Saturday, Nov 11, 2017

Python Ldap Get Modified Users

In many systems when you want to implement an integration with LDAP services, normally you get all users details in every sync action which sometimes this amount of size is large and it’s not good action to sync all users on every sync action.

To handle this situation we could implement several ways to increase sync performance and avoid duplicate or get already synced user again.

To handle this issue, you need to get openldap internal fields by adding a + sign at the end of search query like so:

$ ldapsearch -h localhost -w 'admin' -x -D "cn=admin,dc=example,dc=org" -b "DC=example,DC=org" +

And in python code it would like this:

r = l.search_ext("dc=example,dc=org", ldap.SCOPE_SUBTREE, "objectClass=*", ["+",], 0)

Then it returns internal fields which are important like modifyTimestamp.

Or if you want to get all internal fields and user attributes in one request, just add '*' '+' like this:

r = l.search_ext("dc=example,dc=org", ldap.SCOPE_SUBTREE, "objectClass=*", ["*", "+"], 0)

If you want to get last changed user after a specific date, try to add modifyTimestamp on query like this:

$ ldapsearch -h localhost -w 'admin' -x -D "cn=admin,dc=example,dc=org" -b "DC=example,DC=org" "modifyTimestamp>=20171012152507Z

To get more info about history, try to enable overlay accesslog in your ldap and use it:

ldapsearch -x -b cn=accesslog


All rights reserved by Morteza NourelahiAlamdari (mortymacs) ©
All contents are under the Attribution-ShareAlike 4.0 International (CC BY-SA 4.0) license.
Top banner picture by Unsplash.