LDAPSEARCH(1)               General Commands Manual              LDAPSEARCH(1)

NAME
       ldapsearch - LDAP search tool

SYNOPSIS
       ldapsearch [-V[V]] [-d debuglevel] [-n] [-v] [-c] [-u] [-t[t]]
       [-T path] [-F prefix] [-A] [-L[L[L]]] [-S attribute] [-b searchbase]
       [-s {base|one|sub|children}] [-a {never|always|search|find}]
       [-l timelimit] [-z sizelimit] [-f file] [-M[M]] [-x] [-D binddn] [-W]
       [-w passwd] [-y passwdfile] [-H ldapuri] [-h ldaphost] [-p ldapport]
       [-P {2|3}] [-e [!]ext[=extparam]] [-E [!]ext[=extparam]]
       [-o opt[=optparam]] [-O security-properties] [-I] [-Q] [-N]
       [-U authcid] [-R realm] [-X authzid] [-Y mech] [-Z[Z]] filter [attrs...]

DESCRIPTION
       ldapsearch is a shell-accessible interface to the ldap_search_ext(3)
       library call.

       ldapsearch opens a connection to an LDAP server, binds, and performs a
       search using the specified parameters. The filter should conform to
       the string representation for search filters as defined in RFC 4515.
       If no filter is provided, the default filter, (objectClass=*), is used.

       If ldapsearch finds one or more entries, the attributes specified by
       attrs are returned. If * is listed, all user attributes are returned.
       If + is listed, all operational attributes are returned. If no attrs
       are listed, all user attributes are returned. If only 1.1 is listed,
       no attributes will be returned.

       The search results are displayed using an extended version of LDIF.
       Option -L controls the format of the output.

OPTIONS
       -V[V]  Print version info. If -VV is given, exit after providing
              version info. Otherwise proceed with the specified search.

       -d debuglevel
              Set the LDAP debugging level to debuglevel. ldapsearch must be
              compiled with LDAP_DEBUG defined for this option to have any
              effect.

       -n     Show what would be done, but don't actually perform the search.
              Useful for debugging in conjunction with -v.

       -v     Run in verbose mode, with many diagnostics written to standard
              output.

       -c     Continuous operation mode. Errors are reported, but ldapsearch
              will continue with searches. The default is to exit after
              reporting an error. Only useful in conjunction with -f.

       -u     Include the User Friendly Name form of the Distinguished Name
              (DN) in the output.

       -t[t]  A single -t writes retrieved non-printable values to a set of
              temporary files. This is useful for dealing with values
              containing non-character data such as jpegPhoto or audio. A
              second -t writes all retrieved values to files.

       -T path
              Write temporary files to the directory specified by path
              (default: /var/tmp/).

       -F prefix
              URL prefix for temporary files. Default is file://path where
              path is /var/tmp/ or the directory specified with -T.

       -A     Retrieve attributes only (no values). This is useful when you
              just want to see if an attribute is present in an entry and are
              not interested in the specific values.

       -L     Search results are displayed in LDAP Data Interchange Format
              as detailed in ldif(5). A single -L restricts the output to
              LDIFv1. A second -L disables comments. A third -L disables
              printing of the LDIF version. The default is to use an extended
              version of LDIF.

       -S attribute
              Sort the entries returned based on attribute. The default is
              not to sort entries returned. If attribute is a zero-length
              string (""), the entries are sorted by the components of their
              Distinguished Name. See ldap_sort(3) for more details. Note
              that ldapsearch normally prints out entries as it receives
              them. The use of the -S option defeats this behavior, causing
              all entries to be retrieved, then sorted, then printed.

       -b searchbase
              Use searchbase as the starting point for the search instead of
              the default.

       -s {base|one|sub|children}
              Specify the scope of the search to be one of base, one, sub, or
              children to specify a base object, one-level, subtree, or
              children search. The default is sub. Note: the children scope
              requires the LDAPv3 subordinate feature extension.

       -a {never|always|search|find}
              Specify how alias dereferencing is done. Should be one of
              never, always, search, or find to specify that aliases are
              never dereferenced, always dereferenced, dereferenced when
              searching, or dereferenced only when locating the base object
              for the search. The default is to never dereference aliases.

       -l timelimit
              Wait at most timelimit seconds for a search to complete. A
              timelimit of 0 (zero) or none means no limit. A timelimit of
              max means the maximum integer allowable by the protocol. A
              server may impose a maximal timelimit which only the root user
              may override.

       -z sizelimit
              Retrieve at most sizelimit entries for a search. A sizelimit of
              0 (zero) or none means no limit. A sizelimit of max means the
              maximum integer allowable by the protocol. A server may impose
              a maximal sizelimit which only the root user may override.

       -f file
              Read a series of lines from file, performing one LDAP search for
              each line. In this case, the filter given on the command line
              is treated as a pattern where the first and only occurrence of
              %s is replaced with a line from file. Any other occurrence of
              the % character in the pattern will be regarded as an error.
              Where it is desired that the search filter include a %
              character, the character should be encoded as \25 (see RFC
              4515). The line from file is substituted verbatim; filter
              metacharacters in it are not escaped for you. If file is a
              single - character, then the lines are read from standard
              input. ldapsearch will exit when the first non-successful
              search result is returned, unless -c is used.

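       The following script is an added example and is not part of the
       OpenLDAP manual. It prepares a list file for -f in which each value
       has been escaped per RFC 4515 (backslash, asterisk and parentheses),
       so that a hostile or malformed input line such as *)(uid=admin cannot
       rewrite the filter when ldapsearch substitutes it verbatim for %s. The
       same function, plus a % to \25 step, produces literal text for the
       pattern itself. The sample input lines are constructed for the
       illustration; LDAP_URI, BIND_DN and BASE are assumed environment
       variables, and search_by_uid_list is only defined, not called, because
       it needs a reachable server.

```sh
#!/bin/sh
# Added example: escaping values before they are substituted into an
# ldapsearch -f filter pattern. Not part of the OpenLDAP manual.

# Encode the RFC 4515 metacharacters in a single value. The backslash must be
# handled first so the escapes introduced afterwards are not escaped again.
# (A NUL byte would become \00, but a shell string cannot carry one.)
ldap_filter_escape() {
    printf '%s\n' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                             -e 's/(/\\28/g'  -e 's/)/\\29/g'
}

# Literal text destined for the -f pattern additionally needs % encoded as
# \25, because ldapsearch treats any % other than the single %s as an error.
ldap_pattern_literal() {
    ldap_filter_escape "$1" | sed 's/%/\\25/g'
}

# Read raw values on stdin and write one escaped value per line, suitable
# as the file argument of -f.
escape_lines() {
    while IFS= read -r line; do
        ldap_filter_escape "$line"
    done
}

# One search per line of the list file. -c keeps going after a failed search,
# -ZZ refuses to proceed without TLS. Needs a reachable server, so it is only
# defined here; LDAP_URI, BIND_DN and BASE are assumed environment variables.
search_by_uid_list() {
    ldapsearch -LLL -x -ZZ -H "$LDAP_URI" -D "$BIND_DN" -W -b "$BASE" -c \
        -f "$1" "(&(objectClass=person)(uid=%s))" cn mail
}

# Constructed sample input: the second line is a filter-injection attempt.
list=$(mktemp)
printf '%s\n' 'bjensen' '*)(uid=admin' 'smith\' | escape_lines > "$list"
cat "$list"        # bjensen / \2a\29\28uid=admin / smith\5c
rm -f "$list"
```

       Run as a script it prints the three escaped lines; with a server
       available, search_by_uid_list "$list" performs the searches. The
       escaping is applied to the data, never to the %s placeholder, so the
       pattern keeps exactly one %s as -f requires.
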
       -M[M]  Enable manage DSA IT control. -MM makes the control critical.

       -x     Use simple authentication instead of SASL. A simple bind sends
              the password in the clear, so combine it with -ZZ or an
              ldaps:// URI.

       -D binddn
              Use the Distinguished Name binddn to bind to the LDAP directory.
              For SASL binds, the server is expected to ignore this value.

       -W     Prompt for the simple authentication password. This is used
              instead of specifying the password on the command line.

       -w passwd
              Use passwd as the password for simple authentication. A
              password given this way is visible to other users in the
              process list and may be recorded in the shell history; prefer
              -W or -y.

       -y passwdfile
              Use the complete contents of passwdfile as the password for
              simple authentication. No trailing newline is stripped, so
              create the file with printf rather than echo.

       -H ldapuri
              Specify URI(s) referring to the ldap server(s); a list of URIs,
              separated by whitespace or commas, is expected; only the
              protocol/host/port fields are allowed. As an exception, if no
              host/port is specified, but a DN is, the DN is used to look up
              the corresponding host(s) using the DNS SRV records, according
              to RFC 2782. The DN must be a non-empty sequence of AVAs whose
              attribute type is "dc" (domain component), and must be escaped
              according to RFC 2396.

       -h ldaphost
              Specify an alternate host on which the ldap server is running.
              Deprecated in favor of -H.

       -p ldapport
              Specify an alternate TCP port where the ldap server is
              listening. Deprecated in favor of -H.

       -P {2|3}
              Specify the LDAP protocol version to use.

       -e [!]ext[=extparam]

       -E [!]ext[=extparam]

              Specify general extensions with -e and search extensions with
              -E. '!' indicates criticality.

              General extensions:
                [!]assert=<filter>    (an RFC 4515 Filter)
                !authzid=<authzid>    ("dn:<dn>" or "u:<user>")
                [!]bauthzid           (RFC 3829 authzid control)
                [!]chaining[=<resolve>[/<cont>]]
                [!]manageDSAit
                [!]noop
                ppolicy
                [!]postread[=<attrs>] (a comma-separated attribute list)
                [!]preread[=<attrs>]  (a comma-separated attribute list)
                [!]relax
                sessiontracking
                abandon,cancel,ignore (SIGINT sends abandon/cancel,
                or ignores response; if critical, doesn't wait for SIGINT.
                not really controls)

              Search extensions:
                !dontUseCopy
                [!]domainScope                  (domain scope)
                [!]mv=<filter>                  (matched values filter)
                [!]pr=<size>[/prompt|noprompt]  (paged results/prompt)
                [!]sss=[-]<attr[:OID]>[/[-]<attr[:OID]>...]
                                                (server side sorting)
                [!]subentries[=true|false]      (subentries)
                [!]sync=ro[/<cookie>]           (LDAP Sync refreshOnly)
                        rp[/<cookie>][/<slimit>] (LDAP Sync refreshAndPersist)
                [!]vlv=<before>/<after>(/<offset>/<count>|:<value>)
                                                (virtual list view)
                [!]deref=derefAttr:attr[,attr[...]][;derefAttr:attr[,attr[...]]]
                [!]<oid>[=<value>]

       -o opt[=optparam]

              Specify any ldap.conf(5) option or one of the following:
                nettimeout=<timeout>  (in seconds, or "none" or "max")
                ldif_wrap=<width>     (in columns, or "no" for no wrapping)

       -O security-properties
              Specify SASL security properties.

       -I     Enable SASL Interactive mode. Always prompt. Default is to
              prompt only as needed.

       -Q     Enable SASL Quiet mode. Never prompt.

       -N     Do not use reverse DNS to canonicalize the SASL host name.

       -U authcid
              Specify the authentication ID for SASL bind. The form of the ID
              depends on the actual SASL mechanism used.

       -R realm
              Specify the realm of the authentication ID for SASL bind. The
              form of the realm depends on the actual SASL mechanism used.

       -X authzid
              Specify the requested authorization ID for SASL bind. authzid
              must be one of the following formats: dn:<distinguished name>
              or u:<username>

       -Y mech
              Specify the SASL mechanism to be used for authentication. If
              it's not specified, the program will choose the best mechanism
              the server knows.

       -Z[Z]  Issue the StartTLS (Transport Layer Security) extended
              operation. If you use -ZZ, the command will require the
              operation to be successful. With a single -Z, a failed StartTLS
              is only reported and the session continues without encryption.

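       The following script is an added example, not part of the OpenLDAP
       manual, covering the -x, -w, -y and -Z options together: the bind
       password is written to a file for -y (so it never appears in argv or
       shell history), the file is checked for the trailing newline that echo
       would have added and for a 0600 mode, and StartTLS is made mandatory
       with -ZZ. The password is constructed for the illustration; LDAP_URI,
       BIND_DN and BASE are assumed environment variables, and
       ldap_search_secure is only defined, not called, because it needs a
       reachable server.

```sh
#!/bin/sh
# Added example: keeping the bind password out of argv and forcing TLS.
# Not part of the OpenLDAP manual.

# Write a password file for -y. ldapsearch uses the file's complete contents,
# so a trailing newline (which echo would add) would become part of the
# password. The umask runs in a subshell so it does not leak to the caller.
write_password_file() {
    ( umask 077; printf '%s' "$2" > "$1" )
}

# Sanity check before use: regular file, mode exactly 0600, not empty and no
# trailing newline. Command substitution strips trailing newlines, so the
# last byte reads as empty exactly when it is a newline.
check_password_file() {
    [ -f "$1" ] &&
    [ "$(find "$1" -prune -perm 600)" = "$1" ] &&
    [ -n "$(tail -c 1 "$1")" ]
}

# The search wrapper. -x selects a simple bind, which sends the password in
# the clear, so -ZZ makes a failed StartTLS negotiation fatal instead of
# quietly continuing without encryption. Only defined here, since it needs
# a server; LDAP_URI, BIND_DN and BASE are assumed environment variables.
ldap_search_secure() {
    pwfile=$1; shift
    check_password_file "$pwfile" || { echo "refusing to use $pwfile" >&2; return 1; }
    ldapsearch -LLL -x -ZZ -H "$LDAP_URI" -D "$BIND_DN" -y "$pwfile" \
        -b "$BASE" "$@"
}

# Demonstration with a constructed password in a private temporary directory.
d=$(mktemp -d)
write_password_file "$d/pw" 'correct horse'
check_password_file "$d/pw" && echo "ok: $(wc -c < "$d/pw" | tr -d ' ') bytes, mode 0600"
printf '%s\n' 'correct horse' > "$d/pw"     # what echo would have produced
check_password_file "$d/pw" || echo "rejected: trailing newline"
rm -rf "$d"
```

       With a server available, ldap_search_secure "$d/pw" "(uid=bjensen)"
       mail performs the bind and search; the check runs first, so a file that
       echo produced, or one another user could read, is refused before any
       connection is made.
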
OUTPUT FORMAT
       If one or more entries are found, each entry is written to standard
       output in LDAP Data Interchange Format or ldif(5):

           version: 1

           # bjensen, example, net
           dn: uid=bjensen,dc=example,dc=net
           objectClass: person
           objectClass: dcObject
           uid: bjensen
           cn: Barbara Jensen
           sn: Jensen
           ...

       If the -t option is used, the URI of a temporary file is used in place
       of the actual value. If the -A option is given, only the
       "attributename" part is written.

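       The following shell functions are an added example, not part of the
       OpenLDAP manual, for consuming this output from a script. ldapsearch
       folds long values onto continuation lines that begin with a single
       space (unless -o ldif_wrap=no is given), writes non-printable values
       base64-encoded after "::", and with -t writes a file URL after ":<",
       so a plain grep for an attribute silently misses values. The sample
       LDIF is constructed for the illustration; the functions read standard
       input, so "ldapsearch ... | ldif_attr mail" works the same way.

```sh
#!/bin/sh
# Added example: reading ldapsearch LDIF output from a script.
# Not part of the OpenLDAP manual.

# Undo LDIF line folding: a line that starts with a single space continues
# the previous line (the space itself is dropped).
ldif_unwrap() {
    awk '
        /^ /  { buf = buf substr($0, 2); next }
              { if (started) print buf; buf = $0; started = 1 }
        END   { if (started) print buf }'
}

# Print every value of attribute $1 from the LDIF on stdin, one per line.
# "attr:: b64" values are decoded; "attr:< url" (produced by -t) prints the
# URL itself. Attribute options such as sn;lang-en are distinct attribute
# descriptions and are deliberately not matched by a bare "sn".
ldif_attr() {
    attr=$1
    ldif_unwrap | while IFS= read -r line; do
        case $line in
            "$attr:: "*) printf '%s\n' "$(printf '%s' "${line#"$attr:: "}" | base64 -d)" ;;
            "$attr:< "*) printf '%s\n' "${line#"$attr:< "}" ;;
            "$attr: "*)  printf '%s\n' "${line#"$attr: "}" ;;
        esac
    done
}

# Constructed sample in the shape of "ldapsearch -LLL -t" output: the
# description is base64 ("long lines") folded across two lines, the second
# cn is folded as plain text, and jpegPhoto was written to a file.
SAMPLE_LDIF='dn: uid=bjensen,dc=example,dc=net
objectClass: person
cn: Barbara Jensen
cn: Barbara J. Jen
 sen
sn;lang-en: Jensen
description:: bG9uZyBs
 aW5lcw==
jpegPhoto:< file:///tmp/ldapsearch-jpegPhoto-a19924
'

printf '%s' "$SAMPLE_LDIF" | ldif_attr cn            # both cn values, unfolded
printf '%s' "$SAMPLE_LDIF" | ldif_attr description   # long lines
printf '%s' "$SAMPLE_LDIF" | ldif_attr jpegPhoto     # the file URL
```

       The unwrap step is what makes the other two matches reliable: without
       it, the folded cn value and the split base64 would each be seen as a
       truncated value followed by an unrelated line.
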
EXAMPLES
       The following command:

           ldapsearch -LLL "(sn=smith)" cn sn telephoneNumber

       will perform a subtree search (using the default search base and other
       parameters defined in ldap.conf(5)) for entries with a surname (sn) of
       smith. The common name (cn), surname (sn) and telephoneNumber values
       will be retrieved and printed to standard output. The output might
       look something like this if two entries are found:

           dn: uid=jts,dc=example,dc=com
           cn: John Smith
           cn: John T. Smith
           sn: Smith
           sn;lang-en: Smith
           sn;lang-de: Schmidt
           telephoneNumber: 1 555 123-4567

           dn: uid=sss,dc=example,dc=com
           cn: Steve Smith
           cn: Steve S. Smith
           sn: Smith
           sn;lang-en: Smith
           sn;lang-de: Schmidt
           telephoneNumber: 1 555 765-4321

       The command:

           ldapsearch -LLL -u -t "(uid=xyz)" jpegPhoto audio

       will perform a subtree search using the default search base for entries
       with user id of "xyz". The user friendly form of the entry's DN will
       be output after the line that contains the DN itself, and the jpegPhoto
       and audio values will be retrieved and written to temporary files. The
       output might look like this if one entry with one value for each of the
       requested attributes is found:

           dn: uid=xyz,dc=example,dc=com
           ufn: xyz, example, com
           audio:< file:///tmp/ldapsearch-audio-a19924
           jpegPhoto:< file:///tmp/ldapsearch-jpegPhoto-a19924

       This command:

           ldapsearch -LLL -s one -b "c=US" "(o=University*)" o description

       will perform a one-level search at the c=US level for all entries whose
       organization name (o) begins with University. The organization name
       and description attribute values will be retrieved and printed to
       standard output, resulting in output similar to this:

           dn: o=University of Alaska Fairbanks,c=US
           o: University of Alaska Fairbanks
           description: Preparing Alaska for a brave new yesterday
           description: leaf node only

           dn: o=University of Colorado at Boulder,c=US
           o: University of Colorado at Boulder
           description: No personnel information
           description: Institution of education and research

           dn: o=University of Colorado at Denver,c=US
           o: University of Colorado at Denver
           o: UCD
           o: CU/Denver
           o: CU-Denver
           description: Institute for Higher Learning and Research

           dn: o=University of Florida,c=US
           o: University of Florida
           o: UFl
           description: Warper of young minds

           ...

DIAGNOSTICS
       Exit status is zero if no errors occur. Errors result in a non-zero
       exit status and a diagnostic message being written to standard error.

SEE ALSO
       ldapadd(1), ldapdelete(1), ldapmodify(1), ldapmodrdn(1), ldap.conf(5),
       ldif(5), ldap(3), ldap_search_ext(3), ldap_sort(3)

AUTHOR
       The OpenLDAP Project <http://www.openldap.org/>

ACKNOWLEDGEMENTS
       OpenLDAP Software is developed and maintained by The OpenLDAP Project
       <http://www.openldap.org/>. OpenLDAP Software is derived from the
       University of Michigan LDAP 3.3 Release.

OpenLDAP                          2021/06/03                     LDAPSEARCH(1)