OpenDJ ldif-diff

Among the cool utilities that come with the OpenDJ server is ldif-diff. The time is soon coming for it to show its “quality”. Some caveats below.

After trying out ldif-diff and the related ldifdiff from the OpenDJ SDK, I was disappointed to discover some limitations that mean these tools won’t be replacing the beloved ldifdiff.pl any time soon.

First, both tools appear to misuse the terms “source” and “target”. In testing I found that what they mean by target is the directory from which the desired changes will come, while the source is the directory that will receive those changes: the output is the set of modifications that, applied to the source, make it match the target. That’s seriously counterintuitive and is going to cause a lot of confusion among the troops.

Next, both produce what at first looks like questionable LDIF. For example, after comparing the same entry on two different directories that are known to have different userPassword values, this is what was produced:

dn: uid=123456,ou=Corp,ou=People,dc=example,dc=com
changetype: modify
add: userPassword
userPassword: {SSHA}PDoTnOTZqNh0bY92QrbjUcjiaChhltfZcOZM1A==
-
delete: userPassword
userPassword: {SSHA}WAH9IivhPplHACsiKWCNMhX7uVP+D1sq3nhnJA==

What you’d normally expect to see there is something like this output from ldifdiff.pl:

dn: uid=123456,ou=Corp,ou=People,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword: {SSHA}PDoTnOTZqNh0bY92QrbjUcjiaChhltfZcOZM1A==

Clearly this difference is the result of treating every attribute as multi-valued: the tools add the values found only in the target and delete the values found only in the source, rather than emitting a replace. Because both changes sit inside one modify record, an LDAP server applies them as a single atomic operation, so this may actually work most of the time. I need to do some further testing to be sure. Note also that the add/delete form writes the old hash into the diff as well, so the output file carries both password hashes.
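To make the source/target direction and the add/delete behaviour concrete, here is a small LDIF diff written for this post (it is not OpenDJ’s or ldifdiff.pl’s code). It parses plain LDIF content records, emits the modifications that turn the source data into the target data, and by default treats every attribute as a set of values, which reproduces the add/delete pair shown above; attributes the caller names as single-valued get a replace instead, which is the ldifdiff.pl-style output. The sample entries, the objectClass and uid lines, and the `single_valued` parameter are assumptions made for the example; the DN and hashes are the ones from the output above.

```python
"""Added example (not OpenDJ code): a minimal LDIF diff showing where the
add/delete pair comes from and what a replace-based diff does instead.
Plain LDIF only: folded lines and comments are handled, base64 values are not."""
from typing import Dict, FrozenSet, List, Tuple

# attribute name lower-cased -> (name as written in the file, values)
Attrs = Dict[str, Tuple[str, List[str]]]
Entries = Dict[str, Tuple[str, Attrs]]      # dn lower-cased -> (dn, attrs)


def parse_ldif(text: str) -> Entries:
    """Parse blank-line separated LDIF content records into a dict keyed by DN."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:     # unfold continuation lines
            lines[-1] += raw[1:]
        else:
            lines.append(raw)

    entries: Entries = {}

    def flush(block: List[str]) -> None:
        dn, attrs = None, {}
        for line in block:
            if line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            value = value.strip()
            if name.lower() == "dn":
                dn = value
            else:
                attrs.setdefault(name.lower(), (name, []))[1].append(value)
        if dn is not None:
            entries[dn.lower()] = (dn, attrs)

    block: List[str] = []
    for line in lines:
        if line.strip():
            block.append(line)
        else:
            flush(block)
            block = []
    flush(block)
    return entries


def diff_attrs(source: Attrs, target: Attrs, single_valued: FrozenSet[str]) -> List[str]:
    """Modifications that turn `source` into `target` (ldif-diff's direction).

    Attributes are compared as sets of values: values only in target become an
    'add', values only in source a 'delete'.  Attributes listed in
    `single_valued` (lower-cased names, an assumption of this example) get one
    'replace' carrying the target value instead.
    """
    mods: List[str] = []
    for key in sorted(set(source) | set(target)):
        name = (target.get(key) or source[key])[0]
        src_vals = source.get(key, (name, []))[1]
        tgt_vals = target.get(key, (name, []))[1]
        if sorted(src_vals) == sorted(tgt_vals):
            continue
        if key in single_valued:
            mods.append(f"replace: {name}\n{name}: {tgt_vals[0]}" if tgt_vals
                        else f"delete: {name}")
            continue
        added = [v for v in tgt_vals if v not in src_vals]
        removed = [v for v in src_vals if v not in tgt_vals]
        if added:
            mods.append("\n".join([f"add: {name}"] + [f"{name}: {v}" for v in added]))
        if removed:
            mods.append("\n".join([f"delete: {name}"] + [f"{name}: {v}" for v in removed]))
    return mods


def ldif_diff(source_text: str, target_text: str,
              single_valued: FrozenSet[str] = frozenset()) -> str:
    """LDIF change records that make the source data look like the target data."""
    src, tgt = parse_ldif(source_text), parse_ldif(target_text)
    records: List[str] = []
    for key in sorted(set(src) | set(tgt)):
        if key not in tgt:                                   # entry gone from target
            records.append(f"dn: {src[key][0]}\nchangetype: delete")
        elif key not in src:                                 # entry new in target
            dn, attrs = tgt[key]
            body = "\n".join(f"{n}: {v}" for n, vals in attrs.values() for v in vals)
            records.append(f"dn: {dn}\nchangetype: add\n{body}")
        else:
            mods = diff_attrs(src[key][1], tgt[key][1], single_valued)
            if mods:
                records.append(f"dn: {tgt[key][0]}\nchangetype: modify\n" + "\n-\n".join(mods))
    return "\n\n".join(records) + ("\n" if records else "")


# Constructed sample input: the entry from the post as it stands on two servers
# (objectClass and uid lines are assumptions added to make the records realistic).
SOURCE_LDIF = """\
dn: uid=123456,ou=Corp,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: 123456
userPassword: {SSHA}WAH9IivhPplHACsiKWCNMhX7uVP+D1sq3nhnJA==
"""
TARGET_LDIF = SOURCE_LDIF.replace(
    "{SSHA}WAH9IivhPplHACsiKWCNMhX7uVP+D1sq3nhnJA==",
    "{SSHA}PDoTnOTZqNh0bY92QrbjUcjiaChhltfZcOZM1A==")

if __name__ == "__main__":
    print(ldif_diff(SOURCE_LDIF, TARGET_LDIF))                                # add/delete pair
    print(ldif_diff(SOURCE_LDIF, TARGET_LDIF, frozenset({"userpassword"})))  # replace form
```

Swapping the two arguments reverses the direction of every change, which is the quickest way to see what “source” and “target” mean here. Either way the output quotes the password hashes from both files, so a diff should be protected like an export.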

Another issue relates only to ldif-diff, and is already recorded in a year-old bug report, OPENDS-2606.

Basically the problem is that ldif-diff won’t process moderately sized LDIF files without throwing an out-of-memory error.

Lastly, ldif-diff can only be run by the “directory server owner”, and it sets the permissions on its output file to read/write for that user only (mode 0600). So if the directory is “owned” by root, you need to run it with sudo, and the resulting file belongs to root and cannot be read by the account you ran sudo from. This is the same behavior exhibited by the export-ldif tool. It’s not a show-stopper, but it is annoying; I much prefer to have file-level security left in my own barely capable hands.

There isn’t much documentation to go along with either of these tools, so here’s the output of the command-line help:

ldifdiff --help

Usage:  ldifdiff  {options} source target

This utility can be used to compare two LDIF files and report the differences
in LDIF format

Command options:

-o, --outputLDIF {file}
    Write differences to {file} instead of stdout
    Default value: stdout

General options:

-V, --version
    Display Directory Server version information
-?, -H, --help
    Display this usage information

ldif-diff --help

This utility can be used to compare two LDIF files and report the differences
in LDIF format

Usage:  ldif-diff  {options}
        where {options} include:

-s, --sourceLDIF {file}
    LDIF file to use as the source data
-t, --targetLDIF {file}
    LDIF file to use as the target data
-o, --outputLDIF {file}
    File to which the output should be written
-a, --ignoreAttrs {file}
    File containing a list of attributes to ignore when computing the
    difference
-e, --ignoreEntries {file}
    File containing a list of entries (DN) to ignore when computing the
    difference
-O, --overwriteExisting
    Any existing output file should be overwritten rather than appending to it
-S, --singleValueChanges
    Each attribute-level change should be written as a separate modification
    per attribute value rather than one modification per entry
--checkSchema
    Takes into account the syntax of the attributes as defined in the schema to
    make the value comparison.  The provided LDIF files must be conform to the
    server schema

General Options

-V, --version
    Display Directory Server version information
-?, -H, --help
    Displays this usage information