IBM LDAP integration reference

This topic provides reference information specific to IBM Lightweight Directory Access Protocol (LDAP) integrations. When you're installing the Okta LDAP Agent, need this information to integrate your IBM directory with Okta. See Install the Okta LDAP Agent.

Known issues

  • Users can't update their expired passwords. Admins must reset them.
  • When the provisioning settings indicate Do nothing when users are deactivated, users remain active in Okta. When a single source provides user profile attributes, deactivated users are disconnected from the source and Okta becomes the source for user profile attributes.

Integration configuration

During the initial agent install and configuration documented in Install the Okta LDAP Agent, these are the attributes for IBM integrations:

  • Unique Identifier Attribute: ibm-entryuuid
  • DN Attribute: distinguishedname
  • User Object Class: inetorgperson
  • User Object Filter: (objectclass=inetorgperson)
  • *Account Disabled Attribute: ibm-pwdAccountLocked
  • *Account Disabled Value: TRUE
  • *Account Enabled Value: FALSE
  • Password Attribute: userpassword
  • Group Object Class: groupofuniquenames
  • Group Object Filter: (objectclass=groupofuniquenames)
  • Member Attribute: uniquemember

To lock an account, delete the user password or set the pwdLockout attribute to TRUE. Use the Profile Editor to select more user profile attributes.

Schema read

There are no special considerations for IBM LDAP integrations.

Password change

Users can change their password by selecting Settings on the Okta End-User Dashboard.

To allow users to change or reset their password, click SecurityDelegated Authentication, select the LDAP tab, and then select Users can change their LDAP passwordsinOkta.

Validation error messages are displayed on the Delegated Authentication page in the Admin Console.

Passwords are plain text by default. To encrypt passwords before they're saved, see password encryption in the IBM Security Directory Server documentation.

Password reset

Password reset is triggered by an administrator or the User Forgot Password flow.

IBM password policies aren't replicated in Okta. Passwords that do not meet the LDAP password policy criteria can be generated and cause authentication failure. To prevent this, review your IBM Directory Server password policies to identify and correct conflicts before allowing password resets through Okta.

Users can't update expired passwords. Admins must reset them.

IBM LDAP integrations don't support the password expiration warning and setting a Password age value in the LDAP Group Password Policy has no effect.

Import

There are no special considerations for IBM LDAP integrations.

JIT provisioning

There are no special considerations for IBM Just-In-Time (JIT) provisioning. For user identification (UID), use an email format to match the default setting for an Okta username. Don't use an external identity provider (IdP) to trigger sign-in.

To make sure that JIT provisioning is successful the first time:

  • The value of the configured naming attribute (such as UID) must not exist in Okta.
  • Thevalue of the configured naming attribute (such as UID) must be unique in all JIT-enabled directories.
  • Therequired attributes must present. The Okta defaults are email, givenName, sn, and uid.
  • Thepassword must be correct.
  • TheAccount Disabled Attribute must be set to false on the LDAP server.

When JIT provisioning completes successfully, all user attributes specified on the LDAP settings page and in the Profile Editor are imported. To select more mandatory attributes, use the Profile Editor.

Provisioning

IBM password policies aren't replicated in Okta. Passwords that don't meet the LDAP password policy criteria can be generated and cause authentication failure. To prevent this, review your IBM Directory Server password policies to identify and correct conflicts before allowing password resets through Okta.

To create and assign passwords when creating user profiles:

  1. Contact Okta customer support to enable LDAP push-password updates.
  2. Disable delegated authentication:
    1. In the Admin Console, go to SecurityDelegated AuthenticationLDAP.
    2. Click Edit in the Delegated Authentication pane.
    3. Clear the Enable delegated authentication to LDAP checkbox.
    4. Click Save.
    5. Accept the default setting to reset all LDAP user passwords and click Disable LDAP Authentication.
  3. Accept the default setting to reset all LDAP user passwords and click Disable LDAP Authentication.
  4. Open your Okta Admin Console, click DirectoryDirectory IntegrationsLDAPProvisioningTo App.
  5. Click Edit, select Enable next to Sync Password, and click Save.
  6. When Sync Password is enabled, the LDAP agent sends the action PASSWORD_UPDATE when the user signs in for the first time.

To assign existing Okta users to LDAP:

  1. In the Admin Console, go to DirectoryDirectory IntegrationsLDAPProvisioningTo App.
  2. Click Edit, select Enable next to Create Users, and click Save.
  3. Click DirectoryGroups.
  4. Select the Okta group to which you want to assign users.
  5. Click Manage Directories.
  6. Select an LDAP instance in the left pane and click Next.
  7. Enter the full distinguished name (DN) for the new user LDAP container in the Provisioning Destination DN field.
  8. Click Confirm Changes.

Troubleshooting

If LDAP directory authentication fails, the agent logs display messages similar to the following to assist with diagnosis and resolution:

Agent: Success

scanResults are sent with user and group information.

POST initiated with result status=SUCCESS, actionType=USER_AUTH_AND_UPDATE, actionId=ADSx27FqYtCqky2Wv0g3, diagnostic message=, error code=, matched dn=, message=SUCCESS, result code=, vendor=IBM

Agent: Delauth failure

POST initiated with result status=FAILURE, actionType=USER_AUTH_AND_UPDATE, actionId=ADSx1f9Wa5VsAmx8g0g3, diagnostic message=, error code=49, matched dn=cn=DelAuth,ou=Automation,O=FOX, message=LDAPException(resultCode=49 (invalid credentials), errorMessage='invalid credentials'), result code=invalid credentials, vendor=IBM

Agent: No user

POST initiated with result status=FAILURE, actionType=USER_AUTH_AND_UPDATE, actionId=ADSx1zLU1yUw7hcKM0g3, diagnostic message=, error code=, matched dn=, message=User not found while executing query: (&(objectclass=inetorgperson)(uid=asdfasdf)), result code=, vendor=IBM

Agent: Password Expired

POST initiated with result status=FAILURE, actionType=USER_AUTH_AND_UPDATE, actionId=ADSydvdqGivWZ2eBN0g3, diagnostic message=, error code=508, matched dn=cn=PasswordExpired,ou=Automation,o=FOX, message=LDAPException(resultCode=508, errorMessage='508'), result code=508, vendor=IBM

Agent: Locked Out

POST initiated with result status=FAILURE, actionType=USER_AUTH_AND_UPDATE, actionId=ADSyhmxo2EEQAPJTu0g3, diagnostic message=Error, Account is locked, error code=53, matched dn=cn=smith117 newman,ou=automation,o=fox, message=LDAPException(resultCode=53 (unwilling to perform), errorMessage='Error, Account is locked', diagnosticMessage='Error, Account is locked'), result code=unwilling to perform, vendor=IBM