LDAP integration troubleshooting
Summary of LDAP integration troubleshooting
This guide assists ServiceNow customers in diagnosing and resolving common issues encountered during LDAP server integration. Proper LDAP integration is essential for user authentication and access management within your ServiceNow instance.
Preliminary Checks
- Ensure local administrator accounts exist to maintain instance access if LDAP becomes unavailable.
- Verify the LDAP service account is active, not expired, or locked out.
- Confirm username format by trying domain-qualified usernames (e.g., domain\username or username@domain).
- Check that the system_id field on the ldap_server_config record is correctly set and not unintentionally changed by update sets, as incorrect values disrupt LDAP connectivity.
Error Codes and Logs
LDAP integration logs include standard LDAP and Active Directory error codes, which help identify connection or authentication problems. LDAP error codes are two-digit, while AD codes are three-digit numbers. These codes are found in the wrapper log file and provide diagnostics for troubleshooting.
Multiple Domain Integration
- Support exists for integrating multiple domains within the same forest or non-trusted domains by creating separate LDAP server records for each domain.
- Each LDAP server record must connect to a domain controller specific to its domain, requiring network access to each controller.
- Integration with multiple AD forests using a single LDAP account is not supported.
- When integrating multiple domains, identify unique LDAP attributes for usernames and configure coalesce values to avoid duplicates. Common unique attributes include objectSid, email, or userPrincipalName.
Incoming Records Processing
Use LDAP transform maps to control how incoming LDAP records without matching reference values are handled during import, ensuring correct user data mapping and creation.
Common Authentication Errors
- Invalid distinguished name (DN)
- Invalid common name (CN)
- Connection failures
These errors typically indicate configuration or credential issues requiring verification of LDAP settings and user information.
Automatic and Manual LDAP Connection Testing
- ServiceNow automatically tests LDAP connections when the LDAP Server form is opened and via a scheduled job running every 15 minutes by default.
- If a connection test fails, a retry occurs after five minutes or half the scheduled job’s repeat interval, whichever comes first.
- Error messages display directly on the LDAP Server form to aid troubleshooting.
- Connection tests also support LDAP servers accessed through a MID server.
These automated tests help maintain reliable LDAP connectivity and provide early detection of integration issues.
If you are integrating your LDAP server and have questions, these items may help you troubleshoot the issue.
Preliminary checks
- If the LDAP is unavailable, users cannot log in to the instance. A good practice is to have local accounts for administrators so that if the LDAP is down, administrators can still access the instance.
- Check the service account to ensure that it is not expired or locked out.
- Check the format of the username. Instead of using just the username, try using the domain with the username, or username@domain.
- Verify that you have changed the system_id entry on the ldap_server_config record. If you modify the system_id unintentionally with an update set, system_id points to the wrong node for the target instance and does not work.
Error codes
The LDAP log file lists industry-standard error codes for both LDAP and Active Directory (AD). The LDAP log file is contained in the wrapper file. The LDAP error codes are two-digit numbers, while the Active Directory error codes are three-digit numbers. For a list of the most common error codes, see LDAP Error Codes.
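The following is an added example, not ServiceNow code: it pulls the two-digit LDAP result code and the three-digit AD data code out of bind-failure lines of the shape found in the wrapper log and turns them into a first-line hint, flagging the codes that mean the service account itself is expired, disabled or locked out. The log lines are constructed samples, and the code-to-meaning tables cover only the most common values.

```javascript
// Added example, not ServiceNow code. The "error code NN ... data XXX" shape is
// the usual AD bind-failure text; the sample lines below are constructed.
const LDAP_RESULT_CODES = {           // two-digit LDAP result codes
  '32': 'noSuchObject: check the search base / bind DN',
  '34': 'invalidDNSyntax: check the DN format',
  '49': 'invalidCredentials: see the AD data code for the cause',
  '81': 'server down or unreachable',
};
const AD_DATA_CODES = {               // three-digit AD sub-codes after "data"
  '525': 'user not found',
  '52e': 'wrong password',
  '530': 'logon not permitted at this time',
  '532': 'password expired',
  '533': 'account disabled',
  '701': 'account expired',
  '773': 'user must reset password',
  '775': 'account locked out',
};
// Codes meaning the bind identity itself is unusable: check the service
// account (expired, disabled, locked out) before anything else.
const SERVICE_ACCOUNT_CODES = new Set(['532', '533', '701', '773', '775']);

function classifyLdapError(line) {
  const ldap = /LDAP: error code (\d{2})\b/.exec(line);
  const ad = /\bdata ([0-9a-f]{3})\b/i.exec(line);
  const r = {
    ldapCode: ldap ? ldap[1] : null,
    adCode: ad ? ad[1].toLowerCase() : null,
    hint: 'no LDAP result code: likely a network, DNS or TLS problem',
    serviceAccountProblem: false,
  };
  if (r.ldapCode) r.hint = LDAP_RESULT_CODES[r.ldapCode] || 'unlisted LDAP result code';
  if (r.adCode) {                     // the AD sub-code is more specific than code 49
    r.hint = AD_DATA_CODES[r.adCode] || 'unlisted AD data code';
    r.serviceAccountProblem = SERVICE_ACCOUNT_CODES.has(r.adCode);
  }
  return r;
}

// Constructed sample lines in the shape the wrapper log shows for a failed bind.
const SAMPLE_LINES = [
  'AuthenticationException: [LDAP: error code 49 - AcceptSecurityContext error, data 775, v1db1]',
  'AuthenticationException: [LDAP: error code 49 - AcceptSecurityContext error, data 52e, v1db1]',
  'NameNotFoundException: [LDAP: error code 32 - problem 2001 (NO_OBJECT), data 0]',
  'CommunicationException: ldap.example.com:636 [Root exception is java.net.ConnectException]',
];

for (const r of SAMPLE_LINES.map(classifyLdapError)) console.log(r);
```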
Multiple domain integration
You can integrate multiple domains within the same forest or in completely non-trusted domains. It is recommended that you create a separate LDAP server record for each domain. Each LDAP server record must point to a domain controller for that given domain. This means you will have to allow connections to each of the domain controllers. Multiple AD forests through LDAP with one LDAP account is not supported.
When you expand to more than one domain, it is critical that you identify unique LDAP attributes for the application usernames and import coalesce values. A common unique coalesce attribute for Active Directory is objectSid. Unique usernames will vary based on your LDAP data design. Common unique attributes are email or userPrincipalName.
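As an added example (not ServiceNow code), the block below shows why the coalesce attribute must be unique across every imported domain: a pre-import check that reports attribute values shared by records from different domains, and a small simulation of a transform map coalescing on that attribute. The user records are constructed; the SIDs and domain names are placeholders.

```javascript
// Added example, not ServiceNow code. Records are constructed: two domains each
// contain a user with sAMAccountName "jsmith"; the third record is a re-import.
const IMPORTED = [
  { domain: 'corp.example', sAMAccountName: 'jsmith', objectSid: 'S-1-5-21-1111-2222-3333-1001',
    userPrincipalName: 'jsmith@corp.example', mail: 'john.smith@corp.example' },
  { domain: 'sub.example', sAMAccountName: 'jsmith', objectSid: 'S-1-5-21-4444-5555-6666-1001',
    userPrincipalName: 'jsmith@sub.example', mail: 'jane.smith@sub.example' },
  { domain: 'corp.example', sAMAccountName: 'jsmith', objectSid: 'S-1-5-21-1111-2222-3333-1001',
    userPrincipalName: 'jsmith@corp.example', mail: 'j.smith@corp.example' },
];

// Pre-import check: values of `attr` that occur in more than one domain.
// A safe coalesce attribute returns an empty list here.
function crossDomainCollisions(records, attr) {
  const domainsByValue = new Map();
  for (const r of records) {
    if (!domainsByValue.has(r[attr])) domainsByValue.set(r[attr], new Set());
    domainsByValue.get(r[attr]).add(r.domain);
  }
  return [...domainsByValue].filter(([, d]) => d.size > 1).map(([v]) => v);
}

// Simulates a transform map coalescing on `attr`: an incoming record whose
// value already exists updates that row, otherwise a new row is inserted.
function importUsers(records, attr) {
  const rows = new Map();
  const actions = [];
  for (const rec of records) {
    const k = rec[attr];
    if (!k) { actions.push('skip'); continue; }     // no coalesce value: do not guess
    if (rows.has(k)) { Object.assign(rows.get(k), rec); actions.push('update'); }
    else { rows.set(k, { ...rec }); actions.push('insert'); }
  }
  return { rows: [...rows.values()], actions };
}

console.log(crossDomainCollisions(IMPORTED, 'sAMAccountName')); // ['jsmith']
console.log(crossDomainCollisions(IMPORTED, 'objectSid'));      // []
// Coalescing on sAMAccountName silently merges two people into one record;
// objectSid keeps them apart and still updates the re-imported corp user.
console.log(importUsers(IMPORTED, 'sAMAccountName').rows.length); // 1
console.log(importUsers(IMPORTED, 'objectSid').rows.length);      // 2
```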
Incoming records
See LDAP transform maps to set how the integration processes incoming LDAP records that are missing matching values in reference fields.
Common authentication errors
- User Cannot Log In (Invalid DN)
- Invalid CN
- Invalid Connection
Automatic LDAP connection tests
You can manually test connections to LDAP servers or allow ServiceNow to test the connections automatically. Automatic tests run:
- Every time a user opens the LDAP Server form.
- Through the LDAP Connection Test scheduled job, which runs every 15 minutes by default.
You can change how often this scheduled job runs. If this scheduled job is not able to establish a connection, a new one-time scheduled job retries the connection test after either five minutes or half the Repeat Interval value of the scheduled job, whichever occurs first.