
I need to sync users and groups from an LDAP server. Currently only Active Directory is required.

I've looked at the whenChanged attribute as suggested here. But it will be tricky to detect delete operations, I guess.

Are there any protocols to do that, standard or AD specific?


Currently my "TODO" consists of: AD dirSync, AD Connect, RFC4533 (LDAP Sync Operation), RH syncRepl. Additional pointers are appreciated!



For Microsoft Active Directory use of the LDAP_SERVER_DIRSYNC_OID control is the correct method.

You can Google for examples of its use.

jwilleke
  • [I've read](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/end-of-support-for-dirsync-and-azure-ad-sync-is-rapidly/ba-p/245242) that `dirsync` is deprecated. Is it deprecated only for sync with Azure AD and fine for custom needs? – Artsiom the Brave Oct 21 '20 at 14:36
  • I'm facing problems with DIRSYNC_OID (code 53, unwilling to perform), could you help? – Artsiom the Brave Oct 28 '20 at 16:45
  • There are two permissions required depending on what you are trying to accomplish: Replicate Directory Changes, or Replicate Directory Changes All. – jwilleke Oct 29 '20 at 18:12
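As an added example (not code from the answer or from jwilleke), the following shows what the LDAP_SERVER_DIRSYNC_OID control actually carries on the wire and how a sync job would consume one page of results. The request and response control values share one BER layout, SEQUENCE { INTEGER, INTEGER, OCTET STRING }, where the octet string is the opaque cookie that has to be persisted between runs. Deleted objects are returned as tombstones with `isDeleted: TRUE`, which answers the question's concern about detecting deletions. Everything here is standard library only; the sample entries, cookies and the `classify_changes` helper are constructed for illustration rather than captured from a domain controller.

```python
"""Minimal BER encoder/decoder for the LDAP_SERVER_DIRSYNC_OID control value.

Request and response values share one ASN.1 layout:

    SEQUENCE {
        INTEGER       flags      -- "moreResults" in the response
        INTEGER       maxBytes   -- unused in the response
        OCTET STRING  cookie     -- opaque server state; persist it between runs
    }
"""

DIRSYNC_OID = "1.2.840.113556.1.4.841"

# Request flag bits as documented by Microsoft for this control.
LDAP_DIRSYNC_OBJECT_SECURITY = 0x00000001       # return only what the caller may read;
                                                # lets an account without
                                                # "Replicate Directory Changes" use DirSync
LDAP_DIRSYNC_ANCESTORS_FIRST_ORDER = 0x00000800
LDAP_DIRSYNC_PUBLIC_DATA_ONLY = 0x00002000
LDAP_DIRSYNC_INCREMENTAL_VALUES = 0x80000000    # report only changed multi-values


def _ber_length(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _ber_integer(value: int) -> bytes:
    """INTEGER in minimal two's complement (0x80000000 needs a leading 0x00)."""
    if value < 0:
        raise ValueError("DirSync values are non-negative")
    body = value.to_bytes(value.bit_length() // 8 + 1, "big", signed=True)
    return b"\x02" + _ber_length(len(body)) + body


def _ber_octet_string(data: bytes) -> bytes:
    return b"\x04" + _ber_length(len(data)) + data


def _ber_sequence(*elements: bytes) -> bytes:
    body = b"".join(elements)
    return b"\x30" + _ber_length(len(body)) + body


def build_dirsync_request(flags: int, max_bytes: int = 0, cookie: bytes = b"") -> bytes:
    """Control value for the first request (empty cookie) or a follow-up request."""
    return _ber_sequence(_ber_integer(flags), _ber_integer(max_bytes), _ber_octet_string(cookie))


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, contents, position just after the element)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                 # long form: next (length & 0x7f) bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_dirsync_response(value: bytes) -> dict:
    """Extract moreResults and the server cookie from a response control value."""
    tag, body, end = _read_tlv(value, 0)
    if tag != 0x30 or end != len(value):
        raise ValueError("DirSync control value is not a single SEQUENCE")
    tag, more, pos = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER moreResults")
    _tag, _unused, pos = _read_tlv(body, pos)
    tag, cookie, pos = _read_tlv(body, pos)
    if tag != 0x04 or pos != len(body):
        raise ValueError("expected OCTET STRING cookie")
    return {"more_results": int.from_bytes(more, "big", signed=True) != 0, "cookie": cookie}


def classify_changes(entries: list) -> dict:
    """Split one page of DirSync results into deletions and live changes, keyed by objectGUID.
    Deleted objects come back as tombstones carrying isDeleted=TRUE (hypothetical helper)."""
    deleted, changed = [], []
    for entry in entries:
        guid = entry["objectGUID"]
        if entry.get("isDeleted", b"FALSE") == b"TRUE":
            deleted.append(guid)
        else:
            changed.append(guid)
    return {"deleted": deleted, "changed": changed}


# Constructed sample: one page of results plus the matching response control value.
SAMPLE_ENTRIES = [
    {"objectGUID": b"\x01" * 16, "sAMAccountName": b"alice"},
    {"objectGUID": b"\x02" * 16, "isDeleted": b"TRUE"},   # tombstone of a removed user
]
SAMPLE_RESPONSE = build_dirsync_request(1, 0, b"constructed-cookie")  # same shape as a response

if __name__ == "__main__":
    print(build_dirsync_request(LDAP_DIRSYNC_OBJECT_SECURITY).hex())
    print(parse_dirsync_response(SAMPLE_RESPONSE))
    print(classify_changes(SAMPLE_ENTRIES))
```

The value returned by `build_dirsync_request` is attached to the search as a request control (with python-ldap, for example, `ldap.controls.LDAPControl(DIRSYNC_OID, True, value)`); the search base must be the root of a naming context, and on each response the cookie from `parse_dirsync_response` is stored and fed into the next request while `more_results` is true. Setting LDAP_DIRSYNC_OBJECT_SECURITY lets an account that lacks the Replicate Directory Changes right mentioned in the comments run DirSync, at the cost of seeing only objects it is already allowed to read.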