OpenDJ LDAP integration reference

This topic provides reference information specific to OpenDJ Lightweight Directory Access Protocol (LDAP) integrations. When you're installing the Okta LDAP Agent, you'll need this information to integrate your OpenDJ directory with Okta. See Install the Okta LDAP Agent.

Recommended version

OpenDJ Community Edition 2.6.4

Known issues

  • Users requesting a self password reset and who are required to change their password after it is reset by an admin, must provide their new password twice to access the Okta End-User Dashboard.

  • When the provisioning settings indicate Do nothing when users are deactivated, users remain active in Okta. When a single source provides user profile attributes, deactivated users are disconnected from the source and Okta becomes the source for user profile attributes

Integration configuration

During the initial agent install and configuration documented in Install the Okta LDAP Agent, these are the attributes for OpenDJ integrations:

  • Unique Identifier Attribute - entryuuid
  • DN Attribute - entrydn
  • User Object Class - inetorgperson
  • User Object Filter - (objectclass=inetorgperson)
  • *Account Disabled Attribute - ds-pwp-account-disabled
  • *Account Disabled Value - TRUE
  • *Account Enabled Value - FALSE
  • Password Attribute - userpassword
  • Group Object Class - groupofuniquenames
  • Group Object Filter - (objectclass=groupofuniquenames)
  • Member Attribute - uniquemember
  • Password Expiration Attribute - ds-pwp-password-expiration-time

Schema read

There are no special considerations for OpenDJ integrations.

To add attributes from AUX classes, add the auxiliary class as an Auxiliary Object Class to the directory provisioning configuration.

Password change

Users trigger a password change by selecting Settings on the Okta end user dashboard.

To allow users to change or reset their password, click Security > Delegated Authentication , select the LDAP tab, and then select Users can change their LDAP passwords in Okta.

You can configure settings such as password length and expiration on your LDAP instance.

Password update operations that fail are parsed by Okta and the error message appears in the Delegated Authentication page.

Password reset

Password reset is triggered by an administrator or the User Forgot Password flow.

Password reset can fail if the new password does not meet the password policy criteria.

Users cannot update expired passwords. Expired passwords must be reset by an administrator.

Password validation

Use the pwdPolicy object class to implement OpenDJ specific password policies.

If you do not specify OpenDJ password validators for your password policy, there are no restrictions on password length or permissible characters.

Import

Users or groups created in OpenDJ are not included in an incremental import until the first user profile change is detected.

JIT provisioning

There are no special considerations for OpenDJ Just In Time (JIT) provisioning. For user identification (UID), use an email format to match the default setting for an Okta username. Do not use an external identity provider (IDP) to trigger sign in.

To make sure that JIT provisioning is successful the first time:

  • the value of the configured naming attribute (such as UID) must not exist in Okta.
  • the value of the configured naming attribute (such as UID) must be unique in all JIT-enabled directories.
  • the required attributes must present. The Okta defaults are email, givenName, sn, and uid.
  • the password must be correct.
  • the Account Disabled Attribute must be set to false on the LDAP server.

When JIT provisioning completes successfully, all of the user attributes specified on the LDAP settings page and in the Profile Editor are imported. To select additional mandatory attributes, use the Profile Editor.

Membership import

User profiles with OpenDJ settings are added to groups with the object class groupofuniquenames and assigned the uniquemember group attribute.

Provisioning

If you do not specify OpenDJ password validators for your password policy, there are no restrictions on password length or permissible characters.

To create and assign passwords when creating user profiles:

  1. Contact Okta customer support to enable LDAP push password updates.
  2. Disable delegated authentication:
    1. In the Admin Console, go to Security > Delegated Authentication > LDAP.
    2. Click Edit in the Delegated Authentication pane.
    3. Clear the Enable delegated authentication to LDAP check box.
    4. Click Save.
    5. Accept the default setting to reset all LDAP user passwords and click Disable LDAP Authentication.
  3. In the Admin Console, go to Directory > Directory Integrations > LDAP > Provisioning > To App.
  4. Click Edit, select Enable next to Sync Password, and click Save.

    5. When Sync Password is enabled, the LDAP agent sends the action PASSWORD_UPDATE when the user signs in for the first time.

To assign existing Okta users to LDAP:

  1. In the Admin Console, go to Directory > Directory Integrations > LDAP > Provisioning > To App.
  2. Click Edit, select Enable next to Create Users, and click Save.
  3. Click Directory > Groups.
  4. Select the Okta group to which you want to assign users.
  5. Click Manage Directories.
  6. Select an LDAP instance in the left pane and click Next.
  7. Enter the full distinguished name (DN) for the new user LDAP container in the Provisioning Destination DN field.
  8. Click Confirm Changes.

Troubleshooting

If LDAP directory authentication fails, the agent logs display messages similar to the following to assist with diagnosis and resolution:

Agent: Success

scanResults are sent with user+group info POST initiated with result status=SUCCESS, actionType=USER_AUTH_AND_UPDATE, diagnostic message=, error code=, matched dn=, message=SUCCESS, result code=, vendor=OPEN_DJ

Agent: Delauth failure

POST initiated with result status=FAILURE, actionType=USER_AUTH_AND_UPDATE, actionId=ADSv0hR8zflMGGeUY0g3, diagnostic message=, error code=49, matched dn=cn=LynxyForChange,cn=GroupForUser4Level,cn=GroupForUser3Level, cn=GroupForUser2Level,cn=GroupForUser1Level,ou=LynxySpecificUsers,ou=LynxyUsers, dc=example,dc=com, message=LDAPException(resultCode=49 (invalid credentials), errorMessage='invalid credentials'), result code=invalid credentials, vendor=OPEN_DJ

Agent: No user

POST initiated with result status=FAILURE, actionType=USER_AUTH_AND_UPDATE, actionId=ADSv0bQoITDYU63b80g3, diagnostic message=, error code=, matched dn=, message=User not found while executing query: (&(objectclass=inetorgperson)(uid=test@test.com)), result code=, vendor=OPEN_DJ

Agent: Password Expired

POST initiated with result status=FAILURE, actionType=USER_AUTH_AND_UPDATE, actionId=ADSv091Tx5GPJsUxV0g3, diagnostic message=, error code=49, matched dn=cn=LynxyForChange,cn=GroupForUser4Level,cn=GroupForUser3Level, cn=GroupForUser2Level,cn=GroupForUser1Level,ou=LynxySpecificUsers,ou=LynxyUsers, dc=example,dc=com, message=LDAPException(resultCode=49 (invalid credentials), errorMessage='invalid credentials', responseControls={PasswordExpiredControl(isCritical=false)}), result code=PASSWORD_EXPIRED, vendor=OPEN_DJ

Agent: Locked Out or Disabled

OpenDJ doesn't have specific error code for account that was locked. In case when pwdAccountLockedTime more than current time - response code will be the same as in case with incorrect password (49 (invalid credentials))

POST initiated with result status=FAILURE, actionType=USER_AUTH_AND_UPDATE, actionId=ADSv0pY84CfDLi2Jc0g3, diagnostic message=, error code=49, matched dn=cn=LynxyForChange,cn=GroupForUser4Level,cn=GroupForUser3Level,cn=GroupForUser2Level, cn=GroupForUser1Level,ou=LynxySpecificUsers,ou=LynxyUsers,dc=example,dc=com, message=LDAPException(resultCode=49 (invalid credentials), errorMessage='invalid credentials'), result code=invalid credentials, vendor=OPEN_DJ