How do I count the number of objects in my ForgeRock deployment?

Last updated Jan 12, 2023

The purpose of this article is to provide information on counting the number of objects (such as users) in DS or IDM. By extension, this also allows you to count the number of users who are protected by AM. The process described in this article should not be used to determine licensing compliance with ForgeRock. Please contact your ForgeRock Sales representative so they can provide guidance with regard to compliance.

5 readers recommend this article

Overview

This article outlines different approaches you can take to count objects in your deployment. Depending on how you define and store users, some approaches may be more suitable than others if you want to count users.

The following options are available:

Count all objects within a particular branch of the directory - you can use this option as long as all objects of the same type are stored within the same branch of the directory and the branch is not used for any other objects (for example, only users are stored there).
Count all objects in the directory with a user based objectClass search filter - you can use this option if the objectClass used in the search filter is only used for real people objects.
Count all objects in the directory with a uid based RDN - you can use this option if you use uid based RDNs, for example, uid=jdoe.
Counting managed/user objects in IDM - you can use this option to count all users in your repository provided you are using a JDBC repository. If you use a DS repository, you should use one of the DS options outlined above.

Additionally, the documentation demonstrates how to count users who have been active within a specific time period. See Active Accounts for further information on setting this up and then searching for active users.

Counting all objects within a particular branch of the directory

You can count all objects within a particular branch of the directory using a ldapsearch command such as the following:

DS 7.1 and later: $ ./ldapsearch --hostname localhost --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePassword:file /path/to/ds/config/keystore.pin --bindDN uid=admin --bindPassword password --baseDN ou=people,dc=example,dc=com --searchScope base "(objectclass=*)" numsubordinates
DS 7: $ ./ldapsearch --hostname localhost --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePasswordFile /path/to/ds/config/keystore.pin --bindDN uid=admin --bindPassword password --baseDN ou=people,dc=example,dc=com --searchScope base "(objectclass=*)" numsubordinates
DS 6.x: $ ./ldapsearch --port 1389 --bindDN "cn=Directory Manager" --bindPassword password --baseDN ou=people,dc=example,dc=com --searchScope base "(objectclass=*)" numsubordinates

Example response:

dn: ou=people,dc=example,dc=com numsubordinates: 1027

Where this example shows there are 1027 objects in the ou=people branch. Providing this branch is only used for users, you can deduce there are 1027 users.

Counting all objects in the directory with a user based objectClass search filter

You can count all objects in the directory that match a given search filter using a query such as the following providing you use the default schema objectClass=inetOrgPerson:

DS 7.1 and later: $ ./ldapsearch --hostname localhost --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePassword:file /path/to/ds/config/keystore.pin --bindDN uid=admin --bindPassword password --baseDN dc=example,dc=com --countentries objectClass=inetOrgPerson
DS 7: $ ./ldapsearch --hostname localhost --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePasswordFile /path/to/ds/config/keystore.pin --bindDN uid=admin --bindPassword password --baseDN dc=example,dc=com --countentries objectClass=inetOrgPerson
DS 6.x: $ ./ldapsearch --port 1389 --bindDN "cn=Directory Manager" --bindPassword password --baseDN dc=example,dc=com --countentries objectClass=inetOrgPerson

Example response:

# Total number of matching entries: 874

Where this example shows there are 874 objects (users) that satisfy the search filter.

This approach will not work if you use the specified objectClass for real people objects as well as non-real person objects.

This example query is also useful for determining the number of users protected by AM.

Counting all objects in the directory with a uid based RDN

You can use a query such as the following to return a total count of all users (with uid based RDNs) along with the DNs and user ID values of them all:

DS 7.1 and later: $ ./ldapsearch --hostname localhost --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePassword:file /path/to/ds/config/keystore.pin --bindDN uid=admin --bindPassword password --baseDN dc=example,dc=com --searchScope sub --countEntries "(uid=*)" uid
DS 7: $ ./ldapsearch --hostname localhost --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePasswordFile /path/to/ds/config/keystore.pin --bindDN uid=admin --bindPassword password --baseDN dc=example,dc=com --searchScope sub --countEntries "(uid=*)" uid
DS 6.x: $ ./ldapsearch --port 1389 --bindDN "cn=Directory Manager" --bindPassword password --baseDN dc=example,dc=com --searchScope sub --countEntries "(uid=*)" uid

Example response:

dn: uid=demo,ou=people,dc=example,dc=com uid: demo dn: uid=user1,ou=people,dc=example,dc=com uid: user1 ... # Total number of matching entries: 2467

Where this example shows there are 2467 users.

Any users with a non-uid based RDN will not be returned with this query.

This example query is also useful for determining the number of users protected by AM.

Counting managed/user objects in IDM

You can use one of these REST calls to return a count of all users in a JDBC repository if you use the 'user' managed object for users:

IDM 7 and later: $ curl -X GET -H "X-OpenIDM-Username: openidm-admin" -H "X-OpenIDM-Password: openidm-admin" -H "Accept-API-Version: resource=1.0" "http://localhost:8080/openidm/managed/user?_queryId=query-all-ids"

Example response, which indicates you have 729 users:{ "result": [ {"_id":"ea018740-50ce-4742-b255-b3592eae613f","_rev":"000000006a72d15f"}, {"_id":"bddb135d-f6b7-4933-bb9e-525d436d48bb","_rev":"00000000d895bbb1"}, ... ], "resultCount": 729, "pagedResultsCookie": null, "totalPagedResultsPolicy": "NONE", "totalPagedResults": -1, "remainingPagedResults": -1 }

Pre-IDM 7: $ curl -X GET -H "X-OpenIDM-Username: openidm-admin" -H "X-OpenIDM-Password: openidm-admin" "http://localhost:8080/openidm/managed/user?_queryId=query-all-count"

Example response, which indicates you have 729 users:{ "result": [ { "total": 729 } ], "resultCount": 1, "pagedResultsCookie": null, "totalPagedResultsPolicy": "NONE", "totalPagedResults": -1, "remainingPagedResults": -1 }

If you use a different managed object for users, for example, person, or you want to count a different managed object, you should adjust the URL being called. For example, in IDM 7: "http://localhost:8080/openidm/managed/person?_queryId=query-all-ids"

Related Training

N/A

Related Issue Tracker IDs

N/A