LDAP interface known limitations
The following are the known limitations of the Okta LDAP Interface (LDAPi):
- Unix or Linux-based PAM authentication is not supported.
- Only Okta groups are supported. Active Directory (AD) groups and app groups are not returned.
- Searching on memberOf results in longer search times.
- Only TLS 1.2 is supported.
- Only read-only operations are supported. Write operations are not supported.
- The server allows a page size of 1000 entries. If the result set exceeds the page size, an LDAP error code is returned. For large result sets, use the Simple Paged Results control (RFC 2696, https://www.ietf.org/rfc/rfc2696.txt) to retrieve the results in pages of at most 1000 entries.
- Okta must be the source of truth for the apps.
- You must use an Okta user ID as the login value. If your apps use samAccountName as the login value, authentication fails.
- For LDAP searches that query the uniqueMember and memberOf attributes, the LDAP Interface iterates through all pages before returning the membership response to the client.
- LDAPi defines memberOf as a virtual operational attribute. It is returned only if:
  - memberOf is requested explicitly in the list of attributes, or
  - all operational attributes are requested using '+'.
  Querying the memberOf attribute can count against the rate limits of your org, so query it only when necessary. Handling of the other operational attributes from the LDAP core schema has also been improved; these are hasSubordinates, structuralObjectClass, entryDN, subschemaSubentry, and numSubordinates. Note that numSubordinates is not calculated for the users and groups containers.
- Sensitive attributes and LDAP Interface searches: search filters that reference sensitive attributes, or attributes that do not exist in the schema, return no results.
  For example, if a custom attribute Employee Number is marked sensitive, the filter (employeenumber=123-45-6789) returns no results, and neither does (|(employeenumber=*)(uniqueIdentifier=*)).
  Likewise, if the attribute xyz does not exist in the schema, the filter (xyz=foo) returns no results, and neither does (|(xyz=*)(bar=*)).
  Note that this applies to the whole filter: one sensitive or unknown attribute in a compound filter causes the entire search to return nothing, even if the other terms would match on their own.
- When Okta Verify multifactor authentication is used with the LDAP Interface, the IP address reported is the LDAP Interface server's IP address rather than the client's, because the client IP cannot be forwarded through LDAP. Policies and logs that rely on the client IP will therefore see the server address.
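The 1000-entry page limit and the RFC 2696 control it points to, worked through as an added example in Python. This is not Okta's code or the LDAPi implementation: it encodes and decodes the Simple Paged Results control value by hand, then runs the client-side paging loop against an in-memory stand-in for a server that caps one page at 1000 entries and rejects an unpaged search that would exceed it. The entry DNs, the cookie layout (an offset, which a real server would keep opaque) and the stand-in server are all constructed for the demo.

```python
# Added example, not Okta's code: RFC 2696 Simple Paged Results control value,
# encoded and decoded by hand, plus a client paging loop run against an
# in-memory stand-in for a server that caps one page at 1000 entries, as the
# Okta LDAP Interface does. Entry DNs and the cookie format are constructed
# for the demo; a real server treats the cookie as opaque.

PAGED_RESULTS_OID = "1.2.840.113556.1.4.319"  # controlType from RFC 2696 (for reference)
OKTA_MAX_PAGE = 1000                           # page-size cap stated on this page
SIZE_LIMIT_EXCEEDED = 4                        # LDAP resultCode sizeLimitExceeded


def _ber_len(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _ber_int(n):
    """BER INTEGER for n >= 0; prepend 0x00 when the top bit is set."""
    body = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _ber_len(len(body)) + body


def encode_paged_control_value(size, cookie=b""):
    """realSearchControlValue ::= SEQUENCE { size INTEGER, cookie OCTET STRING }"""
    inner = _ber_int(size) + b"\x04" + _ber_len(len(cookie)) + cookie
    return b"\x30" + _ber_len(len(inner)) + inner


def _read_tlv(buf, pos):
    """Return (tag, value, position after the element) for the TLV at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                       # long-form length
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def decode_paged_control_value(data):
    """Parse a control value (from either side) into (size, cookie)."""
    tag, seq, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("control value must be a SEQUENCE")
    tag, size_bytes, pos = _read_tlv(seq, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER size")
    tag, cookie, _ = _read_tlv(seq, pos)
    if tag != 0x04:
        raise ValueError("expected OCTET STRING cookie")
    return int.from_bytes(size_bytes, "big", signed=True), cookie


class FakeLdapiServer:
    """Constructed server stand-in: enforces the 1000-entry cap, hands out cookies."""

    def __init__(self, entries):
        self.entries = list(entries)

    def search(self, control_value=None):
        """Return (resultCode, entries, response control value or None)."""
        if control_value is None:                       # unpaged search
            if len(self.entries) > OKTA_MAX_PAGE:
                return SIZE_LIMIT_EXCEEDED, [], None
            return 0, list(self.entries), None
        size, cookie = decode_paged_control_value(control_value)
        if size <= 0:                                   # RFC 2696: size 0 abandons the search
            return 0, [], encode_paged_control_value(0, b"")
        offset = int.from_bytes(cookie, "big") if cookie else 0
        page = self.entries[offset:offset + min(size, OKTA_MAX_PAGE)]
        nxt = offset + len(page)
        # RFC 2696: an empty cookie in the response means the result set is exhausted
        next_cookie = nxt.to_bytes(4, "big") if nxt < len(self.entries) else b""
        return 0, page, encode_paged_control_value(0, next_cookie)


def paged_search(server, page_size=OKTA_MAX_PAGE):
    """Client loop: resend the control with the server's cookie until it comes back empty."""
    results, cookie, pages = [], b"", 0
    while True:
        code, page, resp = server.search(encode_paged_control_value(page_size, cookie))
        if code != 0:
            raise RuntimeError(f"search failed with resultCode {code}")
        results.extend(page)
        pages += 1
        _, cookie = decode_paged_control_value(resp)
        if not cookie:
            return results, pages


def demo_entries(n=2500):
    """Constructed DNs standing in for a large user search result."""
    return [f"uid=user{i:04d},ou=users,dc=example,dc=com" for i in range(n)]


if __name__ == "__main__":
    server = FakeLdapiServer(demo_entries())
    print("unpaged resultCode:", server.search()[0])
    entries, pages = paged_search(server)
    print(f"paged: {len(entries)} entries in {pages} pages")
```

Against a real LDAPi endpoint the same control is what a client library sends when you ask for a paged search (for example `ldapsearch -E pr=1000/noprompt`); the point of the loop is that every follow-up request must carry the cookie from the previous response, and asking for more than 1000 per page does not get you more than 1000.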