Archive for October, 2009

Dumping ACIs from directory server

(Or: how do I get my LDIF nice and clean so I only get the objects which actually contain the information I want?)

I was working on a big directory with hundreds of thousands of entries, for which I wrote Access Control Instructions. The only problem was: how do I get those ACIs out of the directory? Of course, first we need an LDIF containing the relevant information, in this case:
ldapsearch -x -h localhost -D "cn=Directory Manager" -w password -b dc=example,dc=com aci > aci.ldif

The only problem with this is that this dump turned out to contain every single entry in the directory, so I had tens of megabytes worth of LDIF, for the 25KB of ACIs I actually needed. Here, awk comes to the rescue:
awk 'BEGIN { RS = "dn: " } /aci:/ { print "dn:", $0 }' aci.ldif > filtered-aci.ldif

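This only dumps stanzas from the LDIF file which contain “aci:”. Obviously you can use this for any kind of LDIF from which you only need objects with a specified attribute. Two caveats: the match is a plain substring test and the record separator is the literal string "dn: ", so either string appearing inside an attribute value will also select or split a stanza; and a multi-character RS works in gawk and mawk but is unspecified in POSIX awk. Maybe the mozldap utilities handle this better, but I haven’t investigated.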
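A stricter version of the filter, as an added example that is not from the original post: it splits entries on blank lines and keeps an entry only when one of its lines begins with the attribute name, compared case-insensitively. The function names and the sample LDIF are constructed for illustration, and the sample carries an extra attribute to show the behaviour on a fuller dump.

```shell
# Added example: keep only the LDIF entries that have an aci attribute.
# Server-side alternative: the page's search with a presence filter added,
#   ldapsearch -x -h localhost -D "cn=Directory Manager" -w password -b dc=example,dc=com "(aci=*)" aci
filter_aci_entries() {
    awk '
    BEGIN { RS = ""; FS = "\n" }    # paragraph mode: one record per entry, one field per line
    {
        entry = ""; has_aci = 0; in_comment = 0
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^#/) { in_comment = 1; continue }   # drop ldapsearch comment lines
            if (in_comment && $i ~ /^ /) continue         # and their folded continuations
            in_comment = 0
            # Anchored match; "aci::" (base64 value) also starts with "aci:".
            if (tolower($i) ~ /^aci:/) has_aci = 1
            entry = entry $i "\n"
        }
        if (has_aci) print entry    # entry ends in a newline, print adds the blank separator
    }'
}

# Constructed sample input, shaped like ldapsearch output (not real directory data).
sample_ldif() {
    cat <<'EOF'
# extended LDIF
# requesting: aci

# example.com
dn: dc=example,dc=com
aci: (targetattr="*")(version 3.0; acl "Constructed sample: admins"; allow (
 all) groupdn="ldap:///cn=admins,dc=example,dc=com";)

# alice, people, example.com
dn: uid=alice,ou=people,dc=example,dc=com
description: no aci: here, parent dn: dc=example,dc=com

dn: ou=people,dc=example,dc=com
ACI:: KGNvbnN0cnVjdGVkKQ==

search: 2
result: 0 Success
EOF
}

sample_ldif | filter_aci_entries
```

Run against a real dump as `filter_aci_entries < aci.ldif > filtered-aci.ldif`.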
