diff --git a/src/auditsource.js b/src/auditsource.js
index 946938bd2..18c297cdd 100644
--- a/src/auditsource.js
+++ b/src/auditsource.js
@@ -5,6 +5,7 @@ exports = module.exports = {
     HEALTH_MONITOR: { userId: null, username: 'healthmonitor' },
     SYSADMIN: { userId: null, username: 'sysadmin' },
     APP_TASK: { userId: null, username: 'apptask' },
+    EXTERNAL_LDAP_TASK: { userId: null, username: 'externalldap' },
 
     fromRequest: fromRequest
 };
diff --git a/src/externalldap.js b/src/externalldap.js
index 86e1a0723..e9f12cf75 100644
--- a/src/externalldap.js
+++ b/src/externalldap.js
@@ -10,10 +10,13 @@ exports = module.exports = {
 };
 
 var assert = require('assert'),
+    auditsource = require('./auditsource.js'),
     debug = require('debug')('box:ldapclient'),
     ldap = require('ldapjs'),
     settings = require('./settings.js'),
     tasks = require('./tasks.js'),
+    users = require('./users.js'),
+    UserError = users.UsersError,
     util = require('util');
 
 function ExternalLdapError(reason, errorOrMessage) {
@@ -137,20 +140,37 @@ function sync(progressCallback, callback) {
                 scope: 'sub'
             };
 
+            // TODO this needs pagination!
             client.search(externalLdapConfig.baseDn, opts, function (error, result) {
                 if (error) return callback(new ExternalLdapError(ExternalLdapError.EXTERNAL_ERROR, error));
 
-                result.on('searchEntry', function(entry) {
-                    console.log('entry: ' + JSON.stringify(entry.object));
+                result.on('searchEntry', function (entry) {
+                    const user = entry.object;
 
-                    // TODO ensure db record for user
+                    console.log('Ldap user: ', user);
+
+                    users.getByUsername(user.uid, function (error, result) {
+                        if (error && error.reason !== UserError.NOT_FOUND) return console.error(error);
+
+                        if (error) {
+                            users.create(user.uid, null, user.mail, user.displayName, { source: 'ldap' }, auditsource.EXTERNAL_LDAP_TASK, function (error) {
+                                if (error) console.error('Failed to create user', user, error);
+                            });
+                        } else if (result.email !== user.mail || result.displayName !== user.displayName) {
+                            users.update(result.id, { email: user.mail, displayName: user.displayName }, auditsource.EXTERNAL_LDAP_TASK, function (error) {
+                                if (error) console.error('Failed to update user', user, error);
+                            });
+                        } else {
+                            // user known and up-to-date
+                        }
+                    });
                 });
 
                 result.on('error', function (error) {
                     callback(new ExternalLdapError(ExternalLdapError.EXTERNAL_ERROR, error));
                 });
 
-                result.on('end', function(result) {
+                result.on('end', function (result) {
                     console.log('status: ' + result.status);
                     callback();
                 });
diff --git a/src/userdb.js b/src/userdb.js
index 2659a208f..55a77f3e1 100644
--- a/src/userdb.js
+++ b/src/userdb.js
@@ -175,10 +175,11 @@ function add(userId, user, callback) {
     assert.strictEqual(typeof user.resetToken, 'string');
     assert.strictEqual(typeof user.displayName, 'string');
     assert.strictEqual(typeof user.admin, 'boolean');
+    assert.strictEqual(typeof user.source, 'string');
     assert.strictEqual(typeof callback, 'function');
 
-    const query = 'INSERT INTO users (id, username, password, email, fallbackEmail, salt, createdAt, modifiedAt, resetToken, displayName, admin) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)';
-    const args = [ userId, user.username, user.password, user.email, user.fallbackEmail, user.salt, user.createdAt, user.modifiedAt, user.resetToken, user.displayName, user.admin ];
+    const query = 'INSERT INTO users (id, username, password, email, fallbackEmail, salt, createdAt, modifiedAt, resetToken, displayName, admin, source) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)';
+    const args = [ userId, user.username, user.password, user.email, user.fallbackEmail, user.salt, user.createdAt, user.modifiedAt, user.resetToken, user.displayName, user.admin, user.source ];
 
     database.query(query, args, function (error) {
         if (error && error.code === 'ER_DUP_ENTRY' && error.sqlMessage.indexOf('users_email') !== -1) return callback(new DatabaseError(DatabaseError.ALREADY_EXISTS, 'email already exists'));
diff --git a/src/users.js b/src/users.js
index 54b2a950a..4df3c779f 100644
--- a/src/users.js
+++ b/src/users.js
@@ -137,7 +137,7 @@ function validatePassword(password) {
 
 // remove all fields that should never be sent out via REST API
 function removePrivateFields(user) {
-    return _.pick(user, 'id', 'username', 'email', 'fallbackEmail', 'displayName', 'groupIds', 'admin', 'active');
+    return _.pick(user, 'id', 'username', 'email', 'fallbackEmail', 'displayName', 'groupIds', 'admin', 'active', 'source');
 }
 
 // remove all fields that Non-privileged users must not see
@@ -155,6 +155,7 @@ function create(username, password, email, displayName, options, auditSource, ca
 
     const isOwner = !!options.owner;
     const isAdmin = !!options.admin;
+    const source = options.source || '';        // empty is local user
     const invitor = options.invitor || null;
 
     var error;
@@ -197,7 +198,8 @@ function create(username, password, email, displayName, options, auditSource, ca
                 modifiedAt: now,
                 resetToken: '',
                 displayName: displayName,
-                admin: isOwner || isAdmin
+                admin: isOwner || isAdmin,
+                source: source
             };
 
             userdb.add(user.id, user, function (error) {