active directory - How to sync LDAP users and groups when LDAP does not support a Unique Identifier?


I import reference LDAP users and groups into my database. Therefore, I need to sync these users and groups periodically.

It is clear to me how to sync these objects when the LDAP supports a unique identifier (UID). For example, Active Directory supports the objectGUID attribute.

In the case where a user (or group) is moved to another place in the LDAP tree, and therefore its DN changed, I can still find it using the UID and update the user.

But what about when the LDAP does not support a UID and the DN changed?

If I look it up using the old DN, I cannot find the user (or group), and I need to remove the user.

But how can I distinguish between the use cases where the user was moved to another place in the LDAP tree (its DN changed) and where the user was deleted from LDAP?

When moved, I should find it and update the new DN. When deleted, I need to remove it.

I do not know how to do it.

Can I use the username (login name) for user synchronization?

What should I use for an LDAP group?

In case you want to support multiple LDAP servers, a sensible option is making the ID configurable, i.e. ask users for the unique attribute during deployment. This will work in 100% of cases if customers use LDAP authentication, since even if the directory server doesn't support unique attributes itself, they have to keep at least one of them unique manually in order to enable connected systems to authenticate against LDAP. It is unlikely you can find software that operates when there are duplicates in the authentication backend.

Of course, during deployment you can suggest a default attribute known to be unique in the LDAP implementation (like sAMAccountName in AD) and hit the correct one in most cases.
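As an added example (not code from the question or the answer above), here is a small reconciliation routine that applies the configurable-key approach the answer describes: objects are matched on a chosen attribute rather than on DN, so a move (same key, new DN) is told apart from a delete (key gone), and duplicate keys are rejected instead of guessed at. The key attribute, DNs and snapshot data are constructed for illustration.

```python
# Reconcile the application's stored copy of LDAP users/groups against a
# fresh directory search, matching on a configurable unique attribute.
# All names, DNs and entries below are constructed sample data.

def reconcile(local, entries, key_attr):
    """local:    {key: dn} as stored in the application database.
    entries:  [(dn, {attr: value}), ...] as returned by an LDAP search.
    key_attr: the attribute configured as the stable identifier, e.g.
              objectGUID on AD, or sAMAccountName/uid where no GUID exists."""
    seen = {}
    for dn, attrs in entries:
        key = attrs.get(key_attr)
        if key is None:
            raise ValueError(f"{dn} has no {key_attr}; refusing to sync")
        # Duplicate keys would make moves and deletes indistinguishable,
        # so fail loudly rather than guess.
        if key in seen:
            raise ValueError(f"duplicate {key_attr}={key!r}: {seen[key]} / {dn}")
        seen[key] = dn
    plan = {"added": {}, "moved": {}, "unchanged": set(), "deleted": set()}
    for key, new_dn in seen.items():
        if key not in local:
            plan["added"][key] = new_dn
        elif local[key].lower() != new_dn.lower():   # simplified DN comparison
            plan["moved"][key] = (local[key], new_dn)  # same object, new place
        else:
            plan["unchanged"].add(key)
    plan["deleted"] = set(local) - set(seen)   # key absent from the whole tree
    return plan

# Constructed snapshot from the last sync, keyed on sAMAccountName.
LOCAL = {
    "alice":  "CN=alice,OU=Staff,DC=example,DC=com",
    "bob":    "CN=bob,OU=Staff,DC=example,DC=com",
    "admins": "CN=admins,OU=Groups,DC=example,DC=com",
}
# Constructed search result: alice moved to another OU, bob was deleted,
# carol is new, and the admins group is unchanged.
ENTRIES = [
    ("CN=alice,OU=Contractors,DC=example,DC=com", {"sAMAccountName": "alice"}),
    ("CN=carol,OU=Staff,DC=example,DC=com",       {"sAMAccountName": "carol"}),
    ("CN=admins,OU=Groups,DC=example,DC=com",     {"sAMAccountName": "admins"}),
]
```

Running `reconcile(LOCAL, ENTRIES, "sAMAccountName")` reports alice as moved, bob as deleted, carol as added and admins as unchanged; the same routine works for groups because they carry the configured key attribute too.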
