How to configure LDAP integration for ServiceNow

Summary

Configure LDAP integration to use your existing LDAP server as the main source of user data for a ServiceNow instance. This article provides step-by-step instructions for connecting to an LDAP server, configuring OU definitions, and setting up scheduled data imports.

Important: Test this integration in a non-production instance before deploying to production.

For complete LDAP documentation, see Integration options.
Release

Beginning with the Orlando release

Instructions

Step 1: Define LDAP server connection method

Choose a method to expose your LDAP server to ServiceNow:

Option 1: MID Server (most common)

This is the easiest method to configure and requires minimal effort from Active Directory administrators.

Requirements:
- A configured MID Server

Limitations:
- Cannot use this method for user authentication (login)
- Cannot use SSL connections

Note: To enable user authentication, configure SSO separately. Use LDAP integration to import users and groups, and SSO for authentication.
Option 2: VPN connection

This method requires a VPN request through Now Support.

Considerations:
- Relies on the ServiceNow VPN infrastructure
- Requires ongoing maintenance
- ServiceNow builds two VPN tunnels to your network for high availability

Note: Site-to-site VPN connections are only used for traffic initiated by ServiceNow. Traffic destined for ServiceNow uses HTTPS over the internet.

Details from Now Support: ServiceNow provides secure communications with customer networks over the public Internet using IPsec VPN technology. A clustered pair of Cisco ASA devices is used as the termination point for encrypted IPsec tunnels. Please note, a site-to-site VPN connection between ServiceNow and your network is only used for traffic that is initiated by ServiceNow. Traffic destined for ServiceNow will always be HTTPS, and will always use the internet as a transport. As your ServiceNow instance is deployed into two ServiceNow datacenters for our Advanced High Availability, we will be building two VPN tunnels to your network.

Option 3: External IP address

Expose an external IP address for your LDAP server to ServiceNow.

Requirements:
- Configure your firewall to allow the ServiceNow application server to access the LDAP server
- If the LDAP server is on an internal network, configure NAT or port forwarding through the firewall

Option 4: LDAPS with PKI certificate (most secure)

Use LDAPS (LDAP over SSL) with a PKI certificate. This method provides the highest security but requires LDAPS configuration on your LDAP server.

Step 2: Create LDAP server record

1. Go to All > System LDAP > Create New Server.
2. Complete the form fields. For field descriptions, see Define an LDAP server.
3. In the Attributes field, specify which LDAP attributes to import.

Important: Specify LDAP attributes to avoid exceeding the import set row size limit. Without specified attributes, the import set creates a field for every LDAP attribute.
Common attributes: description,employeeNumber,managedby,department,division,description,dn,employeeID,givenname,mail,manager,member,memberof,mobile,objectguid,physicaldeliveryofficename,samaccountname,sn,source,telephonenumber,thumbnailPhoto,title,useraccountcontrol,userPrincipalName

4. Select Submit.
5. Set the record to Active. The system tests the connection automatically.
   - Green indicator: Connection successful
   - Red indicator: Connection failed (review server settings)

For secure LDAPS configuration, see Configure Microsoft Active Directory for secure LDAPS communication.

Step 3: Browse LDAP structure

Before configuring OU definitions, browse your LDAP directory to identify where user and group data is stored. Each LDAP directory structure is different.

1. Open the LDAP server record you created.
2. In the Related Links section, select Browse.
3. Navigate the LDAP directory to locate user and group containers.
4. Note the RDN (Relative Distinguished Name) paths for users and groups.

Step 4: Configure LDAP OU definitions

Configure OU (Organizational Unit) definitions to specify where ServiceNow retrieves user and group data. The LDAP OU Definitions related list is located at the bottom of the LDAP server record. After configuring each OU definition, select Browse to verify it points to the correct location.

Note: If user or group data exists in multiple directories that are not in a parent/child relationship, create additional OU definitions for each location.

Figure: LDAP OU Definition (User)
Figure: LDAP OU Definition (Groups)

Step 5: Configure data sources

Each LDAP OU definition has an associated data source that controls where imported data is stored.

1. Open the data source record for an OU definition.
2. Review the import set table where data will be loaded.
3. Select Load All Records to import data into the import set.
4. Repeat for each OU definition.

Step 6: Review import sets

Import sets are staging tables where LDAP data is stored before being transformed into ServiceNow records.
Default import set tables:
- Users: ldap_import
- Groups: ldap_group_import

Verify data is not truncated:
1. Open the import set table.
2. Review the imported data for each column.
3. If data appears truncated, increase the column size in the import set table definition.

Step 7: Configure transform maps

Transform maps convert data from import sets into ServiceNow user and group records.

Important: Test transform map configurations in a non-production instance before deploying to production.

Configure the user transform map

The LDAP User Import transform map is the primary map to configure. Common configurations:
- Coalesce field: Set a coalesce field in the field map to prevent duplicate user records. Common coalesce fields include samaccountname or objectguid.
- Additional field mappings: Add mappings for any additional LDAP attributes you want to import.
- User photos: To import user photos, see Import User Photo from LDAP.

Run the transform
1. Open the transform map record.
2. In the Related Links section, select Transform.
3. After the transform completes, review the log for errors.

Step 8: Schedule data imports

After verifying that data imports correctly, schedule regular imports to keep ServiceNow synchronized with your LDAP directory.

1. Go to System LDAP > Scheduled Loads.
2. Select an existing scheduled load or create a new one.
3. Set the Active field to true.
4. Configure the run schedule. Daily imports during off-peak hours are common.
5. Save the record.
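As an added illustration (not ServiceNow code or its transform-map API), the following plain JavaScript models what the Attributes allowlist in Step 2 and the coalesce field in Step 7 accomplish: it keeps only allowlisted attributes, coalesces on objectguid so a re-import updates instead of duplicating, and maps the Active Directory userAccountControl ACCOUNTDISABLE bit to an inactive user. The sys_user-style field names, the `transform` function and the sample rows are assumptions constructed for this example.

```javascript
// Allowlisted LDAP attributes, following the article's Attributes field recommendation.
const IMPORT_ATTRIBUTES = new Set(["samaccountname", "objectguid", "givenname", "sn",
  "mail", "department", "manager", "useraccountcontrol", "userprincipalname"]);

// Active Directory userAccountControl bit for a disabled account (ACCOUNTDISABLE).
const UF_ACCOUNTDISABLE = 0x0002;

// Keep only allowlisted attributes (what specifying Attributes achieves on the server record).
function filterAttributes(row) {
  const out = {};
  for (const [k, v] of Object.entries(row)) {
    const key = k.toLowerCase();
    if (IMPORT_ATTRIBUTES.has(key)) out[key] = v;
  }
  return out;
}

// Map one import-set row onto sys_user-style fields (assumed names). A disabled AD
// account becomes an inactive user instead of being imported as a live login.
function mapUser(row) {
  const uac = row.useraccountcontrol === undefined ? undefined : Number(row.useraccountcontrol);
  const mapped = { user_name: row.samaccountname, first_name: row.givenname, last_name: row.sn,
    email: row.mail, active: uac === undefined ? undefined : (uac & UF_ACCOUNTDISABLE) === 0 };
  // Attributes absent from this row are left untouched on an existing record.
  return Object.fromEntries(Object.entries(mapped).filter(([, v]) => v !== undefined));
}

// Transform a batch, coalescing on objectguid so a re-import updates rather than duplicates.
// `existing` models the target user table keyed by objectguid (assumed shape, not a real API).
function transform(rows, existing = new Map()) {
  const users = new Map(existing);
  const stats = { inserted: 0, updated: 0, skipped: 0 };
  for (const raw of rows) {
    const row = filterAttributes(raw);
    if (!row.objectguid) { stats.skipped++; continue; } // no coalesce key: never guess
    stats[users.has(row.objectguid) ? "updated" : "inserted"]++;
    users.set(row.objectguid, { ...users.get(row.objectguid), ...mapUser(row) });
  }
  return { users, ...stats };
}

// Constructed sample ldap_import rows (not real directory data). 512 = normal account,
// 514 = normal account with ACCOUNTDISABLE set; thumbnailphoto is not allowlisted.
const SAMPLE_ROWS = [
  { objectguid: "g1", samaccountname: "jdoe", givenname: "Jane", sn: "Doe", mail: "jdoe@example.test",
    useraccountcontrol: "512", thumbnailphoto: "<blob>" },
  { objectguid: "g2", samaccountname: "bsmith", givenname: "Bob", sn: "Smith", useraccountcontrol: "514" },
  { objectguid: "g1", samaccountname: "jdoe", givenname: "Jane", sn: "Doe-Lee", useraccountcontrol: "512" },
  { samaccountname: "nokey", givenname: "No", sn: "Key", useraccountcontrol: "512" },
];
```

Running `transform(SAMPLE_ROWS)` yields two users, one update and one skipped row; the second import of jdoe updates the surname without duplicating the record, and bsmith lands inactive.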
Figure: Scheduled Data Import

Related Links
- Define an LDAP server
- Configure Microsoft Active Directory for secure LDAPS communication
- Import User Photo from LDAP
- LDAP integration troubleshooting
- LDAP integration via MID Server
- Multi-Provider SSO properties, tables, and scripts
- Import sets
- Transform Maps