AD LDS LDAP integration reference

This topic provides reference information specific to Active Directory Lightweight Directory Services (AD LDS) Lightweight Directory Access Protocol (LDAP) integrations. When you're installing the Okta LDAP Agent, you need this information to integrate your AD LDS directory with Okta. See Install the Okta LDAP Agent.

Recommended version

Windows Server 2016

Known issues

  • The status of users requesting a temporary password doesn't change from active to password expired.
  • When the provisioning settings indicate Do nothing when users are deactivated, users remain active in Okta. When a single source provides user profile attributes, deactivated users are disconnected from the source and Okta becomes the source for user profile attributes.

Integration configuration

During the initial agent install and configuration documented in Install the Okta LDAP Agent, these are the attributes for AD LDS integrations:

  • Unique Identifier Attribute: distinguishedname
  • DN Attribute: distinguishedname
  • User Object Class: identityperson
  • User Object Filter: (objectclass=identityperson)
  • *Account Disabled Attribute: msds-useraccountdisabled
  • *Account Disabled Value: TRUE
  • *Account Enabled Value: FALSE
  • Password Attribute: unicodepwd
  • Group Object Class: group
  • Group Object Filter: (objectclass=group)
  • Member Attribute: member

Schema read

To add attributes from AUX classes, add the auxiliary class as an Auxiliary Object Class to the directory provisioning configuration.

Password change

Users can change their password by selecting Settings on the Okta End-User Dashboard.

To allow users to change or reset their password, click SecurityDelegated Authentication , select the LDAP tab, and then select Users can change their LDAP passwords in Okta.

Error messages displayed in Okta are determined by the AD LDS error message value. For example, the AD LDS value 2245 generates this error message when a user enters a password that doesn't meet the password policy criteria:

Unable to update the password. The value provided for the new password does not meet the length, complexity, or history requirements of the domain.

Password reset

Password reset is triggered by an administrator or the User Forgot Password flow.

Password reset can fail if the new password doesn't meet the password policy criteria.

Password validation

AD LDS uses the local system password policy or the domain password policy for password validation.

Import

To create user profiles, use object classes such as user, inetOrgPerson, person, or OrganizationalPerson. To use a customized profile, update the identityperson options.

JIT provisioning

There are no special considerations for AD LDS Just-In-Time (JIT) provisioning. For user identification (UID), use an email format to match the default setting for an Okta username. Do not use an external identity provider (IdP) to trigger sign-in.

To make sure that JIT provisioning is successful the first time:

  • The value of the configured naming attribute (such as UID) must not exist in Okta.
  • The value of the configured naming attribute (such as UID) must be unique in all JIT-enabled directories.
  • The required attributes must be present. The Okta defaults are email, givenName, sn, and uid.
  • The password must be correct.
  • The Account Disabled Attribute must be set to false on the LDAP server.

When JIT provisioning completes successfully, all user attributes specified on the LDAP settings page and in the Profile Editor are imported. To select other mandatory attributes, use the Profile Editor.

Membership import

During import, if the default AD LDS settings are used, user groups with the objectClass group are imported and added to the user specified in the member group attribute.

During import, if the membership attribute is set to seeAlso, users are assigned to the groups added to the seeAlso user attribute.

Provisioning

There are no special considerations for AD LDS LDAP integrations.

To create and assign passwords when creating user profiles:

  1. Contact Okta customer support to enable LDAP push password updates.
  2. Disable delegated authentication:
    1. In the Admin Console, go to SecurityDelegated AuthenticationLDAP.
    2. Click Edit in the Delegated Authentication pane.
    3. Clear the Enable delegated authentication to LDAP checkbox.
    4. Click Save.
    5. Accept the default setting to reset all LDAP user passwords and click Disable LDAP Authentication.
  3. Open your Okta Admin Console, click DirectoryDirectory IntegrationsLDAPProvisioningTo App.
  4. Click Edit, select Enable next to Sync Password, and click Save.

    When Sync Password is enabled, the LDAP agent sends the action PASSWORD_UPDATE when the user signs in for the first time.

