install-path/bin/entrycmp [-D bindDN] [-w password] [-n] [-p port] [-j file] [-T timeout] [-J file] [-W keypassword] [-K keydbpath] [-N certname] [-P certdbpath] [-e SSL port] ServerSpec entryDN
The entrycmp command compares the same entry on two or more different servers. An entry is retrieved from the master and the nsuniqueid of the entry is used to retrieve the same entry from a specified consumer. All the attributes and values of the two entries are compared. If they are identical, the entries are considered to be the same.
The following options are supported:
-D bindDN
The distinguished name with which to bind to the server. This parameter is optional if the server is configured to support anonymous access. If a DN is specified in the ServerSpec, this overrides the -D option.
-j file
If specifying the default password at the command line poses a security risk, the password can be stored in a file. The -j option specifies this file.
-n
Specifies that entrycmp should not run in interactive mode. Running in interactive mode allows you to re-enter the bindDN, password, host and port if a bind error occurs.
-p port
The TCP port used by Directory Server. The default port is 389. If a port is specified in the ServerSpec, this overrides the -p option.
-T timeout
Specifies the number of seconds after which entrycmp will time out if the server connection goes down.
-w password
The password associated with the distinguished name specified by the -D option. If a password is specified in the ServerSpec, this overrides the -w option.
entryDN
The DN of the entry that you wish to compare.
ServerSpec
The server specification. The server specification takes one of the following forms.
-s|-S HostSpec [-c|-C HostSpec ...]
-c|-C HostSpec [-s|-S HostSpec ...]
Here, -s refers to the supplier replica. -c refers to the consumer replica. Lower case specifies non-SSL options. Upper case specifies SSL options.
HostSpec
The host specification, which takes the form [bindDN[:[password]]@]host[:port]. The following is an example:
If you are using SSL, use -S and -C in the server specification. In this case, HostSpec specifies the certificate name and key password, rather than the bindDN and password. Specifying more than one -s together with more than one -c generates an error. If no -c option is specified, the -s HostSpec may refer to any server, either a consumer or a supplier.
You can use the following options to specify that entrycmp uses LDAPS when communicating with the Directory Server. You can also use these options if you want to use certificate-based authentication. These options are valid only when LDAPS has been turned on and configured.
-e SSL port
Default SSL port, 636.
-J file
This option has the same function as the -j option, for the key password.
-K keydbpath
Specifies the name of the certificate key used for certificate-based client authentication. For example, -K Server-Key.
-N certname
Specifies the certificate name to use for certificate-based client authentication. For example, -N Server-Cert. If this option is specified, the -W option is required.
-P certdbpath
Specifies the location of the certificate database.
-W keypassword
Specifies the password for the certificate database identified by the -P option. For example, -W serverpassword.
$ entrycmp -D cn=admin,cn=Administrators,cn=config -w mypword \
    -s myserver:1389 "uid=csmith,ou=people,dc=example,dc=com"
The following exit values are returned:
Successful completion, that is, a match was found.
An error occurred, and no match was found.
See attributes(5) for descriptions of the following attributes:
The node on which you are running the entrycmp, insync, and repldisc tools must be able to reach all the specified hosts. If these hosts are unavailable because of a firewall, VPN, or other network setup reasons, you will encounter difficulties using these tools. For the same reason, ensure that all servers are up and running before using these tools.
When identifying hosts, you must use either symbolic names or IP addresses for all hosts, because the replication monitoring commands do not resolve between symbolic names and IP addresses. Using a combination of the two can cause problems. Moreover, on multi-homed hosts, referring to the same Directory Server instance using different names may cause unexpected results.
When SSL is enabled, the directory server on which you are running the tools must have a copy of all the certificates used by the other servers in the topology.
The replication monitoring tools rely on access to cn=config to obtain the replication status. This should be taken into account particularly when replication is configured over SSL.
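A pre-flight check for three points made on this page (passwords exposed on the command line, the rule on multiple -s and -c specifications, and mixing symbolic names with IP addresses), given as an added example that is not part of the original manual page or of the product. The names lint() and parse_hostspec() and the sample argument lists are hypothetical and constructed; the parser assumes hostnames or IPv4 addresses and no ':' inside the bind DN.

```python
import ipaddress

# Options from the synopsis that consume the following argument.
VALUE_OPTS = {"-D", "-w", "-p", "-j", "-T", "-J", "-W", "-K", "-N", "-P", "-e"}
SPEC_OPTS = {"-s": "supplier", "-S": "supplier", "-c": "consumer", "-C": "consumer"}

def parse_hostspec(spec):
    """Split a HostSpec into identity, password, host and port (hostnames/IPv4 only)."""
    creds, _, hostport = spec.rpartition("@")   # the host follows the last '@'
    host, _, port = hostport.partition(":")
    ident, _, password = creds.partition(":")   # assumption: no ':' inside the DN
    return {"ident": ident or None, "password": password or None,
            "host": host, "port": int(port) if port else None}

def is_ip(host):
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True

def lint(argv):
    """Return findings for one entrycmp argument list (program name excluded)."""
    findings, roles, hosts = [], {"supplier": 0, "consumer": 0}, []
    args = iter(argv)
    for arg in args:
        if arg in SPEC_OPTS:
            spec = parse_hostspec(next(args, ""))
            roles[SPEC_OPTS[arg]] += 1
            hosts.append(spec["host"])
            if spec["password"]:
                findings.append(f"HostSpec for {spec['host']} carries a password on the command line")
        elif arg in ("-w", "-W"):
            next(args, None)                    # skip the password itself
            alt = {"-w": "-j", "-W": "-J"}[arg]
            findings.append(f"{arg} exposes a password on the command line; {alt} reads it from a file")
        elif arg in VALUE_OPTS:
            next(args, None)                    # skip the option's value
    if roles["supplier"] > 1 and roles["consumer"] > 1:
        findings.append("more than one -s/-S and more than one -c/-C: entrycmp reports an error")
    if len({is_ip(h) for h in hosts}) > 1:
        findings.append("hosts mix symbolic names and IP addresses")
    return findings

# Constructed sample invocations (not from the original page).
RISKY = ["-w", "mypword", "-s", "myserver:1389",
         "-c", "cn=admin,cn=config:secret@192.0.2.10:1389", "uid=csmith,ou=people,dc=example,dc=com"]
CLEAN = ["-D", "cn=admin,cn=Administrators,cn=config", "-j", "/path/to/pwfile",
         "-s", "myserver:1389", "-c", "consumer1:1389", "uid=csmith,ou=people,dc=example,dc=com"]
```

Running lint(RISKY) reports the -w password, the password embedded in the consumer HostSpec, and the name/IP mix; lint(CLEAN) returns an empty list.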