Import user photo from LDAP into S-N (reloaded)

conmic · ‎07-15-2013

Dear Community,
my company is now changing to Service-Now and I'm currently working on adapting it to our needs. I worked the entire day long on the import of the LDAP user photo into S-N and I really got to thank john.roberts who first published in 2009 the base-script for what I need, see this topic: Importing user picture from LDAP into S-N.

Unfortunately his script is out-of-date as calling packages directly is now prohibited with the Calgary release and also his script is not able to update existing photos in S-N. So I accepted the challenge and modified his script.
It's already working and I want to share it with you in a minute, but maybe you guys can help me on a few questions as I'm new to S-N and JavaScript (previously I was more working on MS.NET).

Let's start withe the requirements:

1. Only import JPEG pictures into your LDAP, else you need to modify the script (to be honest I don't know if LDAP supports other formats)

2. Make sure to add the value "thumbnailphoto" to the system property "glide.ldap.binary_attributes". This system property should already exist on the sys_properties.list, otherwise add it manually by following the instructions that can be found on the S-N wiki.

Note: john.roberts script was aiming for the "jpegphoto", you can also use such attribute but you need to change the previous mentioned system property and also the following script accordingly (simply replace each thumbnailphoto with jpegphoto).

3. Make sure to set the system property "com.glide.loader.verify_target_field_size" to true. By default it's false. Otherwise follow the instructions given on john.roberts script.

Now to the Script:

Go to your "LDAP user import" transform map and add a new onAfter transform script.

Sorry, I'm horrible in giving proper comments on scripts. Please refer to john.roberts base-script or simply ask me if you have a question.



//add user image from ldap thumbnailphoto attribute and keep records in SN up-to-date

//**first check and get the existing photo of the SN-record
//this is vital if we want to update the photo when it has been changed in LDAP
//however the more users there are and the bigger the stored pictures are, it might slowdown the import process
//It can be simplified but then SN-pictures will not be removed automatically when the picture has been removed in LDAP
var existingPhoto = new GlideRecord('sys_attachment');
existingPhoto.addQuery('table_name','ZZ_YYsys_user');
existingPhoto.addQuery('table_sys_id',target.sys_id);
existingPhoto.addQuery('file_name','photo');
existingPhoto.query();

//**check if there is a picture on LDAP
if (source.u_thumbnailphoto != '') {
    //**if there is no picture for the record in SN
    if (!existingPhoto.next()) {
        //**launch the function to attach the picture
        attachPhoto();
    }
    //**if there is a picture for the record in SN
    else {
        var sysEncodedAttachment = new GlideSysAttachment();
        var binData =  sysEncodedAttachment.getBytes(existingPhoto);
        var EncodedBytes = GlideStringUtil.base64Encode(binData);
        //**verify if the current existing SN-picture for the record does not match the current LDAP picture
        //if it does not match, delete the current SN-picture and launch the funtion to attach the new picture
        if (EncodedBytes != source.u_thumbnailphoto) {
            existingPhoto.deleteRecord();
            attachPhoto();
        }
    }
}
//**if there is no picture on LDAP
else {
    //**check if there is one on the SN-record and delete it
    if (existingPhoto.next()) {
        existingPhoto.deleteRecord();
    }
}

//function to attach a new photo from the LDAP to the SN-record
function attachPhoto(){
    var sysDecodedAttachment = new GlideSysAttachment();
    var DecodedBytes = GlideStringUtil.base64DecodeAsBytes(source.u_thumbnailphoto);
    var attID = sysDecodedAttachment.write(target, 'photo', 'image/jpeg', DecodedBytes);
    var newAttachment = new GlideRecord("sys_attachment");
    newAttachment.addQuery("sys_id", attID);
    newAttachment.query();
    if (newAttachment.next()) {
        newAttachment.table_name = "ZZ_YYsys_user";
        newAttachment.table_sys_id = target.sys_id;
        newAttachment.content_type = 'image/jpeg';
        newAttachment.update();
    }
}

So... as you can see in order to be able to delete the photo on S-N if it has been removed in LDAP, I need to load the entire S-N image-data for each user-record there is. Meaning the more users you have and the bigger the stored pictures are, the longer it will take to verify and import. If you guys have an idea how to optimise this, I'd be grateful! Otherwise we can simplify the script, but then the photo on S-N will not be removed if it has been removed in LDAP, however it will still be able to update changes.

As john.roberts also suggested, you can afterwards test the script only on a specific user by adding to the LDAP filter (sAMAccountName=DesiredUsername*)

P.S.: Unfortunately S-N has not yet the possibility to directly import the LDAP photo, this is the only possibility we have

jonas_waga · ‎04-22-2014

Hi,

I ´m having some problems with the import of photos in our environment.

I tried to get some answers on Import User Photo from LDAP — ServiceNow ELITE.com but with no luck.

Im hoping some of you guys can help me.

""

I cant get the photo-import to work in our environment.

I suspect that there is something wrong in ldap-import. Because when I either import or browse the ldap the "thumbnailPhoto" value is something like "[B@4f210b51". This seems to change if I reload the ldap browser, which seems strange since it should be the same. If i continue with the import the script is working, but the image is just a corrupt file.

What should the value look like in servicenow?

The only thing I can find on Google about ldap and [B@ is the page "https://confluence.atlassian.com/pages/viewpage.action?pageId=329352611" which seems to point to something with "invalid escape sequence". I have tried to move around the search base between the "Server URL", "Starting search directory," and "RDN" without any difference, but i guess it could be something completely different since its a completely different product.

Any pointers to push me in the right direction is appreciated.

Thanks for an excellent guide.

//Jonas

""

conmic · ‎04-23-2014

Hello Jonas,

"[B@4f210b51" is actually your photo, the binary data of it which comes from Active Directory as the photo is not actually stored as image file.

Within the script this is then decoded and you see the actual image.

But you're right, this value should only change if the image changes, so have you followed on the article of ServiceNow Elite the Step 2: LDAP Binary Attributes?

You need to add "thumbnailphoto" into the comma-separated list of this system property.

jonas_waga · ‎04-23-2014

Hi conmic

Thanks for the reply.

I checked the values in the AD using the attribute-editor so i know that they should look a bit strange. According to Mike the value in SN should look something like "/9j/4AAQSkZJRgABAQEAYABgAAD/2wBDAAgGBgcGBQgHBwcJCQgKDBQNDAsLDBkSEw8UHRofHh0aHBwgJC4nICIsIxwcKDcpLDAxNDQ0Hyc5PTgyPC4zNDL/...", but when i try the browser all I get is results like this B@1e2cd56d, [B@1354afb7, [B@2679386 and [B@2eb19f0d. They change every time i reload the record.

And yes i have added the thumbnailphoto to glide.ldap.binary_attributes, together with the objectsid,objectguid that already existed.

All ideas are welcome…

conmic · ‎04-23-2014

Strange... looks almost for me like if the value coming from your Active Directory is encrypted. Or encoded with a different encoding-method.

Maybe you could check with your domain admin if the thumbnailPhoto is properly exported... In our AD, the thumbnailPhoto is defined as "Octet String", so it's readable for anybody.

If I use the LDAP browser in SN, I get always the same value, which is also the one that is then on the import table. So I really find it strange that it always changes for you. Seems really like it's specific to your AD.

jonas_waga · ‎04-23-2014

Actually I'm admin in the AD as well… and we haven't done anything special with the value. But i will check if i can find anything strange with it, thanks for the tip.

I have tried some different tools for adding images to the AD, and all of them are able to read the image from the previous one… but still no luck in SN.