
LDAP Group Sync Leaving Member in Empty Groups

normanks
Kilo Contributor

I have a pretty standard group sync with LDAP set up using the ldapUtils.addMembers(source, target); line to handle membership syncing in the onAfter section of our data pull, but I am having issues with empty groups. Whenever a group becomes empty in Active Directory, it leaves whoever the last member was in the group rather than making it empty in ServiceNow also. I've made up a fix for it by adding some script to the onAfter event that looks for where source.u_member.toString() is empty and removes all group assignments, but this seems a little backwards and it also seems odd that I haven't been able to find another thread yet discussing this issue.

So I guess I mostly just want a sanity check before I roll this fix into production. Is the ldapUtils.addMembers function supposed to be leaving the last member in a group? Am I missing a standard config setting that would properly empty the group? I could only find one discussion from 2013 about it that never really got answered very well.

1 ACCEPTED SOLUTION

Hi John

There is a System Property to allow 0 members in groups!

Instructions I got from ServiceNow support:

- Go to the sys_properties table.
- Click New.
- Complete the form as follows:
  - Name: glide.ldap.allow_empty_group
  - Description: Allow empty group
  - Leave Choice field blank
  - Type: true|false
  - Value: true
  - Click Submit.

This is documented in this KB article: KB0533747
-- https://hi.service-now.com/kb_view.do?sysparm_article=KB0533747



regards


Marc
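
A reconciliation check for the symptom discussed in this thread, added here as an example and not code from the original posts or from ServiceNow: it compares staged LDAP group rows with a snapshot of current memberships and reports members the directory no longer lists, including the emptied-group case. The sample rows, group names, the `^` delimiter and the function names are constructed assumptions.

```javascript
// Constructed sample data: one row per group as an LDAP import might stage it.
// Assumption: the multi-valued member attribute arrives as one string of DNs
// joined by "^"; an emptied AD group arrives as "" or with no member value.
const ldapRows = [
  { group: "VPN-Admins", u_member: "CN=Ann Lee,OU=Staff,DC=example,DC=com^CN=Raj Patel,OU=Staff,DC=example,DC=com" },
  { group: "DB-Operators", u_member: "" }, // emptied in AD
  { group: "Help-Desk" },                  // member attribute absent
];

// Constructed snapshot of current ServiceNow memberships (group -> user DNs).
const snMembers = {
  "VPN-Admins": ["cn=ann lee,ou=staff,dc=example,dc=com", "CN=Old Admin,OU=Staff,DC=example,DC=com"],
  "DB-Operators": ["CN=Raj Patel,OU=Staff,DC=example,DC=com"],
  "Help-Desk": [],
};

// DNs compare case-insensitively; trim stray whitespace around each value.
const norm = (dn) => dn.trim().toLowerCase();

// Split the member attribute into normalized DNs; empty or missing means no members.
function parseMembers(value, delimiter = "^") {
  if (value === undefined || value === null) return [];
  return String(value).split(delimiter).map(norm).filter((dn) => dn !== "");
}

// Returns one finding per group that still holds members the directory no longer lists.
function findStaleMemberships(rows, current, delimiter = "^") {
  const findings = [];
  for (const row of rows) {
    const wanted = new Set(parseMembers(row.u_member, delimiter));
    const stale = (current[row.group] || []).filter((dn) => !wanted.has(norm(dn)));
    if (stale.length > 0) {
      findings.push({ group: row.group, emptyInLdap: wanted.size === 0, stale });
    }
  }
  return findings;
}

for (const f of findStaleMemberships(ldapRows, snMembers)) {
  const why = f.emptyInLdap ? "group is empty in LDAP" : "member removed in LDAP";
  console.log(`${f.group}: ${f.stale.length} stale (${why}) -> ${f.stale.join("; ")}`);
}
```

Findings with `emptyInLdap` set are the ones this thread is about: the directory lists nobody, yet access tied to the group is still held in ServiceNow.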



6 REPLIES

jhauptmann
Kilo Guru

Norman,



The issue is that the addMembers function won't run if there are no members in the group in ServiceNow so it always leaves 1 member.



John


Awesome. Thanks for sharing that, Marc.



John


normanks
Kilo Contributor

Awesome answer. Thank you so much for that.