LDAP Import Filter for different OUs

sry
Giga Guru

Hi,

Till now we are using this filter: (&(objectCategory=person)(objectClass=user)) to import the users in LDAP, and the Query field is "sAMAccountName".

We are not using any datasources or transformation maps currently. We have a new instance and are trying to import the users using the same LDAP server, but we don't want to use the same filter in the new instance. We know that the old filter imports all the users from all the OUs. My requirement is that we have different OUs, nested and standalone. How do I filter specific OUs within the filter? I am giving example RDNs below:

RDN1: OU=Users,OU=XYZ1,OU=ABC1

RDN2: OU=Users,OU=XYZ2

.......and so on (I have counted 21).

Like the above, all of my OUs are either nested or standalone. How do I include the OUs I want to import in the FILTER definition? Or do I need to create a separate LDAP OU Definition for each RDN?

Thanks in advance,

sy


jonnyseymour
ServiceNow Employee

Hello Sry,

This is a tricky one. Only one RDN is allowed per OU definition. The ServiceNow application is set up to import the users based on the LDAP OU definitions, the RDN and the LDAP filter.

If you want to reduce the number of imports, it depends on finding attributes on which you can filter the requested records; then use the parent RDN=OU=Users to filter those based on that attribute (beware of performance, as you will retrieve more records). Otherwise, you will need to create different OU Definitions for the other RDNs.

Remember to consider duplicates and inactive users in your design.

In more detail, you can only use an LDAP filter to filter LDAP attributes, not the actual OU hierarchy. If you want to filter at the OU level, use the RDN or the starting search directory on the LDAP server as a starting point which does not traverse the OU that you do not want. If you have an LDAP attribute on the record that contains a value, you can use this to exclude in a filter.

For example, if the OU hierarchy is:

OU=San Diego,OU=California,OU=United States

You cannot write an LDAP filter to try and target any of those OUs in the hierarchy.

WRONG ----> For example, this does not work: (!(OU=California))

You can only filter the attributes on the records. Whatever values you can see on a record are what can be targeted in an LDAP filter. The difference is that the OU hierarchy is a path that defines where a record lives in the directory. Think of it as a folder. These "folders" contain records, and the records have attribute and value pairs. You can only filter the attribute and value pairs for the records and not the name of the "folder".

More information here:

LDAP Integration Setup - ServiceNow Wiki: http://bit.ly/1ghiVm3

LDAP - Duplicate users and disabled users - Community: http://bit.ly/1Mew6C4

Good luck. Please let me know how you finally implemented this.


Hi Jonny,

Thank you very much for your reply; your insights are really helpful. What I have been given by the AD team is 21 random OUs to import the users from. If I can give only one RDN value for each OU Definition, then I need to create 21 OU Definitions. I am trying to figure out whether there is any possibility I can create only one LDAP OU Definition to import USERS!

1) If I have to filter on an attribute, for example we have an attribute DN, given below:

dn: CN=IT Support,OU=IT,OU=BP,DC=xyz,DC=com

Suppose from the above I want to include DNs which have IT in their name, basically I want OU=IT; can I filter this in the LDAP Filter like this: (&(objectCategory=person)(dn=*IT)(objectClass=user))

2) The second possibility I am thinking of is whether there is any way I can utilize an onBefore transform script. Because in this case I will give no RDN value and the filter will be this: (&(objectCategory=person)(objectClass=user)); and the onBefore script will filter whichever OUs I don't want or whichever OUs I want.

Let me know your thoughts, and thank you very much once again,

SY


jonnyseymour
ServiceNow Employee

In regard to your question:

> 1) If I have to filter on an attribute, for example we have an attribute DN, given below
> dn: CN=IT Support,OU=IT,OU=BP,DC=xyz,DC=com
>
> Suppose from the above I want to include DNs which have IT in their name, basically I want OU=IT; can I filter this in the LDAP Filter like this: (&(objectCategory=person)(dn=*IT)(objectClass=user))

***************************

Answer. It looks like you will return a huge amount of entries and filter them by the attributes. As long as you locally test that the filter works as expected, it should do the trick. If you hit a performance problem, you would be better off splitting the results accordingly.

> 2) The second possibility I am thinking of is whether there is any way I can utilize an onBefore transform script. Because in this case I will give no RDN value and the filter will be this: (&(objectCategory=person)(objectClass=user)); and the onBefore script will filter whichever OUs I don't want or whichever OUs I want.

***************************

Answer. It sounds unlikely and very complex to develop/admin/test and troubleshoot if you hit errors. You would be better with static OU definitions that you can test and troubleshoot one by one. If you have tested it and it works, then it should be safe to use.

Good luck


Hi Jonny,

Thanks once again for your valuable effort. I have filtered OUs using an onBefore script. I have found one issue here: I am not able to filter a couple of OUs which have a space in their DN value. For example, I am not able to filter the DN value "OU=Users - Admins"; there is a SPACE and "-" between "Users" and "Admins". When I run the schedule, all the records from this OU are being ignored even though I set "ignore = false". If you have any idea, please let me know.

Thanking you very much,
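As an added example (not code from this thread or from ServiceNow), the OU check that the onBefore approach above needs, written so that it parses the entry's DN into RDNs and compares them against the allowed OU paths instead of substring-matching the DN string, which is what trips over values like "OU=Users - Admins". It assumes the DN arrives as a plain string from the import row (for instance a source DN field in the transform script) and that the allowed list is built from the RDNs of the 21 OUs; both are assumptions, not anything the thread states.

```javascript
// Added example: is this entry in one of the OUs we want to import?
// Works on the parsed RDN list, so spaces, hyphens and escaped commas in
// RDN values (e.g. "OU=Users - Admins", "CN=Doe\, John") are compared exactly.
// Assumed: the DN string is passed in from the import row; no ServiceNow APIs.

// Split a DN into RDN strings, honouring RFC 4514 backslash escapes ("\,").
function splitDn(dn) {
  const parts = [];
  let cur = '';
  for (let i = 0; i < dn.length; i++) {
    const ch = dn[i];
    if (ch === '\\' && i + 1 < dn.length) {
      cur += ch + dn[++i];          // escaped character: keep it verbatim
    } else if (ch === ',') {
      parts.push(cur);              // an unescaped comma ends the RDN
      cur = '';
    } else {
      cur += ch;
    }
  }
  parts.push(cur);
  return parts;
}

// Normalise one RDN: lower-case type and value, trim only the OUTER whitespace,
// so "  OU = Users - Admins " becomes "ou=users - admins" (inner spaces kept).
function normRdn(rdn) {
  const eq = rdn.indexOf('=');
  if (eq < 0) return rdn.trim().toLowerCase();
  return rdn.slice(0, eq).trim().toLowerCase() + '=' +
         rdn.slice(eq + 1).trim().toLowerCase();
}

// OU path of an entry, leaf first: "CN=x,OU=Users,OU=XYZ1,OU=ABC1,DC=xyz,DC=com"
// -> ["ou=users", "ou=xyz1", "ou=abc1"]; the CN leaf and DC suffix are dropped.
function ouPath(dn) {
  return splitDn(dn).map(normRdn).filter(r => r.startsWith('ou='));
}

// True when the entry sits in one of the allowed OUs or in a sub-OU beneath it
// (subtree semantics, like an OU definition whose RDN is that OU).
function isInAllowedOu(dn, allowedOuPaths) {
  const path = ouPath(dn);
  return allowedOuPaths.some(allowed => {
    const want = splitDn(allowed).map(normRdn);
    if (want.length > path.length) return false;
    const tail = path.slice(path.length - want.length);   // parent-most RDNs
    return tail.every((rdn, i) => rdn === want[i]);
  });
}
```

In a transform script the result would drive the row's ignore flag (entries whose DN is not in an allowed OU get skipped); keeping the allowed list as data rather than 21 hand-written string comparisons also makes the 21 definitions easy to review.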