How To

How do I count the number of users in my ForgeRock deployment?

Last updated Aug 10, 2020

The purpose of this article is to provide information on counting the number of users in DS or IDM. By extension, this also allows you to count the number of users who are protected by AM.


Overview

This article outlines different approaches you can take to count users in your deployment. Depending on how you define and store users, some approaches may be more suitable to use than others.

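The following options are available:

  • Counting all objects within a particular branch of the directory
  • Counting all objects in the directory with a user based objectClass search filter
  • Counting all objects in the directory with a uid based RDN
  • Counting managed/user objects in IDM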

Additionally, the documentation demonstrates how to count users who have been active within a specific time period. See LDAP User Guide › Active Accounts for further information on setting this up and then searching for active users. 

Counting all objects within a particular branch of the directory

You can count all objects within a particular branch of the directory using an ldapsearch command such as the following:

  • DS 7 and later:
    $ ./ldapsearch --port 1389 --bindDN uid=admin --bindPassword password --baseDN ou=people,dc=example,dc=com --searchScope base "(objectclass=*)" numsubordinates
  • Pre-DS 7:
    $ ./ldapsearch --port 1389 --bindDN "cn=Directory Manager" --bindPassword password --baseDN ou=people,dc=example,dc=com --searchScope base "(objectclass=*)" numsubordinates

Example response:

dn: ou=people,dc=example,dc=com
numsubordinates: 1027

This example shows that there are 1027 objects (users) in the ou=people branch.

As you can see, the count does not distinguish between object types, which is why this approach only works if the branch is used solely for users.

Counting all objects in the directory with a user based objectClass search filter

Provided you use the default schema object class for users (objectClass=inetOrgPerson), you can count all objects in the directory that match a given search filter using a query such as the following:

  • DS 7 and later:
    $ ./ldapsearch --port 1389 --bindDN uid=admin --bindPassword password --baseDN dc=example,dc=com --countEntries objectClass=inetOrgPerson
  • Pre-DS 7:
    $ ./ldapsearch --port 1389 --bindDN "cn=Directory Manager" --bindPassword password --baseDN dc=example,dc=com --countEntries objectClass=inetOrgPerson

Example response:

# Total number of matching entries: 874

This example shows that there are 874 objects (users) that satisfy the search filter.

This approach will not work if you use the specified objectClass for objects that do not represent real people as well as for those that do.

This example query is also useful for determining the number of users protected by AM. 

Counting all objects in the directory with a uid based RDN

You can use a query such as the following to return a total count of all users (with uid based RDNs), along with the DN and user ID value of each:

  • DS 7 and later:
    $ ./ldapsearch --port 1389 --bindDN uid=admin --bindPassword password --baseDN dc=example,dc=com --searchScope sub --countEntries "(uid=*)" uid 
  • Pre-DS 7:
    $ ./ldapsearch --port 1389 --bindDN "cn=Directory Manager" --bindPassword password --baseDN dc=example,dc=com --searchScope sub --countEntries "(uid=*)" uid 

Example response:

dn: uid=demo,ou=people,dc=example,dc=com
uid: demo

dn: uid=user1,ou=people,dc=example,dc=com
uid: user1

...

# Total number of matching entries: 2467

This example shows that there are 2467 users.

Any users with a non-uid based RDN will not be returned with this query.

This example query is also useful for determining the number of users protected by AM. 
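
The three DS approaches above can give different totals for the same directory, for the reasons noted under each. The following added example (not part of the original article; the sample entries and the helper names parse_ldif, parent_dn and count_users are constructed for illustration) applies each counting rule to a small LDIF sample shaped like ldapsearch output:

```python
import base64
import re

# Constructed sample shaped like ldapsearch LDIF output (not from a real directory).
SAMPLE_LDIF = """\
dn: uid=demo,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: demo

dn: cn=Jane Doe,ou=people,dc=example,dc=com
objectClass: inetOrgPerson

dn: cn=helpdesk,ou=people,dc=example,dc=com
objectClass: groupOfNames

dn: cn=admins,ou=people,dc=example,dc=com
objectClass: groupOfNames

dn: uid=backup-svc,ou=services,dc=example,dc=com
objectClass: inetOrgPerson
uid: backup-svc
"""

def parse_ldif(text):
    text = re.sub(r"\r?\n ", "", text)  # unfold wrapped (continuation) lines
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}  # lowercased attribute name -> list of values
        for line in (l for l in block.splitlines() if not l.startswith("#")):
            name, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>" form
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            entry.setdefault(name.lower(), []).append(value.strip())
        entries.append(entry)
    return [e for e in entries if "dn" in e]  # drops comment-only blocks

def parent_dn(dn):
    # Simplification: split at the first comma not escaped with a backslash.
    parts = re.split(r"(?<!\\),", dn, maxsplit=1)
    return parts[1].strip().lower() if len(parts) == 2 else ""

def count_users(entries, branch="ou=people,dc=example,dc=com"):
    in_branch = sum(parent_dn(e["dn"][0]) == branch for e in entries)
    persons = sum("inetorgperson" in map(str.lower, e.get("objectclass", [])) for e in entries)
    with_uid = sum("uid" in e for e in entries)
    return {"numsubordinates": in_branch, "objectClass=inetOrgPerson": persons, "uid=*": with_uid}

if __name__ == "__main__":
    print(count_users(parse_ldif(SAMPLE_LDIF)))
```

On the sample data the three rules return 4, 3 and 2, while only two entries (demo and Jane Doe) represent people: the branch count includes the two groups, the objectClass filter includes the service account, and the uid filter includes the service account but misses the cn based user.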

Counting managed/user objects in IDM

You can use a REST call such as the following to return a count of all users in a JDBC repository if you use the 'user' managed object for users:

$ curl -X GET -H "X-OpenIDM-Username: openidm-admin" -H "X-OpenIDM-Password: openidm-admin" "http://localhost:8080/openidm/managed/user?_queryId=query-all-count"

This would give a response such as the following, which indicates you have 729 users:

{
    "result": [
        {
            "total": 729
        }
    ],
    "resultCount": 1,
    "pagedResultsCookie": null,
    "totalPagedResultsPolicy": "NONE",
    "totalPagedResults": -1,
    "remainingPagedResults": -1
}

If you use a different managed object, for example, person, you should adjust the URL accordingly, for example: 

"http://localhost:8080/openidm/managed/person?_queryId=query-all-count"

See Also

FAQ: Users in AM/OpenAM

DS LDAP User Guide › LDAP Search

IDM Object Modeling Guide › Managed Users

Related Training

N/A

Related Issue Tracker IDs

N/A



Copyright and Trademarks

Copyright © 2020 ForgeRock, all rights reserved.