LDAP Nested Groups
‎09-08-2010 08:42 AM
I am currently working on an integration with Active Directory. Within AD, we are using groups to designate the Assignment Groups within Service-now. This is working just fine as long as, in AD, the members of the groups are individual users. If another AD group is added as a member of this group, we are not able to see the individual user accounts within the nested group.
Does anyone know of a way to have Service-now traverse the nested group members?
Also, there are multiple levels within the nested groups (e.g. groups within groups within groups, etc.).
Any help or suggestions would be greatly appreciated.
Thanks
‎02-04-2019 06:49 AM
Hi Luis,
Yes, we have this running in the onAfter script for the parent group. We have an OU for our ServiceNow groups. This OU contains groups for fulfillers, and members of these groups are either directly added or contained in a nested group. So the onAfter takes the nested group name and uses it to parse the membership field on the user table to see who is a member of that nested group. If a match is found, that user is then added to that parent group in ServiceNow directly.
‎02-19-2018 02:40 PM
Five years and one company later, I still think this would be a powerful feature.
I [re-]submitted the question as a HI ticket today, and the up-to-date answer is that this functionality is still not supported. If enough customers asked, we could probably get an enhancement prioritized, but my plan is to continue working around the limitation, and I assume others are just doing the same.
With SailPoint coming into my company's environment in the near future, I'll be interested to see if that tool (or others like it) can do the "flattening" within AD. For example, could a tool like SailPoint turn the concept of groups "nested" within groups into a single-but-dynamic list of members (one that ServiceNow could then consume like normal)?
I'm imagining some setup where you don't technically create an AD group with other AD groups nested within it; you somehow tell a separate tool that you'd like an AD group "made up of" multiple other AD groups...and the tool takes it from there.
‎02-07-2019 08:51 PM
You can use this in your onAfter script in your Group Transform map.
It uses the LDAP_MATCHING_RULE_IN_CHAIN LDAP filter described above to retrieve all the Users of the group.
See: https://docs.microsoft.com/en-us/windows/desktop/adsi/search-filter-syntax
var memberString = '';
try {
    var groupMembers = [];
    // Get the LDAP Server from 'source'
    var ldapServerID = source.sys_import_set.data_source.ldap_target.server.sys_id.toString();
    // Initialise the ldapConfig object with the LDAP Server to be used to retrieve the Group Membership
    var ldapConfig = new GlideLDAPConfig.get(ldapServerID);
    var ldap = ldapConfig.getLDAP();
    var query = '';
    // Ensure this record has a dn to retrieve data against
    if (!JSUtil.nil(source.u_dn)) {
        // Query for Person records that are (transitively) members of the Group's dn
        query = '(&(objectCategory=Person)(memberOf:1.2.840.113556.1.4.1941:=' + source.u_dn + '))';
    }
    // Only search when a filter was built; an empty filter is not a membership query
    if (query != '') {
        // result is an Object (of some sort) of AD records
        var result = ldap.getMatching('', query, true, 1000);
        // If there are members found
        if (!JSUtil.nil(result)) {
            var record;
            // the 'record' needs to be set this way to be able to retrieve data, other methods did not work
            while (record = result.next()) {
                // Add Person dn to the Array
                groupMembers.push(record.get('dn'));
            }
        }
    }
    // Create caret delimited string of dn's
    memberString = groupMembers.join('^');
    // Use same methodology of adding users to groups as OOB Script
    var group = new GlideLDAPGroups(target, memberString);
    group.setMembers();
} catch (e) {
    gs.log("LDAPUtilCC: " + e);
}
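Two points a practitioner will want to check before running the script above. First, the `1.2.840.113556.1.4.1941` matching rule (LDAP_MATCHING_RULE_IN_CHAIN) is Active Directory specific; against a directory that does not implement it the filter simply matches nothing, so the recursion then has to be done client-side. Second, the group DN is concatenated straight into the filter string; a DN containing `(`, `)`, `*` or `\` (for example a group called "Ops (EMEA)") will unbalance or alter the filter unless it is escaped per RFC 4515. The block below is an added example, not code from the thread, from Davin's script or from ServiceNow: it builds the same filter with the DN escaped, and shows the client-side equivalent of the matching rule (an iterative walk over `member` attributes with a visited set, so cyclic nesting terminates) against a constructed in-memory directory with hypothetical DNs.

```javascript
// Added example (not from the thread or from ServiceNow): flatten nested
// group membership offline and build the AD transitive-membership filter.
'use strict';

// OID of Active Directory's LDAP_MATCHING_RULE_IN_CHAIN, which makes the
// server walk memberOf links transitively at any nesting depth. AD-specific.
const MATCHING_RULE_IN_CHAIN = '1.2.840.113556.1.4.1941';

// RFC 4515 escaping for a value embedded in a search filter:
// '\' -> \5c, '*' -> \2a, '(' -> \28, ')' -> \29, NUL -> \00.
function escapeFilterValue(value) {
  return String(value).replace(/[\\*()\u0000]/g, function (ch) {
    return '\\' + ch.charCodeAt(0).toString(16).padStart(2, '0');
  });
}

// The filter Davin's script sends, with the group DN escaped.
function nestedMembersFilter(groupDn) {
  return '(&(objectCategory=Person)(memberOf:' + MATCHING_RULE_IN_CHAIN +
    ':=' + escapeFilterValue(groupDn) + '))';
}

// Constructed sample directory (hypothetical DNs): dn -> entry. Tier3 nests
// ServiceDesk again (a cycle), and Tier2 lists a DN that is not in the
// directory (e.g. a foreign-domain member); a naive recursion mishandles both.
const SAMPLE_DIRECTORY = {
  'CN=ServiceDesk,OU=SN Groups,DC=example,DC=com': {
    objectCategory: 'Group',
    member: ['CN=Alice,OU=Users,DC=example,DC=com',
             'CN=Tier2,OU=SN Groups,DC=example,DC=com'],
  },
  'CN=Tier2,OU=SN Groups,DC=example,DC=com': {
    objectCategory: 'Group',
    member: ['CN=Bob,OU=Users,DC=example,DC=com',
             'CN=Tier3,OU=SN Groups,DC=example,DC=com',
             'CN=Dave,OU=Users,DC=other,DC=com'],
  },
  'CN=Tier3,OU=SN Groups,DC=example,DC=com': {
    objectCategory: 'Group',
    member: ['CN=Carol,OU=Users,DC=example,DC=com',
             'CN=ServiceDesk,OU=SN Groups,DC=example,DC=com'],
  },
  'CN=Alice,OU=Users,DC=example,DC=com': { objectCategory: 'Person', member: [] },
  'CN=Bob,OU=Users,DC=example,DC=com': { objectCategory: 'Person', member: [] },
  'CN=Carol,OU=Users,DC=example,DC=com': { objectCategory: 'Person', member: [] },
};

// Client-side equivalent of the matching rule for directories that lack it:
// iterative depth-first walk over member attributes with a visited set so
// that cyclic nesting terminates. Returns sorted, de-duplicated Person DNs.
function flattenMembers(directory, groupDn) {
  const users = new Set();
  const visited = new Set();
  const stack = [groupDn];
  while (stack.length > 0) {
    const dn = stack.pop();
    if (visited.has(dn)) continue;
    visited.add(dn);
    const entry = directory[dn];
    if (!entry) continue; // dangling reference: cannot be resolved here
    for (const memberDn of entry.member || []) {
      const child = directory[memberDn];
      if (child && child.objectCategory === 'Person') {
        users.add(memberDn);
      } else {
        stack.push(memberDn); // group or unknown: resolved (or dropped) on visit
      }
    }
  }
  return Array.from(users).sort();
}

// Same caret-delimited form that Davin's script hands to GlideLDAPGroups.
function toMemberString(userDns) {
  return userDns.join('^');
}

console.log(nestedMembersFilter('CN=Ops (EMEA),OU=SN Groups,DC=example,DC=com'));
console.log(toMemberString(
  flattenMembers(SAMPLE_DIRECTORY, 'CN=ServiceDesk,OU=SN Groups,DC=example,DC=com')));
```

Run with `node` to see the escaped filter and the flattened member string. On AD the server-side rule and the client-side walk should agree for users in the same forest; members whose DN cannot be resolved (the `DC=other` entry above) are silently dropped by the walk, which is the same outcome the `objectCategory=Person` filter gives for objects the bind account cannot read.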
‎02-08-2019 05:45 AM
Thanks a lot Davin,
I will test this out today. By the way, will this remove members if the member no longer belongs to the child group?
Again thanks and will provide update today.
Regards,
Luis

‎01-10-2022 11:59 AM
Hi Davin,
Your script is very helpful, and I think this is what we need on our end. In testing this out, I have added log statements along the way to see where the script is failing for us. Here is what I have added so far:
var memberString = '';
try {
    var groupMembers = [];
    // Get the LDAP Server from 'source'
    var ldapServerID = source.sys_import_set.data_source.ldap_target.server.sys_id.toString();
    gs.info("Mike1: " + ldapServerID);
    // Initialise the ldapConfig object with the LDAP Server to be used to retrieve the Group Membership
    var ldapConfig = new GlideLDAPConfig.get(ldapServerID);
    var ldap = ldapConfig.getLDAP();
    gs.info("Mike2: " + ldapConfig);
    gs.info("Mike3: " + ldap);
    var query = '';
    // Ensure this record has a dn to retrieve data against
    if (!JSUtil.nil(source.u_dn)) {
        // Query for Person records that are (transitively) members of the Group's dn
        query = '(&(objectCategory=Person)(memberOf:1.2.840.113556.1.4.1941:=' + source.u_dn + '))';
    }
    gs.info("Mike4: " + query);
    // result is an Object (of some sort) of AD records
    var result = ldap.getMatching('', query, true, 1000);
    gs.info("Mike5: " + result);
} catch (e) {
    // Surface any exception from the LDAP calls in the same log
    gs.info("MikeErr: " + e);
}
The log entries for Mike5: always return NULL, and I cannot figure out why.
Any thoughts?
Thank you!
Mike