The LDAP Sync Tool (LST) allows users to sync to directory sources that support the LDAP protocol. 

Download the LDAP Sync tool:

This can be obtained through the Reveal Cloud in the Admin -> Directory menu.

Create a config file for the tool to use:

The LST requires a configuration file that hosts the connection details for the Okta configuration.  Below is an example configuration file:

Okta requires a TLS connection to the LDAP interface.  This is done via StartTLS over port 389 or TLS over port 636

In the below configuration file, values encapsulated by <..> should be replaced with your respective values.

---                                                     <----- Generic.

# NextDLP Reveal Web UI URL

apiurl: "https://<tenant-name>.reveal.qush.com"

# The NextDLP Reveal API token generated from https://mycorp.reveal.nextdlp.com/#admin/tokens

apitoken: <Reveal API Token>

# Disable TLS verification for the connection to NextDLP Reveal Cloud

skiptls: false

# The maximum number of retries that can occur after a failure connecting to

# the Ava Infrastructure or LDAP server, or syncing users.

maxretries: 5

# Whether to include LDAP photos when syncing. User photos are given by the image attribute.

photosync: false

archivedeleted: true

# The configuration details for the LDAP directory to download users from.

ldap-config:

  name: "directory"

  credentials:

    addr: "<Okta tenant domain>.ldap.okta.com"

    port: 636

    base: "ou=users, dc=<Okta tenant domain>, dc=okta, dc=com"

    binddn: "uid=<username@example.com>, ou=users, dc=<Okta tenant domain>, dc=okta, dc=com"

    bindpassword: <bind password>

    tlsconfig:

      # The TLS encryption method

      # 0: Uses TLS

      # 1: Uses StartTLS.

      method: 0

      skipverification: false

      # The CA certificate should be in PEM format

      # either as a single line, escaped with \n for each new line,

      # or using YAML | multi-line string formatting with indentation

      rootcabundle: |

        -----BEGIN CERTIFICATE-----

        MIIDdzCCAl+gAwIBAgIEAgAAuTANBgkqhkiG9w0BAQUFADBaMQswCQYDVQQGEwJJ

        RTESMBAGA1UEChMJQmFsdGltb3JlMRMwEQYDVQQLEwpDeWJlclRydXN0MSIwIAYD

        VQQDExlCYWx0aW1vcmUgQ3liZXJUcnVzdCBSb290MB4XDTAwMDUxMjE4NDYwMFoX

        DTI1MDUxMjIzNTkwMFowWjELMAkGA1UEBhMCSUUxEjAQBgNVBAoTCUJhbHRpbW9y

        ZTETMBEGA1UECxMKQ3liZXJUcnVzdDEiMCAGA1UEAxMZQmFsdGltb3JlIEN5YmVy

        VHJ1c3QgUm9vdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKMEuyKr

        mD1X6CZymrV51Cni4eiVgLGw41uOKymaZN+hXe2wCQVt2yguzmKiYv60iNoS6zjr

        IZ3AQSsBUnuId9Mcj8e6uYi1agnnc+gRQKfRzMpijS3ljwumUNKoUMMo6vWrJYeK

        mpYcqWe4PwzV9/lSEy/CG9VwcPCPwBLKBsua4dnKM3p31vjsufFoREJIE9LAwqSu

        XmD+tqYF/LTdB1kC1FkYmGP1pWPgkAx9XbIGevOF6uvUA65ehD5f/xXtabz5OTZy

        dc93Uk3zyZAsuT3lySNTPx8kmCFcB5kpvcY67Oduhjprl3RjM71oGDHweI12v/ye

        jl0qhqdNkNwnGjkCAwEAAaNFMEMwHQYDVR0OBBYEFOWdWTCCR1jMrPoIVDaGezq1

        BE3wMBIGA1UdEwEB/wQIMAYBAf8CAQMwDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3

        DQEBBQUAA4IBAQCFDF2O5G9RaEIFoN27TyclhAO992T9Ldcw46QQF+vaKSm2eT92

        9hkTI7gQCvlYpNRhcL0EYWoSihfVCr3FvDB81ukMJY2GQE/szKN+OMY3EU/t3Wgx

        jkzSswF07r51XgdIGn9w/xZchMB5hbgF/X++ZRGjD8ACtPhSNzkE1akxehi/oCr0

        Epn3o0WC4zxe9Z2etciefC7IpJ5OCBRLbf1wbWsaY71k5h+3zvDyny67G7fyUIhz

        ksLi4xaNmjICq44Y3ekQEe5+NauQrz4wlHrQMz2nZQ/1/I6eYs9HRCwBXbsdtTLS

        R9I4LtD+gdwyah617jzV/OeBHRnDJELqYzmp

        -----END CERTIFICATE-----

  # The optional configuration details for the LDAP directory

  sync:

    searchterm: "(uid=*)"

    keyfields:

      name: displayName

      email: mail

      image: thumbnailPhoto

      title: title

      department: department

      manager: managerDN

      phonenumbermobile: mobile

      phonenumberoffice: telephoneNumber

      addresshome: homePostalAddress

      addressoffice: physicalDeliveryOfficeName

      uniqueid: uid

      schemes:

        - scheme: sid

          attribute: objectSid

        - scheme: unix

          attribute: uidNumber

        - scheme: mail

          attribute: mail

    # label mappings to automatically create and assign labels to users based on LDAP properties

    labelfields:

      - key: department

      - key: city

      - key: country

      - key: memberOf

        labelname: group

        match: (cn=(test.*),ou=groups,dc=<Okta tenant domain>,dc=okta,dc=com)

        transform: $2

        anonymise: false

The ldap sync tool contains  a "--help" flag to list other flags available to the tool.  Notably the "--batchsize " and "--bindpassword" flags. These flags help adjust the batch size of the requests to Okta and keep the bind password from being stored in plaintext (respectively).

The attributes in the keyfields section may vary depending on the attributes configured in your Okta Tenant.

Perform a Dryrun to validate the settings:

 .\ldap-sync.exe --config okta.yaml --dryrun <----- Generic.

Perform a Full Sync:

Refer to the LST Admin guide for further details regarding sync options. Once verified via a dryrun the values retrieved from Okta,  perform a full sync. To do this, simple re-run the previous command without the '--dryrun' flag:

.\ldap-sync.exe --config okta.yaml <----- Generic.

Okta Limitations:

Okta does impose some limitations on its LDAP interface. Notably, they have a limit on the number of batched items they will return (1000), and when performing 'memberOf' queries - these are processed together and a batch response is returned.  

This can cause issues if this is over the 1000-item response limit. Other limitations can be found in their documentation here: https://help.okta.com/en-us/content/topics/directory/ldap-interface-limitations.htm