<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content
System Status
Announcements
Announcements
Search
Search
Select Language
Knowledge Base
Knowledge Articles
Support Videos ↗
Documentation
Product Documentation ↗
Developer Documentation ↗
Product Release Notes ↗
Community
Events & Webinars
Okta Ideas ↗
Resources
Product Hub
Customer Success Hub
Product Release Update
Learning
Okta Learning ↗
Get Support
Open a Case
HomeCommunityForum
0D54z00007Xtr2DCAROkta Classic EngineDirectoriesAnswered2022-05-30T01:02:47.000Z2022-04-02T08:27:14.000Z2022-04-04T17:32:23.000Z

JoeL.04696 (Customer) asked a question.

April 2, 2022 at 8:27 AM
OpenLDAP groups

Hi all, I'm attempting to retrieve both OpenLDAP and Okta groups in OpenID Connect claims similar to what is documented here for Active Directory: https://support.okta.com/help/s/article/Can-we-retrieve-both-Active-Directory-and-Okta-groups-in-OpenID-Connect-claims?language=en_US As described in that link, the expression to merge Active Directory groups with Okta groups is: Arrays.isEmpty(Arrays.toCsvString(Groups.startsWith("active_directory","",100))) ? Groups.startsWith("OKTA","",100) : Arrays.flatten(Groups.startsWith("OKTA","",100),Groups.startsWith("active_directory","",100)) I can't work out what the equivalent "active_directory" string is to get this working with my OpenLDAP groups. Has anyone done this and got it working? Thanks, Joe

  • 2 answers
  • 662 views

  • Mihai Negoita - Okta (Okta, Inc.)

    Hi @JoeL.04696 (Customer)​ , Thanks for reaching out to the Okta Community!

     

    If I'm reading that article right, the "active_directory" string is the generic variable name, so if you want to adapt that to your LDAP, you need to get the value from your Okta Admin Dashboard→ Directory→ Profile Editor→ (insert you LDAP directory name) .

     

    On the LDAP's Profile page, you should see the variable's name. For example in my case (see attached screenshot), I have "ldap_sun_one".

     

     

    Hope it helps! image

    Expand Post

  • JoeL.04696 (Customer)

    Hi @Mihai Negoita - Okta (Okta, Inc.)​, thank you for your help.

     

    You clearly have done a far better job of interpreting the https://support.okta.com/help/s/article/Can-we-retrieve-both-Active-Directory-and-Okta-groups-in-OpenID-Connect-claims?language=en_US article than I did 😊

     

    You're correct, having tested I am able to confirm that the "active_directory" string in the article does refer to the Variable name as shown in your screenshot. In my case I also have "ldap_sun_one" for this value in my OpenLDAP directory integration and configuring an expression that looks like this:

     

    Arrays.isEmpty(Arrays.toCsvString(Groups.startsWith("ldap_sun_one","",100))) ? Groups.startsWith("OKTA","",100) : Arrays.flatten(Groups.startsWith("OKTA","",100),Groups.startsWith("ldap_sun_one","",100))

     

    ..worked as I hoped it would with my OpenLDAP groups.

     

    Thank you again for your help, very much appreciated, Joe

    Expand Post
This question is closed.
Loading
OpenLDAP groups