perlknight has asked for the wisdom of the Perl Monks concerning the following question:

Fellow monks, I need to compare LDAP data between two LDAP servers. One is the primary and the other the secondary. I am thinking of just going through each dn and comparing entries between the two. I know I can use the dn method call to get the dn, but how do I know that I am at the last dn, and how do I handle getting the attribute values from the last dn?

Does anyone know how to avoid going into a few dns? I want to start my comparison at the base, ou=mycomany,ou=com, but I want to avoid going into ou=people,ou=mycomany,ou=com and ou=systemuser,ou=mycompany,ou=com. Thanks.

Re: Comparing ldap data using net ldap
by g0n (Priest) on Jan 26, 2007 at 09:47 UTC
    The simplest way to do this is to search the entire master directory, and iterate over the record set.

    use strict;
    use warnings;
    use Net::LDAP;

    my $ld = Net::LDAP->new('myserver') or die "cannot connect: $@";
    my $mesg = $ld->bind(dn => 'username', password => 'passwd');
    $mesg->code and die "bind failed: " . $mesg->error;

    my $result = $ld->search(base => 'cn=mydir', scope => 'sub',
                             filter => '(objectclass=*)');
    $result->code and die "search failed: " . $result->error;

    # entry() with no index always returns the first entry, so a while loop
    # over it never advances; shift_entry() walks the result set and frees
    # each entry once it has been handled.
    while (my $entry = $result->shift_entry) {
        # do comparison here
    }

    You'll probably need to use page support and/or async searching if your directory contains much in the way of data.

    One thing to watch out for: I've done this sort of thing a few times, and tended to find that detecting when entries/attributes aren't there is the trickiest bit. It's also worth noting that there are commercial apps available that will do this sort of thing for you.


    "If there is such a phenomenon as absolute evil, it consists in treating another human being as a thing."
    John Brunner, "The Shockwave Rider".

        Thanks. The callback may work for me since I am walking the entire ldap tree and comparing entries against the secondary ldap entries.
Re: Comparing ldap data using net ldap
by strat (Canon) on Jan 26, 2007 at 11:17 UTC

    Another way could be to dump the contents of both directories to LDIF files (e.g. with Net::LDAP::LDIF or ldap server tools), sorted by dn (e.g. with Net::LDAP::Control::SortResult) and then iterate over the two LDIF files and compare objects one by one.

    if o1 eq o2: no change, read the next object from both
    if o1 lt o2: add, read the next object from LDIF1
    if o1 gt o2: delete, read the next object from LDIF2

    Disadvantage: this way you usually can't compare values from userPassword.

    Best regards,
    perl -e "s>>*F>e=>y)\*martinF)stronat)=>print,print v8."

      My LDAP directory has millions of entries. Would Net::LDAP::LDIF be able to handle it? Does it have a callback option? Thanks.

        I haven't tried Net::LDAP::LDIF with several million entries, but I think it can do it. For writing the objects to the LDIF you don't need callbacks from Net::LDAP::LDIF; only the callback from Net::LDAP::Search could be a good idea. If you dump your search result in a sorted way, you can read the objects one by one from the LDIF with code similar to the synopsis from Net::LDAP::LDIF.

        Best regards,
        perl -e "s>>*F>e=>y)\*martinF)stronat)=>print,print v8."
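The following is an added example, not code posted in this thread, that puts the two suggestions together: it walks strat's sorted-DN merge over two LDIF dumps one entry at a time, does the per-entry attribute check that would go inside g0n's loop (including the "attribute is simply not there" case g0n warns about), and skips the ou=people and ou=systemuser subtrees the question asks to leave out. It assumes both dumps have already been sorted by the same key the script uses (Net::LDAP::Util::canonical_dn with lower-cased attribute types), for example by an external sort on that key; the script dies if it finds a dump out of order. The two LDIF documents in the block are constructed sample data standing in for real dumps, and the list of ignored attributes (userPassword, which strat notes cannot be compared from a dump, plus two operational attributes) is an assumption for illustration.

```perl
# Added example, not from the thread: merge-compare two DN-sorted LDIF dumps.
use strict;
use warnings;
use Net::LDAP::LDIF;
use Net::LDAP::Util qw(canonical_dn);

# Compare key: canonical DN with lower-cased attribute types.
sub sort_key { canonical_dn($_[0], casefold => 'lower') // die "bad DN '$_[0]'" }

# Subtrees to leave out (from the question) and attributes a dump cannot compare
# meaningfully (assumed list; userPassword is hashed differently per server).
my @skip   = map { sort_key($_) } 'ou=people,ou=mycompany,ou=com', 'ou=systemuser,ou=mycompany,ou=com';
my %ignore = map { $_ => 1 } qw(userpassword modifytimestamp entrycsn);

# Constructed sample dumps, already in sort_key order as the merge requires.
my $primary_ldif = <<'LDIF';
dn: cn=app1,ou=apps,ou=mycompany,ou=com
cn: app1
description: primary copy

dn: cn=app2,ou=apps,ou=mycompany,ou=com
cn: app2

dn: uid=alice,ou=people,ou=mycompany,ou=com
uid: alice
LDIF
my $secondary_ldif = <<'LDIF';
dn: cn=app1,ou=apps,ou=mycompany,ou=com
cn: app1
description: stale copy

dn: cn=svc1,ou=systemuser,ou=mycompany,ou=com
uid: svc1

dn: ou=stale,ou=mycompany,ou=com
ou: stale
LDIF

# True if the key is one of the skipped subtrees or lies beneath one.
sub excluded { my $k = shift; grep { $k eq $_ || $k =~ /,\Q$_\E\z/ } @skip }

# Next (key, entry) from a reader, skipping excluded subtrees and checking the
# dump really is sorted; returns an empty list at end of file.
sub next_entry {
    my $r = shift;
    until ($r->{ldif}->eof) {
        my $e = $r->{ldif}->read_entry or next;
        my $k = sort_key($e->dn);
        die "dump not sorted by DN at " . $e->dn if defined $r->{last} && $k lt $r->{last};
        $r->{last} = $k;
        return ($k, $e) unless excluded($k);
    }
    return;
}

# Attribute name => sorted values; names lower-cased so objectClass eq objectclass.
sub attr_map {
    my ($e) = @_;
    my %v;
    for my $attr ($e->attributes) {
        my $n = lc $attr;
        next if $ignore{$n};
        $v{$n} = join "\0", sort { $a cmp $b } $e->get_value($attr);
    }
    return \%v;
}

# Differences between two entries that share a DN, as report lines.
sub diff_attributes {
    my ($p, $s) = (attr_map($_[0]), attr_map($_[1]));
    my @out;
    for my $n (sort keys %{{ %$p, %$s }}) {
        if    (!exists $s->{$n})     { push @out, "attribute $n missing on secondary" }
        elsif (!exists $p->{$n})     { push @out, "attribute $n only on secondary" }
        elsif ($p->{$n} ne $s->{$n}) { push @out, "attribute $n differs" }
    }
    return @out;
}

# strat's merge: walk both sorted dumps in step and classify each DN.
sub compare_dumps {
    my ($pfh, $sfh) = @_;
    my $p = { ldif => Net::LDAP::LDIF->new($pfh, 'r', onerror => 'die') };
    my $s = { ldif => Net::LDAP::LDIF->new($sfh, 'r', onerror => 'die') };
    my ($pk, $pe) = next_entry($p);
    my ($sk, $se) = next_entry($s);
    my @report;
    while (defined $pk || defined $sk) {
        if (!defined $sk || defined $pk && $pk lt $sk) {   # only in primary: an add
            push @report, "missing on secondary: " . $pe->dn;
            ($pk, $pe) = next_entry($p);
        } elsif (!defined $pk || $sk lt $pk) {              # only in secondary: a delete
            push @report, "extra on secondary: " . $se->dn;
            ($sk, $se) = next_entry($s);
        } else {                                            # same DN: compare attributes
            push @report, map { $pe->dn . ": $_" } diff_attributes($pe, $se);
            ($pk, $pe) = next_entry($p);
            ($sk, $se) = next_entry($s);
        }
    }
    return @report;
}

open my $pfh, '<', \$primary_ldif   or die "primary: $!";
open my $sfh, '<', \$secondary_ldif or die "secondary: $!";
print "$_\n" for compare_dumps($pfh, $sfh);
```

On the constructed data this reports that description differs for cn=app1, that cn=app2 is missing on the secondary, and that ou=stale exists only on the secondary; the alice and svc1 entries are never compared because they sit in the excluded subtrees. Because each side is read one entry at a time, memory use stays flat however many entries the dumps hold, which is what makes the approach workable for the millions of entries mentioned above; replace the in-memory strings with the dump file names to run it against real dumps.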