ldapsearch(1)                    User Commands                   ldapsearch(1)

NAME

       ldapsearch - ldap search tool

SYNOPSIS

       ldapsearch [-n] [-u] [-v] [-t] [-A] [-B] [-L] [-R] [-H]
            [-?] [-t] [-T] [-B] [-E] [-J] [-e] [-l] [-Z] [-r]
            [-M] [-d debuglevel] [-F sep] [-f file] [-D bindDN]
            [-j filename] [-V version] [-Y proxyDN] [-O hopLimit]
            [-i locale] [-k path] [-S [-] attribute] [-C pattern]
            [-c authzid] [-P path] [-N certificate] [-w passwd]
            [-h ldaphost] [-p ldapport] [-o attributename=value]
            [-b searchbase] [-s scope] [-a deref] [-l timelimit]
            [-z sizelimit] filter [attrs]...

DESCRIPTION

       The ldapsearch utility opens a connection to an LDAP server, binds, and
       performs a search using the filter filter.

       If ldapsearch finds one or more entries, the attributes specified by
       attrs are retrieved and the entries and values are printed to standard
       output. If no attrs are listed, all attributes are returned.

   Output Format
       If one or more entries are found, each entry is written to standard
       output in the form:

         dn: Distinguished Name (DN)
                 attributename: value
                 attributename: value
                 attributename: value
         ...

       Multiple entries are separated with a single blank line. If the -F
       option is used to specify a different separator character, this
       character is used instead of the : character. If the -t option is used,
       the name of a temporary file is returned in place of the actual value.
       If the -A option is given, only the "attributename" is returned and not
       the attribute value.

OPTIONS

       The following options are supported:

       -A

           Retrieve attributes only (no values). This is useful when you just
           want to see whether an attribute is present in an entry and are not
           interested in the specific value.

       -a deref

           Specify how alias dereferencing is done. The possible values for
           deref are never, always, search, or find to specify respectively
           that aliases are never dereferenced, always dereferenced,
           dereferenced when searching, or dereferenced only when finding the
           base object for the search. The default is to never dereference
           aliases.

       -B

           Display non-ASCII values and use the old non-LDIF format. This
           option disables the default -L option.

       -b searchbase

           Use searchbase as the starting point for the search instead of the
           default.

       -C pattern

           Persistent search. Perform a search that keeps the connection open
           and displays results whenever entries matching the scope and filter
           of the search are added, modified, or removed. With this option,
           the ldapsearch tool runs indefinitely; you must type Control-c to
           stop it. The pattern has the following format:

             ps:changeType[:changesOnly[:entryChangeControls]]

       -c authzid

           Specifies the getEffectiveRights control authzid. For example:

             dn:uid=bjensen,dc=example,dc=com

       -D bindDN

           Use the distinguished name bindDN to bind to the directory.

       -d debuglevel

           Set the LDAP debugging level. Useful levels of debugging for
           ldapsearch are:

           1      Trace
           2      Packets
           4      Arguments
           32     Filters
           128    Access control

           To request more than one category of debugging information, add the
           masks. For example, to request trace and filter information,
           specify a debuglevel of 33.

       -E

           Ask server to expose (report) bind identity by means of
           authentication response control.

       -e

           Minimize base-64 encoding of values.

       -F sep

           Use sep as the field separator between attribute names and values.
           If this option has been specified, the -L option is ignored.

       -f file

           Read a series of lines from file, performing one LDAP search for
           each line. In this case, the filter given on the command line is
           treated as a pattern where the first occurrence of %s is replaced
           with a line from file. If file is a single - character, then the
           lines are read from standard input.

       -G pattern

           Virtual list view. Retrieve only a portion of all results, as
           determined by the index or value of the search target and the
           number of entries to be returned before and after the target. This
           option always requires the -S and -x options to specify the sorting
           order on the server.

       -?

           Display the usage help text that briefly describes all options.

       -H

           Display the usage help text that briefly describes all options.

       -h ldaphost

           Specify an alternate host on which the secure LDAP server is
           running.

       -i locale

           Specify the character set to use for command-line input. The
           default is the character set specified in the LANG environment
           variable. You might want to use this option to perform the
           conversion from the specified character set to UTF8, thus
           overriding the LANG setting. Using this argument, you can input the
           bind DN, base DN, and the search filter pattern in the specified
           character set. The ldapsearch tool converts the input from these
           arguments before it processes the search request. For example,
           -i no indicates that the bind DN, base DN, and search filter are
           provided in Norwegian. This argument only affects the command-line
           input. If you specify a file containing a search filter (with the
           -f option), ldapsearch does not convert the data in the file.

       -j filename

           Specify a file containing the password for the bind DN or the
           password for the SSL client's key database. To protect the
           password, use this option in scripts and place the password in a
           secure file. This option is mutually exclusive of the -w and -W
           options.

       -J [:criticality[:value|::b64value|b64value|:fileurl]]

           Criticality is a boolean value (default is false).

       -k path

           Specify the path to a directory containing conversion routines.
           These routines are used if you want to specify a locale that is not
           supported by default by your directory server. This is for NLS
           support.

       -L

           Display search results in LDIF format. This option also turns on
           the -B option. This behavior is the default.

       -l timelimit

           Wait at most timelimit seconds for a search to complete.

       -M

           Manage smart referrals. When they are the target of the operation,
           search the entry containing the referral instead of the entry
           obtained by following the referral.

       -N certificate

           Specify the certificate name to use for certificate-based client
           authentication. For example: -N "Directory-Cert".

       -n

           Show what would be done, but do not actually perform the search.
           Useful in conjunction with -v and -d for debugging.

       -O hopLimit

           Specify the maximum number of referral hops to follow while finding
           an entry to modify. By default, there is no limit.

       -o attributename=value

           For SASL mechanisms and other options such as security properties,
           mode of operation, authorization ID, authentication ID, and so
           forth.

           The different attribute names and their values are as follows:

           secProp="number"    For defining SASL security properties.

           realm="value"       Specifies SASL realm (default is realm=none).

           authzid="value"     Specify the authorization ID name for SASL
                               bind.

           authid="value"      Specify the authentication ID for SASL bind.

           mech="value"        Specifies the various SASL mechanisms.

       -P path

           Specify the path and filename of the client's certificate database.
           For example:

             -P /home/uid/.netscape/cert7.db

           When using the command on the same host as the directory server,
           you can use the server's own certificate database. For example:

             -P installDir/lapd-serverID/alias/cert7.db

           Use the -P option alone to specify server authentication only.

       -p ldapport

           Specify an alternate TCP port where the secure LDAP server is
           listening.

       -R

           Do not automatically follow referrals returned while searching.

       -r

           Display the output of the ldapsearch command in the old format.

       -S [-]attribute

           Specify an attribute for sorting the entries returned by the
           search. The sort order is alphabetical on the attribute's value, or
           reverse alphabetical with the form -attribute. You can give
           multiple -S options to refine the sorting. For example:

             -S sn -S givenname

           By default, the entries are not sorted. Use the -x option to
           perform server-side sorting.

       -s scope

           Specify the scope of the search. The possible values of scope are
           base, one, or sub to specify respectively a base object, one-level,
           or subtree search. The default is sub.

       -T

           Format the output of search results so that no line breaks are used
           within individual attribute values.

       -t

           Write retrieved values to a set of temporary files. This is useful
           for dealing with non-ASCII values such as jpegPhoto or audio.

       -U

           URL format (valid only with the -t option). When using temporary
           file output, the standard output of the tool includes the URL of
           the file instead of the attribute's value. For example:

             jpegPhoto:< file:/tmp/ldapsearch-jpegPhoto-YzaOMh

       -u

           Include the user-friendly form of the Distinguished Name (DN) in
           the output.

       -V version

           Specify the LDAP protocol version number to be used for the delete
           operation, either 2 or 3. LDAP v3 is the default. Specify LDAP v2
           when connecting to servers that do not support v3.

       -v

           Run in verbose mode, with diagnostics written to standard output.

       -W password

           Specify the password for the client's key database given in the -P
           option. This option is required for certificate-based client
           authentication. Specifying the password on the command line has
           security issues because the password can be seen by others on the
           system by means of the ps command. Use the -j option instead to
           specify the password from the file. This option is mutually
           exclusive of -j.

       -w passwd

           Use passwd as the password for authentication to the directory.
           When you use -w passwd to specify the password to be used for
           authentication, the password is visible to other users of the
           system by means of the ps command, in script files or in shell
           history. If you use the ldapsearch command without this option, the
           command prompts for the password and reads it from standard input.
           When used without the -w option, the password is not visible to
           other users.

       -x

           Use with the -S option to specify that search results be sorted on
           the server rather than by the ldapsearch command running on the
           client. This is useful if you want to sort according to a matching
           rule, as with an international search. It is usually faster to sort
           on the server, if that is supported, rather than on the client.

       -Y proxyDN

           Specify the proxy DN (proxied authorization id) to use for the
           modify operation, usually in double quotes (" ") for the shell.

       -Z

           Specify that SSL be used to provide certificate-based client
           authentication. This option requires the -N and SSL password and
           any other of the SSL options needed to identify the certificate and
           the key database.

       -z sizelimit

           Retrieve at most sizelimit entries for a search to complete.

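       The -j, -W and -w descriptions above advise keeping passwords off the
       command line. The following sh functions are an added example, not
       part of the original manual page: they store a bind password in a file
       readable only by its owner and refuse to search if the file is a
       symbolic link, belongs to another user, or is accessible to group or
       other. The function names and the LDAPSEARCH override variable are
       hypothetical, and writing the file without a trailing newline is an
       assumption about how -j reads it.

```shell
#!/bin/sh
# Added example (not from the manual page). Function names and the
# LDAPSEARCH override variable are hypothetical.

# make_pwfile FILE: read one line from standard input and store it in FILE
# with mode 0600. read and printf are shell built-ins, so the password never
# appears in an argument list. No trailing newline is written (assumption
# about how -j reads the file).
make_pwfile() {
    (
        umask 077
        IFS= read -r pw || [ -n "$pw" ] || exit 1
        printf '%s' "$pw" > "$1"
    ) && chmod 600 "$1"
}

# pwfile_is_private FILE: succeed only for a regular file (not a symlink)
# owned by the caller with no group or other permission bits set.
pwfile_is_private() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    # ls -ldn prints the mode string first and the numeric owner third.
    set -- $(ls -ldn -- "$1")
    [ "$3" = "$(id -u)" ] || return 1
    case $1 in
        -???------*) return 0 ;;
        *) return 1 ;;
    esac
}

# search_with_pwfile BINDDN FILE [ldapsearch arguments...]
# Passes the password with -j so that it is not visible through ps.
search_with_pwfile() {
    binddn=$1
    pwfile=$2
    shift 2
    if ! pwfile_is_private "$pwfile"; then
        echo "refusing to use $pwfile: not a private regular file" >&2
        return 1
    fi
    "${LDAPSEARCH:-ldapsearch}" -D "$binddn" -j "$pwfile" "$@"
}
```
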

EXAMPLES

       Example 1 Performing a Subtree Search

       The following command performs a subtree search (using the default
       search base) for entries with a commonName of "mark smith". The
       commonName and telephoneNumber values are retrieved and printed to
       standard output. Use the -r option to display this output in the old
       format.

         example% ldapsearch "cn=mark smith" cn telephoneNumber

       The output looks something like this:

         dn: Mark D Smith, ou=Sales, ou=Atlanta, ou=People, o=XYZ, c=US
         cn: Mark Smith
         cn: Mark David Smith
         cn: Mark D Smith 1
         cn: Mark D Smith
         telephoneNumber: +1 123 456-7890

         dn: Mark C Smith, ou=Distribution, ou=Atlanta, ou=People, o=XYZ, c=US
         cn: Mark Smith
         cn: Mark C Smith 1
         cn: Mark C Smith
         telephoneNumber: +1 123 456-9999

       Example 2 Performing a Subtree Search Using the Default Search Base

       The following command performs a subtree search using the -r option to
       display in old style format with a default search base for entries with
       user id of mcs. The user-friendly form of the entry's DN is output
       after the line that contains the DN itself, and the jpegPhoto and audio
       values are retrieved and written to temporary files.

         example% ldapsearch -r -u -t "uid=mcs" jpegPhoto audio

       The output might look like this if one entry with one value for each of
       the requested attributes is found:

         cn=Mark C Smith, ou=Distribution, ou=Atlanta, ou=People, o=XYZ, c=US
         Mark C Smith, Distribution, Atlanta, People, XYZ, US
         audio=/tmp/ldapsearch-audio-a19924
         jpegPhoto=/tmp/ldapsearch-jpegPhoto-a19924

       Example 3 Performing a One-Level Search

       The following command performs a one-level search at the c=US level for
       all organizations whose organizationName begins with XY.

         example% ldapsearch -s one -b "c=US" "o=XY*" o description

       The organizationName and description attribute values are retrieved and
       printed to standard output, resulting in output similar to this:

         dn: o=XYZ, c=US
         o: XYZ
         description: XYZ Corporation

         dn: o="XY Trading Company", c=US
         o: XY Trading Company
         description: Import and export specialists

         dn: o=XYInternational, c=US
         o: XYInternational
         o: XYI
         o: XY International

       Example 4 Performing a Subtree Search on an IPv6 Server

       The following command performs a subtree search using the default
       search base for entries with a user id of mcs on an IPv6 (that is, -h)
       server:

         example% ldapsearch -u -h '['fec0::111:a00:20ff:fea3:edcf']' \
                       -t "uid=mcs" jpegPhoto audio

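       With the -f option each line of file replaces %s in the filter as it
       stands, so a line containing *, (, ) or \ changes the filter instead of
       being matched literally. The following sh functions are an added
       example, not part of the original manual page: they escape such
       characters as RFC 4515 requires before the values reach -f, and preview
       the resulting filters offline. The function names and the LDAPSEARCH
       override variable are hypothetical.

```shell
#!/bin/sh
# Added example (not from the manual page). Function names and the
# LDAPSEARCH override variable are hypothetical.

# escape_filter_values: read raw values on standard input, one per line,
# drop empty lines, and escape the characters that are special in an LDAP
# search filter (RFC 4515): \ -> \5c, * -> \2a, ( -> \28, ) -> \29.
# The backslash is handled first so that later escapes are not re-escaped.
escape_filter_values() {
    sed -e '/^$/d' \
        -e 's/\\/\\5c/g' \
        -e 's/\*/\\2a/g' \
        -e 's/(/\\28/g' \
        -e 's/)/\\29/g'
}

# expand_filter PATTERN: offline preview of the -f substitution. Replaces
# the first %s in PATTERN with each line of standard input.
expand_filter() {
    case $1 in
        *%s*) ;;
        *) echo "pattern has no %s: $1" >&2; return 1 ;;
    esac
    prefix=${1%%'%s'*}
    suffix=${1#*'%s'}
    while IFS= read -r value; do
        printf '%s%s%s\n' "$prefix" "$value" "$suffix"
    done
}

# search_each PATTERN [attrs...]: escape the values on standard input and
# hand them to ldapsearch through "-f -", one search per value.
search_each() {
    pattern=$1
    shift
    escape_filter_values | "${LDAPSEARCH:-ldapsearch}" -f - "$pattern" "$@"
}
```
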

EXIT STATUS

       The following exit values are returned:

       0     Successful completion.

       >0    An error occurred. A diagnostic message is written to standard
             error.


ATTRIBUTES

       See attributes(5) for a description of the following attributes:

       ┌─────────────────────────────┬─────────────────────────────┐
       │      ATTRIBUTE TYPE         │      ATTRIBUTE VALUE        │
       ├─────────────────────────────┼─────────────────────────────┤
       │Availability                 │SUNWcsu                      │
       │Stability Level              │Evolving                     │
       └─────────────────────────────┴─────────────────────────────┘

SEE ALSO

       ldapadd(1), ldapdelete(1), ldapmodify(1), ldapmodrdn(1), attributes(5)

SunOS 5.11                        6 Jan 2006                     ldapsearch(1)