1 .TH LDAPSEARCH 1 "10 November 1998" "OpenLDAP LDVERSION"
3 ldapsearch \- ldap search tool
27 .BI \-d \ debuglevel\fR]
37 .BI \-w \ bindpasswd\fR]
39 .BI \-h \ ldaphost\fR]
41 .BI \-p \ ldapport\fR]
43 .BI \-P \ 2\fR\||\|\fI3\fR]
45 .BI \-b \ searchbase\fR]
47 .BI \-s \ base\fR\||\|\fIone\fR\||\|\fIsub\fR]
49 .BI \-a \ never\fR\||\|\fIalways\fR\||\|\fIsearch\fR\||\|\fIfind\fR]
51 .BI \-l \ timelimit\fR]
53 .BI \-z \ sizelimit\fR]
59 is a shell-accessible interface to the
64 opens a connection to an LDAP server, binds, and performs a search
65 using the filter \fIfilter\fP. The \fIfilter\fP should conform to
66 the string representation for LDAP filters as defined in RFC 1558.
70 finds one or more entries, the attributes specified by
71 \fIattrs\fP are retrieved and the entries and values are printed to
72 standard output. If no \fIattrs\fP are listed, all attributes are
77 Show what would be done, but don't actually perform the search. Useful for
78 debugging in conjunction with -v.
81 Include the User Friendly form of the Distinguished Name (DN) in the output
84 Run in verbose mode, with many diagnostics written to standard output
87 Use Kerberos authentication instead of simple authentication. It is
88 assumed that you already have a valid ticket granting ticket.
90 must be compiled with KERBEROS defined for this option to have any effect.
93 Same as \-k, but only does step 1 of the kerberos bind. This is useful
94 when connecting to a slapd and there is no x500dsa.hostname principal
95 registered with your kerberos servers.
98 Write retrieved values to a set of temporary files. This is useful for
99 dealing with non-ASCII values such as jpegPhoto or audio.
102 Retrieve attributes only (no values). This is useful when you just want to
103 see if an attribute is present in an entry and are not interested in the
107 Do not suppress display of non-ascii values. This is useful when
108 dealing with values that appear in alternate characters sets such as
109 ISO-8859.1. This option is implied by -L (see below).
112 Display search results in
114 format. This option also turns on the -B option, and causes the -F option
118 Do not automatically follow referrals returned while searching.
120 must be compiled with LDAP_REFERRALS defined for referrals to be
121 automatically followed by default, and for this option to have any effect.
124 Use \fIsep\fP as the field separator between attribute names and values.
125 The default separator is `=', unless the -L flag has been specified, in
126 which case this option is ignored.
129 Sort the entries returned based on \fIattribute\fP. The default is not
130 to sort entries returned. If \fIattribute\fP is a zero-length string (""),
131 the entries are sorted by the components of their Distingished Name. See
133 for more details. Note that
135 normally prints out entries as it receives them. The use of the
137 option defeats this behavior, causing all entries to be retrieved,
138 then sorted, then printed.
141 Set the LDAP debugging level to \fIdebuglevel\fP.
143 must be compiled with LDAP_DEBUG defined for this option to have any effect.
146 Read a series of lines from \fIfile\fP, performing one LDAP search for
147 each line. In this case, the \fIfilter\fP given on the command line
148 is treated as a pattern where the first occurrence of \fB%s\fP is
149 replaced with a line from \fIfile\fP. If \fIfile\fP is a single \fI-\fP
150 character, then the lines are read from standard input.
153 Use \fIbinddn\fP to bind to the LDAP directory. \fIbinddn\fP should be
154 a string-represented DN as defined in RFC 1779.
