<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content
System Status
Announcements
Announcements
Search
Search
Select Language
Knowledge Base
Knowledge Articles
Support Videos ↗
Documentation
Product Documentation ↗
Developer Documentation ↗
Product Release Notes ↗
Community
Events & Webinars
Okta Ideas ↗
Resources
Product Hub
Customer Success Hub
Product Release Update
Learning
Okta Learning ↗
Get Support
Open a Case
HomeKnowledge Base

How Okta LDAP Incremental Imports Work

Last Updated:

Okta Classic Engine
Directories
Okta Identity Engine

Overview

An incremental LDAP import captures directory changes that occur only after the last import. Okta uses time stamp-based change tracking via the modifyTimestamp attribute to identify these changes, which significantly reduces import times compared to a full import.

Applies To

  • Okta Identity Engine (OIE)
  • Okta Classic Engine
  • LDAP
  • Imports

Solution

An Incremental import captures changes in the directory that have occurred only since the last import was performed. Okta runs all scheduled LDAP imports incrementally by default. Administrators can also run an incremental import manually. 

 

Okta supports only time stamp-based change tracking for LDAP integrations. To identify changes made since the last import, the LDAP agent uses the modifyTimestamp attribute, which records the last time the directory object was modified.

 

When an incremental import begins, Okta sends LDAP queries to the directory via the LDAP agent. These queries combine the relevant object filter (User Object Filter or Group Object Filter) configured in the directory settings (Directory > Directory Integrations > [LDAP Instance Name] > Provisioning > Integration) and a search for a modifyTimestamp value greater than the highest value present in the directory during the last import.

 

Review the following examples of user and group queries that Okta generates during an incremental import.

 

User Query:

(&(objectclass=inetorgperson)(modifyTimeStamp>=20260527155548.000Z))

 

Group Query:

(&(objectclass=groupOfUniqueNames)(modifyTimeStamp>=20260527155548.000Z))

 

The modifyTimestamp value specified in the queries represents the maximum modifyTimestamp value present in the directory at the time of the last import. A modifyTimestamp value on a user or group object greater than the maximum value indicates an update to the object since the last import, prompting Okta to include it in the current import action.

 

A full import ignores the modifyTimestamp value of an object. Okta imports or updates any directory object that matches the configured object filter for the directory integration during a full import. As a result, a full import generally takes significantly longer to complete than an incremental import.

Related References

Recommended content

Still looking for help?
Loading
Okta Support - How Okta LDAP Incremental Imports Work