Summary
The configured LDAP server is "Connected Successfully" But still the user sync is not working. The LDAP administrator claim that the required permissions are given to the user.
The behaviour which is seen:
- On system LDAP --> LDAP server. The LDAP server shows "Connected Successfully".
- But the uses import fails.
Release
All releases.
Instructions
For the LDAP users to sync the configured user should have the read permission to the directory tree or the DN which is synched on the LDAP server.
The verification of the permission for the configured account can be verified using the below steps:
Check the LDAP configuration.
- System Ldap --> LDAP servers.
- Open the record for the LDAP server in question.
- From the related link click on "Browse".
- You will be redirected to "LDAP Browse", Expand the "LDAP Nodes"
If the user configured has permission to read the directory tree you will see the tree structure when you expand "LDAP Nodes".
If the user does not have permission it will be blank.
Sometime we might come into a situation where the LDAP admin says that the user has permission to read and suspects the issue to be with ServiceNow. In order to confirm the above and rule out ServiceNow from the equation, you could check the connecting and browsing the directory tree using a different LDAP browser.
Below you can find the steps to verify the same using the LDAP browser from Microsoft windows.
- From the LDAP server or any member server in the network click on Start --> Run.
- Type in ldp.exe and hit enter.
- This will open up the ldp application.
- Click on Connections --> Connect.
- Enter the ip address of the ldap server, Specify the port i.e for LDAP 389, LDAPS 636.
- Click on OK.
- Click on Connection --> Bind.
- On the Bind select Bind type as "Bind with credentials".
- Enter Username(The username configured on servicenow LDAP server configuration).
- Enter the password and Domain and click on OK.
- Verify if the connection is successful from the pane on the right hand side of the ldp application, You should see something like.
- Once the connection is successful and the user is authenticated, Click on View--> Tree.
- Select the Base DN, this is the DN where the user should be found.
- In my test, I will select the root which is DC=anshul, DC=com.
- Expand the DN from the left pane.
- If you see the same to be blank(No Children), then that means that the user does not have the permission to read the directory tree(the DN).
- If the connected user has permissions to read the DN you will see the entire tree like the one as seen below.
This is the best way to isolate the permission and authentication issues with the service account used for the LDAP configuration.
I hope this helps in troubleshooting some of the issues related to LDAP integration.
Happy troubleshooting. :)
