LDAP Java development
I have three questions related to LDAP and Java.

1) Is there any way to find the newly created users on the Windows Active Directory using Java? Now I get all the users from Active Directory, loop through them and use the whenCreated attribute to identify the new users.

2) Same as the previous one: is there any way to find the user attributes that were recently modified on Active Directory (like first name changed or email changed) using Java? Currently I identify them using the whenChanged attribute.

3) Is there any way to identify whether a user is locked/unlocked or active/de-active, like that?
LDAP search filters should give you what you need.

- Use (&(objectClass=user)(whenCreated>=20110701000000.0Z)) to get user accounts created on or after July 1, 2011.
- Use (&(objectClass=user)(whenChanged>=20110701000000.0Z)) to get user accounts changed on or after July 1, 2011.
- Use (&(objectClass=user)(whenChanged>=20110701000000.0Z)(userAccountControl:1.2.840.113556.1.4.803:=2)) to get accounts changed on or after July 1, 2011 and that are disabled. Use a bitwise filter matching rule identifier to check for specific userAccountControl flags.

If these queries will be executed often, you might want to index the whenCreated and whenChanged attributes.
Active Directory does support notifying LDAP clients on change through persistent searches (note, however, the limit of 5 searches per connection). I haven't personally ever used this, but there are examples here, here, and here (in particular, notice that Active Directory apparently uses a different OID for these searches). Note that monitoring for ADDs is pretty straight-forward, but modifications will require some work on the part of your Java app, as Active Directory sends modify notifications on any modification operation, regardless of attribute.

@raddeman is exactly right regarding locks/unlocks and enabled/disabled. Simple bitwise operations on userAccountControl will help you extract these values (e.g. userAccountControl & 2 == 2 indicates a user is disabled).
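The three filters and the bitwise check from this answer, put together as an added Java (JNDI) example; this is not code from the original thread. The LDAP URL, bind DN, password and search base in main are placeholders you must replace. The filter strings are built from a java.time Instant instead of a hard-coded date, and the disabled flag is decoded from userAccountControl exactly as the answer describes. One caveat the answer does not cover: the LOCKOUT bit (0x10) is listed for userAccountControl, but the value AD actually maintains for a locked-out account is the lockoutTime attribute (non-zero while locked), so that is what the scan reads for lock state.

```java
import java.time.Instant;
import java.time.ZoneOffset;
import java.time.format.DateTimeFormatter;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/** Lists users created / changed / disabled since a point in time, using the filters from the answer. */
public class AdChangeScan {

    // userAccountControl bit values (the KB article cited on this page lists the full set).
    static final int ACCOUNTDISABLE = 0x0002;

    // whenCreated / whenChanged are GeneralizedTime in UTC, e.g. 20110701000000.0Z
    static final DateTimeFormatter GENERALIZED_TIME =
            DateTimeFormatter.ofPattern("yyyyMMddHHmmss'.0Z'").withZone(ZoneOffset.UTC);

    static String createdSince(Instant since) {
        return "(&(objectClass=user)(whenCreated>=" + GENERALIZED_TIME.format(since) + "))";
    }

    static String changedSince(Instant since) {
        return "(&(objectClass=user)(whenChanged>=" + GENERALIZED_TIME.format(since) + "))";
    }

    /** changedSince plus the bitwise AND matching rule (OID 1.2.840.113556.1.4.803) on the ACCOUNTDISABLE bit. */
    static String disabledAndChangedSince(Instant since) {
        return "(&(objectClass=user)(whenChanged>=" + GENERALIZED_TIME.format(since) + ")"
             + "(userAccountControl:1.2.840.113556.1.4.803:=" + ACCOUNTDISABLE + "))";
    }

    /** The same check the answer gives in prose: userAccountControl & flag == flag. */
    static boolean hasFlag(int userAccountControl, int flag) {
        return (userAccountControl & flag) == flag;
    }

    static DirContext connect(String url, String bindDn, String password) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);            // use ldaps:// so the bind password is not sent in clear
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return new InitialDirContext(env);
    }

    static void scan(DirContext ctx, String baseDn, String filter) throws NamingException {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[] {
            "sAMAccountName", "whenCreated", "whenChanged", "userAccountControl", "lockoutTime"});
        NamingEnumeration<SearchResult> results = ctx.search(baseDn, filter, sc);
        try {
            while (results.hasMore()) {
                SearchResult r = results.next();
                int uac = intAttr(r, "userAccountControl");
                long lockoutTime = longAttr(r, "lockoutTime");
                System.out.printf("%s created=%s changed=%s disabled=%b locked=%b%n",
                        stringAttr(r, "sAMAccountName"), stringAttr(r, "whenCreated"),
                        stringAttr(r, "whenChanged"), hasFlag(uac, ACCOUNTDISABLE), lockoutTime != 0L);
            }
        } finally {
            results.close();
        }
    }

    // AD returns these attributes as strings over LDAP; missing attribute -> empty / 0.
    static String stringAttr(SearchResult r, String name) throws NamingException {
        Attribute a = r.getAttributes().get(name);
        return a == null ? "" : (String) a.get();
    }

    static int intAttr(SearchResult r, String name) throws NamingException {
        String v = stringAttr(r, name);
        return v.isEmpty() ? 0 : Integer.parseInt(v);
    }

    static long longAttr(SearchResult r, String name) throws NamingException {
        String v = stringAttr(r, name);
        return v.isEmpty() ? 0L : Long.parseLong(v);
    }

    public static void main(String[] args) throws NamingException {
        // Placeholders: replace with your own directory, a read-only service account and search base.
        DirContext ctx = connect("ldaps://dc.example.invalid:636",
                                 "CN=ldap-reader,OU=Service Accounts,DC=example,DC=invalid",
                                 System.getenv("LDAP_BIND_PASSWORD"));
        Instant since = Instant.now().minusSeconds(24 * 3600);   // last 24 hours
        String baseDn = "OU=Users,DC=example,DC=invalid";
        try {
            scan(ctx, baseDn, createdSince(since));
            scan(ctx, baseDn, changedSince(since));
            scan(ctx, baseDn, disabledAndChangedSince(since));
        } finally {
            ctx.close();
        }
    }
}
```

Run it on a schedule and persist the last whenChanged timestamp you saw so the next run asks only for entries newer than that; the whenChanged filter is cheap for the server once the attribute is indexed, whereas enumerating every user and comparing in Java (the approach in the question) grows with the size of the directory. The bind password is read from an environment variable rather than embedded in source, and lockout is read from lockoutTime instead of the LOCKOUT bit for the reason given in the lead-in.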
1) LDAP is a protocol where you cannot (what I know of) sort the result without doing it manually (in your case, in Java). Another thing that you might find is the value you searched for stored in its own field, as msSFU30MaxUidNumber in Active Directory to get the largest UNIX UID in the AD.

EDIT: As noted by @EJP, you can specify sorting if the LDAP server supports it. In Java, look at javax.naming.ldap.SortControl.
2) I think this is the same as 1.
3) Yes, look at the userAccountControl field. It contains values that could be found here: http://support.microsoft.com/kb/305144 such as ACCOUNTDISABLE (2).
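The server-side sort this answer's EDIT points at, as an added Java example (not code from the thread): it asks the server for users ordered by whenCreated, newest first, through javax.naming.ldap.SortControl, and reads the SortResponseControl back to confirm the server actually honoured the request. Connection details are placeholders. AD advertises the server-side sort control in the rootDSE supportedControl attribute (OID 1.2.840.113556.1.4.473), and the block checks for it before relying on the ordering.

```java
import java.io.IOException;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.Control;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.SortControl;
import javax.naming.ldap.SortKey;
import javax.naming.ldap.SortResponseControl;

/** Server-side sorted search: lets the directory order users by whenCreated instead of sorting in Java. */
public class AdSortedSearch {

    // OID of the LDAP server-side sort request control, as listed in rootDSE supportedControl.
    static final String SERVER_SIDE_SORT_OID = "1.2.840.113556.1.4.473";

    static LdapContext connect(String url, String bindDn, String password) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return new InitialLdapContext(env, null);
    }

    /** True if the rootDSE lists the sort control; otherwise the server would ignore a non-critical request. */
    static boolean serverSupportsSort(LdapContext ctx) throws NamingException {
        Attributes rootDse = ctx.getAttributes("", new String[] {"supportedControl"});
        Attribute supported = rootDse.get("supportedControl");
        return supported != null && supported.contains(SERVER_SIDE_SORT_OID);
    }

    /** Runs the filter with a critical sort on whenCreated (descending) and returns whether the server sorted. */
    static boolean searchNewestFirst(LdapContext ctx, String baseDn, String filter)
            throws NamingException, IOException {
        // SortKey(attrId, ascending, matchingRuleId): false = descending, so newest accounts come first.
        SortKey[] keys = { new SortKey("whenCreated", false, null) };
        ctx.setRequestControls(new Control[] { new SortControl(keys, Control.CRITICAL) });

        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[] {"sAMAccountName", "whenCreated"});

        NamingEnumeration<SearchResult> results = ctx.search(baseDn, filter, sc);
        try {
            while (results.hasMore()) {
                SearchResult r = results.next();
                Attribute name = r.getAttributes().get("sAMAccountName");
                Attribute created = r.getAttributes().get("whenCreated");
                System.out.printf("%s %s%n", name == null ? "" : name.get(), created == null ? "" : created.get());
            }
        } finally {
            results.close();
        }

        // The response control tells you whether the ordering can be trusted.
        boolean sorted = false;
        Control[] responses = ctx.getResponseControls();
        if (responses != null) {
            for (Control c : responses) {
                if (c instanceof SortResponseControl) {
                    SortResponseControl src = (SortResponseControl) c;
                    sorted = src.isSorted();
                    if (!sorted) {
                        System.err.println("server refused to sort, result code " + src.getResultCode());
                    }
                }
            }
        }
        ctx.setRequestControls(null);   // do not leak the control into later operations on this context
        return sorted;
    }

    public static void main(String[] args) throws NamingException, IOException {
        // Placeholders: replace with your own directory and a read-only service account.
        LdapContext ctx = connect("ldaps://dc.example.invalid:636",
                                  "CN=ldap-reader,OU=Service Accounts,DC=example,DC=invalid",
                                  System.getenv("LDAP_BIND_PASSWORD"));
        try {
            if (!serverSupportsSort(ctx)) {
                System.err.println("directory does not advertise server-side sort; sort client-side instead");
                return;
            }
            searchNewestFirst(ctx, "OU=Users,DC=example,DC=invalid", "(objectClass=user)");
        } finally {
            ctx.close();
        }
    }
}
```

Marking the control CRITICAL makes the server fail the search rather than silently return unsorted entries, which is the behaviour you want when the order drives a decision (for example "the first N results are the newest accounts"). For large directories combine this with the paged-results control, since AD caps a single search at its MaxPageSize (1000 entries by default).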