
I'm writing an application that syncs users and groups from Active Directory. Specifically, I need to track their IDs, DNs and group membership and save them to a local database.

I'm afraid of the member attribute, as it can possibly have millions of values.

Production environments have been reported to exceed 4 million members, and Microsoft scalability testing reached 500 million members.

How to track changes of such gigantic multi-valued attributes?

I'm using LDAP with the UnboundID SDK.

  1. Is it possible to query the attribute value count?
  2. Is it possible to know if a multi-valued attribute has been updated without reading it?
  3. How to get iterative updates, similar to DirSync, but with the USNChanged approach?

Here is what I know

As mentioned in the Microsoft docs, there are three ways to do synchronization:

  • USNChanged -- the most compatible way.
  • DirSync -- requires near-admin rights, can sync only a whole domain (partition); syncing an arbitrary subtree is not possible. Returns only updated attributes; iterative updates for multi-valued attrs are possible.
  • Change Notifications -- async search request, scope can be BASE or ONE_LEVEL, can have up to 5 searches per connection. Each change sends the whole object.

I'm implementing USNChanged, because it's advised.


This is how to read an attribute with a lot of values.

  • LDAP membership can be accessed either by querying the user entry and thus using member, or querying the groups themselves, and thus using ismemberOf. This might help addressing the size issue. – Hamza Tahiri Nov 04 '20 at 13:39
  • @HamzaTahiri For a user object `memberOf` is a computed attribute, so it doesn't actually exist, and `usnChanged` is not updated for the user object when his membership changes. So it doesn't help( – Artsiom the Brave Nov 04 '20 at 17:32
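The question mentions reading an attribute with a lot of values but the code or link is not on the page. The following is an added example, not code from the asker or from the UnboundID project: it reads a large multi-valued attribute such as `member` with Active Directory's range retrieval (`attr;range=low-high` attribute options, Microsoft's documented mechanism for attributes whose value count exceeds the server's MaxValRange limit, 1500 by default) using the UnboundID LDAP SDK. The connection setup (host, port, bind credentials), the group DN and the helper names (`readAllValues`, `nextStart`) are assumptions for illustration. Because the `member` forward link lives on the group object, the group's own `uSNChanged` advances when membership changes, so a USNChanged-based sync can watch groups with a filter such as `(&(objectClass=group)(uSNChanged>=N))` and re-read only the members of groups that changed; the range loop below is what such a re-read looks like.

```java
import com.unboundid.ldap.sdk.Attribute;
import com.unboundid.ldap.sdk.LDAPConnection;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.ldap.sdk.ResultCode;
import com.unboundid.ldap.sdk.SearchRequest;
import com.unboundid.ldap.sdk.SearchResult;
import com.unboundid.ldap.sdk.SearchResultEntry;
import com.unboundid.ldap.sdk.SearchScope;

import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

/** Added example: AD range retrieval of a large multi-valued attribute with the UnboundID SDK. */
public final class RangeRetrieval {

    /**
     * Parse an attribute option such as "range=0-1499" and return the next start
     * index to request, or -1 when the option ends with "*" (server signalled the
     * final chunk). Pure function so it can be unit-tested without a directory.
     */
    static int nextStart(String option) {
        if (option == null || !option.toLowerCase().startsWith("range=")) {
            throw new IllegalArgumentException("not a range option: " + option);
        }
        String bounds = option.substring("range=".length());
        int dash = bounds.indexOf('-');
        if (dash < 0) {
            throw new IllegalArgumentException("malformed range option: " + option);
        }
        String high = bounds.substring(dash + 1);
        return "*".equals(high) ? -1 : Integer.parseInt(high) + 1;
    }

    /**
     * Read every value of {@code attr} on {@code dn}, one range chunk per search.
     * Each request asks for "attr;range=start-*"; AD answers with
     * "attr;range=start-high" (more to come) or "attr;range=start-*" (last chunk).
     */
    public static List<String> readAllValues(LDAPConnection conn, String dn, String attr)
            throws LDAPException {
        List<String> values = new ArrayList<>();
        int start = 0;
        while (start >= 0) {
            String requested = attr + ";range=" + start + "-*";
            SearchRequest req = new SearchRequest(dn, SearchScope.BASE, "(objectClass=*)", requested);
            SearchResult res = conn.search(req);
            if (res.getEntryCount() != 1) {
                throw new LDAPException(ResultCode.NO_RESULTS_RETURNED, "entry not found: " + dn);
            }
            SearchResultEntry entry = res.getSearchEntries().get(0);

            // Find the chunk the server returned: same base name, with a range option.
            Attribute chunk = null;
            for (Attribute a : entry.getAttributes()) {
                if (a.getBaseName().equalsIgnoreCase(attr) && !a.getOptions().isEmpty()) {
                    chunk = a;
                    break;
                }
            }
            if (chunk == null) {
                // Some servers return the plain attribute when everything fits in one
                // response; an absent attribute simply means no values.
                Attribute plain = entry.getAttribute(attr);
                if (plain != null) {
                    Collections.addAll(values, plain.getValues());
                }
                break;
            }
            Collections.addAll(values, chunk.getValues());
            start = nextStart(chunk.getOptions().iterator().next());
        }
        return values;
    }

    public static void main(String[] args) throws LDAPException {
        // Assumed connection parameters; replace with your own (use LDAPS in production).
        try (LDAPConnection conn = new LDAPConnection("dc01.example.com", 636,
                "CN=sync,OU=Service,DC=example,DC=com", "password")) {
            String groupDn = "CN=Everyone,OU=Groups,DC=example,DC=com"; // assumed DN
            List<String> members = readAllValues(conn, groupDn, "member");
            System.out.println(groupDn + " has " + members.size() + " members");
        }
    }
}
```

Two practical caveats: there is no LDAP way to ask AD for the value count of `member` without reading it, so the count only becomes known once the loop finishes; and because each chunk is a separate search, a membership change between chunks can shift values across range boundaries, so a sync should record the group's `uSNChanged` before the loop and re-read if it has moved afterwards.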

0 Answers