- ldapdiff
- (c) 2000-2003 Thomas.Reith@rhoen.de
- Sun Feb 2 15:04:45 MET 2003
Sections
0. compile
1. intro
2. commandline options
3. config file options
4. plugins
5. thanks
0. compile ldapdiff
run ./configure --with-ldap-dir=[your ldap SDK]
[necessary] openldap is located at ftp://ftp.openldap.org
[optional ] libiconv is located at ftp://ftp.gnu.org.
libiconv has been integrated into glibc now. on
modern linux distributions the --with-iconv-dir option
should not be necessary. if you run into compiler or linker
problems like:
...
ldapiconv.c:29: iconv.h: No such file or directory
make: *** [ldapiconv.o] Error 1
...
/tmp/ldapdiff-0.9.1/ldapiconv.c:39: undefined reference to `libiconv_open'
ldapiconv.o: In function `ldificonv':
/tmp/ldapdiff-0.9.1/ldapiconv.c:56: undefined reference to `libiconv'
ldapiconv.o: In function `ldificonvclose':
/tmp/ldapdiff-0.9.1/ldapiconv.c:68: undefined reference to `libiconv_close'
collect2: ld returned 1 exit status
...
your glibc/libc doesn't contain the iconv functions and you should use
"configure --with-iconv-dir=[your iconv SDK] --with-ldap-dir=[your ldap SDK]"
instead.
1. intro
ldapdiff combines classical "diff" and "patch" functionality in one
application. the difference is that ldapdiff is not designed for use
on flat ascii files; it is designed for "patching" ldap directories
using ldif files.
many people using ldap based directories have problems updating their
ldap directory automatically, because the only offline interface between
the company database and the ldap directory is ldif files.
with ldap protocol version 3 it is possible to add, modify and delete
entries based on ldif statements.
normally the primary instance which stores most of a company's data
is a relational database. since there are no ldap servers available
which request information directly from a relational database, it
is difficult to keep an ldap directory up to date. one could create
"ldif formatted deltas" for every database change, but that is time
consuming and difficult, and with no access to the database application and
schema it is nearly impossible. it is much easier to implement a procedure
which dumps the whole data pool into an ldif formatted file and then run ldapdiff.
with ldapdiff it is possible to check every entry/attribute of an ldif file
against a running ldap directory. ldapdiff is able to produce ldif delta
files in ldap version 3 format, which can be fed into tools like
"ldapmodify", "ldapdelete" etc. ldapdiff is also able to modify, delete
and add entries/attributes online.
the main idea of ldapdiff is not to synchronize two different ldap
directories; this can be done much better with the internal
replication mechanisms (e.g. slurpd). ldapdiff's main operational
area is updating the user, group etc. branches, normally organized in
ldap ou trees.
with version 0.7.0 and above ldapdiff is able to convert the input stream to
the necessary "UTF-8" charset online.
2. commandline options
most of the options are stored in the file "ldapdiff.conf", but there
are still some commandline options:
-c : name of the config file
default: ./ldapdiff.conf
-f ldiffile : ldiffile is an ldif formatted file, which will be compared
with the running ldap server.
- "changetype:" records are not allowed
if this option is not used, stdin will be used
-l logfile : name of the logfile
default: stdout
-p profile : profile is specified in ldapdiff.conf. profiles are all other
sections not named [global]
-s local[0-7] : use syslog, example for /etc/syslog.conf
local4.*\t/var/log/ldapdiff.log
-v : print version and exit
3. config file options
the config file (normally ./ldapdiff.conf) is structured into
sections and variables. every variable mentioned below
has to be set. there are no optional variables, yet.
3.1 section [global]
ldaphost: hostname, where the ldapserver is running
ldapport: port, where the ldapserver is running
rootdn: rootdn of the ldap directory
rootpw: cleartext password of rootdn (will be improved by upcoming
releases)
modfile: delta file for found differences in existing
entries/attributes
addfile: delta file for new entries, which doesn't exist in the ldap
server
onlineupdate: if "yes", ldapdiff tries to update the ldapserver directly
(ATTENTION ATTENTION ATTENTION)
especially take care in combination with the option
"deleteentry: yes" and "deleteattribute: yes"
offlineupdate: if "yes", ldapdiff creates "modfile" and "addfile" with the
differences in ldif format.
onlineerrfatal: if "yes", every error updating the ldap server online
causes ldapdiff to exit. it can be useful to set this
parameter to "no", if there are a lot of entries to
check and ldapdiff should ignore these errors
plugin: if "yes", ldapdiff tries to enable the plugin
pluginfile: the path where the plugin is located
pluginfunction: the name of function, which will be called from ldapdiff
iconv: if "yes" libiconv is used for conversion between different
charsets
ldifcharset: name of the source charset (eg. "ISO-8859-3" for western
europe). see iconv_open(3) for the available charsets
ldapcharset: name of the ldap charset (recommended "UTF-8")
see iconv_open(3) for the available charsets
schemacheck: if "yes" the attributetypes will be requested from
the ldapserver (works with openldap)
feel free to send me an email how get schema on
iPlanet, thanks
schemabase: the basedn of the ldapserver to query the schema.
openldap: "cn=subschema"
schemafilter: the filter for querying schema objectclasses
openldap: "objectClass=*"
schemaattribute: schema attribute to query
openldap: "attributetypes"
schemahack: if "yes", a workaround for buggy schema attributes like
"jpegPhoto, facsimileTelephoneNumber etc." will be
enabled
1. the ietf schema defines EQUALITY and MULTIVALUE
for the above attributes, but it's not possible
to add more than one of them. (OpenLDAP)
- these attributes will be forced by ldapdiff's
compare methods to be single valued.
2. the ietf schema doesn't define SYNTAX and EQUALITY for
attributes like "l, c, cn etc.", but with no EQUALITY
method it's not possible to add more than one
value, although OpenLDAP accepts multiple values
for these attributes.
- ldapdiff enforces a default EQUALITY method, to be
able to add more than one value.
3.2 section [profile]
since there are a lot of different objectclasses in a running ldap server,
ldapdiff needs to know which kinds of objectclasses have to be checked. this
can be done with the "group" parameter. ldapdiff needs a unique attribute
for every group, which can be configured with "filter" (dn can't be used).
example:
for me, it is only of interest to update users and groups. all other
entries are stored with php or other graphical frontends. my
relational database dumps two ldif formatted files every hour.
the first file contains every person with the necessary attributes. the
second file contains the groups where the persons are grouped together.
so, I need two profiles in "ldapdiff.conf": [user] and [group].
basedn: ldapdiff uses the library function ldap_search with the
scope LDAP_SCOPE_SUBTREE. this means that ldapdiff
searches recursively from the beginning of "basedn"
for objects. in large ldap directories, it's a good
idea to store ldapdiff's searchbase in a separate "ou"
filter: the filter is the unique attribute, which ldapdiff uses to
search for.
hint: use an "eq" index for this attribute to boost
performance
(for "objectclass: posixAccount" it's usually "uid")
DON'T USE "DN", WHICH DOESN'T WORK, YET
group: the grouping filter will be "ANDed" to the filter above, to
match only the objectclass you want to update.
hint: use an attribute, which is unique for the
group of entries you want to match.
example:
"objectClass=posixAccount" for person account entries
is always a good idea
ignore: a comma separated list of attributes, which will be ignored
by ldapdiff. "none" if no attributes have to be ignored
multi: if "schemacheck" is disabled, this attribute tells
ldapdiff in a comma separated list, which ldap attributes
are able to occur more than once in an entry.
"none" if there are no multiple attributes in the ldif source.
noequality: if "schemacheck" is disabled, this attribute tells
ldapdiff in a comma separated list, which ldap attributes
are not defined with an "EQUALITY" function (e.g. jpegPhoto,
facsimileTelephoneNumber etc.)
"none", if there are no such attributes in the ldif source.
this option is necessary, because ldap attributes with no
"EQUALITY" method cannot be replaced. they have to
be deleted and then added again.
mapalias: "alias=realname, ..."
there are some attributetypes which are alias names, like
fax and facsimileTelephoneNumber. since openldap stores
an attribute with its real name, ldapdiff becomes
confused. therefore a parameter "fax=facsimileTelephoneNumber"
can be configured, which tells ldapdiff to use the real
name for further operations.
if "schemacheck" is enabled this attribute will be ignored,
since this information will be retrieved from the schema
automatically.
deleteentry: if "yes" ldapdiff tries to delete every entry (dn), which
matches the "group" filter and cannot be found in the ldap
server.
(ATTENTION ATTENTION ATTENTION)
especially take care in combination with the option
"onlineupdate: yes"!!!
deleteattribute: if "yes" ldapdiff tries to delete an attribute from an entry
which is listed in the ldif file, and cannot be found in
the ldapserver
(ATTENTION ATTENTION ATTENTION)
especially take care in combination with the option
"onlineupdate: yes"!!!
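as an added example (not shipped with ldapdiff), the following POSIX shell script writes a constructed ldapdiff.conf with a [global] section and a [user] profile, lints it against the variable lists in 3.1 and 3.2 (every variable set, "filter" not dn, and "onlineupdate: yes" combined with "deleteentry: yes" or "deleteattribute: yes" flagged), and then shows the offline run from section 2: ldapdiff with -c/-p/-f/-l followed by ldapmodify over the generated modfile and addfile. it assumes the "[section]" / "key: value" layout that the option listing implies, that modfile holds changetype records and addfile plain entries, and uses placeholder hostnames, DNs and paths; the helper functions (write_sample_conf, conf_get, check_conf, ldapdiff_offline) are mine, not part of ldapdiff.

```shell
#!/bin/sh
# Added example, not part of ldapdiff: lint a ldapdiff.conf before running
# ldapdiff, then do the offline run from section 2. Assumes "[section]" /
# "key: value" lines; hostnames, DNs and paths are constructed placeholders.
set -eu

# every [global] and [profile] variable the README lists (none is optional)
GLOBAL_KEYS="ldaphost ldapport rootdn rootpw modfile addfile onlineupdate
offlineupdate onlineerrfatal plugin pluginfile pluginfunction iconv
ldifcharset ldapcharset schemacheck schemabase schemafilter schemaattribute
schemahack"
PROFILE_KEYS="basedn filter group ignore multi noequality mapalias
deleteentry deleteattribute"

# write_sample_conf FILE: write a constructed sample ldapdiff.conf
write_sample_conf() {
    cat > "$1" <<'EOF'
[global]
ldaphost: ldap.example.com
ldapport: 389
rootdn: cn=Manager,dc=example,dc=com
rootpw: CHANGEME
modfile: /var/tmp/ldapdiff.mod.ldif
addfile: /var/tmp/ldapdiff.add.ldif
onlineupdate: no
offlineupdate: yes
onlineerrfatal: yes
plugin: no
pluginfile: none
pluginfunction: none
iconv: yes
ldifcharset: ISO-8859-1
ldapcharset: UTF-8
schemacheck: yes
schemabase: cn=subschema
schemafilter: objectClass=*
schemaattribute: attributetypes
schemahack: yes
[user]
basedn: ou=People,dc=example,dc=com
filter: uid
group: objectClass=posixAccount
ignore: userPassword
multi: none
noequality: none
mapalias: none
deleteentry: no
deleteattribute: yes
EOF
}

# conf_get FILE SECTION KEY: print the value of KEY inside [SECTION]
conf_get() {
    awk -v sec="[$2]" -v key="$3:" '
        /^\[/              { insec = ($0 == sec); next }
        insec && $1 == key { sub(/^[^:]*:[[:blank:]]*/, ""); print; exit }
    ' "$1"
}

# check_conf FILE PROFILE: return 0 when every variable is set, "filter" is
# not dn and no destructive online+delete combination is enabled; otherwise
# print one line per finding and return 1
check_conf() {
    cc_rc=0
    for cc_k in $GLOBAL_KEYS; do
        [ -n "$(conf_get "$1" global "$cc_k")" ] || { echo "missing [global] $cc_k"; cc_rc=1; }
    done
    for cc_k in $PROFILE_KEYS; do
        [ -n "$(conf_get "$1" "$2" "$cc_k")" ] || { echo "missing [$2] $cc_k"; cc_rc=1; }
    done
    [ "$(conf_get "$1" "$2" filter)" != dn ] || { echo "[$2] filter: dn is not supported"; cc_rc=1; }
    if [ "$(conf_get "$1" global onlineupdate)" = yes ]; then
        for cc_k in deleteentry deleteattribute; do
            [ "$(conf_get "$1" "$2" "$cc_k")" != yes ] ||
                { echo "onlineupdate: yes together with $cc_k: yes in [$2]"; cc_rc=1; }
        done
    fi
    return $cc_rc
}

# ldapdiff_offline CONF PROFILE LDIF: compare LDIF with the server, then feed
# the delta files to ldapmodify (assumes modfile holds changetype records and
# addfile plain entries; -W prompts for the rootdn password)
ldapdiff_offline() {
    ldapdiff -c "$1" -p "$2" -f "$3" -l "/var/tmp/ldapdiff.$2.log"
    lo_url="ldap://$(conf_get "$1" global ldaphost):$(conf_get "$1" global ldapport)"
    lo_dn=$(conf_get "$1" global rootdn)
    ldapmodify -x -H "$lo_url" -D "$lo_dn" -W -f "$(conf_get "$1" global modfile)"
    ldapmodify -x -a -H "$lo_url" -D "$lo_dn" -W -f "$(conf_get "$1" global addfile)"
}

conf=$(mktemp)
write_sample_conf "$conf"
if check_conf "$conf" user && command -v ldapdiff >/dev/null 2>&1; then
    ldapdiff_offline "$conf" user /var/tmp/users.ldif
fi
rm -f "$conf"
```

the lint runs before any ldap connection is opened, so a profile that would combine "onlineupdate: yes" with one of the delete options stops the run instead of deleting entries; with the sample config (offline update only) the delta files are written and then applied in a separate, password-prompted ldapmodify step.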
4. plugins
ldapdiff plugins (shared objects) can be used to iterate through the
structs s_mod and s_modentry. these structs store the information about
changed entries and attributes.
with this feature it is possible to add additional output functions to
ldapdiff. it is possible to update databases, write ascii files etc.
there is a demo plugin "ldapskeleton.c" in the plugins directory.
simply complete this code with your needs and enable it in ldapdiff.conf.
5. thanks
Tzafrir Cohen
- for contributing the rpm spec file ldapdiff.spec