LDAP configuration parameters
The following table lists the LDAP configuration parameters and indicates which parameters you can change after you install the Okta LDAP Agent.
Use this command to change the Okta LDAP Agent password:
/opt/Okta/OktaLDAPAgent/scripts/update.sh [-w|--ldap-admin-password] "<NewLDAPPassword>"
| Parameter | Description | Can be changed after agent installation |
|---|---|---|
| ldapHost = 216.3.128.12 | Hostname or IP of the LDAP server. This is the value configured during the agent installation. | Yes1 |
| ldapPort = 389 | Port number of the LDAP server for unencrypted connection, configured during installation. | Yes1 |
| ldapSSLPort = 636 | Port number of the LDAP server for encrypted connection, configured during installation. | Yes1 |
| ldapUseSSL = true | Choose between the encrypted and unencrypted connections. If true, the agent uses encrypted connection. The default option during installation is to use an unencrypted connection. The recommended option is to use a secured connection during installation. | Yes1 |
| ldapAdminDN = cn=ldsadmin, cn=admins, dc=example, dc=net, dc=local | The Distinguished Name of the user the agent binds to the LDAP server as. | Yes2 |
| ldapAdminPassword = <password hash> | Password of a user that the agent binds to the LDAP server as. | Yes2 |
| baseDN = dc=funnyface,dc=net,dc=local | The root DN of the LDAP domain. | No1 |
| proxyEnabled = true | Web proxy configuration is enabled or not. | Yes1 |
| proxyHost = 172.16.52.90 | Web proxy host. | Yes1 |
| proxyPort = 8888 | Web proxy port. | Yes1 |
| connectionHealthCheckFrequencyInMinutes = 0 | Specify a positive number (minutes) to instruct the agent to print the connection health statistics to the log. | Yes1 |
| memoryTrackFrequencyInMinutes = 0 | Specify a positive number (minutes) to instruct the agent to print the memory usage details to the log. | Yes1 |
| threadDumpFrequencyInMinutes = 0 | Specify a positive number (minutes) to instruct the agent to print details about the running threads to the log. | Yes1 |
| ldapSearchPageSize = 500 | The agent fetches search results from the LDAP server split into pages. The following parameter configures the maximum number of entries the LDAP server returns in a single response. | Yes1 |
| sslPinningEnabled = true | Enable or disable SSL pinning. When SSL pinning is enabled, the agent uses a built-in allowlist of server certificates to make sure it connects to a known Okta server. The default option during installation is to enable SSL pinning for EA agents. The recommended option is to use SSL pinning. | Yes1 |
| agentId = a53d6jnf0kg38CpYG0h7 | The parameter is configured during installation. | No1 |
| instanceId = | The parameter is configured during installation. | No1 |
| ldapDomainId = 0oadmcd4ztXMng8FlkD7 | The parameter is configured during installation. | No1 |
| orgUrl = https://privatedomain.oktapreview.com | The parameter is configured during installation. | No1 |
| token = 274m55...kldu9 | The parameter is configured during installation. This parameter only applies to Okta LDAP Agent version 5.21.0 and earlier. | No1 |
| agentKey = O2Ngbf...ggzY= | The parameter is configured during installation. | No1 |
| clientId = wlp2xvb6mIgCcVB7W5s6 | The parameter is configured during installation. | No1 |
| propertyKey = 92rFf9...8m9 | The parameter is configured during installation. | No1 |
| maxConnectionsPerHost | The default is 10 and the maximum is 50. Must be higher than the number of agent polling threads. | Yes1 |
| pollingThreadCount | The default is 2 and the maximum is 10. The number of threads the LDAP agent uses to poll the server | Yes1 |
|
fipsMode |
When installing LDAP agent version 5.19.0 and higher, fipsMode can be enabled or disabled. During restart or upgrade, if fipsMode isn't present or has an invalid value, FIPS mode is enabled. |
Yes3 |
1 If there are changes in infrastructure, the old agent should be uninstalled and a new agent should be installed.
2 Requires an agent restart to take effect.
3 LDAP agent versions 5.16.0, 5.17.0, and 5.18.0 have FIPS mode enabled by default and can't be disabled.
Update LDAP configuration parameters
To change the value of configurable LDAP parameters, you update the values in the OktaLDAPAgent.conf file. Before you open or modify the LDAP agent configuration file, stop the Okta LDAP Agent service under Windows Services. After updating and saving your changes to the OktaLDAPAgent.conf file, you'll need to restart the Okta LDAP Agent to implement your changes.
Windows
In a Windows environment, you'll find the OktaLDAPAgent.conf file here: C:\Program Files\Okta\Okta LDAP Agent\conf\OktaLDAPAgent.conf.
Linux
In a Linux environment, you'll find the OktaLDAPAgent.conf file here: /opt/Okta/OktaLDAPAgent/conf/OktaLDAPAgent.conf.