
Okta LDAP Interface Administrative Limit Exceeded Error

Okta Classic Engine
Directories
Okta Identity Engine

Overview

Okta generates an administrative limit exceeded event in the System Log when an account exceeds the end-user rate limit by making more than 4 BIND requests per second. Resolve this by using unique Okta Read-Only Administrator accounts for each application, or by throttling Lightweight Directory Access Protocol (LDAP) requests within the application.

Okta displays the following error message in the Okta System Log:

 

FAILURE: LDAP operation failed because an administrative limit has been exceeded. Please contact support for assistance.

 


Applies To

  • Okta Identity Engine (OIE)
  • Okta Classic Engine
  • Lightweight Directory Access Protocol (LDAP) Interface
  • Rate Limits

Cause

The API calls exceed the rate limit defined in the Non-authenticated users rate limits. The account exceeds the rate limit by making more than 4 BIND requests per second.

Solution

How are LDAP interface rate limit violations avoided?

 

Manage LDAP interface rate limits by using unique administrator accounts, throttling requests, and following rate-limiting best practices.

  • Use a different Okta Read-Only Administrator account for each unique application, or multiple accounts per application, to connect to the LDAP Interface. This reduces the chances of exceeding the per-user authentication limit of four requests per second.
  • Throttle or batch the LDAP requests originating from third-party applications.
  • Follow best practices outlined in Monitor and troubleshoot rate limits to keep the rate limit within the allowed range.
  • Contact Okta Support for further assistance if the previous steps do not resolve the issue.
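
The throttling and multiple-account recommendations above, as an added example (not Okta code): a client-side sliding-window limiter that holds each service account to 4 BINDs per second and moves to the next account when one is at its limit. The `BindThrottle` class and the account names are hypothetical; the application would call `acquire()` before each LDAP BIND and bind as the returned account.

```python
import threading
import time
from collections import deque


class BindThrottle:
    """Allow at most `limit` BINDs per `window` seconds for each account."""

    def __init__(self, accounts, limit=4, window=1.0,
                 clock=time.monotonic, sleep=time.sleep):
        # account name -> timestamps of its BINDs inside the current window
        self._sent = {a: deque() for a in accounts}
        self._limit, self._window = limit, window
        self._clock, self._sleep = clock, sleep  # injectable for testing
        self._lock = threading.Lock()

    def _next_free(self, account, now):
        """Earliest time at which `account` may send another BIND."""
        sent = self._sent[account]
        while sent and now - sent[0] >= self._window:
            sent.popleft()  # this BIND has aged out of the window
        if len(sent) < self._limit:
            return now
        return sent[0] + self._window

    def acquire(self):
        """Block until an account has headroom, then return its name."""
        while True:
            with self._lock:
                now = self._clock()
                account, ready = min(
                    ((a, self._next_free(a, now)) for a in self._sent),
                    key=lambda pair: pair[1],
                )
                if ready <= now:
                    self._sent[account].append(now)
                    return account
            # Every account is at its limit: wait outside the lock.
            self._sleep(ready - now)


if __name__ == "__main__":
    # Constructed account names; replace with the application's own.
    throttle = BindThrottle(["svc-ldap-a", "svc-ldap-b"])
    start = time.monotonic()
    for i in range(12):
        who = throttle.acquire()
        print(f"{time.monotonic() - start:5.2f}s  BIND {i + 1:2d} as {who}")
```

With two accounts the first eight BINDs go out immediately and the ninth waits until the first account's window has passed, so no account sends more than four BINDs in any one-second span.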

 
