Do manually added users in a group get removed after LDAP runs

kumarkamlesh
Mega Contributor

Hi,

I have a scenario where user data is imported into ServiceNow from two different sources: one from LDAP and the other from a different application. But group data is stored from LDAP only. Now when I add a user whose data came from the other source into the group, the very next day when LDAP runs it removes the user from that group.

So is it that when the LDAP group import runs it removes all the users that were added manually? If yes, then how to restrict LDAP from doing so.

Regards,

Kamlesh

8 REPLIES

DrewW
Mega Sage

If you really need to do this and you do not want to or cannot just add the missing users to the AD group, then you are going to have to write your own group member import. There is a script include called "LDAPUtils" that OOB uses to do the group members. The issue with it is that it uses "GlideLDAPGroups" to do the member updates, which you do not have access to.



There is a memberOf attribute that you will need from AD along with the distinguished name (DN) from AD. You will then need to add a column to the Group Membership table that indicates which import added the user so you can keep them straight.



I would advise if at all possible adding the users to the AD group.
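The reconciliation step Drew describes, as an added example that is not code from this thread or from the platform: a custom group-member import compares the DNs AD reports for a group against the platform's existing memberships and only removes memberships it created itself. It assumes a hypothetical u_source column on sys_user_grmember (values 'ldap' or 'manual') and is written as plain JavaScript so the decision logic can be tested outside the instance.

```javascript
// Added example, not code from the thread or from ServiceNow. Assumes a
// hypothetical u_source column on sys_user_grmember that records which
// import created each membership ('ldap' or 'manual').

// ldapMemberDns: user DNs AD reports for one group (from memberOf/member).
// currentMemberships: the platform's memberships for that group, each
//   { userDn, source }.
// Returns the changes the custom import should apply: memberships to add,
// LDAP-owned memberships to remove, and non-LDAP ones left untouched.
function reconcileGroupMembers(ldapMemberDns, currentMemberships) {
  // AD distinguished names are case-insensitive, so normalise before comparing.
  const inLdap = new Set(ldapMemberDns.map(dn => dn.toLowerCase()));
  const present = new Set(currentMemberships.map(m => m.userDn.toLowerCase()));

  const toAdd = ldapMemberDns
    .filter(dn => !present.has(dn.toLowerCase()))
    .map(dn => ({ userDn: dn, source: 'ldap' }));

  const toRemove = [];
  const preserved = [];
  for (const m of currentMemberships) {
    if (inLdap.has(m.userDn.toLowerCase())) continue; // still in AD: keep as-is
    if (m.source === 'ldap') toRemove.push(m);          // AD dropped this user
    else preserved.push(m);                             // added by another source
  }
  return { toAdd, toRemove, preserved };
}

// Constructed sample data for a stand-alone run.
const SAMPLE_LDAP = [
  'CN=alice,OU=Users,DC=example,DC=com',
  'CN=dave,OU=Users,DC=example,DC=com',
];
const SAMPLE_CURRENT = [
  { userDn: 'CN=alice,OU=Users,DC=example,DC=com', source: 'ldap' },
  { userDn: 'CN=bob,OU=Users,DC=example,DC=com', source: 'ldap' },     // left the AD group
  { userDn: 'CN=carol,OU=Users,DC=example,DC=com', source: 'manual' }, // added by hand
];

console.log(JSON.stringify(reconcileGroupMembers(SAMPLE_LDAP, SAMPLE_CURRENT), null, 2));
```

Inside the instance, the same function would be fed by a GlideRecord query on sys_user_grmember for the group and its results applied as inserts and deletes, with every insert stamping u_source so the next run can tell the memberships apart.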


Dave Smith1
ServiceNow Employee

Drew echoed what I was thinking: what's your definitive source in all of this? It seems that you've got two sources you're trying to combine in the platform; it would make sense to combine and ratify within LDAP first, then import those as known good accounts.



Is there a Reconciliation engine for LDAP imports? You may want to look at data source priorities.



So is it that when LDAP group import runs it removes all the users that are added manually. If yes then how to restrict LDAP from doing so.


Is it a good idea to do that? The point of the LDAP transformation is to keep them in sync - if the user doesn't exist in that LDAP group, it shouldn't exist in the platform group - else it doesn't make sense to have an LDAP connector if you're manually managing group membership.


I understand this and that is why I am not thinking of changing anything in the LDAP script.



As a workaround for this I have written a before delete Business Rule which runs on the sys_user_grmember table. The idea is to check if there is any record being deleted by the LDAP user from sys_user_grmember and the location of the user is JDevice, then abort the deletion, else allow it. But this BR is not running. I tried printing to the log but that is not working either. Any idea why it is not working? Even the first log is not printing:



(function executeRule(current, previous /*null when async*/) {

    // Before-delete Business Rule on sys_user_grmember.
    gs.log("LDAP is trying to remove JDevice Membership ");

    // Abort only when the session user is the LDAP import user and the
    // member being removed belongs to the JDevice location (sys_ids as posted).
    if (gs.getUserID() == '6816f79cc0a8016401c5a33be04be441' && current.user.location == '5431e79cc0a8016401b5a24be04be956') {
        gs.log("Prohibiting AD from deleting JDevice user ");
        current.setAbortAction(true);
    }

})(current, previous);



When I manually remove a JDevice user from the group, this BR executes. Anyone any idea why it is not executing?



Regards,


Kamlesh


No idea why it's not running, but try simply:


gs.log("LDAP is trying to remove JDevice Membership ");


in your BR and see if that logs anything.



If it does, it's likely to be a logic issue lower down.