ldapsearch(1)




LDAPSEARCH(1)            USER COMMANDS              LDAPSEARCH(1)


NAME

     ldapsearch - LDAP search tool


SYNOPSIS

     ldapsearch [-n] [-u] [-v] [-k]  [-K]  [-t]  [-A]  [-L[L[L]]]
     [-M[M]]    [-d debuglevel]    [-f file]   [-D binddn]   [-W]
     [-w passwd]   [-y passwdfile]   [-H ldapuri]   [-h ldaphost]
     [-p ldapport]   [-P 2|3]  [-b searchbase]  [-s base|one|sub]
     [-a never|always|search|find] [-l timelimit]  [-z sizelimit]
     [-O security-properties]  [-I]  [-Q] [-U authcid] [-R realm]
     [-x] [-X authzid] [-Y mech] [-Z[Z]] filter [attrs...]


DESCRIPTION

     ldapsearch  is   a   shell-accessible   interface   to   the
     ldap_search(3) library call.

     ldapsearch opens a connection to an LDAP server, binds,  and
     performs  a  search using specified parameters.   The filter
     should conform  to  the  string  representation  for  search
     filters  as  defined  in  RFC  2254.   If  not provided, the
     default filter, (objectClass=*), is used.

     If ldapsearch finds one or more entries, attrs are returned.
     If  *  is listed, all user attributes are returned.  If + is
     listed, all operational  attributes  are  returned.   If  no
     attrs are listed, all user attributes are returned.  If only
     1.1 is listed, no attributes will be returned.


OPTIONS

     -n   Show what would be done, but don't actually perform the
          search.  Useful for debugging in conjunction with -v.

     -u   Include  the  User  Friendly  Name  form  of  the  Dis-
          tinguished Name (DN) in the output.

     -v   Run in verbose mode, with many diagnostics  written  to
          standard output.

     -k   Use  Kerberos  IV  authentication  instead  of   simple
          authentication.   It is assumed that you already have a
          valid ticket granting ticket.  ldapsearch must be  com-
          piled with Kerberos support for this option to have any
          effect.

     -K   Same as -k, but only does step 1  of  the  Kerberos  IV
          bind.   This  is  useful when connecting to a slapd and
          there is no x500dsa.hostname principal registered  with
          your Kerberos Domain Controller(s).

     -t   Write retrieved values to a  set  of  temporary  files.
          This  is  useful for dealing with non-ASCII values such
          as jpegPhoto or audio.

OpenLDAP LDVERSION  Last change: RELEASEDATE                    1

     -A   Retrieve attributes only (no values).  This  is  useful
          when you just want to see if an attribute is present in
          an entry and are not interested in the specific values.

     -L   Search results are displayed in LDAP  Data  Interchange
          Format,  detailed in ldif(5).  A single -L restricts the
          output to LDIFv1.  A second -L  disables  comments.   A
          third  -L  disables  printing of the LDIF version.  The
          default is to use an extended version of LDIF.

     -M[M]
          Enable manage DSA IT control.  -MM makes control criti-
          cal.

     -S attribute
          Sort the  entries  returned  based  on  attribute.  The
          default  is not to sort entries returned.  If attribute
          is a zero-length string (""), the entries are sorted by
          the   components   of  their  Distinguished  Name.  See
          ldap_sort(3) for more  details.  Note  that  ldapsearch
          normally  prints  out entries as it receives them.  The
          use of the -S option defeats this behavior, causing all
          entries to be retrieved, then sorted, then printed.

     -d debuglevel
          Set the LDAP debugging level to debuglevel.  ldapsearch
          must  be  compiled  with  LDAP_DEBUG  defined  for this
          option to have any effect.

     -f file
          Read a series of lines from file, performing  one  LDAP
          search  for  each line.  In this case, the filter given
          on the command line is treated as a pattern  where  the
          first  occurrence  of  %s  is replaced with a line from
          file.  If file is a single - character, then the  lines
          are read from standard input.

     -x   Use simple authentication instead of SASL.

     -D binddn
          Use the Distinguished Name binddn to bind to  the  LDAP
          directory.

     -W   Prompt for simple authentication.  This is used instead
          of specifying the password on the command line.

     -w passwd
          Use passwd as the password for simple authentication.

     -y passwdfile
          Use complete contents of passwdfile as the password for
          simple authentication.

     -H ldapuri
          Specify URI(s) referring to the ldap server(s).

     -h ldaphost
          Specify an alternate host on which the ldap  server  is
          running.  Deprecated in favor of -H.

     -p ldapport
          Specify an alternate TCP port where the ldap server  is
          listening.  Deprecated in favor of -H.

     -b searchbase
          Use searchbase as the starting  point  for  the  search
          instead of the default.

     -s base|one|sub
          Specify the scope of the search to be one of base, one,
          or  sub to specify a base object, one-level, or subtree
          search.  The default is sub.

     -a never|always|search|find
          Specify how alias dereferencing is done.   Should  be
          one  of  never, always, search, or find to specify that
          aliases are never  dereferenced,  always  dereferenced,
          dereferenced  when searching, or dereferenced only when
          locating the base object for the search.   The  default
          is to never dereference aliases.

     -P 2|3
          Specify the LDAP protocol version to use.

     -l timelimit
          Wait at most timelimit seconds for a search to complete.
          A  timelimit  of 0 (zero) removes the ldap.conf limit.  A
          server may impose a maximal  timelimit  which  only  the
          root user may override.

     -z sizelimit
          Retrieve at most sizelimit entries for  a  search.   A
          sizelimit  of  0 (zero) removes the ldap.conf limit.  A
          server may impose a maximal sizelimit  which  only  the
          root user may override.

     -O security-properties
          Specify SASL security properties.

     -I   Enable SASL Interactive mode.  Always prompt.   Default
          is to prompt only as needed.

     -Q   Enable SASL Quiet mode.  Never prompt.

     -U authcid
          Specify the authentication ID for SASL bind.  The  form
          of the ID depends on the actual SASL mechanism used.

     -R realm
          Specify the realm of authentication ID for  SASL  bind.
          The  form  of  the  realm  depends  on  the actual SASL
          mechanism used.

     -X authzid
          Specify the requested authorization ID for  SASL  bind.
          authzid   must   be   one  of  the  following  formats:
          dn:<distinguished name> or u:<username>

     -Y mech
          Specify the SASL mechanism to be used  for  authentica-
          tion.  If  it's  not specified, the program will choose
          the best mechanism the server knows.

     -Z[Z]
          Issue  StartTLS  (Transport  Layer  Security)  extended
          operation. If you use -ZZ, the command will require the
          operation to be successful.


OUTPUT FORMAT

     If one or more entries are found, each entry is  written  to
     standard output in LDAP Data Interchange Format (LDIF),  as
     described in ldif(5):

         version: 1

         # bjensen, example, net
         dn: uid=bjensen,dc=example,dc=net
         objectClass: person
         objectClass: dcObject
         uid: bjensen
         cn: Barbara Jensen
         sn: Jensen
         ...

     If the -t option is used, the URI of  a  temporary  file  is
     used  in  place  of  the  actual value.  If the -A option is
     given, only the "attributename" part is written.


EXAMPLE

     The following command:

         ldapsearch -LLL "(sn=smith)" cn sn telephoneNumber

     will perform a subtree search (using the default search base
     defined  in ldap.conf(5)) for entries with a surname (sn) of
     smith.    The   common   name   (cn),   surname   (sn)   and
     telephoneNumber  values  will  be  retrieved  and printed to
     standard output.  The output might look something like  this
     if two entries are found:

         dn: uid=jts,dc=example,dc=com
         cn: John Smith
         cn: John T. Smith
         sn: Smith
         sn;lang-en: Smith
         sn;lang-de: Schmidt
         telephoneNumber: 1 555 123-4567

         dn: uid=sss,dc=example,dc=com
         cn: Steve Smith
         cn: Steve S. Smith
         sn: Smith
         sn;lang-en: Smith
         sn;lang-de: Schmidt
         telephoneNumber: 1 555 765-4321

     The command:

         ldapsearch -LLL -u -t "(uid=xyz)" jpegPhoto audio

     will perform a subtree search using the default search  base
     for  entries  with user id of "xyz".  The user friendly form
     of the entry's DN will be output after the  line  that  con-
     tains the DN itself, and the jpegPhoto and audio values will
     be retrieved and written to  temporary  files.   The  output
     might look like this if one entry with one value for each of
     the requested attributes is found:

         dn: uid=xyz,dc=example,dc=com
         ufn: xyz, example, com
         audio:< file:///tmp/ldapsearch-audio-a19924
         jpegPhoto:< file:///tmp/ldapsearch-jpegPhoto-a19924

     This command:

         ldapsearch -LLL -s one -b "c=US" "(o=University*)" o description

     will perform a one-level search at the c=US  level  for  all
     entries  whose  organization  name  (o)  begins with Univer-
     sity.  The organization name and description attribute  val-
     ues  will  be  retrieved  and  printed  to  standard  output,
     resulting in output similar to this:

         dn: o=University of Alaska Fairbanks,c=US
         o: University of Alaska Fairbanks
         description: Preparing Alaska for a brave new yesterday
         description: leaf node only

         dn: o=University of Colorado at Boulder,c=US
         o: University of Colorado at Boulder
         description: No personnel information
         description: Institution of education and research

         dn: o=University of Colorado at Denver,c=US
         o: University of Colorado at Denver
         o: UCD
         o: CU/Denver
         o: CU-Denver
         description: Institute for Higher Learning and Research

         dn: o=University of Florida,c=US
         o: University of Florida
         o: UFl
         description: Warper of young minds

         ...
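
     The following POSIX shell script is an added example and is
     not part of the OpenLDAP manual page.  It shows how -f sub-
     stitutes each input line verbatim for the first %s  in  the
     filter  pattern,  so that RFC 2254 metacharacters in the data
     change the filter, and how to escape such values before they
     are  fed  to  "-f -".  The URI ldap://ldap.example.com, the
     bind DN cn=reader,dc=example,dc=com,  the  password  file
     /etc/ldap/reader.pw  and  the  search base dc=example,dc=com
     are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the OpenLDAP manual page.
# ldapsearch -f replaces the first %s in the filter pattern with each
# input line verbatim, so a value containing the RFC 2254 filter
# metacharacters ( ) * \ changes the meaning of the filter.

# Escape RFC 2254 filter metacharacters in $1 as \XX hex sequences.
# Backslash is handled first so later escapes are not re-escaped.
ldap_filter_escape() {
    printf '%s\n' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                             -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Build the filter the way ldapsearch -f does: replace only the first
# occurrence of %s in pattern $1 with the line $2, with no escaping.
build_filter() {
    pat=$1 val=$2
    case $pat in
        *%s*) printf '%s\n' "${pat%%%s*}${val}${pat#*%s}" ;;
        *)    printf '%s\n' "$pat" ;;
    esac
}

# Constructed sample input, one user id per line as fed to -f.
# The last line carries a wildcard that would widen a raw search.
sample_ids() {
    printf '%s\n' 'bjensen' 'jts' 'sm*'
}

# One search per id read from stdin, each id escaped before it is
# substituted.  Server, bind DN, password file and base are assumed
# placeholders.  -ZZ refuses to continue if StartTLS fails, and -y
# keeps the password out of the process list; because -y uses the
# complete file contents, the file must not end with a newline.
lookup_users() {
    while IFS= read -r id; do ldap_filter_escape "$id"; done |
        ldapsearch -x -ZZ -H ldap://ldap.example.com \
            -D 'cn=reader,dc=example,dc=com' -y /etc/ldap/reader.pw \
            -b 'dc=example,dc=com' -LLL -f - '(uid=%s)' cn mail
}

# Show what -f would send for each sample id, raw and escaped.
sample_ids | while IFS= read -r id; do
    printf 'raw:     %s\n' "$(build_filter '(uid=%s)' "$id")"
    printf 'escaped: %s\n' "$(build_filter '(uid=%s)' "$(ldap_filter_escape "$id")")"
done
```

     Run without arguments the script only prints the raw and es-
     caped filters; lookup_users is the form that actually  reads
     ids from standard input and contacts the server.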


DIAGNOSTICS

     Exit status is zero if no errors occur.  Errors result in  a
     non-zero  exit status and a diagnostic message being written
     to standard error.


SEE ALSO

     ldapadd(1),  ldapdelete(1),  ldapmodify(1),   ldapmodrdn(1),
     ldap.conf(5), ldif(5), ldap(3), ldap_search(3)


AUTHOR

     The OpenLDAP Project <http://www.openldap.org/>


ACKNOWLEDGEMENTS

     OpenLDAP is developed and maintained by The OpenLDAP Project
     (http://www.openldap.org/).    OpenLDAP   is   derived  from
     University of Michigan LDAP 3.3 Release.
