LDAP integration known limitations

The following table lists the known limitations with Okta LDAP integrations.

Feature	Comments
Supported Directories	The Okta LDAP Agent supports all LDAP v3 servers (RFC 4510 compliant). It has been tested with the following: Active Directory Lightweight Directory Services (AD LDS) eDirectory IBM OpenDJ OpenLDAP Oracle Directory Server Enterprise Edition (ODSEE) Oracle Internet Directory (OID) Oracle Unified Directory (OUD)
Scenarios	Object Lifecycle Management Group Management Password Management Notable features not supported by the LDAP Agent: Per-instance Delegated Authentication Group Push The Okta LDAP Agent is not recommended for large LDAP migrations.
Operations	The following operations are supported on all LDAP directories: Full import User provisioning The following operations are only supported on specific directories: Incremental imports Set password Change password
Schema	The Okta LDAP Agent automatically detects user schema based on the user objectClass specified Supports structural classes, auxiliary classes for users
Group imports	Okta limits the total number of bytes that can be sent from an Active Directory (AD) or LDAP agent to Okta server in a single request. To avoid exceeding Okta size limitations during data import, result sets containing multiple group objects are split into separately sized units and each unit is sent in a separate request. A single group that exceeds the defined size limitation is still sent to Okta, but a standard HTTP 413 (Payload Too Large) error might be returned. The length of the group distinguishedName (dn), the length of the user dn within the group, and the group membership size all contribute to the total bytes sent to Okta. If you receive a HTTP 413 (Payload Too Large) error, Okta recommends splitting direct group membership into nested group membership or sub-groups to avoid the size limit limitation and allow the data to be sent in a single request.