Expose app groups in the LDAP interface directory information tree
To assist you with your access control decisions, you can define the Okta groups and app groups you want exposed in the LDAP interface directory information tree (DIT).
After exposing app groups, users without administrator permissions who search for their own user entry should use the User Base DN and not the Base DN in their search queries. Users searching for group memberships must use the complete Group DN with the memberOf filter or an empty result is returned.
- In the Admin Console, go to .
- Select an LDAP interface instance and click Edit.
- In the Groups area, select these options:
  - Okta groups — Select this option to expose Okta groups in the LDAP interface DIT.
  - App groups — Select this option to expose app groups in the LDAP interface DIT.
  - Okta groups and app groups — Select this option to expose Okta groups and app groups in the LDAP interface DIT.
  - Group base DN — Non-editable field. Click Clipboard to copy the information to your clipboard.
  - App group base DN — Non-editable field. Click Clipboard to copy the information to your clipboard.
  - App group filter — Select All applications to expose all imported app groups, or select Filter by applications and enter the names of the applications in the field to expose groups imported from specific applications.
- Click Save.
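
The group-membership search described above, as an added example (not Okta's code): it builds the memberOf filter, rejects a group reference that is not a complete DN under an exposed group base DN, and applies RFC 4515 filter escaping. All DNs are constructed placeholders, the function names are hypothetical, and running the memberOf search under the User Base DN is an assumption.

```python
import re

# Constructed placeholder DNs. Copy the real values from the Admin Console
# (Group base DN / App group base DN fields); USER_BASE_DN is also assumed.
USER_BASE_DN = "ou=users,dc=example,dc=com"
GROUP_BASE_DNS = ["ou=groups,dc=example,dc=com", "ou=appgroups,dc=example,dc=com"]

# Characters that RFC 4515 requires to be escaped inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a string for use as an assertion value in an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def _norm(dn):
    """Normalize a DN for comparison only: trim, drop spaces around commas, lowercase."""
    return re.sub(r"\s*,\s*", ",", dn.strip()).lower()


def is_complete_group_dn(group_dn, base_dns=GROUP_BASE_DNS):
    """True if group_dn is a full DN (RDN plus base) under an exposed group base DN."""
    dn = _norm(group_dn)
    for base in map(_norm, base_dns):
        rdn = dn[: -len(base) - 1]
        if dn.endswith("," + base) and re.fullmatch(r"[a-z][a-z0-9-]*=.+", rdn):
            return True
    return False


def membership_search(group_dn, user_base_dn=USER_BASE_DN, base_dns=GROUP_BASE_DNS):
    """Return (search_base, filter) for finding the user entries in one group.

    A bare name such as "Engineering" or a lone RDN such as "cn=Engineering"
    is rejected up front, because an incomplete Group DN in the memberOf
    filter returns an empty result rather than an error.
    """
    if not is_complete_group_dn(group_dn, base_dns):
        raise ValueError("not a complete Group DN: %r" % group_dn)
    return user_base_dn, "(memberOf=%s)" % escape_filter_value(group_dn.strip())
```

Failing closed on an incomplete DN matters when an application treats an empty memberOf result as "not a member": the lookup error is then surfaced instead of silently becoming an access decision.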