Thank you for your feedback.
Form temporarily unavailable. Please try again or contact to submit your comments.
  • Madrid
  • London
  • Kingston
  • Jakarta
  • Istanbul
  • Helsinki
  • Geneva
  • Store

Define an LDAP server

Log in to subscribe to topics and get notified when content changes.

Define an LDAP server

Create a new LDAP server record in the instance.

Before you begin

Role required: admin


  1. Navigate to System LDAP > Create New Server.
  2. Fill in the form fields.
    Create a new LDAP server record

    In the Server URL field, the valid URLs of all servers appear separated by a space. Servers are first ordered by operational status, with servers that are Up listed first, then ordered by the Order value that you specify. The first server listed is the primary LDAP server. The others are redundant servers.

    Note: There is a slight delay between the change in the actual operational status and the display.

    Alternatively, you can add a redundant LDAP server by navigating to an existing LDAP server record and inserting a row in the LDAP Server URLs embedded list.

  3. Click Submit.
    Note: You can also modify an existing LDAP server record by navigating to System LDAP > LDAP Servers and making the needed changes.
  4. Make changes to the fields as necessary.
    Figure 1. LDAP server form
    LDAP server form
    Field Description
    Name Enter the name of the server.
    Active Select this check box if the server is active.
    LDAP Server URLs Enter the URLs of the primary and backup LDAP servers. Servers are first ordered by operational status, with servers that are Up listed first, then ordered by the Order value that you specify. The first server listed is the primary LDAP server. The others are redundant servers.
    Server URL Enter the URL of the server. Configure the form to add this field if necessary. It is a calculated read-only field that shows the list of LDAP servers that you can also see in the LDAP Server URLs field, separated by a space, and ordered by operational status and the order values of the URLs.
    Login distinguished name Enter the distinguished name (DN) of the user authenticating the LDAP connection.

    The Login distinguished name fields accepts several formats.

    To access a Microsoft Active Directory (AD) server, use one of the following:
    •, domain\user
    • cn=user,ou=users,dc=domain,dc=com>
    To access a different LDAP directory server, the username must be in the full distinguished name format:
    • cn=user,ou=users,dc=domain,dc=com
    Login password Enter the server's password.
    Starting search directory Enter the relative distinguished name (RDN) of the default search directory. All queries to this LDAP server will start from this RDN.
    MID Server Select the MID Server you want to use to connect to the LDAP server. Using a MID Server to establish an LDAP connection prevents you from having to expose the LDAP server to external network traffic. It also eliminates the need to establish a VPN tunnel between your LDAP server and ServiceNow data centers.
    • The MID Server user must have the user_admin role in order to be able to read LDAP server configuration records.
    • The following are not available with the MID Server:
      • LDAP authentication
      • SSL connection
    Connect timeout Specify the maximum number of seconds that the instance has to establish an LDAP connection. If no connection is made by this time, the connection is terminated.
    Read timeout Specify the number of seconds the integration has to read LDAP data. The integration stops reading LDAP data after the connection exceeds the read timeout. If you enable an SSL connection, you can also set a read timeout value with property. If you enter timeout values for both this field and the system property, the lowest timeout value takes precedence.

    Select this check box to require the LDAP server to make an SSL-encrypted connection. If you selected a MID Server, this field is not available.

    If you use an LDAPS integration and the default SSL port is 636, no further configuration is necessary; SSL is automatically enabled. If the LDAPS integration uses another SSL port, define the alternate SSL connection properties.


    Be sure a network administrator configures the local firewall to allow the application server to access the LDAP server. If the LDAP server is located within an internal network, the firewall forwards (or NATs) the application server's IP address through the firewall on the correct port.

    Listener Select this check box to enable the integration to periodically poll Microsoft Active Directory servers or LDAP servers that support persistent search request control. Additionally, if you selected a MID Server, the listener functionality is available for that MID Server. See Enable an LDAP listener and set system properties for more information.
    Listen interval (timeout value) Specify the listener timeout value in the number of minutes that the integration listens for LDAP data with every connection. The integration stops listening for LDAP data after the connection exceeds the listen interval.
    Paging Select this check box to have the LDAP server split up LDAP attribute data into multiple result sets rather than submit multiple queries.
    Note: If you provide an LDAP password, the integration performs a Simple Bind operation. If you do not provide an LDAP password, the LDAP server must allow anonymous login or the integration cannot bind to the LDAP server.


When an LDAP Server record is set to active, the system automatically tests every connection to validate it.

Validations include:

  • The LDAP server is accessible at the provided URL and port
  • The LDAP server URL is properly formatted
  • The login credentials are valid

Starting with the Fuji release, the system displays colored dots next to each server URL:

Table 1. LDAP server connection icons
Color Description
Green The server if active and operational.
Gray The server is neither active nor operational.
Red The server is active but not operational.
Figure 2. LDAP server connection status