LDAP Interface Query Only Shows Bind User
Overview

The Okta LDAP Interface (LDAPi) provides an LDAPv3-compatible, read-only connection to the Okta Universal Directory for use by third-party platforms that speak LDAP but not the Okta API. LDAPi works by translating LDAPv3 searches for Okta users and groups into Okta API calls, then returning the API response to the client as LDAP entries.

By default, any Okta user account can bind to the LDAP Interface, but a bind account with no administrator role can see only its own user object. As a result, group searches return no entries and user searches return only the account used to bind.

 

This article describes the cause of, and the solution for, an LDAPi query that returns only the user that sent it.

Applies To
  • Directories
  • LDAP Interface
Cause

If the account used to bind to LDAPi does not hold the Okta Read-Only Administrator role, the bind succeeds and the search completes without an error, but the result set is scoped to what that account is allowed to read: a user search returns only the bind account's own entry, and a group search returns zero entries. This is by design; LDAPi does not grant an account broader visibility than it has in Okta.

Example
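The following is an added example, not code from the article or from Okta. It shows the `ldapsearch` a practitioner would run to reproduce the symptom, then a small POSIX `sh` classifier that reads the LDIF such a search returns and distinguishes the "only the bind user came back" case from a genuinely empty result and from a healthy one, so the check can be scripted after the role is granted. The LDAPi host name `example.ldap.okta.com`, the org suffix `dc=example,dc=okta,dc=com`, the user logins, and all LDIF below are constructed placeholders and assumptions, not values from the page.

```shell
#!/bin/sh
# Added example (not Okta's own code). Classifies the LDIF returned by an
# Okta LDAPi search so a script can tell "bind account lacks the Read-Only
# Administrator role" apart from an empty or a healthy result.
# Assumed placeholders: org "example", host example.ldap.okta.com,
# bind user jane.doe@example.com, second user bob.smith@example.com.

# The search this models (needs network access and an LDAPi-enabled org):
#   ldapsearch -H ldaps://example.ldap.okta.com:636 \
#     -D "uid=jane.doe@example.com,ou=users,dc=example,dc=okta,dc=com" -W \
#     -b "ou=users,dc=example,dc=okta,dc=com" "(objectClass=inetOrgPerson)" uid

BIND_DN='uid=jane.doe@example.com,ou=users,dc=example,dc=okta,dc=com'

# Constructed LDIF: what the user search returns when the bind account holds
# no admin role. Exactly one entry, and it is the bind account itself.
LDIF_BIND_ONLY='dn: uid=jane.doe@example.com,ou=users,dc=example,dc=okta,dc=com
uid: jane.doe@example.com
objectClass: inetOrgPerson'

# Constructed LDIF: the same search after Read-Only Administrator is granted;
# other directory users are now visible.
LDIF_AFTER_ROLE='dn: uid=jane.doe@example.com,ou=users,dc=example,dc=okta,dc=com
uid: jane.doe@example.com

dn: uid=bob.smith@example.com,ou=users,dc=example,dc=okta,dc=com
uid: bob.smith@example.com'

# Constructed LDIF: a group search (-b ou=groups,...) with no admin role
# returns nothing at all.
LDIF_GROUPS_NO_ROLE=''

# count_dns LDIF -> number of entries (LDIF has one "dn:" line per entry).
count_dns() {
    # "|| true" stops grep's exit status 1 on zero matches from aborting a
    # caller that runs under "set -e"; the printed count "0" is still returned.
    printf '%s\n' "$1" | grep -c '^dn:' || true
}

# classify BIND_DN LDIF -> empty | bind-user-only | ok
#   empty          : no entries (the article's group-search symptom)
#   bind-user-only : one entry and it is the bind DN (the user-search symptom)
#   ok             : anything else, i.e. other directory objects are visible
classify() {
    bind_dn=$1
    ldif=$2
    n=$(count_dns "$ldif")
    if [ "$n" -eq 0 ]; then
        echo empty
    elif [ "$n" -eq 1 ] && printf '%s\n' "$ldif" | grep -qixF -- "dn: $bind_dn"; then
        # DNs compare case-insensitively (-i); -F and -x match the whole literal line.
        echo bind-user-only
    else
        echo ok
    fi
}

# Stand-alone run: one verdict per constructed result.
printf 'user search, no role:   %s\n' "$(classify "$BIND_DN" "$LDIF_BIND_ONLY")"
printf 'group search, no role:  %s\n' "$(classify "$BIND_DN" "$LDIF_GROUPS_NO_ROLE")"
printf 'user search, with role: %s\n' "$(classify "$BIND_DN" "$LDIF_AFTER_ROLE")"
```

In practice, pipe the real `ldapsearch -LLL` output into `classify` with the DN you bound as; a verdict of `bind-user-only` or `empty` on a search that should return many objects points at the missing role rather than at a filter or base-DN mistake.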

Solution

Grant the Read-Only Administrator role to the Okta account used to bind to the LDAP Interface. With that role, the account's LDAPi searches return all Okta users and groups. Because this turns the bind account into a credential that can read the whole directory, use a dedicated service account for it and protect its password accordingly.

Access to LDAPi cannot be disabled for individual users, but you can configure a Global Session Policy rule for LDAPi authentication that requires a password plus a second factor, either a pre-fetched OTP or a push factor.

 
