LDAP Interface known limitations

The following are the known limitations of the LDAP Interface:

  • Unix or Linux-based PAM authentication isn't supported.
  • Searching on memberOf results in longer search times.
  • Support for TLS 1.2 only.
  • Only the BIND, UNBIND, and SEARCH operations are supported, plus the StartTLS extended operation.
  • The server allows a page size of 1000 entries. If a result set exceeds the page size, the server returns an LDAP error code instead of the entries. For a large result set, use the Simple Paged Results control. See https://www.ietf.org/rfc/rfc2696.txt.
  • You must use an Okta user ID. If you're using samAccountName as a sign-in value for your apps, authentication fails.
  • For LDAP searches that query uniquemember and memberOf attributes, the LDAP Interface iterates through all pages before returning membership response back to the client.
  • LDAP Interface defines memberOf as a virtual operational attribute. It's returned only if:
    • memberOf is requested in the list of attributes, or
    • All operational attributes are requested using '+'

    Querying the memberOf attribute can affect your org rate limits. To avoid rate limit issues, Okta recommends using the group membership attribute uniqueMember instead. With uniqueMember, the number of API calls scales with the number of groups rather than the number of users.

    Improvements were also made to other operational attributes that are part of the LDAP core schema: hasSubordinates, structuralObjectClass, entryDN, subschemaSubentry, and numSubordinates. Note that numSubordinates isn't calculated for the users and groups containers.

  • Sensitive attributes and LDAP Interface searches: LDAP Interface search filters that reference sensitive attributes or attributes that don't exist in the schema won't return any results.

    For example, if a custom attribute Employee Number is sensitive, then the filter employeenumber=123-45-6789 won't return any results, nor will the filter (|(employeenumber=*)(uniqueIdentifier=*)).

    Additionally, LDAP Interface search filters that reference attributes that aren't in the schema won't return any results. For example, if the attribute xyz doesn't exist in the schema, then the filter xyz=foo won't return any results, nor will the filter (|(xyz=*)(bar=*)).

  • When using Okta Verify multifactor authentication with the LDAP Interface, the IP address reported is the app server IP rather than the client IP, because the client IP can't be forwarded through LDAP.

  • The creation of Okta attributes such as user.uid isn't supported. These attributes can't be retrieved by <uid=user.login> attribute searches: no results are returned when an attribute search is performed and the user profile contains the user.uid attribute.

  • Group administrators, help desk administrators, and custom administrators whose permissions are limited to viewing and managing the users of their assigned groups may experience a timeout when performing user searches.
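
The following is an added example (not Okta's code) of the paging behaviour described in the page-size limitation above: a client loop that sends the RFC 2696 Simple Paged Results control and follows the server's cookie, run against a constructed in-memory stand-in for the server that enforces a 1000-entry page limit. The 2500-entry directory, the DN format, and the cookie encoding are assumptions made for the demonstration.

```python
from typing import Optional

MAX_PAGE = 1000                        # page size the server allows (from the page)
SIZE_LIMIT_EXCEEDED = 4                # LDAP resultCode for an oversized unpaged result
PAGED_OID = "1.2.840.113556.1.4.319"   # RFC 2696 control type (unused here; for reference)

def _ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, otherwise two-byte long form."""
    return bytes([n]) if n < 0x80 else b"\x82" + n.to_bytes(2, "big")

def encode_paged_control(size: int, cookie: bytes = b"") -> bytes:
    """realSearchControlValue ::= SEQUENCE { size INTEGER, cookie OCTET STRING }."""
    size_b = size.to_bytes((size.bit_length() + 8) // 8, "big")  # keeps sign bit clear
    body = b"\x02" + _ber_len(len(size_b)) + size_b + b"\x04" + _ber_len(len(cookie)) + cookie
    return b"\x30" + _ber_len(len(body)) + body

def decode_paged_control(value: bytes):
    """Parse the SEQUENCE back into (size, cookie)."""
    def tlv(buf, pos):
        tag, ln = buf[pos], buf[pos + 1]
        pos += 2
        if ln & 0x80:                                  # long-form length
            k = ln & 0x7F
            ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
        return tag, buf[pos:pos + ln], pos + ln
    tag, body, _ = tlv(value, 0);     assert tag == 0x30
    tag, size_b, pos = tlv(body, 0);  assert tag == 0x02
    tag, cookie, _ = tlv(body, pos);  assert tag == 0x04
    return int.from_bytes(size_b, "big"), cookie

# Constructed directory: 2500 entries, more than fit in one 1000-entry page.
DIRECTORY = [f"uid=user{i},ou=users,dc=example,dc=okta,dc=com" for i in range(2500)]

def server_search(control: Optional[bytes]):
    """Stand-in server: returns (resultCode, entries, response control or None)."""
    if control is None:                                # unpaged search
        if len(DIRECTORY) > MAX_PAGE:
            return SIZE_LIMIT_EXCEEDED, [], None       # too large: error, no entries
        return 0, list(DIRECTORY), None
    size, cookie = decode_paged_control(control)
    start = int.from_bytes(cookie, "big") if cookie else 0   # assumed cookie = offset
    end = min(start + min(size, MAX_PAGE), len(DIRECTORY))   # server caps page at 1000
    next_cookie = end.to_bytes(4, "big") if end < len(DIRECTORY) else b""
    return 0, DIRECTORY[start:end], encode_paged_control(0, next_cookie)

def paged_search(page_size: int = MAX_PAGE):
    """Client loop: resend the control with the returned cookie until it comes back empty."""
    entries, cookie, pages = [], b"", 0
    while True:
        code, page, resp = server_search(encode_paged_control(page_size, cookie))
        if code != 0:
            raise RuntimeError(f"LDAP resultCode {code}")
        entries.extend(page); pages += 1
        _, cookie = decode_paged_control(resp)
        if not cookie:
            return entries, pages                      # all pages collected
```

Requesting a page size larger than 1000 is harmless here: the server simply caps each page, so the client still needs three round trips for 2500 entries.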