157 Prompt for simple authentication.
158 This is used instead of specifying the password on the command line.
161 Use \fIbindpasswd\fP as the password for simple authentication.
164 Specify an alternate host on which the ldap server is running.
167 Specify an alternate TCP port where the ldap server is listening.
170 Use \fIsearchbase\fP as the starting point for the search instead of
173 .BI \-s \ base\fR\||\|\fIone\fR\||\|\fIsub
174 Specify the scope of the search to be one of
179 to specify a base object, one-level, or subtree search. The default
183 .BI \-a \ never\fR\||\|\fIalways\fR\||\|\fIsearch\fR\||\|\fIfind
184 Specify how aliases dereferencing is done. Should be one of
190 to specify that aliases are never dereferenced, always dereferenced,
191 dereferenced when searching, or dereferenced only when locating the
192 base object for the search. The default is to never dereference aliases.
194 .BI \-P \ 2\fR\||\|\fI3
195 Specify the LDAP protocol version to use.
198 wait at most \fItimelimit\fP seconds for a search to complete.
201 retrieve at most \fIsizelimit\fP entries for a search.
203 If one or more entries are found, each entry is written to standard output
207 Distinguished Name (DN)
208 User Friendly Name (this line present only if the -u option is used)
215 Multiple entries are separated with a single blank line. If the -F option
216 is used to specify a separator character, it will be used instead of the
217 `=' character. If the -t option is used, the name of a temporary file
218 is used in place of the actual value. If the -A option
219 is given, only the "attributename" part is written.
221 The following command:
224 ldapsearch "cn=mark smith" cn telephoneNumber
227 will perform a subtree search (using the default search base) for entries
228 with a commonName of "mark smith". The commonName and telephoneNumber
229 values will be retrieved and printed to standard output.
230 The output might look something like this if two entries are found:
233 cn=Mark D Smith, ou="College of Literature, Science, and the Arts", ou=Students, ou=People, o=University of Michigan, c=US
238 telephoneNumber=+1 313 930-9489
240 cn=Mark C Smith, ou=Information Technology Division, ou=Faculty and Staff, ou=People, o=University of Michigan, c=US
244 telephoneNumber=+1 313 764-2277
250 ldapsearch -u -t "uid=mcs" jpegPhoto audio
253 will perform a subtree search using the default search base for entries
254 with user id of "mcs". The user friendly form of the entry's DN will be
255 output after the line that contains the DN itself, and the jpegPhoto
256 and audio values will be retrieved and written to temporary files. The
257 output might look like this if one entry with one value for each of the
258 requested attributes is found:
261 cn=Mark C Smith, ou=Information Technology Division, ou=Faculty and Staff, ou=People, o=University of Michigan, c=US
262 Mark C Smith, Information Technology Division, Faculty and Staff, People, University of Michigan, US
263 audio=/tmp/ldapsearch-audio-a19924
264 jpegPhoto=/tmp/ldapsearch-jpegPhoto-a19924
270 ldapsearch -L -s one -b "c=US" "o=university*" o description
273 will perform a one-level search at the c=US level for all organizations
274 whose organizationName begins with \fBuniversity\fP. Search results
275 will be displayed in the LDIF format.
276 The organizationName and description attribute values will be retrieved
277 and printed to standard output, resulting in output similar to this:
280 dn: o=University of Alaska Fairbanks, c=US
281 o: University of Alaska Fairbanks
282 description: Preparing Alaska for a brave new yesterday
283 description: leaf node only
285 dn: o=University of Colorado at Boulder, c=US
286 o: University of Colorado at Boulder
287 description: No personnel information
288 description: Institution of education and research
290 dn: o=University of Colorado at Denver, c=US
291 o: University of Colorado at Denver
295 description: Institute for Higher Learning and Research
297 dn: o=University of Florida, c=US
298 o: University of Florida
300 description: Warper of young minds
305 Exit status is 0 if no errors occur. Errors result in a non-zero exit
306 status and a diagnostic message being written to standard error.
317 .IR "A String Representation of Distinguished Names",
320 ISODE Consortium, March 1995.
323 .IR "A String Representation of LDAP Search Filters",
326 University of Michigan, December 1993.
329 is developed and maintained by The OpenLDAP Project (http://www.openldap.org/).
331 is derived from University of Michigan LDAP 3.3 Release.