LDAP group import errors
04-24-2023 07:38 AM
Hi,
We are running a daily LDAP Group Import to sync some AD groups in ServiceNow. For some reason, some of the groups fail to import - or at least it looks that way, since the last sync time on the failed ones is showing years ago, and the group itself is going inactive when the import runs (I can set it active manually, but it goes inactive at the time of import). The groups in AD are enabled and the OUs are correct both in AD and ServiceNow. The errors I'm seeing aren't very informative:
"Error during update of sys_user_group (<group name here>)"
Does anyone have any idea what's going on with this?
Thanks
04-24-2023 10:17 PM
Hi @castle11
The error message you mentioned is not very informative, and there could be various reasons causing this. It seems that there might be some issues with the LDAP Group Import configuration or the synchronization process.
Here are some possible reasons why the groups are failing to import:
1. Connection issues: Check if there are any connectivity issues between ServiceNow and AD. Make sure the LDAP server information and credentials are correct and up to date.
2. Group membership: Check if the group membership has changed in AD. The group might have been removed or renamed, or the users might have been removed from the group.
3. ServiceNow configuration issues: Check if the LDAP Group Import configuration in ServiceNow is correct and up to date. Verify that the group attributes mapping and filters are set up correctly.
4. ServiceNow access rights: Check if the ServiceNow user account used for the LDAP Group Import has the appropriate access rights to read the AD groups.
5. Group naming conventions: Check if the group name conventions in AD comply with the ServiceNow requirements. Some characters or special characters might cause import issues.
To troubleshoot the issue further, you can try checking the logs for more detailed error messages or enable LDAP debugging to get more information about the import process. You can also try manually importing the failed groups and see if you encounter any errors.
Please mark helpful/correct, if your query is addressed and/or answered!
Thanks,
Vamshi
04-25-2023 02:54 AM - edited 04-25-2023 02:55 AM
Hi @Rao Vamshi
Thanks for your reply. I think I might have found the issue - the error I mentioned was showing in scheduled import sets, but when I checked in LDAP group imports instead, the groups that are failing to import are showing another error - it's saying there are duplicate groups with the same object GUID. After filtering the group table for one of the affected object GUIDs, I can see there are in fact duplicate groups, but the difference is the name - the duplicate group is prefixed with 'stale - ', so I think this is maybe an old group in AD or something that's been duplicated. Thinking this should be fixed once the duplicate is removed, but I will let you know anyway.
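An added example, not part of any post in this thread and not ServiceNow code: one way to list every object GUID shared by more than one group record, working offline on a CSV export of the group table. The column names (`sys_id`, `name`, `object_guid`, `active`), the sample rows, and the idea that GUIDs may differ only in text formatting are assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export of the group table; column names are assumptions.
SAMPLE_EXPORT = """sys_id,name,object_guid,active
a1,Finance Approvers,{3F2504E0-4F89-11D3-9A0C-0305E82C3301},false
a2,stale - Finance Approvers,3f2504e04f8911d39a0c0305e82c3301,false
a3,Service Desk,9b2c1d4e-aaaa-4bbb-8ccc-0123456789ab,true
a4,stale - Old Team,11111111-2222-3333-4444-555555555555,false
a5,No GUID Group,,true
"""

STALE_PREFIX = "stale - "  # prefix reported in the thread


def normalise_guid(raw):
    """Reduce a GUID string to 32 lowercase hex digits, or '' if it is not one.

    Only text formatting (braces, hyphens, case) is normalised here.
    """
    cleaned = raw.strip().strip("{}").replace("-", "").lower()
    if len(cleaned) == 32 and all(c in "0123456789abcdef" for c in cleaned):
        return cleaned
    return ""


def find_guid_collisions(export_text):
    """Map each GUID held by more than one group to its stale/current sys_ids."""
    by_guid = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_text)):
        guid = normalise_guid(row["object_guid"])
        if guid:  # records without a GUID cannot collide
            by_guid[guid].append(row)

    collisions = {}
    for guid, rows in by_guid.items():
        if len(rows) > 1:
            stale = [r for r in rows if r["name"].lower().startswith(STALE_PREFIX)]
            collisions[guid] = {
                "stale": [r["sys_id"] for r in stale],
                "current": [r["sys_id"] for r in rows if r not in stale],
            }
    return collisions


if __name__ == "__main__":
    for guid, groups in find_guid_collisions(SAMPLE_EXPORT).items():
        print(guid, "stale:", groups["stale"], "current:", groups["current"])
```

A GUID whose "current" list is empty or holds more than one record needs a manual look before anything is removed, since the prefix alone does not say which record the import should own.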
04-25-2023 09:24 AM
Hi @castle11
Great, it looks like you have identified the root cause.
Also, keep in mind that removing the duplicate group in AD may not automatically update the ServiceNow record for that group. You may consider manually updating the group record in ServiceNow or running a full import to ensure that the correct group information is synchronized.
Happy to help!
Thanks,
Vamshi