How do I retrieve a list of only those users and groups that have been added since a certain date from an LDAP directory?

Question

My application does an LDAP query once a day and fetches all the users and groups in a given container. Once it is fetched, my app goes iterates through the list of users of groups, adding only the new ones to my application's database (it adds only username).

If there are 50,000 users, my application server is busy for 45 minutes every day performing this operation.

Is there any way to specify that I need a "delta" in my LDAP query so that I retrieve only those users who got added/modified/deleted since my last LDAP query?

pjp · Answer 1 · 2009-08-17T08:36:56.193

2

I think there should be a modifyTimestamp on each entry. Take a peek with something like softerra ldap browser (http://download.softerra.com/files/ldapbrowser26.msi). If it exists you should be able to add a condition to your ldap query to look for entries that have been changed since you last ran the sync job.

edited Aug 17 '09 at 08:36

answered Aug 17 '09 at 07:28

pjp

17,039
6
33
58

Any better idea? Because as far as I know that `modifyTimestamp ` is not replicated. – Ender Jul 11 '17 at 07:10

score 2 · Answer 2 · answered Jan 09 '19 at 15:47

For users try:

directorySearcher.Filter = "(&(objectCategory=person)(objectClass=user)(whenChanged>=" + yourLastQueryDate.ToString("yyyyMMddHHmmss") + ".0Z))";

For groups try:

directorySearcher.Filter = "(&(objectCategory=group)(whenChanged>=" + yourLastQueryDate.ToString("yyyyMMddHHmmss") + ".0Z))";

And then:

SearchResultCollection adSearchResults = dSearcher.FindAll();

Note: be sure your last query date is in UTC/Zulu time OR use the ".nZ" suffix to adjust for your timezone.

score 1 · Answer 3 · answered Aug 17 '09 at 07:45

1

It depends on your directory. There should be an attribute such as a timestamp or sequence number that you can use to filter your LDAP query with. In Active Directory for instance, the value is 'uSNChanged'.

answered Aug 17 '09 at 07:45

Andrew Strong

4,303
2
24
26

score 1 · Answer 4 · answered Aug 17 '09 at 14:30

1

There are two main choices for tracking changes: polling and DirSync. These articles should give you some background and help you to choose what's best for you.

http://support.microsoft.com/kb/891995

http://msdn.microsoft.com/en-us/library/ms677974(VS.85).aspx

and here's some .NET stuff:

http://msdn.microsoft.com/en-us/library/system.directoryservices.directorysynchronization.aspx

answered Aug 17 '09 at 14:30

serialhobbyist

4,768
5
43
65

thanks guys , I shall try all of them . Between i use openLDAP and e-directory – Aug 18 '09 at 15:26
1

Ah, apologies: I was talking about AD rather than LDAP in general. – serialhobbyist Aug 18 '09 at 16:27

score 0 · Answer 5 · answered Jan 17 '12 at 23:32

You need to check the operational attributes for your Directory .

With OpenLDAP you can add + sign to get operational attributes and check from createTimestamp:

It is always in Zulu format i.e. YYYYMMDDHHMMSSZ. With other DS like fedora-ds You need to search for the operation attribute.

ldapsearch -x < other_options > createTimestamp

How do I retrieve a list of only those users and groups that have been added since a certain date from an LDAP directory?

5 Answers5