Configure Okta to LDAP provisioning settings
After installing and configuring the Okta LDAP agent, you can use this procedure to update your Okta to LDAP provisioning settings as the needs of your org change. The Okta to LDAP provisioning settings define how Okta shares and updates user data on your LDAP instance.
- In the Admin Console, go to Directory > Directory Integrations.
- Select the LDAP agent from the list of directories.
Click the Provisioning tab and select To App in the SETTINGS list.
- Click Edit, and complete the following settings:
- Create Users — Selecting Enable creates or links a user in LDAP for members of groups in Okta where LDAP is assigned. If LDAP is the highest priority Profile Master, Okta user profiles are automatically updated based on changes made to user profiles in LDAP.
- Activation email recipient — Enter the email address to which new LDAP account credentials are sent. The recipient is responsible for distributing the credential information to the appropriate user.
- RDN attribute name — Select the attribute type to be used for user Relative Distinguished Name (the leftmost portion of the user Distinguished Name).
You can customize the attribute value on the Profile Editor page.
If you set the RDN attribute to UID, you must map the attribute to the Okta userName attribute. The attribute type you select must be mapped correctly in Profile Editor for this LDAP instance, in the same direction for provisioning.
- Update User Attributes — Select Enable to allow Okta to update a user's attributes in LDAP when the app is assigned. Future attribute changes made to the Okta user profile automatically overwrite the corresponding attribute value in LDAP.
- Deactivate Users — Select Enable if you want to deactivate a user's LDAP account when it is unassigned in Okta or their Okta account is deactivated. Accounts can be reactivated if the app is reassigned to the user in Okta.
- Sync Password — Select Enable if you want each user's LDAP password to be synced to their Okta password. Any subsequent changes to a user's Okta password are pushed to the on-premise LDAP server. To enable this option, Delegated Authentication must be disabled. Organizations using both Active Directory (AD) and LDAP can now synchronize their user passwords from AD through Okta to LDAP.
- Click Save.
The Attribute Mappings section lets you map LDAP attributes to Okta attributes. The attributes listed in the table are your LDAP attributes. To edit these mappings, click the edit icon. See Work with profiles and attributes