Difference between revisions of "Samba-tool ldapcmp"

m (Mmuehlfeld moved page Samba4/ldapcmp to Samba-tool ldapcmp: ldapcmp is meanwhile integrated in samba-tool)
(Refresh ldapcmp page. It's meanwhile integrated in samba-tool)
Line 1: Line 1:
=ldapcmp=
+
= Introduction =
  
  Location: source4/scripting/devel/ldapcmp
+
samba-tool provides a subcommand for testing LDAP replication between Domain Controllers - regarless if they are running Samba or Windows or mixed.
  
==What is it?==
 
  
Latest improvements to the already committed in Samba4 LDAP comparison tool that is meant to be used for testing LDAP replicating DCs no matter if they are Samba4, Windows AD or mixed. However it had the capacity to compare attributed of objects in DCs which are in different domains.
 
  
==What are the restrictions?==
 
  
1. It works only via LDAP (for now) so you must have LDAP servers that are up and accessible at port 389. This will be improved by having it connect to Ldb file or export/use LDIF file instead of live LDAP connection.
 
  
2. It compares values of attributes of objects returned only by wild-card search so no hidden attributes are processed.
+
= Restrictions =
  
3. There are certain amount of attributes being ignored explicitly in the script source that have always different values on corresponding objects in two separate DCs. This will be improved by additional switch for including all attributes no matter which they are and reporting excluded by default.
+
* The comparisation works via LDAP. So the LDAP server must be up and accessible at port 389.
  
* How to use?
+
* It compares values of attributes of objects returned only by wild-card search so no hidden attributes are processed.
  
1. Compare all attributes for all objects in the Default Naming Context:
+
* There are certain amount of attributes being ignored explicitly in the script source that have always different values on corresponding objects in two separate DCs.
  
<pre>
+
 
# ./scripting/devel/ldapcmp --host=10.x.x.x --username=administrator@test.domain --password=secretXX \
+
 
                            --host2=10.x.x.x --username2=administrator@test1.domain --password2=XsecretXX DOMAIN
+
 
</pre>
+
 
A neat trick (working for now on Samba4) is that you can do searches anonymously so if DCs are Samba4 it looks like:
+
= How to use? =
<pre>
+
 
# ./scripting/devel/ldapcmp --host=10.x.x.x --host2=10.x.x.x DOMAIN
+
* Compare the entire directory on Domain Controller DC1 and DC2:
</pre>
+
 
 +
# samba-tool ldapcmp ldap://DC1 ldap://DC2 -Uadministrator
 +
 
 +
* Compare single AD partitions on Domain Controller DC1 and DC2:
 +
 
 +
# samba-tool ldapcmp ldap://DC1 ldap://DC2 -Uadministrator domain
 +
# samba-tool ldapcmp ldap://DC1 ldap://DC2 -Uadministrator configuration
 +
# samba-tool ldapcmp ldap://DC1 ldap://DC2 -Uadministrator schema
 +
# samba-tool ldapcmp ldap://DC1 ldap://DC2 -Uadministrator dnsdomain
 +
# samba-tool ldapcmp ldap://DC1 ldap://DC2 -Uadministrator dnsforest
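
Review bot: The third added Restrictions bullet still says attributes are ignored "explicitly in the script source", but this revision drops the "Location: source4/scripting/devel/ldapcmp" line, so a reader can no longer tell which source is meant or which attributes a comparison skips. Suggest naming the current source file or listing the ignored attributes, since a "no differences" result only covers what is actually compared. Two spelling fixes in the added lines: "regarless" should be "regardless" in the Introduction, and "comparisation" should be "comparison" in the first Restrictions bullet.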

Revision as of 22:16, 9 November 2014

Introduction

samba-tool provides a subcommand for testing LDAP replication between Domain Controllers, regardless of whether they are running Samba, Windows, or a mix of both.



Restrictions

  • The comparison works via LDAP, so the LDAP server must be up and accessible on port 389.
  • It compares only the values of attributes returned by a wildcard search, so hidden attributes are not processed.
  • A certain number of attributes that always have different values on corresponding objects in two separate DCs are explicitly ignored in the script source.



How to use?

  • Compare the entire directory on Domain Controller DC1 and DC2:
# samba-tool ldapcmp ldap://DC1 ldap://DC2 -Uadministrator
  • Compare single AD partitions on Domain Controller DC1 and DC2:
# samba-tool ldapcmp ldap://DC1 ldap://DC2 -Uadministrator domain
# samba-tool ldapcmp ldap://DC1 ldap://DC2 -Uadministrator configuration
# samba-tool ldapcmp ldap://DC1 ldap://DC2 -Uadministrator schema
# samba-tool ldapcmp ldap://DC1 ldap://DC2 -Uadministrator dnsdomain
# samba-tool ldapcmp ldap://DC1 ldap://DC2 -Uadministrator dnsforest
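
The per-partition commands above can be run in one pass to see which partition is out of sync. This is an added example, not part of the original page or of Samba; it assumes `samba-tool ldapcmp` exits non-zero when a comparison reports differences, and `compare_partitions` and the `LDAPCMP` override are hypothetical names.

```shell
#!/bin/sh
# Added example: run the five per-partition comparisons from this page in one pass.
# Assumption: "samba-tool ldapcmp" exits non-zero when it finds differences.
# LDAPCMP is a hypothetical override so the loop can be exercised without real DCs.
LDAPCMP="${LDAPCMP:-samba-tool ldapcmp}"
PARTITIONS="domain configuration schema dnsdomain dnsforest"

# compare_partitions URL1 URL2 [credential options...]
# Prints one status line per partition and returns the number of partitions
# whose comparison failed or reported differences.
compare_partitions() {
    url1=$1
    url2=$2
    shift 2
    # Reports can contain directory attribute values, so keep them in a
    # private directory (mktemp -d creates it with mode 0700).
    logdir=$(mktemp -d) || return 255
    failed=0
    for part in $PARTITIONS; do
        # $LDAPCMP is left unquoted on purpose so "samba-tool ldapcmp" splits in two words.
        if $LDAPCMP "$url1" "$url2" "$@" "$part" >"$logdir/$part.log" 2>&1; then
            echo "OK   $part"
        else
            echo "DIFF $part (details: $logdir/$part.log)"
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# Stand-alone use: ./ldapcmp-all.sh ldap://DC1 ldap://DC2 -Uadministrator
if [ "$#" -ge 2 ]; then
    compare_partitions "$@"
fi
```

With `-Uadministrator` the password prompt appears once per partition, and the script's exit status is the number of partitions that did not compare cleanly.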