
I have three questions related to LDAP and Java.

  1. Is there any way to find newly created users on Windows Active Directory using Java? Currently I get all the users from Active Directory, loop through them, and use the whenCreated attribute to identify the new users.

  2. Similarly, is there any way to find the user attributes that were recently modified in Active Directory (like a first name or email change) using Java? Currently I identify them using the whenChanged attribute.

  3. Is there any way to identify whether the user is locked/unlocked or active/deactivated?

  • By "windows ldap server", do you mean Active Directory? Commented Aug 2, 2011 at 12:15
  • @skaffman: I can't imagine him meaning anything else. Commented Aug 2, 2011 at 12:17

3 Answers


LDAP search filters should give you what you need.

  1. Use (&(objectClass=user)(whenCreated>=20110701000000.0Z)) to get user accounts created on or after July 1, 2011.
  2. Use (&(objectClass=user)(whenChanged>=20110701000000.0Z)) to get user accounts changed on or after July 1, 2011.
  3. Use (&(objectClass=user)(whenChanged>=20110701000000.0Z)(userAccountControl:1.2.840.113556.1.4.803:=2)) to get accounts changed on or after July 1, 2011 and that are disabled. Use a bitwise filter matching rule identifier to check for specific userAccountControl flags.

If these queries will be executed often, you might want to index the whenCreated and whenChanged attributes.


2 Comments

In this case, the directory server administrator should ensure that the whencreated attribute is indexed.
@TerryGardner Good observation; included note about indexing the attributes.

Active Directory does support notifying LDAP clients on change through persistent searches (note, however, the limit of 5 searches per connection). I haven't personally ever used this, but there are examples here, here, and here (in particular, notice that Active Directory apparently uses a different OID for these searches). Note that monitoring for ADDs is pretty straightforward, but modifications will require some work on the part of your Java app, as Active Directory sends modify notifications on any modification operation, regardless of attribute.

@raddeman is exactly right regarding locks/unlocks and enabled/disabled. Simple bitwise operations on userAccountControl will help you extract these values (e.g. userAccountControl & 2 == 2 indicates a user is disabled).

Comments


1) LDAP is a protocol where you cannot (as far as I know) sort the result without doing it manually (in your case, in Java). Another thing that you might find is the value you searched for stored in its own field, such as msSFU30MaxUidNumber in Active Directory to get the largest UNIX UID in the AD.

EDIT: As noted by @EJP, you can specify sorting if the LDAP server supports it. In Java, look at javax.naming.ldap.SortControl.

2) I think this is the same as 1.

3) Yes, look at the userAccountControl field. It contains values that could be found here: http://support.microsoft.com/kb/305144 such as ACCOUNTDISABLE (2).

3 Comments

Thanks for your reply, but userAccountControl returns a different numeric value for each user. How can I get whether the status is enabled or disabled?
@Saiyansharwan: The number is not unique, it's a composition of flags available for the field. You can e.g. use boolean expressions to see if the account is disabled (contains the ACCOUNTDISABLE flag or not).
@EJP thank you, I must have totally missed something while doing LDAP.
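To tie the three answers together, here is an added example (not code from any of the answers above) that builds the whenCreated/whenChanged filters with the bitwise matching rule from the accepted answer and decodes userAccountControl flags from KB 305144; the entries at the bottom are constructed sample data, not real directory output, and the code only builds strings and decodes values, so it runs without an LDAP server.

```python
from datetime import datetime, timezone

# LDAP_MATCHING_RULE_BIT_AND, the OID used in the accepted answer's third filter.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"

# userAccountControl flag bits (subset) from http://support.microsoft.com/kb/305144
UAC_FLAGS = {
    "SCRIPT": 0x0001,
    "ACCOUNTDISABLE": 0x0002,
    "HOMEDIR_REQUIRED": 0x0008,
    "LOCKOUT": 0x0010,
    "PASSWD_NOTREQD": 0x0020,
    "PASSWD_CANT_CHANGE": 0x0040,
    "ENCRYPTED_TEXT_PWD_ALLOWED": 0x0080,
    "NORMAL_ACCOUNT": 0x0200,
    "DONT_EXPIRE_PASSWORD": 0x10000,
    "TRUSTED_FOR_DELEGATION": 0x80000,
    "NOT_DELEGATED": 0x100000,
    "PASSWORD_EXPIRED": 0x800000,
}


def generalized_time(dt):
    """Format a timezone-aware datetime the way AD stores whenCreated/whenChanged."""
    return dt.astimezone(timezone.utc).strftime("%Y%m%d%H%M%S.0Z")


def users_since_filter(attr, since, uac_bits=0):
    """Build (&(objectClass=user)(attr>=time)) with an optional bitwise UAC clause."""
    if attr not in ("whenCreated", "whenChanged"):
        raise ValueError("attr must be whenCreated or whenChanged")
    clauses = f"(objectClass=user)({attr}>={generalized_time(since)})"
    if uac_bits:
        clauses += f"(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={uac_bits})"
    return f"(&{clauses})"


def decode_uac(value):
    """Return the set of flag names whose bit is set in a userAccountControl value."""
    value = int(value)
    return {name for name, bit in UAC_FLAGS.items() if value & bit}


def account_status(entry):
    """Derive enabled/locked from a dict of string attribute values (as JNDI returns them).
    lockoutTime is consulted as well, since AD does not set the LOCKOUT bit in the
    stored userAccountControl attribute; a nonzero lockoutTime marks a lockout event."""
    flags = decode_uac(entry.get("userAccountControl", "0"))
    locked = int(entry.get("lockoutTime", "0")) != 0
    return {"enabled": "ACCOUNTDISABLE" not in flags, "locked": locked, "flags": sorted(flags)}


if __name__ == "__main__":
    since = datetime(2011, 7, 1, tzinfo=timezone.utc)
    print(users_since_filter("whenChanged", since, UAC_FLAGS["ACCOUNTDISABLE"]))
    # Constructed sample entries, not real directory output.
    print(account_status({"userAccountControl": "514", "lockoutTime": "0"}))
    print(account_status({"userAccountControl": "66048", "lockoutTime": "129560515456789012"}))
```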
