LDAP integration known issues

  • Oracle Internet Directory: Oracle Internet Directory (OID) has been tested and is supported with the Okta LDAP Agent v5.04.01 and later. When Okta searches an LDAP Directory, it uses a paged search control to optimize how results are returned to the agent. Due to an OID pagination issue (Oracle bug 25287786), Okta LDAP Agent can't query for more objects than the default LDAP page size. While resolution from Oracle is pending, customers should evaluate the configuration of the orclsizelimit attribute within their directory to balance scalability, performance, and interoperability. Further details are available within the Oracle Internet Directory Administrator's Guide.
  • Incremental Import: Each user, group, organizational unit (OU), or container entry in the LDAP server must have an accurate modifyTimestamp value for incremental import to work. If this isn't possible, don't use incremental import.
  • LDAP proxy server: Connecting the Okta LDAP Agent to an LDAP server through an LDAP proxy server that has its own schema may cause issues when importing user data. These occur when the schemas of the LDAP proxy server and the LDAP server differ. To avoid import issues, make sure that the LDAP proxy server and LDAP server schemas are identical. Alternatively, make sure that schema discovery requests sent to the LDAP server pass through the proxy transparently.
  • SUSE Linux Enterprise Server: The Okta LDAP Agent isn't supported on the SUSE Linux Enterprise Server.
  • Self-service account unlock: Users can't unlock LDAP-sourced accounts that have been locked. Only an admin can unlock them.
  • JIT provisioning: Large numbers of JIT-enabled directory integrations can degrade JIT performance. This can cause JIT requests to fail with timeouts when searching for users across multiple directories. Several factors can contribute to the degradation, such as the performance of the on-premises agents, the on-premises directory servers, and the Okta service. If you experience persistent issues, visit the Okta Help Center.
  • Active Directory LDS: Updating a user's givenName or sn causes an error if the directory is configured to use CN as part of the DN. The following error is logged by the LDAP Agent: Error during ModifyRequest. ResultCode=67 (not allowed on RDN) exception=com.unboundid.ldap.sdk.LDAPException: 000020B1: UpdErr: DSID-030F113B, problem 6004 (CANT_ON_RDN), data 0.
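Two of the items above (incremental import needing a valid modifyTimestamp on every entry, and the AD LDS result 67 when a modify touches an attribute that forms the RDN) can be checked ahead of time against an export of the directory. The following is an added illustration, not Okta LDAP Agent code; the entries in SAMPLE_ENTRIES and the function names are constructed for the example.

```python
from datetime import datetime

# LDAP GeneralizedTime, without and with the fractional seconds AD LDS emits
_GT_FORMATS = ("%Y%m%d%H%M%SZ", "%Y%m%d%H%M%S.%fZ")

def _is_generalized_time(value):
    for fmt in _GT_FORMATS:
        try:
            datetime.strptime(value, fmt)
            return True
        except (TypeError, ValueError):  # None, or not this format
            pass
    return False

def entries_unfit_for_incremental_import(entries):
    """DNs whose modifyTimestamp is missing or not valid GeneralizedTime."""
    return [e["dn"] for e in entries if not _is_generalized_time(e.get("modifyTimestamp"))]

def _split_unescaped(text, sep):
    """Split on `sep`, keeping backslash-escaped separators (RFC 4514) intact."""
    parts, current, i = [], [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            current.append(text[i:i + 2])
            i += 2
            continue
        if text[i] == sep:
            parts.append("".join(current))
            current = []
        else:
            current.append(text[i])
        i += 1
    parts.append("".join(current))
    return parts

def rdn_attributes(dn):
    """Lower-cased attribute names of the leftmost RDN (handles 'cn=a+uid=b')."""
    first_rdn = _split_unescaped(dn, ",")[0]
    return {ava.split("=", 1)[0].strip().lower() for ava in _split_unescaped(first_rdn, "+")}

def rdn_attributes_in_change(dn, changes):
    """Attributes of a planned modify that sit in the RDN; the server rejects
    such a request with result 67 (notAllowedOnRDN), as in the AD LDS issue."""
    return sorted({a.lower() for a in changes} & rdn_attributes(dn))

SAMPLE_ENTRIES = [  # constructed sample directory content, not real data
    {"dn": "CN=Ann Lee,OU=People,DC=example,DC=com", "modifyTimestamp": "20240301120000.0Z"},
    {"dn": "uid=bob,ou=People,dc=example,dc=com", "modifyTimestamp": "20240301120000Z"},
    {"dn": "CN=Cara\\, Day,OU=People,DC=example,DC=com"},
    {"dn": "ou=People,dc=example,dc=com", "modifyTimestamp": "not-a-time"},
]
```

Run entries_unfit_for_incremental_import over a full export before enabling incremental import; any DN it returns means that mode should not be used for that directory.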