ldap group member import

Go to solution
jwerkmann
Tera Contributor

‎11-06-2017 02:34 AM

I'm struggling with importing AD group members into ServicceNow by using the default AD utility functions as described here:

https://docs.servicenow.com/bundle/jakarta-servicenow-platform/page/integrate/ldap/concept/c_LDAPTra...

Unfortunately I can't find any detailed description how users and groups are identified and mapped by using function 'ldapUtils.addMembers(source, target);'.

 

Can anybody explain which information is expected?

Labels:
0 Helpfuls
  • 9,503 Views
1 ACCEPTED SOLUTION

Go to solution
jose_valle
ServiceNow Employee
ServiceNow Employee

‎11-06-2017 06:25 AM

Hi Jürgen,



Essentially, what will happen is that for each dn that is in the u_members field of the incoming group staging record will be used to look an existing user with a matching value for source




Here are a couple of points about how members are added as part of the group import.



  • The transform script looks for the members in a field named "u_members" by default. This can be changed with a line like "ldapUtils.setMemberField('u_yourAttributeNameGoesHere')" on the same script that calls the .addmembers() method "ldapUtils.addMembers(source, target)"
  • The value of the "u_members" field should contain a list of full dn's for each member. This is used to find the corresponding user in the sys_user table with a matching source value.
  • You should not map the members field as this is handled by the scripts


Hope this helps.


View solution in original post

9 REPLIES 9

Go to solution
Jaspal Singh
Mega Patron
Mega Patron

‎11-06-2017 02:43 AM

Hi Jurgen,



Did you give script include "LDAPUtils" a look.


0 Helpfuls

Go to solution
jwerkmann
Tera Contributor
In response to Jaspal Singh

‎11-07-2017 06:11 AM

Hi Jaspal,



Thanks, yes for sure.


It doesn't help. And to be honest, I don't think it is a good practice to analyse the source code. I'm expecting a meaningful documentation



Regards


Jürgen


0 Helpfuls

Go to solution
Aditya Telideva
ServiceNow Employee
ServiceNow Employee

‎11-06-2017 03:38 AM

Hi Jurgen,



Here's how to pull only the group members for the starting OU of a Group import:



Example--
I have many groups (CNs) starting at:
OU=Workgroups,OU=ServiceNow,OU=Applications,DC=domain,DC=com



In the LDAP OU Definition,
1) Set the RDN to the starting point (like above--note that the "DC=domain,DC=com" is assumed). You may have to increase the Max length for the RDN field if you have a highly nested directory structure.
2) Set the Query field to "sAMAccountName" for Active Directory LDAP servers (if you don't set this properly, you won't get any results)
3) Set the Table field to "Group [sys_user_group]"
4) Set the Filter field to, at the very least, "(objectClass=group)"



After you set up the source and transform maps, save the transform map and create 2 scripts:
On the Transform map, you should at least map "sAMAccountName" and "source".



1) an "onStart" with the script of:



  1. gs.include("LDAPUtils");  
  2. var ldapUtils = new LDAPUtils();  
  3. ldapUtils.setLog(log);  

2) an "onAfter" script of:



  1. ldapUtils.addMembers(source, target);                                                                                                                                                                                                                              


Thanks,


Aditya Telidevara










Go to solution
jwerkmann
Tera Contributor
In response to Aditya Telideva

‎11-07-2017 06:14 AM

Hello Aditya,



Thank you for your feedback.


Unfortunately I still not know how ServiceNow matches users to groups. However, in my data seems to be some mismatch.



Regards


Jürgen


0 Helpfuls