Expose app groups in the LDAP interface directory information tree

To assist you with your access control decisions, you can define the Okta groups and app groups you want exposed in the LDAP interface (LDAPi) directory information tree (DIT).

After exposing app groups, admins can use LDAPi to search for users or groups in the org.

Admins can use LDAPi to search for users in the org, and use the memberOf attribute to list the groups that each of those users belongs to. Admins can use LDAPi to search for groups in the org, and use the uniqueMember attribute to list the members of a group.

Admins need to have the View groups and their details permission to successfully retrieve and view group membership information. Otherwise, the admin can only view their own user entry, and no group information is displayed. See Administrators.

  1. In the Admin Console, go to Directory > Directory Integrations.
  2. Select an LDAP interface instance and click Edit.
  3. In the Groups area, select these options:
    • Okta groups: Select this option to expose Okta groups in the LDAP interface DIT.
    • App groups: Select this option to expose app groups in the LDAP interface DIT.
    • Okta groups and app groups: Select this option to expose Okta groups and app groups in the LDAP interface DIT.
    • Group base DN: Non-editable field. Click Clipboard to copy the information to your clipboard.
    • App group base DN: Non-editable field. Click Clipboard to copy the information to your clipboard.
    • App group filter: Select All applications to expose all imported app groups, or select Filter by applications and enter the names of the apps in the field to expose groups imported from specific apps.
  4. Click Save.
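Added example, not Okta's own code: it takes LDIF-style output from the two LDAPi searches described above (users with memberOf, groups with uniqueMember), classifies each group as an Okta group or an app group by which base DN it sits under (the values copied from the Group base DN and App group base DN fields), and reports memberships that appear in only one of the two views, which is what an admin missing the View groups and their details permission, or an incomplete app group filter, would produce. The org name, the `ou=appgroups` naming and every DN are constructed placeholders, and the LDIF strings stand in for what an `ldapsearch` against LDAPi would return.

```python
# Added example (not Okta's code). Cross-checks the memberOf view of users
# against the uniqueMember view of groups; all DNs below are constructed.
GROUP_BASE_DN = "ou=groups,dc=example,dc=okta,dc=com"         # from "Group base DN" field (placeholder)
APP_GROUP_BASE_DN = "ou=appgroups,dc=example,dc=okta,dc=com"  # from "App group base DN" field (placeholder)

# Constructed sample output of a user search that requested memberOf.
USER_LDIF = """\
dn: uid=alice@example.com,ou=users,dc=example,dc=okta,dc=com
memberOf: cn=Everyone,ou=groups,dc=example,dc=okta,dc=com
memberOf: cn=finance-admins,ou=appgroups,dc=example,dc=okta,dc=com

dn: uid=bob@example.com,ou=users,dc=example,dc=okta,dc=com
memberOf: cn=Everyone,ou=groups,dc=example,dc=okta,dc=com
"""

# Constructed sample output of a group search that requested uniqueMember.
GROUP_LDIF = """\
dn: cn=Everyone,ou=groups,dc=example,dc=okta,dc=com
uniqueMember: uid=alice@example.com,ou=users,dc=example,dc=okta,dc=com
uniqueMember: uid=bob@example.com,ou=users,dc=example,dc=okta,dc=com

dn: cn=finance-admins,ou=appgroups,dc=example,dc=okta,dc=com
uniqueMember: uid=alice@example.com,ou=users,dc=example,dc=okta,dc=com
"""

def norm(dn):
    return dn.strip().lower()  # DNs compare case-insensitively; normalise before set ops

def parse_ldif(text, attr):
    """Map each entry DN to the set of values of one multi-valued attribute."""
    entries, dn = {}, None
    for line in text.splitlines():
        if line.startswith("dn: "):
            dn = norm(line[4:])
            entries[dn] = set()
        elif dn is not None and line.lower().startswith(attr.lower() + ": "):
            entries[dn].add(norm(line[len(attr) + 2:]))
    return entries

def group_kind(group_dn):
    # 'app' for groups under the app group base DN, 'okta' under the group base DN
    dn = norm(group_dn)
    for kind, base in (("app", APP_GROUP_BASE_DN), ("okta", GROUP_BASE_DN)):
        if dn.endswith("," + norm(base)):
            return kind
    return "unknown"

def reconcile(user_ldif, group_ldif):
    """Return (pairs seen only via memberOf, pairs seen only via uniqueMember)."""
    via_users = {(u, g) for u, gs in parse_ldif(user_ldif, "memberOf").items() for g in gs}
    via_groups = {(u, g) for g, us in parse_ldif(group_ldif, "uniqueMember").items() for u in us}
    return via_users - via_groups, via_groups - via_users
```

An empty pair of sets from reconcile means both views agree; anything else points at a group the filter or the admin's permissions left out of one side.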