eDirectory LDAP integration reference

This topic provides reference information specific to eDirectory LDAP integrations. Use the following information when you install the Okta LDAP Agent to integrate your eDirectory with Okta. See Install the Okta LDAP Agent.

Considerations

  • Users who request a self-service password reset, and users who must change their password after an admin resets it, have to enter their new password twice before they can access the Okta End-User Dashboard.
  • If the provisioning setting for deactivated users is Do nothing, users who are deactivated in eDirectory remain active in Okta. If eDirectory is the single source of the user's profile attributes, those deactivated users are disconnected from the source and Okta becomes the source for their profile attributes.
  • Okta sign-in and import flows process memberships from the member attribute only. NetIQ eDirectory tracks nested group memberships in groupMember, so Okta can't resolve nested memberships for eDirectory integrations: a user is assigned only to the groups that list that user directly in member.

Integration configuration

When you install and configure the LDAP agent, use the following attributes for eDirectory:

  • Unique Identifier Attribute: localentryid
  • DN Attribute: entrydn
  • User Object Class: inetorgperson
  • User Object Filter: (objectclass=inetorgperson)
  • *Account Disabled Attribute: loginDisabled
  • *Account Disabled Value: TRUE
  • *Account Enabled Value: FALSE
  • Password Attribute: userpassword
  • Group Object Class: groupofnames
  • Group Object Filter: (objectclass=groupofnames)
  • Member Attribute: member

Schema read

To add attributes that eDirectory defines in auxiliary (AUX) classes, add the class as an auxiliary object class in the directory provisioning configuration. For example, adding the auxiliary object class dcObject makes the dc attribute available in the Okta schema attributes.

Password change

Users can change their password by selecting Settings on the Okta End-User Dashboard.

If eDirectory-specific password settings are in use on your LDAP instance, a self-service password change can fail if the user doesn't hold the ACL rights needed to change their own password. In that case the change is rejected and the agent returns the error message: NDS error: no access (-672).

Password reset

An admin can trigger a password reset. A password reset is also triggered when a user clicks the Forgot password link. Password reset works without adding a specific ACL.

Password reset can fail if the new password doesn't meet the password policy criteria.

Import

eDirectory uses a different fractional-second (decimal) precision for modifyTimestamp than other LDAP servers. The usual value is 3 decimal places, but for eDirectory it must be set to 1. There are two ways to set this value:

  • If eDirectory support is enabled and your LDAP agent is version 5.6.2 or later, the decimal precision is set to 1 automatically during installation. You can change the value on the Directory Integrations > Provisioning > To Okta page.
  • If your LDAP agent is version 5.6.0 or 5.6.1, set generalizedTimeMillisecondDecimalPlaces to 1 in OktaLDAPAgent.conf on every deployed agent.

LDAP agent versions before 5.6.0 don't support eDirectory LDAP integrations.
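The following is an added illustration (not the agent's own code) of what the decimal-precision setting changes: the same instant rendered as an LDAP GeneralizedTime literal with 3, 1 or 0 fractional digits, plus a parser that accepts any width so you can compare what eDirectory returns against what the agent sends. The filter shape in incremental_import_filter is an assumption about how a modifyTimestamp lower bound is combined with the configured User Object Filter; the sample instant is constructed.

```python
import re
from datetime import datetime, timezone

# Hypothetical helpers illustrating generalizedTimeMillisecondDecimalPlaces.
# Not the Okta LDAP Agent's own code.

_GT_RE = re.compile(r"^(\d{14})(?:\.(\d{1,3}))?Z$")


def generalized_time(ts: datetime, decimal_places: int) -> str:
    """Render ts (converted to UTC) as YYYYMMDDHHMMSS[.f{1,3}]Z (RFC 4517)."""
    if not 0 <= decimal_places <= 3:
        raise ValueError("decimal_places must be between 0 and 3")
    ts = ts.astimezone(timezone.utc)
    base = ts.strftime("%Y%m%d%H%M%S")
    if decimal_places == 0:
        return base + "Z"
    # Truncate rather than round: a lower bound that is slightly too early
    # re-reads a few entries, one that is too late silently skips them.
    millis = f"{ts.microsecond // 1000:03d}"
    return f"{base}.{millis[:decimal_places]}Z"


def parse_generalized_time(value: str) -> datetime:
    """Parse a GeneralizedTime literal with 0..3 fraction digits into a UTC datetime."""
    m = _GT_RE.match(value)
    if not m:
        raise ValueError(f"not a GeneralizedTime literal: {value!r}")
    base, frac = m.group(1), m.group(2) or ""
    micros = int(frac.ljust(3, "0")) * 1000 if frac else 0
    return datetime.strptime(base, "%Y%m%d%H%M%S").replace(
        microsecond=micros, tzinfo=timezone.utc
    )


def incremental_import_filter(
    last_sync: datetime,
    decimal_places: int,
    user_filter: str = "(objectclass=inetorgperson)",
) -> str:
    """Assumed shape of an incremental-import query: the configured user
    filter ANDed with a modifyTimestamp lower bound at the configured precision."""
    stamp = generalized_time(last_sync, decimal_places)
    return f"(&{user_filter}(modifyTimestamp>={stamp}))"


if __name__ == "__main__":
    # Constructed sample instant (not from the page).
    t = datetime(2024, 3, 15, 12, 30, 45, 123456, tzinfo=timezone.utc)
    for places in (3, 1, 0):
        print(places, incremental_import_filter(t, places))
```

With 3 places the literal is 20240315123045.123Z; with the eDirectory setting of 1 it is 20240315123045.1Z. Because the value is truncated, the one-place bound is never later than the three-place one, so a sync window can only widen, not skip entries.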

JIT provisioning

There are no special considerations for eDirectory Just In Time (JIT) provisioning. Use an email-format value for the user identifier (uid) so that it matches the default format of an Okta username. Don't use an external identity provider (IdP) to trigger sign-in.

To make sure that JIT provisioning is successful the first time:

  • The value of the configured naming attribute (such as uid) must not already exist in Okta.
  • The value of the configured naming attribute (such as uid) must be unique across all JIT-enabled directories.
  • The required attributes must be present. The Okta defaults are email, givenName, sn, and uid.
  • The password must be correct.
  • The account must be enabled on the LDAP server: the Account Disabled Attribute (loginDisabled) must be FALSE.

When JIT provisioning completes successfully, Okta imports the user attributes that are specified on the LDAP settings page and in the Profile Editor. To select more mandatory attributes, use the Profile Editor.

Membership import

During import with the default eDirectory settings, groups with the object class groupofnames are imported, and each user listed in a group's member attribute is assigned to that group.

If the membership attribute is set to seeAlso instead, users are assigned to the groups listed in their own seeAlso user attribute.
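The following added example (not Okta's or NetIQ's code) shows the two membership modes described here, and the nested-group limitation noted under Considerations: direct_memberships assigns users from each group's member attribute the way the page says Okta does, seealso_memberships assigns them from the user's seeAlso attribute, and nested_memberships expands group-in-group membership for contrast, so nested_only shows exactly which assignments an eDirectory nested view has that the Okta import does not. The directory entries are constructed sample data.

```python
from collections import defaultdict

# Constructed sample entries (not from the page): DN -> attribute map, multi-valued.
ENTRIES = {
    "cn=alice,o=users": {"objectclass": ["inetOrgPerson"], "seeAlso": ["cn=vpn,o=groups"]},
    "cn=bob,o=users":   {"objectclass": ["inetOrgPerson"]},
    "cn=dev,o=groups":  {"objectclass": ["groupOfNames"],
                         "member": ["cn=alice,o=users", "cn=bob,o=users"]},
    # eng lists the dev group, not its users: a nested membership.
    "cn=eng,o=groups":  {"objectclass": ["groupOfNames"], "member": ["cn=dev,o=groups"]},
    "cn=vpn,o=groups":  {"objectclass": ["groupOfNames"], "member": []},
}


def has_class(attrs, cls):
    """Object class comparison is case-insensitive in LDAP."""
    return cls.lower() in (c.lower() for c in attrs.get("objectclass", []))


def direct_memberships(entries, member_attr="member"):
    """user DN -> set of group DNs, using only each group's member_attr values.
    Mirrors the page's description of the Okta import: a user reachable only
    through a nested group is NOT assigned to the outer group."""
    result = defaultdict(set)
    for gdn, attrs in entries.items():
        if not has_class(attrs, "groupofnames"):
            continue
        for mdn in attrs.get(member_attr, []):
            target = entries.get(mdn)
            if target is not None and has_class(target, "inetorgperson"):
                result[mdn].add(gdn)
    return dict(result)


def seealso_memberships(entries, attr="seeAlso"):
    """Membership read from the user side: group DNs listed in the user's seeAlso."""
    result = {}
    for udn, attrs in entries.items():
        if not has_class(attrs, "inetorgperson"):
            continue
        groups = {g for g in attrs.get(attr, [])
                  if g in entries and has_class(entries[g], "groupofnames")}
        if groups:
            result[udn] = groups
    return result


def nested_memberships(entries, member_attr="member"):
    """Transitive closure for contrast: follow groups that are members of groups.
    eDirectory exposes this view (via groupMember); the Okta import does not."""
    direct = direct_memberships(entries, member_attr)
    parents = defaultdict(set)  # group DN -> groups that list it as a member
    for gdn, attrs in entries.items():
        if not has_class(attrs, "groupofnames"):
            continue
        for mdn in attrs.get(member_attr, []):
            if mdn in entries and has_class(entries[mdn], "groupofnames"):
                parents[mdn].add(gdn)
    result = {}
    for udn, groups in direct.items():
        seen, stack = set(), list(groups)
        while stack:
            g = stack.pop()
            if g in seen:
                continue
            seen.add(g)
            stack.extend(parents[g])
        result[udn] = seen
    return result


def nested_only(entries):
    """Assignments a nested-aware import would grant that the direct import misses."""
    direct = direct_memberships(entries)
    nested = nested_memberships(entries)
    gaps = {u: nested[u] - direct.get(u, set()) for u in nested}
    return {u: g for u, g in gaps.items() if g}


if __name__ == "__main__":
    print("direct :", direct_memberships(ENTRIES))
    print("seeAlso:", seealso_memberships(ENTRIES))
    print("missing:", nested_only(ENTRIES))
```

Running nested_only against a copy of your own group tree is a quick way to find the group assignments (here, alice and bob in eng) that you must model directly in member, or with Okta group rules, because the import will not derive them.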

Provisioning

There are no special considerations for eDirectory LDAP integrations.

To create and assign passwords when creating user profiles:

  1. Contact Okta customer support to enable LDAP push password updates.
  2. Disable delegated authentication:
    1. In the Admin Console, go to Security > Delegated Authentication > LDAP.
    2. Click Edit in the Delegated Authentication pane.
    3. Clear the Enable delegated authentication to LDAP checkbox.
    4. Click Save.
    5. Accept the default setting to reset all LDAP user passwords and click Disable LDAP Authentication.
  3. In the Admin Console, go to Directory > Directory Integrations > LDAP > Provisioning > To App.
  4. Click Edit, select Enable next to Sync Password, and click Save.

    When Sync Password is enabled, the LDAP agent sends the action PASSWORD_UPDATE when the user signs in for the first time.

To assign existing Okta users to LDAP:

  1. In the Admin Console, go to Directory > Directory Integrations > LDAP > Provisioning > To App.
  2. Click Edit, select Enable next to Create Users, and click Save.
  3. Go to Directory > Groups.
  4. Select the Okta group to which you want to assign users.
  5. Click Manage Directories.
  6. Select an LDAP instance in the left pane and click Next.
  7. Enter the full distinguished name (DN) for the new user LDAP container in the Provisioning Destination DN field.
  8. Click Confirm Changes.

Troubleshooting

When LDAP delegated authentication fails, the agent log contains entries similar to the following. Compare the failing entry with the success entry to identify the cause:

Agent: Success

POST initiated with result status=SUCCESS, actionType=USER_AUTH_AND_UPDATE, actionId=ADSuirvHXkjvU4It20g3, diagnostic message=, error code=, matched dn=, message=SUCCESS, result code=, vendor=UNDEFINED

Agent: Delauth failure

POST initiated with result status=FAILURE, actionType=USER_AUTH_AND_UPDATE, actionId=ADSzbsNoy4eNjPI090g3, diagnostic message=NDS error: failed authentication (-669), error code=49, matched dn=cn=UserEdirectoryNewOne@edir.com,o=QAUsers,dc=Okta,dc=Com, message=LDAPException(resultCode=49 (invalid credentials), errorMessage='NDS error: failed authentication (-669)', diagnosticMessage='NDS error: failed authentication (-669)'), result code=invalid credentials, vendor=UNDEFINED

Agent: No user

POST initiated with result status=FAILURE, actionType=USER_AUTH_AND_UPDATE, actionId=ADSzbmckuuz7LniPk0g3, diagnostic message=, error code=, matched dn=, message=User not found while executing query: (&(objectclass=inetorgperson)(uid=UserEdirectoryNewOne@edir.com333)), result code=, vendor=UNDEFINED

Agent: Password expired (this example was captured against AD LDS, as vendor=AD_LDS shows; an eDirectory failure carries an NDS error code instead)

POST initiated with result status=FAILURE, actionType=USER_AUTH_AND_UPDATE, actionId=ADSu99dXaoVG7gFjG0g3, diagnostic message=8009030C: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 532, v3839?, error code=49, matched dn=CN=delauth2,CN=\#Users,DC=funnyface,DC=net,DC=local, message=LDAPException(resultCode=49 (invalid credentials), errorMessage='8009030C: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 532, v3839?', diagnosticMessage='8009030C: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 532, v3839?'), result code=invalid credentials, vendor=AD_LDS

Agent: User deactivated (loginDisabled = TRUE)

POST initiated with result status=FAILURE, actionType=USER_AUTH_AND_UPDATE, actionId=ADSzbyLP2YaxpJyKI0g3, diagnostic message=NDS error: log account expired (-220), error code=53, matched dn=cn=UserEdirectoryNewOne@edir.com,o=QAUsers,dc=Okta,dc=Com, message=LDAPException(resultCode=53 (unwilling to perform), errorMessage='NDS error: log account expired (-220)', diagnosticMessage='NDS error: log account expired (-220)'), result code=unwilling to perform, vendor=UNDEFINED
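The following added example (not part of the page or of the Okta agent) runs triage logic over the five log lines shown above: it extracts the named fields without splitting on commas (the message field contains DNs and LDAPException text with their own commas), pulls the NDS error number or the AD LDS bind sub-code out of the diagnostic message, and maps each line to a cause. The NDS code table covers only the codes this page mentions (-669, -220 and -672); the AD LDS sub-codes are the standard AcceptSecurityContext values. The -672 line in the test is constructed.

```python
import re

# Sample entries copied from the agent log excerpts shown on this page.
SAMPLE_LOG = [
    "POST initiated with result status=SUCCESS, actionType=USER_AUTH_AND_UPDATE, "
    "actionId=ADSuirvHXkjvU4It20g3, diagnostic message=, error code=, matched dn=, "
    "message=SUCCESS, result code=, vendor=UNDEFINED",
    "POST initiated with result status=FAILURE, actionType=USER_AUTH_AND_UPDATE, "
    "actionId=ADSzbsNoy4eNjPI090g3, diagnostic message=NDS error: failed authentication (-669), "
    "error code=49, matched dn=cn=UserEdirectoryNewOne@edir.com,o=QAUsers,dc=Okta,dc=Com, "
    "message=LDAPException(resultCode=49 (invalid credentials), errorMessage='NDS error: failed "
    "authentication (-669)', diagnosticMessage='NDS error: failed authentication (-669)'), "
    "result code=invalid credentials, vendor=UNDEFINED",
    "POST initiated with result status=FAILURE, actionType=USER_AUTH_AND_UPDATE, "
    "actionId=ADSzbmckuuz7LniPk0g3, diagnostic message=, error code=, matched dn=, "
    "message=User not found while executing query: "
    "(&(objectclass=inetorgperson)(uid=UserEdirectoryNewOne@edir.com333)), "
    "result code=, vendor=UNDEFINED",
    "POST initiated with result status=FAILURE, actionType=USER_AUTH_AND_UPDATE, "
    "actionId=ADSu99dXaoVG7gFjG0g3, diagnostic message=8009030C: LdapErr: DSID-0C09042A, "
    "comment: AcceptSecurityContext error, data 532, v3839?, error code=49, "
    "matched dn=CN=delauth2,CN=\\#Users,DC=funnyface,DC=net,DC=local, "
    "message=LDAPException(resultCode=49 (invalid credentials), errorMessage='8009030C: LdapErr: "
    "DSID-0C09042A, comment: AcceptSecurityContext error, data 532, v3839?', "
    "diagnosticMessage='8009030C: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, "
    "data 532, v3839?'), result code=invalid credentials, vendor=AD_LDS",
    "POST initiated with result status=FAILURE, actionType=USER_AUTH_AND_UPDATE, "
    "actionId=ADSzbyLP2YaxpJyKI0g3, diagnostic message=NDS error: log account expired (-220), "
    "error code=53, matched dn=cn=UserEdirectoryNewOne@edir.com,o=QAUsers,dc=Okta,dc=Com, "
    "message=LDAPException(resultCode=53 (unwilling to perform), errorMessage='NDS error: log "
    "account expired (-220)', diagnosticMessage='NDS error: log account expired (-220)'), "
    "result code=unwilling to perform, vendor=UNDEFINED",
]

# Named fields we care about; values run up to the next comma.
FIELD_RE = re.compile(r"\b(status|actionType|actionId|error code|result code|vendor)=([^,]*)")
NDS_RE = re.compile(r"NDS error: (?P<text>[^()]+?) \((?P<code>-\d+)\)")
AD_DATA_RE = re.compile(r"AcceptSecurityContext error, data (?P<data>[0-9a-fA-F]+)")

NDS_CODES = {               # eDirectory (NDS) codes mentioned on this page
    -669: "invalid_credentials",   # failed authentication
    -220: "account_disabled",      # log account expired: loginDisabled = TRUE
    -672: "no_access",             # missing ACL for self-service password change
}
AD_DATA_CODES = {           # AD / AD LDS bind sub-codes (hex), for vendor=AD_LDS lines
    "52e": "invalid_credentials",
    "532": "password_expired",
    "533": "account_disabled",
    "701": "account_expired",
    "773": "password_must_change",
}


def parse_line(line: str) -> dict:
    """Extract the fields of one 'POST initiated' line by name."""
    rec = {key: value.strip() for key, value in FIELD_RE.findall(line)}
    nds = NDS_RE.search(line)
    rec["nds_code"] = int(nds.group("code")) if nds else None
    ad = AD_DATA_RE.search(line)
    rec["ad_data"] = ad.group("data").lower() if ad else None
    rec["user_not_found"] = "User not found" in line
    return rec


def classify(rec: dict) -> str:
    if rec.get("status") == "SUCCESS":
        return "success"
    if rec["user_not_found"]:
        return "user_not_found"    # filter matched nothing: check uid and User Object Filter
    if rec["nds_code"] is not None:
        return NDS_CODES.get(rec["nds_code"], f"nds_{rec['nds_code']}")
    if rec["ad_data"] is not None:
        return AD_DATA_CODES.get(rec["ad_data"], f"ad_data_{rec['ad_data']}")
    return "unknown_failure"


def triage(lines):
    """[(actionId, classification)] for every delegated-auth result line."""
    out = []
    for line in lines:
        if "POST initiated with result status=" not in line:
            continue
        rec = parse_line(line)
        out.append((rec.get("actionId", "?"), classify(rec)))
    return out


if __name__ == "__main__":
    for action_id, cause in triage(SAMPLE_LOG):
        print(f"{action_id}  {cause}")
```

Note that the -669 and the AD LDS 532 lines share the same LDAP result code (49, invalid credentials), so keying on error code alone cannot separate a wrong password from an expired one; the vendor-specific text in the diagnostic message is what distinguishes them.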