How LDAP Imports Link Users with Groups (Group Membership) - Support and Troubleshooting

How LDAP Imports Link Users with Groups (Group Membership) Summary This is done by the OOB onAfter() script of Transform Map LDAP Group Import ( /nav_to.do?uri=sys_transform_script.do?sys_id=0dc646160a0a0b26007beb877ee7cdf9) . The onAfter() script runs even if the record was ignored during the transform (due to no changes). This onAfter() script will update Group Membership[sys_user_grmember], adding or deleting records as appropriate. More Details The Script Include that the onAfter script calls relies on the value of the member[u_member] field of the imported LDAP Group Imports[ldap_group_import] record. member[u_member] should have a '^' separated list of all users who are members of that group, for example: CN=John Smith,OU=IT,DC=ad,DC=ACME,DC=com^CN=Jane Doe,OU=IT,DC=ad,DC=ACME,DC=com The mechanism that the onAfter() script uses is in the code in the GlideLDAPGroups class (in the Java code). Basically this code splits the value of the member field in the staging table ( ldap_group_import ) record on the '^' character. Each of the sub-strings is the DN of a user who should be added to the group. To add the user to the group, the code queries the sys_user table with the filter 'source=ldap: '. Any pre-existing sys_user_grmember records for users who are no longer seen in that member[u_member] field are removed Related Links LDAP Scheduled Data Import Not Updating Group Membership[sys_user_grmember] On some versions the example LDAP Group Import Scheduled Data Import has the Run as field blank, meaning the import runs as the system user. In London PRB1168978/KB0689665 was fixed, which involved a lot of changes around which users are allowed to give group memberships (and therefore roles, which are tied in to group membership) to others. It looks like this resulted in the system user no longer being able to create or delete Group Membership[sys_user_grmember] records when doing so would grant certain roles to a user. The recommendation is to create an admin Role user specifically for LDAP imports (with a random unknown password) and set that in the Run as field on the LDAP Group Import Scheduled Data Import. Users' group membership is not updated via LDAP import You can refer to KB0727831 for more information.