LDAP Interface Login with MFA Fails with Okta Error Code E0000079
Okta Classic Engine
Directories
Okta Identity Engine
Overview

A failure may occur when authenticating to the Okta LDAP Interface (LDAPi), resulting in the error message:

 

LdapErrorCode = unavailable 
FAILURE: This operation is not allowed in the current authentication state. : (Refer to Okta error Code E0000079)

 

Applies To
  • LDAP Interface
  • Multi-Factor Authentication (MFA)
  • Global Session Policy
Cause

If no Global Session Policy has been created specifically for the LDAP Interface, the highest-priority Global Session Policy that matches the LDAPi bind account user is applied. If that Global Session Policy requires an additional factor and the LDAPi bind account user is not enrolled in the MFA factor, authentication fails with Okta Error Code E0000079.

Solution

Create an Enrollment Policy for a group to which the LDAPi bind account belongs. The Enrollment Policy must contain any factor required by the LDAPi Global Session Policy.

LDAPi Global Session Policy 

Okta Support also recommends that the Okta LDAP Interface have its own Global Session Policy. As stated in Okta documentation, MFA codes must be prefetched before authentication. Okta Verify Push is also allowed.

MFA Rule

NOTE: LDAPi authentication does not allow for factor enrollment. If the LDAPi session policy requires MFA, any account authenticating must have its factors enrolled before the first LDAPi login.
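
The policy selection described under Cause and the enrollment requirement described under Solution can be modeled offline before changing a tenant. The following is an added example, not Okta code or Okta API output: the classes, field names, group names, account and factor label are all constructed for illustration, and it assumes priority 1 is evaluated first.

```python
from dataclasses import dataclass, field, replace

@dataclass
class SessionPolicy:          # simplified model, not an Okta API object
    name: str
    priority: int             # assumption: 1 is evaluated first
    groups: frozenset         # groups the policy is assigned to
    requires_mfa: bool

@dataclass
class Account:
    login: str
    groups: frozenset
    enrolled_factors: frozenset = field(default_factory=frozenset)

def matching_policy(policies, account):
    """Highest-priority policy assigned to any of the account's groups."""
    hits = [p for p in policies if p.groups & account.groups]
    return min(hits, key=lambda p: p.priority, default=None)

def predict_bind(policies, account):
    """Return (outcome, policy name) for an LDAPi bind by this account."""
    policy = matching_policy(policies, account)
    if policy is None:
        return ("NO_MATCHING_POLICY", None)
    # LDAPi cannot enroll a factor at login, so a missing factor is fatal.
    if policy.requires_mfa and not account.enrolled_factors:
        return ("E0000079", policy.name)
    return ("OK", policy.name)

# Constructed sample tenant: no policy was created for LDAPi.
POLICIES = [
    SessionPolicy("Admins MFA", 1, frozenset({"Admins"}), True),
    SessionPolicy("Everyone MFA", 2, frozenset({"Everyone"}), True),
    SessionPolicy("Default", 3, frozenset({"Everyone"}), False),
]
BIND = Account("svc-ldapi@example.com", frozenset({"Everyone", "LDAPi Accounts"}))
# Dedicated LDAPi policy placed first; existing policies shift down one.
WITH_LDAPI = [SessionPolicy("LDAPi MFA", 1, frozenset({"LDAPi Accounts"}), True)] + [
    replace(p, priority=p.priority + 1) for p in POLICIES]
ENROLLED = replace(BIND, enrolled_factors=frozenset({"constructed-factor"}))

if __name__ == "__main__":
    print(predict_bind(POLICIES, BIND))        # fails under the "Everyone MFA" policy
    print(predict_bind(WITH_LDAPI, BIND))      # dedicated policy alone still fails
    print(predict_bind(WITH_LDAPI, ENROLLED))  # factor enrolled beforehand
```

In this model, adding a dedicated LDAPi policy changes which policy is triggered, but the bind succeeds only once the account has a factor enrolled ahead of its first LDAPi login.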

 
