This article discusses the expected behavior for password enforcement during password resets for users assigned to LDAP and with Delegated Authentication enabled.
- LDAP
- Delegated Authentication
- Password Reset and Enforcement
Differences between the Password Policy in Okta and the Password Policy set in LDAP.
Okta recommends that the Okta Password Policy for LDAP match the requirements set by the Password Policy in LDAP.
- When Delegated Authentication is enabled on a Directory, the Okta LDAP Password Policy does not enforce the configured Minimum Length and Complexity Requirements.
- Instead, the Okta LDAP Agent passes the password request attempt to the LDAP Server. This means the LDAP Password Policy configured on the LDAP Server enforces its password requirements on the reset.
- The settings configured in the Okta LDAP password policy should mirror the LDAP Server policy so that the end user sees the correct criteria on the Okta Password Reset page.
End User View of the Okta Password Policy that applies to Active Directory Users:
View of the Password Policy in the Okta Admin Console:
NOTE: Okta will enforce the configured Common password check before passing the request to the Okta LDAP Agent. Okta will also enforce the Password age settings, unless the corresponding LDAP setting is configured with a value of 0, in which case Okta ignores its own age setting and does not enforce password age.
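The following script is an added example, not part of this article or of any Okta tooling. It models the enforcement split described above for an LDAP-assigned user with Delegated Authentication enabled (length and complexity are left to the LDAP server, the Common password check stays with Okta, and password age is enforced by Okta unless the LDAP side is 0) and reports where the Okta LDAP password policy does not mirror the LDAP server policy, so that the criteria shown on the reset page match what the server will actually accept. The field names are assumptions: the Okta side loosely follows the names used by the Okta password policy, and the LDAP side follows OpenLDAP ppolicy-style attribute names (pwdMinLength, pwdMaxAge in seconds, pwdInHistory). The sample values are constructed.

```python
"""Check that an Okta LDAP password policy mirrors the LDAP server's policy.

Added illustration of the enforcement behaviour described in the article;
field names on both sides are assumptions, not an official schema.
"""
from dataclasses import dataclass


@dataclass
class OktaLdapPasswordPolicy:
    # Loosely modelled on the Okta password policy settings (assumed names).
    min_length: int
    min_lower: int
    min_upper: int
    min_number: int
    min_symbol: int
    common_password_check: bool   # "Common password check" in the article
    max_age_days: int             # password age setting
    history_count: int


@dataclass
class LdapServerPolicy:
    # OpenLDAP ppolicy-style attributes (assumed for illustration).
    pwd_min_length: int
    pwd_max_age_seconds: int      # 0 means no maximum age on the server
    pwd_in_history: int


def enforcement_under_delegated_auth(okta: OktaLdapPasswordPolicy,
                                     ldap: LdapServerPolicy) -> dict:
    """Return which side enforces each check when Delegated Authentication is on.

    Per the article: Okta does not enforce minimum length or complexity for
    delegated users; the LDAP server does. Okta still runs its Common password
    check first, and enforces password age unless the LDAP age setting is 0.
    """
    return {
        "min_length": "ldap server",
        "complexity": "ldap server",
        "common_password": "okta" if okta.common_password_check else "not enforced",
        "password_age": "not enforced" if ldap.pwd_max_age_seconds == 0 else "okta",
        # History is listed here only for completeness of the report; the
        # article does not state which side enforces it, so it is left open.
        "history": "unspecified",
    }


def policy_mismatches(okta: OktaLdapPasswordPolicy, ldap: LdapServerPolicy) -> list:
    """List settings where the Okta policy shown to users differs from LDAP."""
    problems = []
    if okta.min_length != ldap.pwd_min_length:
        problems.append(
            f"min length: Okta shows {okta.min_length}, "
            f"LDAP enforces {ldap.pwd_min_length}")
    okta_age_seconds = okta.max_age_days * 86400
    if okta_age_seconds != ldap.pwd_max_age_seconds:
        problems.append(
            f"max age: Okta {okta.max_age_days} days, "
            f"LDAP {ldap.pwd_max_age_seconds} seconds")
    if okta.history_count != ldap.pwd_in_history:
        problems.append(
            f"history: Okta {okta.history_count}, LDAP {ldap.pwd_in_history}")
    return problems


# Constructed sample policies: the Okta side advertises 8 characters and a
# 90-day age, while the server actually requires 12 and has no maximum age.
SAMPLE_OKTA = OktaLdapPasswordPolicy(min_length=8, min_lower=1, min_upper=1,
                                     min_number=1, min_symbol=0,
                                     common_password_check=True,
                                     max_age_days=90, history_count=4)
SAMPLE_LDAP = LdapServerPolicy(pwd_min_length=12, pwd_max_age_seconds=0,
                               pwd_in_history=4)

if __name__ == "__main__":
    for check, side in enforcement_under_delegated_auth(SAMPLE_OKTA, SAMPLE_LDAP).items():
        print(f"{check:16s} -> {side}")
    for problem in policy_mismatches(SAMPLE_OKTA, SAMPLE_LDAP):
        print("MISMATCH:", problem)
```

Running the script on the constructed sample shows that a user would be told 8 characters suffice while the LDAP server rejects anything under 12, and that the 90-day age configured in Okta is not applied because the server's age setting is 0. Feed it the real values from both consoles to confirm the two policies agree before enabling Delegated Authentication.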
