extend discovery to query ldap for server attributes

CBartram
Tera Contributor

I need to extend our discovery process to include a call out to our enterprise ldap server to retrieve various elements specific to the server (owner, description, lifecycle, even the name of the app/service they belong to). Trying to create a discovery pattern extension using the "ldap query" call but there is nowhere on the form to provide the ldap credentials (a simple username/pass combo for a readonly account in my case). None of the standard "credential types" seem to apply?

Where/how do I provide the (readonly) ldap username+password credentials?

More importantly I suppose- is there a better/easier way to link all our servers to a "lookup" function (linux to LDAP and Windows to AD) where we grab those kind of attributes as they're discovered?

*Note in my case a host-based (command line) ldapsearch command isn't viable as some servers (like in the DMZ) can't actually reach the authoritative ldap servers with all the configuration data on them.


Daniel Borkowi1
Mega Sage

Hi, is your user for the Server discovery not allowed to query the LDAP?


Correct. We use an ssh private key for server auth but our ldap server requires username+password authentications. I'm told the ldap server doesn't even support a ssh-key authentication - especially since our ssh (discovery) "account" only allows key auth (there IS no password associated with it). *These are Linux servers I'm discovering FYI.

Daniel Borkowi1
Mega Sage

Unfortunately this operation is badly documented. Is it maybe possible to add the username and password in the ldap Query field? At least you can try to use the command operation with something like that:

ldapsearch -x -LLL -h ip -D 'cn=admin,dc=ivhdev,dc=local' -w password -b 'dc=users,dc=local' -s sub '(objectClass=*)' 'givenName=username*'

-D is the user and after -w the password. You can use the set parameter operation and pre/post processing scripts to query the password and user name somehow from a configuration. See: https://www.servicenow.com/community/itom-blog/using-pre-post-processing-scripts-to-handle-reference...


I tried overloading the input fields - though I couldn't get it to work... and since the form specifically has fields for (only) Base DN, Host, Port, Query, Scope, and Variable Table, it wasn't apparent whether they're actually using ldapsearch in the background or simply a Java (or other) library call.

I can use (and am temporarily using) a host-based (remote command parse) of ldapsearch for my Linux hosts at least until I get this working, but I can't use that in production since some of our hosts (like DMZ machines and all our Windows servers among others) can't execute the ldapsearch command directly... so I really need it to be done from the MID server.

Thanks very much for the other link though! One of my next questions was going to be how to replace some of the values I'm getting from LDAP with their corresponding sys_ids from the cmdb and I had NO idea how to go about that.
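For the interim "remote command parse" route discussed in this thread (running ldapsearch and parsing what comes back), and for the follow-up question about swapping LDAP values for CMDB sys_ids, here is an added example that is not from the original post or from ServiceNow. It parses the LDIF that `ldapsearch -x -LLL` prints, handling the two things that usually break naive line-by-line parsing (folded continuation lines and base64 `::` values), then resolves owner and application names against a lookup table. The LDIF, the attribute names (`owner`, `lifecycle`, `appName`), the target field names and every sys_id are constructed stand-ins; in a real pattern the lookup table would be filled from a CMDB query instead of a hard-coded dict.

```python
import base64
import re

# Constructed sample output of "ldapsearch -x -LLL" (not real directory data).
# Includes a folded line (continuation begins with a space) and a base64
# attribute ("appName::"), both of which ldapsearch emits in practice.
SAMPLE_LDIF = """\
dn: cn=web01,ou=servers,dc=example,dc=local
cn: web01
description: Public web front end,
  serves the customer portal
owner: jdoe
lifecycle: production
appName:: Q3VzdG9tZXIgUG9ydGFs

dn: cn=db02,ou=servers,dc=example,dc=local
cn: db02
owner: asmith
lifecycle: decommissioned
appName: Billing
"""

# Constructed stand-in for a CMDB lookup: (attribute, raw LDAP value) -> sys_id.
# All sys_ids here are hypothetical placeholders.
SYS_ID_LOOKUP = {
    ("owner", "jdoe"): "8a5d1c3e1b2f3a4c9d0e5f6a7b8c9d0e",
    ("owner", "asmith"): "1f2e3d4c5b6a79880716253443526170",
    ("appName", "Customer Portal"): "aa11bb22cc33dd44ee55ff6677889900",
}

# Which LDAP attribute feeds which (hypothetical) CI reference field.
REFERENCE_FIELDS = (("owner", "owned_by"), ("appName", "business_app"))

ATTR_LINE = re.compile(r"^([A-Za-z][\w;.-]*)(::?)\s*(.*)$")


def parse_ldif(text):
    """Parse ldapsearch -LLL output into a list of {attr: [values]} dicts.

    Folded lines (a line starting with one space continues the previous
    line) are joined first; "attr:: value" is base64-decoded; attributes
    that occur more than once become multi-valued lists.
    """
    unfolded = re.sub(r"\n ", "", text)
    entries, current = [], None
    for line in unfolded.splitlines():
        if not line.strip():              # blank line terminates an entry
            if current:
                entries.append(current)
            current = None
            continue
        if line.startswith("#"):          # ldapsearch comments / refs
            continue
        if line.startswith("dn:"):
            current = {}
        if current is None:
            continue
        match = ATTR_LINE.match(line)
        if not match:
            continue
        attr, sep, value = match.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8")
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def enrich(entries, lookup=SYS_ID_LOOKUP):
    """Map each parsed entry to a flat CI payload.

    Reference fields get the sys_id from the lookup or None; anything the
    lookup cannot resolve is reported separately rather than written as a
    raw string into a reference field, so bad data stays visible.
    """
    results, unresolved = [], []
    for entry in entries:
        first = lambda attr: entry.get(attr, [None])[0]
        payload = {
            "name": first("cn"),
            "short_description": first("description"),
            "lifecycle": first("lifecycle"),
        }
        for attr, field in REFERENCE_FIELDS:
            raw = first(attr)
            sys_id = lookup.get((attr, raw))
            payload[field] = sys_id
            if raw is not None and sys_id is None:
                unresolved.append((payload["name"], attr, raw))
        results.append(payload)
    return results, unresolved


if __name__ == "__main__":
    cis, missing = enrich(parse_ldif(SAMPLE_LDIF))
    for ci in cis:
        print(ci)
    print("unresolved:", missing)
```

The unfold step matters: ldapsearch wraps long values at 76 columns, so a description or DN that is parsed line by line without joining continuation lines silently loses its tail. Keeping unresolved references in a separate list, rather than falling back to the raw string, is what lets a post-processing script decide whether to create the missing user or application record or just log it.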