John Livermore

Reputation: 31333

LDAP query for changes

I am on a project where we are creating a generic LDAP interface to integrate with an LDAP compliant directory (Active Directory, etc). Our design REQUIRES us to replicate the users/groups (not passwords) from the LDAP directory into a separate database (I won't go into the reasons for this here).

On some interval our plan is to query the directory through LDAP, pull all the user/group information, and sync that with what we have. The first hit would require we get everything, but subsequent requests could be much more efficient if there is a way to query for everything that has changed since the last time we checked.

Does LDAP support this type of "just give me what has changed" type of mechanism? And, if yes, what would the LDAP query look like?

Upvotes: 1

Views: 6399

Answers (1)

Gabriel Luci

Reputation: 40998

You'd use something like this:

(&(objectClass=User)(objectCategory=person)(whenChanged>=20160406000000.0Z))

Notice that the format of the date starts with YYYYMMDD.

The whenChanged attribute won't be the same on all domain controllers since whenChanged itself does not replicate, but it gets updated on each DC as whatever change was made replicates. See here for an explanation of that.

Also note that the act of a user logging in will update the whenChanged date.

Upvotes: 5
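An added example (not part of the answer above) of how a sync job would render its "last checked" timestamp into the GeneralizedTime form the answer's whenChanged filter expects, parse the whenChanged values that come back, and pick the watermark for the next run; the function names are this example's own.

```python
from datetime import datetime, timezone

# Added example, not code from the answer: whenChanged is compared as an
# LDAP GeneralizedTime string, so the cutoff must be rendered as
# YYYYMMDDHHMMSS.0Z in UTC (the "Z" means UTC; a local-time value would
# silently shift the window by the UTC offset).

def to_generalized_time(when: datetime) -> str:
    """Render a datetime as GeneralizedTime, e.g. 2016-04-06 00:00 UTC
    -> '20160406000000.0Z'. Naive datetimes are assumed to be UTC."""
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    return when.astimezone(timezone.utc).strftime("%Y%m%d%H%M%S") + ".0Z"

def parse_generalized_time(value: str) -> datetime:
    """Parse a whenChanged value such as '20160406153012.0Z' into an aware
    UTC datetime. Any fractional-seconds part is ignored."""
    base = value.rstrip("Z").split(".")[0]
    return datetime.strptime(base, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def changes_filter(since: datetime) -> str:
    """The answer's filter with the cutoff substituted in."""
    return ("(&(objectClass=User)(objectCategory=person)"
            f"(whenChanged>={to_generalized_time(since)}))")

def newest_when_changed(values: list[str]) -> str:
    """Given the whenChanged values returned by one sync run, return the
    newest one (normalised) to use as the cutoff for the next run.
    Because whenChanged is set per DC, query the same DC each time or
    expect some entries to be returned again; the sync must be idempotent."""
    newest = max(parse_generalized_time(v) for v in values)
    return to_generalized_time(newest)

if __name__ == "__main__":
    # Constructed sample values, not real directory data.
    cutoff = parse_generalized_time("20160406000000.0Z")
    print(changes_filter(cutoff))
    seen = ["20160406153012.0Z", "20160407091500.0Z", "20160406235959.0Z"]
    print("next cutoff:", newest_when_changed(seen))
```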
