[There doesn't seem to be an active general LDAP list anymore, so I hope it's OK to post here instead.]

I need an ldif-diff utility (take two LDIF dumps and produce an .LDIF to change one to the other) and maybe an LDIF->LDAP sync program like this:

- Give me some control of the order in which entries are output.

I need to ensure that when a "mail:" value moves from one entry to another, it should temporarily occur in both entries rather than in neither. Usually that means output the 2nd entry first.

- Fairly fast, but a slower and smarter mode would be nice.

Fast mode can be crude, e.g. it need not know that "foo:: eHk=" means "foo: xy" and DN cn=x+uid=y,... matches uid=y+cn=x,...

- Not resource-hungry. (Don't slurp the entire LDIFs into memory. Scan them to build a mapping {dn: filepos} or something.)

- Don't generate a huge "replace: member" change when it instead can generate a small "delete:" + "add:" for the attribute change.

(So it must be configured to know which attrs have an EQUALITY matching rule, at least when there is no server to ask.)

- Preferably LDAP-novice-friendly error messages.

It does *not* need to: - Detect renamed entries. - Certainly not convert anything to/from Unicode. Sometimes I've had to battle tools to stop them from deciding I want Latin1->UTF-8. - Preserve entry/attribute order. (But preserved attr.value order is nice for some attributes, even if LDAP does not guarantee it.)