ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzahy_5.4.0.1/rzahyldapdiff.htm

212 lines
12 KiB
HTML
Raw Normal View History

2024-04-02 14:02:31 +00:00
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en-US" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="dc.language" scheme="rfc1766" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<meta name="dc.date" scheme="iso8601" content="2005-09-06" />
<meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow"/>
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<title>Directory Server (LDAP) - ldapdiff</title>
<link rel="stylesheet" type="text/css" href="ibmidwb.css" />
<link rel="stylesheet" type="text/css" href="ic.css" />
</head>
<body>
<a id="Top_Of_Page" name="Top_Of_Page"></a><!-- Java sync-link -->
<script language = "Javascript" src = "../rzahg/synch.js" type="text/javascript"></script>
<a name="rzahyldapdiff"></a>
<h3 id="rzahyldapdiff">ldapdiff</h3>
<p>The LDAP replica synchronization tool.</p>
<a name="wq387"></a>
<div class="notetitle" id="wq387">Note:</div>
<div class="notebody">This command could run for a long time
depending on the number of entries (and attributes for those entries) that
are replicated.</div>
<p><span class="bold">Synopsis</span></p>
<p>(Compares and synchronizes data entries between two servers within
a replication environment.)</p>
<pre class="xmp">ldapdiff -b baseDN -sh host -ch host [-a] [-C countnumber]
[-cD dn] [-cK keyStore] [-cw password] -[cN keyLabel]
[-cp port] [-cP keyStorePwd] [-cZ] [-F] [-L filename] [-sD dn] [-sK keyStore]
[-sw password] -[sN keyLabel] [-sp port] [-sP keyStorePwd]
[-sZ] [-v]</pre>
<p>or</p>
<p>(Compares the schema between two servers.)</p>
<pre class="xmp"> ldapdiff -S -sh host -ch host [-a] [-C countnumber][-cD dn]
[-cK keyStore] [-cw password] -[cN keyLabel] [-cp port]
[-cP keyStorePwd] [-cZ] [-L filename] [-sD dn]
[-sK keyStore] [-sw password] [-sN keyLabel] [-sp port]
[-sP keyStorePwd] [-sZ] [-v]</pre>
<p><span class="bold">Description</span></p>
<p>This tool synchronizes a replica server with its master. To display
syntax help for <span class="bold">ldapdiff</span>, type: </p>
<pre class="xmp">ldapdiff -?</pre>
<p><span class="bold">Options</span></p>
<p>The following options apply to the<span class="bold"> ldapdiff</span> command. There are two subgroupings that apply specifically to either
the supplier server or the consumer server.</p>
<dl>
<dt class="bold">-a</dt>
<dd>Specifies to use server administration control for writes to a read-only
replica.
</dd>
<dt class="bold">-b <span class="italic">baseDN</span></dt>
<dd>Use searchbase as the starting point for the search instead
of the default. If <span class="bold">-b</span> is not specified,
this utility examines the LDAP_BASEDN environment variable for a searchbase
definition.
</dd>
<dt class="bold">-C <span class="italic">countnumber</span></dt>
<dd>Counts the number of entries to fix. If more than the specified
number of mismatches are found, the tool exits.
</dd>
<dt class="bold">-F</dt>
<dd>This is the fix option. If specified, content on the consumer
replica is modified to match the content of the supplier server. This cannot
be used if the <span class="bold">-S</span> is also specified.
</dd>
<dt class="bold">-L</dt>
<dd>If the <span class="bold">-F</span> option is not specified, use this option
to generate an LDIF file for output. The LDIF file can be used to update the
consumer to eliminate the differences.
</dd>
<dt class="bold">-S</dt>
<dd>Specifies to compare the schema on both of the servers.
</dd>
<dt class="bold">-v</dt>
<dd>Use verbose mode, with many diagnostics written to standard
output.
</dd>
</dl>
<p><span class="bold">Options for a replication supplier</span></p>
<p>The following options apply to the consumer server and are denoted by an
initial 's' in the option name.</p>
<dl>
<dt class="bold">-sD <span class="italic">dn</span></dt>
<dd>Use <span class="bold-italic">dn</span> to bind to the
LDAP directory. <span class="bold-italic">dn</span> is a string-represented
DN.
</dd>
<dt class="bold">-sh <span class="italic">host</span></dt>
<dd>Specifies the host name.
</dd>
<dt class="bold">-sK <span class="italic">keyStore</span></dt>
<dd>Specify the name of the SSL key database file with default
extension of <span class="bold">kdb</span>. If this parameter is not
specified, or the value is an empty string (-sK"") the system keystore is
used. If the key database file is not in the current directory, specify the
fully-qualified key database filename.
</dd>
<dt class="bold">-sN <span class="italic">keyLabel</span></dt>
<dd>Specify the label associated with the client certificate in
the key database file. If a label is specified without specifying a keystore,
the label is an application identifier in the Digital Certificate Manager
(DCM). The default label (application id) is QIBM_GLD_DIRSRV_CLIENT. If the
LDAP server is configured to perform server authentication only, a client
certificate is not required. If the LDAP server is configured to perform client
and server authentication, a client certificate is required. <span class="bold-italic">keyLabel</span> is not required if a default certificate/private key pair has
been designated. Similarly, <span class="bold-italic">keyLabel</span> is
not required if there is a single certificate/private key pair in the designated
key database file. This parameter is ignored if neither <span class="bold">-sZ</span> nor <span class="bold">-sK</span> is specified.
