The PingDirectory Server provides an ldap-diff tool that compares the data on two LDAP servers and reports any differences between them. The differences are identified by first issuing a subtree search on both servers under the base DN using the default search filter (objectclass=*) to retrieve the DNs of all entries in each server. When the tool finds an entry that is on both servers, it retrieves the entry from each server and compares all of its attributes. The tool writes any differences it finds to an LDIF file in a format that could be used to modify the content of the source server, so that it matches the content of the target server. Any non-synchronized entries can be compared again a configurable number of times, with an optional pause between each attempt, to account for replication delays.
You can control the specific entries to be compared with the --searchFilter option. In addition, only a subset of attributes can be compared by listing those attributes as trailing arguments of the command. You can also exclude specific attributes by prepending a ^ character to the attribute. (On Windows operating systems, excluded attributes must be quoted, for example, "^attrToExclude".) The @objectClassName notation can be used to compare only attributes that are defined for a given objectclass.
The ldap-diff tool can be used on servers actively being modified by checking differing entries multiple times without reporting false positives due to replication delays. By default, it will re-check each entry twice, pausing two seconds between checks. These settings can be configured with the --numPasses and --secondsBetweenPass options. If the utility cannot make a clean comparison on an entry, it will list any exceptions in comments in the output file.
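An added Python example (not PingDirectory's own code) of the comparison described above: it applies the trailing-argument include and ^ exclude rules, builds LDIF change records that would make the source match the target, and re-checks only the entries that still differ. The function names, the in-memory sample entries and the exact-string value comparison are assumptions; the @objectClassName notation is left out because it needs schema data.

```python
import time

def select_attrs(entry, args):
    """Trailing arguments: bare names restrict the comparison, ^name excludes."""
    include = {a.lower() for a in args if not a.startswith("^")}
    exclude = {a[1:].lower() for a in args if a.startswith("^")}
    return {k.lower(): set(v) for k, v in entry.items()
            if (not include or k.lower() in include) and k.lower() not in exclude}

def diff_entry(dn, source, target, args=()):
    """LDIF change record that makes source match target; [] when they agree."""
    if target is None:
        return [] if source is None else [f"dn: {dn}", "changetype: delete"]
    if source is None:
        return [f"dn: {dn}", "changetype: add"] + [
            f"{a}: {v}" for a in sorted(target) for v in sorted(target[a])]
    s, t = select_attrs(source, args), select_attrs(target, args)
    mods = []
    for attr in sorted(set(s) | set(t)):
        have, want = s.get(attr, set()), t.get(attr, set())
        for op, vals in (("add", want - have), ("delete", have - want)):
            if vals:  # values compared as exact strings (assumption; no matching rules)
                mods += [f"{op}: {attr}"] + [f"{attr}: {v}" for v in sorted(vals)] + ["-"]
    return [f"dn: {dn}", "changetype: modify"] + mods if mods else []

def compare(fetch_source, fetch_target, dns, args=(), rechecks=2, pause_seconds=2):
    """Diff every DN, then re-fetch only the entries that still differ."""
    pending, diffs = list(dns), {}
    for attempt in range(rechecks + 1):
        if attempt and pending:
            time.sleep(pause_seconds)  # give replication time to catch up
        diffs = {dn: rec for dn in pending
                 if (rec := diff_entry(dn, fetch_source(dn), fetch_target(dn), args))}
        pending = list(diffs)
    return diffs

# Constructed sample data: the source replica lags on jdoe's mail for one fetch.
ADMIN, JDOE = "uid=admin,dc=example,dc=com", "uid=jdoe,dc=example,dc=com"
TARGET = {ADMIN: {"uid": ["admin"], "ds-privilege-name": ["bypass-acl"], "modifyTimestamp": ["2"]},
          JDOE: {"uid": ["jdoe"], "mail": ["jdoe@example.com"], "modifyTimestamp": ["5"]}}

def demo():
    stale = {JDOE: {"uid": ["jdoe"], "mail": ["old@example.com"], "modifyTimestamp": ["4"]}}
    fresh = {ADMIN: {"uid": ["admin"], "modifyTimestamp": ["1"]}, JDOE: TARGET[JDOE]}
    def fetch_source(dn):  # first fetch of jdoe returns the stale copy
        return stale.pop(dn, None) or fresh.get(dn)
    return compare(fetch_source, TARGET.get, [ADMIN, JDOE], ["^modifyTimestamp"], pause_seconds=0)

if __name__ == "__main__":
    print("\n".join(line for rec in demo().values() for line in rec))
```

In the constructed data the jdoe difference disappears on the first re-check, so the only record left is the privilege drift on the admin entry.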
ds-cfg-default-root-privilege-name: unindexed-search
ds-cfg-default-root-privilege-name: bypass-acl
ds-rlim-size-limit: 0
ds-rlim-time-limit: 0
ds-rlim-idle-time-limit: 0
ds-rlim-lookthrough-limit: 0
The ldap-diff tool tries to make efficient use of memory, but it must store the DNs of all entries in memory. For Directory Servers that contain hundreds of millions of entries, the tool might require a few gigabytes of memory. If the progress of the tool slows dramatically, it might be running low on memory. The memory used by the ldap-diff tool can be customized by editing the ldap-diff.java-args setting in the config/java.properties file and running the dsjavaproperties command.
dn: cn=this is the first dn
dn: cn=this is the second dn and it is wrapped
cn=this is the third dn
# The following DN is base-64 encoded
dn:: Y249ZG9uJ3QgeW91IGhhdmUgYmV0dGVyIHRoaW5ncyB0byBkbyB0aGFuIHNlZSB3aGF0IHRoaXMgc2F5cw==

# There was a blank line above
dn: cn=this is the final entry.