Okta Classic Engine | Universal Directory | Answered | 2024-04-16T12:18:16.000Z | 2019-07-15T11:32:58.000Z | 2020-08-19T16:45:20.000Z

hpscy (hpscy) asked a question.

Is it possible for a macOS device to join the OKTA LDAP interface?

The LDAP Interface allows cloud-based LDAP authentication against Okta's Universal Directory instead of an on-premises LDAP server or Active Directory.


macOS is able to join an on-premises LDAP service, so I was wondering if it is possible to hook it up to Okta's LDAP interface. Has anyone been able to get this working?


  • In response to the question about using the Okta LDAP interface to join macOS, that configuration isn't supported currently by Okta.

     The Okta LDAP Agent officially supports the following Operating Systems:

    • CentOS 6 or newer
    • Debian 7 or newer
    • Ubuntu 14 or newer
    • Windows Server 2008 R2 SP1
    • Windows Server 2012

    Selected as Best
  • EricK.22493 (Kohl's)

    macOS requires POSIX attributes to function. I believe POSIX support is "coming" later this year.

  • hpscy (hpscy)

    @eric Any idea when this is due?

  • mod6f (mod6f)

    @hpscy (hpscy) @EricK.22493 (Kohl's)

    Don't necessarily treat the following as gospel, but it is based on numerous battle scars.

    Apple themselves only officially support 100% genuine OpenDirectory (their own system) and 100% genuine ActiveDirectory. There is a good chance that SAMBA4 configured in AD mode should work well, but I have not yet tried this.

    I can say that FreeIPA only partially works. There is no Apple schema available for it, and this means as a first step having to define a manual mapping of LDAP fields on each Mac client; this cannot easily be automated, and I suspect Catalina will have made this worse. Even if one does do this, and again manually sets up Kerberos and the matching root CA and does all the other steps, you are left with one big issue. Whilst a manual setup with working Kerberos will allow users to change passwords via System Preferences -> Users & Groups, this will not work if you reset the user's password at the server end, which causes the need to change the password at the login screen; this is because before you log in you don't have a working Kerberos ticket to change the password with, so you then get stuck in a loop. This is why for OpenDirectory you have Password Server, which does this via an alternative method. Password Server used to be available as open source, but neither the FreeIPA nor OpenLDAP projects ever bothered to port it to their systems. Annoyingly, Apple have now removed the source from their open source server.

    Much the same applies to OpenLDAP; however, here there is or was an Apple schema available (ironically part of the SAMBA schema), so in theory you don't have to worry about the field mappings. You still have the password reset issue though.

    I would therefore imagine that if you did use Okta LDAP for Mac clients it would at best be on the same level as FreeIPA. If/when Okta add POSIX support this would in itself be an improvement, but I do not believe it will otherwise help provide true Mac support due to the above schema and Password Server issues.

    Something to consider is Jamf Connect, based on the NOMAD code; this can link user accounts to Okta accounts and sync passwords. It is not anywhere near as elegant as the built-in OD and AD support of Macs but might be better than nothing.

    Another approach might be to build a SAMBA4 AD system and link this to Okta, with the Macs linked to the SAMBA4 AD server. Okta do have both an AD agent for Linux and an LDAP agent for Linux.

    It should be noted that binding Windows AD clients to Okta is also not possible in the way that one normally interprets this. If it was, one could have potentially bound Macs as AD clients to Okta. I cannot stress how big a deal this would be if Okta supported this. Right now almost the entire world revolves around AD, which gives Microsoft an almost complete monopoly; if someone like (cough) Okta got off their fat ass and implemented a compatible alternative this would I am sure be in huge demand. Azure AD is only a partial solution, with Microsoft expecting you to link to 'real' AD to fill in the gaps, e.g. support for binding Macs.
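Two of the replies above turn on the same practical point: Eric's, that macOS needs POSIX attributes on each user entry, and mod6f's, that without a suitable schema you end up hand-mapping LDAP fields per Mac client. An admin evaluating any LDAP source for Mac binding would want to check that readiness up front. The script below is an added example written for this page, not code from the thread, from Okta or from Apple. It assumes the user entries have been exported to LDIF (for instance with `ldapsearch -LLL`) and reports, per entry, which of the RFC 2307 `posixAccount` attributes the macOS LDAPv3 directory plug-in relies on are missing or malformed; the two sample entries are constructed.

```python
"""Check an LDIF export of user entries for the RFC 2307 POSIX attributes that
macOS Directory Utility expects before a plain LDAP bind yields usable users.

Assumption (not from the thread): entries were exported with something like
`ldapsearch -LLL ... > users.ldif`; a constructed sample is embedded below.
"""
import base64
from typing import Dict, List

# Attributes the macOS LDAPv3 plug-in needs to build a user record:
# the posixAccount MUST attributes from RFC 2307 plus uid for the record name.
REQUIRED_POSIX_ATTRS = ("uid", "uidNumber", "gidNumber", "homeDirectory", "loginShell")
POSIX_OBJECTCLASS = "posixAccount"

# Constructed sample export: alice is POSIX-complete, bob is a plain
# inetOrgPerson with no POSIX data (the shape Eric's comment describes).
SAMPLE_LDIF = """\
dn: uid=alice,ou=users,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
uid: alice
cn: Alice Example
uidNumber: 10001
gidNumber: 20000
homeDirectory: /Users/alice
loginShell: /bin/zsh

dn: uid=bob,ou=users,dc=example,dc=com
objectClass: inetOrgPerson
uid: bob
cn:: Qm9iIEV4YW1wbGU=
mail: bob@example.com
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: unfolds continuation lines, decodes base64 ("::")
    values and returns one dict per entry with lower-cased attribute names."""
    logical: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:      # folded line continues the previous one
            logical[-1] += raw[1:]
        else:
            logical.append(raw)

    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in logical:
        if not line.strip():                     # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):                # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def posix_gaps(entry: Dict[str, List[str]]) -> List[str]:
    """List what macOS would be missing for one entry; an empty list means usable."""
    gaps: List[str] = []
    classes = {c.lower() for c in entry.get("objectclass", [])}
    if POSIX_OBJECTCLASS.lower() not in classes:
        gaps.append("objectClass " + POSIX_OBJECTCLASS)
    for attr in REQUIRED_POSIX_ATTRS:
        if attr.lower() not in entry:
            gaps.append(attr)
    # The client uses the numeric ids for file ownership, so a non-numeric
    # value is as unusable as a missing one.
    for attr in ("uidNumber", "gidNumber"):
        for value in entry.get(attr.lower(), []):
            if not value.isdigit():
                gaps.append(f"{attr} not numeric: {value!r}")
    return gaps


def audit(text: str) -> Dict[str, List[str]]:
    """Map each entry's DN to its list of POSIX gaps."""
    return {entry.get("dn", ["<no dn>"])[0]: posix_gaps(entry) for entry in parse_ldif(text)}


if __name__ == "__main__":
    for dn, gaps in audit(SAMPLE_LDIF).items():
        print(dn, "->", "OK" if not gaps else ", ".join(gaps))
```

Run it against a real export and every DN that comes back with gaps is a user who would not log in on a Mac bound with the default RFC 2307 mapping; the attribute names it reports are exactly the fields mod6f describes having to map by hand when the directory's schema does not already supply them.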
This question is closed.