LDAP with Okta
Configuring LDAP authentication using Okta as the LDAP provider.
Edition note: LDAP authentication is a commercial feature. The community edition supports only local user authentication.
Overview
Okta provides an LDAP Interface that allows applications like Faraday to authenticate users against the Okta directory using the LDAP protocol. This guide walks through configuring Okta's LDAP Interface and connecting Faraday to it.
Prerequisites
- An Okta organization with admin access
- Faraday Server (commercial edition) installed and running
- Network access from the Faraday server to <domain>.ldap.okta.com on port 636
Step 1: Sign Up for Okta
- Navigate to Okta's website.
- Sign up for an account.
- Note your user and work domain from user@workdomain.com.
- Okta will send you an email with:
  - Your Okta URL (e.g., https://workdomain.okta.com)
  - A temporary password
- Log in to your Okta admin console.
Step 2: Enable the LDAP Interface in Okta
- In the Okta admin console, navigate to Directory > Directory Integrations.
- Click Add LDAP Interface.
- Follow the prompts to enable the LDAP Interface.
Step 3: Create Groups for Role Mapping (Recommended)
Create Okta groups to map to Faraday roles:
| Okta Group | Faraday Role |
|---|---|
| fadmin | admin |
| fpentester | pentester |
| fassetowner | asset_owner |
| fclient | client |
Assign Okta users to the appropriate groups.
Step 4: Configure Faraday LDAP Settings
Run the LDAP configuration command on the Faraday server:
faraday-manage settings -a update ldap
Enter the following values (replace <domain> with your Okta work domain):
| Setting | Value |
|---|---|
| enabled | true |
| server | <domain>.ldap.okta.com |
| port | 636 |
| use_ldaps | true |
| use_start_tls | false |
| domain | <domain>.okta.com |
| domain_dn | OU=users,DC=<domain>,DC=okta,DC=com |
| bind_format | DN |
| bind_dn | dc=<domain>,dc=okta,dc=com |
| user_class | user |
| user_attribute | sAMAccountName |
| group_class | group |
| use_local_roles | true |
| default_local_role | admin |
| admin_group | fadmin |
| pentester_group | fpentester |
| asset_owner_group | fassetowner |
| client_group | fclient |
| disconnect_timeout | 2.0 |
| paginated_fetch | false |
Full CLI Session Example
$ faraday-manage settings -a update ldap
Update settings for: ldap
enabled [False]: true
use_local_roles [True]: true
default_local_role [admin]: admin
admin_group []: fadmin
asset_owner_group []: fassetowner
client_group []: fclient
pentester_group []: fpentester
disconnect_timeout [2.0]: 2.0
server []: mycompany.ldap.okta.com
port [389]: 636
use_ldaps [False]: true
use_start_tls [False]: false
domain []: mycompany.okta.com
domain_dn []: OU=users,DC=mycompany,DC=okta,DC=com
bind_format [CN]: DN
bind_dn []: dc=mycompany,dc=okta,dc=com
user_class [user]: user
user_attribute [sAMAccountName]: sAMAccountName
group_class [group]: group
paginated_fetch [False]: false
Do you confirm your changes on ldap? y
Step 5: Restart Faraday Server
# Systemd
systemctl restart faraday-server
# Docker
docker restart faraday-server
Step 6: Log In
Log in to Faraday using the Okta username and password you use to sign in to Okta.
Admin-Only Initial Access
The first LDAP user to log in will receive the role specified in
default_local_role. You cannot create additional users from within
Faraday — users are provisioned automatically from Okta on first login.
Key Differences from Standard LDAP
| Setting | Standard AD | Okta LDAP |
|---|---|---|
| server | AD domain controller | <domain>.ldap.okta.com |
| port | 389 (LDAP) or 636 (LDAPS) | 636 (LDAPS required) |
| use_ldaps | Optional | Required (true) |
| domain_dn | DC=example,DC=com | OU=users,DC=<domain>,DC=okta,DC=com |
| bind_format | CN (typical) | DN (required for Okta) |
| bind_dn | Service account DN | dc=<domain>,dc=okta,dc=com |
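The Okta-specific requirements in the table above (and the values entered in Step 4) can be checked before restarting the server. The following pre-flight check is an added example, not part of Faraday or its `faraday-manage` CLI; the function name `check_okta_ldap_settings` and the settings dict built from the CLI session are constructed for this example.

```python
import re

# Matches the Okta LDAP Interface hostname and captures the work domain.
OKTA_HOST = re.compile(r"^(?P<domain>[a-z0-9-]+)\.ldap\.okta\.com$", re.IGNORECASE)

# Constructed sample: the answers from the CLI session above, as a settings dict.
OKTA_SETTINGS = {
    "enabled": True, "server": "mycompany.ldap.okta.com", "port": 636,
    "use_ldaps": True, "use_start_tls": False, "domain": "mycompany.okta.com",
    "domain_dn": "OU=users,DC=mycompany,DC=okta,DC=com",
    "bind_format": "DN", "bind_dn": "dc=mycompany,dc=okta,dc=com",
    "user_class": "user", "user_attribute": "sAMAccountName", "group_class": "group",
    "use_local_roles": True, "default_local_role": "admin",
    "admin_group": "fadmin", "pentester_group": "fpentester",
    "asset_owner_group": "fassetowner", "client_group": "fclient",
}


def _norm_dn(dn: str) -> str:
    """Lower-case a DN and drop whitespace around commas so case and spacing do not matter."""
    return re.sub(r"\s*,\s*", ",", dn.strip()).lower()


def check_okta_ldap_settings(s: dict) -> list[str]:
    """Return the settings that break the Okta requirements; an empty list means all good."""
    problems = []
    m = OKTA_HOST.match(s.get("server", ""))
    domain = m.group("domain").lower() if m else None
    if domain is None:
        problems.append("server must be <domain>.ldap.okta.com")
    if s.get("port") != 636 or s.get("use_ldaps") is not True:
        problems.append("Okta requires LDAPS: port 636 with use_ldaps=true")
    if s.get("use_start_tls"):
        problems.append("use_start_tls must be false; LDAPS already wraps the session in TLS")
    if s.get("bind_format") != "DN":
        problems.append("bind_format must be DN (not CN) for Okta")
    if domain is not None:
        base = f"dc={domain},dc=okta,dc=com"
        if _norm_dn(s.get("domain_dn", "")) != f"ou=users,{base}":
            problems.append(f"domain_dn should be OU=users,DC={domain},DC=okta,DC=com")
        if _norm_dn(s.get("bind_dn", "")) != base:
            problems.append(f"bind_dn should be {base}")
        if s.get("domain", "").lower() != f"{domain}.okta.com":
            problems.append(f"domain should be {domain}.okta.com")
    if s.get("use_local_roles"):
        for key in ("admin_group", "pentester_group", "asset_owner_group", "client_group"):
            if not s.get(key):
                problems.append(f"{key} is empty, so that Faraday role has no Okta group mapped")
    return problems
```

Running it on a copy of the sample with the Standard AD defaults left in place (port 389, use_ldaps false, bind_format CN) reports exactly the two Okta-specific mistakes from the table.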
Troubleshooting
Cannot connect to Okta LDAP
| Symptom | Solution |
|---|---|
| Connection timeout | Verify outbound port 636 is open on your firewall |
| SSL handshake error | Ensure the Okta root CA is trusted on the Faraday server |
| "Server not found" | Verify the server hostname: <domain>.ldap.okta.com |
Users cannot authenticate
| Symptom | Solution |
|---|---|
| "Invalid credentials" | Verify the Okta password is correct; check Okta's sign-on policies |
| "User not found" | Verify domain_dn includes the OU where Okta users reside |
| "Bind failed" | Ensure bind_format is set to DN (not CN) for Okta |
Verify Okta LDAP Connectivity
Test from the Faraday server:
ldapsearch -H ldaps://<domain>.ldap.okta.com:636 \
-D "uid=testuser,ou=users,dc=<domain>,dc=okta,dc=com" \
-W -b "ou=users,dc=<domain>,dc=okta,dc=com" "(uid=testuser)"