Feature: Add ldif-diff option to ignore delete operations

[ahochsteger]

Use Case: In our case some LDAP entries are managed both manually as well as automatically. So we have ab auto-generated LDIF files which represents the target LDIF file and an exported LDIF file from the LDAP server which represents the source LDIF file. Both are compared by ldif-diff to create the delta operations to update the LDAP server. Unfortunately manually added entries or attributes result in delete operations which cause them to be removed from the LDAP server and therefore have to be manually removed before importing it.

Therefore it would be great to have an option to skip delete operations in the resulting LDIF file to eliminate this manual step.

[dirmgr]

I've committed a change to the ldif-diff tool to help with this. The tool now offers an optional --changeType argument that you can use to indicate what types of changes (add, delete, or modify; ldif-diff doesn't include modify DN records, since they would be seen as a delete of the original entry and an add of the new entry) you want to include in the output. By default, all change types will be included, but you can choose to include only certain types (and you can provide the argument multiple times, so if you use --changeType add --changeType modify, then delete change records will be omitted).

I also added support for the following additional arguments:

• --includeFilter -- Only include changes to entries matching the given filter. This can be provided multiple times, and if you provide multiple values, then an entry will be included as long as it matches at least one of the given filters.
• --excludeFilter -- Omit changes to entries matching the given filter. This can be provided multiple times, and if you provide multiple values, then an entry will be excluded if it matches any of the given filters.
• --includeAttribute -- Only include the specified attribute in change records. This can be provided multiple times to specify multiple include attributes. If a change record doesn't include any of the include attributes, then the entire change record will be omitted.
• --excludeAttribute -- Omit the specified attribute from change records. This can be provided multiple times to specify multiple exclude attributes. If all attributes in a change record are excluded, then the entire change record will be omitted.

[ahochsteger]

Again thanks for the quick update! :-) It works as expected for the LDIF change types but there's an edge case that does not work when testing my use cases: When a member is removed from a group the LDIF files reports that as "changetype: modify" with "delete: member". It would be great, if that could be filtered too to support my use case to don't touch manually added group members by automated processes.

[dirmgr]

The "delete" change type is for delete operations, which remove an entire entry. An operation that alters an entry (whether to add, delete, replace, or increment attribute values in that entry) falls under the "modify" change type.

The use case that you describe sounds like it's out of the scope for the ldif-idff tool. You could certainly use ldif-diff to identify changes between two LDIF files, and can tell it to only report certain types of changes, to use filters to identify which entries to examine, and to include or exclude certain attributes. But if you want to further edit the content of the resulting LDIF file, then that's probably not something that's appropriate for ldif-diff itself.