LDAPSEARCH(1)               General Commands Manual              LDAPSEARCH(1)

NAME

       ldapsearch - LDAP search tool

SYNOPSIS

       ldapsearch [-V[V]] [-d debuglevel] [-n] [-v] [-c] [-u] [-t[t]]
       [-T path] [-F prefix] [-A] [-L[L[L]]] [-S attribute] [-b searchbase]
       [-s {base|one|sub|children}] [-a {never|always|search|find}]
       [-l timelimit] [-z sizelimit] [-f file] [-M[M]] [-x] [-D binddn] [-W]
       [-w passwd] [-y passwdfile] [-H ldapuri] [-h ldaphost] [-p ldapport]
       [-P {2|3}] [-e [!]ext[=extparam]] [-E [!]ext[=extparam]]
       [-o opt[=optparam]] [-O security-properties] [-I] [-Q] [-N]
       [-U authcid] [-R realm] [-X authzid] [-Y mech] [-Z[Z]] filter [attrs...]

DESCRIPTION

       ldapsearch is a shell-accessible interface to the ldap_search_ext(3)
       library call.

       ldapsearch opens a connection to an LDAP server, binds, and performs a
       search using specified parameters.  The filter should conform to the
       string representation for search filters as defined in RFC 4515.  If
       not provided, the default filter, (objectClass=*), is used.

       If ldapsearch finds one or more entries, the attributes specified by
       attrs are returned.  If * is listed, all user attributes are returned.
       If + is listed, all operational attributes are returned.  If no attrs
       are listed, all user attributes are returned.  If only 1.1 is listed,
       no attributes will be returned.

       The search results are displayed using an extended version of LDIF.
       Option -L controls the format of the output.

OPTIONS

       -V[V]  Print version info.  If -VV is given, exit after providing
              version info.  Otherwise proceed with the specified search.

       -d debuglevel
              Set the LDAP debugging level to debuglevel.  ldapsearch must be
              compiled with LDAP_DEBUG defined for this option to have any
              effect.

       -n     Show what would be done, but don't actually perform the search.
              Useful for debugging in conjunction with -v.

       -v     Run in verbose mode, with many diagnostics written to standard
              output.

       -c     Continuous operation mode.  Errors are reported, but ldapsearch
              will continue with searches.  The default is to exit after
              reporting an error.  Only useful in conjunction with -f.

       -u     Include the User Friendly Name form of the Distinguished Name
              (DN) in the output.

       -t[t]  A single -t writes retrieved non-printable values to a set of
              temporary files.  This is useful for dealing with values
              containing non-character data such as jpegPhoto or audio.  A
              second -t writes all retrieved values to files.

       -T path
              Write temporary files to the directory specified by path
              (default: /var/tmp/).

       -F prefix
              URL prefix for temporary files.  Default is file://path where
              path is /var/tmp/ or specified with -T.

       -A     Retrieve attributes only (no values).  This is useful when you
              just want to see if an attribute is present in an entry and are
              not interested in the specific values.

       -L     Search results are displayed in LDAP Data Interchange Format as
              detailed in ldif(5).  A single -L restricts the output to
              LDIFv1.  A second -L disables comments.  A third -L disables
              printing of the LDIF version.  The default is to use an
              extended version of LDIF.

       -S attribute
              Sort the entries returned based on attribute.  The default is
              not to sort entries returned.  If attribute is a zero-length
              string (""), the entries are sorted by the components of their
              Distinguished Name.  See ldap_sort(3) for more details.  Note
              that ldapsearch normally prints out entries as it receives
              them.  The use of the -S option defeats this behavior, causing
              all entries to be retrieved, then sorted, then printed.

       -b searchbase
              Use searchbase as the starting point for the search instead of
              the default.

       -s {base|one|sub|children}
              Specify the scope of the search to be one of base, one, sub, or
              children to specify a base object, one-level, subtree, or
              children search.  The default is sub.  Note: children scope
              requires the LDAPv3 subordinate feature extension.

       -a {never|always|search|find}
              Specify how alias dereferencing is done.  Should be one of
              never, always, search, or find to specify that aliases are
              never dereferenced, always dereferenced, dereferenced when
              searching, or dereferenced only when locating the base object
              for the search.  The default is to never dereference aliases.

       -l timelimit
              Wait at most timelimit seconds for a search to complete.  A
              timelimit of 0 (zero) or none means no limit.  A timelimit of
              max means the maximum integer allowable by the protocol.  A
              server may impose a maximal timelimit which only the root user
              may override.

       -z sizelimit
              Retrieve at most sizelimit entries for a search.  A sizelimit
              of 0 (zero) or none means no limit.  A sizelimit of max means
              the maximum integer allowable by the protocol.  A server may
              impose a maximal sizelimit which only the root user may
              override.

       -f file
              Read a series of lines from file, performing one LDAP search
              for each line.  In this case, the filter given on the command
              line is treated as a pattern where the first and only
              occurrence of %s is replaced with a line from file.  Any other
              occurrence of the % character in the pattern will be regarded
              as an error.  Where it is desired that the search filter
              include a % character, the character should be encoded as \25
              (see RFC 4515).  If file is a single - character, then the
              lines are read from standard input.  ldapsearch will exit when
              the first non-successful search result is returned, unless -c
              is used.

       -M[M]  Enable manage DSA IT control.  -MM makes control critical.

       -x     Use simple authentication instead of SASL.

       -D binddn
              Use the Distinguished Name binddn to bind to the LDAP directory.
              For SASL binds, the server is expected to ignore this value.

       -W     Prompt for simple authentication.  This is used instead of
              specifying the password on the command line.

       -w passwd
              Use passwd as the password for simple authentication.

       -y passwdfile
              Use complete contents of passwdfile as the password for simple
              authentication.

       -H ldapuri
              Specify URI(s) referring to the ldap server(s); a list of URIs,
              separated by whitespace or commas, is expected; only the
              protocol/host/port fields are allowed.  As an exception, if no
              host/port is specified, but a DN is, the DN is used to look up
              the corresponding host(s) using the DNS SRV records, according
              to RFC 2782.  The DN must be a non-empty sequence of AVAs whose
              attribute type is "dc" (domain component), and must be escaped
              according to RFC 2396.

       -h ldaphost
              Specify an alternate host on which the ldap server is running.
              Deprecated in favor of -H.

       -p ldapport
              Specify an alternate TCP port where the ldap server is
              listening.  Deprecated in favor of -H.

       -P {2|3}
              Specify the LDAP protocol version to use.

       -e [!]ext[=extparam]

       -E [!]ext[=extparam]

              Specify general extensions with -e and search extensions with
              -E.  '!' indicates criticality.

              General extensions:
                [!]assert=<filter>    (an RFC 4515 Filter)
                !authzid=<authzid>    ("dn:<dn>" or "u:<user>")
                [!]bauthzid           (RFC 3829 authzid control)
                [!]chaining[=<resolve>[/<cont>]]
                [!]manageDSAit
                [!]noop
                ppolicy
                [!]postread[=<attrs>] (a comma-separated attribute list)
                [!]preread[=<attrs>]  (a comma-separated attribute list)
                [!]relax
                sessiontracking
                abandon,cancel,ignore (SIGINT sends abandon/cancel,
                or ignores response; if critical, doesn't wait for SIGINT.
                not really controls)

              Search extensions:
                !dontUseCopy
                [!]domainScope                       (domain scope)
                [!]mv=<filter>                       (matched values filter)
                [!]pr=<size>[/prompt|noprompt]       (paged results/prompt)
                [!]sss=[-]<attr[:OID]>[/[-]<attr[:OID]>...]  (server side sorting)
                [!]subentries[=true|false]           (subentries)
                [!]sync=ro[/<cookie>]                (LDAP Sync refreshOnly)
                        rp[/<cookie>][/<slimit>]     (LDAP Sync refreshAndPersist)
                [!]vlv=<before>/<after>(/<offset>/<count>|:<value>)  (virtual list view)
                [!]deref=derefAttr:attr[,attr[...]][;derefAttr:attr[,attr[...]]]
                [!]<oid>[=<value>]

       -o opt[=optparam]

              Specify general options.

              General options:
                nettimeout=<timeout>  (in seconds, or "none" or "max")
                ldif-wrap=<width>     (in columns, or "no" for no wrapping)

       -O security-properties
              Specify SASL security properties.

       -I     Enable SASL Interactive mode.  Always prompt.  Default is to
              prompt only as needed.

       -Q     Enable SASL Quiet mode.  Never prompt.

       -N     Do not use reverse DNS to canonicalize SASL host name.

       -U authcid
              Specify the authentication ID for SASL bind.  The form of the ID
              depends on the actual SASL mechanism used.

       -R realm
              Specify the realm of authentication ID for SASL bind.  The form
              of the realm depends on the actual SASL mechanism used.

       -X authzid
              Specify the requested authorization ID for SASL bind.  authzid
              must be one of the following formats: dn:<distinguished name> or
              u:<username>

       -Y mech
              Specify the SASL mechanism to be used for authentication.  If
              it's not specified, the program will choose the best mechanism
              the server knows.

       -Z[Z]  Issue StartTLS (Transport Layer Security) extended operation.  If
              you use -ZZ, the command will require the operation to be
              successful.

OUTPUT FORMAT

       If one or more entries are found, each entry is written to standard
       output in LDAP Data Interchange Format or ldif(5):

           version: 1

           # bjensen, example, net
           dn: uid=bjensen,dc=example,dc=net
           objectClass: person
           objectClass: dcObject
           uid: bjensen
           cn: Barbara Jensen
           sn: Jensen
           ...

       If the -t option is used, the URI of a temporary file is used in place
       of the actual value.  If the -A option is given, only the
       "attributename" part is written.

EXAMPLE

       The following command:

           ldapsearch -LLL "(sn=smith)" cn sn telephoneNumber

       will perform a subtree search (using the default search base and other
       parameters defined in ldap.conf(5)) for entries with a surname (sn) of
       smith.  The common name (cn), surname (sn) and telephoneNumber values
       will be retrieved and printed to standard output.  The output might
       look something like this if two entries are found:

           dn: uid=jts,dc=example,dc=com
           cn: John Smith
           cn: John T. Smith
           sn: Smith
           sn;lang-en: Smith
           sn;lang-de: Schmidt
           telephoneNumber: 1 555 123-4567

           dn: uid=sss,dc=example,dc=com
           cn: Steve Smith
           cn: Steve S. Smith
           sn: Smith
           sn;lang-en: Smith
           sn;lang-de: Schmidt
           telephoneNumber: 1 555 765-4321

       The command:

           ldapsearch -LLL -u -t "(uid=xyz)" jpegPhoto audio

       will perform a subtree search using the default search base for entries
       with user id of "xyz".  The user friendly form of the entry's DN will
       be output after the line that contains the DN itself, and the jpegPhoto
       and audio values will be retrieved and written to temporary files.  The
       output might look like this if one entry with one value for each of the
       requested attributes is found:

           dn: uid=xyz,dc=example,dc=com
           ufn: xyz, example, com
           audio:< file:///tmp/ldapsearch-audio-a19924
           jpegPhoto:< file:///tmp/ldapsearch-jpegPhoto-a19924

       This command:

           ldapsearch -LLL -s one -b "c=US" "(o=University*)" o description

       will perform a one-level search at the c=US level for all entries whose
       organization name (o) begins with University.  The organization name
       and description attribute values will be retrieved and printed to
       standard output, resulting in output similar to this:

           dn: o=University of Alaska Fairbanks,c=US
           o: University of Alaska Fairbanks
           description: Preparing Alaska for a brave new yesterday
           description: leaf node only

           dn: o=University of Colorado at Boulder,c=US
           o: University of Colorado at Boulder
           description: No personnel information
           description: Institution of education and research

           dn: o=University of Colorado at Denver,c=US
           o: University of Colorado at Denver
           o: UCD
           o: CU/Denver
           o: CU-Denver
           description: Institute for Higher Learning and Research

           dn: o=University of Florida,c=US
           o: University of Florida
           o: UFl
           description: Warper of young minds

           ...
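       Added example (not part of the OpenLDAP man page): a POSIX shell helper
       that escapes values according to RFC 4515 before they are written to the
       file read by -f, so that a line such as a*b(c) is matched literally
       instead of changing the structure of the (uid=%s) pattern, and a bare %
       in a value becomes \25 as the -f description requires.  The function
       names, the file path and the sample values are constructed for this
       illustration.

```sh
#!/bin/sh
# Escape one value for literal use inside an RFC 4515 search filter.
# The backslash is handled first so the escapes added afterwards are not
# themselves re-escaped.  '%' is also encoded as \25 because ldapsearch -f
# treats any '%' in the pattern other than the single '%s' as an error.
ldap_filter_escape() {
    printf '%s\n' "$1" | sed \
        -e 's/\\/\\5c/g' \
        -e 's/\*/\\2a/g' \
        -e 's/(/\\28/g' \
        -e 's/)/\\29/g' \
        -e 's/%/\\25/g'
}

# Write one escaped value per line to the file that ldapsearch -f reads.
# Usage: write_search_lines OUTFILE value...
write_search_lines() {
    out=$1
    shift
    : > "$out"
    for v in "$@"; do
        ldap_filter_escape "$v" >> "$out"
    done
}

# Constructed sample input: the second value contains filter metacharacters
# that would otherwise alter the meaning of the (uid=%s) pattern, and the
# third contains a '%' that -f would reject unescaped.
lines=${TMPDIR:-/tmp}/ldapsearch-lines.txt
write_search_lines "$lines" 'bjensen' 'a*b(c)' '100%'

# One search per line; -n only shows what would be done, and -c keeps going
# after a failed search.  Uncomment to run against a real server.
# ldapsearch -n -c -LLL -f "$lines" "(uid=%s)" cn sn
```

       The escaped file contains bjensen, a\2ab\28c\29 and 100\25, one per
       line, so each substituted filter stays a single equality match.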

DIAGNOSTICS

       Exit status is zero if no errors occur.  Errors result in a non-zero
       exit status and a diagnostic message being written to standard error.

SEE ALSO

       ldapadd(1), ldapdelete(1), ldapmodify(1), ldapmodrdn(1), ldap.conf(5),
       ldif(5), ldap(3), ldap_search_ext(3), ldap_sort(3)

AUTHOR

       The OpenLDAP Project <http://www.openldap.org/>

ACKNOWLEDGEMENTS

       OpenLDAP Software is developed and maintained by The OpenLDAP Project
       <http://www.openldap.org/>.  OpenLDAP Software is derived from the
       University of Michigan LDAP 3.3 Release.



OpenLDAP 2.4.46                   2018/03/22                     LDAPSEARCH(1)