LDAP Imports allow administrators to keep ServiceNow users and groups sync'ed with the corporate "single-source of truth", the company LDAP Server. The use of a MID server may be required to be able to access the LDAP server from the ServiceNow instance.
LDAP imports performed through a MID server can leave you looking for a lost user or group in certain patches of Geneva and Helsinki. In this round of testing, I'll do a "Group" import using the MID Server. Looking at the Groups in the sys_user_group table, one group from the import set will be gone. If you track back through the process, checking the ECC queue, you will see that all of the groups are there. The remaining table to check is the import set (staging) table. Sure enough, this is where we find the mix-up. The import set table will have the correct number of records; however, one will be missing and one will be duplicated.
How you know if your LDAP import is missing a user or group:
- Configure LDAP server with the MID server.
- Load all groups in LDAP (this can happen with any LDAP imported records through a MID server, not just with Groups).
- Check the ECC queue records, which show the correct data.
- In the staging table, note that one of the records is omitted and a duplicate of another record is created.
For this testing, I setup a simple LDAP group OU. The LDAP Server requires the use of a MID Server (to reproduce this PRB). When "Browsing" from the OU, we can see 4 groups, Group1-Group4:
The data source used for the import:
After loading the records (either Test load 20 Records, or Load All Records😞
We can see that four records were processed and inserted; however, when we check the "Loaded data", we see the issue:
Group4 was loaded 2 times, and Group2 was missed.
This shows that the LDAPProbeResult (in the ECC queue) correctly shows all 4 groups (including Group2).
Between the ECC queue and the loading of the import set table, we can see that we have lost one record and doubled-up on another. This has been classified as a regression. The fix is available in Helsinki Patch 4, but if you don't want to upgrade there is a workaround you can use.
Retrieving a missing user or group when doing a LDAP Import through the MID Server
The workaround is to create and set the following property to a value of 0 (zero):
com.glide.loader.max_sample_size
For steps on how to add a new system property (in Helsinki), see the docs.
