eDirectory LDAP integration reference
This topic provides reference information specific to eDirectory LDAP integrations. When you're installing the Okta LDAP agent, you'll need this information to integrate your eDirectory with Okta. See Install and configure the Okta LDAP Agent.
During the initial agent install and configuration documented in Install and configure the Okta LDAP agent, these are the attributes for eDirectory:
- Unique Identifier Attribute — localentryid
- DN Attribute — entrydn
- User Object Class — inetorgperson
- User Object Filter — (objectclass=inetorgperson)
- *Account Disabled Attribute — loginDisabled
- *Account Disabled Value — TRUE
- *Account Enabled Value — FALSE
- Password Attribute — userpassword
- Group Object Class — groupofnames
- Group Object Filter — (objectclass=groupofnames)
- Member Attribute — member
To add attributes from AUX classes, add the auxiliary class as an Auxiliary Object Class to the directory provisioning configuration. For example, the dc attribute is added to the Okta schema attributes when the Auxiliary Object Class is
Users can change their password by selecting Settings on the Okta end user dashboard.
If you are using eDirectory-specific password settings on your LDAP instance, a password change or reset may fail on Okta if a user doesn't have the correct ACL permissions for self-service password change. In that case the password change fails and returns the error message: NDS error: no access (-672).
Password reset is triggered by an administrator or the User Forgot Password flow. Password reset works without adding a specific ACL.
Password reset can fail if the new password does not meet the password policy criteria.
eDirectory has a different modifyTimestamp decimal precision than other LDAP servers. The usual value is 3, but for eDirectory the value must be set to 1. There are two ways to set this value:
- If you have eDirectory support enabled and your LDAP agent is version 5.6.2 or higher — the decimal precision should be set to 1 automatically during the install process. It can be changed on the Directory Integrations > Provisioning > To Okta page.
- If your LDAP agent version is 5.6.0 or 5.6.1 — update the decimal precision of all deployed agents by setting the attribute generalizedTimeMillisecondDecimalPlaces to 1 in the OktaLDAPAgent.conf file.
- LDAP agent versions prior to 5.6.0 do not support eDirectory LDAP integrations.
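The precision setting matters because the agent compares and filters on modifyTimestamp values, which LDAP returns as GeneralizedTime strings whose fraction part has a fixed number of digits. The following Python is an added example, not Okta's or the agent's code: it parses and renders GeneralizedTime with a chosen number of fraction digits, shows how the same instant is written at precision 3 versus 1, maps an agent version to the three cases listed above, and edits the conf key idempotently. It assumes (not stated on the page) that eDirectory returns one fraction digit and that OktaLDAPAgent.conf uses simple `key = value` lines; the orgUrl key and all timestamp values are constructed.

```python
"""Added example (not Okta's code): GeneralizedTime fraction precision for eDirectory.

Assumptions (not from the page): eDirectory returns modifyTimestamp with one
fraction digit (e.g. 20240301120000.5Z) and OktaLDAPAgent.conf uses `key = value`
lines. All sample values are constructed.
"""
import re
from datetime import datetime, timedelta, timezone

# UTC form of RFC 4517 GeneralizedTime: YYYYMMDDHHMMSS[.fraction]Z
GENERALIZED_TIME_RE = re.compile(r"^(\d{14})(?:\.(\d{1,6}))?Z$")
CONF_KEY = "generalizedTimeMillisecondDecimalPlaces"   # key named on the page


def parse_generalized_time(value: str) -> datetime:
    """Parse a UTC GeneralizedTime with any fraction length (0 to 6 digits)."""
    match = GENERALIZED_TIME_RE.match(value)
    if not match:
        raise ValueError(f"not a UTC GeneralizedTime: {value!r}")
    whole, fraction = match.groups()
    stamp = datetime.strptime(whole, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    if fraction:
        # pad on the right so ".5" means 500000 microseconds, not 5
        stamp += timedelta(microseconds=int(fraction.ljust(6, "0")))
    return stamp


def format_generalized_time(stamp: datetime, decimal_places: int) -> str:
    """Render a datetime with exactly `decimal_places` fraction digits (truncated, never rounded)."""
    if not 0 <= decimal_places <= 6:
        raise ValueError("decimal_places must be between 0 and 6")
    utc = stamp.astimezone(timezone.utc)
    base = utc.strftime("%Y%m%d%H%M%S")
    if decimal_places == 0:
        return base + "Z"
    return f"{base}.{utc.microsecond:06d}"[: len(base) + 1 + decimal_places] + "Z"


def fraction_digits(value: str) -> int:
    """How many fraction digits a server-returned timestamp carries (1 for eDirectory, per the page)."""
    match = GENERALIZED_TIME_RE.match(value)
    if not match:
        raise ValueError(f"not a UTC GeneralizedTime: {value!r}")
    return len(match.group(2) or "")


def incremental_import_filter(last_seen: str, decimal_places: int) -> str:
    """Filter for entries changed since the newest modifyTimestamp seen on the previous sync.
    The page's user object filter is reused; the modifyTimestamp clause is the constructed part."""
    since = format_generalized_time(parse_generalized_time(last_seen), decimal_places)
    return f"(&(objectclass=inetorgperson)(modifyTimestamp>={since}))"


def precision_handling(agent_version: str) -> str:
    """Which of the page's three cases applies to an agent version string like '5.6.1'."""
    parts = tuple(int(p) for p in agent_version.split("."))
    if parts < (5, 6, 0):
        return "unsupported"       # eDirectory not supported before 5.6.0
    if parts < (5, 6, 2):
        return "edit-conf"         # 5.6.0 / 5.6.1: set the key in OktaLDAPAgent.conf
    return "automatic"             # 5.6.2+: set during install, editable in the admin UI


def set_conf_value(conf_text: str, key: str, value: str) -> str:
    """Return conf_text with `key = value` set: replaces an existing line or appends one.
    Running it twice yields the same text, so it is safe to apply to every deployed agent."""
    pattern = re.compile(rf"^[ \t]*{re.escape(key)}[ \t]*=.*$", re.MULTILINE)
    line = f"{key} = {value}"
    if pattern.search(conf_text):
        return pattern.sub(line, conf_text, count=1)
    separator = "" if conf_text == "" or conf_text.endswith("\n") else "\n"
    return f"{conf_text}{separator}{line}\n"


# Constructed sample: the same instant as eDirectory would return it (one digit).
EDIR_STAMP = "20240301120000.5Z"
SAMPLE_CONF = "orgUrl = https://example.okta.com\n" + CONF_KEY + " = 3\n"   # constructed

if __name__ == "__main__":
    instant = parse_generalized_time(EDIR_STAMP)
    print("precision 3:", format_generalized_time(instant, 3))   # 20240301120000.500Z
    print("precision 1:", format_generalized_time(instant, 1))   # 20240301120000.5Z
    print(incremental_import_filter(EDIR_STAMP, 1))
    print(set_conf_value(SAMPLE_CONF, CONF_KEY, "1"))
```

The formatter truncates rather than rounds so that a value written at lower precision never moves past the instant the server reported, which would otherwise skip an entry modified in the same second.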
There are no special considerations for eDirectory Just In Time (JIT) provisioning. For user identification (UID), use an email format to match the default setting for an Okta username. Do not use an external identity provider (IdP) to trigger sign in.
To make sure that JIT provisioning is successful the first time:
- the value of the configured naming attribute (such as UID) must not exist in Okta.
- the value of the configured naming attribute (such as UID) must be unique in all JIT-enabled directories.
- the required attributes must be present. The Okta defaults are email, givenName, sn, and uid.
- the password must be correct.
- the Account Disabled Attribute must be set to false on the LDAP server.
When JIT provisioning completes successfully, all of the user attributes specified on the LDAP settings page and in the Profile Editor are imported. To select additional mandatory attributes, use the Profile Editor.
During import, if the default eDirectory settings are used, user groups with the objectClass groupofnames are imported, and each user listed in a group's member attribute is assigned to that group.
During import, if the membership attribute is set to seeAlso, users are assigned to the groups added to the seeAlso user attribute.
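The eDirectory attribute settings listed at the top of this page, the JIT checklist, and the two group-membership modes can all be exercised offline against directory entries before a first sign-in or import. The Python below is an added example, not Okta's code: it treats entries as dicts of lowercase attribute name to list of values (the shape most LDAP client libraries return), reports every JIT precondition an entry would fail except the password check (which cannot be done offline), and resolves group membership either from the group's member attribute or from the user's seeAlso attribute. The users, the group, and the DNs (which reuse the o=QAUsers,dc=Okta,dc=Com base from the log samples further down) are constructed; the required-attribute list follows the page's defaults, including email as spelled there.

```python
"""Added example (not Okta's code): apply the page's eDirectory settings to LDAP entries.

Entries are dicts: lowercase attribute name -> list of string values. DNs and
entries below are constructed sample data.
"""

EDIR_SETTINGS = {
    "user_object_class": "inetorgperson",
    "account_disabled_attribute": "logindisabled",   # loginDisabled, lowercased
    "account_disabled_value": "TRUE",
    "account_enabled_value": "FALSE",
    "group_object_class": "groupofnames",
    "member_attribute": "member",
    "naming_attribute": "uid",
    "required_attributes": ("email", "givenname", "sn", "uid"),   # Okta defaults per the page
}


def _has_class(entry, object_class):
    return object_class in {c.lower() for c in entry.get("objectclass", [])}


def is_account_disabled(entry, settings=EDIR_SETTINGS):
    """eDirectory booleans are the literal strings TRUE/FALSE; a missing attribute counts as enabled."""
    values = entry.get(settings["account_disabled_attribute"], [])
    return any(v.upper() == settings["account_disabled_value"] for v in values)


def jit_preflight(entry, existing_okta_usernames, other_directory_uids, settings=EDIR_SETTINGS):
    """Return the reasons a first-time JIT sign-in would fail for this entry (empty list = none found).
    The 'password must be correct' condition needs a live bind and is deliberately not checked here."""
    problems = []
    if not _has_class(entry, settings["user_object_class"]):
        problems.append("entry is not a " + settings["user_object_class"])
    for attr in settings["required_attributes"]:
        if not entry.get(attr):
            problems.append("missing required attribute " + attr)
    uid_values = entry.get(settings["naming_attribute"], [])
    if uid_values:
        uid = uid_values[0]
        if uid.lower() in {u.lower() for u in existing_okta_usernames}:
            problems.append(uid + " already exists in Okta")
        if uid.lower() in {u.lower() for u in other_directory_uids}:
            problems.append(uid + " is not unique across JIT-enabled directories")
        if "@" not in uid:
            problems.append("naming attribute is not in email format")
    if is_account_disabled(entry, settings):
        problems.append("loginDisabled is TRUE")
    return problems


def group_memberships(users, groups, mode="member", settings=EDIR_SETTINGS):
    """Map each user DN to the sorted group DNs it belongs to.
    mode="member": default eDirectory import, membership read from the group's member attribute.
    mode="seeAlso": membership read from each user's seeAlso attribute instead.
    DN matching is case-insensitive (a simplification of full DN normalisation)."""
    user_by_dn = {dn.lower(): dn for dn in users}
    group_by_dn = {dn.lower(): dn for dn in groups}
    result = {dn: [] for dn in users}
    if mode == "member":
        for group_dn, group in groups.items():
            if not _has_class(group, settings["group_object_class"]):
                continue
            for member_dn in group.get(settings["member_attribute"], []):
                user_dn = user_by_dn.get(member_dn.lower())
                if user_dn is not None:
                    result[user_dn].append(group_dn)
    elif mode == "seeAlso":
        for user_dn, user in users.items():
            for ref in user.get("seealso", []):
                group_dn = group_by_dn.get(ref.lower())
                if group_dn is not None and _has_class(groups[group_dn], settings["group_object_class"]):
                    result[user_dn].append(group_dn)
    else:
        raise ValueError("mode must be 'member' or 'seeAlso'")
    return {dn: sorted(gs) for dn, gs in result.items()}


# Constructed sample directory content.
ALICE_DN = "cn=alice,o=QAUsers,dc=Okta,dc=Com"
BOB_DN = "cn=bob,o=QAUsers,dc=Okta,dc=Com"
GROUP_DN = "cn=okta-users,o=QAUsers,dc=Okta,dc=Com"
USERS = {
    ALICE_DN: {"objectclass": ["inetOrgPerson", "organizationalPerson", "person", "top"],
               "uid": ["alice@example.com"], "email": ["alice@example.com"],
               "givenname": ["Alice"], "sn": ["Example"], "logindisabled": ["FALSE"]},
    BOB_DN: {"objectclass": ["inetOrgPerson", "top"],
             "uid": ["bob@example.com"], "email": ["bob@example.com"], "sn": ["Example"],
             "logindisabled": ["TRUE"], "seealso": [GROUP_DN]},   # givenName missing on purpose
}
GROUPS = {GROUP_DN: {"objectclass": ["groupOfNames", "top"], "member": [ALICE_DN.upper()]}}

if __name__ == "__main__":
    for dn, entry in USERS.items():
        print(dn, "->", jit_preflight(entry, ["Bob@example.com"], []) or "ready for JIT")
    print("member mode :", group_memberships(USERS, GROUPS, "member"))
    print("seeAlso mode:", group_memberships(USERS, GROUPS, "seeAlso"))
```

Running the preflight over an export before enabling JIT turns a failed first sign-in (which the user sees only as a generic error) into a list of concrete attribute fixes per entry.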
There are no special considerations for eDirectory LDAP integrations.
To create and assign passwords when creating user profiles:
- Contact Okta customer support to enable LDAP push password updates.
- Disable delegated authentication:
- Click Security > Delegated Authentication > LDAP.
- Click Edit in the Delegated Authentication pane.
- Clear the Enable delegated authentication to LDAP check box.
- Click Save.
- Accept the default setting to reset all LDAP user passwords and click Disable LDAP Authentication.
- Open your Okta Admin Console, click Directory > Directory Integrations > LDAP > Provisioning > To App.
- Click Edit, select Enable next to Sync Password, and click Save.
When Sync Password is enabled, the LDAP agent sends the action PASSWORD_UPDATE when the user signs in for the first time.
To assign existing Okta users to LDAP:
- Open your Okta Admin Console, click Directory > Directory Integrations > LDAP > Provisioning > To App.
- Click Edit, select Enable next to Create Users, and click Save.
- Click Directory > Groups.
- Select the Okta group to which you want to assign users.
- Click Manage Directories.
- Select an LDAP instance in the left pane and click Next.
- Enter the full distinguished name (DN) for the new user LDAP container in the Provisioning Destination DN field.
- Click Confirm Changes.
If LDAP directory authentication fails, the agent logs display messages similar to the following to assist with diagnosis and resolution:
POST initiated with result status=SUCCESS, actionType=USER_AUTH_AND_UPDATE, actionId=ADSuirvHXkjvU4It20g3, diagnostic message=, error code=, matched dn=, message=SUCCESS, result code=, vendor=UNDEFINED
Agent: Delauth failure
POST initiated with result status=FAILURE, actionType=USER_AUTH_AND_UPDATE, actionId=ADSzbsNoy4eNjPI090g3, diagnostic message=NDS error: failed authentication (-669), error code=49, matched dn=cn=UserEdirectoryNewOne@edir.com,o=QAUsers,dc=Okta,dc=Com, message=LDAPException(resultCode=49 (invalid credentials), errorMessage='NDS error: failed authentication (-669)', diagnosticMessage='NDS error: failed authentication (-669)'), result code=invalid credentials, vendor=UNDEFINED
Agent: No user
POST initiated with result status=FAILURE, actionType=USER_AUTH_AND_UPDATE, actionId=ADSzbmckuuz7LniPk0g3, diagnostic message=, error code=, matched dn=, message=User not found while executing query: (&(objectclass=inetorgperson)(uid=UserEdirectoryNewOne@edir.com333)), result code=, vendor=UNDEFINED
Agent: Password expired
POST initiated with result status=FAILURE, actionType=USER_AUTH_AND_UPDATE, actionId=ADSu99dXaoVG7gFjG0g3, diagnostic message=8009030C: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 532, v3839?, error code=49, matched dn=CN=delauth2,CN=\#Users,DC=funnyface,DC=net,DC=local, message=LDAPException(resultCode=49 (invalid credentials), errorMessage='8009030C: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 532, v3839?', diagnosticMessage='8009030C: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 532, v3839?'), result code=invalid credentials, vendor=AD_LDS
Agent: User deactivated (loginDisabled = TRUE)
POST initiated with result status=FAILURE, actionType=USER_AUTH_AND_UPDATE, actionId=ADSzbyLP2YaxpJyKI0g3, diagnostic message=NDS error: log account expired (-220), error code=53, matched dn=cn=UserEdirectoryNewOne@edir.com,o=QAUsers,dc=Okta,dc=Com, message=LDAPException(resultCode=53 (unwilling to perform), errorMessage='NDS error: log account expired (-220)', diagnosticMessage='NDS error: log account expired (-220)'), result code=unwilling to perform, vendor=UNDEFINED
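The agent lines above cannot be split on commas, because the diagnostic message, the matched DN and the LDAPException text all contain commas of their own; the field names, however, appear in a fixed order, which is enough to parse them. The Python below is an added example, not Okta's code: it parses each line into its named fields, extracts the NDS code eDirectory embeds in the diagnostic message, and assigns each record one of the outcome labels the page uses (success, delegated-auth failure, no user, password expired, user deactivated). The sample lines are the five quoted above; the label names and the summary function are constructed, and the "data 532" rule follows the page's labelling of the AD LDS sample.

```python
"""Added example (not Okta's code): parse and classify Okta LDAP agent POST result lines.

The sample lines are the ones quoted on the page. Field names in the regex come
from those lines; the outcome labels are constructed for this example.
"""
import re
from collections import Counter

AGENT_LINE_RE = re.compile(
    r"^POST initiated with result status=(?P<status>[A-Z]+), "
    r"actionType=(?P<action_type>[^,]*), "
    r"actionId=(?P<action_id>[^,]*), "
    r"diagnostic message=(?P<diagnostic>.*?), "     # may contain commas: stop at the next field name
    r"error code=(?P<error_code>[^,]*), "
    r"matched dn=(?P<matched_dn>.*?), "             # DNs contain commas too
    r"message=(?P<message>.*), "                    # greedy: LDAPException(...) text has commas
    r"result code=(?P<result_code>.*?), "
    r"vendor=(?P<vendor>\S*)$"
)
# eDirectory reports its own code in parentheses, e.g. "NDS error: failed authentication (-669)"
NDS_CODE_RE = re.compile(r"NDS error: .*?\((-\d+)\)")


def parse_agent_line(line):
    """Return the line's fields as a dict, or None if it is not a POST result line."""
    match = AGENT_LINE_RE.match(line.strip())
    return match.groupdict() if match else None


def nds_error_code(record):
    """The numeric NDS code in the diagnostic message (e.g. -669), or None when absent."""
    match = NDS_CODE_RE.search(record["diagnostic"])
    return int(match.group(1)) if match else None


def classify(record):
    """Map a parsed record to one of the outcomes the page names."""
    if record["status"] == "SUCCESS":
        return "success"
    if record["message"].startswith("User not found"):
        return "no_user"
    code = nds_error_code(record)
    if code == -669:
        return "delauth_failure"          # invalid credentials against eDirectory
    if code == -220:
        return "user_deactivated"         # loginDisabled = TRUE, reported as "log account expired"
    if "data 532" in record["diagnostic"]:
        return "password_expired"         # AD LDS wording from the page's sample
    if record["result_code"] == "invalid credentials":
        return "delauth_failure"
    return "unknown"


def summarize(lines):
    """Count outcomes over a batch of log lines; lines that do not parse are counted as 'unparsed'."""
    counts = Counter()
    for line in lines:
        record = parse_agent_line(line)
        counts[classify(record) if record else "unparsed"] += 1
    return dict(counts)


# The five lines quoted on the page (raw strings: the AD LDS DN contains a backslash).
SAMPLE_LINES = [
    r"POST initiated with result status=SUCCESS, actionType=USER_AUTH_AND_UPDATE, actionId=ADSuirvHXkjvU4It20g3, diagnostic message=, error code=, matched dn=, message=SUCCESS, result code=, vendor=UNDEFINED",
    r"POST initiated with result status=FAILURE, actionType=USER_AUTH_AND_UPDATE, actionId=ADSzbsNoy4eNjPI090g3, diagnostic message=NDS error: failed authentication (-669), error code=49, matched dn=cn=UserEdirectoryNewOne@edir.com,o=QAUsers,dc=Okta,dc=Com, message=LDAPException(resultCode=49 (invalid credentials), errorMessage='NDS error: failed authentication (-669)', diagnosticMessage='NDS error: failed authentication (-669)'), result code=invalid credentials, vendor=UNDEFINED",
    r"POST initiated with result status=FAILURE, actionType=USER_AUTH_AND_UPDATE, actionId=ADSzbmckuuz7LniPk0g3, diagnostic message=, error code=, matched dn=, message=User not found while executing query: (&(objectclass=inetorgperson)(uid=UserEdirectoryNewOne@edir.com333)), result code=, vendor=UNDEFINED",
    r"POST initiated with result status=FAILURE, actionType=USER_AUTH_AND_UPDATE, actionId=ADSu99dXaoVG7gFjG0g3, diagnostic message=8009030C: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 532, v3839?, error code=49, matched dn=CN=delauth2,CN=\#Users,DC=funnyface,DC=net,DC=local, message=LDAPException(resultCode=49 (invalid credentials), errorMessage='8009030C: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 532, v3839?', diagnosticMessage='8009030C: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 532, v3839?'), result code=invalid credentials, vendor=AD_LDS",
    r"POST initiated with result status=FAILURE, actionType=USER_AUTH_AND_UPDATE, actionId=ADSzbyLP2YaxpJyKI0g3, diagnostic message=NDS error: log account expired (-220), error code=53, matched dn=cn=UserEdirectoryNewOne@edir.com,o=QAUsers,dc=Okta,dc=Com, message=LDAPException(resultCode=53 (unwilling to perform), errorMessage='NDS error: log account expired (-220)', diagnosticMessage='NDS error: log account expired (-220)'), result code=unwilling to perform, vendor=UNDEFINED",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        record = parse_agent_line(line)
        print(record["action_id"], classify(record), record["matched_dn"] or "-")
    print(summarize(SAMPLE_LINES))
```

Because the NDS code is checked before the generic LDAP result code, a disabled account (-220, result code 53) and a wrong password (-669, result code 49) stay distinguishable even though both surface to the end user as a failed sign-in; counting them separately per matched DN is what lets an operator tell a lockout problem from a credential problem.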