The PingDirectory Server provides an ldap-diff tool to compare the data on two LDAP servers to determine any differences that they may contain. The differences are identified by first issuing a subtree search on both servers under the base DN using the default search filter (objectclass=*) to retrieve the DNs of all entries in each server. When the tool finds an entry that is on both servers, it retrieves the entry from each server and compares all of its attributes. The tool writes any differences it finds to an LDIF file in a format that could be used to modify the content of the source server, so that it matches the content of the target server. Any non-synchronized entries can be compared again for a configurable number of times with an optional pause between each attempt to account for replication delays.

You can control the specific entries to be compared with the --searchFilter option. In addition, only a subset of attributes can be compared by listing those attributes as trailing arguments of the command. You can also exclude specific attributes by prepending a ^ character to the attribute. (On Windows operating systems, excluded attributes must be quoted, for example, "^attrToExclude".) The @objectClassName notation can be used to compare only attributes that are defined for a given objectclass.

The ldap-diff tool can be used on servers actively being modified by checking differing entries multiple times without reporting false positives due to replication delays. By default, it will re-check each entry twice, pausing two seconds between checks. These settings can be configured with the --numPasses and --secondsBetweenPass options. If the utility cannot make a clean comparison on an entry, it will list any exceptions in comments in the output file.

The Directory Server user specified for performing the searches must be privileged enough to see all of the entries being compared and to issue a long-running, unindexed search. For the Directory Server, the out-of-the-box cn=Directory Manager user has these privileges, but you can assign the necessary privileges by setting the following attributes in the user entry:
ds-cfg-default-root-privilege-name: unindexed-search 
ds-cfg-default-root-privilege-name: bypass-acl 
ds-rlim-size-limit: 0 
ds-rlim-time-limit: 0
ds-rlim-idle-time-limit: 0 
ds-rlim-lookthrough-limit: 0

The ldap-diff tool tries to make efficient use of memory, but it must store the DNs of all entries in memory. For Directory Servers that contain hundreds of millions of entries, the tool might require a few gigabytes of memory. If the progress of the tool slows dramatically, it might be running low on memory. The memory used by the ldap-diff tool can be customized by editing the setting in the config/ file and running the dsjavaproperties command.

If you do not want to use a subtree search filter, you can use an input file of DNs for the source, target, or both. The format of the file can accept various syntaxes for each DN:
dn: cn=this is the first dn 
dn: cn=this is the second dn and it is wrapped cn=this is the third dn 
# The following DN is base-64 encoded dn:: 
# There was a blank line above dn: cn=this is the final entry.
CAUTION: Do not manually update the servers when the tool identifies differences between two servers involved in replication. First contact your authorized support provider for explicit confirmation, because manual updates to the servers risk introducing additional replication conflicts.