Group Members LDAP Mapping

john_roberts
Mega Guru

I heard from a few people during the conference that they were having trouble importing LDAP group members and mapping to roles.
We have successfully imported groups and members. This allows us to assign roles to groups and manage all rights through Active Directory.

All we had to do was add a mapping in the User LDAP Mapping definition with the following:
External name: member
Variable name: MEMBERS
Type: var
Table: sys_user

The external name for group members may vary if you are not using AD or ADAM. I haven't tested it, but I'm assuming this will not work with nested AD groups since the LDAP query will only resolve users with direct membership.

One more item that came up was troubleshooting LDAP server settings. The wiki references an LDAP browser that comes in handy when troubleshooting. Just browse to www.service-now.com/instance_name/ldapbrowse.do to verify connectivity to your LDAP server.


Valor1
Giga Guru

Here's how to pull only the group members for the starting OU of a Group import:

Example--
I have many groups (CNs) starting at:
OU=Workgroups,OU=ServiceNow,OU=Applications,DC=domain,DC=com

In the LDAP OU Definition,
1) Set the RDN to the starting point (like above--note that the "DC=domain,DC=com" is assumed). You may have to increase the Max length for the RDN field if you have a highly nested directory structure.
2) Set the Query field to "sAMAccountName" for Active Directory LDAP servers (if you don't set this properly, you won't get any results)
3) Set the Table field to "Group [sys_user_group]"
4) Set the Filter field to, at the very least, "(objectClass=group)"

On the Transform map, you should at least map "sAMAccountName" and "source".
After you set up the source and transform maps, save the transform map and create 2 scripts:

1) an "onStart" script of:

   // Load the LDAPUtils script include once per import run and hand it the
   // transform map's "log" object so its messages land in the import log.
   gs.include("LDAPUtils");
   var ldapUtils = new LDAPUtils();
   ldapUtils.setLog(log);

2) an "onAfter" script of:

   // After each group row is written, add the users listed in the source
   // row's "member" attribute to the target group.
   ldapUtils.addMembers(source, target);


I think I just figured out a way to do it, but still want to see if there's an easier way.
On the LDAP Group Import map,
1) map "member" to "user" on the sys_user_grmember table
2) run an onBefore script to
- split the list, using the "^" character as the separator
- look up the user's sys_id from the source
- iterate through the rest of the group members

What I don't know is if I need to use the coalesce property to true, and how the system handles multiple coalesce fields on one transform map.


I'm new to Service-Now. My company is only trying to add group members into the SN users table. We're getting our Users list from another source. But we're trying to use LDAP for authentication. I'm having a hard time understanding what you mean by

1) Set the RDN to the starting point (like above--note that the "DC=domain,DC=com" is assumed).

I tried inputting exactly what we have for the Starting search directory but I get an error 32 when I try to test connection.

Thanks for your assistance in advance.


Mike McCall
Giga Guru

I'm trying to figure out if/how you can pull group members from nested groups: LDAP Nested Groups

For example, we have a "Network and Security" Active Directory security group for Service-Now with direct members that are successfully picked up as an assignment group. However, we would like to add a "Network" sub-group with its own members and have those users show up as part of the "Network and Security" assignment group in S-N. (The idea is that this sub-group actually holds all of the team members in one place and is then used throughout AD to grant access to more systems than just S-N.)

Your comment about S-N limitations worries me: "I'm assuming this will not work with nested AD groups since the LDAP query will only resolve users with direct membership." Of course, you made that comment over six years ago; is it still valid?
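A worked version of the two approaches discussed in this thread: the onBefore script that splits the flattened "member" value on "^" and looks each DN up, and the nested-group expansion Mike McCall asks about. This is an added example, not code from the thread or from ServiceNow's LDAPUtils script include; it runs as plain JavaScript with a constructed in-memory directory standing in for GlideRecord and LDAP lookups, and the DNs, account names, sample group layout and the maxDepth option are assumptions made for the example.

```javascript
// Added example, not code from the thread or from ServiceNow's LDAPUtils.
// A constructed in-memory directory replaces GlideRecord/LDAP lookups.

const BASE = 'OU=Workgroups,OU=ServiceNow,OU=Applications,DC=domain,DC=com';
const USERS = 'OU=Users,DC=domain,DC=com';
const NETSEC_DN = 'CN=Network and Security,' + BASE;
const NETWORK_DN = 'CN=Network,' + BASE;

// Constructed sample directory: DN -> attributes. "member" is stored the way
// the import flattens a multi-valued attribute (values joined with "^").
// "Network" lists "Network and Security" back as a member (a cycle), and one
// member DN has no entry at all (a stale reference).
const SAMPLE_DIRECTORY = {
  [NETSEC_DN]: {
    objectClass: 'group', sAMAccountName: 'network-and-security',
    member: ['CN=Alice Example,' + USERS, NETWORK_DN].join('^'),
  },
  [NETWORK_DN]: {
    objectClass: 'group', sAMAccountName: 'network',
    member: ['CN=Bob Example,' + USERS, 'CN=Carol Example,' + USERS,
             'CN=Stale Account,' + USERS, NETSEC_DN].join('^'),
  },
  ['CN=Alice Example,' + USERS]: { objectClass: 'user', sAMAccountName: 'aexample' },
  ['CN=Bob Example,' + USERS]:   { objectClass: 'user', sAMAccountName: 'bexample' },
  ['CN=Carol Example,' + USERS]: { objectClass: 'user', sAMAccountName: 'cexample' },
};

// Split the "^"-joined member field into unique, non-empty DNs.
// DNs compare case-insensitively, so "cn=x" and "CN=X" are one member.
function splitMemberList(memberField) {
  const seen = new Set();
  const out = [];
  for (const raw of String(memberField || '').split('^')) {
    const dn = raw.trim();
    if (!dn) continue;
    const key = dn.toLowerCase();
    if (!seen.has(key)) { seen.add(key); out.push(dn); }
  }
  return out;
}

// Value of the first RDN ("CN=Smith\, John,OU=..." -> "Smith, John").
// Splitting a DN on "," naively breaks on escaped commas; this honours the
// RFC 4514 backslash escapes "\," and "\2C" (hex pairs decoded as one byte).
function firstRdnValue(dn) {
  let i = dn.indexOf('=');
  if (i < 0) return null;
  let value = '';
  for (i += 1; i < dn.length; i++) {
    const c = dn[i];
    if (c === '\\') {
      const hex = dn.slice(i + 1, i + 3);
      if (/^[0-9a-fA-F]{2}$/.test(hex)) { value += String.fromCharCode(parseInt(hex, 16)); i += 2; }
      else if (i + 1 < dn.length) { value += dn[i + 1]; i += 1; }
      continue;
    }
    if (c === ',') break;
    value += c;
  }
  return value;
}

// Case-insensitive DN lookup (stands in for a GlideRecord query on
// sys_user / sys_user_group by the imported DN).
function lookupEntry(directory, dn) {
  const key = dn.toLowerCase();
  for (const entryDn of Object.keys(directory)) {
    if (entryDn.toLowerCase() === key) return directory[entryDn];
  }
  return null;
}

// Resolve a group's members to user accounts. maxDepth 0 gives what the
// thread says the stock import does (direct members only); a larger value
// follows nested groups, with a visited set so a cycle cannot loop forever.
function expandGroupMembers(groupDn, directory, opts) {
  const maxDepth = opts && opts.maxDepth !== undefined ? opts.maxDepth : 10;
  const users = new Set();
  const unresolved = [];     // member DNs with no directory entry
  const skippedGroups = [];  // nested groups not followed because of maxDepth
  const visited = new Set(); // lower-cased group DNs already expanded

  function walk(dn, depth) {
    const key = dn.toLowerCase();
    if (visited.has(key)) return;
    visited.add(key);
    const group = lookupEntry(directory, dn);
    if (!group) { unresolved.push(dn); return; }
    for (const memberDn of splitMemberList(group.member)) {
      const entry = lookupEntry(directory, memberDn);
      if (!entry) { unresolved.push(memberDn); continue; }
      if (entry.objectClass === 'group') {
        if (depth >= maxDepth) { skippedGroups.push(memberDn); continue; }
        walk(memberDn, depth + 1);
      } else {
        users.add(entry.sAMAccountName);
      }
    }
  }

  walk(groupDn, 0);
  return { group: firstRdnValue(groupDn), users: Array.from(users).sort(), unresolved, skippedGroups };
}
```

The visited set is not optional: AD lets group A contain group B and B contain A, so a plain recursive expansion never terminates on a real directory. Two caveats the thread does not cover, stated here as facts about Active Directory rather than anything the posters reported: AD returns a large multi-valued attribute in ranges (by default 1500 values at a time, as member;range=0-1499), so an import that reads only "member" silently truncates bigger groups; and if the server supports it, the LDAP_MATCHING_RULE_IN_CHAIN filter, (memberOf:1.2.840.113556.1.4.1941:=<group DN>), has AD do the nested expansion server-side in one query, which is the usual answer to the nested-group question above.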