
dk9sx (dk9sx) asked a question.
Hi All,
Okta is used as the primary directory service in our organization (source of truth).
We have some applications which require LDAP for authentication. We have enabled the "LDAP Interface" for this. However, the Okta LDAP Interface is an endpoint in the Okta cloud, on the internet.
We want to restrict/lock down any outbound traffic from the servers that host these applications. Can you please advise whether it is possible to host an LDAP proxy on our on-prem servers which can accept requests from the applications (LDAP clients), forward them to the Okta LDAP Interface, and relay the responses back from the LDAP Interface?
The LDAP proxy can be configured to have access to the Okta LDAP Interface over the internet, but the application server cannot access the internet.
Can you please suggest a way to access the Okta LDAP Interface without letting traffic flow to the internet from the on-prem servers?
Thanks in advance

Hi Aveek,
I would suggest you use your sign-on policies for each application in your Okta org, or create a blacklist zone, either for specific IPs or a Dynamic type zone. Please take a look at the following documentation in order to understand how network policies work and how to set up a sign-on policy on your application:
If you have any further questions or any concerns, please create a ticket at Okta Support and our engineering team will gladly provide you assistance.
Thank You,
Eusebiu Anani
Technical Support Engineer
Okta Global Customer Care
Hi Eusebiu, thank you for your response. We have regulatory compliance requirements which require us to completely restrict outbound traffic from our internal application. We would like to set up an LDAP proxy server (something like an OpenLDAP proxy server) which could act as a reverse proxy to the LDAP Interface.
I have tried to set up an OpenLDAP proxy server, but it's not able to proxy requests to the Okta LDAP Interface. Here is the slapd config for the proxy server. I understand the Okta LDAP Interface is a proxy itself. Can you please advise whether the Okta LDAP Interface can act as an LDAP backend to another proxy server?
I have already opened a ticket (Case 00931581) for this issue. Can you please escalate the ticket to your engineering team? I can share more details on the ticket if required.
[root@ldap-server slapd.d]# cat /etc/openldap/slapd.conf
# Global Schemas
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/dyngroup.schema
# Global Options
conn_max_pending 1000
sockbuf_max_incoming 4194303
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
logfile /var/log/slapd.log
# -1 enables every debug category (including packet traces); keep it only
# while troubleshooting, e.g. "loglevel stats" for normal operation
loglevel -1
sizelimit unlimited
# Allow everything that can be retrieved to be read
readonly on
access to *
    by * read
# LDAP proxy options
modulepath /usr/lib64/openldap
moduleload back_ldap
database ldap
# local suffix must equal the naming context served by the Okta LDAP Interface
suffix "ou=users,dc=mycompany,dc=okta,dc=com"
# ldaps:// keeps the internet-facing leg encrypted (port 636 by default)
uri "ldaps://mycompany.ldap.okta.com"
# the identity the proxy itself binds with; it has to be a DN the Okta LDAP
# Interface knows, i.e. a user entry in the form
# uid=<okta login>,ou=users,dc=<org>,dc=okta,dc=com (not a DN from another tree)
# continuation lines of idassert-bind must be indented
idassert-bind bindmethod="simple"
    binddn="uid=<service account login>,ou=users,dc=mycompany,dc=okta,dc=com"
    credentials="<secret password>"
# connection reuse limit (seconds)
conn-ttl 3600
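As an added, stand-alone check (not Okta's or OpenLDAP's own tooling, and not part of the thread), the script below parses a back-ldap stanza like the one posted and flags the mismatches that stop such a proxy from working against the Okta LDAP Interface: a bind DN that does not lie under the proxied suffix, a bind DN whose leading RDN is not `uid=` (the layout Okta documents for user entries, `uid=<login>,ou=users,dc=<org>,dc=okta,dc=com`, which this script takes as an assumption), a non-LDAPS URI on the internet-facing leg, a placeholder password, and full debug logging. The embedded configs are constructed to mirror the posted file; the service-account login `ldap-proxy@mycompany.com` in the corrected version is hypothetical.

```python
"""Lint a back-ldap proxy stanza that fronts the Okta LDAP Interface.

Added example for this thread, not Okta's or OpenLDAP's code. Assumption:
Okta user entries live at uid=<login>,ou=users,dc=<org>,dc=okta,dc=com.
"""
import shlex

# Constructed sample mirroring the posted slapd.conf (placeholder bind DN kept).
POSTED_CONF = """\
# Global Options
loglevel -1
readonly on
access to *
    by * read
modulepath /usr/lib64/openldap
moduleload back_ldap
database ldap
suffix "ou=users,dc=mycompany,dc=okta,dc=com"
uri "ldaps://mycompany.ldap.okta.com"
idassert-bind bindmethod="simple"
    binddn="cn=binduser,ou=Users,DC=your,DC=tld"
    credentials="<secret password>"
conn-ttl 3600
"""

# Same stanza with a bind DN in Okta's layout (hypothetical service account).
FIXED_CONF = (
    POSTED_CONF
    .replace('binddn="cn=binduser,ou=Users,DC=your,DC=tld"',
             'binddn="uid=ldap-proxy@mycompany.com,ou=users,dc=mycompany,dc=okta,dc=com"')
    .replace('credentials="<secret password>"', 'credentials="example-only"')
    .replace("loglevel -1", "loglevel stats")
)


def parse_slapd_conf(text):
    """Return [(directive, [args])] in file order.

    slapd.conf joins a line that starts with whitespace onto the previous
    directive, so indented binddn/credentials lines become arguments of
    idassert-bind. Lines starting with '#' are comments."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and logical:
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    return [(t[0].lower(), t[1:]) for t in (shlex.split(l) for l in logical)]


def normalize_dn(dn):
    """Split a DN into [(type, value)], lower-cased, since dc/ou/uid/cn use
    case-insensitive matching. An escaped comma (\\,) stays in the value."""
    rdns, buf, escaped = [], "", False
    for ch in dn:
        if escaped:
            buf, escaped = buf + ch, False
        elif ch == "\\":
            buf, escaped = buf + ch, True
        elif ch == ",":
            rdns.append(buf)
            buf = ""
        else:
            buf += ch
    rdns.append(buf)
    return [(t.strip().lower(), v.strip().lower())
            for t, _, v in (r.partition("=") for r in rdns)]


def dn_is_under(dn, base):
    """True when dn is a proper descendant of base (suffix match on RDNs)."""
    d, b = normalize_dn(dn), normalize_dn(base)
    return len(d) > len(b) and d[-len(b):] == b


def idassert_args(entries):
    """Flatten 'idassert-bind key=value ...' into a dict."""
    for directive, args in entries:
        if directive == "idassert-bind":
            return dict(a.split("=", 1) for a in args if "=" in a)
    return {}


def lint_proxy(text):
    """Return sorted finding codes for one back-ldap stanza."""
    entries = parse_slapd_conf(text)
    values = dict(entries)  # last occurrence wins; fine for a single stanza
    findings = set()
    uri = values.get("uri", [""])[0]
    suffix = values.get("suffix", [""])[0]
    if not uri.startswith("ldaps://"):
        findings.add("uri-not-ldaps")  # internet-facing leg must stay encrypted
    host = uri.split("://", 1)[-1].split("/")[0]
    if not host.endswith(".ldap.okta.com"):
        findings.add("uri-not-okta-ldap-interface")
    ia = idassert_args(entries)
    binddn = ia.get("binddn", "")
    if not binddn:
        findings.add("binddn-missing")
    else:
        if not dn_is_under(binddn, suffix):
            findings.add("binddn-outside-suffix")  # Okta cannot resolve a foreign DN
        if normalize_dn(binddn)[0][0] != "uid":
            findings.add("binddn-not-uid-rdn")  # Okta users are uid=<login> (assumption)
    if ia.get("credentials", "").startswith("<"):
        findings.add("credentials-placeholder")
    if values.get("loglevel", [""])[0] == "-1":
        findings.add("loglevel-all-debug")
    return sorted(findings)


if __name__ == "__main__":
    print("posted:", lint_proxy(POSTED_CONF))
    print("fixed: ", lint_proxy(FIXED_CONF))
```

Run it as-is to see the posted stanza flagged for the out-of-tree bind DN, the non-`uid` RDN, the placeholder password and `loglevel -1`, while the corrected stanza passes; point `lint_proxy` at your own `/etc/openldap/slapd.conf` text to check a real file before restarting slapd.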