LDAP Integration

Organizations generally need a single user account directory so that people can log in to many different applications with one identity. Companies commonly keep their user and group stores in an LDAP directory. Here we will learn what LDAP integration is, its features, and the steps to establish it.

Let's start discussing one after the other.

What is LDAP integration?

With an LDAP integration, your instance can use your existing LDAP server as the primary source of user data. Administrators integrate with a Lightweight Directory Access Protocol (LDAP) directory to automate administrative tasks such as creating users and assigning them roles. An LDAP integration is typically included as part of a single sign-on implementation.

The integration uses the LDAP service account credentials to retrieve the user's distinguished name (DN) from the LDAP server. Given the user's DN, the integration rebinds with LDAP using that DN and the password the user entered. The password is contained entirely within the HTTPS session; the integration never saves LDAP passwords. The integration uses a read-only connection and never writes to the LDAP directory: it only queries for data and then updates its own internal database as needed.


Prerequisites for LDAP integration:

The following are the prerequisites for LDAP integration:

  • A directory services server that is LDAP v3 compliant and allows inbound network access through the firewall (ServiceNow to LDAP).
  • The ServiceNow IP addresses that will be permitted are 199.x.x.x (obtain them from HI).
  • The LDAP server's external IP address or fully-qualified domain name.
  • A read-only LDAP account of your choice.
  • A secure internet connection between the ServiceNow and LDAP servers.

A secure connection can be achieved in one of two ways:

  1. Secure connection through SSL
  2. Secure connection through IPSecVPN tunnel.

Generally there are two aspects of integration. They are:

  1. Data population
  2. Authentication

Data population:

Integration with LDAP servers allows user records to be imported quickly and easily from an existing LDAP database into ServiceNow. Configuration flags let you either create or ignore/skip incoming LDAP records so that data inconsistencies are avoided. You can also limit the data the integration imports by specifying LDAP attributes; if no attributes are specified, all attributes of the matching objects are imported.

Authentication:

When a user attempts to log in to an LDAP-integrated ServiceNow environment, the credentials are sent to all defined LDAP servers. After processing the credentials, the LDAP server sends a response with the authorization status, which determines whether access to the ServiceNow application is granted.

One example of LDAP integration (figure not included)


Steps to establish LDAP Integration

The following are the steps required to establish LDAP integration. They are:

Step 1: Identify the LDAP Communication Channel

By default, an SSL-encrypted LDAP integration (LDAPS) communicates over TCP on port 636. This communication channel requires a certificate; to obtain and upload it, proceed to Step 2. The alternative is a VPN connection, which communicates through an IPSEC tunnel that you must purchase or create on your local network. In this section we will go over LDAP integration with a PEM certificate, which is a type of X.509 certificate that the customer can obtain.

Step 2: Upload the X.509 Certificate

If it has not already been completed as part of the ServiceNow Go-Live activities checklist, an administrator can:

  • Obtain or create an SSL certificate for the LDAP server.
  • Then, on the server, upload the new LDAP certificate.

You need to fill all the required fields such as:

  • Name – The certificate's name should be unique.
  • Expiration notification – to send a notification in advance of a certificate expiration.
  • Active – Use the certificate for request signing and secure communication.
  • Short Description [Optional] – A description that includes any certificate attributes such as the requester name or server name.
  • Issuer – As soon as the certificate is attached, ServiceNow automatically adds the certificate issuer to this field.
  • Subject – As soon as the certificate is attached, ServiceNow automatically adds the certificate subject to this field.
  • PEM Certificate – In the case of a PEM certificate, copy the certificate content from beginning to end. ServiceNow decodes the certificate automatically.
  • Format – Choose a certificate format. PEM and DER file formats are supported by ServiceNow. See Create a Certificate for more information.
  • Type – Choose a certificate container. Certificates from trust stores, Java key stores, and PKCS12 key stores are all recognized by ServiceNow.
  • Valid from – Auto-populated by ServiceNow from the certificate attribute 'Valid from'.
  • Expires – Auto-populated from the certificate attribute 'Expiration date'.

Step 3: Define the LDAP server

To add a new LDAP server record to ServiceNow, follow these steps:

  • Select System LDAP > Create New Server.
  • Fill in the connection settings.
  • Click the Submit button.

You need to fill all the required fields such as:

  • Server type – Active Directory (ADAM) is the default LDAP server type. If this does not apply to your LDAP configuration, select Other.
  • Server Name – Enter a name that will be used to identify this LDAP server in lists and log details. LDAP Asia, for example, identifies the corporate directory of users in Asia.
  • Server URL – Specify the communication protocol, the LDAP server IP address or fully-qualified domain name, and the port on which the LDAP server listens. For example: ldap://host-name:389/
  • Starting search directory – Specify the directory (or Relative Distinguished Name) where ServiceNow begins searching for users and/or groups. Suppose the company's LDAP directory has several OUs under the root: ou=computers, ou=users, ou=servers, and ou=misc. Since all company users are located in the users OU, the starting search directory is ou=users,dc=domain,dc=com. This prevents the LDAP browser tool from having to search through the other OUs, saving time and resources. After saving these details, the form shows further fields such as Login distinguished name and Login password.
  • MID Server – Choose the MID Server to connect to the LDAP Server.
  • Connect timeout – The number of seconds the integration waits for an LDAP connection to be established; a connection request that exceeds this timeout is terminated.
  • Read timeout – The number of seconds the integration waits while reading LDAP data before it stops.
  • SSL – Allows the LDAP server to initiate an SSL-encrypted connection.
  • Listen interval – The number of minutes the integration listens for LDAP data on each connection before it stops reading.
  • Paging – Return the LDAP attribute data in multiple result sets (pages) instead of a single large set.


Step 4: Provide the LDAP server login details

What organizational units the integration can see is determined by the LDAP login credentials. Servers that allow anonymous login generally restrict the organizational unit (OU) data that anonymous connections can access.

  • From the filter navigator, go to System LDAP > LDAP Servers.
  • Choose an LDAP server to configure.
  • Under Login distinguished name, enter the credentials of a user account that has read access to the directory levels from which users or groups are to be imported. If no password is supplied, an anonymous login to the LDAP server is attempted. The Login distinguished name fields support a variety of formats.

For a Microsoft Active Directory (AD) server, the format can be any of:

user@domain.com, domain\user

cn=user,ou=users,dc=domain,dc=com

For any other server, the username must be provided as the full distinguished name:

cn=user,ou=users,dc=domain,dc=com

  • Enter the LDAP user's password in Login password.
  • If you provide an LDAP password, the integration performs a Simple Bind operation. If you do not, the LDAP server must allow anonymous login; if it does not, the integration will fail to connect to the LDAP server.
  • Check the box next to Active.
  • Click the Update button.

Step 5: Test the connection

Every time a user opens the LDAP Server form, ServiceNow automatically establishes a test connection. If there are any problems connecting to the LDAP server, error messages appear on the form.

  • Using the filter navigator, navigate to System LDAP > LDAP Servers.
  • Choose an LDAP server to test.
  • Click Test connection under Related Links.
  • You can use the Browse option to confirm the visibility of the appropriate LDAP directory structure.

Step 6: Define OUs within the server

An OU definition specifies the LDAP source directories that the integration can access. Locations, people, and user groups are all included in OU definitions. Every LDAP server definition includes two OU definitions: one for importing groups and the other for users.

  • Using the filter navigator, navigate to System LDAP > LDAP Servers.
  • Choose the LDAP server that must be configured.
  • Select Groups or Users as a sample OU definition from the related list.
  • Fill out the LDAP OU Definition form.
  • Click the Update button.
  • From the Dublin release onwards, the Test connection related link is no longer listed and the connection is tested automatically.
  • On releases prior to Dublin, go to Related Links and click Test connection to confirm the connection.
  • Click Browse under Related Links to view the records returned by the OU definition.

Fill in all the required fields as described below.

  • Name – The name of the integration to be used when referring to this OU; the record created becomes an LDAP target in the data source record.
  • RDN – Relative distinguished name of the subdirectory to be searched.
  • Query field – The attribute against which the records are queried; it must be unique across all domains/instances.
  • Active – Activates the OU definition so that administrators can test the data import.
  • Table – The ServiceNow table that receives the mapped data from the LDAP server; select the user or group table as required.
  • Filter – An LDAP filter string that can be used to select specific records to import from the OU.
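As an added example (not ServiceNow code), the following Python shows how the RDN combines with the server's starting search directory to form the search base, and how a Filter string of the kind entered in the OU definition is parsed and evaluated against a small constructed directory. It also shows how a value interpolated into a filter must be escaped so that it is matched literally. The function names and the ENTRIES directory are assumptions for illustration; the filter subset covered is equality, presence, and the &, | and ! operators.

```python
"""Search base and filter handling for an LDAP OU definition.

Added example, not ServiceNow code. It implements the RFC 4515 filter subset
most OU definitions use (equality, presence, and/or/not) over constructed
entries; function names and the ENTRIES below are assumptions for illustration.
"""
import re

# Constructed entries: DN -> attributes (multi-valued, as in LDAP).
ENTRIES = {
    "cn=alice,ou=users,dc=example,dc=com": {
        "objectClass": ["person", "user"], "sAMAccountName": ["alice"],
        "memberOf": ["cn=servicenow-users,ou=groups,dc=example,dc=com"]},
    "cn=bob,ou=users,dc=example,dc=com": {
        "objectClass": ["person", "user"], "sAMAccountName": ["bob"]},
    "cn=svc-snow,ou=service,dc=example,dc=com": {
        "objectClass": ["person", "user"], "sAMAccountName": ["svc-snow"]},
    "cn=servicenow-users,ou=groups,dc=example,dc=com": {
        "objectClass": ["group"], "cn": ["servicenow-users"]},
}


def search_base(rdn, starting_directory):
    """The OU definition's RDN is prepended to the server's starting search directory."""
    return f"{rdn},{starting_directory}" if rdn else starting_directory


def escape_filter_value(value):
    """Escape a value placed inside a filter (RFC 4515) so that it is matched
    literally and cannot change the structure of the filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def _unescape(raw):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), raw)


def parse_filter(text):
    """Parse a filter string into a tree of tuples; reject trailing text."""
    node, end = _parse(text, 0)
    if end != len(text):
        raise ValueError(f"unexpected text after filter at offset {end}")
    return node


def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i < len(s) and s[i] in "&|!":
        op = s[i]
        i += 1
        children = []
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if i >= len(s) or s[i] != ")" or not children or (op == "!" and len(children) != 1):
            raise ValueError(f"malformed '{op}' component at offset {i}")
        return (op, children), i + 1
    close = s.index(")", i)          # a literal ')' in a value must be escaped as \29
    eq = s.index("=", i, close)
    attr, raw = s[i:eq], s[eq + 1:close]
    if raw == "*":
        return ("present", attr), close + 1
    return ("eq", attr, _unescape(raw)), close + 1


def _values(entry, attr):
    # Attribute names are case-insensitive in LDAP.
    for name, vals in entry.items():
        if name.lower() == attr.lower():
            return vals if isinstance(vals, list) else [vals]
    return []


def matches(node, entry):
    """Evaluate a parsed filter against one entry's attributes."""
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    vals = _values(entry, node[1])
    if kind == "present":
        return bool(vals)
    # Assumes caseIgnoreMatch; real matching rules come from the directory schema.
    return any(v.lower() == node[2].lower() for v in vals)


def select(entries, base, filter_text):
    """Return the DNs at or under base that satisfy the OU definition's filter."""
    node = parse_filter(filter_text)
    suffix = base.lower()
    return [dn for dn, attrs in entries.items()
            if (dn.lower() == suffix or dn.lower().endswith("," + suffix))
            and matches(node, attrs)]


if __name__ == "__main__":
    base = search_base("ou=users", "dc=example,dc=com")
    print(select(ENTRIES, base, "(&(objectClass=person)(sAMAccountName=*))"))
    print(select(ENTRIES, base, "(sAMAccountName=%s)" % escape_filter_value("*")))
```

The last call in the usage section shows why escaping matters: an unescaped `*` turns an equality test into a presence test that matches every user under the base, while the escaped form `\2a` only matches an account literally named `*`.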

Step 7: Create a data source

Each LDAP OU definition has its own list of data sources associated with it.

To create a new data source, follow these steps:

  • Select System LDAP > LDAP Servers.
  • Choose an LDAP server to configure.
  • Select an item from the LDAP OU Definitions related list, such as Groups or Users.
  • Click New in the Data Sources related list.
  • Fill out the Data Source form (see table).
  • Click the Submit button.
  • Click Test Load 20 Records under Related Links to see if the data source can bring LDAP data into the import table.

Fill in all the required fields as described below:

  • Name – The integration name that is used to refer to this data source.
  • Import set table name – the name of the staging table where ServiceNow stores the imported LDAP records and attributes.
  • Type – Select LDAP; this indicates that the imported data is in LDAP format.
  • LDAP target – the LDAP OU definition that corresponds to this data source.

Step 8: Choose or create an LDAP transform map

The transform map is the vehicle for moving data from the import set table to the target table, which in this case is the User or Group table. The LDAP integration uses standard import sets and transform maps. We use scripting to add the company to the LDAP configuration: a script specifies the company for which the LDAP configuration has been completed. Scripts can also update reference fields such as Manager.
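To make the transform map idea concrete, here is an added Python example (not ServiceNow's transform map engine or script API). It maps constructed import-set rows onto a user table keyed on user_name, sets Company by script rather than from LDAP, resolves the Manager DN to a reference only after all rows are staged, skips rows without a coalesce key, and updates an existing user only when an attribute actually differs, which is also the comparison the scheduled refresh described under Features relies on. FIELD_MAP, COMPANY, IMPORT_SET and the helper names are assumptions.

```python
"""Transform-map logic for an LDAP user import: field mapping, coalescing on a
unique key, scripted reference fields (Company, Manager) and attribute
comparison so that unchanged users are left alone.

Added example, not ServiceNow's transform map engine: FIELD_MAP, COMPANY and
IMPORT_SET are constructed, and run_transform/apply_record are assumed names.
"""

# Constructed import set rows as a data source would stage them (AD-style
# attribute names are an assumption).
IMPORT_SET = [
    {"sAMAccountName": "alice", "mail": "alice@example.com", "givenName": "Alice",
     "sn": "Smith", "distinguishedName": "cn=alice,ou=users,dc=example,dc=com",
     "manager": "cn=bob,ou=users,dc=example,dc=com"},
    {"sAMAccountName": "bob", "mail": "bob@example.com", "givenName": "Bob",
     "sn": "Jones", "distinguishedName": "cn=bob,ou=users,dc=example,dc=com",
     "manager": ""},
    # Missing coalesce key: the ignore/skip flag keeps it out of the user table.
    {"sAMAccountName": "", "mail": "orphan@example.com", "distinguishedName": ""},
]

# Source attribute -> target field on the user table.
FIELD_MAP = {"sAMAccountName": "user_name", "mail": "email", "givenName": "first_name",
             "sn": "last_name", "distinguishedName": "dn"}
COALESCE_FIELD = "user_name"
COMPANY = "Example Corp"   # constructed; set by script rather than mapped from LDAP


def map_row(row):
    """Map one staged row to a user record. The manager DN is kept aside until
    every row has been staged, because the manager may appear in a later row."""
    rec = {target: row.get(source, "") for source, target in FIELD_MAP.items()}
    rec["company"] = COMPANY
    rec["_manager_dn"] = row.get("manager", "")
    return rec


def apply_record(sys_user, rec):
    """Coalesce on user_name and write only when some attribute differs."""
    existing = sys_user.get(rec[COALESCE_FIELD])
    if existing is None:
        sys_user[rec[COALESCE_FIELD]] = dict(rec)
        return "inserted"
    changed = {k: v for k, v in rec.items() if existing.get(k) != v}
    if not changed:
        return "unchanged"
    existing.update(changed)
    return "updated"


def run_transform(import_set, sys_user):
    """Transform an import set into sys_user (dict user_name -> record) and
    return how many rows were inserted, updated, unchanged or skipped."""
    counts = {"inserted": 0, "updated": 0, "unchanged": 0, "skipped": 0}
    staged = []
    for row in import_set:
        rec = map_row(row)
        if not rec[COALESCE_FIELD]:
            counts["skipped"] += 1
            continue
        staged.append(rec)
    # Index DNs from this import and from users already in the table, so a
    # manager reference resolves whether the manager is new or pre-existing.
    dn_index = {r["dn"]: r[COALESCE_FIELD] for r in staged}
    dn_index.update({r["dn"]: name for name, r in sys_user.items() if r.get("dn")})
    for rec in staged:
        rec["manager"] = dn_index.get(rec.pop("_manager_dn"), "")
        counts[apply_record(sys_user, rec)] += 1
    return counts


if __name__ == "__main__":
    table = {}
    print(run_transform(IMPORT_SET, table))   # first load inserts alice and bob
    print(table["alice"]["manager"], table["alice"]["company"])
    print(run_transform(IMPORT_SET, table))   # a refresh with no changes touches nothing
```

Running the same import set twice illustrates the refresh behaviour: the second pass reports every user as unchanged, and a pass where only one attribute differs updates just that user.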

Step 9: Make and run a scheduled import

A scheduled import is a feature of the import set that enables administrators to import LDAP data on a regular basis. There are two LDAP integration sample scheduled imports by default:

  • Example LDAP User Import
  • Example LDAP Group Import

Activate the above imports when required.

Step 10: Check the LDAP mapping

After you have created an LDAP transform map, run the scheduled import to confirm that it works as it should.

  • Using the filter navigator, navigate to System LDAP > Scheduled Loads.
  • Select the LDAP import job that needs to be validated.
  • Click the Execute Now button.

Follow the above steps to establish LDAP integration successfully.

Now let's discuss the important features of it.

Features of LDAP integration:

The following are the features of LDAP integration:

  • LDAP refresh on a regular basis: A scheduled scan of your LDAP server is typically performed once per night. It queries the attributes of all applicable user records and compares them to the accounts on our servers. If there is a difference, we update our user record to reflect the new attribute. The load placed on the LDAP server during the refresh is determined by the number of records queried and the number of attributes compared. We recommend that you schedule the refresh during off-peak hours. A large refresh operation can interfere with other scheduled operations, such as running reports, and should be planned to avoid conflicts.
  • Listener for LDAP: The LDAP listener is our version of a persistent query (or persistent search). We send a standing query to your LDAP server to check for changes and constantly listen for a response. If your server supports persistent searches, any change made to any applicable LDAP account is returned to the LDAP listener and sent to your instance within about 10 seconds. This is very useful because it gives us a near-real-time copy of your users' account information without waiting for the next scheduled refresh.
  • LDAP login on demand: After an LDAP integration is established, the instance can allow new users to log in even if they do not yet have an account on the instance. When a new user attempts to log in, the integration first checks whether the user already has an account in the instance. If it cannot find one, it queries the LDAP server for the entered username. If a matching LDAP account is found, the integration attempts to authenticate using the password entered by the user. If the password is correct, the instance creates an account for the user and populates it with all relevant LDAP information.
  • LDAP data population: An LDAP server integration allows you to quickly and easily populate the instance's database with user records from the existing LDAP database. You can create, ignore, or skip incoming LDAP records to avoid data inconsistencies. You can also limit the data the integration imports by specifying LDAP attributes, importing only the data you want to expose to an instance; the LDAP attributes you specify are typically included in the integration transform map. If no LDAP attributes are specified, the integration imports all available object attributes from the LDAP server. Because the instance stores imported LDAP data in temporary import set tables, the more attributes you import, the longer the import takes.
  • LDAP authorization: Users gain access with LDAP authentication and their LDAP credentials. When a user enters network credentials on the login page, the instance sends them to an LDAP server, which validates them. When RDNs are used, the instance validates the user's DN string; it does so only if at least one LDAP OU configuration with table=sys_user contains an RDN. The LDAP server replies with an authorized or unauthorized message, which the system uses to decide whether access should be granted. By authenticating against your LDAP server, users access the platform with the same credentials they use for other internal resources on your network domain, and you can reuse your existing passwords and security policies.
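The authentication flow described in the "What is LDAP integration?" section and in the login-on-demand and authorization features above, as an added Python example that is not ServiceNow code. A service account binds read-only and resolves the username to a DN under the starting search directory; the user's own DN and password are then used for a single rebind, and the password is forwarded once and never stored. FakeLdapServer, LdapIntegration and DIRECTORY are constructed assumptions. The one check added beyond the text is refusing an empty password before the rebind: as Step 4 notes, a bind without a password is an anonymous login, so a server that permits anonymous access would accept an empty-password bind for any DN.

```python
"""Search-then-bind authentication as performed by an LDAP integration.

This is an added example, not ServiceNow code: FakeLdapServer, LdapIntegration
and the constructed DIRECTORY are assumptions made to illustrate the flow.
"""

# Constructed sample directory: DN -> (bind password, attributes).
# The fake server needs the passwords to answer bind requests; the
# integration side only ever forwards a password, it never stores one.
DIRECTORY = {
    "cn=svc-snow,ou=service,dc=example,dc=com": (
        "svc-secret", {"objectClass": "person"}),
    "cn=alice,ou=users,dc=example,dc=com": (
        "alice-pw", {"objectClass": "person", "uid": "alice",
                     "mail": "alice@example.com"}),
    "cn=bob,ou=users,dc=example,dc=com": (
        "bob-pw", {"objectClass": "person", "uid": "bob",
                   "mail": "bob@example.com"}),
}


class FakeLdapServer:
    """Stand-in for a directory: simple bind plus a scoped equality search."""

    def __init__(self, entries, allow_anonymous=True):
        self.entries = entries
        self.allow_anonymous = allow_anonymous

    def simple_bind(self, dn, password):
        # As on real servers, an empty password is an anonymous bind: it
        # succeeds whenever anonymous access is allowed, whatever the DN says.
        if password == "":
            return self.allow_anonymous
        entry = self.entries.get(dn)
        return entry is not None and entry[0] == password

    def search(self, base_dn, attribute, value):
        """Return the DNs below base_dn whose attribute equals value."""
        suffix = "," + base_dn.lower()
        return [dn for dn, (_, attrs) in self.entries.items()
                if dn.lower().endswith(suffix) and attrs.get(attribute) == value]

    def read(self, dn):
        """Return a copy of an entry's attributes (never its password)."""
        return dict(self.entries[dn][1])


class LdapIntegration:
    """Read-only integration: the service account finds the user's DN and the
    user's own bind proves the password. Nothing is ever written to LDAP."""

    def __init__(self, server, login_dn, login_password, search_base):
        self.server = server
        self.login_dn = login_dn
        self.login_password = login_password
        self.search_base = search_base

    def lookup_dn(self, username):
        """Bind as the service account and resolve username to exactly one DN."""
        if not self.server.simple_bind(self.login_dn, self.login_password):
            raise RuntimeError("service account bind failed")
        matches = self.server.search(self.search_base, "uid", username)
        return matches[0] if len(matches) == 1 else None

    def authenticate(self, username, password):
        """Return the user's DN when the password is correct, otherwise None.
        The password is used for a single rebind and is not retained."""
        # Refuse before contacting the server: an empty password would turn
        # the rebind into an anonymous bind, which the server would accept.
        if not password:
            return None
        dn = self.lookup_dn(username)
        if dn is None:
            return None
        return dn if self.server.simple_bind(dn, password) else None


def login_on_demand(integration, local_users, username, password):
    """LDAP login on demand: authenticate, and create the local account from
    the directory attributes if the user has not logged in before."""
    dn = integration.authenticate(username, password)
    if dn is None:
        return None
    if username not in local_users:
        attrs = integration.server.read(dn)
        local_users[username] = {"user_name": username,
                                 "email": attrs.get("mail", ""), "dn": dn}
    return local_users[username]


if __name__ == "__main__":
    snow = LdapIntegration(FakeLdapServer(DIRECTORY),
                           "cn=svc-snow,ou=service,dc=example,dc=com",
                           "svc-secret", "ou=users,dc=example,dc=com")
    accounts = {}
    print(login_on_demand(snow, accounts, "alice", "alice-pw"))  # account created on first login
    print(login_on_demand(snow, accounts, "alice", ""))          # empty password refused
```

Note that the service account's search is scoped to the starting search directory, so an entry outside it (the service account itself, in the example) can never be resolved as a login, and that the fake server does not model the bind state of a connection; a real integration reads the user's attributes over the read-only service connection rather than the user's session.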


Conclusion

In the above blog post we discussed LDAP integration in depth. If you have any doubts or queries, please drop your comments and we will resolve them.


Manikanth
Research Analyst