‎07-05-2017 01:50 AM
Hi. Whenever I clone our prod instance over another sub-prod instance, the AD account that allows LDAP authentication gets locked out. This means no one can log in, alarm bells ring at ServiceNow, people start shouting at me. How can I prevent this from happening? I assume I need to add a table to the Exclude Table list - maybe the ldap_server_config table?
‎07-05-2017 03:10 AM
Hello Wayne,
Your understanding is correct. You need to add an entry in your exclude table list for the ldap_server_config table. In the absence of this, all your LDAP configurations are also cloned to your target non-production instance. And, you know, there are scheduled jobs performing various actions, including the LDAP heartbeat check. Since the LDAP server is specific to your PROD only, when such jobs try to access your PROD LDAP server they don't authenticate. There are some rules defined on the AD side which lock your LDAP server login account after a certain number of failed attempts. And this is exactly what happened in your case.
Therefore, please add an entry in your exclude table list for the ldap_server_config table and you have a permanent fix!
‎01-23-2018 03:06 AM
Hi. Who did the clone, you or ServiceNow? When I do a clone, the account does not get locked. However, when ServiceNow take a clone, they seem to do it differently (copy the instance perhaps), which doesn't maintain these rules, and the account becomes locked.
This is all I did. Are you sure it worked in your case (not copying that table, I mean)? You could make a small change somewhere on the instance you're about to clone, then see if that appears on your cloned instance afterwards.
‎01-23-2018 10:49 PM
Are you using a different LDAP username and password for production and non-prod instances, or the same?