LDAP integration to multiple domains

mb_uk
Giga Contributor

I've set up an LDAP integration to multiple Active Directory domains and am having issues with uniqueness. There is no way to ensure the sAMAccountName (e.g. jsmith) is unique across the source domains, so when the user import runs, many accounts are not created in the ServiceNow user table since the user_name attribute in ServiceNow needs to be unique. This causes issues with Orchestration workflows I am developing.

If I alter the transform map so the Active Directory attribute userPrincipalName (e.g. jsmith@mydomain.com) is mapped to the ServiceNow attribute user_name, all the users are imported, but the users are not added to the Active Directory groups they should be - ServiceNow is looking for the user_name to be the Active Directory sAMAccountName.

Does anyone have any advice on this? I've had a quick look and there doesn't seem to be an obvious way to manipulate the way the users are added to groups.

Thanks in advance!

Mark


mb_uk
Giga Contributor

The LDAP Group Import transform map has an OnAfter transform script that runs the following:

ldapUtils.addMembers(source, target);

Looking at the ldapUtils script include I see the following in the addMembers function:

addMembers : function(source, target) {
    // this.members is the name of the LDAP attribute that holds the group's member DNs
    var ge = source.getElement(this.members);
    var geString = null;
    if (ge && !ge.isNil()) {
        this._log(ge.toString());
        geString = ge.toString();
    }
    // Resolve the member DNs to user records and write the group membership
    var group = new GlideLDAPGroups(target, geString);
    group.setMembers();
},



I believe I need to change the way this works somehow. Could I change the target in some way?


mb_uk
Giga Contributor

OK, I think I've got it. I have added the Active Directory user account GUID (objectGUID) to the transform map (mapped to a new attribute on the ServiceNow user table) and used this field to coalesce the transform. Previously I was coalescing using the sAMAccountName, which seemed to be what's driving the user selection when adding users to a group.

I mapped userPrincipalName to user_name to make the ServiceNow user_name field unique and it seems to be working.

I hope this helps!
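The thread turns on which LDAP attribute is safe to use as the coalesce key and as user_name when several domains feed one user table. The script below is an added example, not code from the original thread or from ServiceNow: it audits a constructed set of LDAP rows (the attribute names are real AD attributes, the values and DNs are made up) and reports, for each candidate field, duplicate values and blank values. The sample deliberately includes a sAMAccountName collision across two domains and one account with no userPrincipalName, since that attribute is optional in AD, so a user_name mapped from it can come out empty; objectGUID is unique and immutable per object, which is why it works as the coalesce key in the reply above.

```javascript
// Constructed sample of LDAP user rows as two AD domains might return them.
// "jsmith" exists in both domains; svc_backup has no userPrincipalName set.
const SAMPLE_LDAP_ROWS = [
  { sAMAccountName: "jsmith", userPrincipalName: "jsmith@emea.example.com",
    objectGUID: "0a1b2c3d-0001-4000-8000-000000000001",
    dn: "CN=Jane Smith,OU=Users,DC=emea,DC=example,DC=com" },
  { sAMAccountName: "jsmith", userPrincipalName: "jsmith@apac.example.com",
    objectGUID: "0a1b2c3d-0002-4000-8000-000000000002",
    dn: "CN=John Smith,OU=Users,DC=apac,DC=example,DC=com" },
  { sAMAccountName: "alee", userPrincipalName: "alee@emea.example.com",
    objectGUID: "0a1b2c3d-0003-4000-8000-000000000003",
    dn: "CN=Alice Lee,OU=Users,DC=emea,DC=example,DC=com" },
  { sAMAccountName: "svc_backup", userPrincipalName: "",
    objectGUID: "0a1b2c3d-0004-4000-8000-000000000004",
    dn: "CN=svc_backup,OU=Service,DC=apac,DC=example,DC=com" },
];

// Returns { value: count } for every value of `field` seen more than once.
// Values are lower-cased because AD matches these attributes case-insensitively.
function findCollisions(rows, field) {
  const counts = new Map();
  for (const row of rows) {
    const v = (row[field] || "").toLowerCase();
    counts.set(v, (counts.get(v) || 0) + 1);
  }
  const collisions = {};
  for (const [v, n] of counts) {
    if (n > 1) collisions[v] = n;
  }
  return collisions;
}

// Returns the DNs of rows where `field` is blank. A blank coalesce value can
// never match an existing record, and a blank user_name fails the import.
function findBlank(rows, field) {
  return rows.filter(r => !(r[field] || "").trim()).map(r => r.dn);
}

// Audits each candidate attribute: usable only if it has no duplicates and no blanks.
function auditKeys(rows, candidates) {
  const report = {};
  for (const field of candidates) {
    const collisions = findCollisions(rows, field);
    const blank = findBlank(rows, field);
    report[field] = {
      collisions,
      blank,
      usable: Object.keys(collisions).length === 0 && blank.length === 0,
    };
  }
  return report;
}

function main() {
  const candidates = ["sAMAccountName", "userPrincipalName", "objectGUID"];
  const report = auditKeys(SAMPLE_LDAP_ROWS, candidates);
  for (const [field, r] of Object.entries(report)) {
    console.log(`${field}: usable=${r.usable} collisions=${JSON.stringify(r.collisions)} blank=${r.blank.length}`);
  }
}

main();
```

Run it against an export of the real source domains before changing the transform map: a field that reports any collision will drop rows on insert, and a field that reports blanks will leave records that the group import cannot link back to a user.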