Modify LDAP integration settings
After installing and configuring the Okta LDAP agent, you can use this procedure to update your existing integration settings as the needs of your org change.
- On the Okta Admin Console, click Directory > Directory Integrations.
- Select the LDAP agent from the list of directories.
- Click the Provisioning tab and select Integration in the SETTINGS list.
- In the Version section, select your vendor. Vendor-specific configuration templates are provided and pre-populate configuration settings for you. If your LDAP vendor is not on the list, complete the configuration fields manually. Because each LDAP environment is unique, you must confirm the default values using an LDAP browser like Apache Directory Studio. Note that not all configuration settings must have values.
- In the Configuration section, complete the following:
- Unique Identifier Attribute — Specifies the unique, immutable attribute of all LDAP objects that will be imported (users and groups). Only objects possessing this attribute can be imported into your Okta org. Okta populates this field automatically based on your chosen LDAP version. You can change the auto-populated value during initial setup. Note: if your LDAP server implements RFC 4530, make sure to enter entryuuid in this field. For AD LDS, use objectguid.
- DN Attribute — The attribute on all LDAP objects containing the Distinguished Name value.
- In the User section, complete the following:
- User Search Base — The DN of the container for user searches (that is, root of the user subtree). This is the base DN of the container that holds all users that will be imported into your Okta org. For example: cn=Users, dc=example, dc=com.
- User Object Class — The objectClass of a user that Okta uses in its query when importing users. For example, inetorgperson, posixaccount, posixuser.
- Auxiliary Object Class — You can input a comma-separated list of auxiliary objectClasses. Okta will use these in its query when importing users. For example, auxClass1,auxClass2.
- User Object Filter — By default, Okta auto-populates this field with the objectClass (objectClass=<entered objectClass name>). This must be a valid LDAP filter.
Use standard LDAP search filter notation (RFC 2254). For example:
The same filter capability is also in place for Group Objects.
- Account Disabled Attribute — The user attribute that indicates whether or not the account is disabled for the user in Okta. If this attribute equals the value specified in the Account Disabled Value field, we deactivate the user account.
- Account Disabled Value — The value that indicates that the account is locked (for example, TRUE).
- Account Enabled Value — The value that indicates that the account is unlocked (for example, TRUE).
- Password Attribute — The user password attribute.
- Password Expiration Attribute — Different LDAP directories have different attribute names for password and password expiration. If you select one of the pre-populated directories, Okta will auto-fill the correct default value. If your directory is not in the supported list, refer to your LDAP server documentation or configuration and use that value for password expiry. This attribute is usually a Boolean value, but may vary depending on your LDAP server.
- In the Extra User Attributes section, you can specify up to four additional attributes to be imported from LDAP.
- In the Group section, complete the following:
- Group Search Base — The DN of the container for group searches (that is, the root of the group subtree) that holds all groups that will be imported into your Okta org. For example: ou=groups, dc=example, dc=com.
- Group Object Class — The objectClass of a group that Okta uses in its query when importing groups. For example, groupofnames, groupofuniquenames, posixgroup.
- Group Object Filter – By default, Okta auto-populates this field with the objectClass of the group (objectClass=<entered objectClass name>).
- Member Attribute — The attribute containing all the member DNs.
- User Attribute — Okta uses the member attribute on the group object to determine the user's group memberships at runtime. Unless your group object class and group filter are explicitly posixGroup and (objectclass=posixGroup), leave the User Attribute field empty. If you are using posixGroup, we recommend that you configure the member attribute value to memberUID and the user attribute value to uid.
If the specified group object class and group filter are posixGroup, enter memberUid in the User Attribute field.
If the specified group object class and group filter are anything other than posixGroup, leave the User Attribute field blank.
- In the Role section, complete the following:
- Object Class – The objectClass of a role.
- Membership Attribute – The attribute of the user object that indicates role membership (that is, containing the role DNs).
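As an added example (not Okta's code), the following Python builds the user filter and the group-membership filter that the User Object Filter, Auxiliary Object Class, Member Attribute and User Attribute settings above describe, with RFC 4515 escaping of the example username. How Okta actually composes its queries is an assumption here, so verify the printed filters in an LDAP browser such as Apache Directory Studio before relying on them.

```python
# Added example, not Okta's code. Builds the LDAP filters implied by the
# integration settings so they can be checked in an LDAP browser first.
# The combination logic is an assumption for illustration only.

# RFC 4515 escaping for values placed inside a filter. Without it, an
# example username such as "a)(uid=*" would rewrite the filter itself.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def user_object_filter(object_class: str, auxiliary_classes: str = "") -> str:
    """User Object Filter: the User Object Class ANDed with every class in the
    comma-separated Auxiliary Object Class list. A single class needs no (&...)."""
    classes = [object_class] + [c.strip() for c in auxiliary_classes.split(",") if c.strip()]
    terms = "".join(f"(objectClass={escape_filter_value(c)})" for c in classes)
    return terms if len(classes) == 1 else f"(&{terms})"


def group_membership_filter(group_object_class: str, member_attribute: str,
                            user_attribute: str, user_dn: str, user_uid: str) -> str:
    """Filter listing the groups a validated user belongs to.
    posixGroup: Member Attribute (memberUid) holds the user's uid value, so
    User Attribute must name that attribute (uid). Any other group class:
    Member Attribute (e.g. member) holds the user's DN and User Attribute is blank."""
    if group_object_class.lower() == "posixgroup":
        if not user_attribute:
            raise ValueError("posixGroup requires a User Attribute (normally uid)")
        member_value = user_uid
    else:
        if user_attribute:
            raise ValueError("User Attribute must be blank unless the group class is posixGroup")
        member_value = user_dn
    return (f"(&(objectClass={escape_filter_value(group_object_class)})"
            f"({member_attribute}={escape_filter_value(member_value)}))")


if __name__ == "__main__":
    # Constructed sample values matching the examples used in this page.
    print(user_object_filter("inetorgperson", "auxClass1,auxClass2"))
    print(group_membership_filter("posixGroup", "memberUid", "uid",
                                  "uid=jdoe,cn=Users,dc=example,dc=com", "jdoe"))
    print(group_membership_filter("groupOfNames", "member", "",
                                  "uid=jdoe,cn=Users,dc=example,dc=com", "jdoe"))
```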
- Validate your configuration settings.
- Enter a Username in the Example username field.
Enter the username of a user in the specified username format. Because the username you enter uniquely identifies a single user in your LDAP directory, the query that Okta executes retrieves only that user, together with the following details. Validate that all returned details are correct.
- Unique ID
- Distinguished Name
- Full Name
- Groups – All the groups of the specified Group Object Class within the Group Search Base of which this user is a member. If the expected groups are not listed here, group imports might fail later.