The PingDirectory Server provides an ldap-diff tool to compare the data on two LDAP servers and determine any differences between them. The differences are identified by first issuing a subtree search on both servers under the base DN using the default search filter (objectclass=*) to retrieve the DNs of all entries in each server. When the tool finds an entry that is on both servers, it retrieves the entry from each server and compares all of its attributes. The tool writes any differences it finds to an LDIF file in a format that could be used to modify the content of the source server, so that it matches the content of the target server. Any non-synchronized entries can be compared again a configurable number of times, with an optional pause between each attempt, to account for replication delays.
You can control the specific entries to be compared with the --searchFilter option. In addition, only a subset of attributes can be compared by listing those attributes as trailing arguments of the command. You can also exclude specific attributes by prepending a ^ character to the attribute. (On Windows operating systems, excluded attributes must be quoted, for example, "^attrToExclude".) The @objectClassName notation can be used to compare only attributes that are defined for a given objectclass.
The ldap-diff tool can be used on servers actively being modified by checking differing entries multiple times without reporting false positives due to replication delays. By default, it will re-check each entry twice, pausing two seconds between checks. These settings can be configured with the --numPasses and --secondsBetweenPass options. If the utility cannot make a clean comparison on an entry, it will list any exceptions in comments in the output file.
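The following Python sketch is an added illustration, not PingDirectory code and not how ldap-diff is implemented. It mirrors the comparison described above on constructed in-memory entries: it emits LDIF change records that would make the source match the target, and it honours trailing-argument attribute selectors, including the ^ exclusion prefix. The @objectClassName notation and the re-check passes are not modelled, and applying selectors only to entries present on both servers is an assumption.

```python
# Added illustration, not ldap-diff's own code. Entries are modelled as
# {dn: {attribute: set_of_values}}; all sample data below is constructed.
BASE = "ou=People,dc=example,dc=com"
SOURCE = {
    f"uid=alice,{BASE}": {"cn": {"Alice"}, "mail": {"alice@example.com"},
                          "description": {"old"}},
    f"uid=bob,{BASE}": {"cn": {"Bob"}},
}
TARGET = {
    f"uid=alice,{BASE}": {"cn": {"Alice"}, "mail": {"alice@corp.example.com"},
                          "description": {"new"}},
    f"uid=carol,{BASE}": {"cn": {"Carol"}},
}

def wanted(attr, selectors):
    """Trailing-argument selectors: 'attr' includes, '^attr' excludes."""
    excluded = {s[1:].lower() for s in selectors if s.startswith("^")}
    included = {s.lower() for s in selectors if not s.startswith("^")}
    attr = attr.lower()
    return attr not in excluded and (not included or attr in included)

def diff_to_ldif(source, target, selectors=()):
    """Return LDIF change records that would make `source` match `target`."""
    records = []
    for dn in sorted(set(source) | set(target)):
        src, tgt = source.get(dn), target.get(dn)
        if src is None:    # entry exists only on the target: add it
            body = ["changetype: add"]
            body += [f"{a}: {v}" for a in sorted(tgt) for v in sorted(tgt[a])]
        elif tgt is None:  # entry exists only on the source: delete it
            body = ["changetype: delete"]
        else:              # on both servers: compare the selected attributes
            body = ["changetype: modify"]
            for attr in sorted(set(src) | set(tgt)):
                if not wanted(attr, selectors):
                    continue
                old, new = src.get(attr, set()), tgt.get(attr, set())
                for op, vals in (("delete", old - new), ("add", new - old)):
                    if vals:
                        body.append(f"{op}: {attr}")
                        body += [f"{attr}: {v}" for v in sorted(vals)] + ["-"]
            if len(body) == 1:  # no differences in the compared attributes
                continue
        records.append("\n".join([f"dn: {dn}"] + body))
    return "\n\n".join(records)

if __name__ == "__main__":
    print(diff_to_ldif(SOURCE, TARGET, ["^description"]))
```

Reviewing the generated records before applying them matters: a delete record for an entry that is merely waiting on replication would remove valid data, which is why the tool re-checks differing entries before reporting them.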
ds-cfg-default-root-privilege-name: unindexed-search
ds-cfg-default-root-privilege-name: bypass-acl
ds-rlim-size-limit: 0
ds-rlim-time-limit: 0
ds-rlim-idle-time-limit: 0
ds-rlim-lookthrough-limit: 0
The ldap-diff tool tries to make efficient use of memory, but it must store the DNs of all entries in memory. For Directory Servers that contain hundreds of millions of entries, the tool might require a few gigabytes of memory. If the progress of the tool slows dramatically, it might be running low on memory. The memory used by the ldap-diff tool can be customized by editing the ldap-diff.java-args setting in the config/java.properties file and running the dsjavaproperties command.
dn: cn=this is the first dn
dn: cn=this is the second dn and it
  is wrapped
cn=this is the third dn
# The following DN is base-64 encoded
dn:: Y249ZG9uJ3QgeW91IGhhdmUgYmV0dGVyIHRoaW5ncyB0byBkbyB0aGFuIHNlZSB3aGF0IHRoaXMgc2F5cw==

# There was a blank line above
dn: cn=this is the final entry.