Modify LDAP integration settings
Update your existing integration settings as the needs of your org change.
- In the Admin Console, go to Directory > Directory Integrations.
- Select the LDAP agent from the list of directories.
- Click the Provisioning tab and select Integration in the Settings list
- In the Version list, select a directory vendor. Vendor-specific configuration templates are provided and pre-populate configuration settings for you. Because each LDAP environment is unique, you must confirm the default values. Not all configuration settings must have values. See Configure supported LDAP directory services.
- In the Configuration section, complete the following:
- Unique Identifier Attribute: Enter the unique immutable attribute of all LDAP objects that will be imported (users and groups). Only objects possessing this attribute can be imported into your Okta org. You can change the auto-populated value during initial setup. If your LDAP server implements RFC 4530, make sure to enter entryuuid in this field. For AD LDS, use objectguid.
- DN Attribute: Enter the attribute on all LDAP objects containing the Distinguished Name value.
- In the User section, complete the following:
- User Search Base: Enter the DN of the container for user searches (the root of the user subtree). This is the base DN of the container that holds all users imported into your Okta org. For example: cn=Users, dc=example, dc=com.
- User Object Class: Enter the objectClass of a user that Okta uses in its query when importing users. For example, inetorgperson, posixaccount, posixuser.
- Auxiliary Object Class: Enter a comma-separated list of auxiliary objectClasses. Okta uses these in its query when importing users. For example, auxClass1,auxClass2.
- User Object Filter: Okta auto-populates this field. If you modify the value, it must be a valid LDAP filter.
Use standard LDAP search filter notation (RFC 2254). For example:(&(givenName=Bab*)(|(sn=Jensen)(cn=Babs J*)))
The same filter capability is also in place for Group Objects.
- Account Disabled Attribute: Enter the user attribute that indicates whether or not the account is disabled for the user in Okta. If this attribute equals the value specified in the Account Disabled Value field, the user account is deactivated.
- Account Disabled Value: Enter the value that indicates that the account is locked (for example, TRUE).
- Account Enabled Value: Enter the value that indicates that the account is unlocked (for example, TRUE).
- Password Attribute: Enter the user password attribute.
- Password Expiration Attribute: Enter the attribute name for password expiration. This is usually a Boolean value. If you selected an LDAP directory that isn’t on the supported list, refer to your LDAP server documentation and use that value.
- In the Extra User Attributes section, you can specify up to four additional attributes to be imported from LDAP.
- In the Group section, complete the following fields:
- Group Search Base: Enter the DN of the container for group searches (that is, root of the group subtree) that holds all groups that will be imported into your Okta org. For example: ou=groups, dc=example, dc=com.
- Group Object Class: Enter the objectClass of a group that Okta uses in its query when importing groups. For example, groupofnames, groupofuniquenames, posixgroup.
- Group Object Filter: By default, Okta auto-populates this field with the objectClass of the group (objectClass=<entered objectClass name>).
- Member Attribute: Enter the attribute containing all the member DNs.
- User Attribute: Okta uses the member attribute on the group object to determine the user group memberships at runtime. Unless your group object and group filter are explicitly posixGroup and (objectclass=posixGroup), leave the user attribute field empty. If you use posixGroup, configure the member attribute value to memberUID and the user attribute value to uid.
If your LDAP vendor is not on the list, complete the configuration fields manually.
- In the Role section, complete the following fields:
- Object Class: The objectClass of a role.
- Membership Attribute: The attribute of the user object that indicates role membership (that is, containing the role DNs).
- Validate your configuration settings.
- Enter a Username in the Example username field.
Validate that all returned user details are correct. If any expected groups aren’t listed, group imports may fail later.
- Click Test Configuration.
If your configuration settings are valid, the message Validation successful! appears along with information about the returned user object. If there is a problem with your configuration, or if the user is not found, you are prompted to review your settings.