LDAP has long been valued by administrators for the convenience of what it offers: authentication and data import. One configuration setting tunes the LDAP queries and improves import performance, so reviewing your LDAP settings is essential. Concentrate on the 'Attributes' field: by specifying which attributes to retrieve, you can improve your import time.
When you create a new LDAP server record, the 'Attributes' field is left empty. That is acceptable if your records carry a small number of LDAP attributes. However, the first LDAP data import calculates the attributes to import from all the attributes found on the first 20 records retrieved, and even after that the 'Attributes' field remains empty. The queries therefore retrieve ALL attributes of every matching record by default. Retrieving every attribute of every record slows down processing and drags out the import.
Setting the LDAP server 'Attributes' field means only the attributes listed there are retrieved.
To improve your LDAP import times you must do 3 things:
- Add the 'Attributes' field to the LDAP server form
- Create the LDAP server
- Validate the LDAP OU Definitions
Add the 'Attributes' field to the LDAP server form
To add the Attributes field to the form, log in as Admin, open the LDAP Server form, and go to 'Configure\Form Layout'.
- Select Attributes
- Click ">"
- Move to the position wanted
- Click Save
Then, in the slushbucket, make sure the Attributes field is selected and save.
Making the 'Attributes' field visible gives you the option of specifying the attributes on the LDAP Server form.
Create the LDAP server
Once the Attributes field is visible, you can add the LDAP server. Browse your LDAP directory and validate the starting search point for your LDAP queries.
Based on your initial review or the information provided by your LDAP administrator, you will need to set up the following:
- The Server Name
- The Server URL
- Starting search directory
The Server Name field is used for the LDAP server entries, as part of the names of the new user and group data imports and of the related LDAP monitor. Make it unique and recognisable.
In the Server URL field, the valid URLs of all servers appear separated by a space. Servers are first ordered by operational status, with servers that are Up listed first, then ordered by the Order value that you specify. The first server listed is the primary LDAP server. The others are redundant servers.
Finally, the Starting search directory contains the base DN for your LDAP queries. You can only specify one.
Once you have submitted the LDAP server, the ServiceNow record opens for editing. Set the LDAP attribute names to extract in the 'Attributes' field to minimize the size of the search results returned by the LDAP server, improving performance accordingly. Separate each attribute name with a comma, as in the screenshot provided.
Here is a list of common Active Directory attributes:
cn, department, description, distinguishedName, dn, employeeid, givenname, l, managedBy, manager, member, memberOf, mobile, o, postalCode, samaccountname, sn, source, street, streetAddress, telephoneNumber, title, uid, userAccountControl, userPrincipalName, uSNChanged, uSNCreated, sAMAccountName, sAMAccountType
Make sure to add only the attributes you actually require; you can find them by browsing your LDAP directory or by asking your LDAP administrator. Also validate the user and group transform maps against the attributes you list, since every field a map uses must be retrieved. Note that the transform scripts can also reference some of these attributes.
Here is how it looks on the actual form:
Note the attributes are comma separated.
Validate the LDAP OU Definitions
The next step is to validate the LDAP OU Definitions. When the LDAP server is created, the Users and Groups LDAP OU Definitions are created with it. Validate that each filter contains the relevant LDAP attribute filters. The groups and users selected by the LDAP OU Definitions determine who can authenticate and which records the imports receive.
If you feel confident in your LDAP OU Definition filters, you can alter them here. If, like me, you prefer to test them first (instead of changing the LDAP OU Definition filter directly), use the 'Browse' feature: enter the new filter there, click Filter after every change, check that you receive the results you want, then come back with the tuned and tested filter. The 'Browse' link is just below the LDAP OU Definition table.
With the LDAP Browse feature, you can set the filter, then click 'Filter' to validate that it retrieves the information required.
Then copy the browse filter value and use it on the LDAP OU Definitions later.
Here is an example with 'Users' LDAP OU Definition:
Similarly, you can validate the 'Group' LDAP OU Definition.
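As an added example (not code from this post or from ServiceNow), here is a small Python model of what the 'Attributes' field and the OU Definition filter change about a search: the two AD-style entries, search() and payload_chars() are constructed toy code, and the filter matcher handles only ANDed equality terms with '*' wildcards.

```python
import fnmatch
import re

# Constructed sample entries shaped like AD objects (not real data).
DIRECTORY = {
    "CN=Jane Doe,OU=Users,DC=example,DC=com": {
        "objectClass": "user", "cn": "Jane Doe", "sAMAccountName": "jdoe",
        "givenName": "Jane", "sn": "Doe", "userPrincipalName": "jdoe@example.com",
        "memberOf": "CN=Sales,OU=Groups,DC=example,DC=com", "uSNChanged": "90210",
        "thumbnailPhoto": "<large binary blob>", "lastLogon": "133514000000000000",
    },
    "CN=Sales,OU=Groups,DC=example,DC=com": {
        "objectClass": "group", "cn": "Sales", "sAMAccountName": "Sales",
        "member": "CN=Jane Doe,OU=Users,DC=example,DC=com", "uSNChanged": "90300",
    },
}

def parse_attributes(field):
    """Split the form's comma-separated 'Attributes' value into a clean list.
    LDAP attribute names are case-insensitive, so the first spelling seen wins."""
    seen, names = set(), []
    for name in (n.strip() for n in field.split(",")):
        if name and name.lower() not in seen:
            seen.add(name.lower())
            names.append(name)
    return names

def search(base_dn, ldap_filter, attributes=""):
    """Toy server-side search: entries under base_dn matching every (attr=value)
    term ('*' wildcards allowed, terms ANDed, no '|' or '!'). An empty 'Attributes'
    field returns every attribute of each match, the default the post warns about."""
    terms = re.findall(r"\((\w+)=([^()]*)\)", ldap_filter)
    wanted = {a.lower() for a in parse_attributes(attributes)}
    results = {}
    for dn, entry in DIRECTORY.items():
        if not dn.lower().endswith(base_dn.lower()):
            continue
        lowered = {k.lower(): v.lower() for k, v in entry.items()}
        if all(fnmatch.fnmatchcase(lowered.get(a.lower(), ""), v.lower())
               for a, v in terms):
            results[dn] = {k: v for k, v in entry.items()
                           if not wanted or k.lower() in wanted}
    return results

def payload_chars(results):
    """Rough size of the result set: attribute names plus values."""
    return sum(len(k) + len(v) for e in results.values() for k, v in e.items())
```

Compare payload_chars(search("DC=example,DC=com", "(objectClass=user)")) with the same search given "cn,sAMAccountName,userPrincipalName,memberOf" to see how much the blob-carrying attributes inflate an unrestricted import.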
Don't say we didn't warn you: LDAP servers are key to many features. Set the 'Attributes' field on the LDAP server definition to improve data import times and LDAP searches.
I performed my tests with LDAP Active Directory by Microsoft, an LDAP browser by Apache Directory Studio, on Geneva, within Chrome.
More information here:
LDAP Integration Troubleshooting - ServiceNow Wiki
LDAP Integration via MID Server Setup - ServiceNow Wiki
LDAP Integration - ServiceNow Wiki
Setting up the LDAP Import Map - ServiceNow Wiki
LDAP import has a limit for length?