Configure LDAP integration settings

After installing the Okta LDAP Agent, you'll need to configure the integration settings to allow data to be exchanged with Okta.

  1. In the Admin Console, go to Directory > Directory Integrations.
  2. Click the Okta LDAP Agent marked Not yet configured.
  3. Configure the following settings:

    When you select an LDAP provider, provider-specific configuration values are automatically added. If your LDAP provider is not on the list, complete the configuration fields manually. Confirm the default values are correct. Not all configuration settings must have values.

    • Unique Identifier Attribute: An auto-populated value defined by the selected LDAP provider. This attribute is the unique, immutable identifier of every imported LDAP object (users and groups); only objects that have this attribute can be imported into your Okta org. Choose an attribute that never changes for the life of the object, because a mutable value such as the DN cannot serve as a stable identity. You can change the auto-populated value during initial setup. Note: if your LDAP server implements RFC 4530, enter entryUUID in this field. For AD LDS, use objectGUID.
    • DN Attribute: An auto-populated value defined by the selected LDAP provider. The attribute on all LDAP objects containing the Distinguished Name value.
  4. In the User section, configure the following settings:
    • User Search Base: Enter the Distinguished Name (DN) of the container for user searches (that is, the root of the user subtree). This is the base DN of the container that holds all users imported into your Okta org. For example: cn=Users,dc=example,dc=com.
    • User Object Class: The objectClass of a user that Okta uses in its query when importing users. For example, inetorgperson, posixaccount, posixuser.
    • Auxiliary Object Class: Optional. Enter a comma-separated list of auxiliary objectClasses to use in Okta import queries. For example, auxClass1,auxClass2.
    • User Object Filter: An auto-populated value defined by the selected LDAP provider. The default is an equality match on the User Object Class, in the form (objectClass=<entered objectClass name>). The value must be a valid LDAP search filter.

      Use standard LDAP search filter notation (RFC 2254, superseded by RFC 4515). For example:

      (&(givenName=Bab*)(|(sn=Jensen)(cn=Babs J*)))

      The same filter capability is also in place for Group Objects.

    • Account Disabled Attribute: Enter the LDAP attribute that indicates whether the user account is disabled in the directory. If this attribute equals the value specified in the Account Disabled Value field, the corresponding Okta user is deactivated.
    • Account Disabled Value: Enter the value that indicates the account is disabled (for example, TRUE).
    • Password Attribute: Enter the attribute that holds the user password (for example, userPassword).
    • Password Expiration Attribute: An auto-populated value when a supported LDAP provider is selected. If your directory provider is not in the list, see your LDAP server documentation or configuration for the password expiry value. Often, this attribute is a Boolean value.
    • Extra User Attributes: Optional. Enter additional user attributes to import from LDAP.
  5. Complete the Group or Role section. Typically, only one of these is used.
  6. Configure the following settings in the Validation configuration section:
    1. Example username.

      When you import users from LDAP, these settings are used to generate the Okta username that your users use to sign in to Okta.

      Note: Okta requires that valid user names are in an email format. Configuring these options correctly makes sure that your user names satisfy this requirement.

    2. Enter a Username.

      Enter the username of a user in the specified username format. Because the username you enter uniquely identifies a single user in your LDAP directory, the query that Okta executes retrieves only that user, together with the following details. Validate that all returned details are correct.

      • Status
      • UID
      • Unique ID
      • Distinguished Name
      • Full Name
      • Email
      • Groups: All the groups of the specified Group Object Class within the Group Search Base of which this user is a member. If the expected groups are not listed here, group imports might fail later.
    3. Click Test Configuration.

      If your configuration settings are valid, the message Validation successful! displays along with information about the returned user object. If there is a problem with your configuration, or if the user is not found, you are prompted to review your settings.

  7. When your settings are successfully validated, click Next and then Done to complete the LDAP configuration.

After validating your settings, Okta begins the LDAP schema discovery process.