Hi folks,
Has anyone configured the LDAP service of Okta to push users into
FreeIPA recently? Looking for tips/tricks more recent than this page
https://www.freeipa.org/page/HowTo/Integrate_With_Okta which I think
dates back to 2014.
I can get the Okta agent running on the FreeIPA host and talking to Okta,
but user provisioning fails with a DN-parsing-related error that makes
me think that something is now different about (a) telling Okta what
LDAP type/schema is used on the other end or (b) setting up the
attribute mapping.
This is my Okta LDAP agent error when a user is pushed into FreeIPA -- I
100% understand this is an Okta config and Okta agent config thing, but
I am just wondering if anyone has been down this road recently. If not,
I'll try to write up my notes if I can get it working.
This is my error as of now. The RDN value is mapped to the Okta 'uid'
attribute, which always resolves to an email-address-like DN. I'm going
to blow everything away and restart fresh, as I changed too many things
while debugging the current config:
[ 2020-09-25 21:39:14.859 ] [ Thread-15 ] [ INFO ] [LdapRestClient:478] - GET https://XXXX.okta.com/api/1/internal/app/agent/ldap_sun_one/0oa5o6gyetYbG...
[ 2020-09-25 21:39:14.859 ] [ pool-2-thread-3 ] [ ERROR ] [UnboundIDLdapClient:531] - Error during ModifyRequest. ResultCode=34 (invalid DN syntax) exception=
com.unboundid.ldap.sdk.LDAPException: Unable to parse string 'dag(a)XXX.net' as a DN because it does not have an equal sign after RDN attribute 'dag(a)XXX.net'.
    at com.unboundid.ldap.sdk.DN.<init>(DN.java:434)
    at com.unboundid.ldap.sdk.DN.<init>(DN.java:300)
    at com.unboundid.ldap.sdk.DN.getParentString(DN.java:1055)
    at com.okta.ldap_agent.client.unboundid.UnboundIDLdapClient.moveEntry(UnboundIDLdapClient.java:902)
    at com.okta.ldap_agent.client.unboundid.UnboundIDLdapClient.modifyEntry(UnboundIDLdapClient.java:483)
    at com.okta.ldap_agent.connectors.ldap.LdapConnectorExecutorImpl.modifyEntry(LdapConnectorExecutorImpl.java:67)
    at com.okta.ldap_agent.adapters.LdapDirectoryAdapter.modifyEntry(LdapDirectoryAdapter.java:175)
    at com.okta.ldap_agent.handlers.WriteObjectActionHandler.performAction(WriteObjectActionHandler.java:43)
    at com.okta.ldap_agent.LdapAgent.lambda$dispatchAction$0(LdapAgent.java:253)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)
[ 2020-09-25 21:39:14.860 ] [ pool-2-thread-3 ] [ ERROR ] [WriteObjectActionHandler:65] - Interchange error: 34, Unable to parse string 'dag(a)XXX.net' as a DN because it does not have an equal sign after RDN attribute 'dag(a)XXX.net'.
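To make the error message concrete, here is an added example (not code from the post, from Okta or from FreeIPA) of what an RFC 4514 DN parser like the one in the agent's UnboundID SDK expects. The trace shows moveEntry asking for the parent of the string 'dag(a)XXX.net'; a DN must be a comma-separated list of RDNs, each of the form attribute=value, so a bare uid value such as an email address is rejected before any LDAP operation is sent. The parser below reproduces that check, computes a parent DN the way getParentString does, and shows how the same email-shaped value is acceptable once it is the value of a uid RDN under a user container. The base DN cn=users,cn=accounts,dc=example,dc=com and the user values are constructed for the example.

```python
"""Minimal RFC 4514 DN handling, written to illustrate the post's error.

Added example; not Okta's, UnboundID's or FreeIPA's code. Sample DNs and
user values below are constructed (example.com suffix).
"""
import re

# Attribute type: a descriptor (letter, then letters/digits/hyphens) or a
# numeric OID, per RFC 4512.
_ATTR_TYPE = re.compile(r"^(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)$")

# Characters that must be backslash-escaped inside a DN value (RFC 4514 2.4).
_SPECIAL = set(',+"\\<>;=')


def _split_unescaped(text, sep):
    """Split text on sep, keeping backslash-escaped separators intact."""
    parts, buf, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            buf.append(text[i:i + 2])  # keep the escape pair verbatim
            i += 2
            continue
        if ch == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts


def parse_dn(dn):
    """Return a list of RDNs, each a list of (attribute, value) pairs.

    Raises ValueError, worded like the agent's message, when an RDN has no
    '=' separating attribute from value (this is what 'dag(a)XXX.net' hits).
    """
    if dn == "":
        return []  # the empty DN (root DSE) is valid
    rdns = []
    for rdn in _split_unescaped(dn, ","):
        pairs = []
        for ava in _split_unescaped(rdn, "+"):  # '+' joins multi-valued RDNs
            if "=" not in ava:
                raise ValueError(
                    f"Unable to parse string {dn!r} as a DN because it does "
                    f"not have an equal sign after RDN attribute {ava!r}")
            attr, value = ava.split("=", 1)
            attr = attr.strip()
            if not _ATTR_TYPE.match(attr):
                raise ValueError(f"invalid attribute type {attr!r} in {dn!r}")
            pairs.append((attr, value))
        rdns.append(pairs)
    return rdns


def parent_dn(dn):
    """Drop the leftmost RDN, the same operation getParentString performs."""
    rdns = parse_dn(dn)
    if len(rdns) <= 1:
        return ""
    return ",".join("+".join(f"{a}={v}" for a, v in rdn) for rdn in rdns[1:])


def escape_value(value):
    """Escape an attribute value so it can be embedded in a DN (RFC 4514 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL or (i == 0 and ch in "# ") or (i == last and ch == " "):
            out.append("\\" + ch)
        elif ord(ch) < 0x20:
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_user_dn(uid, base_dn):
    """Compose uid=<value>,<base_dn>; an email-shaped uid is fine as a value."""
    parse_dn(base_dn)  # fail early if the configured base DN is itself malformed
    return f"uid={escape_value(uid)},{base_dn}"


if __name__ == "__main__":
    base = "cn=users,cn=accounts,dc=example,dc=com"  # constructed FreeIPA-style base
    for candidate in ("dag@example.net", build_user_dn("dag@example.net", base)):
        try:
            print(candidate, "->", "parent:", parent_dn(candidate))
        except ValueError as err:
            print(candidate, "->", err)
```

The first candidate fails with the same wording as the agent log; the second parses and yields the user container as its parent, which is the shape the agent needs before it can issue a modify or move against FreeIPA.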