
RobertoP.20082 (Customer) asked a question.
Hello everybody.
I just had a very hard week in setting up a Zentyal server as an LDAP directory integration in our Okta federated directory, and I'd like to share the solution I found.
The first unsuccessful attempt was deploying the Okta LDAP agent (as per regular instructions) and configuring it as an "AD LDS" server.... even after a lot of tweaks, I didn't manage to have a working integration: the first check was OK, but any Import activity ignored users' first name (contained in the "givenName" attribute) and user email (contained in the "mail" field).
The tweaks are as follows:
- first, on Zentyal, be sure that every user that has to be imported has a "uid" field filled in with their LOGIN (without domain)
- During initial configuration of the agent, the "Admin DN" has to be spelled as user@my.domain, not as cn=admin,dc=my,dc=domain as I expected
- The parameters for the integration are as follows:
  - LDAP integration: leaving "Sun One 5.2" works
  - Unique Identifier Attribute: distinguishedName
  - DN Attribute: distinguishedName
  - User Search Base: cn=Users,dc=my,dc=domain (adjust to your domain)
  - User Object Class: user
  - Auxiliary Object Class: organizationalperson
  - User Object Filter: (&(objectclass=person)(memberof=cn=oktausers,cn=groups,dc=my,dc=domain)) (adjust to your domain. In this case, I do not need to load all users but just those who belong to the "oktausers" group)
  - Account Disabled Attribute: useraccountcontrol (well, I did not check if this works, but it is a starting point)
  - Account Disabled Value: 514
  - Account Enabled Value: 512
  - Password Attribute: empty (I think Zentyal does not expose passwords, and I do not need to change them via Okta)
  - Password Expiration Attribute: empty (I see in the Zentyal schema that there is a password expiration attribute, but I'm unsure about the format)
  - Extra attributes: all empty (but adjust to your needs)
  - Group Search Base: cn=groups,dc=my,dc=domain (adjust to your domain)
  - Group Object Filter: (objectclass=group)
  - Member Attribute: member
  - User Attribute: empty
  - Role Object Class: empty
  - Role Membership Attribute: empty
Usernames can be matched by email (it works). I suppose they can be matched per uid as well, but I didn't test it.
Important: while I was experimenting, I noticed by looking at /opt/Okta/OktaLDAPAgent/logs/agent.log that the problem was that the attributes givenName and mail were not picked up from the schema during initialization of the integration. In order to have Okta read them, I had to deactivate the agent, deactivate and then delete the integration from the Okta console, uninstall the agent from the server, and restart from scratch.
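The following is an added example, not part of the original post and not Okta's or Zentyal's own code. It shows what the configuration above actually selects: it parses the post's User Object Filter, evaluates it against a handful of constructed directory entries, maps useraccountcontrol to the 512/514 values the post configures, and flags entries that lack the uid, givenName or mail attributes the post says the import depends on. The entries, the users and the dc=my,dc=domain suffix are constructed placeholders; the filter evaluator covers only the &, |, ! and attribute=value forms and does not handle escaped parentheses.

```python
"""Dry run of the Okta LDAP agent's user selection under the settings in the
post above (added example; entries below are constructed, not real data)."""

# Values taken from the post's configuration.
USER_OBJECT_FILTER = "(&(objectclass=person)(memberof=cn=oktausers,cn=groups,dc=my,dc=domain))"
ACCOUNT_ENABLED_VALUE = "512"
ACCOUNT_DISABLED_VALUE = "514"
# uid supplies the login; givenName and mail were the attributes the broken
# integration silently dropped, so their absence is worth flagging up front.
REQUIRED_ATTRIBUTES = ("uid", "givenname", "mail")


def parse_filter(text, pos=0):
    """Parse a subset of RFC 4515 filters (&, |, !, attr=value, attr=*).
    Returns (node, position just past the filter). No escape handling."""
    if text[pos] != "(":
        raise ValueError("expected '(' at offset %d" % pos)
    pos += 1
    op = text[pos]
    if op in "&|":
        children, pos = [], pos + 1
        while text[pos] == "(":
            child, pos = parse_filter(text, pos)
            children.append(child)
        return ("and" if op == "&" else "or", children), pos + 1
    if op == "!":
        child, pos = parse_filter(text, pos + 1)
        return ("not", child), pos + 1
    end = text.index(")", pos)
    attr, _, value = text[pos:end].partition("=")  # value may itself contain '='
    return ("eq", attr.strip().lower(), value), end + 1


def matches(node, entry):
    """Evaluate a parsed filter against a normalized entry. Comparison is
    case-insensitive, which is how objectClass and DN-valued memberOf match."""
    kind = node[0]
    if kind == "and":
        return all(matches(c, entry) for c in node[1])
    if kind == "or":
        return any(matches(c, entry) for c in node[1])
    if kind == "not":
        return not matches(node[1], entry)
    _, attr, value = node
    if value == "*":
        return attr in entry
    return any(v.lower() == value.lower() for v in entry.get(attr, []))


def normalize(entry):
    """Lowercase attribute names and make every value a list, as an LDAP
    search result would present them."""
    return {k.lower(): (v if isinstance(v, list) else [v]) for k, v in entry.items()}


def account_state(entry):
    """Map useraccountcontrol to the two values configured in Okta. Any other
    value is reported as-is instead of guessed, since the post only defines 512 and 514."""
    values = entry.get("useraccountcontrol")
    if not values:
        return "missing"
    if values[0] == ACCOUNT_DISABLED_VALUE:
        return "disabled"
    if values[0] == ACCOUNT_ENABLED_VALUE:
        return "enabled"
    return "unrecognized:" + values[0]


def plan_import(entries, filter_text=USER_OBJECT_FILTER):
    """One record per entry the filter selects: the fields Okta maps plus the
    list of required attributes that are missing from the entry."""
    node, _ = parse_filter(filter_text)
    report = []
    for raw in entries:
        entry = normalize(raw)
        if not matches(node, entry):
            continue
        report.append({
            "dn": entry["dn"][0],
            "login": entry.get("uid", [None])[0],
            "first_name": entry.get("givenname", [None])[0],
            "email": entry.get("mail", [None])[0],
            "state": account_state(entry),
            "missing": [a for a in REQUIRED_ATTRIBUTES if a not in entry],
        })
    return report


# Constructed sample entries (hypothetical users under the post's placeholder domain).
OKTA_GROUP = "cn=oktausers,cn=groups,dc=my,dc=domain"
SAMPLE_ENTRIES = [
    {"dn": "cn=alice,cn=Users,dc=my,dc=domain", "objectClass": ["person", "user"], "uid": "alice",
     "givenName": "Alice", "mail": "alice@my.domain", "memberOf": [OKTA_GROUP], "userAccountControl": "512"},
    {"dn": "cn=bob,cn=Users,dc=my,dc=domain", "objectClass": ["person", "user"], "uid": "bob",
     "givenName": "Bob", "mail": "bob@my.domain", "memberOf": [OKTA_GROUP], "userAccountControl": "514"},
    # In the group but uid and mail were never filled in: selected, and flagged.
    {"dn": "cn=dave,cn=Users,dc=my,dc=domain", "objectClass": ["person", "user"],
     "givenName": "Dave", "memberOf": [OKTA_GROUP], "userAccountControl": "512"},
    # Not in the oktausers group: filtered out.
    {"dn": "cn=carol,cn=Users,dc=my,dc=domain", "objectClass": ["person", "user"], "uid": "carol",
     "givenName": "Carol", "mail": "carol@my.domain", "memberOf": ["cn=staff,cn=groups,dc=my,dc=domain"],
     "userAccountControl": "512"},
    # The group object itself is not a person: filtered out by the user filter.
    {"dn": OKTA_GROUP, "objectClass": ["group"], "member": ["cn=alice,cn=Users,dc=my,dc=domain"]},
]

if __name__ == "__main__":
    for rec in plan_import(SAMPLE_ENTRIES):
        flag = " MISSING " + ",".join(rec["missing"]) if rec["missing"] else ""
        print("%-8s %-10s %s%s" % (rec["login"], rec["state"], rec["email"], flag))
```

Running this against the constructed entries selects alice (enabled), bob (disabled) and dave, with dave flagged for the missing uid and mail; carol and the group object are excluded by the filter. Feeding it the entries returned by an ldapsearch against the real User Search Base, before creating the Okta integration, is a cheap way to catch the empty-uid and missing-mail cases the post describes before they reach the import.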

Hello Roberto,
Thank you for sharing this helpful information!