Nick Milas wrote:
> If a non-root DN is used for replication, then only the parts of the DIT that are accessible by that DN will be replicated.
> Additionally, slapcat outputs operational attributes too, which I think can not be identical on both ends.
Because it is possible to initialize a replica with a slapcat output, we need all attributes which are in this output. All other operational attributes are not needed.
I have not done this in practice but I believe one may try it this way.
Assume you have an entry cn=111. So we slapcat this entry and do a temporary search. Attributes which are in slapcat and NOT in search must be added to the final search. Then compare the output of both operations.

  slapcat -n1 -H 'ldap:///???(cn=111)' 2>/dev/null | cut -d: -f1

  dn
  cn
  objectClass
  UIFtype
  UIFsource
  structuralObjectClass
  entryUUID
  creatorsName
  createTimestamp
  entryCSN
  modifiersName
  modifyTimestamp

  ldapsearch -xAMMLLL 'cn=111' '*' 2>/dev/null | cut -d: -f1

  dn
  cn
  objectClass
  UIFtype
  UIFsource

In this case, a db which is not a replica, we must add these attributes: structuralObjectClass entryUUID creatorsName createTimestamp entryCSN modifiersName modifyTimestamp

So the final search is:

  ldapsearch -xMMLLL 'cn=111' '*' structuralObjectClass entryUUID creatorsName createTimestamp entryCSN modifiersName modifyTimestamp 2>/dev/null
The switches -MM and -LLL used here are important.
So now we have a way to partially slapcat a DIT and do a search which produces the same result if the user who is doing the search has the rights to see all attributes.
Use the mentioned perl tools to sort and diff the output.
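The "sort and diff" step above, written out as an added example rather than the perl tools the poster refers to (which are not shown here). It parses two LDIF dumps (handling folded lines, comments and base64 `::` values, so a `slapcat` dump and an `ldapsearch -LLL` result normalise to the same form), computes which attribute names appear in the slapcat output but not in the search output (the list to add to the final search), and reports every entry, attribute or value that differs. The entry contents, the `UIFentry` object class, the UUID, CSN and timestamps are all constructed sample data, not values from the thread.

```python
# Added example (not from the thread): normalise two LDIF dumps and compare them.
# Intended for the output of `slapcat -n1 -H 'ldap:///???(cn=111)'` and of the
# ldapsearch -MMLLL commands in the post. All sample data below is constructed.
import base64


def parse_ldif(text):
    """Parse LDIF into {dn: {attribute: set(values)}}.

    Handles folded continuation lines (leading space), comment lines, the
    'version:' header and base64 values ('attr:: ...'). Attribute names are
    lowercased because LDAP treats them case-insensitively.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # folded line continues the previous one
            lines[-1] += raw[1:]
        else:
            lines.append(raw)

    entries, dn, attrs = {}, None, {}
    for line in lines + [""]:                  # trailing "" flushes the last entry
        if not line.strip():
            if dn is not None:
                entries[dn] = attrs
            dn, attrs = None, {}
            continue
        if line.startswith("#") or line.startswith("version:"):
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):               # base64-encoded value
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        name = name.strip().lower()
        if name == "dn":
            dn = value
        else:
            attrs.setdefault(name, set()).add(value)
    return entries


def attribute_names(entries):
    """All attribute names that occur anywhere in a parsed dump."""
    return {name for attrs in entries.values() for name in attrs}


def attributes_to_request(slapcat_entries, search_entries):
    """Names present in the slapcat output but absent from the search output.

    These are the (typically operational) attributes that must be listed
    explicitly in the final ldapsearch, as the post describes.
    """
    return sorted(attribute_names(slapcat_entries) - attribute_names(search_entries))


def diff_dumps(expected, actual):
    """List every entry, attribute or value that differs between two parsed dumps."""
    problems = []
    for dn in sorted(set(expected) | set(actual)):
        if dn not in actual:
            problems.append(f"missing entry in search output: {dn}")
        elif dn not in expected:
            problems.append(f"extra entry in search output: {dn}")
        else:
            for name in sorted(set(expected[dn]) | set(actual[dn])):
                exp = expected[dn].get(name, set())
                act = actual[dn].get(name, set())
                if exp != act:
                    problems.append(f"{dn}: {name}: slapcat={sorted(exp)} search={sorted(act)}")
    return problems


# Constructed sample: slapcat output for cn=111 (UIFentry, UUID, CSN, times invented).
# UIFsource is base64 here and creatorsName is folded, as slapcat may emit them.
SLAPCAT_LDIF = """\
dn: cn=111,dc=example,dc=com
cn: 111
objectClass: top
objectClass: UIFentry
UIFtype: widget
UIFsource:: c291cmNlIEE=
structuralObjectClass: UIFentry
entryUUID: 00000000-0000-0000-0000-000000000111
creatorsName: cn=admin,dc=example,
 dc=com
createTimestamp: 20240101120000Z
entryCSN: 20240101120000.000000Z#000000#000#000000
modifiersName: cn=admin,dc=example,dc=com
modifyTimestamp: 20240101120000Z
"""

# Constructed sample: `ldapsearch -xMMLLL 'cn=111' '*'` (user attributes only).
SEARCH_LDIF = """\
dn: cn=111,dc=example,dc=com
cn: 111
objectClass: top
objectClass: UIFentry
UIFtype: widget
UIFsource: source A
"""

# Constructed sample: the final search with the operational attributes added.
FINAL_SEARCH_LDIF = SEARCH_LDIF + """\
structuralObjectClass: UIFentry
entryUUID: 00000000-0000-0000-0000-000000000111
creatorsName: cn=admin,dc=example,dc=com
createTimestamp: 20240101120000Z
entryCSN: 20240101120000.000000Z#000000#000#000000
modifiersName: cn=admin,dc=example,dc=com
modifyTimestamp: 20240101120000Z
"""

if __name__ == "__main__":
    dump, first, final = map(parse_ldif, (SLAPCAT_LDIF, SEARCH_LDIF, FINAL_SEARCH_LDIF))
    print("add to the final search:", " ".join(attributes_to_request(dump, first)))
    print("differences after final search:", diff_dumps(dump, final) or "none")
```

Run against real output, feed the two dumps from files instead of the embedded strings; an empty result from diff_dumps means the search user sees everything slapcat sees, and any line it prints names the exact attribute the searching DN is not allowed to read.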