
Washington DC Platform security

Last updated: April 5, 2024

PDF generated on April 5, 2024


©2024 ServiceNow. All rights reserved. Terms of Use Privacy Statement
ServiceNow, the ServiceNow logo, Now, and other ServiceNow marks are trademarks and/or registered trademarks of ServiceNow, Inc., in
the United States and/or other countries. Other company and product names may be trademarks of the respective companies with which
they are associated.

Some examples and graphics depicted herein are provided for illustration only. No real association or connection to ServiceNow products or services is intended or should be inferred.

This PDF was created from content on docs.servicenow.com. The web site is updated frequently. For the most current ServiceNow product documentation, go to docs.servicenow.com.

Company Headquarters
2225 Lawson Lane
Santa Clara, CA 95054
United States
(408)501-8550


LDAP integration
An LDAP integration allows your instance to use your existing LDAP server
as the primary source of user data.

Administrators integrate with a Lightweight Directory Access Protocol (LDAP) directory to streamline the user login process and to automate administrative tasks such as creating users and assigning them roles. An LDAP integration allows the system to use your existing LDAP server as the primary source of user data. Typically, an LDAP integration is also part of a single sign-on implementation.

The integration uses the LDAP service account credentials to retrieve the
user distinguished name (DN) from the LDAP server. Given the DN value
for the user, the integration then rebinds with LDAP with the user's DN and
password. The password that the user enters is contained entirely in the
HTTPS session. The integration never stores LDAP passwords.

The integration uses a read-only connection that never writes to the LDAP
directory. The integration only queries for information, and then updates
its internal database accordingly.

Note: For detailed information about setting up the integration, see LDAP integration setup.

Note: If your instance is using an LDAP integration and the Active Directory settings require users to reset their password upon login, your users will not be able to log in to the instance. The instance cannot change any user's Active Directory password.

Features of LDAP integration

LDAP integration features include the following.

Scheduled LDAP refresh

A scheduled scan of your LDAP server is usually run once a night. It queries all applicable user records' attributes and compares them with the account on our servers. If there is a difference, we modify our user record with the changed attribute. The load placed upon the LDAP server during the refresh depends on how many records are queried, and the number of attributes being compared. We recommend scheduling the refresh during off-peak hours. A large refresh operation can affect other scheduled operations, such as running reports, and should be planned to minimize any conflicts.

LDAP listener

LDAP listener is our version of a persistent query (or persistent search). We issue a standing query for changes made to your LDAP server, and constantly listen for a response. Assuming your server supports a persistent search, any changes made to any of your applicable LDAP accounts are returned to the LDAP listener and sent to your instance within approximately 10 seconds. This is an extremely useful tool, allowing us to have a nearly real-time copy of your users' account details, without having to wait for the next scheduled refresh.

On-demand LDAP login

After an LDAP integration is established, the instance can allow new users
to log in to the system even if they do not yet have an account on
the instance. When a new user attempts to log in to the instance, the
integration checks to see if this user has an account in the instance. If
the integration does not find an existing user account, it automatically
queries the LDAP server for the username that was entered. If a matching
LDAP account is found, the integration tries to authenticate with the
password the user entered. If the password is valid, the instance creates
an account for the user, populates the account with all applicable LDAP
information, and logs the user in to the instance.

On-demand login uses the LDAP User Import transform map. For more
information on transform map requirements, see LDAP transform maps.

LDAP data population

Note: Functionality described in this integration is not available by default. This integration involves post-deployment customization performed by an experienced administrator or by ServiceNow professional services consultants.

An integration to the LDAP servers allows you to quickly and easily populate the instance's database with user records from the existing LDAP database. To prevent data inconsistencies, you can create, ignore, or skip incoming LDAP records.


You can also limit the data the integration imports by specifying LDAP
attributes, thereby importing only the data that you want to expose to an
instance. Typically, the LDAP attributes you specify become part of the
integration transform map. If you do not specify any LDAP attributes, the
integration imports all available object attributes from the LDAP server.
The instance stores imported LDAP data in temporary import set tables,
so the more attributes you import, the longer the import time. For more
information, see Specify the LDAP attributes.

LDAP authentication

Use LDAP authentication to let users access the instance with their LDAP credentials.

When a user enters network credentials in the login page:

1. The instance passes the credentials to an LDAP server to find the instance.

2. With RDNs, it validates the user's DN string. It validates only if at least one of the LDAP OU configurations with table=sys_user has an RDN configured.

3. The LDAP server responds with an authorized or unauthorized message that the system uses to determine whether access should be granted.

By authenticating against your LDAP server, users access the platform with the same credentials that they use for other internal resources on your network domain. Also, you can reuse any existing password and security policies that are already in place. For example, the LDAP server may already have account lockout and password expiration policies.

When you enable LDAP, the system updates user records with these
fields.

LDAP user record updates

Field | Description
Source | Identifies whether or not LDAP is used to validate a user. If the source starts with ldap, then the user is validated via LDAP. If the source does not start with ldap, then the password on the user record is used to validate the user upon login.
LDAP Server | Identifies which LDAP server authenticates the user when there are multiple LDAP servers.

Note: The system does not support LDAP password authentication through a MID Server. An instance must be able to directly connect with an LDAP server to support password authentication.

Understanding LDAP integration


An LDAP integration allows your instance to use your existing LDAP server
as the primary source of user data.

LDAP integration prerequisites

• The directory services server must be LDAP v3 compliant

• Inbound network access through the firewall must be allowed (to the
LDAP server)

• External IP or Name of the LDAP server

• User credentials with read-only access

• For LDAPS, a PKI certificate

LDAP integration timing

LDAP integrations are usually done before the instance Go Live, but can
be integrated at any time.

LDAP server data integrity

Some users are concerned about a third party (the instance in this case)
making changes (writing) to your LDAP server. In an LDAP integration,
your instance does not write to the internal LDAP directory. The instance
queries for information, and updates its database accordingly.


No changes are made to the internal LDAP server by the instance. The
service account is read only.

Most changes (including additions) to your LDAP server are available to the instance within seconds, depending on how many components of the full LDAP integration are in place.

To keep LDAP records synchronized, schedule a periodic scan of the LDAP server to pick up changes.

The instance does not synchronize department records. Users and group
memberships are kept up-to-date by the LDAP Listener mechanism and
a daily full LDAP Browse, but the instance does not delete any of these
entries once they disappear from LDAP.

If an entry were to be deleted, the entire history would also get deleted,
and any references to it would be cleared or deleted. Configuration
Items (CIs), SLA Agreements, Software Licenses, Purchase Orders, and
Service Catalog Entries all have a reference to Department, and if
Department is deleted, then those references get cleared. There are
many references to Users, and so deleting a user would lose all history of
what that user did. Currently, the decision to delete or not to delete is
made by our customers.

Security

The connection is made from a single machine using a fixed IP address through a specific port on your firewall. Authentication is done with a read-only LDAP account of your choosing. You can use standard LDAP, or load the public side of an SSL certificate installed on your directory, in which case we can use LDAPS. To add another layer of security, we also offer the option of a point-to-point IPSEC VPN tunnel. Speak to your account manager for details and pricing.

Secure LDAP connections

Connection | Description
MID Server | To shield your LDAP server from external network traffic, install a MID Server on the local network and configure the system to communicate with the MID Server over a secure channel.
LDAPS | To establish an encrypted LDAPS connection, load the public side of your LDAP server's SSL certificate. The integration uses the certificate to encrypt all communication between the LDAP server and the instance.
VPN | To secure the LDAP server with an encrypted point-to-point IPSEC VPN tunnel, speak to your account manager for details and pricing.

Another security aspect to consider is the data shared in an LDAP integration. To limit the data exposed to your instance, specify attributes in your transform map. For more information, see LDAP transform maps.

Importing LDAP data to the instance

It is recommended that attributes are defined to import only required data. Defined attributes get mapped into the instance user database.

We cannot answer the question of which specific attributes are needed because this is determined by the scope of the project and business requirements.

Supported types of LDAP servers

The instance has successfully integrated with Microsoft Active Directory, Novell, Domino (Lotus Notes), and Open LDAP. We use JNDI to interface with the LDAP Server. As long as your LDAP server is LDAP v3 compliant, the integration is successful.

LDAP single-sign-on

Along with the data population functionality provided with the LDAP import, you can use the External Authentication functionality supported by the application to prevent your users from needing to sign on each time.

Multiple LDAP domains

The recommended method for handling multiple domains is to create a separate LDAP server record for each domain. Each LDAP server record must point to a domain controller for that domain. This means the local network must allow connections to each of the domain controllers.

After expanding to more than one network domain, it is critical that you identify unique LDAP attributes for the application usernames and import coalesce values. A common unique coalesce attribute for Active Directory is objectSid. Unique usernames may vary based on the LDAP data design. Common attributes are email or userPrincipalName.

Handling query limits

By default, Active Directory 2000/2003 has an LDAP query limit (maxPageSize) of 1000 objects to prevent excessive loads and denial of service attacks. We have two methods of dealing with this limit.

The default method is to break up the query to return less than 1000
objects at a time. For example, query only for object starting with the
letter 'a', then query for 'b' objects. The more efficient method for large
environments is to enable paging. Paging is supported by default on all
Microsoft Active Directory servers. It automatically splits the results into
multiple result sets, so we don't have to split up the query into multiple
requests.

LDAP query type

If an LDAP password is supplied then a "Simple Bind" is performed. If no LDAP password is supplied then "none" is used, in which case the LDAP server must allow anonymous login.

LDAP authentication

We use the provided service account credentials for LDAP to retrieve the user DN from the LDAP server. Given the DN value for the user, we then rebind with LDAP using the user's DN and the provided password.


Password storage

The password that the user enters is contained entirely in their HTTPS
session. We do not store that password anywhere.

Setting up LDAP authentication

These fields on the user record pertain to LDAP:

• Source: The Source field identifies whether or not a user is validated using LDAP. If the Source field starts with "ldap", then the user is validated via LDAP. If the Source field does not start with "ldap", then the password on the user record is used to validate the user upon login.

• LDAP Server: The instance supports multiple LDAP servers, so the LDAP
Server field determines which server should be used to authenticate the
user.
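The login decision described above (Source field check, the service-account search followed by a rebind as the user, and on-demand account creation) traced in Python as an added example; this is not ServiceNow code, and the in-memory directory, the service account DN, the sAMAccountName lookup attribute and every password are constructed assumptions.

```python
"""Model of the instance-side LDAP login flow. Added illustration, not platform
code: the directory and the instance user table are constructed in memory so
the two-step bind can be traced offline (the real platform uses JNDI)."""
from dataclasses import dataclass, field


@dataclass
class DirectoryEntry:
    """One LDAP object: DN, attributes, and the password the directory checks on bind."""
    dn: str
    attrs: dict
    password: str


class FakeLdapServer:
    """Constructed stand-in for an LDAP v3 server: simple bind plus a one-attribute search."""

    def __init__(self, entries):
        self._entries = {e.dn: e for e in entries}
        self.bind_log = []   # (dn, succeeded) in order, to trace the two-step bind

    def bind(self, dn, password):
        entry = self._entries.get(dn)
        ok = entry is not None and entry.password == password
        self.bind_log.append((dn, ok))
        return ok

    def search(self, attribute, value):
        """Return the DN of the entry whose attribute equals value, or None."""
        for entry in self._entries.values():
            if entry.attrs.get(attribute) == value:
                return entry.dn
        return None


@dataclass
class InstanceUser:
    """The user record fields that matter for login."""
    user_name: str
    source: str               # starts with "ldap" when LDAP validates this user
    ldap_server: str = ""     # which LDAP server record authenticates the user
    local_password: str = ""  # used only when source does not start with "ldap"


@dataclass
class Instance:
    ldap_servers: dict                    # LDAP server record name -> FakeLdapServer
    users: dict = field(default_factory=dict)
    default_server: str = "ldap_server_1"
    # Read-only service account; DN and secret are constructed values.
    service_dn: str = "cn=svc-readonly,ou=services,dc=example,dc=com"
    service_password: str = "svc-secret"
    user_attribute: str = "sAMAccountName"   # assumed username attribute

    def ldap_authenticate(self, server, username, password):
        """Two-step bind: the service account finds the DN, then rebind as the user."""
        if not server.bind(self.service_dn, self.service_password):
            return None
        dn = server.search(self.user_attribute, username)
        if dn is None:
            return None
        return dn if server.bind(dn, password) else None

    def login(self, username, password):
        """Return 'granted' or 'denied'; creates the record on a successful on-demand login."""
        user = self.users.get(username)
        if user is None:
            # On-demand LDAP login: no instance account yet, so ask the directory.
            server = self.ldap_servers[self.default_server]
            if self.ldap_authenticate(server, username, password) is None:
                return "denied"
            # The new record carries the LDAP source; the typed password is never stored.
            self.users[username] = InstanceUser(username, "ldap:" + self.default_server,
                                                self.default_server)
            return "granted"
        if user.source.startswith("ldap"):
            server = self.ldap_servers[user.ldap_server]
            ok = self.ldap_authenticate(server, username, password) is not None
            return "granted" if ok else "denied"
        # Source does not start with "ldap": validate against the local record only.
        return "granted" if user.local_password == password else "denied"


def build_sample():
    """Constructed directory with a service account and two people; the instance knows one."""
    directory = FakeLdapServer([
        DirectoryEntry("cn=svc-readonly,ou=services,dc=example,dc=com", {}, "svc-secret"),
        DirectoryEntry("cn=alice,ou=users,dc=example,dc=com", {"sAMAccountName": "alice"}, "alice-pw"),
        DirectoryEntry("cn=bob,ou=users,dc=example,dc=com", {"sAMAccountName": "bob"}, "bob-pw"),
    ])
    inst = Instance(ldap_servers={"ldap_server_1": directory})
    inst.users["alice"] = InstanceUser("alice", "ldap:ldap_server_1", "ldap_server_1")
    inst.users["carol"] = InstanceUser("carol", "", local_password="carol-pw")
    return inst, directory


if __name__ == "__main__":
    inst, directory = build_sample()
    print(inst.login("alice", "alice-pw"))  # granted: service bind, then user rebind
    print(inst.login("bob", "bob-pw"))      # granted: record created on demand
    print(directory.bind_log)
```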

LDAP integration requirements


Review the requirements for LDAP integration, which include a PKI certificate and an LDAP compliant directory services server.

LDAP integration requires:

• An LDAP v3 compliant directory services server

• Allows inbound network access through the firewall (to the LDAP
server)

• (Optional) Accepts anonymous login

• (Optional) Supports paging for large LDAP queries

• The external IP address or fully-qualified domain name of the LDAP server. You can also use a MID server.

• A read-only LDAP account of your choosing

• For multiple domains, network access for each domain controller

• For LDAPS, a PKI certificate

• For LDAP listener, a Microsoft Active Directory server that supports persistent queries (ADNotify)


Supported LDAP servers


Using JNDI to interface with the LDAP server, the instance has successfully
integrated with the following servers:

• Microsoft Active Directory

• Novell

• Domino (Lotus Notes)

• Open LDAP

LDAP query limits

By default, Active Directory 2000/2003 has an LDAP query limit (maxPageSize) of 1000 objects to prevent excessive loads and denial of service attacks. The system has two methods of dealing with this limit.

• The default method is to break up the query to return fewer than 1000
objects at a time. For example, query only for objects starting with the
letter a, then query for b objects.

• The more efficient method for large environments is to enable paging, which is supported by default on all Microsoft Active Directory servers. Paging automatically splits the results into multiple result sets so the integration does not have to split up the query into multiple requests.
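The query-splitting method above (here and under Handling query limits) carried through as the general algorithm, as an added example rather than the platform's own code: it refines the filter one prefix character at a time ('a*', 'b*', then 'a0*', ...) until every filter returns fewer than the limit. The count callback, the objectClass=user filter and the sAMAccountName attribute are assumptions.

```python
"""Prefix splitting of an LDAP query to stay under a server-side size limit.

Added illustration, not platform code. `count_matching` stands in for a search
against the directory and returns how many objects match a filter. With a real
server you would issue the search and treat a size-limit-exceeded result as
"at or above the limit"; here it counts over a constructed name list."""
import string

MAX_PAGE_SIZE = 1000   # default maxPageSize of Active Directory 2000/2003 (from the text)
ALPHABET = string.ascii_lowercase + string.digits


def prefix_filter(attribute, prefix):
    """Build the LDAP filter for user objects whose attribute starts with prefix."""
    return f"(&(objectClass=user)({attribute}={prefix}*))"


def split_query(count_matching, attribute="sAMAccountName", prefix="",
                limit=MAX_PAGE_SIZE, max_depth=4):
    """Return [(filter, count), ...] where every count is below `limit`.

    Starts from the unrestricted filter and, whenever a prefix would return
    `limit` or more objects, refines it one character at a time. Prefixes that
    match nothing are dropped so they are never queried again.
    """
    flt = prefix_filter(attribute, prefix)
    n = count_matching(flt)
    if n == 0:
        return []
    if n < limit:
        return [(flt, n)]
    if max_depth == 0:
        # Cannot narrow further by prefix; surface it rather than loop forever.
        raise RuntimeError(f"{flt} still returns {n} objects; enable paging")
    pieces = []
    for ch in ALPHABET:
        pieces.extend(split_query(count_matching, attribute, prefix + ch,
                                  limit, max_depth - 1))
    return pieces


def make_counter(names, attribute="sAMAccountName"):
    """Constructed stand-in for the directory: counts names matching the filter prefix."""
    lead = f"(&(objectClass=user)({attribute}="

    def count_matching(flt):
        assert flt.startswith(lead) and flt.endswith("*))")
        prefix = flt[len(lead):-3]
        return sum(1 for name in names if name.startswith(prefix))
    return count_matching


def sample_names():
    """Constructed directory: 1500 accounts starting with 'a', 300 with 'b', 50 with 'c'."""
    return ([f"a{i:04d}" for i in range(1500)]
            + [f"b{i:03d}" for i in range(300)]
            + [f"c{i:02d}" for i in range(50)])


if __name__ == "__main__":
    for flt, n in split_query(make_counter(sample_names())):
        print(f"{n:5d}  {flt}")
```

With the constructed names the unrestricted query and 'a*' both exceed the limit, so the result is ten 'a00*'..'a09*' filters, one 'a1*', one 'b*' and one 'c*'; a directory where more than the limit share one long prefix raises instead of looping.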

LDAP integration setup


Administrators can enable LDAP integration to allow sign-on of users from
their company LDAP directory.

LDAP typically uses one of these types of communication channels.

LDAP communication channels

Connection | Description | LDAP import support? | LDAP authentication support?
MID Server connection | Communicates over HTTP on port 80 by default. This communication channel does not require a certificate. The connection between the MID Server and the instance is over HTTPS (port 443). You can use the MID Server to import data over LDAP, but you cannot use the MID Server for LDAP authentication. Proceed to Define the LDAP Server. | Yes | No
Standard LDAP integration | Communicates over TCP on port 389 by default. This communication channel does not require a certificate. Proceed to Define the LDAP Server. | Yes | Yes
LDAP integration (LDAPS) | Communicates over TCP on SSL-encrypted port 636 by default. This communication channel requires a certificate. Proceed to Install the LDAP X.509 SSL certificate to obtain and upload the certificate. | Yes | Yes
VPN connection | Communicates over an IPSEC tunnel. Purchase or create an IPSEC tunnel on your local network. Proceed to Define the LDAP Server. | Yes | Yes

If using a MID Server, the MID Server connects to the instance and the
MID Server also connects to the LDAP server. In both cases, the MID
Server initiates the connection:

1. First, the MID Server connects to the LDAP server via LDAP on Port 389.

2. Then, the MID Server initiates an HTTPS encrypted connection to the instance on Port 443 to push the data to the instance.

For more information about VPNs, Mid Servers, and LDAP, see You Don't
Need A VPN Part II on the community.

Install the LDAP X.509 SSL certificate


You can install an X.509 certificate for your LDAP integration.

Before you begin

Role required: admin


Procedure

1. Purchase or generate an SSL certificate on your LDAP server.

2. Navigate to LDAP > Certificate and click New.

3. Fill in the form fields:

Field | Description
Name | The certificate name.
Expiration notification | Select this option to send a notification to the users selected in the Notify on expiration field. By default, this is enabled.
Notify on expiration | Select the users to receive the notification regarding certificate expiration. If no users are selected, the logged in user is added by default, along with the last two logged in users with the administrator role.
Warn in days to expire | The number of days before expiration that the instance sends the notification. Enter a value of at least 20. Instances upgraded to Istanbul and later releases have this value set to 20 unless a greater value is specified.
Active | A check box to indicate that this certificate is active.
Format | The format of the certificate.
Type | The certificate container. The instance recognizes certificates from trust stores, Java keystore, and PKCS#12 keystores.
Valid from | The instance automatically adds the certificate valid from date to this field. Attach the certificate to the X.509 certificate record to populate this field.
Expires | The instance automatically adds the certificate expiration date to this field. Attach the certificate to the X.509 certificate record to populate this field.
Expires in days | The calculated number of days to expiration.
Short description | A description for the certificate.
Issuer | The instance automatically adds the certificate issuer to this field. Attach the certificate to the X.509 certificate record to populate this field.
Subject | The instance automatically adds the certificate subject to this field. Attach the certificate to the X.509 certificate record to populate this field.
PEM Certificate | Enter the value of the X509 certificate.

Note: The integration does not currently sign the certificate in communications between the instance and the IdP.

4. Click Save.

What to do next

Click Validate Stores/Certificates to test the trust store and certificate.


Define an LDAP server


Create a new LDAP server record in the instance.

Before you begin

Role required: admin.

Procedure

1. Navigate to All > System LDAP > Create New Server.

2. Fill in the form fields.

In the Server URL field, the valid URLs of all servers appear separated
by a space. Servers are first ordered by operational status, with
servers that are Up listed first, then ordered by the Order value that
you specify. The first server listed is the primary LDAP server. The others
are redundant servers.


Note: There is a slight delay between the change in the actual operational status and the display.

Alternatively, you can add a redundant LDAP server by navigating to an existing LDAP server record and inserting a row in the LDAP Server URLs embedded list.

3. Click Submit.

Note: You can also modify an existing LDAP server record by navigating to System LDAP > LDAP Servers and making the needed changes.

4. Make changes to the fields as necessary.


LDAP server form

Field Description

Name Enter the name of the server.

PDF generated on April 5, 2024 17


©2024 ServiceNow. All rights reserved. Terms of Use Privacy Statement

ServiceNow, the ServiceNow logo, Now, and other ServiceNow marks are trademarks and/or registered trademarks of ServiceNow, Inc., in the
United States and/or other countries. Other company and product names may be trademarks of the respective companies with which they are
associated.
Washington DC Platform security

Field Description

Select this check box if the server


Active
is active.

Enter the URLs of the primary and


backup LDAP servers. Servers
are first ordered by operational
status, with servers that are Up
LDAP Server URLs listed first, then ordered by the
Order value that you specify. The
first server listed is the primary
LDAP server. The others are
redundant servers.

Enter the URL of the server.


Configure the form to add
this field if necessary. It is a
calculated read-only field that
shows the list of LDAP servers
Server URL
that you can also see in the
LDAP Server URLs field, separated
by a space, and ordered by
operational status and the order
values of the URLs.

Enter the distinguished name


(DN) of the user authenticating
the LDAP connection.

To access an LDAP directory


Login distinguished name
server, the username must be
in the full distinguished name
format: servicenow@service-
now.com

Login password Enter the server's password.

Enter the relative distinguished


Starting search directory name (RDN) of the default
search directory. All queries to

PDF generated on April 5, 2024 18


©2024 ServiceNow. All rights reserved. Terms of Use Privacy Statement

ServiceNow, the ServiceNow logo, Now, and other ServiceNow marks are trademarks and/or registered trademarks of ServiceNow, Inc., in the
United States and/or other countries. Other company and product names may be trademarks of the respective companies with which they are
associated.
Washington DC Platform security

Field Description
this LDAP server will start from this
RDN.

Select the MID Server you want


to use to connect to the LDAP
server. Using a MID Server to
establish an LDAP connection
prevents you from having to
expose the LDAP server to
external network traffic. It also
eliminates the need to establish
a VPN tunnel between your
LDAP server and ServiceNow
data centers.

MID Server Note:

• The MID Server user must


have the user_admin
role in order to be able
to read LDAP server
configuration records.

• The following are not


available with the MID
Server:

• LDAP authentication

• SSL connection

If a MID Server is configured,


the connection times out after
Connect timeout 10 seconds, regardless of this
setting. This setting is hard-coded
and cannot be altered.

Specify the number of seconds


Read timeout the integration has to read LDAP
data. The integration stops

PDF generated on April 5, 2024 19


©2024 ServiceNow. All rights reserved. Terms of Use Privacy Statement

ServiceNow, the ServiceNow logo, Now, and other ServiceNow marks are trademarks and/or registered trademarks of ServiceNow, Inc., in the
United States and/or other countries. Other company and product names may be trademarks of the respective companies with which they are
associated.
Washington DC Platform security

Field Description
reading LDAP data after the
connection exceeds the read
timeout. If you enable an SSL
connection, you can also set a
read timeout value with
thecom.glide.ssl.read.timeoutsyst
em property. If you enter timeout
values for both this field and the
system property, the lowest
timeout value takes
precedence.

SSL
    Select this check box to require the LDAP server to make an SSL-encrypted connection. If you selected a MID Server, this field is not available. If you use an LDAPS integration on the default SSL port, 636, no further configuration is necessary; SSL is enabled automatically. If the LDAPS integration uses another SSL port, define the alternate SSL connection properties.

    Note: Be sure a network administrator configures the local firewall to allow the application server to access the LDAP server. If the LDAP server is located within an internal network, the firewall forwards (or NATs) the application server's IP address through the firewall on the correct port.

Listener
    Select this check box to enable the integration to periodically poll Microsoft Active Directory servers or LDAP servers that support the persistent search request control. If you selected a MID Server, the listener functionality is also available for that MID Server. See Enable an LDAP listener and set system properties for more information.

Listen interval (timeout value)
    Specify, in minutes, how long the integration listens for LDAP data with every connection. The integration stops listening for LDAP data after the connection exceeds the listen interval.

Paging
    Select this check box to have the LDAP server split LDAP attribute data into multiple result sets rather than submit multiple queries.

Note: If you provide an LDAP password, the integration performs a Simple Bind operation. If you do not provide an LDAP password, the LDAP server must allow anonymous login or the integration cannot bind to the LDAP server. A Simple Bind sends the password to the LDAP server in clear text, so pair it with an SSL (LDAPS) connection.

Result

When an LDAP Server record is set to active, the system automatically tests every connection to validate it.

Validations include:

• The LDAP server is accessible at the provided URL and port

• The LDAP server URL is properly formatted

• The login credentials are valid

Starting with the Fuji release, the system displays colored dots next to
each server URL:

LDAP server connection icons

Color   Description
Green   The server is active and operational.
Gray    The server is neither active nor operational.
Red     The server is active but not operational.

LDAP server connection status

Enable an LDAP listener and set system properties


Enabling a listener is optional. If enabled, a listener notifies the system to
process LDAP records soon after there is an update on the LDAP server.

Before you begin

Role required: admin.

About this task

A listener is a dedicated process that periodically searches for changes on the LDAP server.

The listener can be deployed on a Microsoft Active Directory server that supports persistent queries (ADNotify), or on an LDAP server that supports the persistent search request control (OID 2.16.840.1.113730.3.4.3).

If the LDAP server supports a persistent search, the LDAP listener recognizes any user and group changes made to any of the applicable LDAP accounts and forwards them to your instance within approximately 10 seconds. This allows the instance to have a nearly real-time copy of your users' account details without having to wait for the next scheduled refresh. The LDAP listener can only synchronize objects that map to the User [sys_user] and Group [sys_user_group] tables.

Note: If a user is added via the listener, but the user does not
meet the requirements as defined by the OU filter, then the instance
ignores the record on the LDAP server. If it meets the criteria, the user
is added to the instance.

To enable a listener:

Procedure

1. Navigate to All > System LDAP > LDAP Servers.

2. Select the LDAP server to configure.

3. Select the Listener check box.

4. Click Update.
Note:

The system only imports user records that match the LDAP
OU filter. Incoming user records that do not meet the filter
requirements are flagged as invalid and ignored by the import.
Administrators can enable verbose LDAP logging to determine if
incoming records are not matching the LDAP OU filter.

5. (Optional) Navigate to the System Properties [sys_properties] table and set LDAP listener system properties.
LDAP listener properties

glide.ldap.listener.use_background_transaction
    When true, the LDAP listener is started as a background transaction. By running the LDAP listener as a background transaction, the quota rule LDAP Listener Start/Stop Transaction can cancel the transaction after the maximum duration is reached, 5 minutes by default. This behavior prevents an LDAP listener from waiting indefinitely.
    Note: This property applies only to LDAP connections that do not use a MID Server. Use glide.ldap.listener.mid.use_background_transaction to control the behavior of LDAP connections that go through a MID Server.
    • Type: true | false
    • Default value: false
    • Location: Add to the System Properties [sys_properties] table

glide.ldap.listener.mid.use_background_transaction
    When true, the LDAP listener is started as a background transaction. By running the LDAP listener as a background transaction, the quota rule LDAP Listener Start/Stop MID Transaction can cancel the transaction after the maximum duration is reached, 5 minutes by default. This behavior prevents an LDAP listener from waiting indefinitely.
    Note: This property applies only to LDAP connections that use a MID Server. Use glide.ldap.listener.use_background_transaction to control the behavior of LDAP connections that do not go through a MID Server.
    • Type: true | false
    • Default value: false
    • Location: Add to the System Properties [sys_properties] table

glide.ldap.listener.mid.one_listener
    When true, only a single ECC queue message is created to start or stop the LDAP listener through a MID Server. When false, multiple ECC queue messages can be created, leading to the creation of multiple threads to start or stop the LDAP listener.
    • Type: true | false
    • Default value: true
    • Location: Add to the System Properties [sys_properties] table

Specify the LDAP attributes


Specify the attributes included in LDAP server queries by using the LDAP
server Attributes field. This can enhance performance as well as security.

Before you begin

Role required: admin

About this task

By default, the system loads all of the attributes for each object that it has permission to read from your LDAP server. Using the Attributes field, you can specify and thereby limit the attributes the LDAP query returns. Using this approach for large LDAP imports can greatly improve the speed of those imports.

Procedure

Explicitly define attributes where possible.

If there is information that you do not want exposed to the instance, exclude the attribute. If you do not specify LDAP server attributes, user transactions may freeze for extended periods of time when new attributes are added to an LDAP server object, because the system will be busy loading data from the new attributes.

Note: To use the manager lookup scripts described in Select or Create a Transform Map for LDAP Data, specify manager and dn (distinguished name) in the Attributes field. Neither attribute is required to be a part of a transform map.

Test an LDAP connection


The instance tests the connection automatically every time a user
opens the LDAP Server form. Alternatively, you can manually test the
connection to the LDAP server from the LDAP server form.

Before you begin

Role required: admin

About this task

By default, error messages appear on the LDAP server form if there are
any issues connecting to the LDAP server.
Note: ServiceNow support staff can also verify connectivity between the instance and the LDAP server. Contact Technical Support for assistance verifying LDAP connectivity.

To manually test a connection:

Procedure

1. Navigate to All > System LDAP > LDAP Servers.

2. Select the LDAP server to test.

3. Under Related Links, click Test connection.

4. (Optional) If the connection was successful, under Related Links, click Browse to verify that the appropriate source LDAP directory structure is visible to the instance.
   Note: The Filter and RDN fields on the left of the Browse window are ignored when you use the search field on the right.

Result

The instance changes the operational status of LDAP servers depending on the result of the connection test.

• If your instance establishes a connection to a server that has an Operational Status value of down, the Operational Status value is automatically changed to up. This applies to both automatic and manual connection tests.

• If a connection cannot be established to a server that has an Operational Status value of up, the Operational Status value is automatically changed to down. This applies to automatic connection tests only, not manual tests.

Define LDAP organizational units


An organizational unit (OU) definition specifies the LDAP source
directories available to the integration.

Before you begin

Role required: admin.

About this task

OU definitions can contain locations, people, or user groups. Every LDAP server definition contains two sample OU definitions: one for importing groups into the system and the other for users.

Procedure

1. Navigate to All > System LDAP > LDAP Servers.

2. Select the LDAP server to configure.

3. In the LDAP OU Definitions related list, select either the Groups or Users
sample OU definition.

4. Complete the LDAP OU Definition form (see table).

5. Click Update.
The system automatically tests the connection to the LDAP server.

6. Under Related Links, click Browse to view the LDAP directory records
that the OU definition returns.


OU Definition form

Name
    Specify the name the integration uses when referencing this OU. The name you enter here becomes an LDAP target in the data source record.

RDN
    Specify the relative distinguished name of the subdirectory you want to search. This RDN is combined with the start-searching directory from the LDAP server definition to identify the subdirectory containing information for this organizational unit. For example, the sample OU definition uses the RDN value of CN=Users to search the LDAP directory CN=Users,DC=service-now,DC=com and any directory below this point. This field must match a subdirectory in your LDAP system.

Query field
    Specify the name of the attribute within the LDAP server to query for records. The query field must be unique in both single and multiple domain instances. For best results, use email addresses or other identifiers that uniquely identify the user in a multiple domain instance. Active Directory uses the sAMAccountName attribute. Other LDAP servers tend to use the cn attribute.
    Note: The Query field must map to the User ID field in the User [sys_user] table. For example, if an Active Directory user logs in as joe.example, there must be a user record with a User ID value of joe.example and an LDAP record with an sAMAccountName value of joe.example.

Active
    Select this check box to activate the OU definition and to allow administrators to test importing data. The integration can only bring data into the system from active OU definitions.

Table
    Specify the table that receives the mapped data from your LDAP server. For users, select User [sys_user], and for groups, select Group [sys_user_group].

Filter
    Enter an LDAP filter string to select specific records to import from the OU. The more specific the LDAP filter query, the more efficient the query is. For example, the Users LDAP OU definition uses the following filter to select records that are classified as a person, have an sn attribute value, are not computers, and are not flagged as inactive:

    (&(objectClass=person)(sn=*)(!(objectClass=computer))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

    The last term uses the Active Directory bitwise AND matching rule (OID 1.2.840.113556.1.4.803) to test the ACCOUNTDISABLE bit (value 2) of userAccountControl. The LDAP filter syntax is defined in RFC 4515 (LDAP String Representation of Search Filters).

Example: Example organizational unit definitions

Suppose you have an LDAP server with the following directory structure:

dc=my-domain,dc=com
  • ou=Groups
    • cn=Development
    • cn=HR
    • cn=Sales
  • ou=Users
    • ou=Development
    • ou=HR
    • ou=Sales

Further suppose that you want to exclude the HR group and HR users from the application. Do the following:

1. Create an LDAP server record with a starting search directory of dc=my-domain,dc=com.

2. Create an OU definition record for ou=Groups with a filter to exclude cn=HR.

3. Create an OU definition record for ou=Users with a filter to exclude ou=HR.

If you do not specify additional attributes or filters with an OU definition, the LDAP query returns the entire sub-tree from the starting directory and RDN.

In these examples, an OU definition with the RDN value of ou=Groups and no filter would have returned all groups. Likewise, an OU definition with the RDN value of ou=Users and no filter would have returned all users and child organizational units.
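To make the RDN and Filter semantics concrete, here is an added example that is not code from the ServiceNow documentation: a small evaluator for the RFC 4515 filter syntax, run over a constructed directory laid out like the one above. It models an OU definition as base DN = RDN + start-searching directory with subtree scope, then applies the filter. It goes beyond the single sample filter on the page by handling and, or, not, presence, substring and equality items plus the Active Directory bitwise AND matching rule. The entries, account names and userAccountControl values are constructed; escaping, ordering and approximate matches are left out, and string comparison is case-insensitive as it is in Active Directory.

```python
"""Added example, not ServiceNow code: an RFC 4515 filter evaluator applied to a
constructed directory, modelling what an OU definition (RDN + start directory,
subtree scope, filter) returns.  Simplified: no escapes, no ordering or
approximate matches, case-insensitive string comparison as in Active Directory."""
import re

BIT_AND_RULE = "1.2.840.113556.1.4.803"   # Active Directory LDAP_MATCHING_RULE_BIT_AND
UAC_ACCOUNTDISABLE = 2                     # userAccountControl bit for a disabled account

# Constructed sample entries (DN -> attributes); not real accounts.
SAMPLE_ENTRIES = {
    "cn=Alice,ou=Sales,ou=Users,dc=my-domain,dc=com": {
        "objectClass": ["top", "person", "user"], "sn": ["Adams"],
        "sAMAccountName": ["alice"], "userAccountControl": ["512"]},      # enabled user
    "cn=Bob,ou=HR,ou=Users,dc=my-domain,dc=com": {
        "objectClass": ["top", "person", "user"], "sn": ["Brown"],
        "sAMAccountName": ["bob"], "userAccountControl": ["514"]},        # 512 | 2: disabled
    "cn=WS01,ou=Sales,ou=Users,dc=my-domain,dc=com": {
        "objectClass": ["top", "person", "computer"], "sn": ["WS01"],
        "sAMAccountName": ["WS01$"], "userAccountControl": ["4096"]},     # computer account
    "cn=svc-build,ou=Development,ou=Users,dc=my-domain,dc=com": {
        "objectClass": ["top", "person", "user"],
        "sAMAccountName": ["svc-build"], "userAccountControl": ["512"]},  # no sn attribute
    "cn=Development,ou=Groups,dc=my-domain,dc=com": {
        "objectClass": ["top", "group"], "cn": ["Development"]},
}

# The sample Users OU definition filter quoted on the page.
USERS_FILTER = ("(&(objectClass=person)(sn=*)(!(objectClass=computer))"
                "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))")


def parse_filter(text):
    """Parse an RFC 4515 filter string into a nested (op, args) tree."""
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing data in filter at offset %d" % pos)
    return node


def _expect(s, i, ch):
    if i >= len(s) or s[i] != ch:
        raise ValueError("expected %r at offset %d" % (ch, i))


def _parse(s, i):
    _expect(s, i, "(")
    i += 1
    if s[i] in "&|":                        # and / or: a list of sub-filters
        op, i, kids = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        _expect(s, i, ")")
        return (op, kids), i + 1
    if s[i] == "!":                         # not: exactly one sub-filter
        kid, i = _parse(s, i + 1)
        _expect(s, i, ")")
        return ("!", [kid]), i + 1
    end = s.index(")", i)                   # leaf item: attr[:rule:]=value
    m = re.fullmatch(r"([A-Za-z][\w.;-]*)(?::([\d.]+):)?=(.*)", s[i:end])
    if not m:
        raise ValueError("bad filter item: %r" % s[i:end])
    return ("=", m.groups()), end + 1


def matches(node, attrs):
    """Evaluate a parsed filter against one entry's attributes."""
    op, args = node
    if op == "&":
        return all(matches(k, attrs) for k in args)
    if op == "|":
        return any(matches(k, attrs) for k in args)
    if op == "!":
        return not matches(args[0], attrs)
    attr, rule, value = args
    vals = next((v for k, v in attrs.items() if k.lower() == attr.lower()), [])
    if not vals:
        return False                        # an absent attribute never matches
    if rule == BIT_AND_RULE:                # true when every bit of the mask is set
        mask = int(value)
        return any((int(v) & mask) == mask for v in vals)
    if rule is not None:
        raise ValueError("unsupported matching rule " + rule)
    if value == "*":
        return True                         # presence filter
    pattern = ".*".join(re.escape(part) for part in value.split("*"))
    return any(re.fullmatch(pattern, v, re.IGNORECASE) for v in vals)


def in_subtree(dn, base_dn):
    """Subtree scope: the entry is the base itself or sits anywhere below it."""
    d, b = dn.lower(), base_dn.lower()
    return d == b or d.endswith("," + b)


def select_entries(entries, start_dir, rdn, filter_text):
    """What an OU definition returns: RDN + start directory as the base, then the filter."""
    base = "%s,%s" % (rdn, start_dir)
    tree = parse_filter(filter_text)
    return sorted(dn for dn, attrs in entries.items()
                  if in_subtree(dn, base) and matches(tree, attrs))


if __name__ == "__main__":
    for dn in select_entries(SAMPLE_ENTRIES, "dc=my-domain,dc=com", "ou=Users", USERS_FILTER):
        print(dn)   # only Alice: Bob is disabled, WS01 is a computer, svc-build has no sn
```

Running it shows that the sample Users filter keeps only Alice: Bob is dropped because bit 2 of userAccountControl is set, WS01 because it carries objectClass computer, and svc-build because it has no sn. Dropping the userAccountControl term would import the disabled account, which is the case to test before relying on a filter to keep disabled people out of sys_user.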

Create a data source for LDAP


Each LDAP organizational unit (OU) definition has its own related list of
data sources.

Before you begin

Role required: admin


About this task

Note: Both the LDAP Server and LDAP OU Definition must be active
for the test load action to function properly. When the test load is
activated for the first time, the system samples up to 20 records to
determine the length of the import set fields. If the sampled records
do not contain values for the User ID field, the system sets the field
length for all subsequent imports to the default length of 40. The
import truncates any imported data that exceeds the import set
table field length. Additionally, the User ID field is truncated to a
maximum of 40 characters. Be aware that the 20 loaded records
cannot be transformed and are for testing purposes only. If the test
records contain values for the User ID field, the field length is set
based on the field length of the longest user ID in the test records.

To create a new data source:

Procedure

1. Navigate to All > System LDAP > LDAP Servers.

2. Select the LDAP server to configure.

3. In the LDAP OU Definitions related list, select an item, such as Groups or Users.

4. In the Data Sources related list, click New.

5. Complete the Data Source form (see table).

6. Click Submit.

7. Under Related Links, click Test Load 20 Records to test whether the
data source can bring LDAP data into the import table.
Data Sources form

Name
    Specify the name the integration uses when referencing this data source.

Import set table name
    Enter the name of the staging table where the system temporarily places the imported LDAP records and attributes. Review this table to view imported LDAP records. You can use the same import set table name for all LDAP data sources.

Type
    Select LDAP to indicate the imported data is LDAP data. After you select the type LDAP, the form displays the LDAP target field.

LDAP target
    Select the LDAP OU definition associated with this data source.

Auto provision LDAP users


You can automatically provision users who are in the LDAP server but not yet in your instance.

Before you begin

Role required: admin

Procedure

Create the following properties in the System Properties [sys_properties] table:

LDAP properties

glide.ldap.authentication
    Enables LDAP authentication, so that the instance uses LDAP to authenticate users. Set this property to true (the default value).

glide.ldap.user.autoprovision
    Enables the system to automatically create users in the User [sys_user] table when the user exists in LDAP but is not yet in the instance. Set this property to true (the default value).

Both of these properties must be set to true for auto-provisioning to work.

LDAP integration via MID Server


Administrators can integrate using an LDAP data source over a Management, Instrumentation, and Discovery (MID) Server.

The MID Server enables communication and movement of data between the Now Platform and external applications, data sources, and services. For details on installing a MID Server, see MID Server installation.

Using a MID Server to establish an LDAP connection prevents you from having to expose the LDAP server to external network traffic. It eliminates the need to establish a VPN tunnel between your LDAP server and datacenters. The MID Server user must have the user_admin role to be able to read LDAP server configuration records.
Note: The MID Server does not allow using the UI action <instance>/sys_ui_action.do?sys_id=1b4f7ef30a0001060058e223c9a5744c to refresh user and group records from LDAP.
A MID Server connection communicates over HTTP on port 80 by default. This communication channel does not require a certificate. The connection between the MID Server and the instance is over HTTPS (port 443). Without a MID Server, the instance connects to the LDAP server directly, using LDAP or LDAPS, either over the internet or through a VPN tunnel.
Note: LDAP cannot communicate via the MID Server with password authentication.
For secure communication over SSL, you must add an SSL certificate for the MID Server. Change the LDAP server URL from LDAP to LDAPS and change the port to 636.

Note: If you create a new LDAP server, the MID Server SSL flag is set to false by default. You can ignore this behavior.

To set connection properties for a specific LDAP server, see Define an LDAP server.

Configure LDAP connection monitoring


Change or disable LDAP connection monitoring and notifications.

Before you begin

Role required: admin

About this task

The instance automatically sends an email to users configured in the LDAP Admins group when an LDAP server connection fails. This uses the email notification launched by the LDAP Connection Test scheduled job. This email notification is enabled by default.
Note: The instance does not send the email notification unless there is at least one member in the LDAP Admins group. Make sure to populate this group with the users you want to receive the email.

By default, the scheduled job tests the connection every 15 minutes. To change this interval or disable monitoring:

Procedure

1. Navigate to All > System Definition > Scheduled Jobs.

2. Open LDAP Connection Test.

3. Do one of the following:

• Change the interval in the Repeat Interval field.


• Disable monitoring by clearing the Active check box.

Import binary data through a MID Server


As an administrator, you can import binary large object (BLOB) data with
an LDAP integration through the MID Server.

Before you begin

Role required: admin

About this task

Procedure

1. Add the name of the LDAP column you want to import binary data
from to the system property glide.ldap.binary_attributes.

2. Add a MID Server property with the Name glide.ldap.binary_attributes and the same value you set for the system property.

Troubleshooting LDAP integration via MID Server


You may encounter issues in the following areas while integrating LDAP
via MID Server.

You can troubleshoot these issues by viewing the outputs found in the
External Communication Channel (ECC) Queue (Discovery > Output and
Artifacts > ECC Queue).

Test Connection Issues


When defining OUs within the server, there is a Test connection related
list that is used to verify the LDAP connection. When you click this link,
the ECC Queue should show a single output message with a topic name
of LDAPConnectionTesterProbe. After the test has completed on the MID
Server, the ECC Queue should show an input message with the same
topic name. If the Name column for the input message shows true, the
test was successful. Drill down into the record to view the payload and
ensure it does not contain error messages.


Test Connection

Browse Issues

When defining OUs within the server, there is a Browse related list that is
used to view the LDAP directory records that the OU definition returns.
When you click this link, the ECC Queue should show a single output
message with a topic name of LDAPBrowseProbe. After data has been
returned from the MID Server, the ECC Queue should show an input
message with the same topic name. If the Name column for the input
message shows true, the test was successful. Drill down into the record to
view the payload and ensure it does not contain error messages.

Load Import Issues

When uploading data (for example, using the Test Load 20 Records
feature), the ECC Queue should show a single output message with a
topic name of LDAPProbe.

After data has been returned from the MID Server, the ECC Queue
should show another input message called LDAPProbeCompleted. The
Name column for this input message shows the total number of records
returned.

Additional input messages, also named LDAPProbe, are displayed. The Name column for each of these input messages shows the highest record number in its batch. If the total number of records returned is 258 and the batch size is 200 (the default), two LDAPProbe incoming messages (200 and 258) are received, and one LDAPProbeCompleted (258) incoming message is received.

Drill down into the record to view the payload and ensure it does not
contain error messages.
Import Load

Also keep an eye out for an output message called LDAPProbeError.


Error message

Click the link in the Name column to view the details of the error.
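As an added example that is not part of the ServiceNow documentation, the batch arithmetic described under Load Import Issues can be turned into a check over the rows you see in the ECC Queue: given the LDAPProbeCompleted total and the batch size, compute which LDAPProbe input messages should exist and report any that are missing, along with any LDAPProbeError. The ECC rows below are constructed, and the Name value shown for the output message is a placeholder.

```python
"""Added example, not ServiceNow code: reconstruct the ECC Queue input messages
a MID Server LDAP load should produce and check observed rows against them.
The rows below are constructed; the output message's Name is a placeholder."""

DEFAULT_BATCH_SIZE = 200   # batch size the page gives as the default


def expected_probe_names(total_records, batch_size=DEFAULT_BATCH_SIZE):
    """Name values of the LDAPProbe input messages for a load: one per batch,
    each the highest record number in that batch (258 records -> 200, 258)."""
    if total_records <= 0:
        return []
    highs = list(range(batch_size, total_records, batch_size))
    highs.append(total_records)
    return [str(n) for n in highs]


def check_ldap_load(ecc_rows, batch_size=DEFAULT_BATCH_SIZE):
    """ecc_rows: (queue, topic, name) tuples as listed in the ECC Queue.
    Returns which batch messages are missing and any LDAPProbeError seen."""
    inputs = [(topic, name) for queue, topic, name in ecc_rows if queue == "input"]
    completed = [name for topic, name in inputs if topic == "LDAPProbeCompleted"]
    errors = [name for _queue, topic, name in ecc_rows if topic == "LDAPProbeError"]
    report = {"completed": bool(completed), "errors": errors, "missing_batches": None}
    if not completed:
        return report                      # total unknown until LDAPProbeCompleted arrives
    total = int(completed[-1])             # its Name is the total record count
    received = {name for topic, name in inputs if topic == "LDAPProbe"}
    report["missing_batches"] = [n for n in expected_probe_names(total, batch_size)
                                 if n not in received]
    return report


# Constructed ECC Queue rows for a healthy 258-record load.
HEALTHY_LOAD = [
    ("output", "LDAPProbe", "ldap-load"),          # placeholder Name for the output
    ("input", "LDAPProbe", "200"),
    ("input", "LDAPProbe", "258"),
    ("input", "LDAPProbeCompleted", "258"),
]

if __name__ == "__main__":
    print(check_ldap_load(HEALTHY_LOAD))
```

If LDAPProbeCompleted has not arrived, the total is unknown and the report says so rather than guessing; once it has, an empty missing_batches list with no errors is the healthy case.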

LDAP paging

LDAP paging does not work if the paging size on the LDAP server is less
than 1000. Set the MID Server property glide.ldap.max_results to a value
less than or equal to the LDAP server paging size.

LDAP fails to import binary data

To import binary data via LDAP, such as a user photo, you must include the binary attribute in the MID Server property glide.ldap.binary_attributes. For the user photo example, the attribute may be jpegPhoto.

Import and map data


LDAP import maps match fields in your LDAP database to fields in your
instance.

Note: LDAP mapping has a performance effect, so the recommended approach is to schedule it during off-peak hours, or process a few records at a time to maintain system availability.

Define a transform map that only imports the needed or required attributes. Depending on the version of the instance you are using, the method for specifying LDAP mapping relationships varies.

The easiest way to know whether or not you are running a version which uses the System LDAP application for LDAP integration is to look for the application in the application navigator.

The Run Business Rules option is applied only for the target table. Only transform maps associated with the target table run the business rules associated with different tables. If you are updating a user group and have business rules running on a user group table, the group must have roles defined.

LDAP import mapping options

System LDAP application?   Map
Yes                        Use a transform map to specify your mapping.
No                         Use an LDAP legacy import map to specify your mapping, or the default LDAP transform that is included in baseline instances. Remember to adjust the Coalesce field to match against the correct fields.

Scheduled imports

A scheduled import allows administrators to import LDAP data on a regular schedule. By default, the LDAP integration includes two sample scheduled imports:

• Example LDAP User Import

• Example LDAP Group Import

Neither example is active by default. Change these scheduled imports to meet your company's business needs.

LDAP transform maps


The transform map moves data from the import set table to the target
table (User or Group).

The LDAP integration uses standard import sets and transform maps. You
can also create custom LDAP transform maps.
Important: Whether you select or create custom LDAP transform
maps, there should be one active transform map for a set of source
and target tables. Enabling multiple transform maps for the same
source and target tables can produce duplicate entries in the target
table unless you coalesce against the matching fields.


Default LDAP transform maps

By default, the system provides two transform maps for LDAP data.

| Transform Map | Source Table | Target Table | Description |
|---|---|---|---|
| LDAP User Import | [ldap_import] | [sys_user] | Default transform map for creating user records from LDAP credentials as part of LDAP on-demand login. Contains mappings for an Active Directory LDAP server. |
| LDAP Group Import | [ldap_group_import] | [sys_user_group] | Default transform map for creating group records from LDAP OUs. Contains mappings for an Active Directory LDAP server. |

Note: By default, the system does not have a transform map for
LDAP department records.

Requirements for custom LDAP transform maps


If you choose to create a custom transform map, the transform map must
meet the following mapping requirements.


Requirements for custom LDAP transform maps

| Source Table | Source Field | Target Table | Target Field | Coalesce | Description |
|---|---|---|---|---|---|
| ldap_import | u_source | sys_user | source | false | The u_source field identifies the LDAP DN of the imported user or group. The system uses this field to determine that a user requires LDAP authentication, to find a user's manager, and to put users into groups. |
| ldap_import | Select one of the following fields: u_samaccountname, u_dn, u_cn | sys_user | user_name | true | If LDAP integrates to Active Directory, select u_samaccountname as the source field. If other LDAP directories are used, select u_dn or u_cn as the source field. |

Differences between LDAP transform maps and legacy import maps

When specifying LDAP mapping relationships using transform maps, there
is a major difference in how reference fields are set for manager and
department.

When using a transform map, it is necessary to use a transform script to
create references. This is because the value associated with an LDAP
attribute like "manager" is the distinguished name (DN) of the manager.

Without some extra logic in place, the result is the creation of a user
record with a manager name that is the distinguished name of that
user in LDAP. The integration includes a transform script to facilitate
the creation of these references. The default transform map "LDAP User
Import" includes transform scripts for these references.

Existing mapping relationships

When updating legacy import maps to transform maps, you can retain
the LDAP mapping relationships that existed prior to the addition of the
System LDAP application. The LDAP server has a Map field that is a
reference to the legacy import map.
Note: By default this field is hidden, so you have to configure the
form to display it.
If you want to transition to using a transform map, clear the reference to
the legacy import map.

LDAP import map settings

Verify and use attributes to limit the fields the integration imports from the
LDAP source. Additionally, it is important to map the user_name field to
the LDAP attribute that contains the user's login ID. For Active Directory
this is usually the sAMAccountName attribute. If you would like to import
and coalesce on a binary attribute (such as objectSID or objectGUID),
you have to create a custom transform script.
Note: Any value mapped to the user_name field must be unique.

If you do not specify a transform map (such as LDAP User Import), the
integration uses the following default mappings:

LDAP import default mapping

| User field or variable | LDAP attribute |
|---|---|
| user_name | sAMAccountName |
| email | mail |
| phone | telephoneNumber |
| home_phone | homePhone |
| mobile_phone | mobile |
| first_name | givenName |
| last_name | sn |
| title | title |
| department | department |
| manager | manager |
| middle_name | initials |
| u_memberof | groups |
| u_member | members |
| u_manager | manager |


LDAP data transformation

If an LDAP attribute contains simple data, the transform map links an
imported LDAP attribute to an appropriate field in the target table (User
or Group). For example, sample data in the sAMAccountName attribute
maps to the User ID field in the User table.

If the imported LDAP data maps to a reference field, the instance
searches for an existing matching record. If no matching record exists,
the instance creates a new record for the reference field unless the field
mapping specifies otherwise.

For example, suppose the LDAP attribute l maps to the Location
reference field in the User table. Whenever the import brings in an
attribute value that does not match an existing location record value,
the transform map creates a new location record. The new location
record has the same value as the imported attribute, and the imported
user record now has a link to the new location record.

However, there are times when an LDAP attribute returns a distinguished
name (DN), which is essentially a reference to another record within the
LDAP directory. For example, the manager attribute typically contains
the distinguished name for the manager of the current LDAP directory
entry. An imported DN typically uses a long text string such as: cn=Beth
Anglin,ou=Users,dc=my-domain,dc=com.
Warning: Make sure your target fields are long enough to contain a
DN. Many text fields use the default length of 40, which may not be
long enough for some DN values. The ServiceNow system truncates
any value that exceeds the field length.

Administrators do not typically want the system to create new users
from the DN value because the new user has no association with
an existing user. Instead, administrators want the import to locate
the manager's existing user record and associate it with the newly
imported user. The LDAPUtils script include contains the setManager
and processManagers functions that can parse a DN and search for
an existing user. For best results, use these functions to create a custom
transform map.

For example, the LDAP User Import transform map script calls the
setManager function:


//
// The manager coming in from LDAP is the DN value for the manager.
// The line of code below will locate the manager that matches the
// DN value and set it into the target record. If you are not
// interested in getting the manager from LDAP then remove or
// comment out the line below
ldapUtils.setManager(source, target);

In some cases, the integration imports a user's record before importing
the associated manager's user record. To handle such cases, you
may want to call the processManagers function after the transform
completes. For example, the LDAP User Import transform map uses an
onComplete transform script to call the processManagers function.

// It is possible that the manager for a user did not exist in the database when
// the user was processed and therefore we could not locate and set the manager field.
// The processManagers call below will find all those records for which a manager could
// not be found and attempt to locate the manager again. This happens at the end of the
// import and therefore all users should have been created and we should be able to
// locate the manager at this point
ldapUtils.processManagers();

Remove or comment out the setManager and processManagers
function calls if your LDAP integration does not use the manager
attribute.

LDAP scripting
Create custom transform maps, scripts, and business rules to specify
requirements when importing data.

Custom transform maps should include onStart and onAfter transform
scripts.


The onStart script should call the LDAPUtils script include and start
logging. For example, the LDAP User Import transform map has an
onStart script that uses this code:

gs.include("LDAPUtils");
var ldapUtils = new LDAPUtils();
ldapUtils.setLog(log);

The onAfter script should call the addMembers function. For example:

ldapUtils.addMembers(source, target);

Set disabled Active Directory users to inactive

Use the following script to automatically deactivate users when the
associated AD user is disabled.

Before you begin

Role required: admin

About this task

You can identify disabled Active Directory users by checking the value
of the userAccountControl attribute. This rule executes whenever the
userAccountControl value changes and deactivates user accounts if
the User Account Control signifies a disabled AD account.

Procedure

1. Configure the User form and create a new integer field called User
Account Control.

2. Add mapping for userAccountControl (external) to the new field.

3. Create a new business rule with the following properties:


Disable AD Users business rule

| Business rule field | Value |
|---|---|
| Name | Disable AD Users |
| Table | User [sys_user] |
| When | Before |
| Condition | current.u_user_account_control.changes() |

The Script field should contain the following:

var disabledFlag = 2;
// perform a bitwise comparison on userAccountControl to see if the 2 bit flag is enabled
if (current.u_user_account_control & disabledFlag) {
    gs.log('Disabling user: ' + current.user_name + ' userAccountControl=' + current.u_user_account_control);
    current.active = 'false';
    current.locked_out = 'true';
}
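The decision the business rule above makes, as an added example that is not ServiceNow's code: a stand-alone JavaScript model that parses the imported userAccountControl value (import set fields arrive as strings, so an empty or non-numeric value must not be mistaken for "enabled"), tests the 0x2 ACCOUNTDISABLE bit the rule relies on, and names the other well-known flags set on the value for logging. Unlike the rule on this page, which only deactivates, the model also reports the enabled state when the bit is clear, so a re-enabled AD account can be recognised. The flag names and values are Microsoft's documented userAccountControl constants; the sample values and the function names are constructed for this example.

```javascript
// Added example, not ServiceNow code: models the "Disable AD Users"
// decision over constructed userAccountControl values.

// Well-known userAccountControl bit flags (Microsoft ADS_USER_FLAG_ENUM).
const UAC = {
  ACCOUNTDISABLE: 0x0002,        // the bit the business rule tests
  LOCKOUT: 0x0010,
  NORMAL_ACCOUNT: 0x0200,
  DONT_EXPIRE_PASSWORD: 0x10000,
  PASSWORD_EXPIRED: 0x800000,
};

// Import set fields are strings; accept only a plain non-negative integer.
// Anything else (empty, text, negative) returns null so the caller leaves
// the account untouched rather than treating garbage as "enabled".
function parseUac(raw) {
  if (raw === null || raw === undefined) return null;
  const s = String(raw).trim();
  return /^\d+$/.test(s) ? Number(s) : null;
}

// Names of every known flag set in the value, for a log line.
function describeUac(uac) {
  return Object.keys(UAC).filter(name => (uac & UAC[name]) !== 0);
}

// Decide the sys_user state for an imported value. Returns null when the
// value is unusable; otherwise the active/locked_out pair the rule would
// write, plus the decoded flags.
function decideUserState(raw) {
  const uac = parseUac(raw);
  if (uac === null) return null;
  const disabled = (uac & UAC.ACCOUNTDISABLE) !== 0;
  return { active: !disabled, locked_out: disabled, flags: describeUac(uac) };
}

// Constructed sample values as they would sit in the staging table.
const SAMPLE_UAC = {
  enabled: '512',            // NORMAL_ACCOUNT
  disabled: '514',           // NORMAL_ACCOUNT | ACCOUNTDISABLE
  disabledNoExpiry: '66050', // NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | ACCOUNTDISABLE
  missing: '',               // attribute not mapped or not returned by the directory
  garbage: 'n/a',
};

// Run the decision over every sample; returns decisions keyed by sample name.
function evaluateSamples(samples) {
  const out = {};
  for (const name of Object.keys(samples)) out[name] = decideUserState(samples[name]);
  return out;
}

console.log(JSON.stringify(evaluateSamples(SAMPLE_UAC), null, 2));
```

The `&` test is the same one the rule performs; what the model adds is the guard against unparseable values and the decoded flag list, which is what you want in the log line when investigating why an account was deactivated.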

Assign LDAP field values

You can use a script to assign a value to any field for which there is a field
mapping.

For example, to assign a value to the sys_user.company field, create a
field map for the company field and add a transform script of:

company = "Don's Sporting Goods";

Exclude particular LDAP users

If you cannot completely filter the LDAP user list using LDAP filter
properties, you can exclude users with a map script.

After you have run the logic to identify a user that should not be
imported, set the user_name field to an empty string and this user will
not be imported.

user_name='';


One way to identify users to filter out is to look for a string in
the distinguishedName attribute. For example, this script excludes
accounts that are not in a Users OU. You might use this script if you have
too many Users OUs to include in the target OU LDAP Option.

// vdn is a variable mapped to distinguishedName
gs.include("LDAPUtils");
var vdn = source.getElement(this.distinguishedName);
if (vdn.indexOf('OU=Users') < 0) {
    user_name = '';
    gs.log('LDAP Import Skipping User: ' + vdn);
}

A more complex method of filtering is to use regular expressions.

// vcn is a variable mapped to cn
// vdn is a variable mapped to distinguishedName
// c is the regular expression string
gs.include("LDAPUtils");
var vdn = source.getElement(this.distinguishedName);
var vcn = source.getElement(this.cn);
var c = /^[a-z][a-z][a-z][0-9][0-9][0-9]$/;
var nvcn = vcn.toLowerCase();
// test to see if the cn is in the form of 3 letters followed by 3 numbers, only import these
if (c.test(nvcn)) {
    user_name = nvcn;
} else {
    gs.log("LDAP import rejected username: " + vcn + " for DN: " + vdn);
    user_name = "";
}
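The two pieces of DN handling this page describes, the OU-based exclusion above and the two-pass manager lookup of setManager and processManagers in "LDAP data transformation", as one added example that is not ServiceNow's code and does not use the LDAPUtils script include: a stand-alone JavaScript model that splits a distinguished name into its RDNs (honouring RFC 4514 backslash escapes, so a value such as CN=Smith\, Carol is not broken at the escaped comma), decides OU membership by matching a whole RDN rather than a substring (the indexOf test above also accepts an OU named UsersArchive), and resolves manager references against the DNs of users imported so far, retrying the unresolved ones after the last row. The in-memory user map stands in for sys_user and its source field; every table, field and sample row is constructed.

```javascript
// Added example, not ServiceNow code: DN parsing, whole-RDN OU filtering and
// two-pass manager resolution over constructed staging rows.

// Split a DN into RDNs, keeping RFC 4514 "\," escapes inside a value intact.
function splitDn(dn) {
  const rdns = [];
  let cur = '';
  for (let i = 0; i < dn.length; i++) {
    const ch = dn[i];
    if (ch === '\\' && i + 1 < dn.length) {
      cur += ch + dn[++i];            // keep the escape pair together
    } else if (ch === ',') {
      rdns.push(cur.trim());
      cur = '';
    } else {
      cur += ch;
    }
  }
  if (cur.trim() !== '') rdns.push(cur.trim());
  return rdns;
}

// Canonical RDN: no whitespace around "=", lower-cased. DN matching is
// case-insensitive for the usual attribute types, so this approximates it.
function canonRdn(rdn) {
  return rdn.replace(/\s*=\s*/, '=').toLowerCase();
}
function normalizeDn(dn) {
  return splitDn(dn).map(canonRdn).join(',');
}

// True only when some RDN is exactly "ou=<name>"; "ou=usersarchive" does not match.
function inOu(dn, ouName) {
  const want = 'ou=' + ouName.toLowerCase();
  return splitDn(dn).some(rdn => canonRdn(rdn) === want);
}

class UserImport {
  constructor() {
    this.users = new Map();   // normalised DN -> user record (stands in for sys_user.source)
    this.pending = [];        // rows whose manager DN was not importable on the first pass
    this.skipped = [];        // sAMAccountNames rejected by the OU filter
  }

  // One staging row: OU filter, create the user, then try to set the manager
  // (the page's onBefore script does this with ldapUtils.setManager).
  importRow(row) {
    if (!inOu(row.distinguishedName, 'Users')) {
      this.skipped.push(row.sAMAccountName);   // the page's script clears user_name instead
      return null;
    }
    const user = { user_name: row.sAMAccountName.toLowerCase(), source: row.distinguishedName, manager: null };
    this.users.set(normalizeDn(row.distinguishedName), user);
    if (row.manager && !this.setManager(user, row.manager)) {
      this.pending.push({ user, managerDn: row.manager });
    }
    return user;
  }

  // Look the manager up by DN; false when that user has not been imported yet.
  setManager(user, managerDn) {
    const mgr = this.users.get(normalizeDn(managerDn));
    if (!mgr) return false;
    user.manager = mgr.user_name;
    return true;
  }

  // Second pass (the page's onComplete processManagers): retry every deferred
  // lookup now that all rows are in. Returns the DNs still unresolved.
  processManagers() {
    const unresolved = [];
    this.pending = this.pending.filter(p => {
      if (this.setManager(p.user, p.managerDn)) return false;
      unresolved.push(p.managerDn);
      return true;
    });
    return unresolved;
  }
}

// Constructed rows in staging order: Alice's manager Beth arrives after Alice,
// so only the second pass can link them; Carol's manager never arrives.
const SAMPLE_ROWS = [
  { sAMAccountName: 'AAnglin', distinguishedName: 'CN=Alice Anglin,OU=Users,DC=example,DC=com',
    manager: 'cn=Beth Anglin,ou=users,dc=example,dc=com' },
  { sAMAccountName: 'BAnglin', distinguishedName: 'CN=Beth Anglin,OU=Users,DC=example,DC=com', manager: '' },
  { sAMAccountName: 'CSmith', distinguishedName: 'CN=Smith\\, Carol,OU=Users,DC=example,DC=com',
    manager: 'CN=Nobody Here,OU=Users,DC=example,DC=com' },
  { sAMAccountName: 'svc-backup', distinguishedName: 'CN=svc-backup,OU=UsersArchive,DC=example,DC=com', manager: '' },
];

function runImport(rows) {
  const imp = new UserImport();
  const users = rows.map(r => imp.importRow(r)).filter(Boolean);
  return { users, skipped: imp.skipped, unresolved: imp.processManagers() };
}

console.log(JSON.stringify(runImport(SAMPLE_ROWS), null, 2));
```

The unresolved list is worth logging at the end of a real import: a manager DN that still cannot be matched after the second pass usually means the manager sits outside the starting search directory or was excluded by a filter, which is also why the warning above about field length matters, since a truncated DN in the source field will never match.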

Set choice action for reference field imports


The LDAP transform map determines how fields in the Import Set table
map to fields in existing tables such as Incident or User.

Before you begin

Role required: admin


About this task

If the LDAP transform map updates a field in the import set table, the
integration automatically creates a new record whenever there is a new
record in the LDAP data. If the LDAP transform map updates a reference
field storing data from another table, the administrator can choose to
create, ignore, or reject new LDAP records.

For example, if the integration receives a new department record that
does not match any existing department, you may want to update all of
the other LDAP record fields without creating a new department record
in the instance. The transform map allows you to set the record creation
options for each reference field.

Procedure

1. Navigate to All > System LDAP > Transform Maps.

2. In the Field Maps related list, select one of the following actions from
the Choice action field:

• create – creates a new reference field record if a matching
record does not exist.

• ignore – ignores new records in the reference field and
completes processing of all other fields in the transform map.

• reject – stops the transform for the entire record.


Note: The field map only displays the Choice action field for
reference fields.

Verify LDAP mapping


After creating an LDAP transform map, refresh the LDAP data to verify the
transform map works as expected.

Before you begin

Role required: admin


Procedure

1. Navigate to All > System LDAP > Scheduled Loads.

2. Click your LDAP import job.

3. Click Execute Now.

LDAP integration troubleshooting


If you are integrating your LDAP server and have questions, these items
may help you troubleshoot the issue.

Preliminary checks

• If the LDAP is unavailable, users cannot log in to the instance. A good
practice is to have local accounts for administrators so that if the LDAP
is down, administrators can still access the instance.

• Check the service account to ensure that it is not expired or locked out.

• Check the format of the username. Instead of using just the username,
try using the domain with the username, or username@domain.

• Verify that you have changed the system_id entry on
the ldap_server_config record. If you modify the system_id
unintentionally with an update set, system_id points to the wrong
node for the target instance and does not work.

Error codes

The LDAP log file lists industry standard error codes for both LDAP and
Active Directory (AD). The LDAP log file is contained in the wrapper file.
The LDAP error codes are two-digit numbers, while the Active Directory
error codes are three-digit numbers. For a list of the most-common error
codes, see LDAP Error Codes.

Multiple domain integration

You can integrate multiple domains within the same forest or in
completely non-trusted domains. It is recommended that you create a
separate LDAP server record for each domain. Each LDAP server record
must point to a domain controller for that given domain. This means you
will have to allow connections to each of the domain controllers. Multiple
AD forests through LDAP with one LDAP account is not supported.

When you expand to more than one domain, it is critical that you
identify unique LDAP attributes for the application usernames and
import coalesce values. A common unique coalesce attribute for
Active Directory is objectSid. Unique usernames will vary based on
your LDAP data design. Common unique attributes are email or
userPrincipalName.

Incoming records

See LDAP transform maps to set how the integration processes incoming
LDAP records that are missing matching values in reference fields.

Common authentication errors

• User Cannot Log In (Invalid DN)

• Invalid CN

• Invalid Connection

Automatic LDAP connection tests

You can manually test connections to LDAP servers or allow ServiceNow
to automatically test the connections.

The system tests the connection automatically:

• Every time a user opens the LDAP Server form.

• Through the LDAP Connection Test scheduled job, which runs every 15
minutes by default.

You can change how often this scheduled job runs. If this scheduled
job is not able to establish a connection, a new one-time schedule job
retries the connection test after either five minutes, or half the Repeat
Interval value in the scheduled job, whichever occurs first.

Error messages appear on the form if there are any issues connecting to
the LDAP server. Also supported are test connections for servers behind a
MID server.


View the LDAP monitor


You can view current information about LDAP servers and listeners using
LDAP monitor.

Before you begin

Role required: admin

About this task

The available states are:

• Active

• Inactive

• Error

• Active (Shutting down...)

• Error (Shutting down...)

In addition to its current state, the monitor also shows:

• The last message detected by the listener, such as waiting for LDAP
changes, error connecting, and so forth.

• The last LDAP user change, such as new user, updated user, and so
forth.

• The last error that occurred.

To view LDAP monitor:

Procedure

Navigate to All > LDAP > System LDAP > LDAP Monitor.


See the table for descriptions of the properties and fields in the screen.

LDAP monitor

| Field | Description |
|---|---|
| Refresh | You can configure the refresh rate by clicking the Refresh field in the LDAP Server Monitor header bar, and selecting the number of seconds between each data refresh. You can also select None to suppress refreshing. |
| Connection Status | The server connection indicator is located on the right side, above the LDAP Listener Status fields. When the server is connected, the box is green and shows Connected. When the server is not connected, the box is red and shows Not Connected. When the server connection is being tested, the box is yellow and shows Testing Connection. |
| LDAP Server Properties | |
| Edit | As you monitor LDAP servers, you can make changes to the properties by clicking Edit in the LDAP Server Monitor screen. |
| Server URL | The combination of the server name and server port where the LDAP Server is listening. Frequently, the port is set to one of the following: 389, the default port for connecting to LDAP in clear text; or 636, the standard port for connecting to LDAP via an SSL connection. Example value: ldap://10.10.10.3:389/. Your LDAP Server may have more than one URL address. This does NOT establish multiple directory structures from which you can import data, which is done by creating another LDAP Server entry, but does provide for redundancy when you have multiple LDAP Servers to avoid a single point of failure. The LDAP URL addresses are separated with a space character, and the system automatically tries each server address in turn until a valid connection can be made. |
| Starting search directory | The starting directory or RDN (Relative Distinguished Name) where the system begins searching for users or groups. Example value: DC=service-now,DC=com. No data ABOVE this point is available for import. The instance has visibility into the specified directory and directories BELOW it in the LDAP hierarchy. |
| MID Server Status | The current connection status of the MID Server. |
| LDAP Listener Status | |
| Current Status | This indicates whether the listener is active. |
| Last Info Message | This shows the last message the LDAP server received relating to user and group changes, and the time the message was received. |
| Last Change | This shows the last change made to the LDAP server, and the time it was made. |
| Last Error | This shows the last error that occurred on the LDAP server, and the time it occurred. |

LDAP error codes


The LDAP Log file lists industry standard error codes for both LDAP and
Active Directory (AD).


Standard error codes

Standard LDAP errors

| Error / data code | Text | Description |
|---|---|---|
| 0 | LDAP_SUCCESS | Indicates the requested client operation completed successfully. |
| 2 | LDAP_PROTOCOL_ERROR | Indicates that the server has received an invalid or malformed request from the client. |
| 3 | LDAP_TIMELIMIT_EXCEEDED | Indicates that the operation's time limit specified by either the client or the server has been exceeded. On search operations, incomplete results are returned. |
| 4 | LDAP_SIZELIMIT_EXCEEDED | Indicates that in a search operation, the size limit specified by the client or the server has been exceeded. Incomplete results are returned. |
| 5 | LDAP_COMPARE_FALSE | Does not indicate an error condition. Indicates that the results of a compare operation are false. |
| 6 | LDAP_COMPARE_TRUE | Does not indicate an error condition. Indicates that the results of a compare operation are true. |
| 7 | LDAP_AUTH_METHOD_NOT_SUPPORTED | Indicates that during a bind operation the client requested an authentication method not supported by the LDAP server. |
| 8 | LDAP_STRONG_AUTH_REQUIRED | Indicates one of the following: In bind requests, the LDAP server accepts only strong authentication. In a client request, the client requested an operation such as delete that requires strong authentication. In an unsolicited notice of disconnection, the LDAP server discovers the security protecting the communication between the client and server has unexpectedly failed or been compromised. |
| 9 | | Reserved. |
| 10 | LDAP_REFERRAL | Does not indicate an error condition. In LDAPv3, indicates that the server does not hold the target entry of the request, but that the servers in the referral field may. |
| 11 | LDAP_ADMINLIMIT_EXCEEDED | Indicates that an LDAP server limit set by an administrative authority has been exceeded. |
| 12 | LDAP_UNAVAILABLE_CRITICAL_EXTENSION | Indicates that the LDAP server was unable to satisfy a request because one or more critical extensions were not available. Either the server does not support the control or the control is not appropriate for the operation type. |
| 13 | LDAP_CONFIDENTIALITY_REQUIRED | Indicates that the session is not protected by a protocol such as Transport Layer Security (TLS), which provides session confidentiality. |
| 14 | LDAP_SASL_BIND_IN_PROGRESS | Does not indicate an error condition, but indicates that the server is ready for the next step in the process. The client must send the server the same SASL mechanism to continue the process. |
| 15 | | Not used. |
| 16 | LDAP_NO_SUCH_ATTRIBUTE | Indicates that the attribute specified in the modify or compare operation does not exist in the entry. |
| 17 | LDAP_UNDEFINED_TYPE | Indicates that the attribute specified in the modify or add operation does not exist in the LDAP server's schema. |
| 18 | LDAP_INAPPROPRIATE_MATCHING | Indicates that the matching rule specified in the search filter does not match a rule defined for the attribute's syntax. |
| 19 | LDAP_CONSTRAINT_VIOLATION | Indicates that the attribute value specified in a modify, add, or modify DN operation violates constraints placed on the attribute. The constraint can be one of size or content (string only, no binary). |
| 20 | LDAP_TYPE_OR_VALUE_EXISTS | Indicates that the attribute value specified in a modify or add operation already exists as a value for that attribute. |
| 21 | LDAP_INVALID_SYNTAX | Indicates that the attribute value specified in an add, compare, or modify operation is an unrecognized or invalid syntax for the attribute. |
| 22-31 | | Not used. |
| 32 | LDAP_NO_SUCH_OBJECT | Indicates the target object cannot be found. This code is not returned on the following operations: search operations that find the search base but cannot find any entries that match the search filter; bind operations. |
| 33 | LDAP_ALIAS_PROBLEM | Indicates that an error occurred when an alias was dereferenced. |
| 34 | LDAP_INVALID_DN_SYNTAX | Indicates that the syntax of the DN is incorrect. (If the DN syntax is correct, but the LDAP server's structure rules do not permit the operation, the server returns code 53: LDAP_UNWILLING_TO_PERFORM.) |
| 35 | LDAP_IS_LEAF | Indicates that the specified operation cannot be performed on a leaf entry. (This code is not currently in the LDAP specifications, but is reserved for this constant.) |
| 36 | LDAP_ALIAS_DEREF_PROBLEM | Indicates that during a search operation, either the client does not have access rights to read the aliased object's name or dereferencing is not allowed. |
| 37-47 | | Not used. |
| 48 | LDAP_INAPPROPRIATE_AUTH | Indicates that during a bind operation, the client is attempting to use an authentication method that the client cannot use correctly. For example, either of the following cause this error: the client returns simple credentials when strong credentials are required, OR the client returns a DN and a password for a simple bind when the entry does not have a password defined. |

Indicates that during


a bind operation
one of the following
occurred: The client
passed either an
incorrect DN or
password, or the
LDAP_INVALID_CREDE
49 password is incorrect
NTIALS
because it has
expired, intruder
detection has locked
the account, or
another similar reason.
See the data code for
more information.

Indicates an Active
Directory (AD)
AcceptSecurityContex
t error, which is
returned when the
AD_INVALID username is valid but
49 / 52e
CREDENTIALS the combination of
password and user
credential is invalid.
This is the AD
equivalent of LDAP
error code 49.

Indicates an Active
Directory (AD)
AcceptSecurityContex
49 / 525 USER NOT FOUND
t data error that is
returned when the
username is invalid.

Indicates an Active
Directory (AD)
NOT_PERMITTED_TO_L
49 / 530 AcceptSecurityContex
OGON_AT_THIS_TIME
t data error that is
logon failure caused

PDF generated on April 5, 2024 64


©2024 ServiceNow. All rights reserved. Terms of Use Privacy Statement

ServiceNow, the ServiceNow logo, Now, and other ServiceNow marks are trademarks and/or registered trademarks of ServiceNow, Inc., in the
United States and/or other countries. Other company and product names may be trademarks of the respective companies with which they are
associated.
Washington DC Platform security

Error / data code Text Description


because the user is
not permitted to log
on at this time. Returns
only when presented
with a valid username
and valid password
credential.

Indicates an Active
Directory (AD)
AcceptSecurityContex
t data error that is
logon failure caused
RESTRICTED_TO_SPECIFI because the user is
49 / 531
C_MACHINES not permitted to log
on from this computer.
Returns only when
presented with a valid
username and valid
password credential.

Indicates an Active
Directory (AD)
AcceptSecurityContex
t data error that is a
logon failure. The
49 / 532 PASSWORD_EXPIRED specified account
password has expired.
Returns only when
presented with valid
username and
password credential.

Indicates an Active
Directory (AD)
AcceptSecurityContex
t data error that is a
49 / 533 ACCOUNT_DISABLED
logon failure. The
account is currently
disabled. Returns only
when presented with

PDF generated on April 5, 2024 65


©2024 ServiceNow. All rights reserved. Terms of Use Privacy Statement

ServiceNow, the ServiceNow logo, Now, and other ServiceNow marks are trademarks and/or registered trademarks of ServiceNow, Inc., in the
United States and/or other countries. Other company and product names may be trademarks of the respective companies with which they are
associated.
Washington DC Platform security

Error / data code Text Description


valid username and
password credential.

Indicates that during


a log-on attempt,
the user's security
context accumulated
too many security
ERROR_TOO_MANY_C
49 / 568 IDs. This is an issue
ONTEXT_IDS
with the specific LDAP
user object/account
which should be
investigated by the
LDAP administrator.

Indicates an Active
Directory (AD)
AcceptSecurityContex
t data error that is a
logon failure. The user's
49 / 701 ACCOUNT_EXPIRED
account has expired.
Returns only when
presented with valid
username and
password credential.

Indicates an Active
Directory (AD)
AcceptSecurityContex
t data error. The user's
password must be
USER MUST RESET
49 / 773 changed before
PASSWORD
logging on the first
time. Returns only
when presented with
valid user-name and
password credential.

Indicates that the


LDAP_INSUFFICIENT_A
50 caller does not have
CCESS
sufficient rights to

PDF generated on April 5, 2024 66


©2024 ServiceNow. All rights reserved. Terms of Use Privacy Statement

ServiceNow, the ServiceNow logo, Now, and other ServiceNow marks are trademarks and/or registered trademarks of ServiceNow, Inc., in the
United States and/or other countries. Other company and product names may be trademarks of the respective companies with which they are
associated.
Washington DC Platform security

Error / data code Text Description


perform the requested
operation.

Indicates that the


LDAP server is too busy
to process the client
request at this time but
51 LDAP_BUSY
if the client waits and
resubmits the request,
the server may be
able to process it then.

Indicates that the


LDAP server cannot
process the client's
52 LDAP_UNAVAILABLE
bind request, usually
because it is shutting
down.

Indicates an Active
Directory (AD)
AcceptSecurityContex
t error, which is
returned when the
username is valid but
AD_INVALID the combination of
52e
CREDENTIALS password and user
credential is invalid.
This is the AD
equivalent of LDAP
error code 49:
LDAP_INVALID_CREDE
NTIALS.

Indicates that the


LDAP server cannot
process the request
LDAP_UNWILLING_TO_
53 because of server-
PERFORM
defined restrictions.
This error is returned for
the following reasons:

PDF generated on April 5, 2024 67


©2024 ServiceNow. All rights reserved. Terms of Use Privacy Statement

ServiceNow, the ServiceNow logo, Now, and other ServiceNow marks are trademarks and/or registered trademarks of ServiceNow, Inc., in the
United States and/or other countries. Other company and product names may be trademarks of the respective companies with which they are
associated.
Washington DC Platform security

Error / data code Text Description


The add entry request
violates the server's
structure
rules...OR...The modify
attribute request
specifies attributes
that users cannot
modify...OR...Password
restrictions prevent the
action...OR...Connecti
on restrictions prevent
the action.

Indicates that the


client discovered an
54 LDAP_LOOP_DETECT alias or referral loop,
and is thus unable to
complete this request.

55-63 Not used.

Indicates that the


add or modify DN
operation violates the
schema's structure
rules. For example,
The request places
the entry subordinate
LDAP_NAMING_VIOLA to an alias. The
64
TION request places the
entry subordinate to
a container that is
forbidden by the
containment rules. The
RDN for the entry uses
a forbidden attribute
type.

Indicates that the


LDAP_OBJECT_CLASS_
65 add, modify, or modify
VIOLATION
DN operation violates

PDF generated on April 5, 2024 68


©2024 ServiceNow. All rights reserved. Terms of Use Privacy Statement

ServiceNow, the ServiceNow logo, Now, and other ServiceNow marks are trademarks and/or registered trademarks of ServiceNow, Inc., in the
United States and/or other countries. Other company and product names may be trademarks of the respective companies with which they are
associated.
Washington DC Platform security

Error / data code Text Description


the object class rules
for the entry. For
example, the following
types of request return
this error: The add
or modify operation
tries to add an entry
without a value for
a required attribute.
The add or modify
operation tries to add
an entry with a value
for an attribute which
the class definition
does not contain.
The modify operation
tries to remove
a required attribute
without removing the
auxiliary class that
defines the attribute
as required.

Indicates that the


requested operation is
permitted only on leaf
entries. For example,
the following types
of requests return
LDAP_NOT_ALLOWED_
66 this error: The client
ON_NONLEAF
requests a delete
operation on a parent
entry. The client
request a modify DN
operation on a parent
entry.

Indicates that the


modify operation
LDAP_NOT_ALLOWED_
67 attempted to remove
ON_RDN
an attribute value
that forms the entry's

PDF generated on April 5, 2024 69


©2024 ServiceNow. All rights reserved. Terms of Use Privacy Statement

ServiceNow, the ServiceNow logo, Now, and other ServiceNow marks are trademarks and/or registered trademarks of ServiceNow, Inc., in the
United States and/or other countries. Other company and product names may be trademarks of the respective companies with which they are
associated.
Washington DC Platform security

Error / data code Text Description


relative distinguished
name.

Indicates that the add


operation attempted
to add an entry that
already exists, or that
68 LDAP_ALREADY_EXISTS the modify operation
attempted to rename
an entry to the name
of an entry that
already exists.

Indicates that the


modify operation
LDAP_NO_OBJECT_CL
69 attempted to modify
ASS_MODS
the structure rules of
an object class.

LDAP_RESULTS_TOO_LA
70 Reserved for CLDAP.
RGE

Indicates that the


modify DN operation
moves the entry from
LDAP_AFFECTS_MULTIP
71 one LDAP server to
LE_DSAS
another and requires
more than one LDAP
server.

72-79 Not used.

Indicates an unknown
error condition. This is
the default value for
80 LDAP_OTHER
NDS error codes which
do not map to other
LDAP error codes.

USER_ACCOUNT_LOCK Indicates users are


775
ED unable to log in

PDF generated on April 5, 2024 70


©2024 ServiceNow. All rights reserved. Terms of Use Privacy Statement

ServiceNow, the ServiceNow logo, Now, and other ServiceNow marks are trademarks and/or registered trademarks of ServiceNow, Inc., in the
United States and/or other countries. Other company and product names may be trademarks of the respective companies with which they are
associated.
Washington DC Platform security

Error / data code Text Description


because the user
account is locked.
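
The table above distinguishes, for LDAP result 49, the Active Directory data sub-codes that are returned only after a correct password was supplied (530, 531, 532, 533, 701, 773) from those that mean the username or password was wrong (525, 52e). That difference matters when reviewing LDAP bind failures: a 533 (ACCOUNT_DISABLED) or 530 (logon hours) reported for a login attempt means the password itself was correct. The following Node.js code is an added example, not ServiceNow code; it parses the "AcceptSecurityContext error, data <code>" diagnostic text Active Directory returns on a failed bind and summarises a batch of constructed log lines by data code. The log line layout, user names, and the DSID and "v" values are constructed for the example.

```javascript
// Added example (not ServiceNow code): classify failed Active Directory binds by
// the LDAP result 49 data sub-code, using the meanings from the table above.

// Data sub-codes for LDAP result 49 from the table above. credentialsValid
// records what the table states: true when the code "returns only when
// presented with a valid username and valid password", false when the
// username or password was wrong, null when the table does not say.
const AD_DATA_CODES = {
  '525': { text: 'USER NOT FOUND',                      credentialsValid: false },
  '52e': { text: 'AD_INVALID CREDENTIALS',              credentialsValid: false },
  '530': { text: 'NOT_PERMITTED_TO_LOGON_AT_THIS_TIME', credentialsValid: true },
  '531': { text: 'RESTRICTED_TO_SPECIFIC_MACHINES',     credentialsValid: true },
  '532': { text: 'PASSWORD_EXPIRED',                    credentialsValid: true },
  '533': { text: 'ACCOUNT_DISABLED',                    credentialsValid: true },
  '568': { text: 'ERROR_TOO_MANY_CONTEXT_IDS',          credentialsValid: null },
  '701': { text: 'ACCOUNT_EXPIRED',                     credentialsValid: true },
  '773': { text: 'USER MUST RESET PASSWORD',            credentialsValid: true },
  '775': { text: 'USER_ACCOUNT_LOCKED',                 credentialsValid: null },
};

// Extract the hex data sub-code from an AD bind diagnostic message such as
// "80090308: LdapErr: DSID-..., comment: AcceptSecurityContext error, data 52e, v...".
// Returns null when the message is not an AcceptSecurityContext failure.
function parseAdBindError(message) {
  const m = /AcceptSecurityContext error, data ([0-9a-f]+)/i.exec(message);
  if (!m) return null;
  const dataCode = m[1].toLowerCase();
  const known = AD_DATA_CODES[dataCode];
  return {
    ldapCode: 49,
    dataCode: dataCode,
    text: known ? known.text : 'UNKNOWN_DATA_CODE',
    credentialsValid: known ? known.credentialsValid : null,
  };
}

// Summarise constructed bind-failure log lines of the form
//   <timestamp> bind user=<name> msg="<AD diagnostic message>"
// Returns per-code counts plus the users for which AD reported a failure that
// only occurs after a correct password (disabled, expired, logon restriction).
// Those events deserve a separate review from plain bad-password noise.
function summarizeBindFailures(lines) {
  const counts = {};
  const passwordKnown = [];
  for (const line of lines) {
    const um = /user=(\S+)/.exec(line);
    const mm = /msg="([^"]*)"/.exec(line);
    if (!um || !mm) continue;
    const parsed = parseAdBindError(mm[1]);
    if (!parsed) continue;
    counts[parsed.dataCode] = (counts[parsed.dataCode] || 0) + 1;
    if (parsed.credentialsValid === true && passwordKnown.indexOf(um[1]) === -1) {
      passwordKnown.push(um[1]);
    }
  }
  return { counts: counts, passwordKnown: passwordKnown };
}

// Constructed sample input (DSID and v values are placeholders).
const SAMPLE_LINES = [
  '2024-04-05T10:00:01Z bind user=jdoe msg="80090308: LdapErr: DSID-00000000, comment: AcceptSecurityContext error, data 52e, v0000"',
  '2024-04-05T10:00:02Z bind user=jdoe msg="80090308: LdapErr: DSID-00000000, comment: AcceptSecurityContext error, data 52e, v0000"',
  '2024-04-05T10:00:03Z bind user=svc_old msg="80090308: LdapErr: DSID-00000000, comment: AcceptSecurityContext error, data 533, v0000"',
  '2024-04-05T10:00:04Z bind user=nobody msg="80090308: LdapErr: DSID-00000000, comment: AcceptSecurityContext error, data 525, v0000"',
  '2024-04-05T10:00:05Z bind user=ops1 msg="80090308: LdapErr: DSID-00000000, comment: AcceptSecurityContext error, data 775, v0000"',
  '2024-04-05T10:00:06Z bind user=ops1 msg="connection reset"',
];

console.log(JSON.stringify(summarizeBindFailures(SAMPLE_LINES)));
```

Running the block prints the per-code counts and lists svc_old as the only account whose failure (533) implies the supplied password was correct; lines without the AcceptSecurityContext text are skipped rather than counted as a bind failure.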

Customized error codes

Customized LDAP error codes

Error / data code | Text
10000 | LDAP_ERROR_GENEREL
10001 | LDAP_ERROR_MAL_FORMED_URL
10002 | LDAP_ERROR_UNAUTHENTICATED_BIND
10300 | LDAP_ERROR_COMMUNICATION_EXCEPTION
10301 | LDAP_ERROR_SOCKET_TIMEOUT
10302 | LDAP_ERROR_CONNECTION_REFUSED
10303 | LDAP_ERROR_CONNECTION_RESET
10304 | LDAP_ERROR_NO_ROUTE
10305 | LDAP_ERROR_UNKNOW_HOST
10400 | LDAP_ERROR_SSL_EXCEPTION
10401 | LDAP_ERROR_SSL_EMPTY_CERT_STORE
10402 | LDAP_ERROR_SSL_CERT_NOT_FOUND
10403 | LDAP_ERROR_SSL_CERT_EXPIRED
10500 | LDAP_ERROR_INVALID_SEARCH_FILTER_EXCEPTION

Send a one-time password when the LDAP server is down

An LDAP property is available to send a one-time password to a user if the user is unable to log in because the LDAP server is down. You can also configure another property to control how long the password is valid.

Before you begin

Role required: admin

To receive a one-time password, the user must have notifications enabled on their user profile. The notification is an email message only. SMS messages are not supported.

About this task

Both properties are enabled by default. The default value for the property that controls password validity is 10 minutes.

Procedure

1. Open the list of system properties by entering sys_properties.list in the filter of the application navigator.

2. Find the glide.ldap.onetime.password.enabled property.

3. Set the property to true.

4. To change the password validity time for a user, set the following property to an integer number of minutes: glide.authenticate.onetime.password.validity.


LDAP record synchronization

Administrators can synchronize inactive, disabled, or deleted LDAP records with the corresponding user records in the instance.

LDAP record synchronization is the process of detecting inactive records on the LDAP server and updating the corresponding user records. Detecting inactive LDAP records involves defining consistent data indicators for each user object, importing LDAP data, and evaluating the data indicators.

A data indicator can be:

• A date field

• Membership in a specific OU (identified by parsing the dn attribute), using the useraccountcontrol attribute

• A combination of these indicators

Imported data comes into the instance through import set tables where the data can be evaluated and processed.

The import process can use LDAP refresh filters on multiple import jobs to divide different types of user records and segregate records for separate processing.

LDAP refresh filters

Filters on the LDAP refresh process can be used to specify processing that ignores inserts of disabled users.

You can loosen the LDAP OU filter to bring all of the data into your import set table (including inactive users) and then specify processing that ignores inserts of disabled users. The sample ‘Users’ OU definition that the instance provides in its out-of-box LDAP sample contains a filter.

This filter is important because it defines which user records are brought into the import set table to be evaluated. While it achieves a smaller data load, a limitation of this filter is that it filters out inactive users, so the inactive user records are not imported into the import set temporary tables. Since there is no visibility of the inactive user records, there is no ability to evaluate the record indicators.


LDAP OU filter

To use filtering within the main LDAP refresh process, change the filter to bring in all of the user records. The result is that all the records are loaded into the import set temporary table, where they can be evaluated and transformed.

Note: There is a precaution here: because the filtering brings in all the records, you may end up with a vast number of older inactive LDAP accounts that should not be inserted into the instance. A user record should never be created for a disabled user.

LDAP extraction

An LDAP extraction process can be implemented to detect disabled users.

An extract from your LDAP source can be filtered for disabled users using an active flag that is set to ‘false’ for every record in the import. Specify (‘target.active=false’) and copy it into the Script field directly on the Table Transform Map record.

Benefits

Benefits to this method include:

• Simple scripting

• Existing user records are not involved in processing

• Inactive users are not loaded into a temporary import table

• No performance impact


Drawbacks

Drawbacks to this method include:

• An additional process is created

• The extract set must be placed in a location where your data source can access it

Alternative method

LDAP refresh filters use multiple import jobs to divide different types of user records, segregating records for separate processing.

Inactive LDAP user accounts

Detect that an existing, current user account is inactive or has been disabled or deleted from an Active Directory (AD) LDAP.

A common LDAP integration issue is how to detect disabled or deleted users in an Active Directory (AD) and then deactivate them in the instance. In an Active Directory LDAP, a filter is usually set to exclude inactive users when refreshing, so the instance is not aware of users that are disabled or deleted in AD. The issue is how to detect that an existing, current user is inactive or has been deleted from AD.

Note: The recommended approach is to deactivate user records and all other types of records, not delete them. Each record is linked to other records, and deleting a record destroys all the relationships to those other records. Deactivating records keeps those relationships in place.

Find inactive LDAP accounts by using the userAccountControl field

Identify when an Active Directory (AD) user is deleted (or made inactive).

Before you begin

Role required: admin


About this task

One method is to track the active status of AD users and create a business rule to update corresponding accounts when an AD account is inactive.

Procedure

1. Create a new string field on the User [sys_user] table to track the value of the AD userAccountControl field. For example: u_ad_user_account.

2. Create an LDAP transform script to set the field value.

    target.u_ad_user_account = source.userAccountControl;

3. Update the LDAP filter to show disabled AD accounts.

   Here is an example of a filter. The last clause uses the bitwise AND matching rule to exclude every entry whose userAccountControl has bit 2 (the disabled flag) set.

    (&(objectClass=person)(sn=*)(!(objectClass=computer))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

   Here is an example of a replacement filter you can use.

    (&(objectClass=person)(sn=*)(!(objectClass=computer)))

4. Create an onChange business rule to set the active field to false whenever the u_ad_user_account field has the value 514. '514' indicates an inactive account.

LDAP script examples

The following script examples assume you use an Active Directory (AD) for your LDAP server.

userAccountControl attribute values script

This example tests the source for the userAccountControl attribute values associated with a disabled user (514 or 546).

    // Deactivate LDAP-disabled users during transform based on 'userAccountControl' attribute
    if (source.u_useraccountcontrol == '514' || source.u_useraccountcontrol == '546') {
        target.active = false;
        target.locked_out = true;
    }

Here is an example using a bitwise check. Bit 2 of userAccountControl is the disabled flag, so this form also catches disabled accounts whose other flags make the value something other than 514 or 546:

    // Bit 2 (value 2) set means the account is disabled, whatever the other flags are
    if (source.u_useraccountcontrol & 2) {
        target.active = false;
    }

userAccountControl attribute script

This example examines the userAccountControl attribute but does not test for specific values. It also contains the option of reactivating LDAP user accounts.

    /*
     * Deactivate LDAP-disabled users during transform based on 'userAccountControl' attribute
     * Convert the userAccountControl attribute back to a hex value
     */
    var ctrl = parseInt(source.u_useraccountcontrol, 10);
    ctrl = ctrl.toString(16);

    /*
     * The only digit we care about is the final one
     * A final hex digit value of '2' in 'ctrl' means disabled
     */
    if (ctrl.substr(-1) == "2") {
        // Deactivate and lock the user account
        target.active = false;
        target.locked_out = true;

        // Ignore any insert of a disabled record
        if (action == 'insert') {
            ignore = true;
        }
    }
    /* Optional: Uncomment else block to reactivate and unlock the user account
    else {
        target.active = true;
        // The second-to-last hex digit is '1' when the lockout bit (0x10) is set
        target.locked_out = ctrl.substr(-2, 1) == "1";
    }
    */

onBefore transform map script

Here is an example of an onBefore transform map script. The script identifies disabled records and records being inserted. If an insert of a disabled user is occurring, the transform ignores the record.

    // Ignore any insert of a disabled record as defined by the 'userAccountControl' attribute
    var uc = source.u_useraccountcontrol;
    if ((uc == '514' || uc == '546') && action == 'insert') {
        ignore = true;
    }

DN member script

This script example introduces flexibility by not relying on the 546 and 514 userAccountControl values, but instead checking whether the user is a member of a particular Distinguished Name (DN). You can use this script either in the Script field of the ‘Table Transform Map’ record or in an onBefore transform map script.

    // Deactivate LDAP-disabled users during transform based on OU membership in 'dn'
    if (source.u_dn.indexOf('OU=Disabled Accounts') > -1) {
        target.active = false;
        target.locked_out = true;
    }
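
The scripts above make the same decision three ways: an equality test against 514 and 546, a test of the final hex digit, and a substring search in the DN. The following Node.js code is an added example, not ServiceNow code, that carries that decision through as testable functions outside the instance: it decodes the userAccountControl bits (the same bit-2 condition the `1.2.840.113556.1.4.803` filter clause evaluates server-side), shows why a disabled account with an extra flag set (for example 66050, disabled plus "password never expires") passes the 514/546 test but not the bit test, and matches the "Disabled Accounts" OU as a whole RDN so that an OU named "Disabled Accounts Archive" is not mistaken for it. The field names u_useraccountcontrol and u_dn are the ones the scripts above use; the sample rows and the "Disabled Accounts" OU are constructed.

```javascript
// Added example (not ServiceNow code): stand-alone version of the transform
// decision made by the LDAP script examples above.

// userAccountControl bit flags (Microsoft-defined values).
const UAC = {
  ACCOUNTDISABLE: 0x0002,
  LOCKOUT: 0x0010,
  NORMAL_ACCOUNT: 0x0200,
  DONT_EXPIRE_PASSWORD: 0x10000,
};

// The import set stores the attribute as a decimal string. Return null for a
// missing or non-numeric value instead of treating it as 0 (an enabled account).
function parseUac(value) {
  if (value === undefined || value === null) return null;
  const n = parseInt(String(value), 10);
  return Number.isNaN(n) ? null : n;
}

function isDisabled(uac) { return uac !== null && (uac & UAC.ACCOUNTDISABLE) !== 0; }
function isLockedOut(uac) { return uac !== null && (uac & UAC.LOCKOUT) !== 0; }

// The 514/546 equality test from the first script above, kept for comparison.
function isDisabledByKnownValues(value) {
  return value === '514' || value === '546';
}

// Split a DN into its RDN components, keeping backslash-escaped commas inside
// a component, so that an OU can be matched exactly rather than by substring.
function dnComponents(dn) {
  const parts = [];
  let cur = '';
  for (let i = 0; i < dn.length; i++) {
    const c = dn[i];
    if (c === '\\' && i + 1 < dn.length) { cur += c + dn[++i]; continue; }
    if (c === ',') { parts.push(cur.trim()); cur = ''; continue; }
    cur += c;
  }
  if (cur.trim() !== '') parts.push(cur.trim());
  return parts;
}

function dnHasOu(dn, ouName) {
  const want = ('OU=' + ouName).toLowerCase();
  return dnComponents(dn).some(p => p.toLowerCase() === want);
}

// Decide what the transform should set for one import-set row.
// `action` is 'insert' or 'update', as in a ServiceNow transform script;
// `disabledOu` is an optional OU name (constructed here) that marks disabled users.
function transformDecision(source, action, disabledOu) {
  const uac = parseUac(source.u_useraccountcontrol);
  const inDisabledOu = disabledOu !== undefined && dnHasOu(source.u_dn || '', disabledOu);
  if (isDisabled(uac) || inDisabledOu) {
    // Same outcome as the scripts above: deactivate, lock, never insert a disabled user.
    return { active: false, locked_out: true, ignore: action === 'insert',
             reason: inDisabledOu ? 'disabled OU' : 'ACCOUNTDISABLE bit' };
  }
  if (uac === null) {
    // No usable flag value: skip the row so an existing record is left untouched
    // and no new record is created from it.
    return { active: null, locked_out: null, ignore: true, reason: 'no userAccountControl' };
  }
  return { active: true, locked_out: isLockedOut(uac), ignore: false, reason: 'enabled' };
}

// Constructed sample rows (names and DNs are made up).
const SAMPLE_ROWS = [
  { u_useraccountcontrol: '512',   u_dn: 'CN=Ann Lee,OU=Users,DC=example,DC=com' },
  { u_useraccountcontrol: '514',   u_dn: 'CN=Bob Ray,OU=Users,DC=example,DC=com' },
  { u_useraccountcontrol: '66050', u_dn: 'CN=svc backup,OU=Service Accounts,DC=example,DC=com' }, // 512 + 2 + 65536
  { u_useraccountcontrol: '528',   u_dn: 'CN=Cy Dee,OU=Users,DC=example,DC=com' },                // 512 + 16 (locked out)
  { u_useraccountcontrol: '512',   u_dn: 'CN=Di Fox,OU=Disabled Accounts,DC=example,DC=com' },
  { u_useraccountcontrol: '512',   u_dn: 'CN=Ed Gay,OU=Disabled Accounts Archive,DC=example,DC=com' },
];

for (const row of SAMPLE_ROWS) {
  console.log(row.u_useraccountcontrol, row.u_dn, JSON.stringify(transformDecision(row, 'insert', 'Disabled Accounts')));
}
```

The third row is the instructive one: `isDisabledByKnownValues('66050')` is false, so the equality-based scripts would leave that account active, while the bit test (and the final-hex-digit test, since 66050 is 0x10202) reports it disabled. The last row shows the difference between the `indexOf` check in the DN member script and the component match.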

Active Directory Application Mode (ADAM)

Active Directory Application Mode (ADAM) is a Lightweight Directory Access Protocol (LDAP)-compliant directory service.

Note: A basic level of understanding of Microsoft Windows Server and Active Directory is needed for understanding this topic. You must also have administrator permissions on the server you are configuring for ADAM.


These are sample procedures. Due to installation and environment variations, we cannot offer direct support. We recommend working with a Microsoft consultant.

ADAM has a simple install and runs as a service on Windows operating systems. It can be fully customized and distributed as an application component or used as a stand-alone LDAP directory. ADAM uses the same technologies found on Active Directory Domain Controllers (including replication and delegation features) and has its own administration and customization features. It can be run as a Windows service. ADAM can be installed on Windows XP, 2000, 2003, and 2008 operating systems. ADAM is included as part of Windows Server 2003 R2 and Windows Server 2008. A download is available at http://www.microsoft.com/downloads for earlier operating systems.

Security

Some company security policies prohibit external vendors and partners from connecting directly to an Active Directory (AD) Domain Controller. If exposing certain AD objects or attributes to an external vendor or partner is prohibited, access to objects and attributes can be blocked using AD Security Access Control Entries (ACE or ACL). Depending on security requirements, this method can introduce complexity in the integration. Consolidating multiple domains and forests is recommended. If all LDAP imports and authentications need to be channeled through a single source, ADAM can be used as a consolidated source. With the release of Windows 2008 this functionality has been renamed Lightweight Directory Services (LDS). Installation and configuration is similar to Windows Server 2003 R2.

Recommended Knowledge

For this task, you must understand AD, object classes, and attributes. To have a successful integration, you need to be knowledgeable of the current AD object structure, familiar with Active Directory delegations, and have a strategy on how to use ADAM and for what purposes. If you are not familiar with AD or ADAM, work with your AD administrator to configure a new ADAM environment.


Trusts

If userProxy objects are used, the computer hosting ADAM needs to be a member of the domain that has the AD accounts, or a member of a trusted domain.

Internal Connectivity

If userProxy objects are used, the ADAM computer must be able to connect to the related Domain Controllers to perform proxy authentication.

Configuring an instance with ADAM

The first install copies the ADAM files to your computer, registers required components, and creates the application shortcuts.

Before you begin

Role required: admin

About this task

By default, all of the application files are installed to %systemroot%\ADAM.

• Windows Server 2003 R2 - ADAM can be installed using the Control Panel > Add and Remove Programs > Optional Component Manager.

• Windows Server 2000 & Windows XP - Downloaded from Microsoft at http://www.microsoft.com/downloads.

Create the first instance service, which functions as the first directory service hosted by ADAM. Do one of the following:

• Run adaminstall.exe from the ADAM folder.

• Use the Create an ADAM instance shortcut from the Start Menu > Programs > ADAM folder.

Procedure

1. Select the A unique instance install option.

   Note: You can use this option to install an instance replica on a second server to provide a fault tolerant system.

2. Complete the fields.

ADAM Instance

Field | Description
Instance Name | Used primarily to identify the Windows Service name and display name.
Ports | Sets the port numbers to be used for the LDAP and LDAPS listeners. The default LDAP port is 389, LDAPS is 636. If these ports are in use on the server, the setup wizard selects new ports. Work with your network administrator to determine the best ports to use.
Application Directory Partition | Creates an application directory partition. Although not needed at this step, we recommend creating the new partition now. A good practice is to use the same distinguished name as your forest or domain, but replace the highest level domain with adam instead of com or local. For example, if your forest partition is dc=myCompany,dc=com, you could create the ADAM partition as dc=myCompany,dc=adam.
File Locations | Selects the location(s) for the ADAM partition data.
Service Account Selection | Selects a service account that the instance runs as. For stand-alone services, you can use the default network service account. If you plan on using replicas, you need to use an account that has access to all ADAM instances.
ADAM Administrators | The delegation on the ADAM directory that leverages Windows integrated authentication. This is how the initial access is granted for administration. Once the initial account is granted rights, this user or group delegates rights to other Windows users or ADAM users. You can select the default to only grant admin access to the current user, or grant access to a different user or group based on your needs.
Import LDIF Files | The files to import. MS-UserProxy is the most important file to import, but it’s worth adding all available files since there is little overhead to the schema and you won’t have to worry about extending it later if your needs expand. Confirm the details and the wizard completes the configuration.

Set up the ADAM console

Set up the ADAM console. Even though there are many similarities between ADAM and Active Directory, the administration can be very different since there is no Users and Computers management console.


Before you begin

Role required: admin

About this task

Most of the general administration is performed using the ADAM ADSI MMC console available from the ADAM start menu. The first time you run the ADAM ADSI console, you must connect to the partition you created.

Procedure

1. Right-click the ADAM ADSI Edit item in the left frame.

2. Give the new connection a name and update the server name and port fields with the information used when you created the instance.

3. Select distinguished name or naming context and specify the distinguished name of the application partition you created earlier. You can connect to the Configuration and Schema partitions for advanced configuration options.

   You should now be able to see into the partition and the default containers for LostAndFound, NTDS Quotas, and Roles. The Roles container has not been configured yet.

Create containers and organizational units for ADAM


Logically group objects stored in ADAM into containers and
organizational units (OU) just as they would be in Active Directory.

Before you begin

Role required: admin

Procedure

1. Right-click the root partition and navigate to New > Object >
organizationalUnit.
Note: You can also view the list of other objects that
are available. This list varies based on the schema extensions
installed when you imported the LDF files.


2. When prompted for a value, enter the name of the OU such as


Users.
The screen displays a More Attributes button.

3. Use the button to assign values to additional attributes.


For the OUs and containers, no additional values are needed.
After creating the OUs, the new OUs are listed as a child of the root
object.

Delegation with ADAM


Once the OU structure is created, define the permission delegations to
properly secure the objects to limited users.

As with Active Directory, there are two general ways to grant permissions:

• Add users to a group that already has the appropriate permissions


assigned.

• Define new permissions on the ADAM objects.

For this task, we discuss object level permissions. Refer to the Group
Administration section for information on group memberships.

Since there is no Users and Computers console for ADAM, all object level permissions are defined using the Active Directory utility DSACLS.exe, which is found in the ADAM program directory. When running ADAM utilities it is best to launch the ADAM Tools Command Prompt, which ensures the correct versions of the tools are used. DSACLS is used to view and set object access rights.

Example: "dsacls \\localhost:50010\dc=myCompany,dc=adam"

displays the permissions assigned to the root of partition dc=myCompany,dc=adam running on the localhost, port 50010. DSACLS is a complex tool used to create complex delegation. Run "DSACLS /?" for usage notes.
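As an added example that is not part of the original page, the following PowerShell script performs the delegation described above with DSACLS: it grants a single account generic read on one OU and then reads the ACL back to confirm nothing broader was granted. The port 50010 and partition name come from the command above; the OU name (Users) and the reader account DN (CN=svc-snow-reader) are assumptions.

```powershell
# Added example: delegate read-only access on one OU with DSACLS.
# Assumptions (not from the page): ADAM on localhost:50010, partition
# dc=myCompany,dc=adam, an OU named Users, and a reader account in that OU.
$env:Path = "$env:windir\adam;$env:Path"          # use the DSACLS shipped with ADAM
$Server   = 'localhost:50010'
$Target   = "\\$Server\OU=Users,DC=myCompany,DC=adam"
$Grantee  = 'CN=svc-snow-reader,OU=Users,DC=myCompany,DC=adam'   # ADAM principals are given as DNs

# GR = generic read. /I:T puts the ACE on the OU and every object beneath it,
# which is all the instance's read-only import account needs.
& dsacls $Target /I:T /G "${Grantee}:GR"
if ($LASTEXITCODE -ne 0) { throw "dsacls returned $LASTEXITCODE granting GR to $Grantee" }

# Read the ACL back and look for anything broader than read on this account
# (best-effort string match on the dsacls listing).
$acl  = & dsacls $Target
$mine = $acl | Where-Object { $_ -match [regex]::Escape($Grantee) }
$mine
if ($mine -match 'FULL CONTROL|WRITE|CREATE|DELETE') {
    Write-Warning "$Grantee holds more than read access on $Target; review before going live"
}
```

Run it from an elevated PowerShell session on the ADAM host with an account that is already in the partition's Administrators role. Granting on the OU rather than the partition root keeps the instance's account away from the Roles and LostAndFound containers.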

Related tasks

• Create containers and organizational units for ADAM


Related concepts

• Use ADAMSync to populate ADAM

Populating ADAM Objects


ADAM Objects include User Objects, UserProxy Object, and Group
Objects.

User Objects

Users can be created using the ADAM ADSI Edit console just as we did
for OU creation. Users can also be administered using AD command line
tools, which is beyond the scope of this document. The only mandatory
attribute for new user objects is the cn, which is a short name or the user’s
full name. There are also a wide range of optional attributes similar to
Active Directory user attributes. You can access the full list of attributes by
selecting properties from the user object.

UserProxy Objects

For ServiceNow LDAP integration we recommend you use UserProxy objects in ADAM. A UserProxy object is a proxy account that links to the related AD user account. This allows ADAM to authenticate logon credentials using AD usernames and passwords from the domain without ServiceNow connecting directly to the Domain Controller. UserProxy objects are very similar to AD and ADAM User objects except that they do not store passwords and have an objectSID attribute containing the SID of the linked AD User object; ADAM uses that SID to forward the bind to the domain, which is how the proxy works. Because the user's domain password is presented to ADAM in a simple bind, the connection from the instance to ADAM should be LDAPS (see Use LDAPS with ADAM). UserProxy objects can be created using the ADSIEdit console or command line tools, but this is tedious. It is recommended that you use an automated process as defined below.

Group Objects

Groups are created using the ADSIEdit console and AD command-line


tools. Group concepts are similar to AD and are used to integrate groups
and members to ServiceNow. The biggest difference is ADAM groups can
contain members from ADAM or from trusted AD Domains.


Automating ADAM Object Creation

If you are interested in synchronizing Active Directory accounts to ADAM, we recommend the Microsoft ADAMSync tool. This is the most common use of ADAM for ServiceNow LDAP integration.

About Permission Delegation

ADAM contains some built-in groups with default permissions. These groups are found in the container cn=roles,dc=myCompany,dc=adam. They are similar to domain level groups and have rights to objects in the current partition. Similar to AD Forests, you can also set a higher level of permissions using the default groups in the cn=Roles container of the Configuration partition (cn=Configuration,cn={GUID}, where the GUID identifies your configuration set); to see them, connect to the configuration partition in ADSIEdit. The Administrators group by default includes the account specified during setup. This member is not always visible since it is inherited through the configuration groups. Administrators have full control of all partition objects. The Readers group does not contain any members by default and has read access to all objects in the partition. The Users group is a dynamic group, just as it is in Active Directory; transitively it includes all ADAM users created in the partition.

Testing and troubleshooting ADAM setup


The primary tool used for testing is LDP. This allows you to fully test user
authentication.

Most of the object management can be completed using the ADAM ADSI Edit console, which provides access to the entire collection of objects and attributes. The highest level of control over, and troubleshooting of, the ADAM service is the Windows service created during the instance setup. The service name varies because it is derived from the instance name. The instance is unavailable unless this service is running. If you are experiencing connection problems, review the network configuration to ensure you have the appropriate network access to the server and the ADAM port. A Windows Event Log is created for each ADAM instance installed; it is also a great tool for troubleshooting ADAM services.

The Windows Security Event Log is also helpful when troubleshooting userProxy authentications. All userProxy logon attempts are logged in the Security Log and reference the remote client device address, the distinguished name of the user trying to log on, and the result or status code.

Backup and recovery with ADAM


All ADAM data can be backed up using standard file system backup methods. The instance's database and log files are held open while its Windows service is running, so use a backup method that can copy open files, or stop the service for the duration of the backup.

Redundancy

ADAM has built-in replication utilities based on the same technology as


AD. A full read and write replica of an ADAM partition can exist on
the same or different computer. You can use this replica in a variety of
ways to provide a fault-tolerant LDAP integration with the instance. One
option is to expose both partitions to the instance through the firewall
and define both servers in the LDAP Properties server field.

Related concepts

• Active Directory Application Mode (ADAM)

Use LDAPS with ADAM


The default configuration for userProxy object authentication is to enforce LDAPS (secure LDAP) communications. LDAPS requires SSL certificates to secure the network traffic.

To remove this requirement, make the following change using the ADSIEdit console connected to the configuration partition:

Object: CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration
Attribute: msDS-Other-Settings
Value: change RequiresSecureProxyBind from 1 (enforced) to 0 (disabled)

Restart the ADAM service to use the new setting. Disabling RequiresSecureProxyBind means every userProxy bind sends the user's domain password to ADAM in cleartext, so only do this for testing on an isolated network. For production, keep the default and install a certificate as described below.

To support secure binds and encrypt the user and password information being transmitted, an SSL certificate must be installed on the server and on any LDAP client. Since there are limited and controlled uses of the ADAM service, it is feasible to use a self-signed certificate, which meets the need without incurring certificate costs or building a Certificate Authority (CA) infrastructure. If you already have a CA, you can issue a certificate from it. Otherwise, create a self-signed certificate.

Creating a Self-Signed Certificate

To use the selfssl utility, Internet Information Services (IIS) must be installed.
This service can be removed after you generate the certificate. You can
get the selfssl.exe utility from the IIS Resource Kit. If IIS is already installed,
create a new website so that the current sites will not be impacted
during the certificate generation. Selfssl needs to temporarily attach the
new self-issued certificate to a valid web site.

Selfssl is a command-line tool and has the following common parameters.

Selfssl Parameter Descriptions

Parameter    Description
/T           Adds the cert to 'Trusted Certificates' on the local machine
/N:cn        Sets the common name of the certificate. This must match the fully qualified domain name of the server running the web service using the certificate
/K           Sets the strength of the key size in bits
/V           Number of days the cert is valid
/S           Web site ID to attach the certificate to
/P           IP port of the web service


The common name attribute should match the external name or address that the instance will use to connect to your ADAM computer. You will need to get the IIS website site ID unless you are using the default website, whose ID is 1 and does not need to be specified in the selfssl command. A sample command to generate a certificate for myCompany would be:

selfssl /N:CN=myCompany.externaldomain.com /K:1024 /V:3650 /S:12345 /P:50001 /T

This statement creates a certificate with a 1024-bit key that is valid for 10 years. Set the value to any duration, but be aware that the new certificate must be generated and submitted to the instance before the old one expires. We recommend making a note of the expiration date on the certificate. Two cautions for a current deployment: a 1024-bit RSA key is below current key-size guidance, so use /K:2048 or larger, and a ten-year validity period gives a leaked private key a ten-year useful life, so prefer a shorter period and plan the rotation.

Once the certificate is generated you can remove it from the website, or
delete the entire web site if you created a temporary site.

Assign the certificate to ADAM


Install an SSL certificate on the server and any LDAP client to support
secure binds and encrypt the user and password information being
transmitted.

Before you begin

Role required: admin

About this task

Because there is limited and controlled uses to the ADAM service,


it is feasible to use a self-signed certificate to meet your needs
without incurring certificate costs or building a Certificate Authority (CA)
infrastructure.

Procedure

1. Open the Certificates MMC console and create two console


connections, one for Local Computer Certificates, and the other for
Local Computer Services Certificates on the new ADAM service.
The new certificate can be found under Certificates (Local
Computer)\Personal\Certificates.

2. Copy the certificate to the ADAM service's stores: Certificates – Service (ADAM Service Name)\ADAM_ADAM Service Name\Trusted Root Certificates\Certificates, and also Certificates – Service (ADAM Service Name)\ADAM_ADAM Service Name\Personal\Certificates.


3. Open the details tab on the certificate that you copied, note the
Valid from date stamp, and assign read access to the certificate key
file.
Go to C:\Documents and Settings\All Users\Application
Data\Microsoft\Crypto\RSA\MachineKeys and identify the
certificate with the matching time stamp. Assign Read & Execute
rights to the service account running ADAM. By default, this is
Network Service.

4. Restart the ADAM service to activate the new certificate.

Export the public key certificate


LDAPS clients, including the instance, need the public key certificate in order to make a secure connection to ADAM.

Before you begin

Role required: admin

About this task

From the server certificate consoles you used above, export a public key
to be used by the clients.

Procedure

1. Select the certificate, right-click, and select all tasks/export.


Do not export the private key. Select the default DER encoded binary
X.509 format and specify the export file name.

2. Install the public certificate on the LDAP clients that connect to the
server using LDAPS.
When prompted, add the certificate to the Trusted Root Certificate
Authorities store.

Active Directory Application Mode (ADAM) Access Account

The system requires a user account to read the Active Directory Application Mode (ADAM) object information that is imported into the application instance.


Create the account by using one of the following methods:

• Create a local ADAM user account and assign it a password and


assign permissions.

• Assign permission to a Windows domain account on the ADAM


partition.

• Use a userProxy account.

When using ADAM as an LDAP source, you must specify the full distinguished name (DN) of the ADAM account in the instance's LDAP server Login distinguished name field.

Related concepts

• Active Directory Application Mode (ADAM)

Test the LDAPS connections


Test the LDAPS connections. Use LDP to verify that the ADAM instance accepts an SSL connection on the LDAPS port with the certificate you assigned, and that a simple bind succeeds over it.

Before you begin

Role required: admin

Procedure

1. Run LDP.exe from the ADAM install folder c:\windows\adam.


Verify that the ADAM version is selected because this is not the
standard Windows LDP client.

2. Open a new connection by using the Connection/Connect menu.


The server name must match the CN that is assigned to the
certificate.

3. Enter the LDAPS port and select the SSL check box.
The results of a successful connection are some general server
information and no errors.

4. Bind (log in) to the service.


To replicate typical LDAP client connections, select the Simple bind


option. Enter a valid ADAM user or userProxy distinguished name in
the user field and the associated password.
If you see a return message stating ‘Authenticated as:….’ then you
have successfully connected using LDAPS.
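The same test, scripted, as an added example that is not part of the original page. It uses the .NET System.DirectoryServices.Protocols classes from PowerShell to open the LDAPS port, inspect the certificate the instance presents (name match, chain to the Trusted Root store, and days until expiry, since an expired certificate breaks every logon), and then perform the same simple bind LDP does. The host name myCompany.externaldomain.com, port 50001 and the userProxy DN are assumptions.

```powershell
# Added example: scripted LDAPS check equivalent to the LDP procedure above.
# Assumptions (not from the page): LDAPS on myCompany.externaldomain.com:50001,
# that name being the certificate CN, and a userProxy CN=jdoe under OU=Users.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$Server = 'myCompany.externaldomain.com'
$Port   = 50001
$BindDn = 'CN=jdoe,OU=Users,DC=myCompany,DC=adam'
$Cred   = Get-Credential $BindDn            # prompts for the domain password behind the userProxy

$id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
$conn.SessionOptions.ProtocolVersion   = 3
$conn.SessionOptions.SecureSocketLayer = $true
$conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic   # simple bind, like LDP

# Inspect the certificate before trusting the session: the CN must match the host
# name the instance will use, the chain must build from the installed root, and
# an expiring certificate is reported so it can be renewed before logons fail.
$conn.SessionOptions.VerifyServerCertificate = [System.DirectoryServices.Protocols.VerifyServerCertificateCallback]{
    param($connection, $certificate)
    $cert     = [System.Security.Cryptography.X509Certificates.X509Certificate2]$certificate
    $daysLeft = ($cert.NotAfter - (Get-Date)).Days
    Write-Host ("Server certificate: {0}, expires {1} ({2} days left)" -f $cert.Subject, $cert.NotAfter, $daysLeft)
    if ($cert.Subject -notmatch ('CN=' + [regex]::Escape($Server))) {
        Write-Warning "certificate CN does not match $Server"; return $false
    }
    if ($daysLeft -lt 30) { Write-Warning 'renew and redeploy the certificate before it expires' }
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'       # a self-signed certificate publishes no CRL
    $ok = $chain.Build($cert)
    if (-not $ok) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
        Write-Warning "chain build failed (is the exported public certificate in Trusted Root?): $status"
    }
    return $ok
}

$conn.Credential = $Cred.GetNetworkCredential()   # user name is the DN for a simple bind
try {
    $conn.Bind()
    "Authenticated as $BindDn over LDAPS on ${Server}:$Port"
} catch [System.DirectoryServices.Protocols.LdapException] {
    # 49 = invalid credentials; 81 = server down, typically the certificate not yet
    # assigned to the ADAM service or the LDAPS port blocked by a firewall.
    Write-Error ("LDAPS bind failed: {0} (LDAP error {1})" -f $_.Exception.Message, $_.Exception.ErrorCode)
} finally {
    $conn.Dispose()
}
```

Run it from a client that has the exported public certificate in its Trusted Root store; a chain failure here means the instance will also refuse the connection. The callback returns false on a name mismatch so that a wrong certificate is never silently accepted.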

Use ADAMSync to populate ADAM


Administrators use MS ADAMSync to populate LDAP directories that use
MS ADAM.

Note:

This document assumes you have at least a basic level of


understanding with Microsoft Windows Server, Active Directory, and
ADAM and that you already have a functional Active Directory
Application Mode (ADAM) instance with a partition.

These are sample procedures. Due to the complexity and the fact
that it is running in your environment, we cannot offer direct support.
We recommend you work with Microsoft or a Microsoft consultant if
you run into any trouble.

Once ADAM has been installed and the first partition has been created,
you can populate it with objects.

The following options are available:

• Manual object creation using GUI or scripts. This option is inefficient and slow.

• Integrate with Active Directory using Microsoft Identity Integration Server (MIIS). This option ultimately provides the most flexibility and functionality but does require some advanced configuration. There is a free version of MIIS available that is compatible with Active Directory, ADAM, and Microsoft Global Address Lists from Exchange. Unless you already have experience with MIIS we advise that you don't attempt to implement a new environment for LDAP integration only.

• Use ADAMSync, a synchronization tool that Microsoft provides with ADAM. This is the option that is explained here.


Define ADAM user accounts


Define user accounts in ADAM. One user account is used for the instance
to connect with and the other user account is for ADAMSync.

Before you begin

Role required: admin

About this task

These accounts can be local ADAM User objects, UserProxy objects, or a


Windows account from a trusted domain.

The ADAM User account requires read-only access to the directory


structure you are importing to your instance. The best way to accomplish
this is to add the account to the member attribute on the Readers group
found in cn=roles,dc=myCompany,dc=adam.

New ADAM User accounts are disabled by default. You will need to
enable the new accounts and set a password.

Procedure

1. Enable users by changing the attribute msDS-UserAccountDisabled to


FALSE.

2. Right-click the user object and reset the password.

3. Test the new accounts by using LDP as defined in Active Directory


Application Mode (ADAM) to make sure they can connect.
Use the LDAP > View/Tree option, leaving the Base DN blank, to make sure that you can view the objects in the directory by using the new accounts. The Configuration, Schema, and domain partitions should be visible in the left pane. Traverse the domain partition. If a new local ADAM account shows 'No Children', the bind succeeded but the account has no read access to the objects: verify the group memberships set up above and re-test.

ADAMSync uses the ADAMSync User account to manage objects in


the ADAM partition. This account requires admin level rights since it
will create, update, and delete ADAM objects.


ADAMSync uses the ADAMSync AD account to read the AD objects


that will be synchronized to ADAM.
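The account setup above, scripted as an added example that is not part of the original page. It creates the read-only ADAM account the instance binds with, sets its password, enables it, adds it to the partition's Readers role, and then repeats the LDP test as a simple bind plus a search, so that the 'No Children' case is caught. The host name adam01.myCompany.com (which must match the certificate CN), LDAPS port 50001, partition dc=myCompany,dc=adam, OU name and account name are assumptions. Password operations are performed over LDAPS because ADAM refuses them over plain LDAP by default.

```powershell
# Added example: create and test the instance's read-only ADAM account.
# Assumptions (not from the page): LDAPS on adam01.myCompany.com:50001, partition
# dc=myCompany,dc=adam, an OU named Users, and the script run by an ADAM administrator.
Add-Type -AssemblyName System.DirectoryServices
$Ldaps  = 'adam01.myCompany.com:50001'   # password operations require LDAPS
$Base   = 'DC=myCompany,DC=adam'
$Name   = 'svc-snow-reader'
$UserDn = "CN=$Name,OU=Users,$Base"
$Secure = Read-Host -AsSecureString "Password for $Name"
$Plain  = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
            [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure))

# Administrative connection: Windows integrated authentication (Secure) over SSL,
# which is how the setup account was granted rights in the first place.
$AdminAuth = [System.DirectoryServices.AuthenticationTypes]::Secure -bor
             [System.DirectoryServices.AuthenticationTypes]::SecureSocketsLayer
$ou   = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Ldaps/OU=Users,$Base", $null, $null, $AdminAuth)
$user = $ou.Children.Add("CN=$Name", 'user')
$user.CommitChanges()                                 # new ADAM users are created disabled
$user.Invoke('SetPassword', $Plain)
$user.Properties['msDS-UserAccountDisabled'].Value = $false
$user.CommitChanges()

# Read-only rights come from membership of the partition's Readers role.
$readers = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Ldaps/CN=Readers,CN=Roles,$Base", $null, $null, $AdminAuth)
$readers.Properties['member'].Add($UserDn) | Out-Null
$readers.CommitChanges()

# Test exactly what the instance does: a simple bind with DN and password over LDAPS,
# then a one-level search. Zero results is LDP's 'No Children': the bind worked but
# the account cannot read the objects, so the Readers membership is wrong.
$SimpleSsl = [System.DirectoryServices.AuthenticationTypes]::SecureSocketsLayer
$asReader  = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Ldaps/OU=Users,$Base", $UserDn, $Plain, $SimpleSsl)
$search    = New-Object System.DirectoryServices.DirectorySearcher($asReader, '(objectClass=*)')
$search.SearchScope = 'OneLevel'
$found = $search.FindAll().Count
$Plain = $null                                        # drop the cleartext copy as soon as it is no longer needed
if ($found -eq 0) { Write-Warning "$UserDn bound but reads nothing under OU=Users; check its Readers membership" }
else { "$UserDn can read $found objects under OU=Users over LDAPS" }
```

The ADAMSync account is set up the same way but is added to the Administrators role instead, since it creates, updates and deletes objects; keep the two accounts separate so the instance's credential never carries write rights.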

Set up ADAMSync
ADAMSync is included with Windows Server 2003 R2. Download and
install ADAMSync if you are using a different OS.

Extending the schema


The ADAM schema needs to be extended to support ADAMSync.

1. Run the following command from c:\windows\adam to import the ADAMSync schema extensions. You may have to change the server:port and add credentials if the current user doesn't have access. See the MS-AdamSyncMetadata.ldf file for details.

ldifde -i -f MS-AdamSyncMetadata.LDF -s localhost:50000 -j . -c "cn=Configuration,dc=X" #configurationNamingContext

2. Do the same with MS-AdamSchemaW2k3.ldf to support Windows 2003 attributes.

ldifde -i -u -f MS-AdamSchemaW2K3.LDF -s localhost:50000 -j . -c "cn=Configuration,dc=X" #configurationNamingContext

Recommended schema changes


Here are some additional schema changes we recommend.

1. Open a new MMC console and add the ADAM Schema Snap-in.

2. Connect to the ADAM instance.

3. Expand the Classes folder and locate the userProxy class, open
Properties.

4. Verify the following optional attributes on the Attributes tab, add any
that do not already exist.

• company

• department


• givenName

• mail

• physicalDeliveryOfficeName

• sAMAccountName

• sn

• telephoneNumber

• title

• userAccountControl

• userPrincipalName

5. Restart the ADAM Service to enable the new settings.

Install the ADAM configuration file


Install the ADAM configuration file through the Windows command line.

Before you begin

Role required: admin

Procedure

1. Install the configuration file.

C:\WINDOWS\adam>adamsync /install localhost:50000 MS-AdamSyncConf-SNC.XML

2. Run the synchronization file to log to the console.

C:\WINDOWS\adam>adamsync /sync localhost:50000 "ou=users,dc=service-now,dc=adam" /log -

3. Review the results by using the ADSIEdit console.


You should see the new objects and attributes that were created by
ADAMSync.

4. Run LDP to test the UserProxy authentication.


Automating the sync process

Set up the sync process as a Windows Scheduled Task. You must either provide the credentials in the config file or on the command line, or run the Scheduled Task with an account that has access. Running the task as a dedicated service account avoids storing a password in the config file or the command line, where anyone who can read the ADAM directory could recover it.

Special notes

• You can create multiple configuration files and scheduled jobs to


sync ADAM from multiple sources.

This example imports the sAMAccountName attribute, which can be used as the application logon. If you are going to sync from more than one source, you need to make sure you have a unique attribute value that can be used for the logon credentials. sAMAccountName is guaranteed to be unique within a domain, but not across multiple domains.

• If you are using Microsoft Exchange, we recommend


excluding cn=SystemMailbox* objects as part of the object-filter
configuration.

All of the configurations for ADAMSync are stored in xml files.

Default configuration file with comments


There is a default configuration file called MS-AdamSyncConf.xml
included with the ADAMSync install. Make a copy of this file so you have
a base example to refer to in the future. This example is the default
configuration file with comments added.
<?xml version="1.0"?>
<doc>
  <configuration>
    <!-- Sync File Description -->
    <description>MyCompany ADAMSync Configuration</description>
    <security-mode>object</security-mode>
    <!-- source-ad-name = fqdn of the domain controller -->
    <source-ad-name>fully.qualified.domain.name.of.domain.controller</source-ad-name>
    <!-- source-ad-partition = root AD domain partition -->
    <source-ad-partition>dc=myCompany,dc=com</source-ad-partition>
    <!-- source-ad-account = use this to specify an account to connect to AD -->
    <!-- if not used, the current user will be used -->
    <source-ad-account></source-ad-account>
    <account-domain></account-domain>
    <!-- target-dn = target ADAM OU -->
    <target-dn>ou=servicenow users,dc=myCompany,dc=adam</target-dn>
    <query>
      <!-- base-dn = should be the root AD partition if you want all users -->
      <base-dn>dc=myCompany,dc=com</base-dn>
      <!-- object-filter = standard ldap query format, this will grab all users -->
      <!-- need to review results to see if you should modify this filter -->
      <object-filter>(objectCategory=person)</object-filter>
      <attributes>
        <!-- include=userproxy requires objectSID to link back to the AD account -->
        <include>objectSID</include>
        <include>givenName</include>
        <include>sn</include>
        <include>description</include>
        <include>title</include>
        <include>company</include>
        <include>department</include>
        <include>mail</include>
        <include>physicalDeliveryOfficeName</include>
        <include>telephoneNumber</include>
        <include>sAMAccountName</include>
      </attributes>
    </query>
    <!-- map for user-to-userproxy object types -->
    <user-proxy>
      <source-object-class>user</source-object-class>
      <target-object-class>userProxy</target-object-class>
    </user-proxy>
    <schedule>
      <aging>
        <frequency>0</frequency>
        <num-objects>0</num-objects>
      </aging>
      <schtasks-cmd></schtasks-cmd>
    </schedule>
  </configuration>
  <synchronizer-state>
    <dirsync-cookie></dirsync-cookie>
    <status></status>
    <authoritative-adam-instance></authoritative-adam-instance>
    <configuration-file-guid></configuration-file-guid>
    <last-sync-attempt-time></last-sync-attempt-time>
    <last-sync-success-time></last-sync-success-time>
    <last-sync-error-time></last-sync-error-time>
    <last-sync-error-string></last-sync-error-string>
    <consecutive-sync-failures></consecutive-sync-failures>
    <user-credentials></user-credentials>
    <runs-since-last-object-update></runs-since-last-object-update>
    <runs-since-last-full-sync></runs-since-last-full-sync>
  </synchronizer-state>
</doc>

LDAP filters configuration file


You can provide any level of filtering in the object-filter value in the configuration file. Use standard LDAP query syntax, but because the filter is stored inside an XML element, write the following operators as XML character references in place of the literal characters.

• AND = "&" replace with &#38;

• OR = "|" (vertical line) replace with &#124;

• NOT = "!" replace with &#33;
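The following PowerShell script is an added example, not part of the original page, that ties together the preceding sections on automating the sync, the special notes (excluding cn=SystemMailbox* objects) and the filter escaping above. It writes a configuration file from a normal LDAP filter with the operators converted to character references, checks by parsing the XML that the filter survived intact, installs and runs the configuration, and registers an hourly scheduled task that runs as a service account so no password is stored in the file. The instance (localhost:50000), the domain controller name, the partition and OU names, and the account myCompany\svc-adamsync are assumptions.

```powershell
# Added example: generate, verify, install and schedule an ADAMSync configuration.
# Assumptions (not from the page): ADAM on localhost:50000, target partition
# dc=myCompany,dc=adam, source domain dc=myCompany,dc=com with DC dc01.myCompany.com,
# and a domain account myCompany\svc-adamsync that reads AD and administers the ADAM OU.
$AdamPath = Join-Path $env:windir 'adam'
$CfgName  = 'MS-AdamSyncConf-myCompany.xml'
$Instance = 'localhost:50000'
$TargetDn = 'ou=servicenow users,dc=myCompany,dc=adam'

# Filter in ordinary LDAP syntax: user accounts only, skip Exchange system mailboxes,
# and skip disabled accounts (bit 2 of userAccountControl via the bitwise-AND rule).
$ldapFilter = '(&(objectCategory=person)(objectClass=user)' +
              '(!(cn=SystemMailbox*))' +
              '(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'

# ADAMSync reads the filter out of an XML element, so & | ! become character references.
function ConvertTo-AdamSyncFilter([string]$Filter) {
    $Filter.Replace('&', '&#38;').Replace('|', '&#124;').Replace('!', '&#33;')
}

$includes = 'objectSID','givenName','sn','mail','sAMAccountName','userAccountControl','title','department' |
            ForEach-Object { "        <include>$_</include>" }

# source-ad-account is left empty on purpose: the sync runs under the scheduled task's
# identity instead of a password written into this file.
$xml = @"
<?xml version="1.0"?>
<doc>
  <configuration>
    <description>myCompany ADAMSync Configuration</description>
    <security-mode>object</security-mode>
    <source-ad-name>dc01.myCompany.com</source-ad-name>
    <source-ad-partition>dc=myCompany,dc=com</source-ad-partition>
    <source-ad-account></source-ad-account>
    <account-domain></account-domain>
    <target-dn>$TargetDn</target-dn>
    <query>
      <base-dn>dc=myCompany,dc=com</base-dn>
      <object-filter>$(ConvertTo-AdamSyncFilter $ldapFilter)</object-filter>
      <attributes>
$($includes -join "`n")
      </attributes>
    </query>
    <user-proxy>
      <source-object-class>user</source-object-class>
      <target-object-class>userProxy</target-object-class>
    </user-proxy>
    <schedule>
      <aging><frequency>0</frequency><num-objects>0</num-objects></aging>
      <schtasks-cmd></schtasks-cmd>
    </schedule>
  </configuration>
  <synchronizer-state>
    <dirsync-cookie></dirsync-cookie>
    <status></status>
    <authoritative-adam-instance></authoritative-adam-instance>
    <configuration-file-guid></configuration-file-guid>
    <last-sync-attempt-time></last-sync-attempt-time>
    <last-sync-success-time></last-sync-success-time>
    <last-sync-error-time></last-sync-error-time>
    <last-sync-error-string></last-sync-error-string>
    <consecutive-sync-failures></consecutive-sync-failures>
    <user-credentials></user-credentials>
    <runs-since-last-object-update></runs-since-last-object-update>
    <runs-since-last-full-sync></runs-since-last-full-sync>
  </synchronizer-state>
</doc>
"@
Push-Location $AdamPath
Set-Content -Path $CfgName -Value $xml -Encoding ASCII

# Parse the file back: the XML parser must decode the references to the original filter.
$parsed = ([xml](Get-Content $CfgName)).doc.configuration.query.'object-filter'
if ($parsed -ne $ldapFilter) { throw "object-filter escaping is wrong: $parsed" }

# Install the configuration into the instance and run one sync with console logging.
& .\adamsync.exe /install $Instance $CfgName
& .\adamsync.exe /sync $Instance "$TargetDn" /log -

# Scheduled task: a wrapper .cmd avoids nested quoting problems in /TR and gives a log file.
$runner = Join-Path $AdamPath 'adamsync-myCompany.cmd'
Set-Content -Path $runner -Encoding ASCII -Value @"
@echo off
"$AdamPath\adamsync.exe" /sync $Instance "$TargetDn" /log "$AdamPath\adamsync-myCompany.log"
"@
# /RP * prompts for the service account password rather than placing it on the command line.
schtasks /Create /TN 'ADAMSync myCompany' /SC HOURLY /RU 'myCompany\svc-adamsync' /RP * /TR $runner
Pop-Location
```

The parse-back check is the useful part: a filter that is written with a literal "&" produces a file that fails to load, while one that is double-escaped loads but silently matches nothing, and ADSIEdit then shows an empty target OU with no error from the sync.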

Reference configuration file


Here's an actual configuration file that can be referenced as a sample.
<?xml version="1.0"?>
<doc>
  <configuration>
    <description>SNCTest ADAMSync Configuration</description>
    <security-mode>object</security-mode>
    <source-ad-name>domaincontroller.service-now.com</source-ad-name>
    <source-ad-partition>dc=service-now,dc=com</source-ad-partition>
    <source-ad-account></source-ad-account>
    <account-domain></account-domain>
    <target-dn>ou=servicenow users,dc=service-now,dc=adam</target-dn>
    <query>
      <base-dn>dc=service-now,dc=com</base-dn>
      <object-filter>(objectCategory=person)</object-filter>
      <attributes>
        <include>objectSID</include>
        <include>givenName</include>
        <include>sn</include>
        <include>description</include>
        <include>title</include>
        <include>company</include>
        <include>department</include>
        <include>mail</include>
        <include>physicalDeliveryOfficeName</include>
        <include>telephoneNumber</include>
        <include>userAccountControl</include>
      </attributes>
    </query>
    <user-proxy>
      <source-object-class>user</source-object-class>
      <target-object-class>userProxy</target-object-class>
    </user-proxy>
    <schedule>
      <aging>
        <frequency>0</frequency>
        <num-objects>0</num-objects>
      </aging>
      <schtasks-cmd></schtasks-cmd>
    </schedule>
  </configuration>
  <synchronizer-state>
    <dirsync-cookie></dirsync-cookie>
    <status></status>
    <authoritative-adam-instance></authoritative-adam-instance>
    <configuration-file-guid></configuration-file-guid>
    <last-sync-attempt-time></last-sync-attempt-time>
    <last-sync-success-time></last-sync-success-time>
    <last-sync-error-time></last-sync-error-time>
    <last-sync-error-string></last-sync-error-string>
    <consecutive-sync-failures></consecutive-sync-failures>
    <user-credentials></user-credentials>
    <runs-since-last-object-update></runs-since-last-object-update>
    <runs-since-last-full-sync></runs-since-last-full-sync>
  </synchronizer-state>
</doc>

Configure Microsoft Active Directory for secure LDAPS communication

Use certificate pairs to enable Microsoft Active Directory (AD) LDAPS communications.

Note: These procedures were designed and tested using Windows
2003 R2 Standard Edition and work with all versions of Windows 2003.

Secure LDAP (LDAPS) communication is similar to SSL (HTTPS)
communication in that both encrypt the data between servers and
clients. To accomplish this, the server and clients share common
information by using certificate pairs. The server holds the private
key certificate and the clients hold the public key certificate. These
certificates are required to enable Microsoft Active Directory (AD) LDAPS
communications.

To configure LDAPS for Active Directory you must:

• Ensure that the Active Directory domain is set up and that the instance
is able to connect to the Active Directory server through the firewall.

• Verify that there is a Certificate Authority (CA) that can issue a
certificate for the domain controller (DC). If you don't already have
a CA infrastructure, there are two options:

• Set up a stand-alone CA to issue the certificate

• Request a third-party certificate

• If you already have a CA in place, you can generate a certificate from
an internal CA.

All certificates have a defined expiration date, which can be viewed in
the certificate properties. If the certificate expires, all LDAPS traffic fails,
and your users can no longer log into the instance. To resolve this, a new
certificate must be issued and installed on your instance.

The default expiration for Microsoft CA certificates is one year. External
CA certificates are usually purchased in one-year increments. Note when
your certificate expires, or use the application's Expiration Notification
function (located in System LDAP > Certificates). Ensure that you have a
new certificate ready before the old one expires. This gives you time to
install and test the new certificate before the old one expires.

Set up a stand-alone certificate authority for Active Directory

The first step to configure Microsoft Active Directory for SSL access is to set
up a stand-alone Certificate Authority (CA).

Before you begin

Role required: admin

About this task

Do not worry about additional resource utilization, because both of
the required services (IIS and CA) can be disabled after issuing the
certificate(s).

Procedure

1. Install Internet Information Server (IIS).

2. Install Certificate Authority Services in stand-alone mode.

3. Verify the Certificate Services web application is installed and active.

What to do next

Using the IIS Manager console, expand the local computer and select
Web Sites. The state of Default Web Site should be Running. You should
also see a CertSrv application listed under the Default Web Site. If the
site is not running or the application is missing, you must resolve the issue
before you proceed.

Generate a certificate from an internal certificate authority

When you configure Microsoft Active Directory for SSL access, you must
generate an internal certificate and request the external certificate.

Before you begin

Role required: admin

About this task

These steps apply to Microsoft CA services. If you have a different internal
CA platform, see your local CA administrator for assistance.

Procedure

1. From the domain controller (DC) you want to create a certificate
for, browse to http://localhost/certsrv or specify the CA server
name if it is on a remote server.

2. From the Welcome page, click Request a certificate and select
advanced certificate request.

3. On the Advanced Certificate Request page, select Create and
submit a request to this CA.

4. Complete the Advanced Certificate Request as follows:

Advanced Certificate Request fields

Field: Entry

Name: The fully qualified domain name (FQDN) of the DC that is
requesting the certificate.

E-Mail: The email address of the person responsible for the certificate.

Company: Your company name.

Key Options settings

Create new key set: Select it.

CSR: Microsoft RSA SChannel Cryptographic Provider.

Key Usage: Exchange.

Key Size: 1024 is recommended. The instance supports up to 2048.

Automatic key container name: Select it.

Store certificate in the local computer certificate store: Select it.

5. Click Submit.
You are directed to a page that provides your Request ID; make a note
of this ID.

6. To process the pending request, complete the following:

a. Open the Certificate Authority management console.

b. Expand the server node and select Pending Requests.

c. Locate the Request ID for the request you just submitted, right-
click, and select All Tasks/Issue to approve the request and issue
the certificate.

7. To retrieve the issued certificate, complete the following:

a. From the DC you made the request from, browse to
http://localhost/certsrv, or specify the CA server name if it is on a
remote server.

b. Select View the status of a pending certificate request.

c. Select the link to the new certificate.

d. Select the link to Install this certificate.

What to do next

You need to request a third-party certificate. Certificates from external
CAs can be purchased for as little as $30 per year. For detailed
procedures on requesting a certificate from an external CA, see
Microsoft article 321051. After it is received, installed, and tested, follow
the export procedure.

Test the LDAPS connectivity locally

Test the LDAPS connectivity after installing the internal and third-party
certificates when you configure Microsoft Active Directory for SSL access.

Before you begin

Role required: admin

Procedure

1. Ensure that Windows Support Tools are installed on the domain
controller (DC).
The Support Tools setup (suptools.msi) can be found in the
\Support\Tools directory on your Windows Server CD.

2. Navigate to Start > All Programs > Windows Support Tools >
Command Prompt.
On the command line, enter ldp to start the tool.

3. From the ldp window, select Connection > Connect and supply the
local FQDN and port number (636).

Also select the SSL check box.

If successful, a window displays information about the Active Directory
SSL connection. If the connection is unsuccessful, try restarting your
system and repeat this procedure.

Export the public key certificate to trust the LDAP certificate

Export the public key certificate and import it into the application when
you configure Microsoft Active Directory for SSL access.

Before you begin

Role required: admin

About this task

If your Certificate Authority is not a trusted third-party vendor, you must
export the certificate of the issuing CA so that the instance can trust it
and, by association, trust the LDAP server certificate. For MS Certificate
Services users, you can view the certificate path by viewing the
certificate in the console used to export; select the Certificate Path tab.
You must export all certificates in the chain. You can find the CA
certificate in the same folder as the LDAP certificate by looking for the
name in the Certificate Path. Submit all certificates for importing to your
instance.

Procedure

1. From a current or new MMC console, add the Certificates (Local
Computer) snap-in.

2. Open the Personal/Certificates folder.

3. Locate the new certificate.
The Issued to column shows the FQDN of the domain controller.

4. Right-click the certificate and select All Tasks/Export.

5. Export to DER or Base-64 format.
Name the file using the format MyCompany.cer. This is the public key
certificate that needs to be used on the instance to communicate
securely with your domain controller.

6. Test LDAPS locally before you submit the certificate to the instance.

What to do next

After completing this procedure, import the public key certificate into the
application.

See Install the LDAP X.509 SSL certificate to upload the certificate into the
application.
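The local ldp test, the expiration notes earlier in this section, and the chain export above can all be exercised from a non-Windows host with the following added example. It is not ServiceNow code and not part of the original procedure. It assumes the CA certificate (or the whole chain, concatenated in Base-64 form) was exported as MyCompany.cer, that the host name given is the DC's FQDN exactly as it appears in the certificate, and a 30-day renewal lead time (WARN_DAYS) that is an assumed value; the function and constant names are this example's own. It trusts only the exported CA, which mirrors what the instance does once the certificate is uploaded, so a chain or name mismatch surfaces here as an SSLCertVerificationError rather than as failed logins later. Pass port 3269 to test a Global Catalog endpoint.

```python
"""Verify a domain controller's LDAPS endpoint against an exported CA.

Added example, not ServiceNow code.  Assumes the CA certificate was
exported as described above (MyCompany.cer, DER or Base-64) and that the
host name passed in is the DC's FQDN, the name in the certificate.
"""
import socket
import ssl
import time
from typing import Optional

LDAPS_PORT = 636      # default LDAPS port on a domain controller
GC_LDAPS_PORT = 3269  # LDAPS port for the Global Catalog role
WARN_DAYS = 30        # assumed lead time for renewing the certificate


def ca_bytes_to_pem(data: bytes) -> str:
    """Accept an exported CA certificate (or chain) in Base-64 or DER form.

    The MMC export wizard offers both encodings; the ssl module takes PEM
    text, so a DER file is re-encoded here.  A Base-64 file that already
    holds several certificates (the whole chain) is passed through intact.
    """
    if b"-----BEGIN CERTIFICATE-----" in data:
        return data.decode("ascii")
    return ssl.DER_cert_to_PEM_cert(data)


def days_until_expiry(not_after: str, now: Optional[float] = None) -> float:
    """Days left on a certificate, given its notAfter field in the form the
    ssl module reports it, e.g. 'Apr  5 12:00:00 2025 GMT'."""
    expires = ssl.cert_time_to_seconds(not_after)
    if now is None:
        now = time.time()
    return (expires - now) / 86400.0


def check_ldaps(host: str, ca_cert: bytes, port: int = LDAPS_PORT,
                timeout: float = 10.0) -> dict:
    """Open a TLS connection to host:port, require that the server
    certificate chains to the exported CA and matches the host name, and
    return the certificate's subject, issuer and remaining lifetime.

    A failed chain or name check raises ssl.SSLCertVerificationError, the
    same condition that would stop the instance's LDAPS logins.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # verifies chain and host name
    ctx.load_verify_locations(cadata=ca_bytes_to_pem(ca_cert))  # trust only this CA
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()  # populated only after verification succeeds
    remaining = days_until_expiry(cert["notAfter"])
    return {
        "subject": dict(rdn[0] for rdn in cert["subject"]),
        "issuer": dict(rdn[0] for rdn in cert["issuer"]),
        "not_after": cert["notAfter"],
        "days_remaining": remaining,
        "renew_soon": remaining < WARN_DAYS,
    }


if __name__ == "__main__":
    import sys
    # usage: python check_ldaps.py <dc-fqdn> MyCompany.cer [port]
    dc_fqdn, ca_path = sys.argv[1], sys.argv[2]
    dc_port = int(sys.argv[3]) if len(sys.argv) > 3 else LDAPS_PORT
    with open(ca_path, "rb") as fh:
        print(check_ldaps(dc_fqdn, fh.read(), dc_port))
```

A renew_soon result of True is the point at which the Expiration Notification function described above would also be warning you; the check is cheap enough to schedule daily so that a certificate is never discovered expired by failed logins.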

LDAP global catalog usage

A DC can be granted the Global Catalog (GC) role. The Global Catalog
is an LDAP-compliant directory consisting of a partial representation of
every object from every domain within a forest.

Administrators configure Active Directory to host Lightweight Directory
Access Protocol (LDAP) directory information using one of the following
hosting methods.

• The common method of hosting LDAP directory information is to use
the default LDAP or LDAPS (secure LDAP) on ports 389 or 636. These
standard LDAP ports always exist on a Domain Controller (DC) and are
rarely changed. Accessing this directory partition provides access to all
of the objects within the domain that is hosted on the DC. There is no
way to access objects from other domains using this method.

• A DC can also be granted the Global Catalog (GC) role. The Global
Catalog is an LDAP-compliant directory consisting of a partial
representation of every object from every domain within the forest. This
LDAP directory can be accessed on port 3268, with LDAPS on port
3269. The certificate requirements for LDAPS on the GC port and on the
default LDAP port are the same.

Global Catalog LDAP dependencies

• The domain controller that your instance connects to must have the
Global Catalog role enabled.

• Firewall rules must allow inbound traffic to the domain controller on port
3268 (LDAP) or 3269 (LDAPS).

Special notes

• Not all attributes are replicated to the GC partition. Common attributes
such as first name, last name, email, phone number, description, and
address are included. Additional attributes can be added to the GC
but should be limited to minimize the impact on forest replication traffic.

• Standard LDAP integrations usually use sAMAccountName as the
instance's UserID and as the coalesce key in the LDAP import map, since
this value is guaranteed to be unique within a domain. It is no longer
unique when viewing an entire forest of domains, so a new unique
attribute must be identified and used as the UserID and the coalesce
key. These do not need to be the same attribute and may vary based
on your forest design. Consult your Active Directory administrator.
Typically, userPrincipalName is unique across domains; it may not be a
user-friendly name to log in with, but it can serve as the unique
identifier on imports. A common attribute used for the UserID is the
email address. These decisions affect the LDAP Properties and the LDAP
Mapping.

• The value used for the coalesce key on the LDAP import map must be
unique and must exist on every object being imported. If it is not unique
or does not exist, the wrong records are updated with changes.

• If you already have an LDAP integration and want to change it to a GC,
change the import coalesce key. The new key values must be imported
before you can change the coalesce key.

• If you make any changes to your LDAP integration that break the
integration, your first step should be to revert those changes. After
that, contact Customer Service and Support with complete information
about what you are attempting.

OpenLDAP minor schema modification

In OpenLDAP 2.3 systems that use the back-bdb (Berkeley DB) backend,
administrators make a minor modification to their schema to facilitate
the integration.

Warning: The customization described here was developed for
use in specific instances, and is not supported by Now Support. This
method is provided as-is and should be tested thoroughly before
implementation. Post all questions and comments regarding this
customization to our community forum.

In OpenLDAP 2.3, back-bdb has limited support for inequality
indexing (ordering). It is implemented only for the generalizedTime and
ChangeSequenceNumber syntaxes. It cannot be supported on syntaxes that
support substrings. Search filters containing inequalities are processed
using the presence index.

We recommend creating a custom attribute for this purpose (for example,
servnowid) instead of changing what is already indexed or present in the
schema.

Modify the OpenLDAP schema

These steps detail a schema modification to OpenLDAP 2.3, provided by
one of our customers, that helped them integrate with their instance.

Before you begin

Role required: admin

About this task

Warning: The customization described here was developed for
use in specific instances, and is not supported by Now Support. This
method is provided as-is and should be tested thoroughly before
implementation. Post all questions and comments regarding this
customization to our community forum.

To modify the OpenLDAP schema for integration with the instance:

Procedure

1. Create a custom attribute.

# slapd.conf attribute definition (the directive is attributetype).
# Directory String syntax with case-insensitive equality and ordering,
# which is what the presence-indexed inequality searches below rely on.
attributetype ( 1.3.6.1.4.1.3403000.2.1.8
    NAME 'servnowid'
    EQUALITY caseIgnoreMatch
    ORDERING caseIgnoreOrderingMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

2. Include the attribute in the selected objectclass OID.

objectclass ( 1.3.6.1.4.1.3403000.2.2.1
    NAME 'BcfUserIdentifiers' SUP top AUXILIARY
    MAY ( uniqid $ unixid $ servnowid ) )

In OpenLDAP 2.3, you can dynamically change the server
configuration, but you can only extend the schema. You cannot
modify or delete the existing schema. Instead of creating another
objectclass for this attribute in the dynamic configuration, use the
static configuration file, slapd.conf.

3. In slapd.conf, include indexing for the new attribute in the bdb
section of your main database backend.

database bdb
(configs here) ....

index servnowid pres

(other indexes here) .....

4. As root, run slapindex to index this attribute and make it available in
search filters.
Make sure that the OpenLDAP daemon is not running or is in read-only
mode before starting slapindex.

Record LDAP deletions

By default, the instance does not delete any entries after they disappear
from LDAP.

Deleting an entry (also referred to as a record) also deletes the entry's
entire history and every reference to it.

For example, configuration items (CIs), SLA agreements, software
licenses, purchase orders, and service catalog entries all have a
reference to Department, and if a department is deleted, then the

integration clears all references to the department. Likewise, deleting a
user results in losing all history of what that user did.

Decide whether to retain or delete all records from a table according to
your organization's needs.
