‎07-28-2017 01:12 PM
I am very curious about some lower-level and best-practice info around integration with LDAP for the purpose of importing users, authenticating them, and importing groups/structures.
I am familiar with transform maps once the data is in the import set ... but getting it in, that's what I'm curious about.
I want to use the simplest (KISS) way to get this done.
I was reading that a MID server with hardware or on a VM, and then install/config and point to xyz ... why?
Is this because there is a security risk with going from SN -> LDAP through a traditional LDAP integration?
We are spinning up internal IT on the SN ticketing system from Remedy and I'd like to "do it right" or at least with some design/higher plan in mind.
In terms of config once I'm in the system, I'm comfortable, but this is hardware and more IA, and as a SaaS I'm a bit confused as to those elements ...
Perhaps I can explain my question better ... but I am looking for a way to get users and groups into the system from AD, and then use AD to auth those users when they try to log in ...
Shouldn't be that hard?
‎07-28-2017 02:24 PM
Customers will typically engage SN professional services or a partner for this kind of thing. However, it seems like you may have done something similar before.
Here are some documentation resources:
http://wiki.servicenow.com/index.php?title=LDAP_Integration_Setup#gsc.tab=0
Basically you'll need to ask your network or security team to make a firewall rule to allow communication over port 636 from your ServiceNow instance (you can get your instance IP address through HI support). They will probably create a virtual IP and NAT rule to point to your domain controller. Then configure the LDAP server in ServiceNow using the VIP and SSL cert (included in the documentation).
You can of course avoid some complexity by using plain LDAP or putting your DC in the DMZ, but I don't think they'll get on board with that. Also, that approach isn't recommended. Although there are several steps, in my opinion it is straightforward and there are not many options for variation if you're following best practice. Of course, someone else on the community may have their own opinion.
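The answer above boils down to three things the network/security team has to get right: the firewall path from the instance to the VIP on 636, the NAT to the domain controller, and a certificate on the DC that the instance will trust. Below is an added example (not from this thread and not ServiceNow's own tooling) of a small pre-flight script an admin can run from a host on the same network path before the ServiceNow LDAP server record is configured. It assumes OpenSSL and the OpenLDAP client tools (`ldapsearch`) are installed, and that the VIP hostname, CA bundle path, bind DN and search base are placeholders you replace; the sample `openssl s_client` output at the bottom is constructed so the parsing can be checked offline.

```shell
#!/bin/sh
# Added example: pre-flight checks for a direct (no MID server) LDAPS integration.
# Not part of the original thread; hostnames, DNs and paths are placeholders.

LDAP_PORT=636

# Command that checks the LDAPS listener's certificate chain against the CA bundle
# the instance will be given. -verify_return_error makes openssl fail the
# handshake instead of merely reporting a bad chain.
ldaps_tls_cmd() {
  # $1 = VIP hostname (assumed placeholder), $2 = CA bundle path
  printf 'openssl s_client -connect %s:%s -servername %s -CAfile %s -verify_return_error' \
    "$1" "$LDAP_PORT" "$1" "$2"
}

# Interpret captured openssl s_client output: success only when the chain verified.
ldaps_tls_verified() {
  printf '%s\n' "$1" | grep -q 'Verify return code: 0 (ok)'
}

# Bind test: a base-scope search with the service account proves the firewall
# path, the NAT to the DC and the credentials in one step. -W prompts for the
# password so it never lands in shell history.
ldap_bind_cmd() {
  # $1 = VIP hostname, $2 = bind DN, $3 = search base (all assumed placeholders)
  printf 'ldapsearch -H ldaps://%s:%s -D "%s" -W -b "%s" -s base "(objectClass=*)" dn' \
    "$1" "$LDAP_PORT" "$2" "$3"
}

# Runs the TLS check for real and reports the result (only when invoked with args).
check_ldaps_endpoint() {
  out=$(eval "$(ldaps_tls_cmd "$1" "$2")" </dev/null 2>&1)
  if ldaps_tls_verified "$out"; then
    echo "OK: $1:$LDAP_PORT presents a certificate chaining to $2"
    echo "Next, test the bind: $(ldap_bind_cmd "$1" "$3" "$4")"
    return 0
  fi
  echo "FAIL: certificate on $1:$LDAP_PORT did not verify; relevant output:"
  printf '%s\n' "$out" | grep -E 'Verify return code|verify error|depth=' || true
  return 1
}

# Constructed sample outputs for an offline self-check of the parser.
SAMPLE_OK='SSL handshake has read 2345 bytes and written 412 bytes
Verify return code: 0 (ok)'
SAMPLE_BAD='verify error:num=21:unable to verify the first certificate
Verify return code: 21 (unable to verify the first certificate)'

# Usage: sh ldaps_preflight.sh dc-vip.example.com /etc/ssl/ad-ca.pem \
#            "CN=svc-servicenow,OU=Service Accounts,DC=example,DC=com" "DC=example,DC=com"
if [ "$#" -ge 4 ]; then
  check_ldaps_endpoint "$1" "$2" "$3" "$4"
fi
```

A failing `Verify return code: 21` usually means the DC is presenting its leaf certificate without the intermediate chain, which is exactly the case the answer's "VIP and SSL cert" step is meant to head off: either the full chain is installed on the DC, or the CA bundle you hand to the instance has to include the intermediates. Because the VIP hostname is what the instance connects to, the certificate's subject alternative names must cover that name, not just the DC's own hostname.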
‎07-28-2017 01:27 PM
You're probably looking for a more in-depth explanation but all I have time for right now is a quick tip: if you are planning to authenticate using the LDAP integration, the MID server implementation won't allow it. You'll need to go directly from ServiceNow to your domain controller. That might make the approach an easy decision.
People use the MID server for an LDAP feed if they are using some other form of authentication (like SSO or local password management).
‎07-28-2017 01:30 PM
Interesting. So actually it may not be a good idea/option to use a MID server for LDAP (to pull the users and such in) if we can just do that via ... LDAPS, for example ...?
‎07-28-2017 01:37 PM
You got it. We use SSO for authentication but I still avoid using a MID server for my LDAP pull because direct LDAPS seems to be faster. It just requires engaging the security/network team which is probably why some people take the MID server approach.
‎07-28-2017 02:08 PM
Exactly, we are thinking the same thing.
Now, my question is, what kinds of ... questions ... should I be asking the ... network/sec team?
We're meeting with them Monday to say we need X.
I'm assuming it's just to put the LDAP server in the DMZ? And then to get an X cert to connect to it using LDAPS, as in that guy's (this is why you don't need VPN) article ...
What kind of ... "things" do we need to think about if we ... say ... take the LDAPS approach?