
User17182675147246543332 (Customer) asked a question.
Hello everyone,
I am currently trying to connect the OktaLDAPAgent (Linux version 5.21) to a Synology LDAP server. The Synology is running an LDAP server as OpenLDAP.
I always get the following error message:
“Validation failed!
User Not Found - Try adjusting your configuration or changing the targeted username
Please review your configuration and retry validation.”
The LDAP schema was probably customized by Synology. I have therefore also adapted the attributes to the circumstances during setup.
I specified the following options in step 2 “Configure Directory Mappings”:
LDAP Version: OpenLDAP
Unique Identifier Attribute: sambaSID
DN: dn
UserBase: cn=users,dc=<mydomain>,dc=lan
Object Class: posixAccount
User Object Filter: (objectclass=posixAccount)
Account Dis Attr: shadowInactive
Dis Val: 1
En Val: 0
Password Attr: userPassword
GroupBase: cn=groups,dc=<mydomain>,dc=lan
Group Object Class: posixGroup
Group Object Filter: (objectclass=posixGroup)
Member Attribute: member
User Attribute : <empty>
This is an example user and a group:
* SGrp_VPN, groups, jsnets.lan
dn: cn=SGrp_VPN,cn=groups,dc=<mydomain>,dc=lan
objectClass: top
objectClass: posixGroup
objectClass: extensibleObject
objectClass: apple-group
objectClass: sambaGroupMapping
objectClass: sambaIdmapEntry
cn: SGrp_VPN
gidNumber: 1000004
description: VPN USers
apple-generateduid: DE3C3478-C983-479F-BAAF-651DDA8B023E
sambaSID: S-1-5-21-892605888-531996753-3876400088-1007
displayName: SGrp_VPN
sambaGroupType: 2
member: uid=jonathang,cn=users,dc=<mydomain>,dc=lan
memberUid: jonathang
* jonathang, users, <mydomain>.lan
dn: uid=jonathang,cn=users,dc=<mydomain>,dc=lan
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: apple-user
objectClass: sambaSamAccount
objectClass: sambaIdmapEntry
objectClass: extensibleObject
cn: jonathang
uid: jonathang
gecos: JG
uidNumber: 1000001
gidNumber: 1000001
loginShell: /bin/sh
homeDirectory: /home/jonathang
shadowLastChange: 19888
shadowMin: 100000
shadowMax: 99999
shadowWarning: 7
shadowExpire: -1
shadowInactive: 0
shadowFlag: 0
sn: ldapreader
authAuthority: ;basic;
apple-generateduid: E1B1A3A6-5068-459F-81FD-95B5A43D2976
sambaSID: S-1-5-21-892605888-531996753-3876400088-1008
sambaNTPassword: xxxx
sambaLMPassword: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
sambaPasswordHistory: 0000000000000000000000000000000000000000000000000000000000000000
sambaPwdLastSet: 1
sambaAcctFlags: [U ]
displayName: jonathang
userPassword:: xxxx
memberOf: cn=users,cn=groups,dc=<mydomain>,dc=lan
memberOf: cn=Directory Consumers,cn=groups,dc=<mydomain>,dc=lan
memberOf: cn=Directory Clients,cn=groups,dc=<mydomain>,dc=lan
I have already checked the log of the agent (/opt/Okta/OktaLDAPAgent/logs/agent.log) in DEBUG mode. However, this did not yield any results.
What else can I check or set up?
Is there a log or an option that I can still check?

Hello @User17182675147246543332 (Customer), thank you for posting on our Community page!
When setting up LDAP you need to make sure that:
"Okta requires usernames be in an email format. Configuring these options correctly ensures that your usernames satisfy this requirement."
As per our doc below:
https://help.okta.com/en-us/content/topics/directory/ldap-configure-integration-settings.htm
I would recommend reviewing our doc and making sure that the settings are set up accordingly.
Thank you for reaching out to our Community and have a great day!
--
Help others in the community by liking or hitting Select as Best if this response helped you.
Dear Paul,
Thank you very much for your reply. Indeed, our UID entries in LDAP do not have the format of an email address.
In the article you provided me with it says that you can use the options “User Id (UID) + Configurable Suffix” or “User Id (UID) @ Domain” if the UID is not in the format of an email address.
However, this doesn't seem to work for me either, I still get the same error message.
I am surprised that the check fails, but I always get SUCCESS in the agent log.
[ 2024-10-30 06:57:21.891 ] [ worker-thread-316 ] [ INFO ] [RealTimeSyncActionHandler:139] - Returning success result, details=LdapActionResult{type=REAL_TIME_SYNC, actionId='rpc::app.active_directory.agent.reply.ok12-majorecs04b.auw2-ok12.internal//1730267859751//8ecfa90435d6d4cdd2afe03caf340eb9:0ca9c104-41a9-48a7-960f-521ea628b9df:', status=SUCCESS, message='No Auth Performed', errorCode='', vendor=OPEN_LDAP, diagnosticMessage='', resultCode='', matchedDN='', additionalInfo='', lastDownloadToken=''}
[ 2024-10-30 06:57:21.895 ] [ worker-thread-316 ] [ INFO ] [LdapRestClient:280] - POST initiated with result status=SUCCESS, actionType=REAL_TIME_SYNC, actionId=rpc::app.active_directory.agent.reply.ok12-majorecs04b.auw2-ok12.internal//1730267859751//8ecfa90435d6d4cdd2afe03caf340eb9:0ca9c104-41a9-48a7-960f-521ea628b9df:, diagnostic message=, error code=, matched dn=, message=No Auth Performed, result code=, vendor=OPEN_LDAP
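As an added example (not Okta's or Synology's code, and not the agent's real validation query, which the thread does not show), the following Python script dry-runs the mapping values from the question against the posted entries offline: it unfolds and parses LDIF, applies the UserBase and User Object Filter together with a uid equality, reads the disabled attribute and unique identifier, resolves group membership through the Member Attribute, and derives the login under each of the three username options the Okta doc names (an attribute that already holds an email, "UID + Configurable Suffix", "UID @ Domain"). The example.lan domain, the CONFIG key names and the function names are this example's own assumptions, and the sample LDIF is constructed from the posted entries with the hashes omitted.

```python
# Constructed test data adapted from the entries posted in the question
# (domain replaced by example.lan, password hashes omitted). LDIF folds a long
# value onto a following line that starts with one space (RFC 2849).
SAMPLE_LDIF = """\
dn: cn=SGrp_VPN,cn=groups,dc=example,dc=lan
objectClass: posixGroup
cn: SGrp_VPN
gidNumber: 1000004
member: uid=jonathang,cn=users,dc=example,dc=lan

dn: uid=jonathang,cn=users,dc=example,dc=lan
objectClass: posixAccount
objectClass: inetOrgPerson
cn: jonathang
uid: jonathang
shadowInactive: 0
sambaSID: S-1-5-21-892605888-531996753-3876400088-1008
"""

# Mirrors the "Configure Directory Mappings" values in the question; the key
# names are this example's own, not the agent's field names.
CONFIG = {
    "user_base": "cn=users,dc=example,dc=lan",
    "user_filter": "(objectclass=posixAccount)",
    "group_base": "cn=groups,dc=example,dc=lan",
    "group_filter": "(objectclass=posixGroup)",
    "member_attr": "member",
    "unique_id_attr": "sambaSID",
    "disabled_attr": "shadowInactive",
    "disabled_value": "1",
}


def parse_ldif(text):
    """Return [{'dn': str, 'attrs': {lowercase name: [values]}}, ...] (base64 '::' values not decoded)."""
    entries, entry = [], None
    for line in text.replace("\n ", "").splitlines() + [""]:  # unfold continuations first
        if not line:                          # blank line ends an entry
            if entry:
                entries.append(entry)
            entry = None
        elif ":" in line:
            name, value = line.split(":", 1)
            name, value = name.lower(), value.strip()
            if name == "dn":
                entry = {"dn": value, "attrs": {}}
            elif entry is not None:
                entry["attrs"].setdefault(name, []).append(value)
    return entries


def parse_filter(s):
    """RFC 4515 subset: (attr=value) and (&(...)(...)). Returns a nested tuple."""
    def parse(i):
        if s[i + 1] == "&":
            i, kids = i + 2, []
            while s[i] != ")":
                kid, i = parse(i)
                kids.append(kid)
            return ("&", kids), i + 1
        j = s.index(")", i)
        attr, value = s[i + 1:j].split("=", 1)
        return ("=", attr.lower(), value.lower()), j + 1
    return parse(0)[0]


def matches(entry, node):
    if node[0] == "&":
        return all(matches(entry, k) for k in node[1])
    return node[2] in [v.lower() for v in entry["attrs"].get(node[1], [])]


def find_user(entries, cfg, uid):
    """Search base + object filter + uid equality, ANDed the way a directory lookup would."""
    node = ("&", [parse_filter(cfg["user_filter"]), ("=", "uid", uid.lower())])
    base = "," + cfg["user_base"].lower()
    hits = [e for e in entries if e["dn"].lower().endswith(base) and matches(e, node)]
    return hits[0] if len(hits) == 1 else None


def okta_username(entry, mode, extra=""):
    """The three username options the Okta doc names; None if nothing usable exists."""
    if mode == "attribute":                   # attribute must already hold an email
        vals = entry["attrs"].get(extra.lower(), [])
        return vals[0] if vals and "@" in vals[0] else None
    uid = entry["attrs"].get("uid", [None])[0]
    if uid is None:
        return None
    return uid + extra if mode == "uid_suffix" else f"{uid}@{extra}"   # uid_domain


def dry_run(ldif_text, cfg, uid, mode, extra=""):
    """Everything the mapping has to get right for one login, collected in one dict."""
    entries = parse_ldif(ldif_text)
    user = find_user(entries, cfg, uid)
    if user is None:
        return {"found": False}
    a, gnode = user["attrs"], parse_filter(cfg["group_filter"])
    groups = [e["attrs"]["cn"][0] for e in entries
              if e["dn"].lower().endswith("," + cfg["group_base"].lower())
              and matches(e, gnode) and user["dn"] in e["attrs"].get(cfg["member_attr"], [])]
    return {"found": True, "dn": user["dn"],
            "unique_id": a.get(cfg["unique_id_attr"].lower(), [None])[0],
            "disabled": cfg["disabled_value"] in a.get(cfg["disabled_attr"].lower(), []),
            "username": okta_username(user, mode, extra), "groups": groups}
```

Calling `dry_run(SAMPLE_LDIF, CONFIG, "jonathang", "uid_suffix", "@example.lan")` finds the user under the posted base and filter, reports it as enabled and a member of SGrp_VPN, and yields the login jonathang@example.lan; the same call with `"attribute", "mail"` yields no username because the posted entry carries no attribute with an email value, and a wrong UserBase or a uid not present returns `{"found": False}`. Feed the script an `ldapsearch -LLL` dump of your own tree to check a mapping before pointing the agent at the directory.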
Hello @User17182675147246543332 (Customer), I would recommend opening a Case with Support for additional troubleshooting on this matter.
Dear Paul,
Many thanks for your help.
I will think about it.
Best regards