This article provides a solution to the connection issue affecting the LDAP Agent, version 5.22.0 and above, when the host clock is out of sync.
- LDAP Agent versions 5.22.0 and up
- LDAP
- Windows
Starting with version 5.22.0, the LDAP Agent, like the AD Agent version 3.18 and above, uses OAuth 2.0 authentication to verify its connection to the Okta Org. Previous versions instead used a persistent API token carrying all the permissions of the Okta Administrator who granted the Agent access to the Org.
As with the AD Agent, one of the following errors will appear in the System Log for the OpenID Connect (OIDC) token request, depending on the direction of the time skew:
- token_timestamp_invalid
- FAILURE: invalid_dpop_proof_jwt_issued_in_future
- FAILURE: invalid_dpop_proof_jwt_too_old
These errors will also appear in the Okta LDAP Agent logs:
"Unexpected response status (400 BadRequest) for request URI
Response from server: {"error":"invalid_dpop_proof","error_description":"The DPoP proof JWT is issued in the future."}
Could not fetch a new access token"
The maximum allowable clock skew for a successful OAuth token request is 30 seconds. This value is subject to change.
To determine the clock skew, compare the local server time to the Official U.S. Time.
As in the case of the AD Agent, to resolve this, sync the member server to any standard NTP server.
Using an elevated command prompt (CMD), type the following and press Enter:
w32tm /resync
If the above does not adequately sync to NTP time, perform the following using an elevated CMD window:
net stop w32time
w32tm /config /syncfromflags:manual /manualpeerlist:"0.it.pool.ntp.org 1.it.pool.ntp.org 2.it.pool.ntp.org 3.it.pool.ntp.org"
net start w32time
w32tm /config /update
w32tm /resync /rediscover
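The following PowerShell script is an added example and is not part of the Okta article: it measures the local clock offset against an NTP server with w32tm, compares it to the 30-second limit described above, and applies the article's resync steps only when the limit is exceeded. The NTP server, sample count and threshold parameter are assumptions; adjust them to your environment.

```powershell
# Added example (not from the Okta article): measure the local clock's offset
# against an NTP server with w32tm, compare it to the 30-second OAuth/DPoP
# skew limit the article cites, and resync only when that limit is exceeded.
# Run from an elevated PowerShell session. Server and threshold are assumptions.
param(
    [string]$NtpServer = "0.it.pool.ntp.org",   # any standard NTP server
    [int]$Samples = 5,
    [double]$MaxSkewSeconds = 30                # Okta's stated maximum (subject to change)
)

# w32tm /stripchart /dataonly prints one line per sample, e.g. "12:00:01, +00.0123456s";
# a failed sample prints "12:00:01, error: 0x800705B4" and is simply skipped below.
$raw = & w32tm /stripchart /computer:$NtpServer /samples:$Samples /dataonly 2>&1
$offsets = foreach ($line in $raw) {
    if ("$line" -match ',\s*([+-]\d+\.\d+)s') { [double]$Matches[1] }
}
if (-not $offsets) {
    Write-Error "No offset samples returned from $NtpServer (is UDP/123 outbound allowed?)."
    exit 1
}

# Use the median so a single outlier sample does not decide the outcome
$sorted = @($offsets | Sort-Object)
$median = $sorted[[int][math]::Floor($sorted.Count / 2)]
Write-Host ("Local clock offset vs {0}: {1:N3} s (median of {2} samples)" -f $NtpServer, $median, $sorted.Count)

if ([math]::Abs($median) -le $MaxSkewSeconds) {
    Write-Host "Skew is within the $MaxSkewSeconds s limit; DPoP proof timestamps should be accepted."
    exit 0
}

# Skew exceeds the limit: apply the same steps the article lists, then show the result
Write-Warning "Skew exceeds $MaxSkewSeconds s; the LDAP Agent token request will fail. Resyncing..."
& w32tm /config /syncfromflags:manual /manualpeerlist:"$NtpServer" /update | Out-Null
& w32tm /resync /rediscover | Out-Null
& w32tm /query /status
```

Re-run the script after the resync; if the median offset is still above the limit, verify that the Windows Time service is running and that the peer list is reachable.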
