IBM Reference

This topic provides reference information specific to IBM Lightweight Directory Access Protocol (LDAP) integrations. Use this information in conjunction with Install the Okta LDAP Agent and Configure the Okta LDAP Agent.

Integration configuration

During the initial agent install and configuration documented in Configure integration settings, you are asked to configure some basic attributes. These are the default attributes for IBM integrations:

  • Unique Identifier Attribute - ibm-entryuuid
  • DN Attribute - distinguishedname
  • User Object Class - inetorgperson
  • User Object Filter - (objectclass=inetorgperson)
  • *Account Disabled Attribute - pwdaccountlockedtime
  • *Account Disabled Value - BLANK
  • *Account Enabled Value - BLANK
  • Password Attribute - userpassword
  • Group Object Class - groupofuniquenames
  • Group Object Filter - (objectclass=groupofuniquenames)
  • Member Attribute - uniquemember

The starred values are blank by default. To complete provisioning successfully, specify the enabled and disabled values that your organization uses for user accounts. To disable an account, Okta recommends deleting the user's password. Use the Profile Editor to select additional user profile attributes.
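The following is an added example, not Okta or IBM code, showing what the default settings above mean when applied to directory data: the user lookup filter that the agent logs show (built with RFC 4515 escaping of the uid, so a login value such as `*)(objectclass=*` cannot widen the query), the unique identifier from ibm-entryuuid, group membership resolved through uniquemember, and the account state read from pwdaccountlockedtime. The entries in DIRECTORY are constructed, and treating any value in pwdaccountlockedtime as "disabled" is this example's assumption; the real mapping is whatever you enter for the Account Disabled and Account Enabled Values.

```python
"""Apply the default IBM LDAP integration settings to sample directory data.

Added example, not code from Okta or IBM. The directory entries below are
constructed; the attribute names are the integration defaults listed above.
"""

# Integration defaults. LDAP attribute names are case-insensitive, so the sample
# data and the lookups below use lower case throughout.
USER_OBJECT_CLASS = "inetorgperson"
UNIQUE_ID_ATTR = "ibm-entryuuid"
ACCOUNT_DISABLED_ATTR = "pwdaccountlockedtime"
GROUP_OBJECT_CLASS = "groupofuniquenames"
MEMBER_ATTR = "uniquemember"

# Constructed sample directory: DN -> {attribute: [values]}.
DIRECTORY = {
    "uid=alice,ou=people,o=example": {
        "objectclass": ["top", "person", "organizationalperson", "inetorgperson"],
        "uid": ["alice"],
        "mail": ["alice@example.com"],
        "givenname": ["Alice"],
        "sn": ["Liddell"],
        "ibm-entryuuid": ["3b1c6d2e-0000-4000-8000-000000000001"],
    },
    "uid=bob,ou=people,o=example": {
        "objectclass": ["top", "person", "organizationalperson", "inetorgperson"],
        "uid": ["bob"],
        "mail": ["bob@example.com"],
        "givenname": ["Bob"],
        "sn": ["Builder"],
        "ibm-entryuuid": ["3b1c6d2e-0000-4000-8000-000000000002"],
        # Present on this entry to represent a locked account (assumption, see is_disabled).
        "pwdaccountlockedtime": ["000001010000Z"],
    },
    "cn=engineering,ou=groups,o=example": {
        "objectclass": ["top", "groupofuniquenames"],
        "cn": ["engineering"],
        "uniquemember": ["uid=alice,ou=people,o=example", "uid=bob,ou=people,o=example"],
    },
}

# RFC 4515 assertion-value escapes: these are the characters that would otherwise
# change the structure of a search filter.
_RFC4515_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so that user-controlled input cannot alter the filter."""
    return "".join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)


def auth_filter(uid: str) -> str:
    """The user lookup filter seen in the agent logs, with the uid escaped."""
    return f"(&(objectclass={USER_OBJECT_CLASS})(uid={escape_filter_value(uid)}))"


def find_user(uid: str):
    """Return (dn, entry) for the inetorgperson whose uid equals `uid` exactly, else None."""
    for dn, entry in DIRECTORY.items():
        classes = {c.lower() for c in entry.get("objectclass", [])}
        if USER_OBJECT_CLASS in classes and entry.get("uid") == [uid]:
            return dn, entry
    return None


def is_disabled(entry) -> bool:
    """Assumption for this example: any value in pwdaccountlockedtime means disabled."""
    return bool(entry.get(ACCOUNT_DISABLED_ATTR))


def groups_for(dn: str):
    """Groups whose uniquemember lists this DN (DNs compared case-insensitively)."""
    return sorted(
        gdn for gdn, g in DIRECTORY.items()
        if GROUP_OBJECT_CLASS in {c.lower() for c in g.get("objectclass", [])}
        and dn.lower() in {m.lower() for m in g.get(MEMBER_ATTR, [])}
    )


def okta_view(uid: str):
    """The identity data the defaults above yield for one user, or None if no match."""
    found = find_user(uid)
    if found is None:
        return None
    dn, entry = found
    return {
        "externalId": entry[UNIQUE_ID_ATTR][0],
        "dn": dn,
        "disabled": is_disabled(entry),
        "groups": groups_for(dn),
    }


if __name__ == "__main__":
    print(auth_filter("alice"))
    print(auth_filter("*)(objectclass=*"))  # injection attempt, neutralised by escaping
    print(okta_view("alice"))
    print(okta_view("bob"))
```

The escaping matters because the uid in the filter comes straight from the sign-in form; compare the `User not found` log line further down, which shows the agent's query with the typed value inside it.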

Schema read

There are no special considerations for IBM LDAP integrations.

Password change

Users can change their password by selecting Settings on the Okta end user dashboard.

To allow users to change or reset their password, click Security > Delegated Authentication, select the LDAP tab, and then select Users can change their LDAP passwords in Okta.

Validation error messages are displayed on the Delegated Authentication page.

By default, IBM Security Directory Server stores passwords in plain text. To encrypt passwords before they are saved, see password encryption in the IBM Security Directory Server documentation.

Password reset

Password reset is triggered by an administrator or the User Forgot Password flow.

IBM password policies are not replicated in Okta. Okta can therefore generate a password that does not meet the LDAP password policy, and the user's next authentication fails. To prevent this, review your IBM Directory Server password policies to identify and correct conflicts before allowing password resets through Okta.

Import

There are no special considerations for IBM LDAP integrations.

JIT provisioning

There are no special considerations for IBM Just In Time (JIT) provisioning. For the user identifier (UID), use an email format to match the default setting for an Okta username. Do not use an external identity provider (IdP) to trigger sign in.

To make sure that JIT provisioning is successful the first time:

  • the value of the configured naming attribute (such as UID) must not already exist in Okta.
  • the value of the configured naming attribute (such as UID) must be unique across all JIT-enabled directories.
  • the required attributes must be present. The Okta defaults are email, givenName, sn, and uid.
  • the password must be correct.
  • the Account Disabled Attribute on the LDAP server must hold the enabled value (that is, the account must not be disabled).

When JIT provisioning completes successfully, all of the user attributes specified on the LDAP settings page and in the Profile Editor are imported. To select additional mandatory attributes, use the Profile Editor.
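As an added example (not Okta code), the check below runs the preconditions in the list above against constructed data before a user's first JIT sign-in, so you can find the failing condition without reading agent logs. DIRECTORIES stands in for the JIT-enabled LDAP directories (uid to entry), EXISTING_OKTA_USERS for usernames already in Okta, and the entry keys are the Okta default attribute names; the bind is simulated by comparing a SHA-256 digest, whereas the real agent binds to the directory as the user.

```python
"""Pre-flight check of the JIT provisioning preconditions.

Added example, not Okta code. DIRECTORIES and EXISTING_OKTA_USERS are
constructed inputs; the bind is simulated with a digest comparison.
"""
import hashlib
import hmac
import re

REQUIRED_ATTRS = ("email", "givenName", "sn", "uid")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def _pw(secret: str) -> str:
    """Stand-in for the directory's stored credential (assumption for this example)."""
    return hashlib.sha256(secret.encode()).hexdigest()


def _entry(uid, given, sn, secret, disabled=False, email=None):
    return {"email": email if email is not None else uid, "givenName": given,
            "sn": sn, "uid": uid, "pw": _pw(secret), "disabled": disabled}


# Constructed sample data: two JIT-enabled directories and the usernames already in Okta.
DIRECTORIES = {
    "ibm-east": {
        "grace@example.com": _entry("grace@example.com", "Grace", "Hopper", "c0bol-1959"),
        "carol@example.com": _entry("carol@example.com", "Carol", "Danvers", "c0rrect-h0rse"),
        "dave@example.com": _entry("dave@example.com", "Dave", "Lister", "red-dwarf", disabled=True),
        "erin": _entry("erin", "Erin", "", "hale", email="erin@example.com"),  # sn missing, uid not email
        "frank@example.com": _entry("frank@example.com", "Frank", "Drebin", "police-squad"),
    },
    "ibm-west": {
        "carol@example.com": _entry("carol@example.com", "Carol", "Danvers", "c0rrect-h0rse"),
    },
}
EXISTING_OKTA_USERS = {"frank@example.com"}


def jit_check(directory: str, uid: str, password: str):
    """Return the reasons a first-time JIT sign-in would fail; an empty list means it should succeed."""
    entry = DIRECTORIES.get(directory, {}).get(uid)
    if entry is None:
        return [f"no entry for {uid!r} in {directory}"]
    problems = []
    if uid in EXISTING_OKTA_USERS:
        problems.append("naming attribute value already exists in Okta")
    clashes = [d for d, users in DIRECTORIES.items() if d != directory and uid in users]
    if clashes:
        problems.append("naming attribute value is not unique; also in: " + ", ".join(clashes))
    missing = [a for a in REQUIRED_ATTRS if not entry.get(a)]
    if missing:
        problems.append("required attributes missing: " + ", ".join(missing))
    if not EMAIL_RE.match(uid):
        problems.append("uid is not in email format, so it will not match the default Okta username")
    # Constant-time comparison of the simulated credential.
    if not hmac.compare_digest(entry["pw"], _pw(password)):
        problems.append("password incorrect")
    if entry["disabled"]:
        problems.append("account is disabled on the LDAP server")
    return problems


def jit_ready(directory: str, uid: str, password: str) -> bool:
    return not jit_check(directory, uid, password)


if __name__ == "__main__":
    for d, u, p in [("ibm-east", "grace@example.com", "c0bol-1959"),
                    ("ibm-east", "carol@example.com", "c0rrect-h0rse"),
                    ("ibm-east", "erin", "hale"),
                    ("ibm-east", "dave@example.com", "red-dwarf")]:
        print(u, jit_check(d, u, p) or "ready")
```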

Provisioning

IBM password policies are not replicated in Okta. Okta can therefore generate a password that does not meet the LDAP password policy, and the user's next authentication fails. To prevent this, review your IBM Directory Server password policies to identify and correct conflicts before allowing password resets through Okta.

To create and assign passwords when creating user profiles:

  1. Contact Okta customer support to enable LDAP push password updates.
  2. Disable delegated authentication:
    1. Click Security > Delegated Authentication > LDAP.
    2. Click Edit in the Delegated Authentication pane.
    3. Clear the Enable delegated authentication to LDAP check box.
    4. Click Save.
    5. Accept the default setting to reset all LDAP user passwords and click Disable LDAP Authentication.
  3. Open your Okta Admin Console, click Directory > Directory Integrations > LDAP > Provisioning > To App.
  4. Click Edit, select Enable next to Sync Password, and click Save.

When Sync Password is enabled, the LDAP agent sends the action PASSWORD_UPDATE when the user signs in for the first time.

To assign existing Okta users to LDAP:

  1. Open your Okta Admin Console, click Directory > Directory Integrations > LDAP > Provisioning > To App.
  2. Click Edit, select Enable next to Create Users, and click Save.
  3. Click Directory > Groups.
  4. Select the Okta group to which you want to assign users.
  5. Click Manage Directories.
  6. Select an LDAP instance in the left pane and click Next.
  7. Enter the full distinguished name (DN) for the new user LDAP container in the Provisioning Destination DN field.
  8. Click Confirm Changes.

Troubleshooting

The agent logs record the result of each LDAP authentication attempt. The following examples show a successful attempt and the common failure cases; use the error code, matched dn, and message fields to diagnose and resolve failures:

Agent: Success

scanResults are sent with user and group info

POST initiated with result status=SUCCESS, actionType=USER_AUTH_AND_UPDATE, actionId=ADSx27FqYtCqky2Wv0g3, diagnostic message=, error code=, matched dn=, message=SUCCESS, result code=, vendor=IBM

Agent: Delauth failure

POST initiated with result status=FAILURE, actionType=USER_AUTH_AND_UPDATE, actionId=ADSx1f9Wa5VsAmx8g0g3, diagnostic message=, error code=49, matched dn=cn=DelAuth,ou=Automation,O=FOX, message=LDAPException(resultCode=49 (invalid credentials), errorMessage='invalid credentials'), result code=invalid credentials, vendor=IBM

Agent: No user

POST initiated with result status=FAILURE, actionType=USER_AUTH_AND_UPDATE, actionId=ADSx1zLU1yUw7hcKM0g3, diagnostic message=, error code=, matched dn=, message=User not found while executing query: (&(objectclass=inetorgperson)(uid=asdfasdf)), result code=, vendor=IBM

Agent: Password Expired

POST initiated with result status=FAILURE, actionType=USER_AUTH_AND_UPDATE, actionId=ADSydvdqGivWZ2eBN0g3, diagnostic message=, error code=508, matched dn=cn=PasswordExpired,ou=Automation,o=FOX, message=LDAPException(resultCode=508, errorMessage='508'), result code=508, vendor=IBM

Agent: Locked Out

POST initiated with result status=FAILURE, actionType=USER_AUTH_AND_UPDATE, actionId=ADSyhmxo2EEQAPJTu0g3, diagnostic message=Error, Account is locked, error code=53, matched dn=cn=miikka117 newman,ou=automation,o=fox, message=LDAPException(resultCode=53 (unwilling to perform), errorMessage='Error, Account is locked', diagnosticMessage='Error, Account is locked'), result code=unwilling to perform, vendor=IBM
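The five result lines above share one field layout (status, actionType, actionId, diagnostic message, error code, matched dn, message, result code, vendor), but several values contain commas, so splitting on ", " breaks the matched dn and the lock message. The parser below is an added example, not Okta code: it matches the labels in sequence, classifies each record by error code and message, and pulls the exact search filter out of a "User not found" record. SAMPLE_LINES reproduces the lines from this section; the outcome labels and the 508 handling (an IBM-specific code, taken from the sample rather than the LDAP standard) are this example's own.

```python
"""Parse and classify Okta LDAP agent result lines.

Added example, not Okta code. SAMPLE_LINES reproduces the log lines shown in
this section; the classification labels are this example's own.
"""
import re
from collections import Counter

# Labels are matched in their fixed order; each value is non-greedy up to the
# next label, which is what keeps commas inside the dn and messages intact.
LINE_RE = re.compile(
    r"POST initiated with result status=(?P<status>[A-Z]+), "
    r"actionType=(?P<action_type>[A-Z_]+), "
    r"actionId=(?P<action_id>[^,]+), "
    r"diagnostic message=(?P<diagnostic>.*?), "
    r"error code=(?P<error_code>\d*), "
    r"matched dn=(?P<matched_dn>.*?), "
    r"message=(?P<message>.*?), "
    r"result code=(?P<result_code>.*?), "
    r"vendor=(?P<vendor>\S+)$"
)
QUERY_RE = re.compile(r"executing query: (\(.*\))$")

SAMPLE_LINES = [
    "POST initiated with result status=SUCCESS, actionType=USER_AUTH_AND_UPDATE, actionId=ADSx27FqYtCqky2Wv0g3, diagnostic message=, error code=, matched dn=, message=SUCCESS, result code=, vendor=IBM",
    "POST initiated with result status=FAILURE, actionType=USER_AUTH_AND_UPDATE, actionId=ADSx1f9Wa5VsAmx8g0g3, diagnostic message=, error code=49, matched dn=cn=DelAuth,ou=Automation,O=FOX, message=LDAPException(resultCode=49 (invalid credentials), errorMessage='invalid credentials'), result code=invalid credentials, vendor=IBM",
    "POST initiated with result status=FAILURE, actionType=USER_AUTH_AND_UPDATE, actionId=ADSx1zLU1yUw7hcKM0g3, diagnostic message=, error code=, matched dn=, message=User not found while executing query: (&(objectclass=inetorgperson)(uid=asdfasdf)), result code=, vendor=IBM",
    "POST initiated with result status=FAILURE, actionType=USER_AUTH_AND_UPDATE, actionId=ADSydvdqGivWZ2eBN0g3, diagnostic message=, error code=508, matched dn=cn=PasswordExpired,ou=Automation,o=FOX, message=LDAPException(resultCode=508, errorMessage='508'), result code=508, vendor=IBM",
    "POST initiated with result status=FAILURE, actionType=USER_AUTH_AND_UPDATE, actionId=ADSyhmxo2EEQAPJTu0g3, diagnostic message=Error, Account is locked, error code=53, matched dn=cn=miikka117 newman,ou=automation,o=fox, message=LDAPException(resultCode=53 (unwilling to perform), errorMessage='Error, Account is locked', diagnosticMessage='Error, Account is locked'), result code=unwilling to perform, vendor=IBM",
]


def parse_line(line: str):
    """Return the named fields of one result line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(rec) -> str:
    """Map one parsed record to a coarse outcome."""
    if rec["status"] == "SUCCESS":
        return "success"
    code = rec["error_code"]
    text = (rec["diagnostic"] + " " + rec["message"]).lower()
    if code == "49":
        return "invalid_credentials"   # LDAP resultCode 49
    if code == "53" and "locked" in text:
        return "account_locked"        # unwillingToPerform carrying the lock message
    if code == "508":
        return "password_expired"      # code as it appears in the sample line
    if rec["message"].startswith("User not found"):
        return "user_not_found"
    return "other_failure"


def queried_filter(rec):
    """For a 'User not found' record, the exact search filter the agent ran."""
    m = QUERY_RE.search(rec["message"])
    return m.group(1) if m else None


def summarize(lines):
    """Count outcomes over a batch of lines; unparsable lines are counted separately."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        counts["unparsed" if rec is None else classify(rec)] += 1
    return dict(counts)


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        rec = parse_line(line)
        print(classify(rec), rec["matched_dn"] or "-", queried_filter(rec) or "")
    print(summarize(SAMPLE_LINES))
```

Run over a day of agent logs, `summarize` separates credential failures from lockouts and missing users; a burst of `invalid_credentials` or `user_not_found` from one source is the pattern to alert on, and the filter returned by `queried_filter` shows exactly what value the agent put into the uid assertion.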
