ldapdiff

 

The LDAP replica synchronization command line utility.

This command could run for a long time depending on the number of entries (and attributes for those entries) that are replicated.

 

Synopsis

(Compares and synchronizes data entries between two servers within a replication environment.)

ldapdiff -b baseDN -sh host -ch host [-a] [-C countnumber]
 [-cD dn] [-cK keyStore] [-cw password] [-cN keyLabel]
 [-cp port] [-cP keyStorePwd] [-cZ] [-F] [-L filename] [-sD dn] [-sK keyStore]
 [-sw password] [-sN keyLabel] [-sp port] [-sP keyStorePwd]
 [-sZ] [-v]

or

(Compares the schema between two servers.)

 ldapdiff -S -sh host -ch host [-a] [-C countnumber] [-cD dn]
 [-cK keyStore] [-cw password] [-cN keyLabel] [-cp port]
 [-cP keyStorePwd] [-cZ] [-L filename] [-sD dn]
 [-sK keyStore] [-sw password] [-sN keyLabel] [-sp port]
 [-sP keyStorePwd] [-sZ] [-v]

 

Description

This tool compares a replica (consumer) server with its supplier and, when asked to, synchronizes the consumer so that it matches the supplier. To display syntax help for ldapdiff, type:

ldapdiff -?

 

Options

The following options apply to the ldapdiff command. There are two subgroupings that apply specifically to either the supplier server or the consumer server.

-a

Send the server administration control with writes to the consumer. Use this with -F when the consumer is a read-only replica, which does not otherwise accept client writes.

-b baseDN

Use baseDN as the starting point for the search instead of the default. If -b is not specified, this utility examines the LDAP_BASEDN environment variable for a search base definition.

-C countnumber

Limit the number of mismatched entries that the tool will fix. If more than countnumber mismatches are found, the tool exits without processing the remainder.

-F

This is the fix option. If specified, content on the consumer replica is modified to match the content of the supplier server; the changes are written to the consumer directly rather than to an LDIF file. This option cannot be used if -S is also specified.

-L filename

If the -F option is not specified, use this option to write the differences to filename as an LDIF file. The LDIF file can be used to update the consumer to eliminate the differences, and reviewing it before running with -F shows exactly what the fix would change.

-S

Specifies to compare the schema on both of the servers.

-v

Use verbose mode, with many diagnostics written to standard output.

 

Options for a replication supplier

The following options apply to the supplier server and are denoted by an initial 's' in the option name.

-sD dn

Use dn to bind to the LDAP directory. dn is a string-represented DN.

-sh host

Specifies the host name.

-sK keyStore

Specify the name of the SSL key database file with default extension of kdb. If this parameter is not specified, or the value is an empty string (-sK"") the system keystore is used. If the key database file is not in the current directory, specify the fully-qualified key database filename.

-sN keyLabel

Specify the label associated with the client certificate in the key database file. If a label is specified without specifying a keystore, the label is an application identifier in the Digital Certificate Manager (DCM). The default label (application id) is QIBM_GLD_DIRSRV_CLIENT. If the LDAP server is configured to perform server authentication only, a client certificate is not required. If the LDAP server is configured to perform client and server authentication, a client certificate is required. keyLabel is not required if a default certificate/private key pair has been designated. Similarly, keyLabel is not required if there is a single certificate/private key pair in the designated key database file. This parameter is ignored if neither -sZ nor -sK is specified.

-sp ldapport

Specify an alternate TCP port where the ldap server is listening. The default LDAP port is 389. If -sp is not specified and -sZ is specified, the default LDAP SSL port 636 is used.

-sP keyStorePwd

Specify the key database password. This password is required to access the encrypted information in the key database file, which can include one or more private keys. If a password stash file is associated with the key database file, the password is obtained from the stash file and the -sP parameter is not required (a value given with -sP is not used in that case). Because command line arguments can be seen by other users on the system, prefer a stash file over passing the password with -sP. This parameter is ignored if neither -sZ nor -sK is specified.

-st trustStoreType

Specify the label associated with the client certificate in the trust database file. If the LDAP server is configured to perform server authentication only, a client certificate is not required. If the LDAP server is configured to perform client and server authentication, a client certificate might be required. trustStoreType is not required if a default certificate/private key pair has been designated. Similarly, trustStoreType is not required if there is a single certificate/private key pair in the designated key database file. This parameter is ignored if neither -sZ nor -sT is specified.

-sw password | ?

Use password as the password for authenticating to the supplier. Use ? to generate a password prompt instead of placing the password on the command line.

-sZ

Use a secure SSL connection to communicate with the supplier LDAP server.

 

Options for a replication consumer

The following options apply to the consumer server and are denoted by an initial 'c' in the option name. For convenience, if -cZ is specified without values for -cK, -cN or -cP, these options take the values given for the corresponding supplier SSL options. To override the supplier values and use the default settings instead, specify -cK "" -cN "" -cP "".

-cD dn

Use dn to bind to the LDAP directory. dn is a string-represented DN.

-ch host

Specifies the host name.

-cK keyStore

Specify the name of the SSL key database file with default extension of kdb. If -cZ is specified and this parameter is omitted, the value given for -sK is used. If the value is an empty string (-cK "") the system keystore is used. If the key database file is not in the current directory, specify the fully-qualified key database filename.

-cN keyLabel

Specify the label associated with the client certificate in the key database file. If a label is specified without specifying a keystore, the label is an application identifier in the Digital Certificate Manager (DCM). The default label (application id) is QIBM_GLD_DIRSRV_CLIENT. If the LDAP server is configured to perform server authentication only, a client certificate is not required. If the LDAP server is configured to perform client and server authentication, a client certificate is required. keyLabel is not required if a default certificate/private key pair has been designated. Similarly, keyLabel is not required if there is a single certificate/private key pair in the designated key database file. This parameter is ignored if neither -cZ nor -cK is specified.

-cp ldapport

Specify an alternate TCP port where the ldap server is listening. The default LDAP port is 389. If -cp is not specified and -cZ is specified, the default LDAP SSL port 636 is used.

-cP keyStorePwd

Specify the key database password. This password is required to access the encrypted information in the key database file, which can include one or more private keys. If a password stash file is associated with the key database file, the password is obtained from the password stash file, and the -cP parameter is not required. This parameter is ignored if neither -cZ nor -cK is specified.

-cw password | ?

Use password as the password for authenticating to the consumer. Use ? to generate a password prompt; prompting keeps the password out of the command line, where it would be visible to other users on the system.

-cZ

Use a secure SSL connection to communicate with the LDAP server.

 

Examples

ldapdiff -b <baseDN> -sh <supplierhostname> -ch <consumerhostname> [options]

or

ldapdiff -S  -sh <supplierhostname> -ch <consumerhostname> [options]
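The following script is an added example and is not part of this page or of IBM's ldapdiff documentation. It drives the two-phase run an operator would normally use with the options above: first report the differences to an LDIF file with -L, then apply them with -F only if the number of differing entries is within a limit, sending -a so the read-only consumer accepts the writes and -C so a runaway fix stops early. It also uses the supplier and consumer SSL options from the sections above. The host names, DNs, key database path and MAX_FIX threshold are placeholders for this example; the use of ? with -sw to prompt for the supplier password is assumed by analogy with the documented -cw form.

```shell
#!/bin/sh
# Added example (not from the IBM page): two-phase replica check with ldapdiff.
# Phase 1 writes the differences to an LDIF file (-L) without touching the
# consumer; phase 2 applies them (-F) only when the count is within MAX_FIX.
# All host names, DNs, the key database path and the limit are placeholders.

SUPPLIER_HOST="${SUPPLIER_HOST:-supplier.example.com}"   # placeholder
CONSUMER_HOST="${CONSUMER_HOST:-consumer.example.com}"   # placeholder
BASE_DN="${BASE_DN:-o=example}"                          # placeholder
BIND_DN="${BIND_DN:-cn=administrator}"                   # placeholder
KEYDB="${KEYDB:-/home/ldapadmin/client.kdb}"             # assumed path; "" = system keystore
MAX_FIX="${MAX_FIX:-50}"                                 # refuse to auto-fix more than this
LDAPDIFF="${LDAPDIFF:-ldapdiff}"                         # command to run (override for testing)

# run_ldapdiff MODE [LDIF_FILE]
#   report  compare entries under BASE_DN and write the differences to LDIF_FILE (-L)
#   fix     modify the consumer to match the supplier (-F), capped by -C;
#           -a adds the server administration control so the read-only
#           replica accepts the writes
#   schema  compare schema only (-S); -S cannot be combined with -F, so this
#           mode never passes -F
# Both bind passwords are given as "?" so the tool prompts for them instead of
# exposing them in the process list ("?" is documented for -cw; the same form
# for -sw is assumed). Both connections use SSL; the consumer inherits -sK
# from the supplier settings because -cZ is given without -cK.
run_ldapdiff() {
    mode=$1
    ldif=${2:-}
    case $mode in
        report)
            [ -n "$ldif" ] || { echo "run_ldapdiff: report needs an LDIF file" >&2; return 2; }
            set -- -b "$BASE_DN" -L "$ldif" ;;
        fix)    set -- -b "$BASE_DN" -F -a -C "$MAX_FIX" ;;
        schema) set -- -S ;;
        *)      echo "run_ldapdiff: unknown mode '$mode'" >&2; return 2 ;;
    esac
    "$LDAPDIFF" "$@" \
        -sh "$SUPPLIER_HOST" -sD "$BIND_DN" -sw '?' -sZ -sK "$KEYDB" \
        -ch "$CONSUMER_HOST" -cD "$BIND_DN" -cw '?' -cZ
}

# check_and_fix LDIF_FILE
# Exit status: 0 if the replica is in sync or was fixed, 1 if differences were
# found but not applied (more than MAX_FIX), 2 if ldapdiff itself failed.
check_and_fix() {
    ldif=$1
    run_ldapdiff report "$ldif" || return 2
    # Each change record in the LDIF output starts with a "dn:" line.
    n=0
    if [ -s "$ldif" ]; then
        n=$(grep -c '^dn:' "$ldif" || true)
    fi
    if [ "$n" -eq 0 ]; then
        echo "replica $CONSUMER_HOST is in sync with $SUPPLIER_HOST"
        return 0
    fi
    echo "$n entries differ; review $ldif before trusting the fix"
    if [ "$n" -gt "$MAX_FIX" ]; then
        echo "more than $MAX_FIX differences, refusing automatic fix" >&2
        return 1
    fi
    run_ldapdiff fix || return 2
}
```

Run it as `check_and_fix /tmp/replica-diff.ldif` after exporting the real host names and DNs. Keep the LDIF from phase 1: it records what the fix was expected to change on the consumer, which is the evidence you want if the divergence turns out to be unauthorized modification rather than a replication lag.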

 

Diagnostics

Exit status is 0 if no errors occur. Errors result in a non-zero exit status and a diagnostic message being written to standard error.
