Okta provides a point-and-click method to include or exclude Organizational Units (OUs) in an Active Directory (AD) integration. Selecting hundreds of individual OUs in large environments presents challenges, so administrators may choose to use the Early Access feature AD LDAP Filter to include or exclude specific OUs directly using a Lightweight Directory Access Protocol (LDAP) query. This method streamlines the process of importing users and groups into Okta from AD and functions properly with Just-In-Time (JIT) Provisioning events.
How can Active Directory LDAP filters be used to include or exclude Organizational Units?
NOTE: The Okta Support team cannot assist with designing LDAP queries. This guide provides best-effort examples to address hierarchically large AD environments.
Confirm that the AD LDAP Filter feature is active before continuing. The User Filter and Group Filter options appear on the OU selection page of the AD integration only when this feature is enabled. Contact Support to enable this feature if necessary.
Use the following guidelines to configure the AD LDAP Filter:
- Select the highest possible OU(s) when using the AD LDAP Filter feature (for example, choose the root of the forest or the topmost OUs for Users and/or Groups).
- Use the attribute msDS-parentdistname in the User Filter or Group Filter to explicitly include or exclude an OU in an LDAP query.
NOTE: The msDS-parentdistname attribute requires a Domain Functional Level of 2012 or higher.
Review the following examples for user filters:
- To include only:
  (&(sAMAccountType=805306368)(msDS-parentdistname=OU=ParentOU,DC=domain,DC=com))
- To exclude only:
  (&(sAMAccountType=805306368)(!(msDS-parentdistname=OU=ParentOU,DC=domain,DC=com)))
Review the following examples for group filters:
- To include only:
  (&(objectCategory=group)(msDS-parentdistname=OU=ParentOU,DC=domain,DC=com))
- To exclude only:
  (&(objectCategory=group)(!(msDS-parentdistname=OU=ParentOU,DC=domain,DC=com)))
NOTE: AD does not support extensible match rules. Because no extensible matching is performed, the filter includes or excludes only the users or groups whose immediate parent is the named OU. To include or exclude child OUs, the query must name each of them explicitly as well.
Review the following advanced examples for user filters with child OUs:
- To include only:
  (&(sAMAccountType=805306368)(|(msDS-parentdistname=OU=ParentOU,DC=domain,DC=com)(msDS-parentdistname=OU=Child1,OU=ParentOU,DC=domain,DC=com)(msDS-parentdistname=OU=SubChild,OU=Child1,OU=ParentOU,DC=domain,DC=com)(msDS-parentdistname=OU=Child2,OU=ParentOU,DC=domain,DC=com)))
- To exclude only:
  (&(sAMAccountType=805306368)(!(|(msDS-parentdistname=OU=ParentOU,DC=domain,DC=com)(msDS-parentdistname=OU=Child1,OU=ParentOU,DC=domain,DC=com)(msDS-parentdistname=OU=SubChild,OU=Child1,OU=ParentOU,DC=domain,DC=com)(msDS-parentdistname=OU=Child2,OU=ParentOU,DC=domain,DC=com))))
Review the following advanced examples for group filters with child OUs:
- To include only:
  (&(objectCategory=group)(|(msDS-parentdistname=OU=ParentOU,DC=domain,DC=com)(msDS-parentdistname=OU=Child1,OU=ParentOU,DC=domain,DC=com)(msDS-parentdistname=OU=SubChild,OU=Child1,OU=ParentOU,DC=domain,DC=com)(msDS-parentdistname=OU=Child2,OU=ParentOU,DC=domain,DC=com)))
- To exclude only:
  (&(objectCategory=group)(!(|(msDS-parentdistname=OU=ParentOU,DC=domain,DC=com)(msDS-parentdistname=OU=Child1,OU=ParentOU,DC=domain,DC=com)(msDS-parentdistname=OU=SubChild,OU=Child1,OU=ParentOU,DC=domain,DC=com)(msDS-parentdistname=OU=Child2,OU=ParentOU,DC=domain,DC=com))))
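Because every child OU must be named explicitly, hand-writing these filters for a deep hierarchy is error-prone. The following added example (not Okta's code) takes an exported list of OU distinguished names, selects the parent OU and everything beneath it, and emits the include or exclude filter in the shape shown above; the OU inventory is constructed sample data for the page's domain.com, and the function names are this example's own. It also escapes parentheses, asterisks and backslashes in OU names per RFC 4515, which the page's examples do not need but a real OU such as "Sales (EMEA)" does.

```python
# Build Okta AD LDAP Filter strings that name a parent OU and every OU beneath it
# explicitly, because msDS-parentdistname only matches an object's immediate parent.

USER_BASE = "(sAMAccountType=805306368)"   # user objects, as on the page
GROUP_BASE = "(objectCategory=group)"       # group objects, as on the page

# RFC 4515 escaping for filter values; an OU named "Sales (EMEA)" would otherwise
# unbalance the filter's parentheses and make the whole filter invalid.
_ESCAPE = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPE.get(ch, ch) for ch in value)


def _dn_components(dn: str) -> list[str]:
    # Lower-cased RDN list for suffix comparison; assumes no escaped commas in RDNs.
    return [part.strip().lower() for part in dn.split(",")]


def select_subtree(parent_dn: str, all_ou_dns: list[str]) -> list[str]:
    """Return parent_dn plus every DN beneath it, in hierarchical (depth-first) order."""
    parent = _dn_components(parent_dn)
    seen: dict[tuple[str, ...], str] = {}
    for dn in [parent_dn, *all_ou_dns]:
        comps = _dn_components(dn)
        if comps[-len(parent):] == parent and tuple(comps) not in seen:
            seen[tuple(comps)] = dn
    return sorted(seen.values(), key=lambda d: tuple(reversed(_dn_components(d))))


def build_filter(base: str, ou_dns: list[str], exclude: bool = False) -> str:
    """AND the object-class term with one msDS-parentdistname term per OU (OR-ed when
    there is more than one); wrap in NOT for an exclude filter."""
    terms = "".join(f"(msDS-parentdistname={escape_filter_value(dn)})" for dn in ou_dns)
    clause = terms if len(ou_dns) == 1 else f"(|{terms})"
    if exclude:
        clause = f"(!{clause})"
    return f"(&{base}{clause})"


# Constructed sample OU inventory for the assumed domain "domain.com"; in a real
# environment export it first (for example with Get-ADOrganizationalUnit).
SAMPLE_OUS = [
    "OU=ParentOU,DC=domain,DC=com",
    "OU=Child1,OU=ParentOU,DC=domain,DC=com",
    "OU=SubChild,OU=Child1,OU=ParentOU,DC=domain,DC=com",
    "OU=Child2,OU=ParentOU,DC=domain,DC=com",
    "OU=Sales (EMEA),OU=Child2,OU=ParentOU,DC=domain,DC=com",
    "OU=OtherOU,DC=domain,DC=com",   # outside the subtree; must be left out
]

if __name__ == "__main__":
    subtree = select_subtree("OU=ParentOU,DC=domain,DC=com", SAMPLE_OUS)
    print(build_filter(USER_BASE, subtree))
    print(build_filter(GROUP_BASE, subtree, exclude=True))
```

Paste the printed string into the User Filter or Group Filter field; the `(!(|...))` form is the exclude variant shown above.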
