How to get LDAP Import to show Nested Groups

jstifflear · ‎08-28-2015

I am looking to see if anyone has figured out a way to display nested groups in ServiceNow. If LDAP imports a group and its members, I need to see any nested groups that are contained in the parent group and all of the members. If a group is a member of any other groups or if a group has groups as members I need to be able to see, display and report on this in ServiceNow. Thanks in advance for any advice you can provide!

Michael Fry1 · ‎08-28-2015

Make sure you Starting Search directory just contains the DC='s. Then on your LDAP OU definition, try limiting what you are filter. We had to use something like this: (&(objectClass=person)(mail=*))

This worked for us versus building a whole bunch of OU definitions.

Michael Ritchie · ‎08-28-2015

This script may help you with the nested queries:

Advanced 'getMyGroups' Function - ServiceNow Guru

murateryucel · ‎11-19-2015

Only add a related Matching rule OID " 1.2.840.113556.1.4.1941 " in filter " like (&(objectCategory=Person)(memberOf:1.2.840.113556.1.4.1941:=CN=...)) .

https://msdn.microsoft.com/en-us/library/windows/desktop/aa746475(v=vs.85).aspx

Matching rule OID	String identifier (from Ntldap.h)	Description
1.2.840.113556.1.4.803	LDAP_MATCHING_RULE_BIT_AND	A match is found only if all bits from the attribute match the value. This rule is equivalent to a bitwise AND operator.
1.2.840.113556.1.4.804	LDAP_MATCHING_RULE_BIT_OR	A match is found if any bits from the attribute match the value. This rule is equivalent to a bitwise OR operator.
1.2.840.113556.1.4.1941	LDAP_MATCHING_RULE_IN_CHAIN	This rule is limited to filters that apply to the DN. This is a special "extended match operator that walks the chain of ancestry in objects all the way to the root until it finds a match.

jstifflear · ‎11-19-2015

Thanks for the info on Matching rule OID, I will try to take a look at this in a couple of weeks when I get some time.