Reputation: 91
I need to find the delta of users from AD to synchronize with another AD. I can find the newly created and modified users with the whenCreated and whenChanged attributes. But if any users are deleted, how do I find them? I am using Spring Boot LdapTemplate to query the AD. Any help is appreciated. Thanks in advance.
Currently I am using this query to fetch the users.
```java
import static org.springframework.ldap.query.LdapQueryBuilder.query;

import java.util.List;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import org.springframework.ldap.core.AttributesMapper;
import org.springframework.ldap.query.LdapQuery;

// Intended filter: (&(objectClass=person)(|(whenCreated>=date)(whenChanged>=date)))
// Spring LDAP's builder refuses to mix and()/or() in one container, so the OR is nested.
// `date` is an AD generalized-time string such as "20240101000000.0Z".
LdapQuery query = query()
        .where("objectClass").is("person")
        .and(query().where("whenCreated").gte(date).or("whenChanged").gte(date));

List<UserModel> users = ldapTemplate.search(query, new AttributesMapper<UserModel>() {
    @Override
    public UserModel mapFromAttributes(Attributes attributes) throws NamingException {
        UserModel userModel = new UserModel();
        Attribute cn = attributes.get("cn");          // null-check the attribute before calling get()
        userModel.setCn(cn != null ? cn.get().toString() : null);
        return userModel;
    }
});
```
Upvotes: 0
Views: 112
Reputation: 355
If you're using Active Directory, you can match against the userAccountControl attribute to query users with disabled accounts.
```
(&(objectCategory=person)
  (objectClass=user)
  (userAccountControl:1.2.840.113556.1.4.803:=2))
```
LdapWiki briefly mentions this query here and provides some background on how it works:
For information on why this works see how to use Filtering for Bit Fields and the Extensible Match Rule 1.2.840.113556.1.4.803.
The AD docs use the same LDIF query to demonstrate how to retrieve All disabled user objects. It briefly explains how the magic-looking numbers are involved with bit filtering.
The string 1.2.840.113556.1.4.803 specifies LDAP_MATCHING_RULE_BIT_AND. This specifies a bitwise AND of a flag attribute (an integer), like userAccountControl, groupType, or systemFlags, and a bit mask (like 2, 32, or 65536). The clause is True if the bitwise AND of the attribute value and the bit mask is non-zero, indicating the bit is set.
The value 2 is significant in this context because it is a magic bit that indicates an account is disabled. It is defined in Active Directory Technical Specification 2.2.16 - userAccountControl Bits:
D (ADS_UF_ACCOUNT_DISABLE, 0x00000002): Specifies that the account is not enabled for authentication.
Upvotes: 0
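The bit-AND filter from the answer, expressed with the same Spring LDAP query builder the question uses, so the "disabled since date" part of the delta can be pulled alongside the created/changed queries. This is an added example, not code from either poster; it assumes a hypothetical UserModel with setCn/setDisabled and that the extensible-match attribute name passes through the builder unencoded (Spring LDAP only encodes the value side of an EqualsFilter).

```java
import static org.springframework.ldap.query.LdapQueryBuilder.query;

import java.util.List;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import org.springframework.ldap.core.AttributesMapper;
import org.springframework.ldap.core.LdapTemplate;
import org.springframework.ldap.query.LdapQuery;

public class DisabledUserSync {
    // OID of LDAP_MATCHING_RULE_BIT_AND and the bit it is tested against (both from the answer above).
    static final String BIT_AND_RULE = "1.2.840.113556.1.4.803";
    static final int ADS_UF_ACCOUNT_DISABLE = 0x00000002;

    private final LdapTemplate ldapTemplate;

    DisabledUserSync(LdapTemplate ldapTemplate) { this.ldapTemplate = ldapTemplate; }

    /**
     * Users whose disable bit is set and whose entry changed on or after `since`
     * (AD generalized time, e.g. "20240101000000.0Z"). Filter sent to AD:
     * (&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2)(whenChanged>=since))
     */
    List<UserModel> findDisabledSince(String since) {
        LdapQuery query = query()
                .where("objectCategory").is("person")
                .and("objectClass").is("user")
                .and("userAccountControl:" + BIT_AND_RULE + ":").is(String.valueOf(ADS_UF_ACCOUNT_DISABLE))
                .and("whenChanged").gte(since);
        return ldapTemplate.search(query, new AttributesMapper<UserModel>() {
            @Override
            public UserModel mapFromAttributes(Attributes attrs) throws NamingException {
                UserModel user = new UserModel();   // hypothetical model with setCn/setDisabled
                user.setCn(stringValue(attrs.get("cn")));
                // Repeat the bitwise AND client-side as a sanity check on what the server matched.
                user.setDisabled(isDisabled(Integer.parseInt(stringValue(attrs.get("userAccountControl")))));
                return user;
            }
        });
    }

    /** Mirrors the server-side rule: true when (value AND mask) is non-zero, e.g. 514 -> true, 512 -> false. */
    static boolean isDisabled(int userAccountControl) {
        return (userAccountControl & ADS_UF_ACCOUNT_DISABLE) != 0;
    }

    private static String stringValue(Attribute attr) throws NamingException {
        return attr == null ? null : attr.get().toString();
    }
}
```

Accounts that were actually deleted from AD never match any of these filters; only entries still present (disabled or otherwise) come back, so a deletion delta needs a different mechanism than attribute filters.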