LDAPSEARCH(1)               General Commands Manual              LDAPSEARCH(1)



NAME
       ldapsearch - LDAP search tool

SYNOPSIS
       ldapsearch [-n] [-u] [-v] [-t[t]] [-T path] [-F prefix] [-A] [-L[L[L]]]
       [-M[M]] [-S attribute] [-d debuglevel] [-f file] [-x] [-D binddn] [-W]
       [-w passwd] [-y passwdfile] [-H ldapuri] [-h ldaphost] [-p ldapport]
       [-b searchbase] [-s base|one|sub|children]
       [-a never|always|search|find] [-P 2|3] [-e [!]ext[=extparam]]
       [-E [!]ext[=extparam]] [-l timelimit] [-z sizelimit]
       [-O security-properties] [-I] [-Q] [-U authcid] [-R realm] [-X authzid]
       [-Y mech] [-Z[Z]] filter [attrs...]

DESCRIPTION
       ldapsearch is a shell-accessible interface to the ldap_search_ext(3)
       library call.

       ldapsearch opens a connection to an LDAP server, binds, and performs a
       search using the specified parameters.  The filter should conform to
       the string representation for search filters defined in RFC 4515.  If
       no filter is provided, the default filter, (objectClass=*), is used.

       If ldapsearch finds one or more entries, the attributes specified by
       attrs are returned.  If * is listed, all user attributes are returned.
       If + is listed, all operational attributes are returned.  If no attrs
       are listed, all user attributes are returned.  If only 1.1 is listed,
       no attributes will be returned.

OPTIONS
       -n     Show what would be done, but don't actually perform the search.
              Useful for debugging in conjunction with -v.

       -u     Include the User Friendly Name form of the Distinguished Name
              (DN) in the output.

       -v     Run in verbose mode, with many diagnostics written to standard
              output.

       -t[t]  A single -t writes retrieved non-printable values to a set of
              temporary files.  This is useful for dealing with values
              containing non-character data such as jpegPhoto or audio.  A
              second -t writes all retrieved values to files.

       -T path
              Write temporary files to the directory specified by path
              (default: /var/tmp/).  The default directory is shared with
              every user of the host, so point -T at a private directory when
              the retrieved values are sensitive.

       -F prefix
              URL prefix for temporary files.  Default is file://path/ where
              path is /var/tmp/ or the directory specified with -T.

       -A     Retrieve attributes only (no values).  This is useful when you
              just want to see if an attribute is present in an entry and are
              not interested in the specific values.

       -L     Search results are displayed in LDAP Data Interchange Format,
              detailed in ldif(5).  A single -L restricts the output to
              LDIFv1.  A second -L disables comments.  A third -L disables
              printing of the LDIF version.  The default is to use an
              extended version of LDIF.

       -M[M]  Enable the manage DSA IT control.  -MM makes the control
              critical.

       -S attribute
              Sort the entries returned based on attribute.  The default is
              not to sort entries returned.  If attribute is a zero-length
              string (""), the entries are sorted by the components of their
              Distinguished Name.  See ldap_sort(3) for more details.  Note
              that ldapsearch normally prints out entries as it receives
              them.  The use of the -S option defeats this behavior, causing
              all entries to be retrieved, then sorted, then printed.

       -d debuglevel
              Set the LDAP debugging level to debuglevel.  ldapsearch must be
              compiled with LDAP_DEBUG defined for this option to have any
              effect.

       -f file
              Read a series of lines from file, performing one LDAP search
              for each line.  In this case, the filter given on the command
              line is treated as a pattern where the first and only
              occurrence of %s is replaced with a line from file.  Any other
              occurrence of the % character in the pattern will be regarded
              as an error.  Where it is desired that the search filter
              include a % character, the character should be encoded as \25
              (see RFC 4515).  Lines read from file are substituted as-is,
              so any filter metacharacters they contain (*, (, ), \) must
              already be escaped as RFC 4515 requires.  If file is a single
              - character, then the lines are read from standard input.

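       The value substituted for %s goes into the filter as-is, so a line
       that contains filter metacharacters changes the query instead of
       being matched as data.  The following POSIX shell functions, an added
       example rather than part of OpenLDAP, escape values as RFC 4515
       section 3 requires (the same rule applies to any filter built from
       untrusted input and passed on the command line, see DESCRIPTION) and
       feed them to -f -.  The LDAP_URI and LDAP_BASE variables, their
       defaults and the user names are placeholders.

```shell
#!/bin/sh
# Added example, not part of OpenLDAP: escape untrusted strings for use
# inside an RFC 4515 search filter before ldapsearch -f substitutes them
# for %s.  The server URI, search base and user names are placeholders.

# RFC 4515 section 3 requires the characters \ * ( ) and NUL inside an
# assertion value to be written as \5c \2a \28 \29 \00.  The backslash
# rule runs first so that the escapes emitted by the later rules are not
# themselves re-escaped.  NUL cannot occur in a shell string, so it needs
# no rule here.  The value is printed with a newline so that sed behaves
# the same on every platform; $(...) strips it again.
ldap_filter_escape() {
    printf '%s\n' "$1" | sed -e 's/\\/\\5c/g' \
                             -e 's/\*/\\2a/g' \
                             -e 's/(/\\28/g'  \
                             -e 's/)/\\29/g'
}

# uid_filter VALUE: build a complete (uid=...) filter from an untrusted value.
uid_filter() {
    printf '(uid=%s)' "$(ldap_filter_escape "$1")"
}

# search_uids: read one user name per line from stdin and run one search
# per name.  Each line is escaped first, because ldapsearch inserts the
# line into the pattern verbatim.  -f - takes the lines from standard
# input; the pattern is the positional filter argument.  -x is an
# anonymous simple bind and -ZZ refuses to proceed without StartTLS.
search_uids() {
    while IFS= read -r name; do
        ldap_filter_escape "$name"
    done | ldapsearch -LLL -x -ZZ \
                      -H "${LDAP_URI:-ldap://ldap.example.com}" \
                      -b "${LDAP_BASE:-dc=example,dc=com}" \
                      -f - '(uid=%s)' cn mail
}

# Demonstration of the escaping alone; no server is needed.  Unescaped, a
# value of "*" would turn the pattern into (uid=*), a presence filter that
# matches every entry with a uid; escaped, it matches only a uid whose
# value is the single character "*".
for v in 'bjensen' '*' '*)(uid=*' 'back\slash'; do
    printf '%-12s -> %s\n' "$v" "$(uid_filter "$v")"
done
```

       The sed rules are plain BRE and work with GNU, BSD and busybox sed;
       the ordering of the four rules is what makes the function safe, since
       escaping the backslash last would corrupt the \2a, \28 and \29
       sequences produced before it.
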
       -x     Use simple authentication instead of SASL.

       -D binddn
              Use the Distinguished Name binddn to bind to the LDAP directory.

       -W     Prompt for the simple authentication password.  This is used
              instead of specifying the password on the command line.

       -w passwd
              Use passwd as the password for simple authentication.  The
              password then appears in the command line, where other users
              of the host can read it from the process table and where the
              shell records it in its history; prefer -W or -y.

       -y passwdfile
              Use the complete contents of passwdfile as the password for
              simple authentication.  A trailing newline in the file becomes
              part of the password, so write the file without one.

       -H ldapuri
              Specify URI(s) referring to the LDAP server(s); only the
              protocol/host/port fields are allowed; a list of URIs,
              separated by whitespace or commas, is expected.

       -h ldaphost
              Specify an alternate host on which the LDAP server is running.
              Deprecated in favor of -H.

       -p ldapport
              Specify an alternate TCP port on which the LDAP server is
              listening.  Deprecated in favor of -H.

       -b searchbase
              Use searchbase as the starting point for the search instead of
              the default.

       -s base|one|sub|children
              Specify the scope of the search to be one of base, one, sub, or
              children to specify a base object, one-level, subtree, or
              children search.  The default is sub.  Note: the children scope
              requires the LDAPv3 subordinate feature extension.

       -a never|always|search|find
              Specify how alias dereferencing is done.  Should be one of
              never, always, search, or find to specify that aliases are
              never dereferenced, always dereferenced, dereferenced when
              searching, or dereferenced only when locating the base object
              for the search.  The default is to never dereference aliases.

       -P 2|3 Specify the LDAP protocol version to use.

       -e [!]ext[=extparam]

       -E [!]ext[=extparam]

              Specify general extensions with -e and search extensions with
              -E.  '!' indicates criticality.

              General extensions:
                [!]assert=<filter>     (an RFC 4515 Filter)
                [!]authzid=<authzid>   ("dn:<dn>" or "u:<user>")
                [!]manageDSAit
                [!]noop
                ppolicy
                [!]postread[=<attrs>]  (a comma-separated attribute list)
                [!]preread[=<attrs>]   (a comma-separated attribute list)
                abandon, cancel        (SIGINT sends abandon/cancel; not really controls)

              Search extensions:
                [!]domainScope                    (domain scope)
                [!]mv=<filter>                    (matched values filter)
                [!]pr=<size>[/prompt|noprompt]    (paged results/prompt)
                [!]subentries[=true|false]        (subentries)
                [!]sync=ro[/<cookie>]             (LDAP Sync refreshOnly)
                        rp[/<cookie>][/<slimit>]  (LDAP Sync refreshAndPersist)

       -l timelimit
              Wait at most timelimit seconds for a search to complete.  A
              timelimit of 0 (zero) or none means no limit.  A timelimit of
              max means the maximum integer allowable by the protocol.  A
              server may impose a maximal timelimit which only the root user
              may override.

       -z sizelimit
              Retrieve at most sizelimit entries for a search.  A sizelimit
              of 0 (zero) or none means no limit.  A sizelimit of max means
              the maximum integer allowable by the protocol.  A server may
              impose a maximal sizelimit which only the root user may
              override.

       -O security-properties
              Specify SASL security properties.

       -I     Enable SASL Interactive mode.  Always prompt.  Default is to
              prompt only as needed.

       -Q     Enable SASL Quiet mode.  Never prompt.

       -U authcid
              Specify the authentication ID for SASL bind.  The form of the
              ID depends on the actual SASL mechanism used.

       -R realm
              Specify the realm of the authentication ID for SASL bind.  The
              form of the realm depends on the actual SASL mechanism used.

       -X authzid
              Specify the requested authorization ID for SASL bind.  authzid
              must be one of the following formats: dn:<distinguished name>
              or u:<username>

       -Y mech
              Specify the SASL mechanism to be used for authentication.  If
              it's not specified, the program will choose the best mechanism
              the server knows.

       -Z[Z]  Issue the StartTLS (Transport Layer Security) extended
              operation.  If you use -ZZ, the command will require the
              operation to be successful; with a single -Z, the bind and the
              search proceed over the unprotected connection if StartTLS
              fails.

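       -w puts the password in the command line, where other users of the
       host can read it from the process table and where the shell records
       it in its history; -W and -y avoid both.  -y takes the complete
       contents of the file, so a file written with echo carries a trailing
       newline into the password and the bind fails.  A single -Z falls back
       to the cleartext connection if the server refuses StartTLS, so a
       credentialed search should use -ZZ.  The following shell functions,
       an added example and not part of OpenLDAP, write and check a password
       file and wrap ldapsearch accordingly; the bind DN, URI, base and
       filter in the comments are placeholders, and the check assumes ls(1)
       prints the usual ten-character mode string.

```shell
#!/bin/sh
# Added example, not part of OpenLDAP: keep the bind password out of the
# command line (-y instead of -w) and refuse to search unless StartTLS
# succeeded (-ZZ).  The bind DN, URI and base mentioned below are placeholders.

# write_passfile PATH: read the password from standard input and store it
# in PATH, readable only by the caller.  -y uses the *complete* contents
# of the file, so the value is written without a trailing newline; an
# `echo password > file` would add one and the bind would then fail.
write_passfile() {
    IFS= read -r pw || true            # accept input with or without a final newline
    ( umask 077; printf '%s' "$pw" > "$1" ) && chmod 600 "$1"
}

# passfile_ok PATH: refuse files that are readable by others or that end
# in a newline, the two mistakes that silently break -y.
passfile_ok() {
    mode=$(ls -ld "$1" | cut -c1-10)
    if [ "$mode" != "-rw-------" ]; then
        echo "$1: expected mode 0600, found $mode" >&2; return 1
    fi
    if [ "$(tail -c 1 "$1" | od -An -c | tr -d ' ')" = '\n' ]; then
        echo "$1: ends in a newline; -y would make it part of the password" >&2; return 1
    fi
}

# tls_search BINDDN PASSFILE URI BASE FILTER [ATTRS...]
#   -x    simple bind with the DN and the password file
#   -ZZ   StartTLS, and abort if the server refuses it; a single -Z
#         would send the bind and the search in cleartext instead.
#         The certificate check follows TLS_REQCERT in ldap.conf(5).
#   -LLL  plain LDIFv1 output
tls_search() {
    binddn=$1 passfile=$2 uri=$3 base=$4
    shift 4
    passfile_ok "$passfile" || return 1
    ldapsearch -x -ZZ -LLL -H "$uri" -D "$binddn" -y "$passfile" -b "$base" "$@"
}

# demo_passfile: write a constructed password to a private temporary file,
# verify it and print the file name.  With a server you would then run:
#   tls_search cn=reader,dc=example,dc=com "$f" ldap://ldap.example.com \
#              dc=example,dc=com '(uid=bjensen)' cn mail
demo_passfile() {
    f=$(mktemp) || return 1
    printf 'correct horse battery staple\n' | write_passfile "$f"
    passfile_ok "$f" && printf '%s\n' "$f"
}

f=$(demo_passfile) && rm -f "$f" && echo "password file check passed"
```

       The same file can be reused across several ldapsearch invocations
       without the password ever reaching a command line or a history file;
       removing it when the session is over is still the caller's job.
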
OUTPUT FORMAT
       If one or more entries are found, each entry is written to standard
       output in LDAP Data Interchange Format (see ldif(5)):

           version: 1

           # bjensen, example, net
           dn: uid=bjensen,dc=example,dc=net
           objectClass: person
           objectClass: dcObject
           uid: bjensen
           cn: Barbara Jensen
           sn: Jensen
           ...

       If the -t option is used, the URI of a temporary file is used in place
       of the actual value.  If the -A option is given, only the
       "attributename" part is written.

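       A script that consumes this output has to handle three things a
       line-oriented grep does not: values folded onto a following line that
       begins with a space, values written base64-encoded after a double
       colon because they contain non-printable characters, and, with -t, a
       file URL in place of the value.  The following shell functions, an
       added example and not part of OpenLDAP, unfold and decode the output;
       the LDIF they run on is constructed here, and the decoder assumes a
       base64(1) that accepts -d, as GNU coreutils does.

```shell
#!/bin/sh
# Added example, not part of OpenLDAP: read ldapsearch's LDIF output from
# a script.  Long values are folded onto continuation lines that start
# with a space, non-printable values are written base64-encoded after
# "::", and with -t a value is replaced by a file:// URL after ":<".  A
# plain `grep '^cn: '` silently misses the first two cases.

# ldif_unfold: join continuation lines and drop comments, blank lines and
# the version marker, leaving one "attr: value" line per value.
ldif_unfold() {
    awk '
        function flush() { if (cur != "") print cur; cur = "" }
        /^ / { if (!skip) cur = cur substr($0, 2); next }   # continuation: drop the fold marker
        {
            flush(); skip = 0
            if ($0 == "" || $0 ~ /^#/ || $0 ~ /^version:/) { skip = 1; next }
            cur = $0
        }
        END { flush() }'
}

# ldif_values ATTR: print each value of ATTR, one per line.  The match is
# exact, so "cn" does not return "cn;lang-en".  "::" values are decoded;
# ":<" values are printed as the URL, since the data is in that file
# (by default under the shared /var/tmp, see -T).  Assumes base64(1)
# accepts -d.
ldif_values() {
    a=$1
    ldif_unfold | while IFS= read -r line; do
        case $line in
            "$a:: "*) printf '%s' "${line#"$a:: "}" | base64 -d; printf '\n' ;;
            "$a:< "*) printf '%s\n' "${line#"$a:< "}" ;;
            "$a: "*)  printf '%s\n' "${line#"$a: "}" ;;
        esac
    done
}

# Constructed sample of ldapsearch -L output: a comment, a base64 cn, a
# description folded after "brave" (the second space on the continuation
# line belongs to the value) and a jpegPhoto written to a file by -t.
SAMPLE_LDIF='version: 1

# bjensen, example, net
dn: uid=bjensen,dc=example,dc=net
cn:: QmFyYmFyYSBKZW5zZW4=
sn: Jensen
description: Preparing Alaska for a brave
  new yesterday
jpegPhoto:< file:///var/tmp/ldapsearch-jpegPhoto-a19924
'

for attr in dn cn description jpegPhoto; do
    printf '%s: ' "$attr"
    printf '%s' "$SAMPLE_LDIF" | ldif_values "$attr"
done
```

       Feed real output the same way, for example
       ldapsearch -L "(uid=bjensen)" cn | ldif_values cn; the functions do
       not care whether the comments or the version line are present, so
       they work with any number of -L.
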
EXAMPLES
       The following command:

           ldapsearch -LLL "(sn=smith)" cn sn telephoneNumber

       will perform a subtree search (using the default search base and other
       parameters defined in ldap.conf(5)) for entries with a surname (sn) of
       smith.  The common name (cn), surname (sn) and telephoneNumber values
       will be retrieved and printed to standard output.  The output might
       look something like this if two entries are found:

           dn: uid=jts,dc=example,dc=com
           cn: John Smith
           cn: John T. Smith
           sn: Smith
           sn;lang-en: Smith
           sn;lang-de: Schmidt
           telephoneNumber: 1 555 123-4567

           dn: uid=sss,dc=example,dc=com
           cn: Steve Smith
           cn: Steve S. Smith
           sn: Smith
           sn;lang-en: Smith
           sn;lang-de: Schmidt
           telephoneNumber: 1 555 765-4321

       The command:

           ldapsearch -LLL -u -t "(uid=xyz)" jpegPhoto audio

       will perform a subtree search using the default search base for entries
       with a user id of "xyz".  The user friendly form of the entry's DN will
       be output after the line that contains the DN itself, and the jpegPhoto
       and audio values will be retrieved and written to temporary files.  The
       output might look like this if one entry with one value for each of the
       requested attributes is found:

           dn: uid=xyz,dc=example,dc=com
           ufn: xyz, example, com
           audio:< file:///tmp/ldapsearch-audio-a19924
           jpegPhoto:< file:///tmp/ldapsearch-jpegPhoto-a19924

       This command:

           ldapsearch -LLL -s one -b "c=US" "(o=University*)" o description

       will perform a one-level search at the c=US level for all entries whose
       organization name (o) begins with University.  The organization name
       and description attribute values will be retrieved and printed to
       standard output, resulting in output similar to this:

           dn: o=University of Alaska Fairbanks,c=US
           o: University of Alaska Fairbanks
           description: Preparing Alaska for a brave new yesterday
           description: leaf node only

           dn: o=University of Colorado at Boulder,c=US
           o: University of Colorado at Boulder
           description: No personnel information
           description: Institution of education and research

           dn: o=University of Colorado at Denver,c=US
           o: University of Colorado at Denver
           o: UCD
           o: CU/Denver
           o: CU-Denver
           description: Institute for Higher Learning and Research

           dn: o=University of Florida,c=US
           o: University of Florida
           o: UFl
           description: Warper of young minds

           ...

DIAGNOSTICS
       Exit status is zero if no errors occur.  Errors result in a non-zero
       exit status and a diagnostic message being written to standard error.

SEE ALSO
       ldapadd(1), ldapdelete(1), ldapmodify(1), ldapmodrdn(1), ldap.conf(5),
       ldif(5), ldap(3), ldap_search_ext(3), ldap_sort(3)

AUTHOR
       The OpenLDAP Project <http://www.openldap.org/>

ACKNOWLEDGEMENTS
       OpenLDAP is developed and maintained by The OpenLDAP Project
       (http://www.openldap.org/).  OpenLDAP is derived from University of
       Michigan LDAP 3.3 Release.



OpenLDAP 2.3.34                   2007/2/16                      LDAPSEARCH(1)