Closed bossfriday closed 2 years ago
This ultimately depends on the type of server that you’re using, as different servers offer different ways of discovering changes. Some of them include:
- Some servers support the LDAP content synchronization mechanism described in RFC 4533. This defines a set of LDAP controls that may be used to retrieve an initial full copy of the data, and then to retrieve information about changes that have been made since that initial full copy. The LDAP SDK supports using the content synchronization mechanism through the ContentSyncRequestControl.
- Some servers offer an LDAP-accessible changelog, based on the specification in draft-good-ldap-changelog, that allows the changes to be retrieved and examined. You can periodically check the changelog for new changes, or you may be able to use a persistent search to have the server notify you when there are new changes. The LDAP SDK supports parsing changelog entries via the ChangeLogEntry class, and the RootDSE class provides access to other important attributes like the location of the changelog and the first and last change numbers. Note, however, that some servers implementing changelog support may not have change numbers synchronized across multiple instances (e.g., if two different servers process changes concurrently, then the order that those changes appear in each server’s changelog might be different), so you may need some logic that attempts to detect and handle already-processed changes if the process reading the changelog has to fail over from one server to another.
- If you’re using the Ping Identity Directory Server (formerly UnboundID Directory Server), then it does support the changelog mechanism, but it also offers additional information in changelog records that are accessible via the UnboundIDChangeLogEntry class. In addition, it provides support for a GetChangelogBatchExtendedRequest that can be used to efficiently retrieve changes from the server in a manner that eliminates the headache of failing over from one server to another.
- If you’re using Active Directory, then you’ll probably want to use the DirSync control, which is supported by the ActiveDirectoryDirSyncControl class in the LDAP SDK.
- If you happen to be using a type of directory server in which none of the above methods is an option, then it may still be possible to detect which entries have been recently added or changed by searching based on the createTimestamp or modifyTimestamp attributes. While this may make it possible to be able to identify entries that have been recently updated, it doesn’t really make it possible to know what specific changes were made to those entries (although if you have a copy of data from an older version of the entry, then you can compare it with the same information from the newer entry to identify those changes). Also, while this mechanism can be used to identify new entries that were added to the server and existing entries that were updated, it’s not great for identifying entries that have been removed.
Thank you, I appreciate your help. Following your advice, I tried to use ContentSyncRequestControl to accomplish the sync. I think it shouldn't give any cookie when retrieving an initial full copy of the data, and it should give a cookie when retrieving changed data. So I made the attempt below, but I ran into 2 questions:

1. If I enable "baseSearchRequest.addControl(syncRequestCtl);", I get the error: resultCode=12 (unavailable critical extension).
2. It always prints "hasn't any ResponseControl", so I have no way to get the cookie.

I can't find any example code about this in /ldap-sdk/docs/examples/index.html. Can you help me correct the test code below? Thank you very much, and I hope for your help.
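```java
import com.unboundid.asn1.ASN1OctetString;
import com.unboundid.ldap.sdk.LDAPConnection;
import com.unboundid.ldap.sdk.SearchRequest;
import com.unboundid.ldap.sdk.SearchResult;
import com.unboundid.ldap.sdk.SearchResultEntry;
import com.unboundid.ldap.sdk.SearchScope;
import com.unboundid.ldap.sdk.controls.ContentSyncDoneControl;
import com.unboundid.ldap.sdk.controls.ContentSyncRequestControl;
import com.unboundid.ldap.sdk.controls.ContentSyncRequestMode;

// The LDAP_* constants come from the poster's own class and are not shown.
public static void main(String[] args) throws Exception {
    // try-with-resources closes the connection even if the search fails
    try (LDAPConnection conn = new LDAPConnection(LDAP_HOST, LDAP_PORT, LDAP_BIND_DN, LDAP_BIND_PASSWORD)) {
        SearchRequest baseSearchRequest = new SearchRequest(LDAP_BASE_DN, SearchScope.ONE, LDAP_EAB_SEARCH_FILTER);
        // Request a one-time refresh (RFC 4533 refreshOnly mode)
        ContentSyncRequestControl syncRequestCtl = new ContentSyncRequestControl(ContentSyncRequestMode.REFRESH_ONLY);
        baseSearchRequest.addControl(syncRequestCtl);
        SearchResult searchResult = conn.search(baseSearchRequest);
        for (SearchResultEntry entry : searchResult.getSearchEntries()) {
            System.out.println(entry.toString());
        }
        if (searchResult.hasResponseControl()) {
            ContentSyncDoneControl syncReqDoneCtrl = (ContentSyncDoneControl) searchResult.getResponseControl(ContentSyncDoneControl.SYNC_DONE_OID);
            if (syncReqDoneCtrl != null) {
                // The cookie is optional in the sync done control, so it may be null
                ASN1OctetString cookie = syncReqDoneCtrl.getCookie();
                System.out.println(cookie == null ? "no cookie returned" : cookie.stringValue());
            }
        } else {
            System.out.println("hasn't any ResponseControl");
        }
    }
}
```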
A result of "unavailable critical extension" means that either the directory server you're trying to use doesn't support that control, or perhaps there's something else that doesn't permit you to use it. For example, maybe the server needs some special configuration to enable support for that control, or maybe the authenticated client doesn't have permission to use it.
What type of server are you using? The best way to determine what controls a server supports would be to retrieve the root DSE (the entry with a DN of "") and look at its supportedControl attribute. If you see a value of "1.3.6.1.4.1.4203.1.9.1.1" for that attribute, then that indicates that it does support that control. However, if you don't see that OID, then that means that either the server doesn't support that control, or maybe that it hasn't been configured to enable it. You could also see if the root DSE gives any clue about what else it might support (for example, if there are other supported control values that might relate to a control that could be used to provide synchronization, or if there are other attributes that indicate the presence of a changelog or something like that).
I can assist you with the LDAP SDK, but I'm not the best person to try to help you with whatever type of server you're using. I believe that all of the most common directory server implementations support at least one of the mechanisms I outlined above, but none of them support all of them. I'm not really in a position to assist with directory server-specific configuration for most types of servers. Those questions are probably better suited to people more directly involved with those products.
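The root DSE check described in the reply above, as an added example that is not part of the original thread or the LDAP SDK's own examples. The class name `SyncCapabilityProbe`, the command-line arguments and the `LDAP_BIND_PASSWORD` environment variable are assumptions made for illustration.

```java
import com.unboundid.ldap.sdk.LDAPConnection;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.ldap.sdk.RootDSE;
import com.unboundid.ldap.sdk.controls.ContentSyncRequestControl;
import com.unboundid.ldap.sdk.experimental.ActiveDirectoryDirSyncControl;
import java.util.Arrays;

public class SyncCapabilityProbe {
  /** Picks the first change-detection mechanism the server advertises in its root DSE. */
  static String pickMechanism(RootDSE rootDSE) {
    if (rootDSE == null) {
      return "unknown (root DSE not readable by this client)";
    }
    // SYNC_REQUEST_OID is 1.3.6.1.4.1.4203.1.9.1.1, the value named in the reply
    if (rootDSE.supportsControl(ContentSyncRequestControl.SYNC_REQUEST_OID)) {
      return "RFC 4533 content synchronization";
    }
    if (rootDSE.supportsControl(ActiveDirectoryDirSyncControl.DIRSYNC_OID)) {
      return "Active Directory DirSync";
    }
    if (rootDSE.getChangelogDN() != null) {
      return "changelog at " + rootDSE.getChangelogDN() + " (changes "
          + rootDSE.getFirstChangeNumber() + ".." + rootDSE.getLastChangeNumber() + ")";
    }
    return "none advertised: fall back to timestamp search or full compare";
  }

  public static void main(String[] args) throws LDAPException {
    // Usage (assumed): java SyncCapabilityProbe <host> <port> [bindDN]
    try (LDAPConnection conn = new LDAPConnection(args[0], Integer.parseInt(args[1]))) {
      if (args.length > 2) {
        // Password comes from the environment rather than the command line
        conn.bind(args[2], System.getenv("LDAP_BIND_PASSWORD"));
      }
      RootDSE rootDSE = conn.getRootDSE();
      if (rootDSE != null && rootDSE.getSupportedControlOIDs() != null) {
        System.out.println("supportedControl: "
            + Arrays.toString(rootDSE.getSupportedControlOIDs()));
      }
      // An advertised control can still be refused for this identity, so a
      // resultCode=12 after a positive answer points at server-side permissions.
      System.out.println("Mechanism: " + pickMechanism(rootDSE));
    }
  }
}
```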
Thank you very much! I decided to do a full sync every time in order to suit most situations, so I have to implement the change sync myself in another way (use a DB as a buffer and work out the changed data myself, then notify someone of the changed data).
Hoping for some example code. Thank you very much!
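A sketch of the full-copy comparison discussed in this thread (keep the previous copy of each entry, fetch the current one, compare), added here as an example and not taken from the thread or the SDK documentation. The class name `SnapshotDiff` and the sample entries are constructed; in practice both maps would be filled from search results and the stored copy.

```java
import com.unboundid.ldap.sdk.Attribute;
import com.unboundid.ldap.sdk.DN;
import com.unboundid.ldap.sdk.Entry;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.ldap.sdk.Modification;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

public class SnapshotDiff {
  /** Indexes entries by normalized DN so case or spacing differences are not seen as changes. */
  static Map<String, Entry> index(Entry... entries) throws LDAPException {
    Map<String, Entry> byDN = new LinkedHashMap<>();
    for (Entry e : entries) {
      byDN.put(DN.normalize(e.getDN()), e);
    }
    return byDN;
  }

  /** Reports adds, modifications and deletes between two full copies. */
  static void report(Map<String, Entry> previous, Map<String, Entry> current) {
    for (Map.Entry<String, Entry> c : current.entrySet()) {
      Entry old = previous.get(c.getKey());
      if (old == null) {
        System.out.println("ADDED    " + c.getKey());
        continue;
      }
      // Entry.diff returns the modifications that turn the old copy into the new one.
      // If operational attributes such as modifyTimestamp were fetched, they show up here too.
      List<Modification> mods = Entry.diff(old, c.getValue(), true);
      if (!mods.isEmpty()) {
        System.out.println("MODIFIED " + c.getKey() + " " + mods);
      }
    }
    // Deletes are only visible because the previous copy was kept; a timestamp search alone misses them
    for (String dn : previous.keySet()) {
      if (!current.containsKey(dn)) {
        System.out.println("DELETED  " + dn);
      }
    }
  }

  public static void main(String[] args) throws LDAPException {
    // Constructed sample data standing in for the stored copy and a fresh full search
    Map<String, Entry> previous = index(
        new Entry("uid=alice,ou=People,dc=example,dc=com", new Attribute("mail", "alice@example.com")),
        new Entry("uid=bob,ou=People,dc=example,dc=com", new Attribute("mail", "bob@example.com")));
    Map<String, Entry> current = index(
        new Entry("uid=alice,ou=People,dc=example,dc=com", new Attribute("mail", "a.smith@example.com")),
        new Entry("uid=carol,ou=People,dc=example,dc=com", new Attribute("mail", "carol@example.com")));
    report(previous, current);  // alice modified, carol added, bob deleted
  }
}
```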