LDAP integration prerequisites
Before you start an LDAP integration, ensure that you have:
- An Okta admin account to connect the agent with your Okta org. This account must have the manage directories, manage agents, and register agents permissions. A best practice is to create a custom admin role that has these permissions. Assign that role to an Okta account to connect the agent to Okta. See Create a role and Agent permissions.
For greater security, consider requiring your admins to use MFA to access the Admin Console. See Enforce MFA to access the Admin Console.
For agent versions 5.22.0 or later, the LDAP agents operate independently of any Okta account. This ensures that the Okta LDAP integration works as expected, regardless of the status of the account that was used to register the agent. In version 5.21.0 or earlier, it was a common practice to use a dedicated account to register the agent. For those agents, if the privileges for the dedicated account changed (for example, were lowered or revoked), or the account was deactivated, then the LDAP agent stopped working.
- An LDAP user to perform binds and queries from the agent to your LDAP directory. This user must be able to look up users, groups, and roles in the Directory Information Tree (DIT).
- The modifyTimestamp attribute indexed on your LDAP server. This improves the performance of incremental imports.
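The bind-account and modifyTimestamp requirements above can be checked before the agent is installed. The following PowerShell script is an added example, not Okta's code and not part of the agent: it binds as the service account over LDAPS, confirms the account can read users, groups, and roles in the DIT, and times a modifyTimestamp range search. The host, port, DNs, and objectClass values are placeholders for your own directory, and the exact filter the agent uses for incremental imports is not given on this page, so the range search only stands in for that kind of query (a slow result on an otherwise idle server is the symptom of a missing index).

```powershell
# Added example, not Okta's code: verifies the LDAP bind account and the
# modifyTimestamp prerequisite. All hosts, DNs, and objectClass values are placeholders.
# Assumes the System.DirectoryServices.Protocols assembly is available (it is on Windows).
Add-Type -AssemblyName System.DirectoryServices.Protocols

$LdapHost = 'ldap.example.com'                                      # placeholder
$LdapPort = 636                                                     # LDAPS listener; adjust for your directory
$BindDn   = 'cn=okta-agent,ou=service-accounts,dc=example,dc=com'   # placeholder bind account
$BaseDn   = 'dc=example,dc=com'                                     # placeholder search base
$Password = Read-Host -AsSecureString -Prompt 'Bind password'

$identifier = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($LdapHost, $LdapPort)
$credential = New-Object System.Net.NetworkCredential($BindDn, $Password)
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($identifier, $credential, [System.DirectoryServices.Protocols.AuthType]::Basic)
$conn.SessionOptions.ProtocolVersion = 3
$conn.SessionOptions.SecureSocketLayer = $true   # a simple bind sends the password, so only do it over TLS
$conn.Bind()                                     # throws LdapException if the credentials or ACLs reject the bind
Write-Host "Bind as $BindDn succeeded"

function Get-LdapEntryCount {
    param([string]$Base, [string]$Filter, [int]$SizeLimit = 10)
    # Attribute '1.1' asks for no attributes, which keeps the probe cheap on large subtrees
    $req = New-Object System.DirectoryServices.Protocols.SearchRequest($Base, $Filter, [System.DirectoryServices.Protocols.SearchScope]::Subtree, [string[]]@('1.1'))
    $req.SizeLimit = $SizeLimit
    try {
        return $conn.SendRequest($req).Entries.Count
    } catch [System.DirectoryServices.Protocols.DirectoryOperationException] {
        # Hitting the size limit still proves the account can read these entries
        if ($_.Exception.Response.ResultCode -eq 'SizeLimitExceeded') {
            return $_.Exception.Response.Entries.Count
        }
        throw
    }
}

# Placeholder objectClass filters; replace them with the classes your schema uses
$checks = @{
    users  = '(objectClass=inetOrgPerson)'
    groups = '(objectClass=groupOfNames)'
    roles  = '(objectClass=organizationalRole)'
}
foreach ($name in $checks.Keys) {
    $count = Get-LdapEntryCount -Base $BaseDn -Filter $checks[$name]
    if ($count -gt 0) {
        Write-Host "OK    $name lookup returned entries"
    } else {
        Write-Warning "$name lookup returned nothing: check the bind account's read ACLs or the filter"
    }
}

# Incremental imports depend on modifyTimestamp; without an index this kind of search scans the tree.
$since   = (Get-Date).ToUniversalTime().AddDays(-1).ToString('yyyyMMddHHmmss') + 'Z'
$elapsed = Measure-Command { $null = Get-LdapEntryCount -Base $BaseDn -Filter "(modifyTimestamp>=$since)" -SizeLimit 0 }
Write-Host ("modifyTimestamp range search took {0:N0} ms" -f $elapsed.TotalMilliseconds)

$conn.Dispose()
```

Run the script from the host that will run the agent, so the bind also confirms that the LDAP host and port are reachable from there. A bind that succeeds while one of the lookups returns nothing usually points at directory ACLs rather than at the account's password.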
Agent requirements
You can use a Windows or Linux agent to connect LDAP with your Okta org. If you're upgrading from a version 4.x agent or earlier to a version 5.x agent, uninstall the old agent before installing the new one.
Windows agent requirements
- The host server must be running Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, or Windows Server 2022.
- The Windows server must be able to reach the LDAP host and port.
- The TLS 1.2 security protocol must be enabled with the following registry key settings:

  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
  "Enabled"=dword:00000001
  "DisabledByDefault"=dword:00000000

  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
  "Enabled"=dword:00000001
  "DisabledByDefault"=dword:00000000
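As an added example (not Okta's code), the following PowerShell script reads the four SCHANNEL values listed above and reports which ones differ from the required settings; the Set-Tls12State function writes the required values. Run it in an elevated session on the Windows host before installing the agent. A missing key or value is reported as an empty Actual column, which is the usual state on a server where TLS 1.2 has never been configured explicitly.

```powershell
# Added example, not Okta's code: audits and optionally applies the SCHANNEL TLS 1.2
# registry values that the Windows LDAP agent requires.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'
$expected = @{ Enabled = 1; DisabledByDefault = 0 }   # same values for Server and Client

function Get-Tls12State {
    # Returns one row per required value, with Ok = $true only when the stored DWORD matches
    $rows = foreach ($side in 'Server', 'Client') {
        $path = Join-Path $base $side
        foreach ($name in $expected.Keys) {
            $actual = $null
            if (Test-Path $path) {
                $actual = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
            }
            [pscustomobject]@{
                Path     = $path
                Name     = $name
                Expected = $expected[$name]
                Actual   = $actual
                Ok       = ($actual -eq $expected[$name])
            }
        }
    }
    return $rows
}

function Set-Tls12State {
    # Creates the Server and Client keys if absent and writes the required DWORD values
    foreach ($side in 'Server', 'Client') {
        $path = Join-Path $base $side
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        foreach ($name in $expected.Keys) {
            New-ItemProperty -Path $path -Name $name -Value $expected[$name] -PropertyType DWord -Force | Out-Null
        }
    }
}

$state = Get-Tls12State
$state | Format-Table Path, Name, Expected, Actual, Ok -AutoSize
if ($state | Where-Object { -not $_.Ok }) {
    Write-Warning 'TLS 1.2 is not fully enabled for SCHANNEL. Run Set-Tls12State from an elevated session, then restart the server.'
}
# Uncomment to apply the required values:
# Set-Tls12State
```

SCHANNEL reads these values at startup, so apply them and restart the server before installing the agent rather than after; re-running the audit afterwards shows every row with Ok = True.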
Linux agent requirements
- The Linux agent can be installed on an RPM-based Linux distribution, such as CentOS or Red Hat.
- DPKG-based Linux distributions, such as Debian or Ubuntu, are also supported.