LDAP Integration 16434916
Hi, this is Matt with Fruition Partners. We're going to get our webinar started here in just a few minutes. We've got over 80 people registered and so far about 15 have joined us. I certainly don't expect all 80 to show up, but I do want to wait maybe two or three more minutes to give some other people a chance to join. So we'll be getting started in, let's say, about three minutes, and that should be about 12:35 or 12:36 Eastern time. If you have any trouble hearing me, go ahead and, at any point during the presentation, post a question and we'll make sure that we're getting that addressed.

Okay, so we'll get ready in just about a minute here, but I brought up my screen and I just want to make sure that everyone is seeing that screen okay. If there's any problem with that, go ahead and send a message our way and let us know. But we might as well get started at this point. As I mentioned earlier, my name is Matt Hawk. I'm a technical consultant with Fruition Partners. It's a pleasure to be doing this webinar with all of you today. I've done a couple of webinars in the past and some of them have been posted; eventually we have these webinars archived so that we can go back to them in the future in case you missed anything here. Now let's see, we got one message from somebody who's not able to see my screen. Would anyone else be able to post a question to confirm you can see it, or otherwise? Okay, great. All right, it looks like we've got people looking at our screen, so we're ready to get started.

So just to let you know about Fruition Partners: for those of you who have been on our webinars, you've heard this a couple of times, so bear with me for just a few minutes. The history of Fruition Partners is that we are an IT service management consulting and education company. We have clients across the country, and we have a few international clients as well. We were founded in 2003. We have clients in a range of industries; one that's not on the list is that we have a couple of clients in the social media space. We've really been experiencing some terrific growth. We have 40 consultants at this point, and that growth is due in no small part to the strong partnership that we have with ServiceNow, providing implementation services for many of their clients. All of our professionals are certified ITIL professionals. We have people with Foundations-level certification, like myself, but we also have consultants who are involved in the higher-level service management consulting space. We have consultants that go all the way up to Service Manager, and I think actually we have someone here who's an ITIL Master as well, and he's involved in some of our training. The last bullet point is that we try as a company to really allow the practical field experience that we have with our clients to provide feedback over to our education side and make the ITIL training experience more meaningful, and vice versa, of course: we expect that theoretical education to really inform our engagements with our ServiceNow and other clients.

From a service offering standpoint, we offer services in three different categories. We have the education services that I mentioned; that's really geared towards both ServiceNow education and ITIL education. We offer ServiceNow administration training and a catalog workshop, and then on the ITIL side we offer classes including bridging v2 to v3. Then something else new that we've started doing, which loosely falls under education, is a health check service, where we really try to help you assess your overall service management processes. It can also be geared towards more of a technical assessment of your ServiceNow instances, where we can point out where the instance that you're using may be substantially deviating from some of the best practices that we've seen. Within administration, we have a service that's called virtual administration, and this is really a way for your staff of ServiceNow administrators to be augmented by ServiceNow administrators at Fruition Partners. You can buy a block of hours on a monthly basis, where our administrators, some of whom are involved in some of our most advanced implementations, are basically at your disposal for either troubleshooting problems or building out new functionality, however you'd like to use them. Then in customization, we do a lot of work in terms of building out entirely new modules and new functionality for our customers. We've built customizations that are on top of the core applications like Incident, Change, and CMDB, but we've also built custom applications from the ground up, totally outside of those applications, just using the ServiceNow platform as a really terrific place to start developing a custom solution. One of the offerings that we have within customization, which isn't mentioned right on this slide, is that we're now beginning to offer something called a solution offering. These are modules of ServiceNow-customized software where we have seen several of our clients needing the same solution. We've developed that solution, we've provided it to clients in the past, and now we're starting to see clients come back to us time and again with the same needs, so we're able to take some of those solution offerings and package them, and rather than going through a more typical consulting engagement, we can turn around delivery of these solutions on a much quicker basis. Two that we have right now that come to mind are our time tracking solution and an LDAP enhancement. The time tracking solution, to be clear, is really to enhance ServiceNow so that your entire IT staff, both developers and operations folks, can log all of their hours, all 40 of their weekly hours, in ServiceNow through a very easy-to-use interface. And then we also have an LDAP enhancement, which enhances some of the on-demand functionality within LDAP for customers who have extra-large LDAP servers. We have one customer who has over two million accounts within their LDAP server, which I like to point out to them is one percent of the adult US population. They had a need to basically pull over users from their LDAP server in an on-demand fashion, which, as you can imagine when you're trying to identify a caller on an incident, brings up some interesting challenges. So that's another solution offering: if your organization has the same kind of challenge, we can be available to help deploy a solution for that particular problem.

The next slide is quite a lot to digest. It's just some quotes that we've received from our customers. My favorite is the one right in the middle, the shortest, and it kind of summarizes everything else: "excellent customer references." We're very proud of our ability to take our existing customer base and receive recommendations from them for new services. So what it all adds up to is an approach where we're trying to become the ITSM one-stop shop, and that ties together the three areas, education, consulting, and ServiceNow-geared development and customization, so that we can provide both the business-focused process consulting and also the very technical, high level of expertise that's required in successfully deploying ServiceNow, and really extending its usage and expanding how you use it within your organization over time. So that's a summary of Fruition Partners, and like I said, for those of you who have been in these webinars before, thank you for your patience in listening to that piece about Fruition Partners.

So today we're going to be talking about LDAP. Certainly LDAP can be a basic piece of ServiceNow, but we've been involved in projects where suddenly LDAP becomes a source of a challenge, and so we've seen a range from very straightforward LDAP implementations to the kind of implementation I just mentioned, where there's an issue with just the sheer quantity of users, and security concerns about who's being mirrored within ServiceNow, when, and so on. So in the webinar agenda today, what I thought I'd go through is an overview of LDAP itself and some basics of configuring it within ServiceNow. Then I'll talk a little bit about two problem areas that I think some of our clients wind up needing to come up with a solution for. The first is basically how do you handle account deactivations: people who leave your organization, and how do you have those deactivations reflected within ServiceNow. The last one is managing accounts across multiple instances. A lot of customers who use LDAP, especially customers who have been live for a while, will run into issues if they continue to use LDAP in all of their instances, including dev, QA or test, as well as production. So I want to point out some issues to be on the lookout for if you do have multiple instances, and how LDAP should ideally fit into a multi-instance scenario.

As far as an overview of LDAP, I thought it would be helpful to reiterate some of the key points that come from the ServiceNow wiki and what they say about LDAP integration. It's important to note that LDAP really serves two different purposes. They're certainly related, but they really are separate. One purpose is that LDAP is used to manage ServiceNow user and group records within ServiceNow. Basically, any user that wants to be able to use ServiceNow needs to have a record in the ServiceNow user table, so LDAP integration can manage the creation, the updating, and the deactivating, although not the deleting, of those user records. Additionally, LDAP can manage records within the group table. So really the end goal of all of this integration is that you need to have user records in the user table. In the case of that large client I mentioned earlier, they still had that requirement; they still eventually needed to get to the point where users were listed in the user table, they just wanted to bring them over on an as-needed basis. So there's really no way of getting around needing to have that user record or that group record.

The second purpose that LDAP serves is to authenticate your sessions. So when somebody logs in, LDAP can validate the username and password they supply. In this way, ServiceNow user records don't need to contain passwords. A high-level point to make about this, because I saw it mentioned on the wiki and I thought I would repeat it, is that ServiceNow's integration with LDAP is on a read-only basis. ServiceNow does not need any permissions to write or alter any of your records; you merely need to give it an account to log into your LDAP server that's capable of reading records. That account is used both for the management and population of your user and group records in ServiceNow, and that account is also used when it comes time to actually authenticate somebody's login.

Just in terms of terminology, what I've seen come up in talking to our clients, and this is just casual terminology, but it might help to think about it: at the bottom, in italics, I mention that a user record in ServiceNow that contains both a username and password is what a lot of people will call a local account. I guess that's a concept that probably spans a lot of different applications besides ServiceNow, but the difference there is that a more typical user record is going to contain just the username and rely on something like LDAP for authentication. We usually just refer to those as accounts generally, and it's kind of assumed that those are using an external authentication source. Most typically the local accounts are administrators, the actual two or three administrators that you have for ServiceNow. Most people don't bother putting those in their LDAP server, so they just configure those as ServiceNow local accounts.

Okay, so configuration basics. I thought maybe I would look at record management first; that's the first piece: how do we go about getting user records into ServiceNow? There's a very basic setup that a lot of people use by default, and that's just using standard ServiceNow integration modules. It's kind of neat that when you look at the LDAP integration application within ServiceNow, all of the different pieces of it that you're looking at really are just pieces that are built out of standard ServiceNow integration tools, like import set tables, transform maps, data sources, and scheduled jobs. So it's very similar, although certainly it has its differences, to just synchronizing records from a database or some other batch job that you might have running on ServiceNow. In addition to those basic integration modules, there are two additional features that are provided in ServiceNow: one is the LDAP listener and the other is LDAP on-demand login. The purpose of the LDAP listener is to allow changes in your LDAP server to be "pushed" to the ServiceNow instance. So if, for example, you have a user whose last name changes at noon, and they'd like that name to be reflected in their instance as quickly as possible, then the LDAP listener is a mechanism by which the update to that user record within LDAP can be pushed immediately to ServiceNow, rather than waiting for a scheduled job such as what's listed at the top of the slide, rather than waiting for maybe midnight that night for that change to get pulled over. The second feature is LDAP on-demand login, which is kind of similar to the listener but a little bit different. The purpose of this is to allow new users that have not yet been synced from... I'm sorry, somebody just passed me a question that was raised; give me one second to make sure we don't have any technical issues here. Okay, it looks like these are just some suggested questions for later. Sorry about that. So LDAP on-demand login: this is for people who are new in the LDAP server and haven't been brought over at midnight that night. This provides a way for them to actually log in, and what ServiceNow does is, as soon as the person tries to log in, it looks for that user in the user table. If it doesn't find it, it then goes to LDAP next and tries to pull over the user record on an as-needed basis at that point in time. So that's ServiceNow functionality that they provide with LDAP integration.

So if we take a look at the actual setup of these records: I'm using our own internal sandbox here at Fruition Partners, and what I thought I'd do is just show you how easily you can create a login. What I've got is a locally running LDAP server that I thought I would use just real quickly for demonstration purposes. I'm going to delete the server and recreate it so I can show you the steps that are involved. Basically, when you're ready to integrate with your LDAP server, on the left-hand side of ServiceNow, if you type in LDAP it'll pull up all of the modules that you'll need to use in the integration. You can click "create new server," and in this case I'm using OpenLDAP; I don't have an Active Directory server running, so I'm going to choose "other." Of course, the one thing I didn't manage to write down is what my IP is, so I'm going to go to a what's-my-IP-address site and paste that in the hostname. Once you supply the address of the LDAP server, you need to supply a username and password. Now, let me see at what point in the slides I talk about security, because I know that security is probably a big concern that's coming up; we'll come back to that under security. To log into this server, I set up an account for myself on the LDAP server. I'm going to provide that username; the password I believe is "ServiceNow"; and for the starting search directory I'm going to start at the top. This is just a dummy LDAP server, but at the top of it we have the base-level directory. So let's see if I save that. There was a right-click save that I just did, in case the screen refreshed and you didn't catch it. Then you can do a couple of things with just the server record to make sure that the server record itself is working the way that you want: you can either test the connection or...

And, you know what, I apologize. I didn't realize when I had set this up in my cubicle a minute ago... I really apologize for this. Give me two or three minutes here and I'll get this set up again and going for us. I'm just trying to get this little virtual machine appliance running again. I had the LDAP server running here just a minute ago. It should have occurred to me when I moved to a different office, so you all could hear me, that I screwed up the IP addresses, so I apologize for that. Okay, so let me see if I can pull up this administration center again. For those of you who are curious, I'm just running this virtual appliance, which has OpenLDAP installed as well as phpLDAPadmin. All right, so let's see if I can test this connection again. Let me try one more thing, and then if I can't get this going after a minute, I will move on without demonstrating the creation of these records. I apologize, hold on one second. Okay, thankfully I've got it working. I guess the what's-my-IP-address site reported the wrong IP address at first; I have no idea why it would do that. So I've got my IP address, and I guess this is kind of a setup that might mirror something you would have to do in your production environment, which is that on our own firewall, on our LAN, I needed to set up some port forwarding to forward to the internal address that we have here. When we get into security, we'll talk about the different forms of architecture that you can set up for your LDAP server, but in this case I'm just forwarding port 389, which is the basic LDAP port, so that ServiceNow can talk to that LDAP server that I have running.

So, as I mentioned earlier, within an LDAP server record you can do testing of the connection and you can do browsing as well. Browsing is a really important feature: if you click that browse link, it's a really important way to make sure that you're seeing within your server the objects that you expect to see. So we see right now I've got a user called "default user" in the users OU, and then within something I set up called "users inactive" we have somebody else called Bob Smith. Just real quick, I'm going to create somebody new over here; I want to do this anyway, because when I run the import I want to be sure to pick up somebody besides just the default user. So if I create a user account... actually that's going to be the last name. So we've got S. Johnson; I'm going to make that her password as well. So let's make sure... yep, so there's Sally. Now that she's in the LDAP server, I should be able to go back to the server record here, click browse, and see her listed there as well as default user. Yep, there she is.

Okay, so that's the first layer. You first need the server record, which I just created and tested. Then within the server record, down at the bottom, you have OU definitions, and these are the next layer down, which help you identify key OUs within your LDAP hierarchy. In this case I'm going to just set up one of them, so I'm going to get rid of groups and focus just on setting up this users OU. Now, you can name the OU anything you want, but it should be descriptive of what it is I'm trying to pull in. In this case I'm going to be pulling in users, and within my particular instance what I'm actually going to be looking within is ou=users. If we look at my hierarchy, we know that the server record I set up gets me this far, which is the base directory; now I need to dive within and go to ou=users, so I'll do that. Usually you don't change the query field; CN is a unique identifier for the user record. I think this is all that I need to do to this record. OU records work the same way as the server record: I can browse them, and when I do that browsing we see that now it's dumping me directly within that users piece of the tree, so I don't have to first go into users and then user groups.

So now basically I have a server record, I have the OU record attached to it, and now what I'm ready to do is attach a data source record to it. By default ServiceNow will already have a data source record attached to it, and the data source is really what bridges the gap between those standard integration modules I mentioned earlier, like load and transform, scheduled jobs, and import sets, and the LDAP records that I just configured. In this case it's already given me a default data source record, and I don't need to change anything on this record, although if I wanted to, I could do a test load of 20 records. What this will do is create an import set table if it doesn't already exist, and it'll just do a straight dump of the records from LDAP into that table. So if I take a look at the data that it loaded, we can see I'm now looking at our import set table, which of course, if I go to the import and transform module, I can also get to through the left-hand side: underneath System Import Sets we see this table listed right here. So it's loaded some of the sample data; some of that data was already in there because I did a load earlier. Let me go back to the data source record and then I'll show you the transform map. LDAP data sources... I'll come to it through the server record instead. Okay, wait. I don't know if our ISP just changed our IP address today or what, but that was strange; usually our IP address does not change. Okay, so we have user records here, the user data source. Let me go into that real quick; I just did a test load of twenty records.

Now the transform map, that's of course what's going to actually take values from that import set table and put them into the user table. I'll just do this real quick because I know we've got to get on to these other topics and my technical difficulties slowed me down there. We've already got some good field maps that are established here. It looks to me like this is probably all we need to use. You may have to adjust the field maps; in my case I had to change... I think by default it sets it up with sAMAccountName as the unique identifier, and of course that's Active Directory. In this case I wanted to use UID. Other than that, you can do the field mappings that are appropriate for your instance. So now that I have that transform map in place, what I can do is actually go into the data source, into the transform, and now I'll just go ahead and run the transform, and that's successful. So now if we go to our users table, and like I said this is our Fruition sandbox, so a lot of our employees are listed in here, I know that we should have Bob Smith in here, and that was brought over from LDAP; I think it was brought over just now, but I'll double-check this when I start talking about LDAP deactivations.

So let's go back real quick to the presentation. I showed you how to set up the server record and the OU records, and once you have those in place you're ready to set up a standard import set and transform map. I showed you the data source; the data source record is what points to the server and OU records. I didn't show you the scheduled job, but of course you can schedule your LDAP loads to occur on a recurring basis. Within the LDAP integration module you can come down here to scheduled loads and create a new load. For example, this load here I could either run now, or I could set up a schedule over on the right here for how often I want that load to run. So that's what's actually going to create your records within ServiceNow, and most people run that once a night.

Now from an authentication standpoint, remember I said earlier that LDAP is doing record management and authentication. For authentication, usually you don't have to do anything, but the important point to make here is that if you're looking into a single sign-on scenario, then maybe single sign-on will take the place of ServiceNow authenticating directly with LDAP; however, it cannot take the place of still needing LDAP to furnish those user records. Sometimes when we start getting into single sign-on types of configurations with our clients, it can start to get confusing what single sign-on is doing, and it's important to make the point that single sign-on is really taking care of the authentication piece of this integration, but that you still need LDAP to somehow provide those actual user records within ServiceNow.

The last thing on configuration is from a security standpoint. I've just reproduced the answer that they provide in the wiki. From a security standpoint, certainly LDAP can be configured in a secure fashion. There are several options for LDAP integration generally, and some of them are secure. One option is to expose LDAP through a firewall using standard LDAP; that's basically what I've done for the demonstration that we're looking at right now. But of course most of our clients are going to be using the second or third option, which is to expose LDAP through the firewall but use it with a secure certificate, so that you can use LDAPS. Then we also have some customers that prefer to establish a secure VPN tunnel between ServiceNow's data center and your own data center, and then LDAP communication takes place over that tunnel. I believe this is sold as an add-on, so it's not necessarily included with every single ServiceNow implementation.

Okay, so one of the issues that I've run into with a lot of clients is that we need to give some attention to how we want to handle account deactivations. The important point here, the first thing you need to realize, is that this is not necessarily a crisis situation if you don't address it right away. As long as LDAP does not authenticate a user, so as long as somebody has been deactivated in LDAP and LDAP is going to reject the authentication of that user, they're not going to be able to log into ServiceNow. However, what this addresses is that you still probably want your user records in ServiceNow to be updated and marked inactive so that they're removed from lists throughout ServiceNow. What I'm talking about is, if you're on an incident, for example, and you want to assign a caller to that incident, when you actually go into that list of users, over time you're going to want to start pulling people who have left the company off of that list. So you are going to want some kind of LDAP integration to address the deactivation of your users, and that's something that fairly often is overlooked.

An important point to make here, in the second paragraph there, is to never delete user accounts in ServiceNow. I mean, it's not "never, never, ever," but it's something where you usually want to leave your user accounts in there so that the references on all of your incidents and change tickets and so on still point to informative records about who the user is. I don't know if you've ever seen, in ServiceNow, when you delete a record and there are other records that reference it, what you get is these funny-looking sys_ids that don't really mean anything, and it makes it look like ServiceNow is completely broken, and really all it is is that you've removed that underlying referenced record.

Different organizations I've seen do deactivations in LDAP in different ways. Some of them will use an attribute on the LDAP record itself, and others will do some combination of that along with moving users to a separate OU. In my little demo instance I had an example of users that become inactive, and I'm moving this guy Bob Smith to a different OU called "users inactive." So if you want to pick those up, what you could do is create... we've already got the data source; well, actually, I think we would need a new data source record. Let me go to the server record here. What you need to do to pick up your deactivations in this situation: I've already got an OU defined for users; I need to create a second OU, because now I'm identifying a second branch in the tree that I want to look within. Actually, it would be easier in this situation to just open up the one that's already there; they give you one by default. If you recall, I had to tweak it a little bit to use my distinguished name. So what I'm going to do is actually rename this one, and remember from my phpLDAPadmin it said it was "users inactive," and then I'll do an "insert and stay." Insert and stay basically created a new OU definition record. Let me browse this just to make sure that now I'm looking in... yep, there we go. So Bob, if you might recall, is my inactive user. So now when I look at the server I've got users and I've got users inactive.

Now that alone isn't really going to do anything in terms of synchronization, so what I would need to do is create a data source record that goes along with it. We're going to do LDAP, and I'm going to identify a target: this is going to be this users inactive OU that I created. Let me see if I can just get rid of these others right now, because it keeps confusing me every time I open this. There we go, so we've got just the two OUs that I've created with you during this webinar, users and users inactive. So now that I've created the data source, I can go into the data source and attach the transform map to it. Now here's what's cool: I don't have anything in the user record that identifies it as being inactive. The only way that I know from this LDAP server that this user is deactivated is by nature of them being in that OU. So in this case, when I set up the import and transform... hold on one second, let me go back to the data source. I want to actually load some records here. I apologize, I'm trying to keep up with some naming conventions here and they're not coming to me off the top of my head. So I think what we probably want is to go back to this data source, users inactive, and make it named kind of like the other one, so let me save that. The only other thing I'm wondering is why I'm not able to test load these records. Maybe... there we go. So it looks like when you're creating a new OU, rather than using the OU that they give you by default within a server record, when you're using a new one and then attaching a data source to it, you do need to go ahead and give your import set table a name, and then when you save that data source it will pull up "load all records." So I'm going to go ahead and load these; we should see just Bob Smith in there. Let's go to the loaded data. Yep, there's Bob Smith. Now again, we know that because he's in this OU he's going to be deactivated.

So now I'm ready to go back to my data source. Here it is, it's easier to find now, it's up at the top. Actually, I'm going to do one more thing: I am so confused about these IP addresses, I'm going to just get rid of those other ones. Okay, so I'm going to go back into users, and now that I've got my import set table ready, it's going to identify that as the default source table, and then I'm going to point this to the user table. So here's how we're going to set this map up. I'm going to save that, and then I'm just going to do two fields. I'm going to set up one field which is going to map the UID to the user's... what is it, user name... user ID, there we go, and I'm going to coalesce on this field, of course, because it's the unique identifier for user records. Then the only other thing I need to do: anyone who's found in this OU, anyone who's found during this load and transform, is all going to have the same value for the target field, active. In this case, to give it a fixed value, what I'm going to do is just say answer = false. So using that little script I'm able to give a constant value to anybody who gets transformed through this transform. If I run this transform, it says transform is complete. Let me go to the users table again and see if I can confirm that Bob Smith... here, it looks like he was pulled off the list, so that's a good sign. I think there's a filter on this one that's showing me only active users, so I'm going to type in sys_user.list over on the left-hand side, come in to Bob Smith here, and we can see that his active checkmark is unchecked. So the whole takeaway from here is that you'll need to set up a separate data source and load and transform if you're going to capture those additional users.

All right, so I have one last thing. There's no demonstration component of it; I think I can describe it through these slides, and then I'll try to quickly review a question and see if we can get to that. I wanted to call something out as far as managing accounts in multiple instances. A lot of people will have a dev, a test, and a production instance, and the important takeaway is that if you have LDAP running in all of your instances, you're eventually going to run into some inconsistencies that may break new functionality that you're trying to deploy from one instance to another using update sets. For a lot of clients this is kind of like a sleeper issue, because a lot of clients don't run into it right off the bat, and the reason why is that, if we look at this scenario that I've got on the screen right now, this scenario actually works, and I put there "it works, luckily," so you're kind of in luck. Just to step through this real quickly: you start over here on the left with developing in dev, and you activate LDAP in your dev environment because you're trying to get everything working. Maybe then, after you get LDAP working, you continue to do some development in dev, and now you create a workflow in that environment, and part of that workflow is that it sends an approval to
Bob Smith ok so like this is an example of where you're you create a workflow specifically sending an approval to somebody that you pull up from the user list can you say send this approval to Bob Smith there's other places where this might happen like you might be configuring an outbound email notification and you might be notifying somebody specific maybe somebody who's over your infrastructure you know issue team or something like that so it's the same kind of idea you're creating new functionality where you're singling out individuals as part of the configuration and then the last step here is the third line is that you clone from dev to production so in this situation the user record for Bob basically is recreated it's cloned and it's totally identical in the production instance so in that situation you're you're in luck because the workflow that's dependent on that user record and is in fact identifying that user record using an internal sis ID it's going to continue to work because that underlying sis ID hasn't changed when you cloned to prod but here's where you run into trouble the scenario where things are going to break let's say you're already live in prod and you're using LDAP in dev and prod and and then what happens is Sally Johnson is hired in she's put in LDAP and her user record is now going to be created separately in dev and prod and they're going to have different sis IDs so you've got LDAP turned on in both instances and and now she's getting created in both instances using these different sis IDs you go in dev to create a workflow and that workflow is going to point to Sally Johnson using the dev sis ID and then you deploy the workflow to your Protestants and now it's totally broken because the sis ID has changed sally was created directly in the prod instance through the LDAP integration so there was there was no aligning or matching of the actual user records so let me go back one slide because at the top there's a recommendation that I 
want to make sure you get and the recommendation and actually ServiceNow reiterates this in the in the wiki is that that you should not once you go live you should not have LDAP activated in both your production and your development and test instances so basically when you go live you basically use the users that you have in the dev instance as the basis for your development and then and and then that that's so that you can rely on that clone functionality so that you know from that point forward any user records that you do have and Dev they're going to have the same assist ideas production so then the question becomes well what happens if we do hire Sally and we do need to put her on a workflow and in that case what you do need to do even though it's kind of it's kind of a long process you can of course you can clone production back to two dev that's one option and in fact that's one of the reasons why it's recommended that you clone your production instances very frequently to test less frequently to death one of the reasons is so that they actually pick up all these users but the what you have to do is if that's not an option then what you need to do is you need to actually export that user from the production instance using XML export and then you can route and then you can import that user into the dev instance using XML import and then that way they'll have identical sucide so I thought I'd and I I do apologize for the limited amount of time that we have so one question that I have that supposed to say I don't know how complicated this is I'm not I have not had a chance to read it yet it says we have over a dozen different LDAP domains we need to authenticate users with I need to be able to extract from each to a table with a command and what's provided is basically an LDAP query we only saw a very simple LDAP query and in our little run-through I cannot load directly into our user file these domains have much irrelevant information and some of the extracted 
LDAP users are going to be replacements for user records already in service now so every day I want each domain to append to a staging table with newly created user records which we will review and process but cannot put straight into ServiceNow well there's a lot in this question and I and I don't know if I could address the entire question end to end but what I will point out though is that within within LDAP integration you know once you setup your LDAP server and the oh you definitions within it like I mentioned earlier the datasource record is what bridges the gap between these servers and oh youth being configured and then the more traditional data source import set table target table and transform map that you're given to work with on the other end so what you could do is you could create a let's say you wanted to create a data source here that we're going to call this users you know users review and so let me you know I'll just give it some stupid name for the import set table and for the LDAP target let's just for now for purposes of demonstration I'm just I'm going to use this inactive thing again but let's say instead of actually processing the deactivation directly and this is kind of similar to the question let's say you wanted to put it into your own table well when you actually go now that we can go into review when I go to create my transform map it identifies the staging table here this import set table and that's standard but you don't necessarily have to target the user's table it's a standard transform app you could target any table and in in all of ServiceNow including if you wanted you could target the you know a table that you create called users to review and then that table is where you could do some customization to provide a way to review the records and then provide some UI actions that allow you to to copy those records into the user table once they have been reviewed so the key point here is because it's using the the standard 
integration modules and ServiceNow you have a lot of flexibility to point the transform to any table besides user besides the user table and then of course within the transform map then you setup the mappings of individual fields from the staging table which basically is a mirror of your LDAP data source from the staging table to that target so I hope that that addresses the one question that was sent to us ahead of time I am very sorry I don't have time to get to any other questions I don't see any of them posted in my little question popup window anyway I hope this was helpful and informative I will end with my contact information again up on the screen feel free to send me any questions that you have about this presentation or if you have you know a fairly quick LDAP question I'm I would be more than happy to feel those questions as well and look again for our eldest look for our webinar series to continue next month I'm not sure exactly what the topic is going to be but I certain communication and you can also check the webinars agenda on fruition partners calm thank you very much everybody and I look forward to future webinars you
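As an added example (not part of the webinar, and not ServiceNow's own tooling), the JavaScript below models the dev/prod sys_id mismatch the presenter describes: it flags workflow user references that would not resolve in prod, and shows how the XML export/import realignment fixes them. The user records, sys_ids and reference list are constructed.

```javascript
// Constructed sys_user exports from two instances. Bob was cloned dev -> prod
// (same sys_id); Sally was created by LDAP in each instance separately.
const devUsers = [
  { sys_id: "a1b2c3d4e5f60718293a4b5c6d7e8f90", user_name: "bsmith",   name: "Bob Smith" },
  { sys_id: "11111111111111111111111111111111", user_name: "sjohnson", name: "Sally Johnson" },
];
const prodUsers = [
  { sys_id: "a1b2c3d4e5f60718293a4b5c6d7e8f90", user_name: "bsmith",   name: "Bob Smith" },
  { sys_id: "22222222222222222222222222222222", user_name: "sjohnson", name: "Sally Johnson" },
];

// Constructed: the user sys_ids stored in a dev workflow's approval activities.
const devWorkflowUserRefs = [
  "a1b2c3d4e5f60718293a4b5c6d7e8f90",
  "11111111111111111111111111111111",
];

// Pre-deployment check: one entry per referenced sys_id that prod cannot
// resolve. prodSysIdForSameUser is the record the reference should point at
// once dev is realigned (null when prod has no user with that user_name).
function findBrokenUserReferences(devUsers, prodUsers, refs) {
  const devById = new Map(devUsers.map(u => [u.sys_id, u]));
  const prodById = new Map(prodUsers.map(u => [u.sys_id, u]));
  const prodByUserName = new Map(prodUsers.map(u => [u.user_name, u]));
  const broken = [];
  for (const sysId of refs) {
    if (prodById.has(sysId)) continue;             // clone-aligned: will work
    const dev = devById.get(sysId);
    const userName = dev ? dev.user_name : null;
    const prodMatch = userName ? prodByUserName.get(userName) : undefined;
    broken.push({
      sys_id: sysId,
      user_name: userName,
      prodSysIdForSameUser: prodMatch ? prodMatch.sys_id : null,
    });
  }
  return broken;
}

// Model of the fix: XML-export the user from prod and XML-import it into dev,
// which replaces dev's separately created copy with a record carrying prod's
// sys_id. Workflows built afterwards reference the shared sys_id.
function importProdUserIntoDev(devUsers, prodUsers, userName) {
  const prodRec = prodUsers.find(u => u.user_name === userName);
  if (!prodRec) throw new Error("no prod record for " + userName);
  return devUsers.filter(u => u.user_name !== userName).concat([{ ...prodRec }]);
}
```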
https://www.youtube.com/watch?v=lCZDrjeXwzg