Prerequisites
- An Okta Super admin account to connect the agent with your Okta org
- An LDAP user to perform binds and queries from the agent to your LDAP directory. This user must be able to look up users, groups, and roles in the Directory Information Tree (DIT)
- The modifyTimestamp attribute indexed on your LDAP server. This improves the performance of incremental imports
- The Okta LDAP agent is available for both Windows and Linux. On Windows, a set of Registry modifications is required before installing the agent (see Modifying the Registry below)
Agent Requirements
You can use a Windows or Linux agent to connect LDAP with your Okta org. If you're upgrading from a version 4.x agent or earlier to a version 5.x agent, uninstall the old agent before installing the new one.
Windows agent requirements
- The host server must be running Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, or Windows Server 2022
- The Windows server must be able to reach the LDAP host and port
- The TLS 1.2 security protocol must be enabled with the registry key settings listed under Modifying the Registry below
Linux agent requirements
- The Linux agent must be installed on an RPM-based Linux distribution, such as CentOS or Red Hat
- DPKG-based Linux distributions, such as Debian or Ubuntu, are also supported
Modifying the Registry
- On a Windows device, launch the Registry Editor.
- Enable the TLS 1.2 security protocol by creating the necessary registry keys and values: the TLS 1.2 key, its Client and Server subkeys, and the Enabled and DisabledByDefault values under each subkey, as follows.
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server] "Enabled"=dword:00000001
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server] "DisabledByDefault"=dword:00000000
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client] "Enabled"=dword:00000001
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client] "DisabledByDefault"=dword:00000000
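The same four registry values can be applied and read back from an elevated PowerShell session instead of the Registry Editor. This is an added example, not a script from JumpCloud or Okta; it writes exactly the keys and values listed above and then reports whether each subkey carries Enabled=1 and DisabledByDefault=0, which is useful for checking an agent host before installation or after a hardening baseline has been applied.

```powershell
# Added example (not JumpCloud's or Okta's code). Creates the SCHANNEL TLS 1.2
# Server and Client subkeys from this page idempotently and verifies them.
# Run as an administrator; SCHANNEL settings are generally picked up after a restart.
$Tls12Base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'

function Set-Tls12SchannelKeys {
    foreach ($side in 'Server', 'Client') {
        $path = Join-Path $Tls12Base $side
        # -Force creates the missing "TLS 1.2" parent key and leaves existing keys intact.
        New-Item -Path $path -Force | Out-Null
        New-ItemProperty -Path $path -Name 'Enabled'           -Value 1 -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $path -Name 'DisabledByDefault' -Value 0 -PropertyType DWord -Force | Out-Null
    }
}

function Test-Tls12SchannelKeys {
    # Emits one row per subkey; Compliant is $true only when both values match the page.
    foreach ($side in 'Server', 'Client') {
        $path  = Join-Path $Tls12Base $side
        $props = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Key               = $path
            Enabled           = $props.Enabled
            DisabledByDefault = $props.DisabledByDefault
            Compliant         = ($props.Enabled -eq 1) -and ($props.DisabledByDefault -eq 0)
        }
    }
}

Set-Tls12SchannelKeys
Test-Tls12SchannelKeys | Format-Table -AutoSize
```

Test-Tls12SchannelKeys can be run on its own to audit a host without changing anything; a missing value shows as blank and Compliant as False.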
Installing the Okta LDAP Agent
- In the Okta Admin Console, navigate to Directory Integrations and click Add LDAP Directory.
- After configuring the Registry keys, return to the Okta Admin Console and select Setup LDAP.
- Navigate to Download Agent > Download EXE Installer.
Configuring the Okta LDAP Service
- Launch the Okta LDAP Agent installer and follow the installation steps until you arrive at the LDAP Configuration stage, as illustrated below:
Configuring JumpCloud’s Hosted LDAP Service with Okta LDAP Agent
- To integrate JumpCloud’s LDAP service for authentication via the Okta LDAP Agent, adjust the following settings:
- LDAP Server: Specify as ldap.jumpcloud.com:636
- Root DN: Set to ou=Users,o=YOUR_ORG_ID,dc=jumpcloud,dc=com
- Bind DN: Use uid=LDAP_BIND_USER,ou=Users,o=YOUR_ORG_ID,dc=jumpcloud,dc=com
- Bind Password: Enter the password for LDAP_BIND_USER
- SSL Connection: Turn on SSL
- SSL Port: Set to 636
- Disable the option Use FIPS certified encryption algorithms only
- Proceed by clicking Next
- Deselect the Use Proxy Server option and click Next
- Locate your Okta Org URL. It appears in your web browser’s address bar while you are logged in to your Okta tenant, and Okta also shows it on the Setup Wizard page in the Admin Console.
- Paste the URL into the designated Okta Org URL field, and click Next.
- When prompted, enter your Okta username and password.
- Click Allow Access and then click Finish.
Configuring LDAP Directory Mappings for the Okta Admin Console
Version
- LDAP Version: OpenLDAP
Objects
- Unique Identifier Attribute: entrydn
- DN Attribute: entrydn
Users
- User Search Base: ou=Users,o=YOUR_ORG_ID,dc=jumpcloud,dc=com
- User Object Class: inetorgperson
- User Object Filter: (objectclass=inetorgperson)
- Account Disabled Attribute: pwdlock
- Account Disabled Value: true
- Password Attribute: userpassword
Group
- Group Search Base: ou=Users,o=YOUR_ORG_ID,dc=jumpcloud,dc=com
- Group Object Class: groupofnames
- Group Object Filter: (objectclass=groupofnames)
- Member Attribute: member
- User Attribute: memberof
Role
- Object Class: groupofnames
- Membership Attribute: memberof
Validating Configurations
- Okta username format: email
- Example username: [email protected]
Note:
Use any email address associated with the user's JumpCloud account. The user must also be bound to LDAP, either directly or through membership in a user group that is bound to LDAP. This test confirms that Okta can query an existing JumpCloud user through the Okta LDAP Agent.
- Click Test Configuration and, if the test succeeds, click Next.
- The next page should show LDAP Is now Integrated with Okta.
- Click Done.
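When Test Configuration fails, the wizard gives little detail. The following added script (not JumpCloud's or Okta's code) reproduces the check from the agent host with the same connection settings as the LDAP Configuration page (ldap.jumpcloud.com, SSL, port 636, the Root DN and Bind DN above) and the searches implied by the mapping section: the inetorgperson filter keyed by the mail address Okta uses as the username, the pwdlock value that maps to Account Disabled, and the groupofnames membership cross-checked against the user's memberof attribute. YOUR_ORG_ID and LDAP_BIND_USER are the placeholders from this page; $TestEmail is an assumed placeholder for the address you would enter in the wizard.

```powershell
# Added example, not code from JumpCloud or Okta. Binds to JumpCloud LDAP exactly as
# the Okta LDAP Agent is configured above and runs the user and group lookups the
# mapping section relies on, so a failed Test Configuration can be narrowed to
# credentials, search base, or LDAP binding of the user/group.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$OrgId     = 'YOUR_ORG_ID'              # placeholder from this page
$BindUser  = 'LDAP_BIND_USER'           # placeholder from this page
$TestEmail = 'someone@example.com'      # assumed placeholder: a JumpCloud user bound to LDAP
$BaseDn    = "ou=Users,o=$OrgId,dc=jumpcloud,dc=com"
$BindDn    = "uid=$BindUser,$BaseDn"

function ConvertTo-LdapFilterValue([string]$Value) {
    # RFC 4515 escaping so a test value cannot change the structure of the filter.
    $Value = $Value -replace '\\', '\5c'
    $Value = $Value -replace '\*', '\2a'
    $Value = $Value -replace '\(', '\28'
    $Value = $Value -replace '\)', '\29'
    return ($Value -replace "`0", '\00')
}

function Connect-JumpCloudLdap([string]$Dn, [securestring]$Password) {
    # Same endpoint as the wizard: LDAP Server ldap.jumpcloud.com:636 with SSL on.
    $server = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier('ldap.jumpcloud.com', 636)
    $cred   = New-Object System.Net.NetworkCredential($Dn, $Password)
    $conn   = New-Object System.DirectoryServices.Protocols.LdapConnection(
        $server, $cred, [System.DirectoryServices.Protocols.AuthType]::Basic)
    $conn.SessionOptions.SecureSocketLayer = $true
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.Bind()   # throws LdapException when the Bind DN or password is wrong
    return $conn
}

function Search-Ldap($Conn, [string]$Filter, [string[]]$Attributes) {
    # Subtree search under the Root DN / User Search Base / Group Search Base (all identical here).
    $req = New-Object System.DirectoryServices.Protocols.SearchRequest(
        $BaseDn, $Filter, [System.DirectoryServices.Protocols.SearchScope]::Subtree, $Attributes)
    return @($Conn.SendRequest($req).Entries)
}

function Get-AttributeValues($Entry, [string]$Name) {
    $attr = $Entry.Attributes[$Name]
    if ($null -eq $attr) { return @() }
    return @($attr.GetValues([string]))
}

$password = Read-Host -AsSecureString "Password for $BindDn"
$conn = Connect-JumpCloudLdap $BindDn $password
try {
    # 1. User lookup: the page's User Object Filter plus the email Okta uses as the username.
    $userFilter = "(&(objectclass=inetorgperson)(mail=$(ConvertTo-LdapFilterValue $TestEmail)))"
    $users = Search-Ldap $conn $userFilter @('entrydn', 'uid', 'mail', 'pwdlock', 'memberof')
    if ($users.Count -ne 1) {
        throw "Expected 1 inetorgperson with mail=$TestEmail under $BaseDn, found $($users.Count). Check the user is bound to LDAP."
    }
    $user = $users[0]
    "User DN:   $($user.DistinguishedName)"
    # pwdlock=true is the Account Disabled Attribute/Value pair in the mapping.
    $disabled = (Get-AttributeValues $user 'pwdlock') -contains 'true'
    "Disabled:  $disabled"

    # 2. Group lookup: groupofnames entries whose member attribute holds the user DN,
    #    cross-checked against the user's memberof (the mapping's User Attribute).
    $groupFilter = "(&(objectclass=groupofnames)(member=$(ConvertTo-LdapFilterValue $user.DistinguishedName)))"
    $groups   = Search-Ldap $conn $groupFilter @('cn', 'member')
    $memberOf = Get-AttributeValues $user 'memberof'
    "Groups via member:   $($groups.Count)"
    "Groups via memberof: $($memberOf.Count)"
    foreach ($g in $groups) {
        $consistent = $memberOf -contains $g.DistinguishedName
        "  $($g.DistinguishedName)  memberof-consistent=$consistent"
    }
}
finally {
    $conn.Dispose()
}
```

A bind failure points at the Bind DN or password; zero users points at the search base or an unbound JumpCloud user; a group count of zero with a successful user lookup means the user's groups are not bound to LDAP, which is the condition the Note above describes. The bind password is read as a SecureString so it does not sit in the shell history.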