.TH LDAPSEARCH 1 "20 August 2000" "OpenLDAP LDVERSION"
.\" Copyright 1998-2000 The OpenLDAP Foundation All Rights Reserved.
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
ldapsearch \- LDAP search tool
.BI \-d \ debuglevel\fR]
.BI \-w \ bindpasswd\fR]
.BI \-h \ ldaphost\fR]
.BI \-p \ ldapport\fR]
.BI \-P \ 2\fR\||\|\fI3\fR]
.BI \-b \ searchbase\fR]
.BI \-s \ base\fR\||\|\fIone\fR\||\|\fIsub\fR]
.BI \-a \ never\fR\||\|\fIalways\fR\||\|\fIsearch\fR\||\|\fIfind\fR]
.BI \-l \ timelimit\fR]
.BI \-z \ sizelimit\fR]
.BR \-O \ security-properties ]
.BI \-U \ username\fR]
is a shell-accessible interface to the
opens a connection to an LDAP server, binds, and performs a search
using the filter \fIfilter\fP. The \fIfilter\fP should conform to
the string representation for search filters as defined in RFC 2254.
finds one or more entries, the attributes specified by
\fIattrs\fP are retrieved and the entries and values are printed to
standard output. If no \fIattrs\fP are listed, all attributes are
returned. If * is listed, all user attributes are returned.
If + is listed, all operational attributes are returned.
If only 1.1 is listed, no attributes are returned.
Show what would be done, but don't actually perform the search. Useful for
debugging in conjunction with -v.
Include the User Friendly Name form of the Distinguished Name (DN)
Run in verbose mode, with many diagnostics written to standard output.
Use Kerberos authentication instead of simple authentication. It is
assumed that you already have a valid ticket granting ticket.
must be compiled with Kerberos support for this option to have any effect.
Same as \-k, but only does step 1 of the Kerberos bind. This is useful
when connecting to a slapd and there is no x500dsa.hostname principal
registered with your Kerberos servers.
Write retrieved values to a set of temporary files. This is useful for
dealing with non-ASCII values such as jpegPhoto or audio.
Retrieve attributes only (no values). This is useful when you just want to
see if an attribute is present in an entry and are not interested in the
Search results are displayed in LDAP Data Interchange Format detailed in
A single -L restricts the output to LDIFv1.
A second -L disables comments.
A third -L disables printing of the LDIF version.
The default is to use an extended version of LDIF.
Enable manage DSA IT control.
makes control critical.
Automatically chase referrals.
Sort the entries returned based on \fIattribute\fP. The default is not
to sort entries returned. If \fIattribute\fP is a zero-length string (""),
the entries are sorted by the components of their Distinguished Name. See
for more details. Note that
normally prints out entries as it receives them. The use of the
option defeats this behavior, causing all entries to be retrieved,
then sorted, then printed.
Set the LDAP debugging level to \fIdebuglevel\fP.
must be compiled with LDAP_DEBUG defined for this option to have any effect.
Read a series of lines from \fIfile\fP, performing one LDAP search for
each line. In this case, the \fIfilter\fP given on the command line
is treated as a pattern where the first occurrence of \fB%s\fP is
replaced with a line from \fIfile\fP. If \fIfile\fP is a single \fI-\fP
character, then the lines are read from standard input.
Use simple authentication instead of SASL.
Use the Distinguished Name \fIbinddn\fP to bind to the LDAP directory.
Prompt for simple authentication.
This is used instead of specifying the password on the command line.
Use \fIbindpasswd\fP as the password for simple authentication.
Specify URI(s) referring to the LDAP server(s).
Specify an alternate host on which the LDAP server is running.
Deprecated in favor of -H.
Specify an alternate TCP port where the LDAP server is listening.
Deprecated in favor of -H.
Use \fIsearchbase\fP as the starting point for the search instead of
.BI \-s \ base\fR\||\|\fIone\fR\||\|\fIsub
Specify the scope of the search to be one of
to specify a base object, one-level, or subtree search. The default
.BI \-a \ never\fR\||\|\fIalways\fR\||\|\fIsearch\fR\||\|\fIfind
Specify how alias dereferencing is done. Should be one of
to specify that aliases are never dereferenced, always dereferenced,
dereferenced when searching, or dereferenced only when locating the
base object for the search. The default is to never dereference aliases.
.BI \-P \ 2\fR\||\|\fI3
Specify the LDAP protocol version to use.
Wait at most \fItimelimit\fP seconds for a search to complete. A
A server may impose a maximal timelimit which only
the root user may override.
Retrieve at most \fIsizelimit\fP entries for a search. A sizelimit
A server may impose a maximal sizelimit which only
the root user may override.
.BI \-O \ security-properties
Specify SASL security properties.
Enable SASL Interactive mode. Always prompt. Default is to prompt
Enable SASL Quiet mode. Never prompt.
Specify the username for SASL bind. The syntax of the username depends on the
actual SASL mechanism used.
Specify the requested authorization ID for SASL bind.
must be one of the following formats:
.I <distinguished name>
Specify the SASL mechanism to be used for authentication. If it's not
specified, the program will choose the best mechanism the server knows.
Issue StartTLS (Transport Layer Security) extended operation. If you use
, the command will require the operation to be successful.
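Added example, not part of the OpenLDAP manual or sources: the \-f option substitutes each line of the file for %s in the filter pattern, so values containing parentheses, asterisks or backslashes need RFC 2254 escaping first if they are to match literally. The function names and sample values are constructed for illustration, and the sketch assumes the substitution is literal, since no escaping is described for it.

```shell
#!/bin/sh
# Added example, not from the OpenLDAP sources. Assumption: ldapsearch -f
# substitutes each line for %s literally, without escaping it.

# Escape one value per line per RFC 2254: \ * ( ) become \5c \2a \28 \29.
# Backslash goes first so the escapes added afterwards are not re-escaped.
# NUL (\00 in RFC 2254) cannot occur in a line of text and is not handled.
rfc2254_escape() {
    sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Model of the -f behaviour: replace the first %s in pattern $1 with
# value $2 and print the resulting filter string (hypothetical helper).
expand_pattern() {
    case $1 in
        *%s*) pre=${1%%%s*}      # text before the first %s
              post=${1#*%s}      # text after the first %s
              printf '%s%s%s\n' "$pre" "$2" "$post" ;;
        *)    printf '%s\n' "$1" ;;
    esac
}

# Print the filter that would be built for each line of standard input.
preview_filters() {
    rfc2254_escape | while IFS= read -r line; do
        expand_pattern "$1" "$line"
    done
}

# Constructed sample values, as they might appear in a names file.
preview_filters '(o=%s)' <<'EOF'
University of Colorado (Boulder)
R*D Labs
EOF

# Real use, with the escaped lines on standard input (-f -):
#   rfc2254_escape < names.txt | ldapsearch -LLL -f - "(o=%s)" o description
```

Without the escaping step the first sample line would put unescaped parentheses inside the assertion value, and the second would be treated as a substring match instead of a literal name.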
If one or more entries are found, each entry is written to standard
output in LDAP Data Interchange Format or
# bjensen, example, net
dn: uid=bjensen, dc=example, dc=net
objectClass: dcObject
If the -t option is used, the URI of a temporary file
is used in place of the actual value. If the -A option
is given, only the "attributename" part is written.
The following command:
ldapsearch -LLL "(sn=smith)" cn sn telephoneNumber
will perform a subtree search (using the default search base defined
for entries with a surname (sn) of smith. The common name (cn), surname
(sn) and telephoneNumber values will be retrieved and printed to
The output might look something like this if two entries are found:
dn: uid=jts, dc=example, dc=com
telephoneNumber: 1 555 123-4567
dn: uid=sss, dc=example, dc=com
telephoneNumber: 1 555 765-4321
ldapsearch -LLL -u -t "(uid=xyz)" jpegPhoto audio
will perform a subtree search using the default search base for entries
with user id of "xyz". The user friendly form of the entry's DN will be
output after the line that contains the DN itself, and the jpegPhoto
and audio values will be retrieved and written to temporary files. The
output might look like this if one entry with one value for each of the
requested attributes is found:
dn: uid=xyz, dc=example, dc=com
ufn: xyz, example, com
audio:< file::/tmp/ldapsearch-audio-a19924
jpegPhoto:< file::=/tmp/ldapsearch-jpegPhoto-a19924
ldapsearch -LLL -s one -b "c=US" "(o=University*)" o description
will perform a one-level search at the c=US level for all entries
whose organization name (o) begins with \fBUniversity\fP.
The organization name and description attribute values will be retrieved
and printed to standard output, resulting in output similar to this:
dn: o=University of Alaska Fairbanks, c=US
o: University of Alaska Fairbanks
description: Preparing Alaska for a brave new yesterday
description: leaf node only
dn: o=University of Colorado at Boulder, c=US
o: University of Colorado at Boulder
description: No personnel information
description: Institution of education and research
dn: o=University of Colorado at Denver, c=US
o: University of Colorado at Denver
description: Institute for Higher Learning and Research
dn: o=University of Florida, c=US
o: University of Florida
description: Warper of young minds
Exit status is zero if no errors occur.
Errors result in a non-zero exit status and
a diagnostic message being written to standard error.
The OpenLDAP Project <http://www.openldap.org/>
is developed and maintained by The OpenLDAP Project (http://www.openldap.org/).
is derived from University of Michigan LDAP 3.3 Release.