LDAP Nested Groups

mflora
Kilo Contributor

I am currently working on an integration with Active Directory. Within AD, we are using groups to designate the Assignment Groups within Service-now. This is working just fine as long as, in AD, the members of the groups are individual users. If another AD group is added as a member of this group, we are not able to see the individual user accounts within the nested group.

Does anyone know of a way to have Service-now traverse the nested group members?

Also, there are multiple levels within the nested groups (e.g. groups within groups within groups, etc.).

Any help or suggestions would be greatly appreciated.

Thanks


Mike McCall
Giga Guru

This is a pretty old post, but I'm running into exactly the same issue right now and would love to know if this is possible.


Kumar35
Tera Expert

I have this filter in my LDAP OU definition for 'Users' and I get all the users from all the groups/subgroups.

(&(objectCategory=person)(objectClass=user)(name=*))

I hope this works for you.


Thanks for the suggestion!

I've actually got all of the users I need in the system. My challenge is that we want to assign group membership by using sub-groups. Basically, if there's a "Network and Security" Active Directory group that has a corresponding assignment group in Service-Now, I want to be able to add myself to a nested "Network" group in AD and have that imply membership in the overall "Network and Security" assignment group in S-N.

If this is possible, I expect it will mean making some adjustments to my Groups OU Definition (or adding a new OU Definition altogether).


BHSCorp
Giga Contributor

In AD, although the console and browser make it look like Groups are nested, it is really just flat data.

Say you have:

Group A
Group B

So you have two fields that tell you this: "member" on the parent object, and "memberof" on the child object.

But basically, the search in ServiceNow isn't going to walk down the structure. Group B has to be within your search criteria (the OU definition for the import). Then, as long as you're bringing over the memberof field, adding a script to loop through the group's memberof field and adding them to the parent shouldn't be more than a GlideRecord query against the group table setting the Parent value.

Unfortunately this would not work with one Group being a part of multiple other Groups.

If you want to flatten it out, you could bring each of the Groups in flat, then query the memberof field for each group that comes in, and add the users in that group to the foreign group. Unfortunately, with that there isn't really a link between the two after you have done that.

Thanks,
Chris Nanda
Blue Horizon Systems
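The flattening approach described in the reply above (bring every group in flat, then walk the member/memberof data and add each nested group's users to the outer group), worked through as an added example. This is not code from the thread or from ServiceNow; it is plain JavaScript over a constructed, in-memory copy of what an import of the "member" attribute would bring across, so it runs offline. The group and user DNs, the function names, and the sample membership are all assumptions made for illustration. It handles the two cases raised in the thread: multiple levels of nesting, and one group being a member of several parents; it also guards against membership cycles, which AD permits.

```javascript
// Added example (not from the thread): flatten nested AD groups using only the
// flat "member" attribute each group record carries after an LDAP import.
// All DNs below are constructed sample data, not a real directory.

// Constructed sample: one record per AD group, with its direct members.
// "Network and Security" contains two groups and one user; "Network" in turn
// contains "Network Core"; bob is a direct member of two different groups.
const SAMPLE_GROUPS = [
  { dn: "CN=Network and Security,OU=Groups,DC=example,DC=com",
    member: ["CN=Network,OU=Groups,DC=example,DC=com",
             "CN=Security,OU=Groups,DC=example,DC=com",
             "CN=alice,OU=Users,DC=example,DC=com"] },
  { dn: "CN=Network,OU=Groups,DC=example,DC=com",
    member: ["CN=Network Core,OU=Groups,DC=example,DC=com",
             "CN=bob,OU=Users,DC=example,DC=com"] },
  { dn: "CN=Network Core,OU=Groups,DC=example,DC=com",
    member: ["CN=carol,OU=Users,DC=example,DC=com"] },
  { dn: "CN=Security,OU=Groups,DC=example,DC=com",
    member: ["CN=dave,OU=Users,DC=example,DC=com",
             "CN=bob,OU=Users,DC=example,DC=com"] },
];

// Index the flat records by DN so nested lookups are O(1).
function indexGroups(groups) {
  const byDn = new Map();
  for (const g of groups) byDn.set(g.dn, g.member.slice());
  return byDn;
}

// Transitive (flattened) set of user DNs for one group. Walks member -> member
// depth-first. `seen` stops infinite recursion on a cycle (A contains B, B
// contains A) and avoids re-expanding a group reachable by more than one path.
// Any member DN that is not itself an indexed group is treated as a user.
function flattenMembers(groupDn, byDn, seen = new Set()) {
  const users = new Set();
  if (seen.has(groupDn)) return users;
  seen.add(groupDn);
  for (const m of byDn.get(groupDn) || []) {
    if (byDn.has(m)) {
      for (const u of flattenMembers(m, byDn, seen)) users.add(u);
    } else {
      users.add(m);
    }
  }
  return users;
}

// Flatten every group: Map of group DN -> sorted array of transitive user DNs.
// This is the "foreign group" membership the reply describes adding to each
// outer group after the import.
function flattenAll(groups) {
  const byDn = indexGroups(groups);
  const out = new Map();
  for (const dn of byDn.keys()) {
    out.set(dn, [...flattenMembers(dn, byDn)].sort());
  }
  return out;
}

// Reverse view: every group a user belongs to, directly or through nesting.
// This answers the original question: adding yourself to the nested "Network"
// group implies membership in "Network and Security".
function groupsForUser(flat, userDn) {
  const groups = [];
  for (const [dn, users] of flat) {
    if (users.includes(userDn)) groups.push(dn);
  }
  return groups.sort();
}

// Stand-alone run over the constructed sample.
const FLAT = flattenAll(SAMPLE_GROUPS);
for (const [dn, users] of FLAT) {
  console.log(dn, "->", users.join(", "));
}
console.log("bob is in:", groupsForUser(FLAT, "CN=bob,OU=Users,DC=example,DC=com").join(" | "));
```

In a ServiceNow transform or business rule the same walk would replace the `SAMPLE_GROUPS` array with GlideRecord queries against the imported group records, which is the part the reply leaves to the reader. Note also that the thread does not mention it, but Active Directory can do this expansion server-side: an LDAP filter using the matching rule OID 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN), for example `(memberOf:1.2.840.113556.1.4.1941:=CN=Network and Security,OU=Groups,DC=example,DC=com)`, returns every user that is a transitive member of that group, at the cost of a heavier query on the domain controller.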