Okta Classic Engine | Directories | Answered | 2023-04-10 / 2023-04-11

MatthewE.60094 (Customer) asked a question.

LDAP Interface - Custom Admin Role Access

We are utilizing the LDAP interface to sync user data from Okta to an external application (Igloo). We were able to set up the sync to our main tenant, but now we're trying to set up a secondary connection to a "spoke" tenant that's just for one subset of the business.


We'd like to create a custom Admin role for the Spoke that is restricted to a specific Resource Group so that the import tool only pulls users from that group, but all attempts have failed. I can do a successful test using the main account, but that would also mean that we would need to manage the connection at Corporate instead of passing the utility to the Spoke's IT.


According to the documentation (https://help.okta.com/en-us/Content/Topics/Directory/LDAP-interface-connection-settings.htm), "Must have admin permissions, but can be a read-only admin". Is there a way to do that via Custom Admin settings?


  • MatthewE.60094 (Customer)

    We solved it; the issue appeared to be with our search string. We were copying the string from the primary sync that uses a full RO Admin account to look up people in a specific group:

    (&(objectclass=inetOrgPerson)(memberOf=cn=groupName))

    Because this uses a custom RO Admin for a Group, we simplified the search string:

    (objectclass=inetOrgPerson)

    That pulls just the users in the group where the Admin has access and allows us to proceed. I'll need to do some additional modifications for some subsequent queries, but it appears to be working for this small population.

    Thanks!

    Selected as Best
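As an added example (not code from the original post or from Okta), the two filters above can be generated in Python while escaping the group name per RFC 4515, so a value containing `*` or parentheses is matched literally instead of changing the filter's structure. The helper names (`escape_filter_value`, `person_filter`, `check_balanced`) are chosen here; the `memberOf=cn=groupName` form is taken from the post as written.

```python
"""Build and sanity-check LDAP search filters of the shape used in the thread.

Added example, not code from the original post or from Okta. The helper names
(escape_filter_value, person_filter, check_balanced) are chosen here.
"""
from typing import Optional

# RFC 4515 section 3 requires these characters to be hex-escaped inside an
# assertion value, otherwise a value such as "Eng*)(uid=*" would change the
# structure of the filter instead of being matched literally.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value in an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def person_filter(group_cn: Optional[str] = None) -> str:
    """Return the inetOrgPerson filter, optionally restricted to one group.

    group_cn=None yields the simplified filter the poster ended up using: a
    custom admin whose resource set is already a single group needs no memberOf
    clause, because the LDAP interface only returns users that admin can see.
    A group name reproduces the filter used with the full read-only admin.
    """
    person = "(objectclass=inetOrgPerson)"
    if group_cn is None:
        return person
    member_of = f"(memberOf=cn={escape_filter_value(group_cn)})"
    return f"(&{person}{member_of})"


def check_balanced(ldap_filter: str) -> bool:
    """Cheap structural check: parentheses balance and the filter is wrapped.

    Catches a missing or extra parenthesis before the filter is handed to a
    connector, where the only symptom would be an empty or failed search.
    """
    if not ldap_filter.startswith("(") or not ldap_filter.endswith(")"):
        return False
    depth = 0
    i = 0
    while i < len(ldap_filter):
        ch = ldap_filter[i]
        if ch == "\\":          # skip a hex escape sequence such as \28
            i += 3
            continue
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
        i += 1
    return depth == 0


if __name__ == "__main__":
    # Constructed sample inputs: the two filters from the post plus a hostile name.
    for f in (person_filter(), person_filter("groupName"), person_filter("Eng*)(uid=*")):
        print(f, "balanced" if check_balanced(f) else "UNBALANCED")
```

The escaped form matters most when the group name comes from configuration or user input rather than being typed once into a connector; with escaping in place, the filter stays a single `memberOf` assertion whatever the name contains.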
  • Mihai N. (Okta, Inc.)

    Hi @MatthewE.60094 (Customer), thank you for reaching out to the Okta Community!

    It does not look like this is currently possible. The way I'm reading this, the docs mention it as a limitation:

    "Group administrators, help desk administrators, and custom administrators whose permissions are limited to viewing and managing the users of their assigned groups may experience a timeout when performing user searches."

    Reference: https://help.okta.com/en-us/Content/Topics/Directory/LDAP-interface-limitations.htm

    You can suggest this as a Feature Enhancement on the Okta Community page by going to the Community Ideas tab. Features suggested in our community are reviewed and can be voted and commented on by other members. High popularity will increase the likelihood of it being picked up by the Product Team and implemented.

    More details here: https://support.okta.com/help/s/blog/a674z000001cj7YAAQ/okta-ideas-faq

    If my answer helped, remember to mark it as best to increase its visibility for other members of the Okta Community who might have the same questions as you.

    Hope my answer helps!
This question is closed.