Configure incremental imports for AD LDS

Incremental import with LDAP generally relies on an accurate modifyTimestamp value to identify changes since the last import. Each user, group, and OU/container entry in the LDAP server must have an accurate modifyTimestamp value for incremental import to work.

Okta also supports the use of the Update Sequence Number (USN) for AD LDS users to support incremental imports.

To use the USN for incremental imports, all your Okta LDAP Agents must be at version 5.6.2 or higher. If you are not using AD LDS, or if any one of your Okta LDAP Agents is version 5.6.1 or below, you can still select USN as the change tracking attribute, but the agent reverts to modifyTimestamp.

Additionally, you must have the following features enabled for your org:

  • The updated LDAP provisioning user interface
  • Incremental imports
  • USN incremental imports

After you have updated all your Okta LDAP Agents to 5.6.2 or higher, you can set the change tracking attribute for incremental imports as follows:

  1. On the Okta Admin Console, click Directory > Directory Integrations and select your LDAP instance.
  2. Click Provisioning and select To Okta in the Settings list.
  3. In the General section, click Edit.
  4. Select the Enable check box next to Incremental import.
  5. Select the change tracking attribute you want to use: USN or modifyTimestamp.
  6. Click Save.
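
The following added example (not Okta LDAP Agent code) shows why each entry needs an accurate value for the chosen change tracking attribute: an entry with a missing or inaccurate modifyTimestamp is skipped by a timestamp-based delta, while a USN-based delta still selects it. The entries, DNs, watermark values, the use of the uSNChanged attribute to carry the USN, and the simple "greater than the last watermark" comparison are all assumptions made for illustration.

```python
# Added illustration, not Okta LDAP Agent code. All entries and watermarks are constructed.
from datetime import datetime, timezone

def parse_generalized_time(value):
    """Parse an LDAP GeneralizedTime such as '20240301120000.0Z' (UTC 'Z' form only)."""
    digits = value.split(".")[0].rstrip("Z")
    return datetime.strptime(digits, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def missing_tracking_attr(entries, attr):
    """Pre-flight check: DNs of entries that lack the change tracking attribute."""
    return [e["dn"] for e in entries if not e.get(attr)]

def delta_by_timestamp(entries, last_import):
    """DNs whose modifyTimestamp is later than the previous import time."""
    return [e["dn"] for e in entries
            if e.get("modifyTimestamp")
            and parse_generalized_time(e["modifyTimestamp"]) > last_import]

def delta_by_usn(entries, last_usn):
    """DNs whose uSNChanged is above the highest USN seen at the previous import."""
    return [e["dn"] for e in entries if int(e.get("uSNChanged", 0)) > last_usn]

# Constructed directory snapshot (hypothetical DNs and values).
ENTRIES = [
    # Not modified since the previous import.
    {"dn": "CN=alice,OU=Users,DC=example,DC=com",
     "modifyTimestamp": "20240301090000.0Z", "uSNChanged": "1040"},
    # Modified after the previous import, timestamp accurate.
    {"dn": "CN=bob,OU=Users,DC=example,DC=com",
     "modifyTimestamp": "20240302103000.0Z", "uSNChanged": "1101"},
    # Modified after the previous import, but the timestamp is inaccurate (too old).
    {"dn": "CN=carol,OU=Users,DC=example,DC=com",
     "modifyTimestamp": "20240228080000.0Z", "uSNChanged": "1102"},
    # Container returned without a modifyTimestamp value.
    {"dn": "OU=Contractors,DC=example,DC=com", "uSNChanged": "1103"},
]
LAST_IMPORT_TIME = datetime(2024, 3, 1, 12, 0, 0, tzinfo=timezone.utc)
LAST_IMPORT_USN = 1100

if __name__ == "__main__":
    print("no modifyTimestamp:", missing_tracking_attr(ENTRIES, "modifyTimestamp"))
    print("timestamp delta:   ", delta_by_timestamp(ENTRIES, LAST_IMPORT_TIME))
    print("USN delta:         ", delta_by_usn(ENTRIES, LAST_IMPORT_USN))
```

Running the pre-flight check against a real export before enabling incremental import shows which users, groups, or containers would never be picked up by the selected attribute.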