ldapdiff
The LDAP replica synchronization tool.
Note:
This command can run for a long time, depending on the number of entries
(and the number of attributes in those entries) that are replicated.
Synopsis
(Compares and synchronizes data entries between two servers within
a replication environment.)
ldapdiff -b baseDN -sh host -ch host [-a] [-C countnumber]
[-cD dn] [-cK keyStore] [-cw password] [-cN keyLabel]
[-cp port] [-cP keyStorePwd] [-cZ] [-F] [-L filename] [-sD dn] [-sK keyStore]
[-sw password] [-sN keyLabel] [-sp port] [-sP keyStorePwd]
[-sZ] [-v]
or
(Compares the schema between two servers.)
ldapdiff -S -sh host -ch host [-a] [-C countnumber] [-cD dn]
[-cK keyStore] [-cw password] [-cN keyLabel] [-cp port]
[-cP keyStorePwd] [-cZ] [-L filename] [-sD dn]
[-sK keyStore] [-sw password] [-sN keyLabel] [-sp port]
[-sP keyStorePwd] [-sZ] [-v]
Description
This tool synchronizes a replica server with its master. To display
syntax help for ldapdiff, type:
ldapdiff -?
Options
The following options apply to the ldapdiff command. Two further subgroupings apply
specifically to the supplier server or to the consumer server.
- -a
- Use the server administration control for writes to a read-only
replica.
- -b baseDN
- Use baseDN as the starting point for the search instead
of the default. If -b is not specified,
this utility examines the LDAP_BASEDN environment variable for a search base
definition.
- -C countnumber
- Limits the number of mismatched entries to fix. If more than countnumber
mismatches are found, the tool exits.
- -F
- The fix option. If specified, content on the consumer
replica is modified to match the content of the supplier server. This option cannot
be used if -S is also specified.
- -L filename
- If the -F option is not specified, use this option
to write the differences to an LDIF file. The LDIF file can then be used to update the
consumer and eliminate the differences.
- -S
- Compare the schema on both servers instead of the data entries.
- -v
- Use verbose mode, with many diagnostics written to standard
output.
Options for a replication supplier
The following options apply to the supplier server and are denoted by an
initial 's' in the option name.
- -sD dn
- Use dn to bind to the
LDAP directory. dn is a string-represented
DN.
- -sh host
- Specifies the host name.
- -sK keyStore
- Specify the name of the SSL key database file, with a default
extension of kdb. If this parameter is not
specified, or the value is an empty string (-sK ""), the system keystore is
used. If the key database file is not in the current directory, specify the
fully qualified key database file name.
- -sN keyLabel
- Specify the label associated with the client certificate in
the key database file. If a label is specified without specifying a keystore,
the label is an application identifier in the Digital Certificate Manager
(DCM). The default label (application id) is QIBM_GLD_DIRSRV_CLIENT. If the
LDAP server is configured to perform server authentication only, a client
certificate is not required. If the LDAP server is configured to perform client
and server authentication, a client certificate is required. keyLabel is not required if a default certificate/private key pair has
been designated. Similarly, keyLabel is
not required if there is a single certificate/private key pair in the designated
key database file. This parameter is ignored if neither -sZ nor -sK is specified.
- -sp ldapport
- Specify an alternate TCP port where the ldap server is listening.
The default LDAP port is 389. If -sp is
not specified and -sZ is specified,
the default LDAP SSL port 636 is used.
- -sP keyStorePwd
- Specify the key database password. This password is required to access
the encrypted information in the key database file, which can include one
or more private keys. If a password stash file is associated with the key
database file, the password is obtained from the password stash file, and
the -sP parameter is not required. This
parameter is ignored if neither -sZ nor -sK is specified. The password is not used
if there is a stash file for the keystore being used.
- -st trustStoreType
- Specify the label associated with the client certificate in
the trust database file. If the LDAP server is configured to perform server
authentication only, a client certificate is not required. If the LDAP server
is configured to perform client and server authentication, a client certificate
might be required. trustStoreType is
not required if a default certificate/private key pair has been designated.
Similarly, trustStoreType is not required if there is a single certificate/private key pair in
the designated key database file. This parameter is ignored if neither -sZ nor -sT is specified.
- -sZ
- Use a secure SSL connection to communicate with the LDAP server.
Options for a replication consumer
The following options apply to the consumer server and are denoted by an
initial 'c' in the option name. For convenience, if -cZ is specified without
values for -cK, -cN or -cP, these options take the same values specified
for the supplier SSL options. To override the supplier values and use the
default settings instead, specify -cK "" -cN "" -cP "".
- -cD dn
- Use dn to bind to the
LDAP directory. dn is a string-represented
DN.
- -ch host
- Specifies the host name.
- -cK keyStore
- Specify the name of the SSL key database file, with a default
extension of kdb. If the value is an empty string (-cK ""), the system keystore
is used. If the key database file is not in the current directory, specify
the fully qualified key database file name.
- -cN keyLabel
- Specify the label associated with the client certificate in
the key database file. If the LDAP server is configured to perform server
authentication only, a client certificate is not required. If a label is specified
without specifying a keystore, the label is an application identifier in the
Digital Certificate Manager (DCM). The default label (application id) is QIBM_GLD_DIRSRV_CLIENT.
If the LDAP server is configured to perform client and server authentication,
a client certificate is required. keyLabel is not required if a default certificate/private key pair has been designated.
Similarly, keyLabel is not required
if there is a single certificate/private key pair in the designated key database
file. This parameter is ignored if neither -cZ nor -cK is specified.
- -cp ldapport
- Specify an alternate TCP port where the ldap server is listening.
The default LDAP port is 389. If -cp is
not specified and -cZ is specified,
the default LDAP SSL port 636 is used.
- -cP keyStorePwd
- Specify the key database password. This password is required to access the
encrypted information in the key database file, which can include one or more
private keys. If a password stash file is associated with the key database
file, the password is obtained from the password stash file, and the -cP parameter is not required. This parameter is ignored if neither -cZ nor -cK is specified.
- -cw password | ?
- Use password as the
password for authentication. Use ? to have the tool prompt for the password instead of passing it on the command line.
- -cZ
- Use a secure SSL connection to communicate with the LDAP server.
Examples
ldapdiff -b <baseDN> -sh <supplierhostname> -ch <consumerhostname> [options]
or
ldapdiff -S -sh <supplierhostname> -ch <consumerhostname> [options]
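The usual cautious workflow is to run without -F, write the differences with -L, and review that LDIF before letting the consumer be modified. The script below is an added example (not part of the ldapdiff tool or this page): it parses an LDIF change file in standard RFC 2849 form, counts records per changetype, and flags sensitive attributes such as userPassword whose values would otherwise sit in clear text on disk. The sample LDIF is constructed; the exact records ldapdiff writes are an assumption.

```python
"""Review an LDIF change file before applying it to a replication consumer.
Assumes RFC 2849 change records; SAMPLE_LDIF is constructed, not ldapdiff output."""
import base64
from collections import Counter

SENSITIVE = {"userpassword"}  # attributes whose values should not sit on disk in clear

SAMPLE_LDIF = """\
dn: cn=alice,ou=people,o=example
changetype: modify
replace: mail
mail: alice@example.com
-
delete: telephoneNumber
-

dn: cn=stale,ou=people,
 o=example
changetype: delete

dn: cn=bob,ou=people,o=example
changetype: add
objectClass: person
cn: bob
userPassword:: c2VjcmV0
"""

def unfold(text):
    """Join LDIF continuation lines (leading space) and drop comment lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def parse_changes(text):
    """Return (dn, changetype, sorted attribute names) for each change record."""
    records, current = [], []
    for line in unfold(text) + [""]:          # trailing "" flushes the last record
        if line == "":
            if current:
                records.append(current)
            current = []
        else:
            current.append(line)
    out = []
    for rec in records:
        dn, changetype, attrs = None, None, set()
        for line in rec:
            if line == "-":                   # separator between modify operations
                continue
            key, _, val = line.partition(":")
            if val.startswith(":"):           # "attr:: base64" form
                val = base64.b64decode(val[1:].strip()).decode()
            val = val.strip()
            if key == "dn":
                dn = val
            elif key == "changetype":
                changetype = val
            elif changetype == "modify" and key in ("add", "delete", "replace"):
                attrs.add(val)                # attribute named by the modify op
            elif changetype == "add":
                attrs.add(key)                # attribute present in the new entry
        out.append((dn, changetype, sorted(attrs)))
    return out

def summarize(text):
    """Count records by changetype and list sensitive attributes the file touches."""
    changes = parse_changes(text)
    counts = Counter(ct for _, ct, _ in changes)
    flagged = sorted({a for _, _, attrs in changes for a in attrs if a.lower() in SENSITIVE})
    return counts, flagged

if __name__ == "__main__":
    counts, flagged = summarize(SAMPLE_LDIF)
    print(dict(counts), "sensitive attributes:", flagged)
```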
Diagnostics
Exit status is 0 if no errors occur. Errors result in a non-zero
exit status and a diagnostic message being written to standard error.