</dd>
<dt class="bold">-sp <span class="italic">ldapport </span></dt>
<dd>Specify an alternate TCP port where the ldap server is listening.
The default LDAP port is 389. If <span class="bold">-sp</span> is
not specified and <span class="bold">-sZ</span> is specified,
the default LDAP SSL port 636 is used.
</dd>
<dt class="bold">-sP <span class="italic">keyStorePwd</span></dt>
<dd>Specify the key database password. This password is required to access
the encrypted information in the key database file, which can include one
or more private keys. If a password stash file is associated with the key
database file, the password is obtained from the password stash file, and
the <span class="bold">-sP</span> parameter is not required. This
parameter is ignored if neither <span class="bold">-sZ</span> nor <span class="bold">-sK</span> is specified. The password is not used
if there is a stash file for the keystore being used.
</dd>
<dt class="bold">-st <span class="italic">trustStoreType</span></dt>
<dd>Specify the label associated with the client certificate in
the trust database file. If the LDAP server is configured to perform server
authentication only, a client certificate is not required. If the LDAP server
is configured to perform client and server authentication, a client certificate
might be required. <span class="bold-italic">trustStoreType</span> is
not required if a default certificate/private key pair has been designated
as the default. Similarly, <span class="bold-italic">trustStoreType</span> is not required if there is a single certificate/private key pair in
the designated key database file. This parameter is ignored if neither <span class="bold">-sZ</span> nor <span class="bold">-sT</span> is specified.
</dd>
<dt class="bold">-sZ</dt>
<dd>Use a secure SSL connection to communicate with the LDAP server.
</dd>
</dl>
<p><span class="bold">Options for a replication consumer</span></p>
<p>The following options apply to the consumer server and are denoted by an
initial 'c' in the option name. For convenience, if -cZ is specified without
specifying values for -cK, -cN or -cP, these options use the same value specified
for the supplier SSL options. To override the supplier options and use the
defaults setting, specify -cK "" -cN "" -cP "".</p>
<dl>
<dt class="bold">-cD <span class="italic">dn</span></dt>
<dd>Use <span class="bold-italic">dn</span> to bind to the
LDAP directory. <span class="bold-italic">dn</span> is a string-represented
DN.
</dd>
<dt class="bold">-ch <span class="italic">host</span></dt>
<dd>Specifies the host name.
</dd>
<dt class="bold">-cK <span class="italic">keyStore</span></dt>
<dd>Specify the name of the SSL key database file with default
extension of kdb. If the value is an empty string (-sK"") the system keystore
is used. If the key database file is not in the current directory, specify
the fully-qualified key database filename.
</dd>
<dt class="bold">-cN <span class="italic">keyLabel</span></dt>
<dd>Specify the label associated with the client certificate in
the key database file. If the LDAP server is configured to perform server
authentication only, a client certificate is not required. If a label is specified
without specifying a keystore, the label is an application identifier in the
Digital Certificate Manager (DCM). The default label (application id) is QIBM_GLD_DIRSRV_CLIENT.
If the LDAP server is configured to perform client and server authentication,
a client certificate is required. <span class="bold-italic">keyLabel</span> is not required if a default certificate/private key pair has been designated.
Similarly, <span class="bold-italic">keyLabel</span> is not required
if there is a single certificate/private key pair in the designated key database
file. This parameter is ignored if neither <span class="bold">-cZ</span> nor <span class="bold">-cK</span> is specified.
</dd>
<dt class="bold">-cp <span class="italic">ldapport </span></dt>
<dd>Specify an alternate TCP port where the ldap server is listening.
The default LDAP port is 389. If <span class="bold">-cp</span> is
not specified and <span class="bold">-cZ</span> is specified,
the default LDAP SSL port 636 is used.
</dd>
<dt class="bold">-cP <span class="italic">keyStorePwd</span></dt>
<dd>Specify the key database password. This password is required to access the
encrypted information in the key database file, which can include one or more
private keys. If a password stash file is associated with the key database
file, the password is obtained from the password stash file, and the <span class="bold">-cP</span> parameter is not required. This parameter is ignored if neither <span class="bold">-cZ</span> nor <span class="bold">-cK</span> is specified.
</dd>
<dt class="bold">-cw <span class="italic">password</span> | ?</dt>
<dd>Use <span class="bold-italic">password</span> as the
password for authentication. Use the ? to generate a password prompt.
</dd>
<dt class="bold">-cZ</dt>
<dd>Use a secure SSL connection to communicate with the LDAP server.
</dd>
</dl>
<p><span class="bold">Examples</span></p>
<p> </p>
<pre class="xmp">ldapdiff -b &lt;<span class="italic">baseDN</span>> -sh &lt;<span class="italic">supplierhostname</span>> -ch &lt;<span class="italic">consumerhostname</span>> [<span class="italic">options</span>]</pre><p class="indatacontent"> or </p>
<pre class="xmp">ldapdiff -S -sh &lt;<span class="italic">supplierhostname</span>> -ch &lt;<span class="italic">consumerhostname</span>> [<span class="italic">options</span>]</pre>
<p><span class="bold">Diagnostics</span></p>
<p>Exit status is 0 if no errors occur. Errors result in a non-zero
exit status and a diagnostic message being written to standard error.</p>
<a id="Bot_Of_Page" name="Bot_Of_Page"></a>
</body>
</html>