LDAP User sync issues

vartikagarg
Kilo Contributor

We have LDAP Integration for Users where we have put the coalesce on objectGUID as that's the only unique field.

So when any Employee leaves the organization, his AD account is deleted and in SN the user account is inactivated.

But if the User is now rehired (a new account is created for the user in AD), SN creates a separate record, and when the rehired User is added to any group, sometimes the Inactive User record gets added to the Group instead of the active one because both records have the same source.

If we update the coalesce on UserID (samaccountname), then what if another user joins the organization and we give them the userid which earlier belonged to the User who left the company?

I am expecting we are not the first company to face such scenarios, so I wanted to know the best practice to make sure this LDAP sync works.


henry_cheng
ServiceNow Employee

Hi vartika,

How did you add the user into any group?

If this is done in a transform script then you need to check the active field to stop inactive users from being added to the group.

If you update the coalesce on the UserID field then you need to delete the user who left the company on your instance.

Then next time when the LDAP sync takes place it will create a new user based on the same UserID in the sys_user table.

If you want to discuss in more detail you can always raise a HI ticket to the ServiceNow support team.

Cheers

Henry


Jaspal Singh
Mega Patron

Hi Vartika,

Ideally, all Users would have a unique User ID. If there is a business requirement that may demand the same or reused User IDs then you can use Email as a distinguishing factor along with User ID & objectGUID.

Hi Jaspal,

We have encountered a similar issue. There is a user in AD whose account was deleted and so the same got inactivated in SNOW.

The same user is hired again. The account in AD is created with the same details as it was created earlier. We have used samaccountname as the unique identity of the users.

The data that is getting synced with AD is the deleted one, not the new one. Any idea how we can fetch the new data instead of the old one?

Regards,

Shoheb Shaikh

Hi Shoheb,

You can try coalescing on the Active field along with the samaccountname field in the Transform map that exists for the User table & LDAP. I think that would solve the issue.

Thanks,

Jaspal Singh

Hit Helpful or Correct on the impact of response.
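The coalesce rules discussed in this thread (objectGUID first, then samaccountname restricted to active records, and the reused-User-ID case from the question), modelled as plain JavaScript over constructed sample records. This is an added example, not a ServiceNow transform script or GlideRecord API; the sys_user rows and the LDAP rows are assumed sample data.

```javascript
// Added example: models the target-record decision an LDAP -> sys_user import
// has to make. Not ServiceNow code; data below is constructed for illustration.

// Constructed sys_user rows: u1 is the leaver (inactive), u2 is the rehired
// person with a new AD objectGUID, u3 is an unrelated active user.
const SYS_USER = [
  { sys_id: 'u1', user_name: 'jdoe',   source: 'GUID-OLD', active: false },
  { sys_id: 'u2', user_name: 'jdoe',   source: 'GUID-NEW', active: true  },
  { sys_id: 'u3', user_name: 'asmith', source: 'GUID-AS',  active: true  },
];

// Decide what to do with one LDAP row:
//  1. objectGUID is authoritative: an exact match on `source` is updated.
//  2. Otherwise coalesce on samaccountname but only among active records, so a
//     lingering inactive record is never chosen over a live one (the thread's fix).
//  3. If the only active match is already tied to a different objectGUID, a reused
//     User ID would merge two identities into one account; hold it for review.
//  4. No active match: insert a new record.
function resolveTarget(ldapRow, users) {
  const byGuid = users.find(u => u.source === ldapRow.objectGUID);
  if (byGuid) return { action: 'update', sys_id: byGuid.sys_id };

  const live = users.filter(u => u.active && u.user_name === ldapRow.sAMAccountName);
  if (live.length === 0) return { action: 'insert', sys_id: null };

  const guidMismatch = live[0].source && live[0].source !== ldapRow.objectGUID;
  if (live.length > 1 || guidMismatch) return { action: 'review', sys_id: null };

  return { action: 'update', sys_id: live[0].sys_id }; // legacy record with no GUID yet
}

// Constructed LDAP rows covering the cases raised in the thread.
const REHIRE_ALREADY_LINKED = { objectGUID: 'GUID-NEW',  sAMAccountName: 'jdoe' };
const REHIRE_FIRST_SYNC     = { objectGUID: 'GUID-NEW',  sAMAccountName: 'jdoe' }; // run against [u1] only
const REUSED_USER_ID        = { objectGUID: 'GUID-NEW2', sAMAccountName: 'jdoe' };
const BRAND_NEW_JOINER      = { objectGUID: 'GUID-BN',   sAMAccountName: 'bnew' };
```

Running `resolveTarget(REHIRE_FIRST_SYNC, [SYS_USER[0]])` returns `insert`, which is the behaviour the inactive-record coalesce on samaccountname alone would get wrong.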