Question
I am on a project where we are creating a generic LDAP interface to integrate with an LDAP compliant directory (Active Directory, etc). Our design REQUIRES us to replicate the users/groups (not passwords) from the LDAP directory into a separate database (I won't go into the reasons for this here).
On some interval our plan is to query the directory through LDAP, pull all the user/group information, and sync that with what we have. The first hit would require we get everything, but subsequent requests could be much more efficient if there is a way to query for everything that has changed since the last time we checked.
Does LDAP support this type of "just give me what has changed" type of mechanism? And, if yes, what would the LDAP query look like?
Answer 1:
You'd use something like this:
(&(objectClass=User)(objectCategory=person)(whenChanged>=20160406000000.0Z))
Notice that the format of the date starts with YYYYMMDD.
The whenChanged attribute won't be the same on all domain controllers since whenChanged itself does not replicate, but it gets updated on each DC as whatever change was made replicates. See here for an explanation of that.
Also note that the act of a user logging in will update the whenChanged date.
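The following is an added example, not code from the original question or answer. It builds the whenChanged filter shown above from a stored sync watermark, escapes filter values per RFC 4515, and simulates one incremental sync round against a constructed list of directory entries (no LDAP client or server is involved; the filter string would be passed to whichever LDAP library you use). Because whenChanged is maintained per DC rather than replicated, the example subtracts a configurable skew margin from the watermark and merges results by objectGUID so that the overlap is harmless. All entry values, GUIDs and the skew default are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Active Directory stores whenChanged as GeneralizedTime in UTC, e.g. 20160406000000.0Z
GENERALIZED_TIME_FMT = "%Y%m%d%H%M%S"


def to_generalized_time(dt):
    """Render an aware datetime as the GeneralizedTime string used in the filter."""
    return dt.astimezone(timezone.utc).strftime(GENERALIZED_TIME_FMT) + ".0Z"


def from_generalized_time(value):
    """Parse an AD GeneralizedTime such as '20160406123045.0Z' into a UTC datetime."""
    base = value.split(".")[0].rstrip("Z")  # drop fractional seconds and the Z suffix
    return datetime.strptime(base, GENERALIZED_TIME_FMT).replace(tzinfo=timezone.utc)


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515 section 3)."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))  # backslash, *, (, ) and NUL become \XX
        else:
            out.append(ch)
    return "".join(out)


def build_delta_filter(last_sync, skew=timedelta(minutes=5), object_class="user"):
    """Filter for person objects changed since last_sync, widened by a skew margin.

    The margin covers per-DC differences in whenChanged and clock drift between
    the sync host and the DC; the overlap is absorbed by merging on objectGUID.
    """
    since = to_generalized_time(last_sync - skew)
    return "(&(objectClass=%s)(objectCategory=person)(whenChanged>=%s))" % (
        escape_filter_value(object_class),
        since,
    )


# Constructed sample data standing in for what the directory would return.
SAMPLE_ENTRIES = [
    {"objectGUID": "guid-alice", "sAMAccountName": "alice", "whenChanged": "20160405230000.0Z"},
    {"objectGUID": "guid-bob", "sAMAccountName": "bob", "whenChanged": "20160406010000.0Z"},
    {"objectGUID": "guid-carol", "sAMAccountName": "carol", "whenChanged": "20160406120000.0Z"},
]


def select_changed(entries, last_sync, skew=timedelta(minutes=5)):
    """Simulate the server-side whenChanged>= comparison over constructed entries."""
    cutoff = last_sync - skew
    return [e for e in entries if from_generalized_time(e["whenChanged"]) >= cutoff]


def apply_delta(local, changed, last_watermark):
    """Merge changed entries into the local mirror keyed by objectGUID.

    Returns the updated mirror and the new watermark, which is the latest
    whenChanged actually observed (fixed-width GeneralizedTime sorts lexically).
    """
    merged = dict(local)
    for entry in changed:
        merged[entry["objectGUID"]] = entry
    watermark = max((e["whenChanged"] for e in changed), default=last_watermark)
    return merged, watermark


if __name__ == "__main__":
    last_sync = from_generalized_time("20160406000500.0Z")  # constructed watermark
    print(build_delta_filter(last_sync))
    changed = select_changed(SAMPLE_ENTRIES, last_sync)
    mirror, watermark = apply_delta({}, changed, "20160406000500.0Z")
    print(sorted(mirror), watermark)
```

Persist the returned watermark rather than the local wall clock, and run the query against a single DC so the whenChanged values you compare were all stamped by the same server. Note that a whenChanged filter only returns objects that still exist; deletions need a separate mechanism, so a periodic full reconciliation is still worth keeping.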
Source: https://stackoverflow.com/questions/36457494/ldap-query-for-changes