Okta Requires a Full LDAP Import After an Import Roadblock Is Triggered
Overview
When an Okta Lightweight Directory Access Protocol (LDAP) import triggers an import roadblock due to exceeding the unassignment threshold, the next import must be a full import. This requirement ensures that Okta processes all changes from the previously failed import. Because incremental imports rely on timestamps that update during the download phase, a subsequent incremental import skips any changes that Okta did not complete in the failed import.
Applies To
- Okta Identity Engine (OIE)
- Okta Classic Engine
- Lightweight Directory Access Protocol (LDAP)
- Imports
- Import Roadblock
Cause
If an LDAP import triggers an import roadblock due to exceeding the unassignment threshold, Okta requires the next import to be a full import after the roadblock is resolved. This requirement applies regardless of whether a schedule or an administrator starts the next incremental import.
Solution
Why does Okta require a full LDAP import after an import roadblock?
When an incremental import starts, Okta scans the LDAP environment for updates using the modifyTimestamp attribute during the download object phase. Import roadblocks trigger after this download phase completes. Because Okta updates its internal timestamp marker during the failed run, the next incremental import only looks for new changes. It skips the updates from the failed import because the timestamp indicates Okta already handled them. A full import ignores the timestamps entirely and pulls all the data, ensuring Okta processes and reflects all changes accurately.
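The sequence described above can be reproduced with a simplified model. This is an added illustration, not Okta's code: the `Entry` and `Importer` classes, the integer clock, the threshold expressed as a fraction, and raising the threshold as a stand-in for resolving the roadblock are all assumptions of the model.

```python
from dataclasses import dataclass, field

@dataclass
class Entry:
    dn: str
    modify_timestamp: int  # integer clock standing in for LDAP modifyTimestamp
    active: bool = True

@dataclass
class Importer:  # hypothetical model, not Okta's implementation
    unassign_threshold: float  # max fraction of known users one run may unassign
    marker: int = 0            # internal timestamp marker
    applied: dict = field(default_factory=dict)  # dn -> active state reflected in Okta

    def run(self, directory, now, full=False):
        since = 0 if full else self.marker  # a full import ignores the marker
        # Download phase: collect entries changed since the marker, then advance it.
        downloaded = [e for e in directory if e.modify_timestamp > since]
        self.marker = now
        # Roadblock check happens after the download phase has completed.
        unassign = [e for e in downloaded if not e.active and self.applied.get(e.dn)]
        if self.applied and len(unassign) / len(self.applied) > self.unassign_threshold:
            return "roadblock"  # nothing applied, but the marker already moved
        for e in downloaded:
            self.applied[e.dn] = e.active
        return "ok"

def scenario(full_after_roadblock):
    # Constructed directory: ten users, all last modified at t=1.
    directory = [Entry(f"uid=u{i},ou=people,dc=example,dc=com", 1) for i in range(10)]
    imp = Importer(unassign_threshold=0.2)
    imp.run(directory, now=2)                # baseline import succeeds
    for e in directory[:5]:                  # t=3: five users deactivated in LDAP
        e.active, e.modify_timestamp = False, 3
    first = imp.run(directory, now=4)        # 5/10 unassignments exceeds 20%
    imp.unassign_threshold = 1.0             # assumption: stands in for "roadblock resolved"
    second = imp.run(directory, now=5, full=full_after_roadblock)
    # Users still active in the target although LDAP has them deactivated.
    stale = [e.dn for e in directory if not e.active and imp.applied[e.dn]]
    return first, second, stale

if __name__ == "__main__":
    print("incremental retry:", scenario(False))
    print("full retry:       ", scenario(True))
```

In the model, an incremental retry completes without error yet leaves the five deactivated users active in the target, while a full retry reflects all of them.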
How are LDAP imports that are converted to full imports identified?
Locate LDAP imports that Okta automatically converts to full imports by navigating to Reports > System Log in the Okta Admin Console and using the following query.
eventType eq "system.import.start" and debugContext.debugData.importType eq "Full" and debugContext.debugData.importTrigger eq "Schedule"