LDAP Interface known limitations

The LDAP Interface is a lightweight tool designed to perform the following LDAP operations: BIND, UNBIND, and SEARCH. While it can execute these basic functions without relying on an LDAP server, it may not support all the advanced features and functions that your current LDAP server provides. Therefore, before replacing your LDAP server with the LDAP interface, carefully evaluate its capabilities and limitations.

This topic shares common issues and known limitations. However, it may not cover all possible scenarios. Okta recommends working with your Okta sales team or CSM before incorporating the LDAP interface into your LDAP modernization plans.

Searches and attribute references

  • The processing time for memberOf and uniqueMember can be high, depending on the total number of group members and the admin role running the search operation. Searches executed by users with more restricted roles take longer to process.
  • Search results are limited to 1000 entries per page. For larger result sets, Simple Pagination Control (RFC 2696) is required.
  • LDAP interface defines memberOf as a virtual operational attribute. It's returned only if:
    • memberOf is a requested attribute, or
    • All operational attributes are requested using '+'.
  • The attributes available in the LDAP interface represent only a subset of the complete LDAP schema and may have some naming inconsistencies. Also, any custom Okta properties aren't reflected in the LDAP interface schema.

    To review the available LDAP interface schema, perform an LDAP interface search using the following:

    Attribute Value

    Base DN

    cn=schema

    Scope

    BASE

    Filter

    objectclass=subschema

    Requested attributes

    ldapSyntaxes matchingRules attributeTypes objectClasses

    Alternatively, use + or all user attributes.

  • Search results aren't returned if unsupported schema attributes are used in the search query.

Encryption

  • TLS 1.2 is only supported.
  • LDAP interface supports two methods of using encrypted connections: LDAPS and StartTLS. A connection must be encrypted using one of these methods to use the LDAP interface. Any operation received on an unencrypted connection is promptly rejected.

Authentication (BIND)

  • Unix or Linux-based PAM authentication isn't supported.

  • samAccountName can't be used as a sign-in value for your apps, and results in failure. You must provide an Okta user ID.

  • When using Okta Verify multifactor authentication with the LDAP interface, the reported IP address is the appserver IP rather than the client IP. This is due to limitations in forwarding the client IP through LDAP.