LDAP Java development - java

I have three questions related to LDAP and Java.
1) Is there any way to find the newly created users in Windows Active Directory using Java? Currently I get all the users from Active Directory, loop through them, and use the whencreated attribute to identify the new users.
2) Similar to the previous one: is there any way to find the user attributes that were recently modified in Active Directory (like first name changed or email changed) using Java? Currently I identify them using the whenchanged attribute.
3) Is there any way to identify whether a user is locked/unlocked, or active/deactivated?

LDAP search filters should give you what you need.
Use (&(objectClass=user)(whenCreated>=20110701000000.0Z)) to get user accounts created on or after July 1, 2011.
Use (&(objectClass=user)(whenChanged>=20110701000000.0Z)) to get user accounts changed on or after July 1, 2011.
Use (&(objectClass=user)(whenChanged>=20110701000000.0Z)(userAccountControl:1.2.840.113556.1.4.803:=2)) to get accounts changed on or after July 1, 2011 and that are disabled. Use a bitwise filter matching rule identifier to check for specific userAccountControl flags.
If these queries will be executed often, you might want to index the whenCreated and whenChanged attributes.

Active Directory does support notifying LDAP clients on change through persistent searches (note, however, the limit of 5 searches per connection). I haven't personally ever used this, but there are examples here, here, and here (in particular, notice that Active Directory apparently uses a different OID for these searches). Note that monitoring for ADDs is pretty straightforward, but modifications will require some work on the part of your Java app, as Active Directory sends modify notifications on any modification operation, regardless of attribute.
#raddeman is exactly right regarding locks/unlocks and enabled/disabled. Simple bitwise operations on userAccountControl will help you extract these values (e.g. userAccountControl & 2 == 2 indicates a user is disabled).

1)
LDAP is a protocol where you cannot (as far as I know) sort the result without doing it manually (in your case, in Java). Another thing that you might find is the value you searched for stored in its own field, such as msSFU30MaxUidNumber in Active Directory to get the largest UNIX UID in the AD.
EDIT: As noted by #EJP, you can specify sorting if the LDAP server supports it. In Java, look at javax.naming.ldap.SortControl.
2) I think this is the same as 1.
3) Yes, look at the userAccountControl field. It contains values that could be found here: http://support.microsoft.com/kb/305144 such as ACCOUNTDISABLE (2).
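The following is an added example and not code from any of the answers above; it pulls together the pieces the three answers describe for JNDI: the whenCreated/whenChanged filters with AD generalized time, a server-side SortControl on whenChanged, and decoding userAccountControl. The class name, the bind/connection arguments and the sample values in main are assumptions for the example; the escapeFilterValue helper is added so that an account name taken from input cannot change the shape of a filter. Note the caveat on lockouts: AD does not reliably set the LOCKOUT bit, so the example also reads lockoutTime.

```java
import java.time.Instant;
import java.time.ZoneOffset;
import java.time.format.DateTimeFormatter;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.*;
import javax.naming.ldap.*;

public class AdUserQueries {
    // userAccountControl bits from the Microsoft KB article cited in the third answer.
    static final int ACCOUNTDISABLE = 0x0002;
    static final int LOCKOUT = 0x0010;
    // AD generalized time: UTC with the ".0Z" suffix, as in the answers' filters.
    static final DateTimeFormatter AD_TIME =
            DateTimeFormatter.ofPattern("uuuuMMddHHmmss'.0Z'").withZone(ZoneOffset.UTC);

    // Escape a value for use inside an LDAP filter (RFC 4515), so that a value taken from
    // input cannot change the structure of the filter.
    static String escapeFilterValue(String v) {
        StringBuilder sb = new StringBuilder(v.length());
        for (char c : v.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Users created or changed on or after 'since' (timestampAttr is whenCreated or whenChanged).
    static String sinceFilter(String timestampAttr, Instant since) {
        return "(&(objectClass=user)(" + timestampAttr + ">=" + AD_TIME.format(since) + "))";
    }

    // Lookup of one account by name; the name is escaped because it may come from user input.
    static String accountFilter(String sAMAccountName) {
        return "(&(objectClass=user)(sAMAccountName=" + escapeFilterValue(sAMAccountName) + "))";
    }

    static boolean isDisabled(int userAccountControl) { return (userAccountControl & ACCOUNTDISABLE) != 0; }

    // AD does not reliably set the LOCKOUT bit in userAccountControl; a non-zero lockoutTime is the
    // usable signal (it stays set until the lockout duration elapses or an administrator unlocks).
    static boolean isLockedOut(int userAccountControl, long lockoutTime) {
        return (userAccountControl & LOCKOUT) != 0 || lockoutTime != 0L;
    }

    static LdapContext connect(String url, String bindDn, String password) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);   // an ldaps:// URL keeps the simple-bind password encrypted in transit
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return new InitialLdapContext(env, null);
    }

    // Users changed since 'since', sorted by the server on whenChanged, with disabled/locked state decoded.
    static void listChangedUsers(LdapContext ctx, String baseDn, Instant since) throws Exception {
        ctx.setRequestControls(new Control[] {new SortControl("whenChanged", Control.CRITICAL)});
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[] {"sAMAccountName", "whenChanged", "userAccountControl", "lockoutTime"});
        NamingEnumeration<SearchResult> results = ctx.search(baseDn, sinceFilter("whenChanged", since), sc);
        while (results.hasMore()) {
            Attributes a = results.next().getAttributes();
            int uac = Integer.parseInt(value(a, "userAccountControl", "0"));
            long lockout = Long.parseLong(value(a, "lockoutTime", "0"));
            System.out.printf("%-20s %s disabled=%b locked=%b%n", value(a, "sAMAccountName", "?"),
                    value(a, "whenChanged", "?"), isDisabled(uac), isLockedOut(uac, lockout));
        }
    }

    static String value(Attributes a, String name, String dflt) throws NamingException {
        Attribute attr = a.get(name);
        return attr == null ? dflt : String.valueOf(attr.get());
    }

    public static void main(String[] args) throws Exception {
        Instant since = Instant.parse("2011-07-01T00:00:00Z");   // the first answer's example date
        System.out.println(sinceFilter("whenCreated", since));
        System.out.println(accountFilter("doe(admin)*"));          // constructed input with filter metacharacters
        System.out.println(isDisabled(514) + " " + isLockedOut(512, 0L));   // 514 = NORMAL_ACCOUNT | ACCOUNTDISABLE
        if (args.length == 4) {   // ldaps://dc.example.com bindDn password baseDn (assumed placeholders)
            LdapContext ctx = connect(args[0], args[1], args[2]);
            try { listChangedUsers(ctx, args[3], since); } finally { ctx.close(); }
        }
    }
}
```

Run it without arguments to see the filters and the flag decoding on the constructed values; with four arguments it performs the sorted search against a real domain controller. The SortControl is marked critical, so a server that does not support sorting rejects the search instead of silently returning unsorted results.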

Related

java ldap - get info is something changes in to AD

I'm making a project with Java Spring where I do specific searches on the content of some attributes of a user or AD group. I also write some text input to specific attributes.
Now I want to go a little bit further...
The idea is that I do an open search on a specific AD group of users. When an attribute or something else of a user in this group changes, then the AD must send a message to my Java program or something to tell me "attention, user x has changed".
If I know that, I can do a new search to check whether the attributes of that user have changed.
I know that I can solve this by doing a search on the timestamp of the users in this AD group every time, but it is not the perfect solution, because then I must search every timestamp every time. And if there are, for example, 5000 users in this group, and I start with user 1 and user 4000 has changed, yeah... then it will take a minute or something until I know that user 4000 has changed.
So I want a real-time search thing.
Can you help me with this? Can you point me in a direction so that I can search further on the web to find a solution or something? Or is this just not possible?
Thanks a lot
Active Directory does not have a push notification feature, so this is not possible to do. You will need to search periodically to find the accounts you want.
You can, however, change your criteria to only find the accounts you want. The whenChanged attribute has the date the account was last changed. You can make a query to ask for members of that group which have recently changed.
For example:
(&(objectClass=User)(whenChanged>=20190108000000.0Z)(memberOf=CN=mygroup,OU=Groups,DC=domain,DC=com))
A description of the date format used with whenChanged is here.
The memberOf condition should match the distinguishedName of the group. If the group has other groups inside it and you want to find members of those too, then you can do a recursive search:
(&(objectClass=User)(whenChanged>=20190108000000.0Z)(memberOf:1.2.840.113556.1.4.1941:=CN=mygroup,OU=Groups,DC=domain,DC=com))
That crazy number is called LDAP_MATCHING_RULE_IN_CHAIN and described here.
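An added example, not part of the answer above or of the first thread's answers: a periodic poller built on the answer's recursive memberOf filter that keeps a whenChanged watermark between runs and diffs the returned attributes against the previous snapshot, which is the "some work on the part of your Java app" the earlier thread mentions, since a changed whenChanged alone does not say which attribute changed. The watched attribute set, the five-minute overlap, the class name and the connection arguments are assumptions for the example; the group DN is treated as configuration and is not escaped.

```java
import java.time.Duration;
import java.time.Instant;
import java.time.LocalDateTime;
import java.time.ZoneOffset;
import java.time.format.DateTimeFormatter;
import java.util.*;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.directory.*;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;

public class AdGroupChangePoller {
    static final DateTimeFormatter AD_TIME = DateTimeFormatter.ofPattern("uuuuMMddHHmmss'.0Z'");
    static final String LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941";
    static final String[] WATCHED = {"givenName", "sn", "mail"};            // attributes we diff (assumed set)
    static final String[] RETURNED = {"givenName", "sn", "mail", "whenChanged"};
    // Re-read entries changed shortly before the last seen whenChanged: the value is maintained per
    // domain controller and the poller's clock is not the DC's, so a strict watermark can miss changes.
    static final Duration OVERLAP = Duration.ofMinutes(5);

    // The answer's filter: users that are (recursively) members of groupDn and changed on or after 'since'.
    static String changedMembersFilter(String groupDn, Instant since) {
        return "(&(objectClass=user)(whenChanged>=" + AD_TIME.format(since.atOffset(ZoneOffset.UTC))
                + ")(memberOf:" + LDAP_MATCHING_RULE_IN_CHAIN + ":=" + groupDn + "))";
    }

    static Instant parseAdTime(String generalizedTime) {
        return LocalDateTime.parse(generalizedTime, AD_TIME).toInstant(ZoneOffset.UTC);
    }

    // Compare freshly read entries with the last snapshot; returns DN -> {attribute -> new value} for each
    // watched attribute that differs and updates the snapshot in place. An entry seen for the first time
    // reports all its watched attributes (previous value null), which the caller can treat as "new user".
    static Map<String, Map<String, String>> diff(Map<String, Map<String, String>> snapshot,
                                                 Map<String, Map<String, String>> current) {
        Map<String, Map<String, String>> changes = new TreeMap<>();
        for (Map.Entry<String, Map<String, String>> e : current.entrySet()) {
            Map<String, String> before = snapshot.getOrDefault(e.getKey(), Collections.emptyMap());
            Map<String, String> delta = new TreeMap<>();
            for (String attr : WATCHED) {
                if (!Objects.equals(before.get(attr), e.getValue().get(attr))) delta.put(attr, e.getValue().get(attr));
            }
            if (!delta.isEmpty()) changes.put(e.getKey(), delta);
            snapshot.put(e.getKey(), e.getValue());
        }
        return changes;
    }

    // One poll against the directory; returns the 'since' value for the next poll.
    static Instant poll(LdapContext ctx, String baseDn, String groupDn, Instant since,
                        Map<String, Map<String, String>> snapshot) throws Exception {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(RETURNED);
        Map<String, Map<String, String>> current = new HashMap<>();
        Instant latest = since;
        NamingEnumeration<SearchResult> results = ctx.search(baseDn, changedMembersFilter(groupDn, since), sc);
        while (results.hasMore()) {
            SearchResult r = results.next();
            Map<String, String> values = new HashMap<>();
            for (String attr : WATCHED) {
                Attribute at = r.getAttributes().get(attr);
                if (at != null) values.put(attr, String.valueOf(at.get()));
            }
            current.put(r.getNameInNamespace(), values);
            Instant changed = parseAdTime(String.valueOf(r.getAttributes().get("whenChanged").get()));
            if (changed.isAfter(latest)) latest = changed;
        }
        for (Map.Entry<String, Map<String, String>> c : diff(snapshot, current).entrySet()) {
            System.out.println("attention: " + c.getKey() + " changed " + c.getValue());
        }
        return latest.minus(OVERLAP);
    }

    public static void main(String[] args) throws Exception {
        Instant since = parseAdTime("20190108000000.0Z");   // the answer's example timestamp
        System.out.println(changedMembersFilter("CN=mygroup,OU=Groups,DC=domain,DC=com", since));
        // Constructed entries standing in for two consecutive polls, so the diff runs without a directory.
        Map<String, Map<String, String>> snapshot = new HashMap<>();
        Map<String, String> alice = new HashMap<>();
        alice.put("givenName", "Alice"); alice.put("mail", "alice@domain.com");
        snapshot.put("CN=alice,OU=People,DC=domain,DC=com", alice);
        Map<String, String> aliceNow = new HashMap<>(alice);
        aliceNow.put("mail", "alice.new@domain.com");
        System.out.println(diff(snapshot, Collections.singletonMap("CN=alice,OU=People,DC=domain,DC=com", aliceNow)));
        if (args.length == 5) {   // ldaps://dc bindDn password baseDn groupDn (assumed placeholders)
            Hashtable<String, String> env = new Hashtable<>();
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.PROVIDER_URL, args[0]);
            env.put(Context.SECURITY_AUTHENTICATION, "simple");
            env.put(Context.SECURITY_PRINCIPAL, args[1]);
            env.put(Context.SECURITY_CREDENTIALS, args[2]);
            LdapContext ctx = new InitialLdapContext(env, null);
            while (true) { since = poll(ctx, args[3], args[4], since, snapshot); Thread.sleep(60_000); }
        }
    }
}
```

Because the filter uses `>=` and the next poll starts OVERLAP before the latest whenChanged seen, an entry may be returned twice; the diff against the snapshot makes that harmless. Pinning the poller to one domain controller (rather than a load-balanced name) keeps the whenChanged values it compares consistent.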

MarkLogic: Move document from one directory to another on some condition

I'm new to MarkLogic and trying to implement following scenario with its Java API:
For each user I'll have two directories, something like:
1.1. user1/xmls/recent/
1.2. user1/xmls/archived/
When user is doing something with his xml - it's put to the "recent" directory;
When user is doing something with his next xml and "recent" directory is full (e.g. has some amount of documents, let's say 20) - the oldest document is moved to the "archived" directory;
User can request all documents from the "recent" directory and should get no more than 20 records;
User can remove something from the "recent" directory manually; In this case, if it had 20 documents, after deleting one it must have 19;
User can do something with his xmls simultaneously and "recent" directory should never become bigger than 20 entries.
Questions are:
In order to properly handle simultaneous adding of xmls to the "recent" directory, should I block whole "recent" directory when adding new entry (to actually add it, check if there are more than 20 records after adding, select the oldest 21st one and move it to the "archived" directory and do all these steps atomically)? How can I do it?
Any suggestions on how to implement this via Java API?
Is it possible to change document's URI (e.g. replace "recent" with "archived" in my case)?
Should I consider using MarkLogic's collections here?
I'm open to any suggestions and comments (as I said I'm new to MarkLogic and maybe my thoughts on how to handle described scenario are completely wrong).
You can achieve atomicity of a sequence of transactions using Multi-Statement Transactions (MST)
It is possible to use an MST from the Java API: http://docs.marklogic.com/guide/java/transactions#id_79848
It's not possible to change a URI. However, it is possible to use an MST to delete the old document and reinsert a new one using the new URI in one atomic step. This would have the same effect.
Possibly, and judging from your use case, unless you must have the recent/archived information as part of the URI, it may be simpler to store this information in collections. However, you should read the documentation and evaluate for yourself: http://docs.marklogic.com/guide/search-dev/collections#chapter
Personally I would skip all the hassle with separate directories as well as collections. You would endlessly have to move files around or change their properties. It would be much easier to not calculate anything up front, and simply use the lastModified property, or something alike, to determine the most recent items at run-time.
HTH!
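As an added example (not code from either answer or from MarkLogic's documentation), here is the first answer's recipe in the MarkLogic Java API: insert the new document, query the "recent" directory, and move the excess oldest documents to "archived" by read + write-under-new-URI + delete, all inside one multi-statement transaction, with rollback if any step fails. The URI layout (a sortable timestamp prefix so that the smallest URI is the oldest document), the class name and the connection arguments are assumptions for the example.

```java
import com.marklogic.client.DatabaseClient;
import com.marklogic.client.DatabaseClientFactory;
import com.marklogic.client.Transaction;
import com.marklogic.client.document.XMLDocumentManager;
import com.marklogic.client.io.SearchHandle;
import com.marklogic.client.io.StringHandle;
import com.marklogic.client.query.*;
import java.util.*;

public class RecentArchiver {
    static final int MAX_RECENT = 20;

    // Assumed URI layout, derived from the question: <user>/xmls/recent/<sortable timestamp>-<name>.xml,
    // so that the lexicographically smallest URI in the directory is the oldest document.
    static String recentDir(String user) { return user + "/xmls/recent/"; }

    static String archivedUri(String recentUri) {
        return recentUri.replaceFirst("/xmls/recent/", "/xmls/archived/");
    }

    // Pure decision, testable without a server: which URIs must move so at most MAX_RECENT remain.
    static List<String> urisToArchive(Collection<String> recentUris) {
        List<String> sorted = new ArrayList<>(recentUris);
        Collections.sort(sorted);
        int excess = sorted.size() - MAX_RECENT;
        if (excess <= 0) return Collections.emptyList();
        return new ArrayList<>(sorted.subList(0, excess));
    }

    // Insert the new document and, in the same multi-statement transaction, move the excess oldest
    // documents to "archived". Either every step commits or none does.
    static void addRecent(DatabaseClient client, String user, String newUri, String xml) {
        XMLDocumentManager docs = client.newXMLDocumentManager();
        QueryManager queries = client.newQueryManager();
        queries.setPageLength(MAX_RECENT * 2L);   // the default page length (10) would hide documents
        Transaction txn = client.openTransaction();
        try {
            docs.write(newUri, new StringHandle(xml), txn);
            StructuredQueryBuilder qb = queries.newStructuredQueryBuilder();
            StructuredQueryDefinition inRecent = qb.directory(true, recentDir(user));
            SearchHandle hits = queries.search(inRecent, new SearchHandle(), txn);   // sees this txn's own write
            List<String> uris = new ArrayList<>();
            for (MatchDocumentSummary m : hits.getMatchResults()) uris.add(m.getUri());
            for (String old : urisToArchive(uris)) {
                // A URI cannot be renamed, so "move" is read + write under the new URI + delete.
                StringHandle content = docs.read(old, new StringHandle(), txn);
                docs.write(archivedUri(old), content, txn);
                docs.delete(old, txn);
            }
            txn.commit();
        } catch (RuntimeException e) {
            txn.rollback();
            throw e;
        }
    }

    public static void main(String[] args) {
        // Constructed URIs: 21 documents after an insert, so exactly the oldest one must move.
        List<String> uris = new ArrayList<>();
        for (int i = 1; i <= 21; i++) uris.add(String.format("user1/xmls/recent/2019-01-%02d-doc.xml", i));
        System.out.println(urisToArchive(uris));
        System.out.println(archivedUri(uris.get(0)));
        if (args.length == 4) {   // host port user password (assumed placeholders; digest authentication)
            DatabaseClient client = DatabaseClientFactory.newClient(args[0], Integer.parseInt(args[1]),
                    new DatabaseClientFactory.DigestAuthContext(args[2], args[3]));
            try {
                addRecent(client, "user1", "user1/xmls/recent/2019-01-22-doc.xml", "<doc>new</doc>");
            } finally {
                client.release();
            }
        }
    }
}
```

The rollback-and-rethrow leaves retrying to the caller: if two simultaneous inserts for the same user conflict, the one MarkLogic rejects must be run again rather than ignored, otherwise the "never more than 20" rule can be broken by the lost write.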

Generating Dynamic URLs

I have a list of users across various companies who are using one of the functionalities that our website provides. Whenever they contact our business group, we need to send a URL via email to the requestor in order for them to upload some data. All these external users do not have any dedicated account. However, we do not want a static link to be provided to them as this can be accessed by anyone over the internet. We want dynamic links to be generated. Is this something that is usually done? Is there an industry accepted way of doing this? Should we ensure that the dynamic link expires after a certain amount of time? If so, are there any design options?
Thanks a lot!
Usually, parameters to URLs, and not the actual URLs, are what's dynamic. Basically you generate params that are stored somewhere, typically in the database, and send an email with the URL and the parameter(s). This URL is valid for only a limited period of time and possibly only for one request.
Answers to questions:
yes, this is something that is quite commonly used in, for example, unsubscribing from a mailing list or validating an account with a working email address
I'm not aware of any single way that is "industry accepted", there are many ways of doing it, but the idea is not that complex - you just need to decide on a suitable token format
normally you should ensure that the link expires after a certain amount of time. Depending on the use case that can be some days, a week or something else. In practice, you'd remove or disable the generated parameters in your database. However, if this data is something that might be needed for extended periods of time, you might want to think up a functionality so that it can be retrieved later on.
You may have a static URL taking a token as parameter. Eg. http://www.mycompany.com/exchange/<UUID> or http://www.mycompany.com/exchange?token=<UUID>.
The UUID could have a validity in a time range or be limited to a single use (one access or one upload).
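The following is an added example and not code from either of the two answers above; it implements what they describe together: a static endpoint with a per-request token, stored server-side with an expiry, and limited to a single use. The token is 256 bits from SecureRandom rather than a UUID (a version-4 UUID carries only 122 random bits and some UUID generators are not cryptographically random), only its SHA-256 digest is stored, and redemption checks and marks the record in one synchronized step so two concurrent requests cannot both succeed. The base URL, the in-memory map standing in for the database table, and the sample clock values are assumptions for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

public class UploadLinks {
    // Static endpoint plus a token, as in the second answer (the host is an assumed placeholder).
    static final String BASE_URL = "https://www.mycompany.com/exchange?token=";
    static final SecureRandom RNG = new SecureRandom();

    // What the server keeps per link. The raw token is never stored, only its SHA-256 digest,
    // so reading this table does not yield working links.
    static final class LinkRecord {
        final String requester;
        final Instant expiresAt;
        boolean used;
        LinkRecord(String requester, Instant expiresAt) { this.requester = requester; this.expiresAt = expiresAt; }
    }

    // Stands in for the database table the first answer describes.
    private final Map<String, LinkRecord> store = new HashMap<>();

    static String digest(String token) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256").digest(token.getBytes(StandardCharsets.US_ASCII));
            return Base64.getUrlEncoder().withoutPadding().encodeToString(d);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);   // SHA-256 is mandatory in every Java runtime
        }
    }

    // Issue a link for 'requester' valid for 'validity'. 32 random bytes give a 256-bit token that is
    // not guessable; base64url keeps it safe in a query string or a path segment.
    synchronized String issue(String requester, Duration validity, Instant now) {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        store.put(digest(token), new LinkRecord(requester, now.plus(validity)));
        return BASE_URL + token;
    }

    // Redeem a token: it must be present, unexpired and unused, and it is marked used in the same step
    // (synchronized stands in for a conditional database update such as "... WHERE used = 0").
    // Lookup is by digest, so the token itself is never compared with a timing-dependent string compare.
    synchronized Optional<String> redeem(String token, Instant now) {
        LinkRecord rec = store.get(digest(token));
        if (rec == null || rec.used || now.isAfter(rec.expiresAt)) return Optional.empty();
        rec.used = true;
        return Optional.of(rec.requester);
    }

    // The housekeeping the first answer mentions: remove spent and expired records instead of keeping them.
    synchronized int purgeExpired(Instant now) {
        int before = store.size();
        store.values().removeIf(r -> r.used || now.isAfter(r.expiresAt));
        return before - store.size();
    }

    static String tokenOf(String url) { return url.substring(BASE_URL.length()); }

    public static void main(String[] args) {
        UploadLinks links = new UploadLinks();
        Instant t0 = Instant.parse("2019-01-08T00:00:00Z");   // constructed clock for the demonstration
        String url = links.issue("requester@partner.example", Duration.ofDays(7), t0);
        System.out.println("mail this: " + url);
        String token = tokenOf(url);
        System.out.println("first use:    " + links.redeem(token, t0.plus(Duration.ofDays(1))));
        System.out.println("second use:   " + links.redeem(token, t0.plus(Duration.ofDays(1))));
        String late = tokenOf(links.issue("other@partner.example", Duration.ofDays(7), t0));
        System.out.println("after expiry: " + links.redeem(late, t0.plus(Duration.ofDays(8))));
        System.out.println("purged:       " + links.purgeExpired(t0.plus(Duration.ofDays(8))));
    }
}
```

Whether the token travels as a path segment or a query parameter (the two forms the second answer shows), it ends up in web-server access logs and possibly in Referer headers, so the short validity and single use matter more than the URL shape; the upload itself should be a POST so the token is not re-sent on every navigation.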
Another variant is to use existing cookies for that site in the web browser (of course, if there are any).
But there are some drawbacks in this solution:
The user can open the link on a different machine or in a different browser. The user can clear all cookies, or they can expire between the last visit to your site and the time the user tries to go to the granted URL. In these cases the user won't be able to access your page.

LDAP: using a filter to avoid a sub CN in Active Directory

I am trying to query nearly all users in Active Directory.
My normal users are in various OUs, and I want to retrieve those. But my system users are stored in the Users CN, and I don't want to retrieve those.
It looks a lot like another question, but their answer didn't help me. I'm using the hint provided here, but it's not helping out either.
I am querying in Active Directory using JNDI. My query is:
(&(objectClass=user)(!(cn:dn:=Users)))
This means all objects of class user, which are not in the Users subtree. Yet, this query nevertheless returns something like this:
CN=__vmware__,CN=Users,DC=SIREDRM,DC=com
So, why is that filter not working? How else can I make it work?
With (!(distinguishedName=*,CN=Users,DC=mydomain,DC=com)), you are trying to use an attribute with DN syntax [Object(DS-DN)]; for these LDAP attributes, you cannot use wildcards in LDAP filters.
Attribute "distinguishedName":
http://msdn.microsoft.com/en-us/library/ms675516%28VS.85%29.aspx
LDAP Syntax "Object(DS-DN)"
http://msdn.microsoft.com/en-us/library/ms684431%28VS.85%29.aspx
In the second link, you will find the statement about the forbidden wildcard.
In general, you could use an LDAP extensible matching rule for excluding some containers from a subtree search, in your case the syntax would be similar to this
(!(cn:dn:=Users))
or something like that. The bad thing: AD doesn't support these kind of extensible match either:
http://msdn.microsoft.com/en-us/library/cc223241%28PROT.10%29.aspx
Read the first paragraph.
So the conclusion is: YOU CANNOT DO THIS WITH ONE SINGLE FILTER IN AN ACTIVE DIRECTORY ENVIRONMENT. Sorry.
The only solution appears to be to use a client-side tool. The script here from Microsoft will show you how to do exactly what you need (except you want Users, not Computers).
http://blogs.technet.com/heyscriptingguy/archive/2004/12/07/how-can-i-return-a-list-of-all-my-computers-except-those-in-a-specified-ou.aspx
The other thing you could look at is a virtual directory to act as a proxy to AD, which would allow you to configure filters and permissions without touching AD.
(mostly copied from the hyphen site)
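An added example, not code from the answer or the question: the client-side filtering the answer arrives at, done in JNDI. The server gets only (objectClass=user); the exclusion of the Users container is decided locally by parsing each returned DN with javax.naming.ldap.LdapName and testing whether it sits under the container, which is more robust than string matching (it ignores case and spacing differences and does not confuse CN=Users with CN=Users2). The sample DNs in main are constructed, with the first one taken from the question; the class name is an assumption.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;
import javax.naming.InvalidNameException;
import javax.naming.NamingEnumeration;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.LdapName;

public class ExcludeContainer {

    // True when entryDn lies (at any depth) under containerDn. LdapName indexes RDNs from the right,
    // so startsWith() is a suffix test on the printed DN, performed on parsed RDNs.
    static boolean isUnder(String entryDn, String containerDn) throws InvalidNameException {
        LdapName entry = new LdapName(entryDn);
        LdapName container = new LdapName(containerDn);
        return entry.size() > container.size() && entry.startsWith(container);
    }

    static List<String> excludeUnder(Collection<String> dns, String containerDn) throws InvalidNameException {
        List<String> kept = new ArrayList<>();
        for (String dn : dns) {
            if (!isUnder(dn, containerDn)) kept.add(dn);
        }
        return kept;
    }

    // Server side: the plain (objectClass=user) part of the question's filter.
    // Client side: drop every entry under the excluded container.
    static List<String> usersOutside(LdapContext ctx, String baseDn, String excludedContainerDn) throws Exception {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[] {"sAMAccountName"});   // the DN is returned regardless
        List<String> all = new ArrayList<>();
        NamingEnumeration<SearchResult> results = ctx.search(baseDn, "(objectClass=user)", sc);
        while (results.hasMore()) all.add(results.next().getNameInNamespace());
        return excludeUnder(all, excludedContainerDn);
    }

    public static void main(String[] args) throws Exception {
        // Constructed DNs; the first is the one the question saw slipping through its filter.
        List<String> dns = Arrays.asList(
                "CN=__vmware__,CN=Users,DC=SIREDRM,DC=com",
                "cn=svc-backup, cn=users, dc=siredrm, dc=com",
                "CN=Bob,CN=Users2,DC=SIREDRM,DC=com",
                "CN=Jane Doe,OU=Sales,OU=Staff,DC=SIREDRM,DC=com");
        System.out.println(excludeUnder(dns, "CN=Users,DC=SIREDRM,DC=com"));
    }
}
```

Running main keeps only the Bob and Jane Doe entries. Because the server still returns every user, the client pays for the full result set; where the normal users all live under a known set of OUs, issuing one search per OU base is the cheaper alternative the answer's reasoning also allows.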

Limiting/controlling the users ability to print in Java

I am looking to write an application that limits the number of times a user can print something. Is there anything in Java that will allow me to control the printing dialogue to this aim?
I'm going to look into these:
http://www.wildcrest.com/Software/J2PrinterWorks/documentation/J2Printer14.html
http://www.softframeworks.com/products/products.php
This is probably something you'll need to implement yourself as it is too-specific a requirement to have been included in the JDK's API.
Assuming you've developed a standalone Swing application you could consider using the Preferences class to store the number of times a user has printed a document for a given date. On Windows this translates to storing information in the registry and is therefore "hidden" from the user to a certain extent, but would allow you to reset the value in an emergency using regedit.
The advantage of this approach is that the user cannot circumvent the print-threshold by simply restarting the application.
I decided to go with J2Printer. It allows the suppression of the print dialogue.
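The following is an added example, not code from the answer or from J2Printer: the per-date counter in java.util.prefs.Preferences that the answer suggests, with the check to run before printing and a purge of old days so the node does not grow without bound. The daily limit, the node name and the dates are assumptions for the example.

```java
import java.time.LocalDate;
import java.util.Arrays;
import java.util.prefs.BackingStoreException;
import java.util.prefs.Preferences;

public class PrintQuota {
    static final int DAILY_LIMIT = 5;           // assumed limit for the example
    static final String KEY_PREFIX = "prints.";

    private final Preferences prefs;

    PrintQuota(Preferences prefs) { this.prefs = prefs; }

    static String key(LocalDate day) { return KEY_PREFIX + day; }   // e.g. prints.2019-01-08

    int printsOn(LocalDate day) { return prefs.getInt(key(day), 0); }

    // Consume one print for 'day'; false when the limit is reached. Call this before showing the print
    // dialogue, or before PrinterJob.print() when the dialogue is suppressed as the OP's comment describes.
    boolean tryPrint(LocalDate day) {
        int n = printsOn(day);
        if (n >= DAILY_LIMIT) return false;
        prefs.putInt(key(day), n + 1);
        return true;
    }

    // Counters for earlier days are no longer needed; drop them so the node does not grow forever.
    void purgeBefore(LocalDate day) throws BackingStoreException {
        for (String k : prefs.keys()) {
            if (k.startsWith(KEY_PREFIX) && LocalDate.parse(k.substring(KEY_PREFIX.length())).isBefore(day)) {
                prefs.remove(k);
            }
        }
        prefs.flush();
    }

    public static void main(String[] args) throws BackingStoreException {
        // A scratch node under the per-user tree (the registry under HKEY_CURRENT_USER on Windows),
        // removed again at the end so the demonstration leaves nothing behind.
        Preferences node = Preferences.userRoot().node("print-quota-demo");
        try {
            PrintQuota quota = new PrintQuota(node);
            LocalDate yesterday = LocalDate.of(2019, 1, 7), today = LocalDate.of(2019, 1, 8);
            node.putInt(key(yesterday), 3);   // constructed leftover counter from an earlier day
            int allowed = 0;
            for (int i = 0; i < DAILY_LIMIT + 2; i++) {
                if (quota.tryPrint(today)) allowed++;
            }
            System.out.println("allowed " + allowed + " of " + (DAILY_LIMIT + 2) + " attempts");
            quota.purgeBefore(today);
            System.out.println("keys after purge: " + Arrays.toString(node.keys()));
        } finally {
            node.removeNode();
        }
    }
}
```

The answer's point that the value can be reset with regedit cuts both ways: the per-user Preferences node is writable by the user, so this counter enforces the limit against accidental over-printing, not against someone who edits the registry. If the limit has to hold regardless, keep the count on a server the user cannot modify and have the application ask before each print.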
