Oracle Directory Server Enterprise Edition LDAP integration reference

This topic provides reference information specific to Oracle Directory Server Enterprise Edition (ODSEE) LDAP integrations. When you're installing the Okta LDAP Agent, you need this information to integrate your ODSEE directory with Okta. See Install the Okta LDAP Agent.

Recommended version

ODSEE 11.1.1.7.0

Known issues

  • Users must provide their new password twice to access the Okta Admin Console after requesting a self-service password reset or after an admin resets their password.
  • Users with a temporary password aren't prompted to create a new password and can continue to use the temporary password for authentication.
  • A locked user account can't be unlocked when the account is locked on the LDAP server.
  • When the provisioning setting for deactivated users is Do nothing, users deactivated in LDAP remain active in Okta. When a single source provides user profile attributes, the deactivated user is disconnected from that source and Okta becomes the source of the user's profile attributes.

Integration configuration

During the initial agent install and configuration documented in Install the Okta LDAP Agent, these are the attributes for ODSEE:

  • LDAP version: ODSEE. If you select Sun DSEE or another option, the virtual list view (VLV) request control isn't activated, and without VLV an LDAP import can fail when the data set is too large. The ODSEE option isn't available unless it's activated by Okta support.
  • Unique Identifier Attribute: nsuniqueid
  • DN Attribute: entrydn
  • User Object Class: inetorgperson
  • User Object Filter: (objectclass=inetorgperson)
  • *Account Disabled Attribute: nsAccountLock
  • *Account Disabled Value: TRUE
  • *Account Enabled Value: FALSE
  • Password Attribute: userpassword
  • Group Object Class: groupofuniquenames
  • Group Object Filter: (objectclass=groupofuniquenames). The filter must select the same class as Group Object Class: groupOfUniqueNames stores its members in uniqueMember, while groupOfNames stores them in member, so the object class, filter, and member attribute must agree.
  • Member Attribute: uniquemember
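As an added example (not part of the Okta documentation or the agent's own code), the following Python builds the per-user search filter in the shape that appears in the agent log further down, (&(objectclass=inetorgperson)(uid=<username>)), with the username escaped per RFC 4515 so that characters such as * and ) cannot change the filter, and checks that the three group settings agree with each other. The OdseeProfile defaults are the values listed above; the mapping from group object class to member attribute is the standard one from RFC 4519; the OdseeProfile name and the helper functions are this example's own.

```python
"""Build the per-user search filter for delegated authentication and check
that the ODSEE group settings agree with each other.

Added example, not Okta LDAP Agent code. Profile defaults are the values from
the integration configuration above; the group class to member attribute
mapping is the standard one from RFC 4519."""

from dataclasses import dataclass

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value so it cannot change the structure of the filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


@dataclass(frozen=True)
class OdseeProfile:
    user_object_filter: str = "(objectclass=inetorgperson)"
    username_attribute: str = "uid"  # attribute the agent matches the Okta username against
    group_object_class: str = "groupofuniquenames"
    group_object_filter: str = "(objectclass=groupofuniquenames)"
    member_attribute: str = "uniquemember"
    account_disabled_attribute: str = "nsAccountLock"
    account_disabled_value: str = "TRUE"


def user_lookup_filter(profile: OdseeProfile, username: str) -> str:
    """Same shape as the query in the agent log: (&(<user object filter>)(uid=<username>))."""
    return (f"(&{profile.user_object_filter}"
            f"({profile.username_attribute}={escape_filter_value(username)}))")


# RFC 4519: which attribute each standard group class stores its members in.
_MEMBER_ATTRIBUTE_FOR_CLASS = {"groupofnames": "member", "groupofuniquenames": "uniquemember"}


def group_settings_problems(profile: OdseeProfile) -> list[str]:
    """Reasons the group object class, filter and member attribute cannot work together."""
    problems = []
    cls = profile.group_object_class.lower()
    expected_member = _MEMBER_ATTRIBUTE_FOR_CLASS.get(cls)
    if expected_member is None:
        problems.append(f"unknown group object class {profile.group_object_class}")
    elif profile.member_attribute.lower() != expected_member:
        problems.append(f"{profile.group_object_class} stores members in "
                        f"{expected_member}, not {profile.member_attribute}")
    if profile.group_object_filter.replace(" ", "").lower() != f"(objectclass={cls})":
        problems.append(f"group object filter {profile.group_object_filter} does not "
                        f"select objectclass {profile.group_object_class}")
    return problems


def is_account_disabled(entry: dict[str, list[str]], profile: OdseeProfile) -> bool:
    """nsAccountLock is usually absent on an enabled ODSEE entry, so a missing attribute means enabled."""
    attrs = {name.lower(): values for name, values in entry.items()}
    values = attrs.get(profile.account_disabled_attribute.lower(), [])
    return any(v.upper() == profile.account_disabled_value.upper() for v in values)


if __name__ == "__main__":
    profile = OdseeProfile()
    print(user_lookup_filter(profile, "ODSEE@odsee.com"))
    print(user_lookup_filter(profile, "*)(uid=*"))  # hostile input stays a single uid value
    print(group_settings_problems(OdseeProfile(group_object_filter="(objectclass=groupofnames)")))
```

The second print shows why the escaping matters: without it, a username of *)(uid=* would turn the agent's lookup into a filter that matches every inetorgperson entry.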

Schema read

There are no special considerations for ODSEE LDAP integrations.

To add attributes from AUX classes, add the auxiliary class as an Auxiliary Object Class to the directory provisioning configuration. For example, the dc attribute is added to the Okta schema attributes when the Auxiliary Object Class is dcObject.

Password change

Users can change their password by selecting Settings on the Okta end user dashboard.

Okta parses password update operations that fail, and the LDAP error message appears on the Delegated Authentication page. For example, when the new password matches one in the user's password history, the error message Password change failed due to following reason : password in history appears.

Password reset

Password reset is triggered by an administrator or the User Forgot Password flow.

Password reset can fail if the new password doesn't meet the password policy criteria.

Users can't update expired passwords. Admins must reset expired passwords.

Password validation

Use the pwdPolicy object class to implement ODSEE-specific password policies.

You can configure settings such as password length and expiration on your LDAP instance.

If a user incorrectly enters an Okta password four times or an LDAP password five times, the LDAP server's password policy locks the LDAP user account (status Locked). Because the lock lives on the LDAP server, the user still displays as Active in the Okta Admin Console. When an account is in this state, an administrator must unlock the user account. See Unlock an individual user account.

Import

ODSEE LDAP integrations support the LDAP virtual list view (VLV) control. By default, the sorting key is uid for users and cn for groups. Imports page through results with VLV in much the same way as with the server's simple paged results control. When VLV is enabled, the agent log displays a message such as: VLVContext for reading from LDAP with sortingKey=cn.

If you're using the LDAP VLV control, you need to create VLV indices (browsing indexes) whose base DN, scope, filter, and sort key match the user and group imports. For example, for the user base DN ou=people,dc=example,dc=com, the index pair uses these default values. Replace cn=database-name with the name of the ODSEE database that holds the suffix, and create a second pair for the group base DN sorted on cn:

dn: cn=people_browsing_index, cn=database-name, cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: vlvSearch
cn: Browsing ou=People
vlvBase: ou=People,dc=example,dc=com
vlvScope: 2
vlvFilter: (objectclass=inetOrgPerson)

dn: cn=Sort rev uid, cn=people_browsing_index, cn=database-name,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: vlvIndex
cn: Sort rev uid
vlvSort: uid

After you create your VLV indices, you might need to reindex the LDAP server to implement the new settings.

To create a VLV index, see To Add or Modify Browsing Index Entries in the Oracle Directory Server Enterprise Edition Administration Guide.
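The following Python, added here as an example and not taken from the Okta or Oracle documentation, emits a vlvSearch/vlvIndex pair for a given base DN, filter, and sort key, so one function produces both the user index sorted on uid and the group index sorted on cn, and then checks a planned VLV search against the resulting LDIF the way the server would have to match it (same base, scope, and filter, plus an index on the sort key). The database name userRoot, the group base DN ou=Groups,dc=example,dc=com, and the function names are this example's own placeholders; unlike the LDIF above, the generator sets cn to the entry's RDN value so the entry is self-consistent.

```python
"""Generate ODSEE browsing-index (VLV) entries for the agent's user and group
imports and check that a planned VLV search is covered by them.

Added example, not from the Okta or Oracle documentation. The entry layout
follows the LDIF above. Database name (userRoot), base DNs and filters are
placeholders; the real values come from your ODSEE instance and the
integration configuration on this page."""

from dataclasses import dataclass

SUBTREE = 2  # vlvScope for a subtree search, as in the LDIF above


@dataclass(frozen=True)
class VlvSearch:
    base_dn: str
    scope: int
    filter: str
    sort_key: str  # the agent default is uid for users and cn for groups


def _norm_dn(dn: str) -> str:
    """Case-insensitive DN comparison ignoring whitespace around RDN separators."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def _norm_filter(f: str) -> str:
    return f.replace(" ", "").lower()


def browsing_index_ldif(name: str, database: str, search: VlvSearch) -> str:
    """vlvSearch entry plus its vlvIndex child. cn is set to the RDN value so the
    entry is self-consistent (the LDIF above uses free text for cn)."""
    search_dn = f"cn={name},cn={database},cn=ldbm database,cn=plugins,cn=config"
    index_cn = f"Sort {search.sort_key}"
    return "\n".join([
        f"dn: {search_dn}",
        "objectClass: top",
        "objectClass: vlvSearch",
        f"cn: {name}",
        f"vlvBase: {search.base_dn}",
        f"vlvScope: {search.scope}",
        f"vlvFilter: {search.filter}",
        "",
        f"dn: cn={index_cn},{search_dn}",
        "objectClass: top",
        "objectClass: vlvIndex",
        f"cn: {index_cn}",
        f"vlvSort: {search.sort_key}",
        "",
        "",  # trailing blank line separates this pair from whatever is appended next
    ])


def agent_default_indexes(database: str, user_base: str, user_filter: str,
                          group_base: str, group_filter: str) -> str:
    """One vlvSearch/vlvIndex pair per base DN, sorted on the agent's default keys."""
    users = VlvSearch(user_base, SUBTREE, user_filter, "uid")
    groups = VlvSearch(group_base, SUBTREE, group_filter, "cn")
    return (browsing_index_ldif("people_browsing_index", database, users)
            + browsing_index_ldif("groups_browsing_index", database, groups))


def parse_ldif_entries(ldif: str) -> list[dict[str, list[str]]]:
    """Minimal LDIF reader: blank-line separated entries, no continuation lines or base64."""
    entries, current = [], {}
    for line in ldif.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def index_covers(ldif: str, wanted: VlvSearch) -> bool:
    """True when the LDIF holds a vlvSearch with the same base, scope and filter and a
    vlvIndex beneath it sorted on the wanted key; otherwise the server has no index
    for the search the agent will send."""
    entries = parse_ldif_entries(ldif)

    def has_class(entry, name):
        return name in [c.lower() for c in entry.get("objectclass", [])]

    for e in entries:
        if not has_class(e, "vlvsearch"):
            continue
        if (_norm_dn(e.get("vlvbase", [""])[0]) != _norm_dn(wanted.base_dn)
                or e.get("vlvscope", ["-1"])[0] != str(wanted.scope)
                or _norm_filter(e.get("vlvfilter", [""])[0]) != _norm_filter(wanted.filter)):
            continue
        search_dn = _norm_dn(e.get("dn", [""])[0])
        for child in entries:
            if (has_class(child, "vlvindex")
                    and _norm_dn(child.get("dn", [""])[0]).endswith("," + search_dn)
                    and child.get("vlvsort", [""])[0].lower() == wanted.sort_key.lower()):
                return True
    return False


if __name__ == "__main__":
    print(agent_default_indexes("userRoot", "ou=People,dc=example,dc=com", "(objectclass=inetorgperson)",
                                "ou=Groups,dc=example,dc=com", "(objectclass=groupofuniquenames)"))
```

Run index_covers against the LDIF you intend to load before the first large import: a search whose base, scope, filter, or sort key differs from the index (for example a group import sorted on cn against an index that only sorts on uid) is exactly the case the check reports as uncovered.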

JIT provisioning

There are no special considerations for ODSEE Just-In-Time (JIT) provisioning. For user identification (UID), use an email format to match the default setting for an Okta username. Don't use an external identity provider (IdP) to trigger sign-in.

To make sure that JIT provisioning is successful the first time:

  • The value of the configured naming attribute (such as UID) must not exist in Okta.
  • The value of the configured naming attribute (such as UID) must be unique in all JIT-enabled directories.
  • The required attributes must be present. The Okta defaults are email, givenName, sn, and uid.
  • The password must be correct.
  • The Account Disabled Attribute must not carry the disabled value on the LDAP server. For ODSEE, nsAccountLock must be FALSE or absent; an entry with nsAccountLock set to TRUE is rejected as inactivated.

When JIT provisioning completes successfully, all user attributes specified on the LDAP settings page and in the Profile Editor are imported. To select other mandatory attributes, use the Profile Editor.

Membership import

During import with the default ODSEE settings, groups with the objectClass groupofuniquenames are imported, and each user is added to the groups whose uniquemember attribute (the configured Member Attribute) lists that user.

If the membership attribute is instead set to seeAlso, membership is read from the user side: users are assigned to the groups named in their seeAlso attribute.

Provisioning

To allow passwords to be set on the LDAP instance when users are created or assigned, disable delegated authentication (DelAuth), have Okta support enable LDAP_PUSH_PASSWORD_UPDATES, and enable Sync Password for the LDAP instance. With these settings, the LDAP agent sends the PASSWORD_UPDATE action when the user signs in for the first time or when they're assigned. Without them, the password is never transferred to your LDAP instance.

To create and assign passwords when creating user profiles:

  1. Contact Okta customer support to enable LDAP push password updates.
  2. Disable delegated authentication:
    1. In the Admin Console, go to Security > Delegated Authentication > LDAP.
    2. Click Edit in the Delegated Authentication pane.
    3. Clear the Enable delegated authentication to LDAP checkbox.
    4. Click Save.
    5. Accept the default setting to reset all LDAP user passwords and click Disable LDAP Authentication.
  3. In the Admin Console, go to Directory > Directory Integrations > LDAP > Provisioning > To App.
  4. Click Edit, select Enable next to Sync Password, and click Save.

With Sync Password enabled, the LDAP agent sends the PASSWORD_UPDATE action when the user signs in for the first time.

To assign existing Okta users to LDAP:

  1. In the Admin Console, go to Directory > Directory Integrations > LDAP > Provisioning > To App.
  2. Click Edit, select Enable next to Create Users, and click Save.
  3. Click Directory > Groups.
  4. Select the Okta group to which you want to assign users.
  5. Click Manage Directories.
  6. Select an LDAP instance in the left pane and click Next.
  7. Enter the full distinguished name (DN) for the new user LDAP container in the Provisioning Destination DN field.
  8. Click Confirm Changes.

Troubleshooting

The agent log records the outcome of each delegated authentication request. If LDAP authentication fails, messages similar to the following assist with diagnosis and resolution (the success case is shown first for comparison):

Agent: Success

POST initiated with result status=SUCCESS, actionType=USER_AUTH_AND_UPDATE, actionId=ADStwgvcY62FO3G5j0g3, diagnostic message=, error code=, matched dn=, message=SUCCESS, result code=, vendor=OID

Agent: Delauth failure

POST initiated with result status=FAILURE, actionType=USER_AUTH_AND_UPDATE, actionId=ADStwmk6wiL2JhaEq0g3, diagnostic message=, error code=49, matched dn=cn=MultyGroupsODSEE MultyGroupsODSEE,ou=QA users,dc=okta,dc=com, message=LDAPException(resultCode=49 (invalid credentials), errorMessage='invalid credentials'), result code=invalid credentials, vendor=OID

Agent: No user

POST initiated with result status=FAILURE, actionType=USER_AUTH_AND_UPDATE, actionId=ADStwotN9I9aWlO0w0g3, diagnostic message=, error code=, matched dn=, message=User not found while executing query: (&(objectclass=inetorgperson)(uid=ODSEE@odsee.com)), result code=, vendor=OID

Agent: Password expired

POST initiated with result status=FAILURE, actionType=USER_AUTH_AND_UPDATE, actionId=ADSu1co2UeSUZXlxd0g3, diagnostic message=password expired!, error code=49, matched dn=cn=MultyGroupsODSEE MultyGroupsODSEE,ou=QA users,dc=okta,dc=com, message=LDAPException(resultCode=49 (invalid credentials), errorMessage='password expired!', diagnosticMessage='password expired!', responseControls={PasswordExpiredControl(isCritical=false)}), result code=PASSWORD_EXPIRED, vendor=OID

Agent: User deactivated (nsAccountLock = TRUE)

POST initiated with result status=FAILURE, actionType=USER_AUTH_AND_UPDATE, actionId=ADSu1eOJMNAcTT3hQ0g3, diagnostic message=Account inactivated. Contact system administrator., error code=53, matched dn=cn=MultyGroupsODSEE MultyGroupsODSEE,ou=QA users,dc=okta,dc=com, message=LDAPException(resultCode=53 (unwilling to perform), errorMessage='Account inactivated. Contact system administrator.', diagnosticMessage='Account inactivated. Contact system administrator.'), result code=unwilling to perform, vendor=OID

Agent: User locked

POST initiated with result status=FAILURE, actionType=USER_AUTH_AND_UPDATE, actionId=ADStwqjhzOuGiPm6M0g3, diagnostic message=Exceed password retry limit. Account locked., error code=19, matched dn=cn=MultyGroupsODSEE MultyGroupsODSEE,ou=QA users,dc=okta,dc=com, message=LDAPException(resultCode=19 (constraint violation), errorMessage='Exceed password retry limit. Account locked.', diagnosticMessage='Exceed password retry limit. Account locked.'), result code=constraint violation, vendor=OID
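As an added example (not Okta agent code), the following Python parses agent result lines of the shape shown above and sorts them into the failure modes this section documents: invalid credentials versus an expired password (both arrive as LDAP result code 49 and differ only in the diagnostic message and result code), an inactivated account (code 53, nsAccountLock), and a lockout by the ODSEE password policy (code 19). The last two and the expired-password case are the ones that still show as Active in Okta and need an administrator, so the triage function collects their DNs. The field names are the ones that appear in the log lines above; the category names, the function names, and the triage rule are this example's own choices, and the sample lines are copied from this page rather than captured from a live agent.

```python
"""Classify Okta LDAP Agent authentication result lines of the form shown above.

Added example, not Okta agent code. Field names are the ones in the agent's
POST result lines on this page; categories and the triage rule are this
example's own. SAMPLE_LINES are copied from the troubleshooting section above,
not captured from a live agent."""

import re
from collections import Counter

_PREFIX = "POST initiated with result "
# Field names as they appear in the agent's POST result lines.
_FIELDS = ["status", "actionType", "actionId", "diagnostic message",
           "error code", "matched dn", "message", "result code", "vendor"]
# Split only at ", <field>=" so the commas inside DNs and LDAPException text survive.
_SPLIT_RE = re.compile(r", (?=(?:" + "|".join(re.escape(f) for f in _FIELDS) + r")=)")


def parse_result_line(line: str) -> dict[str, str]:
    """Return the key=value fields of one POST result line."""
    body = line.strip()
    if not body.startswith(_PREFIX):
        raise ValueError("not an agent POST result line")
    fields = {}
    for piece in _SPLIT_RE.split(body[len(_PREFIX):]):
        key, _, value = piece.partition("=")   # first '=' only: 'matched dn=cn=...' keeps its DN
        fields[key] = value
    return fields


def classify(fields: dict[str, str]) -> str:
    """Map a parsed line to the outcomes documented in the troubleshooting section."""
    if fields.get("status") == "SUCCESS":
        return "success"
    code = fields.get("error code", "")
    diag = fields.get("diagnostic message", "").lower()
    if fields.get("message", "").startswith("User not found"):
        return "no_user"               # uid did not match the user object filter
    if code == "49" and ("password expired" in diag or fields.get("result code") == "PASSWORD_EXPIRED"):
        return "password_expired"      # admin reset required (see Password reset)
    if code == "49":
        return "invalid_credentials"   # plain bad password, same LDAP code as expired
    if code == "53" and "inactivated" in diag:
        return "account_inactivated"   # nsAccountLock=TRUE on the entry
    if code == "19" and "retry limit" in diag:
        return "account_locked"        # ODSEE password policy lockout
    return "unknown"


def triage(lines: list[str]) -> tuple[Counter, set[str]]:
    """Count outcomes and collect the DNs that need an administrator: the LDAP
    server reports them locked, inactivated or expired while Okta still shows Active."""
    counts: Counter = Counter()
    needs_admin: set[str] = set()
    for line in lines:
        try:
            fields = parse_result_line(line)
        except ValueError:
            continue                   # unrelated log line
        category = classify(fields)
        counts[category] += 1
        if category in ("account_locked", "account_inactivated", "password_expired"):
            needs_admin.add(fields.get("matched dn", ""))
    return counts, needs_admin


# Sample input: the six lines from this page, one per documented outcome.
SAMPLE_LINES = [
    "POST initiated with result status=SUCCESS, actionType=USER_AUTH_AND_UPDATE, actionId=ADStwgvcY62FO3G5j0g3, diagnostic message=, error code=, matched dn=, message=SUCCESS, result code=, vendor=OID",
    "POST initiated with result status=FAILURE, actionType=USER_AUTH_AND_UPDATE, actionId=ADStwmk6wiL2JhaEq0g3, diagnostic message=, error code=49, matched dn=cn=MultyGroupsODSEE MultyGroupsODSEE,ou=QA users,dc=okta,dc=com, message=LDAPException(resultCode=49 (invalid credentials), errorMessage='invalid credentials'), result code=invalid credentials, vendor=OID",
    "POST initiated with result status=FAILURE, actionType=USER_AUTH_AND_UPDATE, actionId=ADStwotN9I9aWlO0w0g3, diagnostic message=, error code=, matched dn=, message=User not found while executing query: (&(objectclass=inetorgperson)(uid=ODSEE@odsee.com)), result code=, vendor=OID",
    "POST initiated with result status=FAILURE, actionType=USER_AUTH_AND_UPDATE, actionId=ADSu1co2UeSUZXlxd0g3, diagnostic message=password expired!, error code=49, matched dn=cn=MultyGroupsODSEE MultyGroupsODSEE,ou=QA users,dc=okta,dc=com, message=LDAPException(resultCode=49 (invalid credentials), errorMessage='password expired!', diagnosticMessage='password expired!', responseControls={PasswordExpiredControl(isCritical=false)}), result code=PASSWORD_EXPIRED, vendor=OID",
    "POST initiated with result status=FAILURE, actionType=USER_AUTH_AND_UPDATE, actionId=ADSu1eOJMNAcTT3hQ0g3, diagnostic message=Account inactivated. Contact system administrator., error code=53, matched dn=cn=MultyGroupsODSEE MultyGroupsODSEE,ou=QA users,dc=okta,dc=com, message=LDAPException(resultCode=53 (unwilling to perform), errorMessage='Account inactivated. Contact system administrator.', diagnosticMessage='Account inactivated. Contact system administrator.'), result code=unwilling to perform, vendor=OID",
    "POST initiated with result status=FAILURE, actionType=USER_AUTH_AND_UPDATE, actionId=ADStwqjhzOuGiPm6M0g3, diagnostic message=Exceed password retry limit. Account locked., error code=19, matched dn=cn=MultyGroupsODSEE MultyGroupsODSEE,ou=QA users,dc=okta,dc=com, message=LDAPException(resultCode=19 (constraint violation), errorMessage='Exceed password retry limit. Account locked.', diagnosticMessage='Exceed password retry limit. Account locked.'), result code=constraint violation, vendor=OID",
]

if __name__ == "__main__":
    counts, needs_admin = triage(SAMPLE_LINES)
    print(dict(counts))
    print(needs_admin)
```

Splitting on ", <field>=" rather than on every comma is the part that matters: the matched dn and the LDAPException text both contain commas, and a naive split would silently truncate the DN you are about to unlock.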