Artsiom the Brave
Reputation: 192
Active Directory: tracking large group membership changes
I'm writing application that sync users and groups from Active Directory. Specifically, I need to track their IDs, DNs and group membership, save them to local database.
I'm afraid of member attribute, as it can possibly have millions of values.
Production environments have been reported to exceed 4 million members, and Microsoft scalability testing reached 500 million members.
How to track changes of such gigantic mutli-valued attributes?
I'm using LDAP, UnboundID SDK.
- Is it possible to query attribute value count?
- Is it possible to know, if multi-valued attribute has been updated without reading it?
- How to get iterative updates, similar to
DirSync, but withUSNChangedapproach?
Here is what I know
As mentioned in microsoft docs, there are three ways to do synchronization:
USNChanged-- the most compatible way.DirSync-- required near admin authorities, can sync only whole domain (partition), syncing arbitrary subtree is not possible. Returns only updated attributes, iterative updates for multi-valued attrs are possible.Change Notifications-- async search request, scope can be BASE or ONE_LEVEL, can have up to 5 searches per connection. Each change sends the whole object.
I'm implementing USNChanged, cuz it's advised.
This is how to read attribute with a lot of values.
Upvotes: 0
Views: 396
Answers (0)
Related Questions
- Performance Issue - Adding / Removing users from large Active Directory groups in .net
- Retrieve All Members of Large AD Groups
- View modified entries in LDAPusing UnboundId api
- LDAP changing user password on Active Directory
- UnboundID LDAP SDK: Get all groups for a user
- Why users are no longer members of active directory group after few minutes?
- Slow AD group membership lookup
- Active Directory. Persistent Search or Entry Change Notification
- LDAP group membership (including Domain Users)
- ldap nested group membership filter