secLDAP - - No problem importing users/groups, but logins fail with weird error?

mikevarney

I have my secLDAP configured against my LDAP server so that when I update the settings (or on a 15 minute schedule), the system is able to properly import all my users and groups as it normally would.

However, when I try to login to BI as one of my LDAP users, I get "Security plugin error: An error has occurred in the plugin, but the plugin is unable to return a detailed error message". When I look in my system logs, I see a proper LDAP query but then see these messages:

* LDAP: LdapGetName: Failed to get the name of user 'uid=(proper DN of the user I logged in as)'
* SecLdap Error: an error occured in LdapGetName().

The query base and attributes queried for are proper. I used my LDAP browser and confirmed the properties I mapped are present.

SAP support has been chewing on this issue for a month. Anyone have a direction I could look in? Another log?

Accepted Solutions (0)

Answers (5)

mikevarney

Tim - refer to case 700379 / 2021. SAP thinks it's a system-level LDAP query that Okta isn't able to handle. I'm trying to get the query from them, but they aren't really giving me any useful information. Can you assist?

mikevarney

Here's what my record looks like in the Okta LDAP interface:

mikevarney

Another interesting piece of information - - I've been able to determine that the secLDAP plugin *can* determine if I've properly authenticated. If I goof my password, it'll say "Invalid username or password". If I properly type my password, I get "Security plugin error: An error has occurred in the plugin, but the plugin is unable to return a detailed error message".

So I have to conclude that secLDAP *is* binding as my user, confirming the password is good, but the "next" step is what fails. I assume it's trying to access an unconfigurable attribute?

--M

mikevarney

If I login with the full DN, I get "Account information not recognized: Invalid username or password".

Your last paragraph will be the kicker.

We're looking to use the LDAP emulator that Okta provides. My Apache Directory Studio is able to connect to that LDAP server and browse with no issues; the thing that's really frustrating is that the User & Group sync runs with no problem. I get my user and group aliases in the system with no problem. It's only when logging in that I get that error.

I'd really like to avoid having a traditional LDAP server around just for this one software package; I'd really like to see if we can get this to work. I'm willing to harass Okta if need be. But the message that the secLDAP plugin puts out really gives me no information.

The one thing that a login would do that the user/group sync wouldn't is bind to the LDAP server as the actual end user. So I assume that's where the difficulty is. (Again, I can bind with my Directory Studio as the end user with no issues). But if someone "on the inside" could help me get a little more information out of the secLDAP plugin I can then turn to Okta.

Thanks for the message! --M

BasicTek

Instead of logging in with the UID, what happens if you log in with the user's full DN (you should be able to pull this from your LDAP browser)?

When you log in with the UID, if that is defined in the attributes, then it should look up and log in with the DN behind the scenes; what you are doing is skipping the lookup to test whether the DN fails too.

Some info on how the LDAP attributes work and which one is used for login (default user search attribute):

https://apps.support.sap.com/sap/support/knowledge/en/1253052

Also very important: what type of LDAP server are you using, and which version? Our LDAP plugin has been tested with a very limited number of LDAP servers, and I can tell you certain ones will not work no matter how cleverly you configure it.
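The lookup-then-bind sequence described in this answer (service-account bind, search on the login attribute, bind as the resolved DN, then read the user's name attribute, which is also the step the original poster isolated from the "Invalid username or password" versus "Security plugin error" behaviour) can be replayed outside the plugin so that the failing step is named instead of masked. The script below is an added example, not SAP, Okta or secLDAP code: the attribute names uid and displayName, the DNs, passwords and the in-memory directory are constructed, and the step names, the hidden_from_self ACL stand-in and the Ldap3Directory adapter (which assumes the third-party ldap3 package) are this example's own.

```python
# Added example (not SAP, Okta or secLDAP code): replay the four steps of a lookup-then-bind LDAP
# login and stop at the first one that fails, so the failing step is named instead of hidden
# behind "Security plugin error".  Directory access sits behind a three-call interface so the
# same logic runs against the constructed in-memory directory below or, via ldap3, a real server.
from dataclasses import dataclass


@dataclass
class Step:
    name: str     # service_bind / user_search / user_bind / name_lookup (names chosen for this example)
    ok: bool
    detail: str


class InMemoryDirectory:
    """Constructed stand-in for an LDAP server.  entries: dn -> {"password": str,
    "attrs": {name: [values]}, "hidden_from_self": {attr, ...}} where hidden_from_self lists
    attributes the entry's owner cannot read (mimics a restrictive ACL; an assumption)."""

    def __init__(self, entries):
        self.entries = {dn.lower(): e for dn, e in entries.items()}
        self.bound_as = None

    def bind(self, dn, password):
        entry = self.entries.get(dn.lower())
        ok = entry is not None and entry["password"] == password
        self.bound_as = dn.lower() if ok else None
        return ok

    def search(self, base, attr, value, attrs):
        """Equality search for (attr=value) under base; returns [(dn, {attr: [values]})]."""
        hits = []
        for dn, e in self.entries.items():
            if dn.endswith(base.lower()) and value.lower() in [v.lower() for v in e["attrs"].get(attr, [])]:
                hits.append((dn, self._visible(dn, e, attrs)))
        return hits

    def read(self, dn, attrs):
        """Base-scope read of one entry, as the currently bound identity."""
        e = self.entries.get(dn.lower())
        return self._visible(dn.lower(), e, attrs) if e else None

    def _visible(self, dn, e, attrs):
        hidden = e.get("hidden_from_self", set()) if self.bound_as == dn else set()
        return {a: e["attrs"][a] for a in attrs if a in e["attrs"] and a not in hidden}


class Ldap3Directory:
    """Same three calls over a real server using ldap3 (assumed installed; not exercised offline)."""

    def __init__(self, host, port=636, use_ssl=True):
        import ldap3
        self.ldap3, self.server, self.conn = ldap3, ldap3.Server(host, port=port, use_ssl=use_ssl), None

    def bind(self, dn, password):
        self.conn = self.ldap3.Connection(self.server, user=dn, password=password)
        return self.conn.bind()

    def search(self, base, attr, value, attrs):
        from ldap3.utils.conv import escape_filter_chars   # never splice a raw login into a filter
        self.conn.search(base, f"({attr}={escape_filter_chars(value)})", attributes=attrs)
        return [(e.entry_dn, e.entry_attributes_as_dict) for e in self.conn.entries]

    def read(self, dn, attrs):
        self.conn.search(dn, "(objectClass=*)", search_scope=self.ldap3.BASE, attributes=attrs)
        return self.conn.entries[0].entry_attributes_as_dict if self.conn.entries else None


def login_steps(d, service_dn, service_pw, base_dn, login, user_pw, login_attr="uid", name_attr="displayName"):
    """Mirror of a lookup-then-bind login; the last Step returned says which stage failed and why."""
    steps = []
    if not d.bind(service_dn, service_pw):
        return steps + [Step("service_bind", False, f"service account {service_dn} could not bind")]
    steps.append(Step("service_bind", True, "service account bound"))
    hits = d.search(base_dn, login_attr, login, [name_attr])
    if len(hits) != 1:
        return steps + [Step("user_search", False,
                             f"({login_attr}={login}) under {base_dn} returned {len(hits)} entries, need exactly 1")]
    user_dn, seen_by_service = hits[0]
    steps.append(Step("user_search", True, f"resolved to {user_dn}; {name_attr} via service account: "
                                           f"{seen_by_service.get(name_attr)}"))
    if not d.bind(user_dn, user_pw):
        return steps + [Step("user_bind", False, "bind as the resolved DN rejected (bad password or DN not bindable)")]
    steps.append(Step("user_bind", True, "user credentials accepted"))
    mine = d.read(user_dn, [name_attr]) or {}        # read as the user, exactly as the plugin would
    if not mine.get(name_attr):
        return steps + [Step("name_lookup", False, f"{name_attr} not readable on {user_dn} when bound as that user "
                                                   f"(visible to service account: {bool(seen_by_service.get(name_attr))})")]
    steps.append(Step("name_lookup", True, f"{name_attr} = {mine[name_attr][0]}"))
    return steps


# Constructed directory: the service account, a user whose displayName is readable by the service
# account but not by the user (the failure mode under discussion), and a user with nothing hidden.
DEMO = InMemoryDirectory({
    "uid=svc-bi,ou=users,dc=example,dc=com": {"password": "svc-pw", "attrs": {"uid": ["svc-bi"]}},
    "uid=jdoe,ou=users,dc=example,dc=com": {"password": "jdoe-pw",
        "attrs": {"uid": ["jdoe"], "displayName": ["Jane Doe"]}, "hidden_from_self": {"displayName"}},
    "uid=asmith,ou=users,dc=example,dc=com": {"password": "asmith-pw",
        "attrs": {"uid": ["asmith"], "displayName": ["Al Smith"]}},
})


def demo(login, password):
    return login_steps(DEMO, "uid=svc-bi,ou=users,dc=example,dc=com", "svc-pw", "dc=example,dc=com", login, password)


if __name__ == "__main__":
    for login, pw in (("jdoe", "jdoe-pw"), ("jdoe", "bad"), ("asmith", "asmith-pw"), ("nobody", "x")):
        last = demo(login, pw)[-1]
        print(f"{login:8s} {last.name:13s} {'OK  ' if last.ok else 'FAIL'} {last.detail}")
```

Against a real server, construct `Ldap3Directory("ldap.example.okta.com")` (hypothetical host) in place of DEMO with the same service DN, base and attributes the plugin is configured with. The last Step shows whether the user bind or the subsequent name read is the stage the plugin is failing on, and whether the name attribute was visible through the service account yet not when bound as the user, which is the case the user/group sync would never notice.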