lsb4a (lsb4a) asked a question.
The synchronization failed. Failure Reason 'admin limit exceeded'.
We sync to an OKTA instance to pull in users into a COTS application. I think we may have reached a point where the number of users or records returned exceeds an LDAP call limit.
I would like to excluded "suspended" and "deactivated" users from the synchronization pull.
Our current filter for users within the COTS app is the default filter of (objectClass=inetOrgPerson)
If this was a native Active Directory LDAP call I would use the filter (&(objectClass=User)(!(userAccountControl:1.2.840.113556.1.4.803:=2))) to get users that are not disabled.
What are the names for the OKTA attributes that can be added to the filter (objectClass=inetOrgPerson) to reduce the number of users returned.
Hello @lsb4a (lsb4a) Thank you for reacting out to our Community!
This might be a limitation to LDAP and the information retrieved. Please see below documentation that should provide you with the information your are looking for:
https://help.okta.com/en-us/Content/Topics/Directory/LDAP-interface-limitations.htm
https://help.okta.com/en-us/Content/Topics/Directory/ldap-agent-known-limitations.htm
https://help.okta.com/en-us/Content/Topics/Directory/LDAP-interface-troubleshooting.htm
https://docs.oracle.com/cd/E19253-01/816-4556/nis2ldap-10/index.html
Hope this helps and if this answered your question, please mark this as Best Answer!
Paul,
I saw all of those pages prior to posting to the community. Was hoping someone else had same issue as me and was able to overcome issue by altering the user filter (objectClass=inetOrgPerson) with some additional attributes.
Dan