
nnmqu (nnmqu) asked a question.
We have Delegated Authentication enabled for LDAP users, and most of the user profiles in Okta are mastered by LDAP. Users log in to Okta, and Delegated Authentication validates passwords in LDAP.
We have a use case to migrate users & passwords from LDAP-mastered to Okta-mastered. We tried a user import using the password inline hook, but that failed as the user is already present in Okta: "login An object with this field already exists in the current organization".
Similarly, we tried to update the LDAP-mastered user in Okta using the Update API to convert the credential to an inline hook, but that too resulted in an error: "password Imported passwords may only be specified for Okta mastered users".
Do we have some other option where we don't have to force users to update their password and use the inline hook?

Hi, @nnmqu (nnmqu)
Thank you for posting on our Community page!
I did some research and found this link which should be of assistance:
https://developer.okta.com/docs/reference/architecture-center/directory-coexistence/lab-ldap-server/#migrate-users-from-ldap-to-okta
Thank you for reaching out to our Community and have a great day!
_____________________________________________________________________________
Watch and Learn: New Okta how-to videos, plus what's new this month in the May newsletter.
_____________________________________________________________________________
Community members help others by clicking Like or Select as Best on responses. Try it today.
_____________________________________________________________________________
@User16594883467582706479 (Customer Support Online Experience): Thanks for your response.
However, I do see that if we follow the approach in the link you posted, we need to reset passwords for all users, which is definitely not something we want. On the other hand, I can't use the password inline hook as the users are already in Okta.
Is it possible from Okta's end (I was definitely unable to do it from an API) to modify the credentials for existing users to use the inline hook rather than delegated authentication?
@nnmqu (nnmqu)
Unfortunately, there is no out-of-the-box solution other than the ones listed in the article I mentioned. You could raise this as a feature request on ideas.okta.com.
Thank you for reaching out to our Community and have a great day!
@nnmqu (nnmqu)
Typically, LDAP (Lightweight Directory Access Protocol) does not allow the direct export of user passwords. This is because passwords should be stored in an encrypted form in the LDAP directory to ensure security. LDAP usually stores password hashes instead of plaintext passwords.
One of the design goals of LDAP directory servers is to protect the security of user passwords. Passwords are typically stored as hashes, which are one-way encryption algorithms that cannot be reversed. When users log in, the password they provide is compared to the stored hash value in the LDAP server. If they match, the user is granted access.
Therefore, it is generally not possible to directly export the plaintext passwords of users, as it would compromise the security and confidentiality of passwords.
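To make concrete what the password inline hook in the original question does, and why the hash-storage point above matters, here is an added example (not code from Okta, the poster, or this thread) of the core of a Password Import Inline Hook handler: it checks the submitted password against an LDAP-style {SSHA} hash and answers with Okta's VERIFIED/UNVERIFIED command. The in-memory DIRECTORY dict and the hook_request helper are constructed stand-ins for the LDAP lookup and the HTTP request body; the web-server plumbing is omitted.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Build an OpenLDAP-style {SSHA} userPassword value (salted SHA-1)."""
    salt = salt if salt is not None else secrets.token_bytes(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def verify_ssha(password: str, stored: str) -> bool:
    """Verify a plaintext against a {SSHA} hash: recompute, compare in constant time."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes, rest is salt
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)

# Constructed stand-in for the LDAP directory: username -> userPassword hash.
# The hook only ever has the hash, which is why plaintexts cannot be exported.
DIRECTORY = {"jdoe": make_ssha("correct horse battery staple")}

def handle_password_import_hook(request_body: str) -> dict:
    """Return the Okta Password Import Inline Hook response for one request.

    Okta posts data.context.credential.{username,password}; the handler answers
    with a com.okta.action.update command whose credential is VERIFIED or
    UNVERIFIED. Anything unexpected (malformed body, unknown user, wrong
    password) falls back to UNVERIFIED, so Okta prompts the user instead.
    """
    verdict = "UNVERIFIED"
    try:
        cred = json.loads(request_body)["data"]["context"]["credential"]
        stored = DIRECTORY.get(cred["username"])
        if stored is not None and verify_ssha(cred["password"], stored):
            verdict = "VERIFIED"
    except (KeyError, TypeError, ValueError):
        pass
    return {"commands": [{"type": "com.okta.action.update",
                          "value": {"credential": verdict}}]}

def hook_request(username: str, password: str) -> str:
    """Minimal constructed shape of the body Okta sends to the hook endpoint."""
    return json.dumps({"data": {"context": {"credential":
                      {"username": username, "password": password}}}})
```

As the thread notes, Okta only invokes this hook for users whose credential was imported with the hook type, which is why it does not help for users who already exist in Okta under delegated authentication.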
Hi, has anyone managed to come up with a solution for this? We have the same issue moving from AD with Delegated Authentication enabled and want to retain current passwords.