install-path/dsrk/bin/ldapcmp [-h host1 -p port1 [-h host2 -p port2]] [options] -b basedn
The ldapcmp command compares a Lightweight Directory Access Protocol (LDAP) entry or subtree of entries from one directory with an entry or subtree of entries from another directory. It detects entries that do not appear in both directories and detects attribute differences in entries that do appear in both directories.
The ldapcmp command reports comparison results using the following output syntax:
Entry appears only in the first directory specified.
Entry appears only in the second directory specified.
Entry appears in both directories, attributes differ. The ldapcmp command then explains the differences found:
Entries differed by attribute value.
Specified attribute found only in one directory.
Specified value found in first directory.
Specified value found in second directory.
Although the -h (host) and -p (port) options are not required, you generally use these options to specify how to access the two directories. If you do not specify any -h or -p options, the ldapcmp command compares the content of the directory listening on the default port of the localhost system with itself.
Unless the LDAP_BASEDN environment variable is set, you must at minimum provide a basedn argument to the -b option. The basedn argument specifies the distinguished name (DN) of the LDAP entry at the base of the search scope.
The following additional options are supported:
Ignore LDAP library version mismatches.
When this option is omitted, the default behavior is to assert that the revision number of the LDAP API be greater than or equal to that used to compile the tool. Also, if the library and the tool have the same vendor name, the tool will assert that the vendor version number of the API be greater than or equal to that used to compile the tool. Revision and version numbers are based on the contents of the LDAPAPIInfo structure defined in <ldap.h> or header files included by <ldap.h>.
Check host names in SSL certificates.
Allow binary values to be printed, even if the -o option is used.
Use the specified bind DN for accessing both directories, usually enclosed in double quotes ("") for the shell.
If the bind DN and its password are omitted, the ldapcmp command binds anonymously. The bind DN determines what entries and attributes appear in the comparison results, according to the search permissions for the bind DN.
Request that the directories expose (report) bind identities.
Display usage information.
Read SSL key password for the client key database specified using the -P option from filename.
The default is key3.db.
Use the specified control OID.
The criticality is false by default.
An LDAP control can be associated with a value. Proxy authorization, for example, takes a proxy authorization ID, passed with the control OID and criticality. If a value is necessary, you specify it using value, base64value, or <fileurl.
Use the SSL key database located in pathname, the full path to the key database file.
The default is to search for the key database file, key3.db, in the directory specified by the -P option.
Manage referrals, returning the entry containing the referral instead of the entry obtained by following the referral.
Use the specified certificate for certificate-based client authentication, for example: -N "Directory-Cert".
Both directories must recognize the specified certificate to perform the comparison.
Follow at most limit referral hops. The default is 5.
Use the certificate database located in filename, the full path to the certificate database file.
The default is to search for the certificate database file, cert8.db, in the current directory.
Use PKCS 11.
Do not follow referrals automatically.
Use LDAP protocol version n, where n is 2 or 3. Default is 3.
Prompt for the password for the client key database specified using the -P option.
The -W option is required for certificate-based client authentication.
Specify the password for the client key database specified using the -P option.
The -W option is required for certificate-based client authentication.
Use the specified proxy DN for accessing both directories, usually enclosed in double quotes ("") for the shell.
Use SSL to provide certificate-based client authentication.
The -Z option requires the -N and -W options and any other SSL options needed to identify the certificate and the key database.
Set LDAP debug level to the specified value.
The following debug levels are supported:
Display verbose debugging messages; LDAP_DEBUG_TRACE.
Display messages about the content of network packets; LDAP_DEBUG_PACKETS.
Display messages about LDIF parsing; LDAP_DEBUG_PARSE.
Display informational messages; LDAP_DEBUG_ANY.
Use the sum of the levels to specify more than one debug level. For example, to set the debug level to display both verbose debugging messages, and messages about the content of network packets, specify -d 3.
Contact the LDAP server on the specified host, which may be a host name or an IP address.
The default is localhost.
Specify the host twice to specify hosts for each of the two directories. When you specify the host twice, the first host specified corresponds to the first directory, and the second host corresponds to the second, regardless of the order of other options.
Use the specified character set to override the value of the LANG environment variable. This option is useful, as the command converts certain arguments you specify to UTF-8 before sending the request to the server. The following arguments are converted: base DN, bind DN, LDAP filter, and password.
You can prevent the command from converting passwords by using the -k option.
Examples of charset values include ISO8859-1, ISO8859-15, ibm-1275, and windows-1251.
Read the bind password for simple authentication from the specified file.
Do not convert the passwords to UTF-8.
Interrupt the comparison if the specified time limit is exceeded.
Use the security module database located in the specified directory.
Use the -m option if the security module database is in a different directory from the certificate database itself.
Show what would be done, but do not actually do it.
Use the specified attribute values when performing SASL authentication.
The following attrname arguments are supported:
Use the specified authentication identity.
Use the specified authorization identity.
Request the specified SASL mechanism for the bind.
Use the specified realm to complete the bind.
Use the specified security level.
The attrvalue is a valid value corresponding to the attrname you specify.
Contact the LDAP server on the specified port.
The default is 389 (636 if SSL is used).
Specify the port twice to specify ports for each of the two directories. When you specify the port twice, the first port specified corresponds to the first directory, and the second port corresponds to the second, regardless of the order of other options.
Use the specified search scope.
The following values are supported for scope:
Examine only the entry specified by the argument to the -b option.
Examine only the entry specified by the argument to the -b option and its immediate children.
(Default) Examine the subtree whose root is the entry specified by the argument to the -b option.
Run in verbose mode, displaying diagnostics on standard output.
Prompt for the bind password for simple authentication.
Use the specified bind password for simple authentication.
Interrupt the comparison if the specified maximum number of entries returned is exceeded.
All examples in this section use the following conventions:
All entries to compare are stored under dc=example,dc=com.
The directories have been configured to support anonymous access for search and read. Therefore, you do not have to specify any bind information.
The directory servers are located on systems named host1 and host2.
The servers both listen on port number 389, the default.
When you specify the root DN of the suffix as the base DN, ldapcmp compares all entries of the entire suffix in both directories.
$ ldapcmp -h host1 -h host2 -b "dc=example,dc=com"
You should have some idea of the size of your directories and of the differences between them before comparing them. Comparing two directories is useful for finding small differences between directories. When comparing completely different subtrees, the output can be very large. Narrow your comparison by specifying the base DN of a similar subtree in both directories.
The following command compares a single user entry in both directories:
$ ldapcmp -h host1 -h host2 -s base \
 -b "uid=bjensen,ou=People,dc=example,dc=com"
The following commands set the LDAP_BASEDN environment variable, and then compare all entries of the entire base suffix in both directories, running in verbose mode. The syntax of the first command may not work for your shell. Refer to the documentation about your shell for instructions on setting environment variables.
$ LDAP_BASEDN="dc=example,dc=com"; export LDAP_BASEDN
$ ldapcmp -v -h host1 -h host2
The following command compares root DSE entries for both directories:
$ ldapcmp -h host1 -h host2 -s base -b ""
The following command compares schema entries for both directories:
$ ldapcmp -h host1 -h host2 -b "cn=schema"
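The following Python script is an added illustration, not part of ldapcmp or the DSRK: it reproduces the comparison described in the output syntax above (entries only in one directory, attribute differences in shared entries) together with the -s base|one|sub scoping relative to the -b base DN, over two constructed LDIF fragments standing in for host1 and host2. The function and sample names are assumptions; real ldapcmp output formatting is not reproduced.

```python
# Added example (not ldapcmp's own code): the entry/attribute comparison the
# ldapcmp output syntax describes, run on two constructed LDIF fragments.
def parse_ldif(text):
    """Minimal LDIF reader -> {dn: {attr: set(values)}}, names lowercased."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            name, _, value = line.partition(": ")
            attrs.setdefault(name.lower(), set()).add(value)
        entries[attrs.pop("dn").pop().lower()] = dict(attrs)
    return entries

def in_scope(dn, base, scope):
    """Mimic -s base|one|sub relative to the -b base DN (both lowercase)."""
    if dn == base:
        return True
    if scope == "base" or not dn.endswith("," + base):
        return False
    return scope == "sub" or "," not in dn[:-len(base) - 1]  # one = children

def compare_directories(first, second, base, scope="sub"):
    """Return (only_in_first, only_in_second, {dn: [attributes that differ]})."""
    a = {d: e for d, e in first.items() if in_scope(d, base.lower(), scope)}
    b = {d: e for d, e in second.items() if in_scope(d, base.lower(), scope)}
    diffs = {}
    for dn in set(a) & set(b):  # shared entries: compare attribute value sets
        changed = sorted(x for x in set(a[dn]) | set(b[dn])
                         if a[dn].get(x, set()) != b[dn].get(x, set()))
        if changed:
            diffs[dn] = changed
    return sorted(set(a) - set(b)), sorted(set(b) - set(a)), diffs

# Constructed sample data standing in for the host1 and host2 directories.
HOST1 = """dn: dc=example,dc=com
dc: example

dn: ou=People,dc=example,dc=com
ou: People

dn: uid=bjensen,ou=People,dc=example,dc=com
mail: bjensen@example.com
telephoneNumber: +1 555 0100"""
HOST2 = HOST1.replace("bjensen@", "barbara.jensen@") + \
    "\n\ndn: uid=newhire,ou=People,dc=example,dc=com\nmail: newhire@example.com"

if __name__ == "__main__":
    for item in compare_directories(parse_ldif(HOST1), parse_ldif(HOST2), "dc=example,dc=com"):
        print(item)
```

As with the real tool, what the comparison can see depends on the entries the bind identity is permitted to read, so a narrow-scope run from a restricted account can report no difference where a privileged one would.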
The exit status returned reflects the return values of the underlying functions used, which may depend on return values sent by the server. The return values are defined through <ldap.h> files both on the client side and on the server side. Common exit status codes follow:
Successful completion; LDAP_SUCCESS; 0x00.
Server encountered errors while processing the request; LDAP_OPERATIONS_ERROR; 0x01.
Server encountered errors, such as a BER-decoding error, while processing the request; LDAP_PROTOCOL_ERROR; 0x02.
Search exceeded the time limit for operations on the server; LDAP_TIMELIMIT_EXCEEDED; 0x03.
Search returned more results than the maximum number allowed by the server; LDAP_SIZELIMIT_EXCEEDED; 0x04.
Base DN belongs to an entry handled by neither server, and the referral URL identifies another server that handles the entry; LDAP_REFERRAL; 0x0a.
Search returned more results than the maximum number a client application is allowed by the server to retrieve; LDAP_ADMINLIMIT_EXCEEDED; 0x0b.
Base DN belongs to an entry handled by neither server, and no referral URL is available for the entry; LDAP_NO_SUCH_OBJECT; 0x20.
Bind DN user does not have permission to read the entry from the directory; LDAP_INSUFFICIENT_ACCESS; 0x32.
One of the directories did not respond to the request, or the connection was lost; LDAP_SERVER_DOWN; 0x51.
An error occurred while receiving results; LDAP_LOCAL_ERROR; 0x52.
The request could not be BER-encoded; LDAP_ENCODING_ERROR; 0x53.
A result could not be decoded; LDAP_DECODING_ERROR; 0x54.
The search exceeded the time limit specified using the -l option; LDAP_TIMEOUT; 0x55.
An option or argument is not valid; LDAP_PARAM_ERROR; 0x59.
Needed memory could not be allocated; LDAP_NO_MEMORY; 0x5a.
A specified host name or port is not valid; LDAP_CONNECT_ERROR; 0x5b.
At least one server supports only LDAPv2, and the -V 2 option was not used; LDAP_NOT_SUPPORTED; 0x5c.
See attributes(5) for descriptions of the following attributes:
ldapcompare(1), ldapdelete(1), ldapmodify(1), ldappasswd(1), ldapsearch(1)