Jaspal Singh
Mega Patron

Came across a question in the community where LDAP user and group sync with ServiceNow was established and working well for creates, updates and other operations, but there were two scenarios where it did not behave as desired.

1. When the Manager value in AD was changed to empty/blank

2. When all members of a group were removed in AD

These changes took effect in AD (as they should, since AD is the source), but they were not reflected in ServiceNow.

On digging deeper into the issue, I found that the LDAPUtils script include had to be modified to make scenario 1 work.

The setManager function of the LDAPUtils script include was modified as follows.

From:

setManager: function(source, target) {
    var ge = source.getElement(this.manager);
    // An empty (or missing) Manager value returns before target.manager is touched
    if (!ge || ge.isNil())
        return;

Here, the variable ge holds the Manager value that came in from AD and is stored in the import set table. If it is blank/empty, the function returns immediately, so the Manager field on the user record stays as it was.

To:

setManager: function(source, target) {
    var ge = source.getElement(this.manager);
    //if (!ge || ge.isNil())
    //return;
    // A blank Manager from AD now clears the field instead of being skipped.
    // The !ge check is kept so a missing element does not throw on isNil(),
    // and the return stops the lookup below from running with no value.
    if (!ge || ge.isNil()) {
        target.manager = '';
        return;
    }

So, to update the Manager field with the (empty) value received from AD and stored in the import set table, the function was changed as above: it sets the Manager field to blank when ge holds a blank Manager value.

A change of Manager at the AD end still works as before, because the remainder of the function below stays as is:

    this._getLdapUserUpdate();
    var ldap = new GlideLDAPUserUpdate();
    // Resolve the manager DN received from AD to a sys_user record;
    // leave the field alone if no matching user is found
    var mid = this.ldapUserUpdate.getManagerValue(target, ge.toString());
    if (mid == null)
        return;

    target.manager = mid;
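As an added example (not code from this post or from ServiceNow's LDAPUtils), the two variants of setManager run side by side against a constructed in-memory stand-in for the import set row, the two GlideElement calls the function uses (isNil and toString) and the manager lookup. The names makeElement, makeSource, getManagerValue, runImport, the DN and the sys_id values are all constructed for the demonstration. It shows the stale Manager value the early return leaves behind, the cleared value after the change, and the missing-element case the kept !ge guard handles.

```javascript
// Constructed stand-in for a GlideElement on the import set row: it implements
// only the two calls setManager uses, isNil() and toString().
function makeElement(value) {
  return {
    isNil: function () { return value === null || value === ''; },
    toString: function () { return value === null ? '' : String(value); }
  };
}

// Constructed stand-in for the import set row (source): getElement() returns
// null when the column does not exist at all, as a real GlideRecord would.
function makeSource(row) {
  return {
    getElement: function (name) {
      return Object.prototype.hasOwnProperty.call(row, name) ? makeElement(row[name]) : null;
    }
  };
}

// Constructed stand-in for GlideLDAPUserUpdate.getManagerValue(): resolves the
// manager DN sent by AD to a sys_user sys_id, or null when it is unknown.
var MANAGER_LOOKUP = { 'CN=Alice,OU=Users,DC=example,DC=com': 'sys_id_alice' };
function getManagerValue(target, dn) {
  return MANAGER_LOOKUP[dn] || null;
}

// Out-of-box shape of setManager as quoted in the post: an empty element
// returns before target.manager is touched, so the old value survives.
function setManagerOriginal(source, target) {
  var ge = source.getElement('manager');
  if (!ge || ge.isNil())
    return;
  var mid = getManagerValue(target, ge.toString());
  if (mid == null)
    return;
  target.manager = mid;
}

// Modified shape: an empty element clears the field. The !ge guard is kept so
// a missing column is treated as "no manager" instead of throwing.
function setManagerModified(source, target) {
  var ge = source.getElement('manager');
  if (!ge || ge.isNil()) {
    target.manager = '';
    return;
  }
  var mid = getManagerValue(target, ge.toString());
  if (mid == null)
    return;
  target.manager = mid;
}

// Runs one import row through a setManager variant against a target user that
// currently has a manager, and returns the Manager value left on the record.
function runImport(variant, importRow) {
  var target = { manager: 'sys_id_old_boss' };
  variant(makeSource(importRow), target);
  return target.manager;
}

// Scenario 1 from the post: AD now sends an empty Manager value.
console.log(runImport(setManagerOriginal, { manager: '' }));  // stale: sys_id_old_boss
console.log(runImport(setManagerModified, { manager: '' }));  // cleared: ''
// A real change of manager resolves through the lookup in both variants.
console.log(runImport(setManagerModified, { manager: 'CN=Alice,OU=Users,DC=example,DC=com' })); // sys_id_alice
// Column missing from the row: the kept guard clears rather than throws.
console.log(runImport(setManagerModified, {})); // ''
```

The stand-ins exist only so the two variants can be run outside an instance; on a real instance the same contrast is visible by importing a user row with an empty manager attribute and checking the sys_user record afterwards.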


For scenario 2 (the group/user part), all that is required is to check for the system property glide.ldap.allow_empty_group, of type True/False, with its value set to True. If the property does not exist, it needs to be created as below.

[Screenshot: the glide.ldap.allow_empty_group system property, type True/False, value True]

This property controls whether a group coming in from AD with no user members is processed. Setting it to True means that when all members are removed from a group in AD, they are removed from that group in ServiceNow as well.

If the value is set to False, or the property does not exist, removing all members from a group in AD is not reflected in ServiceNow.

Note: This property only affects groups that have no user members left. If a group has 10 members and 9 of them are removed from AD, those 9 are removed from ServiceNow as well. The problem arises only when the last remaining member of that group is removed from AD: that user is not removed from the group in ServiceNow. Configuring the property above resolves this.
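As an added example (not ServiceNow's group-sync code), the property's effect as described above and in the note, modelled in plain JavaScript so the 10 to 1 to 0 member sequence can be traced. The names syncGroupMembers, getProperty and remainingAfterEmptyUpdate, the props object standing in for sys_properties and the user names are constructed for the demonstration, and the model implements the semantics the post describes for glide.ldap.allow_empty_group rather than the platform's actual implementation.

```javascript
// Constructed stand-in for gs.getProperty(): reads from a plain object the way
// an instance reads sys_properties, and returns the fallback when the property
// does not exist (the "no property at all" case from the post).
function getProperty(props, name, fallback) {
  return Object.prototype.hasOwnProperty.call(props, name) ? props[name] : fallback;
}

// Reconciles one group's current ServiceNow members against the member list
// received from AD. Returns the members left after the sync plus what was
// added and removed, so the effect of the property is visible.
function syncGroupMembers(props, currentMembers, adMembers) {
  var allowEmpty = getProperty(props, 'glide.ldap.allow_empty_group', 'false') === 'true';

  // The behaviour the post describes: an empty member list from AD is not
  // applied unless the property permits it, so the last member is never removed.
  if (adMembers.length === 0 && !allowEmpty) {
    return { members: currentMembers.slice(), added: [], removed: [], skipped: true };
  }

  var adSet = {};
  adMembers.forEach(function (m) { adSet[m] = true; });
  var curSet = {};
  currentMembers.forEach(function (m) { curSet[m] = true; });

  var removed = currentMembers.filter(function (m) { return !adSet[m]; });
  var added = adMembers.filter(function (m) { return !curSet[m]; });
  var members = currentMembers.filter(function (m) { return adSet[m]; }).concat(added);

  return { members: members, added: added, removed: removed, skipped: false };
}

// Walks the sequence from the note: a group of 10, nine removed at AD, then
// the last one removed. Reports how many members remain in ServiceNow after
// each step and whether the final, empty update was skipped.
function remainingAfterEmptyUpdate(props) {
  var members = [];
  for (var i = 1; i <= 10; i++) members.push('user' + i);
  // Nine removed at AD: reconciled normally whatever the property says.
  var afterNine = syncGroupMembers(props, members, ['user10']);
  // Last member removed at AD: applied only when the property is true.
  var afterAll = syncGroupMembers(props, afterNine.members, []);
  return { afterNine: afterNine.members.length, afterAll: afterAll.members.length, skipped: afterAll.skipped };
}

console.log(remainingAfterEmptyUpdate({}));                                          // afterAll 1, skipped
console.log(remainingAfterEmptyUpdate({ 'glide.ldap.allow_empty_group': 'false' })); // afterAll 1, skipped
console.log(remainingAfterEmptyUpdate({ 'glide.ldap.allow_empty_group': 'true' }));  // afterAll 0
```

The first two calls reproduce the problem from the note (the last member stays in ServiceNow), and the third shows the outcome once the property exists with value true.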


Hopefully the information in this blog helps you understand the LDAP to ServiceNow sync a step further.

Thanks,

Jaspal Singh