
LDAP Group Sync Leaving Member in Empty Groups

normanks
Kilo Contributor

I have a pretty standard group sync with LDAP set up using the ldapUtils.addMembers(source, target); line to handle membership syncing in the onAfter section of our data pull, but I am having issues with empty groups. Whenever a group becomes empty in Active Directory, it leaves whoever the last member was in the group rather than making it empty in ServiceNow also. I've made up a fix for it by adding some script to the onAfter event that looks for where source.u_member.toString() is empty and removes all group assignments, but this seems a little backwards and it also seems odd that I haven't been able to find another thread yet discussing this issue.

So I guess I mostly just want a sanity check before I roll this fix into production. Is the ldapUtils.addMembers function supposed to be leaving the last member in a group? Am I missing a standard config setting that would properly empty the group? I could only find one discussion from 2013 about it that never really got answered very well.
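The reconciliation the question describes, as an added example that is not code from the original post or from ServiceNow. It models in plain JavaScript why an add-only step such as ldapUtils.addMembers(source, target) can leave a stale member behind when the Active Directory group becomes empty, and what a full add/remove diff does instead. All data is constructed; the in-memory membership table stands in for sys_user_grmember records, the `allowEmptyGroup` flag stands in for the glide.ldap.allow_empty_group property discussed in the accepted answer, and the `|` separator for u_member is an assumption of this example only.

```javascript
// Added example (not the original poster's script). Models LDAP group
// membership reconciliation with constructed data; no Glide API is used.

// Turn the imported member string into a list of user ids. An empty string
// means the AD group now has no members. The '|' separator is assumed.
function parseMembers(memberField, separator = '|') {
  const raw = (memberField == null ? '' : String(memberField)).trim();
  if (raw === '') return [];
  return raw.split(separator).map(m => m.trim()).filter(m => m !== '');
}

// Compare desired (AD) membership with actual (ServiceNow) membership and
// return both directions of the diff. An add-only sync never computes `remove`,
// which is how stale access survives.
function reconcileMembership(desired, actual) {
  const want = new Set(desired);
  const have = new Set(actual);
  return {
    add: [...want].filter(u => !have.has(u)).sort(),
    remove: [...have].filter(u => !want.has(u)).sort(),
  };
}

// Apply one import row to the membership table. `allowEmptyGroup` plays the
// role of the glide.ldap.allow_empty_group property: when false, a row with no
// members is skipped and the existing membership is kept, which reproduces the
// "last member stays" symptom described in the question.
function syncGroup(table, groupName, memberField, allowEmptyGroup) {
  const desired = parseMembers(memberField);
  const actual = table[groupName] ? table[groupName].slice() : [];
  const diff = reconcileMembership(desired, actual);

  if (desired.length === 0 && !allowEmptyGroup) {
    return { table, diff: { add: [], remove: [] }, skipped: true };
  }

  const next = Object.assign({}, table, { [groupName]: desired.slice().sort() });
  return { table: next, diff, skipped: false };
}

// Constructed walk-through: a group that shrinks to one member and then to none.
function demo(allowEmptyGroup) {
  let table = { 'AD-Admins': ['alice', 'bob'] };
  const rows = ['alice|bob', 'alice', ''];
  const log = [];
  for (const row of rows) {
    const r = syncGroup(table, 'AD-Admins', row, allowEmptyGroup);
    table = r.table;
    log.push({ row, members: table['AD-Admins'], removed: r.diff.remove, skipped: r.skipped });
  }
  return log;
}

// With the flag off, alice keeps admin membership after AD emptied the group;
// with it on, the group is reconciled down to zero members.
console.log(JSON.stringify(demo(false), null, 1));
console.log(JSON.stringify(demo(true), null, 1));
```

The point to check in an instance is the `remove` side of the diff: a user who is no longer in the AD group but still appears in sys_user_grmember still holds whatever roles that group grants, so an audit query for members of a group whose source row is empty is a useful control alongside the property.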

1 ACCEPTED SOLUTION

Hi John

There is a System Property to allow 0 members in groups!

Instructions I got from ServiceNow support:

[-] Go to the sys_properties table
[-] Click New.
[-] Complete the form as follows:
[-][-] Name: glide.ldap.allow_empty_group
[-][-] Description: Allow empty group
[-][-] Leave Choice field blank
[-][-] Type: true|false
[-][-] Value: true
[-][-] Click Submit.

This is documented in this KB article: KB0533747
-- https://hi.service-now.com/kb_view.do?sysparm_article=KB0533747

regards
Marc



6 REPLIES

davidfield
Kilo Contributor

Just to add, the KB article is not available, but this was the content:

The content of the KB is set to internal only; however, it is shown that it has been fixed in Eureka.

Below I have listed the content of the KB:

------------------------------------------------------------------------------------------------------------------------

When emptying a security group in AD - SN does not reflect and remove members until the next update to AD [Groups must have at least one member]

Description

When removing all members of a group in AD, the same group in SN is not updated as being empty.

It is only updated when a change to the group in AD is made--for example, adding a member to the group again.

Steps to Reproduce [NONE]

Workaround

There is no workaround for this Known Error at this time.