Issues Connecting to the Okta LDAP Interface Over Port 389
Overview

Attempts to connect to the Okta LDAP interface, [subdomain].ldap.okta.com, over port 389 have not been successful.

Applies To
  • Directories
  • LDAP Interface (LDAPi)
  • StartTLS
Cause

The Okta LDAP Interface requires BIND attempts over port 389 to use StartTLS for encryption.

Solution

Follow the steps below.

NOTE: Okta Support cannot assist with the configuration or customizations of any 3rd party application that is unable to connect to the Okta LDAP Interface. Please reach out to the vendor that provides the application for assistance with that type of configuration.

Validate the connection to the Okta LDAP Interface over port 389 by running ldapsearch from a Mac or Linux terminal with the -ZZ switch, which issues StartTLS and aborts unless the TLS negotiation succeeds before the BIND. See the example below.

  1. Replace each instance of [subdomain] with the Okta subdomain.
  2. Replace [user@domain.com] with the full Okta user login of the LDAP Interface read-only Admin account.
  3. Change "firstName" to the name of a user known to be active in Okta. Keep the wildcard (*) character.

ldapsearch -ZZ -H ldap://[subdomain].ldap.okta.com:389 -D "uid=[user@domain.com],ou=users,dc=[subdomain],dc=okta,dc=com" -W -b "dc=[subdomain],dc=okta,dc=com" "(uid=firstName*)"


If the Read-only Admin Okta account used to bind to the Okta LDAP Interface is set up to use MFA, separate the password and the MFA code with a comma. For Push MFA, add a comma and the word push:

Example: 

  • Enter LDAP Password: mypassword,123456
  • Enter LDAP Password: mypassword,push
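The same check done from a client application instead of ldapsearch, as an added example that is not Okta's code: it opens port 389 in the clear, upgrades the session with StartTLS (the ldap3 equivalent of -ZZ), and only then BINDs with the MFA-suffixed password from the Example above. It assumes the Python ldap3 library for the network part; the pure helper functions work without it, and the prefix passed to the uid filter is escaped so a caller-supplied name cannot add filter terms.

```python
import ssl
from typing import List, Optional

# Characters that must be escaped inside an LDAP filter value (RFC 4515).
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def bind_dn(subdomain: str, login: str) -> str:
    """DN of an Okta user on the LDAP Interface: uid=<login>,ou=users,dc=<subdomain>,dc=okta,dc=com."""
    return f"uid={login},ou=users,dc={subdomain},dc=okta,dc=com"


def base_dn(subdomain: str) -> str:
    """Search base of the tenant on the LDAP Interface."""
    return f"dc={subdomain},dc=okta,dc=com"


def bind_password(password: str, mfa: Optional[str] = None) -> str:
    """Okta expects '<password>,<otp>' or '<password>,push' when the bind account uses MFA."""
    return password if mfa is None else f"{password},{mfa}"


def escape_filter_value(value: str) -> str:
    """Escape a caller-supplied value so it cannot inject extra terms into the filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def uid_prefix_filter(prefix: str) -> str:
    """(uid=<prefix>*): the article's firstName* search, with the prefix escaped."""
    return f"(uid={escape_filter_value(prefix)}*)"


def search_users(subdomain: str, login: str, password: str, prefix: str,
                 mfa: Optional[str] = None) -> List[str]:
    """Connect on 389, StartTLS, then BIND and search. Requires 'pip install ldap3'."""
    from ldap3 import Connection, Server, Tls  # imported here so the helpers above work without ldap3

    tls = Tls(validate=ssl.CERT_REQUIRED)  # verify the server certificate once StartTLS is up
    server = Server(f"{subdomain}.ldap.okta.com", port=389, use_ssl=False, tls=tls)
    conn = Connection(server, user=bind_dn(subdomain, login),
                      password=bind_password(password, mfa))
    conn.open()
    if not conn.start_tls():  # same contract as ldapsearch -ZZ: stop if StartTLS is refused
        raise RuntimeError(f"StartTLS failed: {conn.result}")
    if not conn.bind():       # BIND only after the channel is encrypted
        raise RuntimeError(f"BIND failed: {conn.result}")
    conn.search(base_dn(subdomain), uid_prefix_filter(prefix), attributes=["uid"])
    return [entry.entry_dn for entry in conn.entries]
```

Call it as search_users("[subdomain]", "[user@domain.com]", "mypassword", "firstName", mfa="push") or with mfa="123456" for an OTP; a BIND that fails without StartTLS is the symptom this article describes.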