Query AD LDAP by ObjectSid, not SamAccountName
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
07-16-2019 03:09 PM
Understanding that ServiceNow documentation indicates LDAP query fields are limited but has anyone developed an alternative to samaccountname? (Excluding source, cn, dn)
We import the AD LDAP "name" field as our group name and sometimes it doesn't match the "samaccountname" field in AD. We want to query against the objectSid field. Scheduled imports work fine but the ldaputils.refreshgroups function when called by the "Refresh from LDAP" UI Action will only load AD records if the samaccountname matches.
We have alternate LDAP OU and data sources for querying against name, samaccountname, & objectsid. How do I get a function similar to ldaputils.refreshgroups to use the different objectsid field?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
07-16-2019 11:05 PM
Hi,
So you don't need to use samaccountname in your ldap ou definition query but use another attribute.
Is that attribute unique? because samaccountname will always be unique in AD
Can you explain in detail your requirement?
Regards
Ankur
Ankur
✨ Certified Technical Architect || ✨ 9x ServiceNow MVP || ✨ ServiceNow Community Leader
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
07-17-2019 09:02 AM
Assuming that there are 2 ways to populate import tables from an AD/LDAP source, both use the same LDAP OU definitions and data sources. Those 2 methods are:
- Load data from the data source through a scheduled job or clicking the "Load All Records" link
- Navigate to a group (or user) and click the "Refresh from LDAP" UI Action link.
The (group) "Refresh from LDAP" UI action passes the group name to the LDAPUtils.refreshGroup Script Includes, which calls GlideLDAPConfigurations. This function calls the appropriate data source(s) and LDAP OU records to query the AD LDAP source and populate then process an import set. This process only populates the import set if the group name matches the samaccountname in AD/LDAP.
The transform maps will coalesce on any field necessary. My issue is that the "Refresh from LDAP" UI actions won't populated an import set unless it can match the group or user name with an AD/LDAP samaccountname. (Again, the queries work and will populated import sets, except when called by the "Refresh from LDAP" UI action and the group name does not match with AD/LDAP samaccountname.
The https://docs.servicenow.com/bundle/madrid-platform-administration/page/integrate/ldap/concept/c_LDAPTransformMaps.html document indicates that a transform map must meet the following mapping requirements, including to select u_samaccountname as the source field.
Has anyone successfully populated import sets through the "Refresh from LDAP" UI action using a field other than samaccountname?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
07-02-2021 06:37 AM
Thank you for marking my response as helpful.
Would you mind marking the best matching answer as correct and helpful, to close this thread?
Regards
Ankur
Ankur
✨ Certified Technical Architect || ✨ 9x ServiceNow MVP || ✨ ServiceNow Community Leader
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
10-10-2019 05:03 PM
"If LDAP integrates to Active Directory, select u_samaccountname as the source field. If other LDAP directories are used, select u_dn or u_cn as the source field."
This limitation appears to have yet been addressed as it still appears in the most recent documentation: https://docs.servicenow.com/bundle/newyork-platform-administration/page/integrate/ldap/concept/c_LDAPTransformMaps.html
