<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content
0D51Y00009zcAKKSA2Okta Classic EngineIntegrationsAnswered2024-04-16T13:34:21.000Z2020-11-25T21:25:59.000Z2020-12-01T19:48:24.000Z
  • Pl√°cidoE.89677 (Santalucía, S.A., Compañía de Seguros y Reaseguros)

    Hi @z9cf6 (z9cf6)​ 

     

    Have you check the LDAP Interface feature? You can find how to enable/disable it here.

     

    *** IF THIS OR ANY OTHER ANSWER HAD BEEN USEFUL, PLEASE, CLICK ON UPVOTE TO THANK THE COMMUNITY CONTIRBUTIONS ***

    Expand Post
  • od8ab (od8ab)

    Yes the LDAP interface is enabled.

     

  • od8ab (od8ab)

    I'm executing this search:

    ldapsearch -h XXX.ldap.okta.com -p 389 -b "dc=XXX,dc=okta,dc=com" -s sub -D "uid=XXX,dc=XXX,ou=users,dc=okta,dc=com" -W -z none -Z '(&(objectClass=person)(memberOf=cn=GROUP_NAME,ou=groups,dc=XXX,dc=okta,dc=com))'

     

    It only works when the bind user is an admin

    Expand Post
  • Pl√°cidoE.89677 (Santalucía, S.A., Compañía de Seguros y Reaseguros)

    Regarding the user privileges of bind credentials, yes you're right but on the other hand you could use a dedicated account (service account) with Read-only Admin role. I personally used this option on several times for API keys and registering AD/LDAP Agents.

     

    You can check the Read-only reference on this KBA.

     

    In addition to info above, you could include MFA as part of the Auth process for LDAP Interface. You can find further information on this URL.

     

    *** IF THIS OR ANY OTHER ANSWER HAD BEEN USEFUL, PLEASE, CLICK ON UPVOTE TO THANK THE COMMUNITY CONTIRBUTIONS ***

    Expand Post
  • od8ab (od8ab)

    Ok thanks, I also like that option but is not valid for us.

    We need to make the validation with the user that is being authenticated with the app

This question is closed.
Loading
Cant query for members of group in LDAP without admin privileges