The ldap-diff Command-Line Tool

Compare the contents of two LDAP servers.

This tool identifies the differences between data stored in two LDAPv3 servers and records the output in an LDIF file with the changes that may be applied (using a tool like ldapmodify or parallel-update) to the source server to bring its contents in sync with the target server. By default, all entries beneath the specified base DN will be compared, but you can use the --searchFilter argument to restrict the comparison to a specified set of entries. Also by default, all user attributes in each entry will be compared, and operational attributes will be ignored, but you can use trailing arguments to specify the set of attributes to request when retrieving entries.

This tool can be used on servers that are actively being updated by clients. It will attempt to avoid reporting false positives that result from replication delays by checking differing entries multiple times (as configured by the --numPasses and --secondsBetweenPasses arguments). The output is formatted so that deletes are included first, followed by modifies, and finally adds. Deletes will be listed in reverse order so that children will be removed before parents, and processing modifies before adds should help avoid problems resulting from uniqueness conflicts.
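A pre-apply check for the ordering described above, as an added example that is not part of ldap-diff or its documentation: it parses an LDIF change file and reports records that break the delete/modify/add order or that delete a parent before its child. The sample LDIF is constructed, and the function names and the simplified DN comparison (no escaped commas in RDN values) are assumptions.

```python
import base64
import re

# Constructed sample in the order the page describes (not real tool output).
SAMPLE_LDIF = """\
dn: uid=old,ou=Temp,dc=example,dc=com
changetype: delete

dn: ou=Temp,dc=example,dc=com
changetype: delete

dn: uid=jdoe,ou=People,dc=example,dc=com
changetype: modify
replace: mail
mail: jdoe@example.com
-

dn: ou=New,dc=example,dc=com
changetype: add
objectClass: organizationalUnit
ou: New
"""
PHASE = {"delete": 0, "modify": 1, "add": 2}  # order stated on the page

def parse_changes(ldif_text):
    """Return [(dn, changetype)] for every record that has a DN."""
    text = re.sub(r"\r?\n ", "", ldif_text)  # unfold wrapped LDIF lines
    changes = []
    for record in re.split(r"\n\s*\n", text.strip()):
        m = re.search(r"^dn:(:?) *(.*)$", record, re.M)
        c = re.search(r"^changetype: *(\S+)", record, re.M)
        if m:  # "dn::" marks a base64-encoded DN
            dn = base64.b64decode(m[2]).decode() if m[1] else m[2].strip()
            changes.append((dn, c[1].lower() if c else None))
    return changes

def check_order(changes):
    """Return a list of problems; an empty list means the order is as described."""
    problems, last, deleted = [], 0, []
    for dn, ctype in changes:
        phase = PHASE.get(ctype)
        if phase is None or phase < last:
            problems.append(f"{ctype} record for {dn} is unexpected or out of order")
        last = max(last, phase or 0)
        # Simplified DN normalization (assumption): no escaped commas.
        n = ",".join(p.strip().lower() for p in dn.split(","))
        if ctype == "delete":
            if any(n.endswith("," + p) for p in deleted):
                problems.append(f"{dn} is deleted after its parent")
            deleted.append(n)
    return problems
```

Running `check_order(parse_changes(...))` on the output file before handing it to ldapmodify or parallel-update gives a quick confirmation that the file has the expected shape.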

This tool tries to make efficient use of memory, but it must store compact representations of all entries in memory. For directories with a very large number of entries, this might require a substantial amount of memory. If processing progress slows dramatically, or if the tool reports an out-of-memory error, then you may need to increase the amount of memory available to the JVM when running the tool.

The accounts used for performing the searches must be sufficiently privileged to retrieve all the appropriate entries from each server, and all appropriate attributes from those entries.

Usage

ldap-diff {arguments} {attributes}

Source Connection and Authentication Arguments

Target Connection and Authentication Arguments

Processing Arguments

Additional Arguments

Dependent Argument Sets

Exclusive Argument Sets

Examples

    ldap-diff --sourceHostname source.example.com --sourcePort 636 \
         --sourceUseSSL --sourceBindDN "cn=Directory Manager" \
         --sourceBindPasswordFile /path/to/password.txt \
         --targetHostname target.example.com --targetPort 636 --targetUseSSL \
         --targetBindDN "cn=Directory Manager" \
         --targetBindPasswordFile /path/to/password.txt \
         --baseDN dc=example,dc=com --outputLDIF diff.ldif