Python Ldap Get Modified Users
Many systems that integrate with an LDAP service fetch the details of every user on every sync. When the directory is large, this is wasteful, because most entries have not changed since the previous run.
There are several ways to improve sync performance and avoid fetching users that are already synced.
To handle this, you need to get OpenLDAP's internal (operational) fields by adding a `+` sign at the end of the search query, like so:
$ ldapsearch -h localhost -w 'admin' -x -D "cn=admin,dc=example,dc=org" -b "DC=example,DC=org" +
And in Python code it would look like this:
r = l.search_ext("dc=example,dc=org", ldap.SCOPE_SUBTREE, "objectClass=*", ["+",], 0)
Then it returns internal fields which are important like
Or, if you want to get all internal fields and user attributes in one request, just add `'*' '+'` like this:
r = l.search_ext("dc=example,dc=org", ldap.SCOPE_SUBTREE, "objectClass=*", ["*", "+"], 0)
If you want to get only the users changed after a specific date, add a `modifyTimestamp` condition to the query, like this:
$ ldapsearch -h localhost -w 'admin' -x -D "cn=admin,dc=example,dc=org" -b "DC=example,DC=org" "modifyTimestamp>=20171012152507Z"
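The same changed-since query as an incremental sync in python-ldap, as an added example that is not from the original post. `fetch_changed` and its helpers are hypothetical names, `conn` is assumed to be an already bound python-ldap connection, and only the UTC `Z` timestamp form shown above is handled.

```python
from datetime import datetime, timezone

SCOPE_SUBTREE = 2  # same value as ldap.SCOPE_SUBTREE in python-ldap


def to_generalized_time(dt):
    """Format an aware datetime as UTC GeneralizedTime, e.g. 20171012152507Z."""
    return dt.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")


def parse_generalized_time(raw):
    """Parse a modifyTimestamp value as python-ldap returns it (bytes) or as str.

    GeneralizedTime allows an optional fraction (20171012152507.5Z); it is
    dropped here. Only the UTC "Z" form is accepted.
    """
    text = raw.decode("ascii") if isinstance(raw, bytes) else raw
    if not text.endswith("Z"):
        raise ValueError("expected a UTC timestamp ending in Z: %r" % text)
    whole = text[:-1].split(".")[0]
    return datetime.strptime(whole, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def fetch_changed(conn, base_dn, last_sync):
    """Return (entries, new_mark) for entries modified at or after last_sync.

    last_sync must be a timezone-aware datetime. LDAP filters offer >= but no
    strict >, so entries stamped exactly at last_sync come back again; apply
    the results as idempotent upserts and store new_mark for the next run.
    """
    flt = "(modifyTimestamp>=%s)" % to_generalized_time(last_sync)
    results = conn.search_s(base_dn, SCOPE_SUBTREE, flt, ["*", "modifyTimestamp"])
    entries, new_mark = [], last_sync
    for dn, attrs in results:
        if dn is None or "modifyTimestamp" not in attrs:
            continue  # search references have no DN; skip entries without a stamp
        stamp = parse_generalized_time(attrs["modifyTimestamp"][0])
        new_mark = max(new_mark, stamp)
        entries.append((dn, stamp, attrs))
    return entries, new_mark
```

`modifyTimestamp` only changes on entries that still exist, so this query does not report deleted users.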
To get more information about change history, enable the `accesslog` overlay in your LDAP server and query it:
ldapsearch -x -b cn=accesslog
- Active Directory `whenChanged` field: Microsoft MSDN doc
- OpenLDAP `modifyTimestamp` field: RFC4512
- OpenLDAP all default attributes: LDAP default schema attributes
- Active Directory all default attributes: Active Directory default schema attributes
- ldapsearch to return operational attributes
- Internal attributes: Internal attributes (Python org mail)
- Internal attributes (conversation node on Python org mail)
- Access log: OpenLDAP access logging
- How to check the login history of users on OpenLDAP: OpenLDAP login history of users
All contents are under the Attribution-ShareAlike 4.0 International (CC BY-SA 4.0) license.