LDAP Import Adds or Removes Group Membership Unexpectedly
Jan 8, 2026
Okta Classic Engine
Directories
Okta Identity Engine
Overview
This article explains a potential cause for unexpected group removals or additions during LDAP imports.
Applies To
- LDAP import
- Group Membership
- Directory
Cause
User Object Filter and Group Object Filter are configured with the same objectClass value. For example, each value is set to (objectClass=top). While both User and Group object classes can belong to this objectClass, Okta does not support using the same objectClass for both user and group.
Solution
Navigate to the LDAP integration in Okta > select Provisioning > Integration and change the value for either User Object Filter or Group Object Filter to a more specific objectClass. Once the configuration is tested and saved, run an import.
