PingDirectory

Comparing two PingDirectory servers using ldap-diff

Steps

  1. Use ldap-diff to compare the entries in two PingDirectory server instances.

    Ignore the userpassword attribute, because the password storage scheme stores a one-way hash of the password rather than a value that can be compared between the two servers.

    Example:

    $ bin/ldap-diff --outputLDIF difference.ldif \
      --sourceHost server1.example.com --sourcePort 1389 \
      --sourceBindDN "cn=Directory Manager" --sourceBindPassword secret1 \
      --targetHost server2.example.com --targetPort 2389 \
      --targetBindDN "cn=Directory Manager" --targetBindPassword secret2 \
      --baseDN dc=example,dc=com --searchFilter "(objectclass=*)" "^userpassword"
  2. Open the output file in a text editor to view any differences.

    The file is set up so that you can re-apply the changes without any modification to the file contents. The file shows any deletes, modifies, and adds from the perspective of the source server as the authoritative source.

    Example:

    # This file contains the differences between two LDAP servers.
    #
    # The format of this file is the LDIF changes needed to bring server
    # ldap://server1.example.com:1389 in sync with server
    # ldap://server2.example.com:2389.
    #
    # These differences were computed by first issuing an LDAP search at both
    # servers under base DN dc=example,dc=com using search filter (objectclass=*)
    # and search scope SUB to first retrieve the DNs of all entries. And then each
    # entry was retrieved from each server and attributes: [^userpassword] were
    # compared.
    #
    # Any entries that were out-of-sync were compared a total of 3 times
    # waiting a minimum of 2 seconds between each attempt to account for replication
    # delays.
    #
    # Comparison started at [24/Feb/2010:10:34:20 -0600]
    # The following entries were present only on ldap://server2.example.com:2389 and
    # need to be deleted.
    # This entry existed only on ldap://server1.example.com:1389
    # Note: this entry might be incomplete. It only includes attributes:
    # [^userpassword]
    # dn: uid=user.200,ou=People,dc=example,dc=com
    # objectClass: person
    # objectClass: inetOrgPerson
    ... (more attributes not shown) ...
    # st: DC
    dn: uid=user.200,ou=people,dc=example,dc=com
    changetype: delete
    
    # The following entries were present on both servers but were out of sync.
    
    dn: uid=user.199,ou=people,dc=example,dc=com
    changetype: modify
    add: mobile
    mobile: +1 300 848 9999
    -
    delete: mobile
    mobile: +1 009 471 1808
    
    # The following entries were missing on ldap://server2.example.com:2389 and need
    # to be added.
    # This entry existed only on ldap://server2.example.com:2389
    # Note: this entry might be incomplete. It only includes attributes:
    
    # [^userpassword]
    dn: uid=user.13,ou=People,dc=example,dc=com
    changetype: add
    objectClass: person
    objectClass: inetOrgPerson
    ... (more attributes not shown) ...
    # Comparison completed at [24/Feb/2010:10:34:25 -0600]
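    Before re-applying difference.ldif, it is worth knowing how many deletes, modifies, and adds it contains and which attributes they touch. The following Python script is an added example (not PingDirectory code or part of this guide) that parses the change records in ldap-diff output, skipping the comment lines and folding LDIF continuation lines, and lists the entries whose change touches attributes you choose to watch; the sample diff text and the function names are constructed for illustration.

```python
import re
# Constructed sample in the layout ldap-diff writes; not output from a real server.
SAMPLE_DIFF = """\
# The following entries were present only on ldap://server2.example.com:2389 and need to be deleted.
dn: uid=user.200,ou=people,dc=example,dc=com
changetype: delete

dn: uid=user.199,ou=people,dc=example,dc=com
changetype: modify
add: mobile
mobile: +1 300 848 9999
-
delete: mobile
mobile: +1 009 471 1808

dn: uid=user.13,ou=People,dc=example,dc=com
changetype: add
objectClass: person
objectClass: inetOrgPerson
# Comparison completed at [24/Feb/2010:10:34:25 -0600]
"""

def parse_ldap_diff(text):
    """Return one (dn, changetype, attribute-name set) tuple per change record."""
    records = []
    for block in re.split(r"\n[ \t]*\n", text):      # records are blank-line separated
        lines = []
        for raw in block.splitlines():
            if raw.startswith(" ") and lines:
                lines[-1] += raw[1:]                 # fold an LDIF continuation line
            elif raw and not raw.startswith("#"):    # skip ldap-diff's comment lines
                lines.append(raw)
        if len(lines) < 2 or not lines[0].lower().startswith("dn:"):
            continue
        dn = lines[0][3:].strip()
        changetype = lines[1].partition(":")[2].strip().lower()
        attrs = set()
        for line in lines[2:]:
            name, _, value = line.partition(":")
            if changetype == "modify" and name in ("add", "delete", "replace"):
                attrs.add(value.strip().lower())     # attribute named by the mod op
            elif changetype == "add":
                attrs.add(name.strip().lower())      # attribute present in the new entry
        records.append((dn, changetype, attrs))
    return records

def records_touching(records, watch):
    """DNs whose change touches an attribute in watch (case-insensitive), to review before re-applying."""
    watch = {w.lower() for w in watch}
    return [dn for dn, _, attrs in records if attrs & watch]
```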