ldapsearch(1)                    User Commands                   ldapsearch(1)

NAME
     ldapsearch - ldap search tool

SYNOPSIS
     ldapsearch [-n] [-u] [-v] [-t] [-U] [-A] [-B] [-L] [-R] [-H]
     [-?] [-T] [-E] [-e] [-x] [-Z] [-r] [-M] [-d debuglevel]
     [-F sep] [-f file] [-D bindDN] [-j filename] [-J]
     [-V version] [-Y proxyDN] [-O hopLimit] [-i locale] [-k path]
     [-G pattern] [-S [-]attribute] [-C pattern] [-c authzid]
     [-P path] [-N certificate] [-W password] [-w passwd]
     [-h ldaphost] [-p ldapport] [-o attributename=value]
     [-b searchbase] [-s scope] [-a deref] [-l timelimit]
     [-z sizelimit] filter [attrs]...

DESCRIPTION
     The ldapsearch utility opens a connection to an LDAP server, binds, and
     performs a search using the filter filter.

     If ldapsearch finds one or more entries, the attributes specified by
     attrs are retrieved and the entries and values are printed to standard
     output. If no attrs are listed, all attributes are returned.

   Output Format
     If one or more entries are found, each entry is written to standard
     output in the form:

          dn: Distinguished Name (DN)
          attributename: value
          attributename: value
          attributename: value
          ...

     Multiple entries are separated with a single blank line. If the -F
     option is used to specify a different separator character, this
     character is used instead of the : character. If the -t option is used,
     the name of a temporary file is returned in place of the actual value.
     If the -A option is given, only the attributename is returned and not
     the attribute value.
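     The output format above is what scripts that post-process ldapsearch
     results have to parse: one "dn:" line, then "name: value" lines, with
     entries separated by a blank line. The following shell functions are an
     added example, not part of this man page, that read output in exactly
     this form from standard input; the function names ldap_attr_values and
     ldap_entry_count and the embedded sample output are this example's own
     constructions.

```shell
#!/bin/sh
# Constructed sample of ldapsearch default output: two entries separated by a
# single blank line, as described under "Output Format".
SAMPLE_OUTPUT='dn: uid=bjensen,ou=People,dc=example,dc=com
uid: bjensen
cn: Barbara Jensen
mail: bjensen@example.com
telephoneNumber: +1 123 456-7890

dn: uid=mcs,ou=People,dc=example,dc=com
uid: mcs
cn: Mark C Smith
mail: mcs@example.com
'

# ldap_attr_values ATTR
# Read ldapsearch output on stdin and print "<dn><TAB><value>" for every
# occurrence of ATTR. The blank line between entries resets the current dn,
# so a value is always paired with the entry it belongs to. A value written
# as "attr:: xxxx" (base-64, see the -e option) is printed still encoded.
ldap_attr_values() {
    awk -v want="$1" '
        /^$/     { dn = ""; next }               # entry separator
        /^dn: /  { dn = substr($0, 5); next }    # start of a new entry
        index($0, want ":") == 1 {
            value = $0
            sub(/^[^:]*::? */, "", value)       # strip "attr: " or "attr:: "
            print dn "\t" value
        }'
}

# ldap_entry_count
# Number of entries in ldapsearch output on stdin (one dn: line per entry).
ldap_entry_count() {
    grep -c '^dn: '
}

# Stand-alone run over the constructed sample:
printf '%s' "$SAMPLE_OUTPUT" | ldap_attr_values mail
printf '%s' "$SAMPLE_OUTPUT" | ldap_entry_count
```

     The same two functions work on the output of a real search, for
     example "ldapsearch -b dc=example,dc=com '(objectClass=person)' mail |
     ldap_attr_values mail", because the tool's default format is the one
     the awk program expects; they do not apply to -F, -r, -B or -A output.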

OPTIONS
     The following options are supported:

     -A

         Retrieve attributes only (no values). This is useful when you just
         want to see whether an attribute is present in an entry and are not
         interested in the specific value.

     -a deref

         Specify how alias dereferencing is done. The possible values for
         deref are never, always, search, or find, to specify respectively
         that aliases are never dereferenced, always dereferenced,
         dereferenced when searching, or dereferenced only when finding the
         base object for the search. The default is to never dereference
         aliases.

     -B

         Display non-ASCII values and use the old non-LDIF format. This
         option disables the default -L option.

     -b searchbase

         Use searchbase as the starting point for the search instead of the
         default.

     -C pattern

         Persistent search. Perform a search that keeps the connection open
         and displays results whenever entries matching the scope and filter
         of the search are added, modified, or removed. With this option,
         the ldapsearch tool runs indefinitely; you must type Control-c to
         stop it. The pattern has the following format:

              ps:changeType[:changesOnly[:entryChangeControls]]

     -c authzid

         Specifies the getEffectiveRights control authzid. For example:

              dn:uid=bjensen,dc=example,dc=com

     -D bindDN

         Use the distinguished name bindDN to bind to the directory.

     -d debuglevel

         Set the LDAP debugging level. Useful levels of debugging for
         ldapsearch are:

              1      Trace
              2      Packets
              4      Arguments
              32     Filters
              128    Access control

         To request more than one category of debugging information, add the
         masks. For example, to request trace and filter information,
         specify a debuglevel of 33.

     -E

         Ask the server to expose (report) the bind identity by means of the
         authentication response control.

     -e

         Minimize base-64 encoding of values.

     -F sep

         Use sep as the field separator between attribute names and values.
         If this option has been specified, the -L option is ignored.

     -f file

         Read a series of lines from file, performing one LDAP search for
         each line. In this case, the filter given on the command line is
         treated as a pattern where the first occurrence of %s is replaced
         with a line from file. If file is a single - character, then the
         lines are read from standard input.
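         A line from file is substituted for %s verbatim, so a line that
         contains filter metacharacters (*, parentheses, backslash) changes
         the meaning of the filter instead of being matched as a literal
         value. The following shell functions are an added example, not part
         of this man page: they escape those characters the way RFC 4515
         requires before the lines are written to the file given to -f. The
         names ldap_filter_escape and ldap_filter_file_from, and the sample
         values, are this example's own constructions.

```shell
#!/bin/sh
# ldap_filter_escape VALUE
# Print VALUE with the RFC 4515 filter metacharacters replaced by their
# escaped forms (\2a \28 \29 \5c), so that substituting it for %s in a
# filter pattern still matches the value literally. The backslash is
# escaped first; otherwise the escapes added for the other characters would
# themselves be re-escaped. (A NUL byte, which RFC 4515 writes as \00,
# cannot occur in a shell string, so it needs no handling here.)
ldap_filter_escape() {
    printf '%s\n' "$1" | sed \
        -e 's/\\/\\5c/g' \
        -e 's/\*/\\2a/g' \
        -e 's/(/\\28/g' \
        -e 's/)/\\29/g'
}

# ldap_filter_file_from
# Read raw values on stdin, one per line, and write the escaped lines that
# are safe to hand to "ldapsearch -f file". Leading blanks are kept and a
# final line without a newline is still processed.
ldap_filter_file_from() {
    while IFS= read -r line || [ -n "$line" ]; do
        ldap_filter_escape "$line"
    done
}

# Constructed sample input. Unescaped, the second value would widen the
# pattern "(uid=%s)" to match every entry with a uid, and the third would
# turn it into a different filter entirely.
SAMPLE_UIDS='mcs
*
bjensen)(objectClass=*'

# Stand-alone run over the constructed sample:
printf '%s\n' "$SAMPLE_UIDS" | ldap_filter_file_from

# Typical use (not run here, since it needs a directory server):
#   printf '%s\n' "$SAMPLE_UIDS" | ldap_filter_file_from > uids.txt
#   ldapsearch -b "dc=example,dc=com" -f uids.txt "(uid=%s)" cn mail
```

         The escaping is only for values placed inside a filter; a DN given
         with -b or -D follows the different quoting rules of RFC 4514.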
155
156
157 -G pattern
158
159 Virtual list view. Retrieve only a portion of all results, as
160 determined by the index or value of the search target and the num‐
161 ber of entries to be returned before and after the target. This
162 option always requires the -S and -x options to specify the sorting
163 order on the server.
164
165
166 -?
167
168 Display the usage help text that briefly describes all options.
169
170
171 -H
172
173 Display the usage help text that briefly describes all options.
174
175
176 -h ldaphost
177
178 Specify an alternate host on which the secure LDAP server is run‐
179 ning.
180
181
182 -i locale
183
184 Specify the character set to use for command-line input. The
185 default is the character set specified in the LANG environment
186 variable. You might want to use this option to perform the conver‐
187 sion from the specified character set to UTF8, thus overriding the
188 LANG setting. Using this argument, you can input the bind DN, base
189 DN, and the search filter pattern in the specified character set.
190 The ldapsearch tool converts the input from these arguments before
191 it processes the search request. For example, -i no indicates that
192 the bind DN, base DN, and search filter are provided in Norwegian.
193 This argument only affects the command-line input. If you specify a
194 file containing a search filter (with the -f option), ldapsearch
195 does not convert the data in the file.
196
197
198 -j filename
199
200 Specify a file containing the password for the bind DN or the pass‐
201 word for the SSL client's key database. To protect the password,
202 use this option in scripts and place the password in a secure file.
203 This option is mutually exclusive of the -w and -W options.
204
205
206 -J [:criticality[:value|::b64value|b64value|:fileurl]]
207
208 Criticality is a boolean value (default is false).
209
210
211 -k path
212
213 Specify the path to a directory containing conversion routines.
214 These routines are used if you want to specify a locale that is not
215 supported by default by your directory server. This is for NLS sup‐
216 port.
217
218
219 -L
220
221 Display search results in LDIF format. This option also turns on
222 the -B option. This behavior is the default.
223
224
225 -l timelimit
226
227 Wait at most timelimit seconds for a search to complete.
228
229
230 -M
231
232 Manage smart referrals. When they are the target of the operation,
233 search the entry containing the referral instead of the entry
234 obtained by following the referral.
235
236
237 -N certificate
238
239 Specify the certificate name to use for certificate-based client
240 authentication. For example: -N "Directory-Cert".
241
242
243 -n
244
245 Show what would be done, but do not actually perform the search.
246 Useful in conjunction with -v and -d for debugging.
247
248
249 -O hopLimit
250
251 Specify the maximum number of referral hops to follow while finding
252 an entry to modify. By default, there is no limit.
253
254
255 -o attributename=value
256
257 For SASL mechanisms and other options such as security properties,
258 mode of operation, authorization ID, authentication ID, and so
259 forth.
260
261 The different attribute names and their values are as follows:
262
263 secProp="number" For defining SASL security properties.
264
265
266 realm="value" Specifies SASL realm (default is realm=none).
267
268
269 authzid="value" Specify the authorization ID name for SASL
270 bind.
271
272
273 authid="value" Specify the authentication ID for SASL bind.
274
275
276 mech="value" Specifies the various SASL mechanisms.
277
278
279
280 -P path
281
282 Specify the path and filename of the client's certificate database.
283 For example:
284
285 -P /home/uid/.netscape/cert7.db
286
287
288 When using the command on the same host as the directory server,
289 you can use the server's own certificate database. For example:
290
291 -P installDir/lapd-serverID/alias/cert7.db
292
293
294 Use the -P option alone to specify server authentication only.
295
296
297 -p ldapport
298
299 Specify an alternate TCP port where the secure LAPD server is lis‐
300 tening.
301
302
303 -R
304
305 Do not automatically follow referrals returned while searching.
306
307
308 -r
309
310 Display the output of the ldapsearch command in the old format.
311
312
313 -S [-]attribute
314
315 Specify an attribute for sorting the entries returned by the
316 search. The sort criteria is alphabetical on the attribute's value
317 or reverse alphabetical with the form -attribute. You can give mul‐
318 tiple -S options to refine the sorting, For example:
319
320 -S sn -S givenname
321
322
323 By default, the entries are not sorted. Use the -x option to per‐
324 form server-side sorting.
325
326
327 -s scope
328
329 Specify the scope of the search. The possible values of scope are
330 base, one, or sub to specify respectively a base object, one-level,
331 or subtree search. The default is sub.
332
333
334 -T
335
336 Format the output of search results so that no line breaks are used
337 within individual attribute values.
338
339
340 -t
341
342 Write retrieved values to a set of temporary files. This is useful
343 for dealing with non-ASCII values such as jpegPhoto or audio.
344
345
346 -U
347
348 URL format (valid only with the -t option). When using temporary
349 file output, the standard output of the tool includes the URL of
350 the file instead of the attributes value. For example:
351
352 jpegPhoto:< file:/tmp/ldapsearch-jpegPhoto-YzaOMh
353
354
355
356
357 -u
358
359 Include the user-friendly form of the Distinguished Name (DN) in
360 the output.
361
362
363 -V version
364
365 Specify the LDAP protocol version number to be used for the delete
366 operation, either 2 or 3. LDAP v3 is the default. Specify LDAP v2
367 when connecting to servers that do not support v3.
368
369
370 -v
371
372 Run in verbose mode, with diagnostics written to standard output.
373
374
375 -W password
376
377 Specify the password for the client's key database given in the -P
378 option. This option is required for certificate-based client
379 authentication. Specifying password on the command line has secu‐
380 rity issues because the password can be seen by others on the sys‐
381 tem by means of the ps command. Use the -j instead to specify the
382 password from the file. This option is mutually exclusive of -j.
383
384
385 -w passwd
386
387 Use passwd as the password for authentication to the directory.
388 When you use -w passwd to specify the password to be used for
389 authentication, the password is visible to other users of the sys‐
390 tem by means of the ps command, in script files or in shell his‐
391 tory. If you use the ldapsearch command without this option, the
392 command prompts for the password and read it from standard in. When
393 used without the -w option, the password is not visible to other
394 users.
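         In a script, the alternative to -w (and to -W) is the -j option
         with a password file that only the invoking user can read. The
         following shell wrapper is an added example, not part of this man
         page: it refuses to run unless the password file is a regular file,
         owned by the caller and not readable by group or others, and then
         invokes ldapsearch with -D and -j. The names ldap_password_file_ok
         and ldap_search_with_pwfile and the LDAPSEARCH variable are this
         example's own; LDAPSEARCH exists only so the wrapper can be
         exercised without a directory server.

```shell
#!/bin/sh
# ldap_password_file_ok FILE
# Succeed only if FILE is a regular file, owned by the invoking user and
# readable by nobody else (mode 0600 or 0400), i.e. a file that is safe to
# pass to "ldapsearch -j". The mode and numeric owner come from "ls -ldn",
# which is POSIX and so works on SunOS as well as Linux and BSD; the
# trailing "*" in the patterns allows the "+" or "." marker some systems
# append to the mode when ACLs or security labels are present.
ldap_password_file_ok() {
    f=$1
    [ -f "$f" ] || return 1
    set -- $(ls -ldn "$f")            # $1 = mode string, $3 = numeric owner
    [ "$3" = "$(id -u)" ] || return 1
    case "$1" in
        -rw-------*|-r--------*) return 0 ;;
        *)                       return 1 ;;
    esac
}

# ldap_search_with_pwfile PWFILE BINDDN [ldapsearch arguments...]
# Bind as BINDDN with the password read from PWFILE (-j) instead of passing
# it with -w, where ps, script files and the shell history would expose it.
# Remaining arguments (-h, -p, -b, the filter, attrs...) go to ldapsearch
# unchanged. LDAPSEARCH defaults to the real command.
ldap_search_with_pwfile() {
    pwfile=$1; binddn=$2; shift 2
    if ! ldap_password_file_ok "$pwfile"; then
        echo "refusing to use $pwfile: must be a regular file owned by you with mode 0600 or 0400" >&2
        return 2
    fi
    "${LDAPSEARCH:-ldapsearch}" -D "$binddn" -j "$pwfile" "$@"
}

# Constructed usage (not run here, since it needs a directory server).
# The subshell umask makes the file unreadable by others from the moment it
# is created, so the password is never exposed even briefly:
#   ( umask 077; printf '%s\n' "$BIND_PASSWORD" > "$HOME/.ldap-pw" )
#   ldap_search_with_pwfile "$HOME/.ldap-pw" "uid=bjensen,dc=example,dc=com" \
#       -h ldap.example.com -p 389 -b "dc=example,dc=com" "(uid=mcs)" cn mail
```

         Because -j is also the way to supply the key-database password
         that -W would otherwise take, the same wrapper serves for
         certificate-based client authentication with -Z, -N and -P.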

     -x

         Use with the -S option to specify that search results be sorted on
         the server rather than by the ldapsearch command running on the
         client. This is useful if you want to sort according to a matching
         rule, as with an international search. It is usually faster to sort
         on the server, if that is supported, rather than on the client.

     -Y proxyDN

         Specify the proxy DN (proxied authorization id) to use for the
         search operation, usually in double quotes (" ") for the shell.

     -Z

         Specify that SSL be used to provide certificate-based client
         authentication. This option requires the -N and SSL password and
         any other of the SSL options needed to identify the certificate and
         the key database.

     -z sizelimit

         Retrieve at most sizelimit entries for a search.

EXAMPLES
     Example 1 Performing a Subtree Search

     The following command performs a subtree search (using the default
     search base) for entries with a commonName of "mark smith". The
     commonName and telephoneNumber values are retrieved and printed to
     standard output. Use the -r option to display this output in the old
     format.

          example% ldapsearch "cn=mark smith" cn telephoneNumber

     The output looks something like this:

          dn: Mark D Smith, ou=Sales, ou=Atlanta, ou=People, o=XYZ, c=US
          cn: Mark Smith
          cn: Mark David Smith
          cn: Mark D Smith 1
          cn: Mark D Smith
          telephoneNumber: +1 123 456-7890

          dn: Mark C Smith, ou=Distribution, ou=Atlanta, ou=People, o=XYZ, c=US
          cn: Mark Smith
          cn: Mark C Smith 1
          cn: Mark C Smith
          telephoneNumber: +1 123 456-9999

     Example 2 Performing a Subtree Search Using the Default Search Base

     The following command performs a subtree search, using the -r option
     to display the old-style format and the default search base, for
     entries with a user id of mcs. The user-friendly form of the entry's DN
     is output after the line that contains the DN itself, and the
     jpegPhoto and audio values are retrieved and written to temporary
     files.

          example% ldapsearch -r -u -t "uid=mcs" jpegPhoto audio

     The output might look like this if one entry with one value for each of
     the requested attributes is found:

          cn=Mark C Smith, ou=Distribution, ou=Atlanta, ou=People, o=XYZ, c=US
          Mark C Smith, Distribution, Atlanta, People, XYZ, US
          audio=/tmp/ldapsearch-audio-a19924
          jpegPhoto=/tmp/ldapsearch-jpegPhoto-a19924

     Example 3 Performing a One-Level Search

     The following command performs a one-level search at the c=US level for
     all organizations whose organizationName begins with XY.

          example% ldapsearch -s one -b "c=US" "o=XY*" o description

     The organizationName and description attribute values are retrieved and
     printed to standard output, resulting in output similar to this:

          dn: o=XYZ, c=US
          o: XYZ
          description: XYZ Corporation

          dn: o="XY Trading Company", c=US
          o: XY Trading Company
          description: Import and export specialists

          dn: o=XYInternational, c=US
          o: XYInternational
          o: XYI
          o: XY International

     Example 4 Performing a Subtree Search on an IPv6 Server

     The following command performs a subtree search using the default
     search base for entries with a user id of mcs on an IPv6 server, whose
     address is given to -h in square brackets:

          example% ldapsearch -u -h '[fec0::111:a00:20ff:fea3:edcf]' \
               -t "uid=mcs" jpegPhoto audio

EXIT STATUS
     The following exit values are returned:

     0      Successful completion.

     >0     An error occurred. A diagnostic message is written to standard
            error.

ATTRIBUTES
     See attributes(5) for a description of the following attributes:

     ┌─────────────────────────────┬─────────────────────────────┐
     │       ATTRIBUTE TYPE        │       ATTRIBUTE VALUE       │
     ├─────────────────────────────┼─────────────────────────────┤
     │Availability                 │SUNWcsu                      │
     │Stability Level              │Evolving                     │
     └─────────────────────────────┴─────────────────────────────┘

SEE ALSO
     ldapadd(1), ldapdelete(1), ldapmodify(1), ldapmodrdn(1), attributes(5)

SunOS 5.11                      6 Jan 2006                     ldapsearch(1)