integrations.
JIT provisioning
There are no special considerations for OID Just In Time (JIT) provisioning. For user identification (UID), use an email format to match the default setting for an Okta username. Don't use an external identity provider (IdP) to trigger sign in.
To make sure that JIT provisioning is successful the first time:
- The value of the configured naming attribute (such as UID) must not exist in Okta.
- The value of the configured naming attribute (such as UID) must be unique in all JIT-enabled directories.
- The required attributes must be present. The Okta defaults are email, givenName, sn, and uid.
- The password must be correct.
- The Account Disabled Attribute must have a value of false on the LDAP server.
When JIT provisioning completes successfully, the user attributes specified on the LDAP settings page and in the Profile Editor are imported. Use the Profile Editor to select more mandatory attributes.
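As an added example, not Okta's or the agent's own code, the pre-flight check below applies the JIT conditions above to an OID entry using the values from the integration configuration section, and builds the agent-style user lookup query seen in the troubleshooting log with RFC 4515 escaping so a username can't alter the filter. The entry shape ({attribute: [values]}), the function names and the sample entries are assumptions; the password check needs a live bind and is left out.

```python
# Values from the integration configuration and JIT sections of this page.
USER_OBJECT_FILTER = "(objectclass=inetorgperson)"
NAMING_ATTRIBUTE = "uid"
REQUIRED_ATTRIBUTES = ("email", "givenName", "sn", "uid")
ACCOUNT_DISABLED_ATTRIBUTE = "pwdlockout"
ACCOUNT_ENABLED_VALUE = "FALSE"

def escape_filter_value(value):
    """RFC 4515 escaping: ( ) * \\ and NUL in a username can't change the filter's shape."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def user_lookup_filter(username):
    """Build the (&(objectclass=inetorgperson)(uid=...)) query form seen in the agent log."""
    return "(&%s(%s=%s))" % (USER_OBJECT_FILTER, NAMING_ATTRIBUTE, escape_filter_value(username))

def _first(entry, attr):
    """First value of an attribute, matching attribute names case-insensitively."""
    for k, v in entry.items():
        if k.lower() == attr.lower() and v:
            return v[0]
    return None

def jit_blockers(entry, okta_usernames, jit_directories):
    """Preconditions this entry fails for first-time JIT (empty list means OK). entry:
    {attribute: [values]}; okta_usernames: usernames already in Okta; jit_directories:
    {name: [entries]} for all JIT-enabled directories. The password check needs a live bind."""
    blockers = []
    uid = _first(entry, NAMING_ATTRIBUTE)
    if uid is None:
        blockers.append("naming attribute %s is missing" % NAMING_ATTRIBUTE)
    else:
        if uid.lower() in {u.lower() for u in okta_usernames}:
            blockers.append("%s already exists in Okta" % uid)
        matches = [e for es in jit_directories.values() for e in es
                   if (_first(e, NAMING_ATTRIBUTE) or "").lower() == uid.lower()]
        if len(matches) > 1:
            blockers.append("%s is not unique across JIT-enabled directories" % uid)
    for attr in REQUIRED_ATTRIBUTES:
        if _first(entry, attr) is None:
            blockers.append("required attribute %s is missing" % attr)
    if (_first(entry, ACCOUNT_DISABLED_ATTRIBUTE) or "").upper() != ACCOUNT_ENABLED_VALUE:
        blockers.append("%s is not %s" % (ACCOUNT_DISABLED_ATTRIBUTE, ACCOUNT_ENABLED_VALUE))
    return blockers

# Constructed sample entries (not from a real directory).
ALICE = {"uid": ["alice@example.com"], "email": ["alice@example.com"], "givenName": ["Alice"],
         "sn": ["Smith"], "pwdlockout": ["FALSE"]}
BOB = {"uid": ["bob@example.com"], "givenName": ["Bob"], "sn": ["Jones"], "pwdlockout": ["TRUE"]}
DIRECTORIES = {"oid-prod": [ALICE, BOB], "oid-lab": [{"uid": ["bob@example.com"]}]}
```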
Membership import
User profiles with default settings are added to groups with the object class group and assigned the member group attribute.
During import, if the membership attribute is set to seeAlso, users are assigned to the groups added to the seeAlso user attribute.
Provisioning
The functionality to create users isn't available when using an OID server.
To allow passwords to be set when users are created or assigned, disable DelAuth, enable LDAP_PUSH_PASSWORD_UPDATES, and enable password sync on your LDAP instance. With these settings, the LDAP agent sends the PASSWORD_UPDATE action when the user logs in for the first time or when they're assigned. If you don't use these settings, the password isn't transferred to your LDAP instance.
To create and assign passwords when creating user profiles:
- Contact Okta customer support to enable LDAP push password updates.
- Disable delegated authentication:
- In the Admin Console, go to .
- Click Edit in the Delegated Authentication pane.
- Clear the Enable delegated authentication to LDAP checkbox.
- Click Save.
- Accept the default setting to reset all LDAP user passwords and click Disable LDAP Authentication.
- In the Admin Console, go to .
- Click Edit, select Enable next to Sync Password, and click Save.
When Sync Password is enabled, the LDAP agent sends the action PASSWORD_UPDATE when the user signs in for the first time.
To assign existing Okta users to LDAP:
- In the Admin Console, go to .
- Click Edit, select Enable next to Create Users, and click Save.
- Click .
- Select the Okta group to which you want to assign users.
- Click Manage Directories.
- Select an LDAP instance in the left pane and click Next.
- Enter the full distinguished name (DN) for the new user LDAP container in the Provisioning Destination DN field.
- Click Confirm Changes.
Troubleshooting
If LDAP directory authentication fails, the agent logs display messages similar to the following to assist with diagnosis and resolution:
Agent: Success
scanResults are sent with user and group information.
POST initiated with result status=SUCCESS, actionType=USER_AUTH_AND_UPDATE, actionId=ADSwb4cGS4hdSWYnX0g3, diagnostic message=, error code=, matched dn=, message=SUCCESS, result code=, vendor=OID
Agent: Delauth failure
POST initiated with result status=FAILURE, actionType=USER_AUTH_AND_UPDATE, actionId=ADSwa0ihYKyosvlFe0g3, diagnostic message=, error code=49, matched dn=cn=LynxyOIDExpiredPassword,cn=ExpiredPasswordOID,ou=LynxyUsers,dc=vpc,dc=oktalab,dc=local, message=LDAPException(resultCode=49 (invalid credentials), errorMessage='invalid credentials'), result code=invalid credentials, vendor=OID
Agent: No user
POST initiated with result status=FAILURE, actionType=USER_AUTH_AND_UPDATE, actionId=ADSwayJJ1gms5xUTg0g3, diagnostic message=, error code=, matched dn=, message=User not found while executing query: (&(objectclass=inetorgperson)(uid=test@test.com)), result code=, vendor=OID
Agent: Password Expired
POST initiated with result status=FAILURE, actionType=USER_AUTH_AND_UPDATE, actionId=ADSwa29fIw60TAKOG0g3, diagnostic message=Password Policy Error :9000: GSL_PWDEXPIRED_EXCP :Your Password has expired. Please contact the Administrator to change your password., error code=49, matched dn=cn=LynxyOIDUserForChange222,ou=LynxyUsers,dc=vpc,dc=oktalab,dc=local, message=LDAPException(resultCode=49 (invalid credentials), errorMessage='Password Policy Error :9000: GSL_PWDEXPIRED_EXCP :Your Password has expired. Please contact the Administrator to change your password.', diagnosticMessage='Password Policy Error :9000: GSL_PWDEXPIRED_EXCP :Your Password has expired. Please contact the Administrator to change your password.'), result code=invalid credentials, vendor=OID
Agent: Locked Out
pwdLockout set as 1 for user pwdPolicy.
POST initiated with result status=FAILURE, actionType=USER_AUTH_AND_UPDATE, actionId=ADSwc0y9kr6t2OMJy0g3, diagnostic message=Password Policy Error :9001: GSL_ACCOUNTLOCKED_EXCP : Your account is locked. Contact your OID administrator., error code=53, matched dn=cn=LynxyOIDUserForChange222,ou=LynxyUsers,dc=vpc,dc=oktalab,dc=local, message=LDAPException(resultCode=53 (unwilling to perform), errorMessage='Password Policy Error :9001: GSL_ACCOUNTLOCKED_EXCP : Your account is locked. Contact your OID administrator.', diagnosticMessage='Password Policy Error :9001: GSL_ACCOUNTLOCKED_EXCP : Your account is locked. Contact your OID administrator.'), result code=unwilling to perform, vendor=OID
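As an added example, not part of the Okta LDAP Agent, the parser below classifies "POST initiated" agent log lines into the cases shown above (success, delegated authentication failure, no user, password expired, locked out) so a batch of agent logs can be triaged quickly. The field regex, the class names and the sample lines (placeholder action IDs and DNs, constructed in the format above) are assumptions.

```python
import re

# Field order is fixed, so one anchored regex with lazy groups parses the line safely;
# splitting on ", " would break on DNs and LDAPException text, which contain commas.
LINE_RE = re.compile(
    r"POST initiated with result status=(?P<status>\w+), actionType=(?P<action>\w+), "
    r"actionId=(?P<action_id>\S+), diagnostic message=(?P<diag>.*?), "
    r"error code=(?P<code>\d*), matched dn=(?P<dn>.*?), message=(?P<message>.*), "
    r"result code=(?P<result>.*?), vendor=(?P<vendor>\S+)$")

def classify(line):
    """Return (failure class, parsed fields) for an agent log line, or None otherwise."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    f = m.groupdict()
    if f["status"] == "SUCCESS":
        kind = "success"
    elif "GSL_ACCOUNTLOCKED_EXCP" in f["diag"] or f["code"] == "53":
        kind = "locked_out"         # OID refused the bind: unwilling to perform
    elif "GSL_PWDEXPIRED_EXCP" in f["diag"]:
        kind = "password_expired"   # user can't self-update; an admin must reset
    elif f["message"].startswith("User not found"):
        kind = "no_user"            # check the User Object Filter and naming attribute
    elif f["code"] == "49":
        kind = "delauth_failure"    # plain invalid credentials
    else:
        kind = "unknown"
    return kind, f

# Constructed sample lines in the agent's format (placeholder action IDs and DNs).
def _fail(aid, diag, code, dn, msg, result):
    return ("POST initiated with result status=FAILURE, actionType=USER_AUTH_AND_UPDATE, "
            f"actionId={aid}, diagnostic message={diag}, error code={code}, "
            f"matched dn={dn}, message={msg}, result code={result}, vendor=OID")
DN = "cn=bob,ou=Users,dc=example,dc=com"
SAMPLE_LOG = [
    "POST initiated with result status=SUCCESS, actionType=USER_AUTH_AND_UPDATE, "
    "actionId=ID1, diagnostic message=, error code=, matched dn=, message=SUCCESS, "
    "result code=, vendor=OID",
    _fail("ID2", "", "49", DN, "LDAPException(resultCode=49 (invalid credentials), "
          "errorMessage='invalid credentials')", "invalid credentials"),
    _fail("ID3", "", "", "", "User not found while executing query: "
          "(&(objectclass=inetorgperson)(uid=nobody@example.com))", ""),
    _fail("ID4", "Password Policy Error :9000: GSL_PWDEXPIRED_EXCP :Your Password has expired.",
          "49", DN, "LDAPException(resultCode=49 (invalid credentials))", "invalid credentials"),
    _fail("ID5", "Password Policy Error :9001: GSL_ACCOUNTLOCKED_EXCP : Your account is locked.",
          "53", DN, "LDAPException(resultCode=53 (unwilling to perform))", "unwilling to perform"),
]
```

Running `[classify(l)[0] for l in SAMPLE_LOG]` over a real agent log gives the counts per failure class; lines in another format return None and can be skipped.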