This article describes one possible scenario that explains why certain server accounts may fail to import from Lightweight Directory Access Protocol (LDAP) during synchronization. In this case, affected accounts do not appear in the import confirmation list, even when the LDAP filter configuration appears to be correct and the user attributes align as expected. It is important to note that there may be other reasons for import failures, but this article focuses on this specific scenario.
An LDAP filter is used to determine which accounts are included or excluded from synchronization. Common examples of LDAP filter configurations include:
- Filtering by object class: (objectClass=user) - Imports only objects classified as users.
- Filtering by account status: (&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))) - Imports only enabled user accounts.
- Filtering by organizational unit (OU): (distinguishedName=*,OU=Employees,DC=example,DC=com) - Limits the import to accounts located in the Employees OU.
- Combining multiple conditions: (&(objectClass=user)(mail=*)(department=IT)) - Imports only user accounts that have an email address and belong to the IT department.
Even if such filters are configured correctly and user attributes match the criteria, certain accounts may still fail to appear due to specific limitations, such as email address length restrictions, which this article details.
The import process does not complete successfully because the email address linked to the user account exceeds the maximum allowed length of 100 characters. Any user accounts with an email address longer than this limit cannot be imported and will be automatically excluded from the process.
NOTE: This issue may vary depending on the specific situation. The details outlined in this article address only one possible scenario that could explain why the process did not continue as expected. Other cases may have different underlying causes, so the information provided here should not be considered universally applicable.
To address this particular issue, the user’s email address needs to be updated so that it contains no more than 100 characters.
- In the source directory, identify the user account that is failing to import.
- Edit the user's email address attribute and adjust it so that its length is 100 characters or fewer.
- Once the change has been made, run the LDAP import process again to verify that the account is successfully imported.
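The following pre-import check is an added example and is not part of the original article or of any particular LDAP sync product. It illustrates both the filter examples above and the 100-character email limit: it reads a directory export in simple LDIF form (the entries below are constructed for the example), evaluates the LDAP filter against each entry with a small evaluator that supports only the constructs the examples use (equality, presence with *, &, |, !, and the Active Directory bitwise-AND rule 1.2.840.113556.1.4.803 on numeric attributes), and then reports any matched account whose mail value exceeds the limit, so the accounts that would be silently dropped can be identified before the import runs. The function names and the sample data are assumptions for the example.

```python
"""Pre-import check: apply an LDAP filter to directory entries and flag
mail values longer than the 100-character import limit described above.

Added example, not the article's or any product's own code. Assumes a
simple LDIF export (constructed inline) and a minimal filter evaluator.
"""
import re

MAX_MAIL_LENGTH = 100                     # limit stated in the article
AD_BIT_AND = "1.2.840.113556.1.4.803"     # AD "bitwise AND" matching rule
UAC_ACCOUNTDISABLE = 2                    # userAccountControl disabled bit

# Constructed sample export (three accounts; Cy's mail is 107 characters).
SAMPLE_LDIF = """\
dn: CN=Ada,OU=Employees,DC=example,DC=com
objectClass: user
mail: ada@example.com
department: IT
userAccountControl: 512

dn: CN=Bob,OU=Employees,DC=example,DC=com
objectClass: user
mail: bob@example.com
department: IT
userAccountControl: 514

dn: CN=Cy,OU=Employees,DC=example,DC=com
objectClass: user
mail: """ + ("c" * 95) + """@example.com
department: IT
userAccountControl: 512
"""

# Filter from the article, combining object class, mail presence,
# department and enabled-only status.
ENABLED_IT_FILTER = (
    "(&(objectClass=user)(mail=*)(department=IT)"
    "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
)


def parse_ldif(text):
    """Split LDIF text into entries: dict of lowercase attr -> list of values."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            attr, value = attr.strip().lower(), value.strip()
            entry.setdefault(attr, []).append(value)
            if attr == "dn":  # expose the DN as distinguishedName too
                entry.setdefault("distinguishedname", []).append(value)
        entries.append(entry)
    return entries


def parse_filter(s):
    """Parse the filter at the start of s; return (node, remaining_text)."""
    assert s and s[0] == "(", "filter must start with '('"
    if s[1] in "&|":                      # n-ary AND / OR
        op, rest, kids = s[1], s[2:], []
        while rest and rest[0] == "(":
            node, rest = parse_filter(rest)
            kids.append(node)
        assert rest and rest[0] == ")", "unterminated AND/OR"
        return (op, kids), rest[1:]
    if s[1] == "!":                       # NOT
        node, rest = parse_filter(s[2:])
        assert rest and rest[0] == ")", "unterminated NOT"
        return ("!", node), rest[1:]
    end = s.index(")")                    # simple item: attr=value
    attr, value = s[1:end].split("=", 1)
    return ("=", attr.lower(), value), s[end + 1:]


def matches(entry, node):
    """Evaluate a parsed filter node against one entry."""
    kind = node[0]
    if kind == "&":
        return all(matches(entry, k) for k in node[1])
    if kind == "|":
        return any(matches(entry, k) for k in node[1])
    if kind == "!":
        return not matches(entry, node[1])
    _, attr, value = node
    rule = None
    if ":" in attr:                       # extensible match attr:rule:
        attr, rule, _ = attr.split(":")
    values = entry.get(attr, [])
    if rule == AD_BIT_AND:                # all bits of value must be set
        mask = int(value)
        return any((int(v) & mask) == mask for v in values)
    if value == "*":                      # presence test
        return bool(values)
    pattern = re.escape(value).replace(r"\*", ".*")
    return any(re.fullmatch(pattern, v, re.IGNORECASE) for v in values)


def check_import(ldif_text, ldap_filter):
    """Return (importable_dns, {dn: reason}) for entries selected by the
    filter; entries whose mail exceeds MAX_MAIL_LENGTH land in the dict."""
    node, rest = parse_filter(ldap_filter)
    assert rest == "", "trailing text after filter"
    importable, excluded = [], {}
    for entry in parse_ldif(ldif_text):
        dn = entry["dn"][0]
        if not matches(entry, node):
            continue                      # excluded by the filter itself
        mail = entry.get("mail", [""])[0]
        if len(mail) > MAX_MAIL_LENGTH:
            excluded[dn] = f"mail is {len(mail)} characters (limit {MAX_MAIL_LENGTH})"
        else:
            importable.append(dn)
    return importable, excluded


if __name__ == "__main__":
    ok, dropped = check_import(SAMPLE_LDIF, ENABLED_IT_FILTER)
    print("would import:", ok)
    for dn, why in dropped.items():
        print("would be dropped:", dn, "-", why)
```

Run against a real export, the script separates the two cases the article distinguishes: an account the filter never selected (Bob, disabled) versus an account the filter selected but the import would still drop (Cy, over-length mail). Only the second case is the scenario this article covers, and it is the one to fix by shortening the mail attribute before re-running the import.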
For additional guidance, please refer to the related article (character limits for specific fields), which provides more details about character length restrictions for specific fields.
