LDAP Integration

 An LDAP integration allows your instance to use your existing LDAP server as the main source of user data.

STEP1: Define LDAP Server

Option1: LDAP Server with MID Server

This is the most common method as it is the easiest to configure and doesn’t require much effort from a company AD admin.

You’ll need to set up a MID Server to use this method. Please note that you can’t authenticate (login) using this method and you can’t use an SSL connection, so the bind password and the directory data travel between the MID Server and the domain controller unencrypted; keep that traffic on the internal network.

For authentication, an SSO connection is usually configured instead. So you use the LDAP Integration to pull in users/groups and SSO to authenticate (login).

Option2: LDAP Server with VPN

For this method, you ask ServiceNow for a VPN through a HI Support request. It is the least preferred option because you depend on the ServiceNow VPN tunnel staying up, and it brings its own maintenance concerns.

Option3: External IP Address

For this method, you expose an external IP address for your LDAP server to ServiceNow. Restrict the firewall rule to the ServiceNow IP ranges, and keep in mind that plain LDAP over the internet sends the bind credentials and directory data in cleartext; combine it with LDAPS (Option 4) wherever you can.

Option4: LDAPS with PKI Certificate

Most companies don’t have LDAPS (note the “S”). However, for the companies that do, this is the superior method to connect in my opinion: the connection is encrypted with TLS, and the instance verifies the directory’s certificate, which you upload to the instance as a certificate record before activating the LDAP server.

STEP2: Create LDAP Server

Left Navigator Bar > Create New Server

Example LDAP Server

Make sure to specify which LDAP attributes to import. Without an attribute list, the import set creates a column for every attribute the directory returns, which can exceed the row size limit during the import process.

Common Attributes

description,employeeNumber,managedby,department,division,dn,employeeID,givenname,mail,manager,member,memberof,mobile,objectguid,physicaldeliveryofficename,samaccountname,sn,source,telephonenumber,thumbnailPhoto,title,useraccountcontrol,userPrincipalName

3. Click Submit
4. When set to Active, the connection is tested. A red status means the bind failed (check the host, port, bind DN and password); green means it succeeded.

STEP3: LDAP Browse

In the following step, you specify the RDN and Filter for the user and group accounts. The RDN tells ServiceNow where in the tree to look, and the Filter tells it which entries under that point to return.

How do you know where the data is stored in LDAP? Every LDAP directory structure is different, so you need to browse it.

In the LDAP Server you set up in the last step, use the Browse related link to browse the LDAP server and find the data you want to pull.

STEP3 (continued): LDAP OU Definitions

After you determine the data you want to pull, update the LDAP OU Definitions (located in the LDAP Server record at the bottom of the form).

Click the Browse button on the LDAP OU Definition after you set it up to verify that it points at the right location and that the filter returns the entries you expect.

Sometimes you need to set up extra LDAP OU Definitions if the data lives in separate directories rather than in a single parent/child hierarchy.

LDAP OU Definition (User)

LDAP OU Definition (Groups)
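The Filter on an OU Definition is a plain LDAP search filter, so it is worth getting right once and reusing. The following is an added example (not ServiceNow code or code from the original post) that builds the user and group filters commonly used against Active Directory and escapes any value you splice into a filter according to RFC 4515. The attribute names and the 1.2.840.113556.1.4.803 bitwise matching rule are standard Active Directory; the helper names and the sAMAccountName prefix parameter are my own.

```javascript
// Added example: filter strings for an LDAP OU Definition against Active Directory.
// Not part of ServiceNow; paste the resulting string into the Filter field.

// RFC 4515 section 3: '*', '(', ')', '\' and NUL must be hex-escaped inside a
// filter value, otherwise a user-supplied value can change the filter's meaning.
function escapeFilterValue(value) {
    return String(value).replace(/[\\*()\u0000]/g, function (ch) {
        var hex = ch.charCodeAt(0).toString(16);
        return '\\' + (hex.length < 2 ? '0' + hex : hex);
    });
}

// LDAP_MATCHING_RULE_BIT_AND (AD OID 1.2.840.113556.1.4.803) on
// userAccountControl with ACCOUNTDISABLE (0x0002): matches only accounts
// whose disabled bit is clear.
var ENABLED_ACCOUNT = '(!(userAccountControl:1.2.840.113556.1.4.803:=2))';

// Enabled person accounts under the OU. The optional sAMAccountName prefix
// (an assumption of this example) narrows the result when browsing a large OU.
function userFilter(samPrefix) {
    var parts = ['(objectCategory=person)', '(objectClass=user)', ENABLED_ACCOUNT];
    if (samPrefix) {
        parts.push('(sAMAccountName=' + escapeFilterValue(samPrefix) + '*)');
    }
    return '(&' + parts.join('') + ')';
}

// Security groups only: groupType has the 0x80000000 (2147483648) bit set.
// Distribution lists are left out so they never become ServiceNow groups.
function groupFilter() {
    return '(&(objectClass=group)(groupType:1.2.840.113556.1.4.803:=2147483648))';
}
```

Excluding disabled accounts in the filter means they are never pulled into the import set; if you would rather import them and mark the sys_user record inactive (so assignments and history survive), leave `ENABLED_ACCOUNT` out here and handle `userAccountControl` in the transform map instead.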

STEP4: Data Source

Under each LDAP OU Definition there is a data source. From the data source you can run the import and see which import set the data is loaded into.

Click “Load All Records” to load the data into import sets.

STEP5: Import Sets

Import sets are temporary “staging tables” in ServiceNow where data sits before it is “transformed” into actual ServiceNow data. Out-of-the-box, the user import set is ldap_import, and the group import set is ldap_group_import.

Review the import set data and make sure the columns created for the data are big enough. You may need to increase the size of a column in the import set if data is being truncated.

STEP6: Transform Maps

When you get to the Transform Maps, make sure you are testing this work in development first!

The transform maps convert the data from the import set into actual user and group records.

The LDAP User Import transform map is the one you typically modify. Some common configurations of the user transform map:

  • Coalesce Match. It is important to choose a coalesce field in the field map so that you don’t get duplicate user records. Companies often use samaccountname or objectguid for the coalesce field. objectguid is the safer choice because it never changes, while a samaccountname can be renamed or reused for a different person; if you coalesce on samaccountname, make sure the value is matched case-insensitively.

  • Additional fields. If you have additional fields to map, here’s the place.

  • When you are ready to transform, click the Transform related link in the Transform Map.

    View the import log after the data load to see whether any errors occurred.
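As an added example of the kind of script a user transform map picks up (my own code, not ServiceNow’s out-of-the-box map or the original post’s), the function below normalises the coalesce value, marks disabled AD accounts inactive instead of dropping them, and skips rows that have no account name. It assumes the import-set columns are named u_samaccountname, u_useraccountcontrol and u_dn (the columns ServiceNow creates for the attributes listed on the LDAP server record; verify the names against your ldap_import table) and that the target is sys_user.

```javascript
// Added example: row logic for the LDAP User Import transform map.
// In ServiceNow this runs inside the map's script field, where source
// (ldap_import row), target (sys_user row), log and ignore are in scope.

// ACCOUNTDISABLE bit of userAccountControl (0x0002, per AD documentation).
var UAC_ACCOUNTDISABLE = 0x0002;

function isDisabledByUac(uac) {
    // Import-set values arrive as strings. An unparsable value is treated as
    // disabled so a malformed row can never silently activate an account.
    var bits = parseInt(String(uac), 10);
    if (isNaN(bits)) {
        return true;
    }
    return (bits & UAC_ACCOUNTDISABLE) !== 0;
}

// Returns true when the row should be skipped (ServiceNow: ignore = true).
function applyLdapUserRow(source, target, log) {
    var sam = String(source.u_samaccountname || '').trim();
    if (sam === '') {
        log.warn('LDAP import: skipping row with empty sAMAccountName, dn=' + source.u_dn);
        return true;
    }
    // Lower-case the coalesce value so "JDoe" and "jdoe" hit the same sys_user.
    target.user_name = sam.toLowerCase();
    // Disabled AD accounts become inactive users instead of being deleted,
    // keeping their history and assignments intact.
    target.active = !isDisabledByUac(source.u_useraccountcontrol);
    return false;
}

// Wiring inside the transform map's Script field (assumed default template):
// (function transformRow(source, target, map, log, isUpdate) {
//     ignore = applyLdapUserRow(source, target, log);
// })(source, target, map, log, isUpdate);
```

Test this in a sub-production instance first, and after the first transform compare the count of active users against the number of enabled accounts in the OU; a mismatch usually means the userAccountControl column was truncated or not imported at all.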

STEP7: Scheduled Loads

Once your data imports correctly, schedule the data loads. This is done under System LDAP > Scheduled Loads: activate the data import and set a run schedule. Most companies run it daily in the evening.