To assign existing Okta users to LDAP:

  1. In the Admin Console, go to DirectoryDirectory IntegrationsLDAPProvisioningTo App.
  2. Click Edit, select Enable next to Create Users, and click Save.
  3. Click DirectoryGroups.
  4. Select the Okta group to which you want to assign users.
  5. Click Manage Directories.
  6. Select an LDAP instance in the left pane and click Next.
  7. Enter the full distinguished name (DN) for the new user LDAP container in the Provisioning Destination DN field.
  8. Click Confirm Changes.

Troubleshooting

If LDAP directory authentication fails, the agent logs display messages similar to the following to assist with diagnosis and resolution:

Agent: Success

POST initiated with result status=SUCCESS, actionType=USER_AUTH_AND_UPDATE, actionId=ADSttbJoCgX6d8bVs0g3, diagnostic message=, error code=, matched dn=, message=SUCCESS, result code=, vendor=AD_LDS

Agent: Delauth failure

POST initiated with result status=FAILURE, actionType=USER_AUTH_AND_UPDATE, actionId=ADSttkKzNHPmn4Cky0g3, diagnostic message=8009030C: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 52e, v3839?, error code=49, matched dn=CN=LynxyADLVSWih2Group,CN=UsersGroup,OU=usersLynxy,DC=funnyface,DC=net,DC=local, message=LDAPException(resultCode=49 (invalid credentials), errorMessage='8009030C: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 52e, v3839?', diagnosticMessage='8009030C: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 52e, v3839?'), result code=invalid credentials, vendor=AD_LDS

Agent: No user

POST initiated with result status=FAILURE, actionType=USER_AUTH_AND_UPDATE, actionId=ADSttml2duHannKQp0g3, diagnostic message=, error code=, matched dn=, message=User not found while executing query: (&(objectclass=identityperson)(uid=LynxyADLDSWith2Group22s@lynxy.com)), result code=, vendor=AD_LDS

Agent: User deactivated (msDS-UserAccountDisabled = TRUE)

POST initiated with result status=FAILURE, actionType=USER_AUTH_AND_UPDATE, actionId=ADSttoAFlo2ktz8nu0g3, diagnostic message=8009030C: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 533, v3839?, error code=49, matched dn=CN=LynxyADLVSWih2Group,CN=UsersGroup,OU=usersLynxy,DC=funnyface,DC=net,DC=local, message=LDAPException(resultCode=49 (invalid credentials), errorMessage='8009030C: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 533, v3839?', diagnosticMessage='8009030C: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 533, v3839?'), result code=invalid credentials, vendor=AD_LDS

Agent: Account expired

POST initiated with result status=FAILURE, actionType=USER_AUTH_AND_UPDATE, actionId=ADStxkjhWLW7DX9qN0g3, diagnostic message=8009030C: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 701, v3839?, error code=49, matched dn=CN=LynxyADLVSUserForChange2,CN=UsersGroup,OU=usersLynxy,DC=funnyface,DC=net,DC=local, message=LDAPException(resultCode=49 (invalid credentials), errorMessage='8009030C: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 701, v3839?', diagnosticMessage='8009030C: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 701, v3839?'), result code=invalid credentials, vendor=AD_LDS

Agent: Password Expired

POST initiated with result status=FAILURE, actionType=USER_AUTH_AND_UPDATE, actionId=ADSu99dXaoVG7gFjG0g3, diagnostic message=8009030C: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 532, v3839?, error code=49, matched dn=CN=delauth2,CN=\#Users,DC=funnyface,DC=net,DC=local, message=LDAPException(resultCode=49 (invalid credentials), errorMessage='8009030C: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 532, v3839?', diagnosticMessage='8009030C: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 532, v3839?'), result code=invalid credentials, vendor=AD_LDS

Agent: Account locked

POST initiated with result status=FAILURE, actionType=USER_AUTH_AND_UPDATE, actionId=ADSv4gTD5ihbuqeep0g3, diagnostic message=8009030C: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 775, v3839?, error code=49, matched dn=CN=test1706 test1706,CN=UsersGroup,OU=usersLynxy,DC=funnyface,DC=net,DC=local, message=LDAPException(resultCode=49 (invalid credentials), errorMessage='8009030C: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 775, v3839?', diagnosticMessage='8009030C: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 775, v3839?'), result code=invalid credentials, vendor=AD_LDS