Active Directory and LDAP Integration via MID Server

Brian G
Tera Contributor

Hello, I've recently been working on converting our AD/LDAP connections from going directly from ServiceNow to our company network via a VPN tunnel to going through a MID Server.


ServiceNow makes it very easy to configure LDAP servers for data sources that run through the MID Server; however, this breaks our current solution for dynamic lookups/checks against AD/LDAP. (Example: a user enters an AD group name on a request form, and a lookup is done to find out whether the group is restricted and prevent the user from proceeding.)


Our current solution for real-time lookups uses the GlideLDAP() object in a script include, as seen here:

https://www.servicenow.com/community/developer-forum/reading-ldap-in-a-script/m-p/1609469

Example Code:

        // 'group' is the group name passed in by the caller (the value typed on the form).
        // Escape LDAP filter metacharacters (RFC 4515) so user input cannot alter the query.
        var safeGroup = String(group).replace(/[\\*()\u0000]/g, function (c) {
            return '\\' + ('0' + c.charCodeAt(0).toString(16)).slice(-2);
        });
        var ldapServer = new GlideRecord("ldap_server_config");
        ldapServer.get('sys_id', '6359bfdc131a3200dc6676666144b067'); // the LDAP server definition to use
        var ldap = new GlideLDAP();
        ldap.setConfigID(ldapServer.getUniqueValue());
        var env = ldap.setup(); // opens the connection described by that LDAP server record
        var query = "(&(objectCategory=group)(cn=" + safeGroup + "))";
        // search base (empty = server default), filter, return all attributes, max 10 results
        var result = ldap.getMatching('', query, true, 10);
 
Because we've updated our LDAP servers to use the MID Server, the above code (the GlideLDAP library) has no way to mimic the same connection through the MID Server and fails.
 
As a workaround I attempted a Flow solution using the Microsoft AD Spoke, but this came with a few cons:
  • Transaction times were 7+ seconds, which was too slow for form submission validations
  • Only Active Directory connections would work. Our LDAP/Dirproxy connections were not supported.

As a last-ditch workaround I have developed a script include that will:

  1. Create an ECC queue record with high priority for the MID Server
    1. The payload for this record is a custom MID Server PowerShell script exec command to query AD and LDAP
  2. The PowerShell MID Server script is called and uses the Directory Services module to establish connections to AD and LDAP
  3. The script include waits for the response ECC queue record to populate and grabs the response data from the AD/LDAP lookup
  4. The data is further processed and passed back to the calling client scripts for form validation.
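As an added illustration of step 2 (this is example code written for this page, not the script from the original post), here is what the MID Server side of that exchange can look like: a PowerShell script that takes the group name as a parameter, queries the directory with System.DirectoryServices, and prints one JSON line that the ECC queue input record can carry back to the script include. The LDAP path, bind account, and the "restricted" rule (a constructed list of group names) are placeholders; how parameters and output travel through the ECC queue is an assumption about the ServiceNow probe setup. The one thing worth copying regardless of setup is the filter escaping: the group name comes from a user-editable form field, so it must not be concatenated into the LDAP filter raw.

```powershell
# Example MID Server-side lookup script (added example, not from the original post).
# Assumptions: the script include passes GroupName (and optionally the others) as
# script parameters, and reads the single JSON line this script writes to stdout.
param(
    [Parameter(Mandatory = $true)][string]$GroupName,
    [string]$LdapPath = 'LDAP://ldap.example.invalid:389/DC=example,DC=invalid',  # placeholder
    [string]$BindUser = '',                                                        # placeholder
    [string]$BindPassword = '',                                                    # placeholder
    [string[]]$RestrictedGroups = @('Domain Admins', 'Enterprise Admins')          # constructed sample rule
)

# Escape the RFC 4515 filter metacharacters so form input cannot change the query structure.
# Backslash must be handled first or the later escapes would be double-escaped.
function ConvertTo-LdapFilterValue {
    param([string]$Value)
    return ($Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00')
}

# Look up exactly one group by CN and return its cn / DN / description, or $null if absent.
function Find-DirectoryGroup {
    param([string]$Name, [string]$Path, [string]$User, [string]$Password)

    # AuthenticationTypes::Secure (Negotiate) suits Active Directory; a plain LDAP
    # directory or proxy typically needs a simple bind (AuthenticationTypes::None).
    $authType = [System.DirectoryServices.AuthenticationTypes]::Secure
    if ($User) {
        $entry = New-Object System.DirectoryServices.DirectoryEntry($Path, $User, $Password, $authType)
    } else {
        $entry = New-Object System.DirectoryServices.DirectoryEntry($Path)
    }

    $searcher = New-Object System.DirectoryServices.DirectorySearcher($entry)
    # objectCategory=group is an AD convention; for a generic LDAP directory use the
    # object class the directory actually stamps on groups (e.g. groupOfNames).
    $searcher.Filter = "(&(objectCategory=group)(cn=$(ConvertTo-LdapFilterValue $Name)))"
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('cn', 'distinguishedName', 'description'))
    $searcher.SizeLimit = 2   # only the existence of a match matters here

    $hit = $searcher.FindOne()
    if ($null -eq $hit) { return $null }

    $desc = ''
    if ($hit.Properties['description'].Count -gt 0) { $desc = [string]$hit.Properties['description'][0] }
    return [pscustomobject]@{
        cn                = [string]$hit.Properties['cn'][0]
        distinguishedName = [string]$hit.Properties['distinguishedname'][0]
        description       = $desc
    }
}

# Build the response the script include will parse. Errors are reported in-band so the
# form validation can fail closed (treat "error" as "do not allow") instead of hanging.
$result = [ordered]@{ group = $GroupName; found = $false; restricted = $false; dn = ''; error = '' }
try {
    $g = Find-DirectoryGroup -Name $GroupName -Path $LdapPath -User $BindUser -Password $BindPassword
    if ($null -ne $g) {
        $result.found = $true
        $result.dn = $g.distinguishedName
        # Constructed rule: a group is "restricted" if its CN is on the configured list.
        $result.restricted = ($RestrictedGroups -contains $g.cn)
    }
} catch {
    $result.error = $_.Exception.Message
}

# One compact JSON line on stdout; the ECC queue input record carries it back to ServiceNow.
$result | ConvertTo-Json -Compress
```

On the ServiceNow side the script include only has to parse that JSON and treat `found=false`, `restricted=true`, or a non-empty `error` as "block the submission". Keeping the restriction rule and the filter escaping on the MID Server means the instance never sees raw LDAP, and a group name such as `Admins)(objectClass=*` is searched for literally rather than widening the query.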

This solution takes around 3 seconds to complete, which is faster than Flow and acceptable enough for form processing (with UI help).


I was curious whether anyone else has run into this rather unique problem and whether there is a better/faster solution for both AD and LDAP/dirproxy lookups on demand using a script include?


Mohamed_Hazik
Tera Contributor

I do have the same problem statement. May I know:

How did you implement this solution using a PowerShell script?

How do you do the validation in the form?