Multi-AD LDAP Sync with Group Membership

mattp
Tera Contributor

We currently have a single AD LDAP sync, where we pull down user information and group membership. We use AD to manage ServiceNow groups and their members (the ldapUtils.addMembers function), which has worked out great for us so far. However, we're looking at adding a 2nd AD sync, with its own unique users and groups. Is there a way to have both AD syncs work together for group membership?

We have situations where users in the 2nd domain will need to be added to groups within the 1st domain, or users from both AD domains will coexist in the same group. Our understanding is that each AD sync will overwrite the group membership based on what AD knows about the group - so there is no way to have non-AD users in a group managed by AD. Is there any way around this?

We do not have a domain separated instance - both AD syncs will be populating the same sys_user, sys_user_group, and sys_user_grmember tables.

Thank you!
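The concern in the question is a reconciliation problem: if a sync sets a group's member list to exactly what its own directory reports, a second directory (or a manual add) feeding the same group gets clobbered. The following is an added illustration, not ServiceNow code and not the behaviour of ldapUtils.addMembers or any transform map; it uses plain JavaScript with constructed sample data (the domain names, group name and user IDs are hypothetical). It contrasts a "replace the whole list" sync with a reconcile that tags each membership row with the source that created it and only removes rows it owns.

```javascript
// Added example: source-scoped group-membership reconciliation.
// Constructed sample data: what each (hypothetical) AD domain reports for a group.
const DOMAIN_A = { name: "corp.example",    groups: { "SN Admins": ["alice", "bob"] } };
const DOMAIN_B = { name: "partner.example", groups: { "SN Admins": ["carol"] } };

// Membership store: Map<groupName, Map<userId, ownerSource>>.
// In a real instance this would be sys_user_grmember rows carrying a source marker.
function newStore() { return new Map(); }

// Manually added member, owned by no directory.
function addManual(store, group, user) {
  const members = store.get(group) || new Map();
  members.set(user, "manual");
  store.set(group, members);
}

// Naive sync: the group becomes exactly what this source reports.
// Whatever was there before (other domain, manual adds) is lost.
function naiveSync(store, source) {
  for (const [group, users] of Object.entries(source.groups)) {
    store.set(group, new Map(users.map(u => [u, source.name])));
  }
}

// Source-scoped reconcile: add this source's users; delete only rows this
// source created that it no longer reports. Rows owned by another source
// or added manually are left untouched.
function reconcileSync(store, source) {
  for (const [group, users] of Object.entries(source.groups)) {
    const members = store.get(group) || new Map();
    const wanted = new Set(users);
    for (const [user, owner] of [...members]) {
      if (owner === source.name && !wanted.has(user)) members.delete(user);
    }
    for (const user of users) {
      // Do not take ownership of a row another source already created; if that
      // owner later drops the user, this source will re-add it on its next run.
      if (!members.has(user)) members.set(user, source.name);
    }
    store.set(group, members);
  }
}

function membersOf(store, group) {
  return [...(store.get(group) || new Map()).keys()].sort();
}

// Two domains, naive sync: domain B's run wipes domain A's members.
function runNaive() {
  const s = newStore();
  naiveSync(s, DOMAIN_A);
  naiveSync(s, DOMAIN_B);
  return membersOf(s, "SN Admins"); // ["carol"]
}

// Two domains plus a manual member, reconcile sync; then bob leaves domain A's group.
function runReconcile() {
  const s = newStore();
  addManual(s, "SN Admins", "dave");
  reconcileSync(s, DOMAIN_A);
  reconcileSync(s, DOMAIN_B);
  reconcileSync(s, { name: DOMAIN_A.name, groups: { "SN Admins": ["alice"] } });
  return membersOf(s, "SN Admins"); // ["alice", "carol", "dave"]
}

console.log("naive:", runNaive());
console.log("reconcile:", runReconcile());
```

The point of the ownership tag is that removals stay scoped to the directory that asserted the membership in the first place, so two directories and manual adds can share one group without any of them deleting the others' rows. Whether a given LDAP sync actually behaves like `naiveSync` is exactly the open question in this thread.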

3 Replies

Michael Fry1
Kilo Patron

"Our understanding is, each AD sync will overwrite the group membership based on what AD knows about the group" - I looked high and low and couldn't find anything that would substantiate or deny this; not trying to disprove you, just trying to help! Looking at the LDAP setup (screenshot below), I can add a 2nd LDAP, use the same transform map, etc., and would think it would blend group membership together without overwriting one or the other. SN wouldn't do that to us, would they!



Have you tried it?

[Screenshot: LDAP server configuration form]


Thank you for the reply. The issue with that method (looking at the ldap_server_config.do screen) is that the starting search directory and attributes would need to be the same. The other LDAP requires a different configuration for MID Server, Starting Search Directory, and Attributes. I haven't tried the method you're suggesting, but I'm not sure how it would work given those requirements. Looking at the documentation (LDAP server fields), it says those fields you highlighted are for redundant servers - I'm not sure it would even try hitting the second if it got the first.


Yeah - a different search directory would require another LDAP setup, but the transform map can be the same. I still would be shocked if it doesn't blend the 2 together in the same group.