.TH LDAPSEARCH 1 "12 July 2000" "OpenLDAP LDVERSION"
.\" Copyright 1998-2000 The OpenLDAP Foundation All Rights Reserved.
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
ldapsearch \- LDAP search tool
.BI \-d \ debuglevel\fR]
.BI \-w \ bindpasswd\fR]
.BI \-h \ ldaphost\fR]
.BI \-p \ ldapport\fR]
.BI \-P \ 2\fR\||\|\fI3\fR]
.BI \-b \ searchbase\fR]
.BI \-s \ base\fR\||\|\fIone\fR\||\|\fIsub\fR]
.BI \-a \ never\fR\||\|\fIalways\fR\||\|\fIsearch\fR\||\|\fIfind\fR]
.BI \-l \ timelimit\fR]
.BI \-z \ sizelimit\fR]
.BR \-O \ security-properties ]
.BI \-U \ username\fR]
is a shell-accessible interface to the
opens a connection to an LDAP server, binds, and performs a search
using the filter \fIfilter\fP. The \fIfilter\fP should conform to
the string representation for LDAP filters as defined in RFC 1558.
finds one or more entries, the attributes specified by
\fIattrs\fP are retrieved and the entries and values are printed to
standard output. If no \fIattrs\fP are listed, all attributes are
returned. If * is listed, all user attributes are returned.
If + is listed, all operational attributes are returned.
If only 1.1 is listed, no attributes are listed.
Show what would be done, but don't actually perform the search. Useful for
debugging in conjunction with -v.
Include the User Friendly form of the Distinguished Name (DN) in the output
Run in verbose mode, with many diagnostics written to standard output
Use Kerberos authentication instead of simple authentication. It is
assumed that you already have a valid ticket granting ticket.
must be compiled with KERBEROS defined for this option to have any effect.
Same as \-k, but only does step 1 of the Kerberos bind. This is useful
when connecting to a slapd and there is no x500dsa.hostname principal
registered with your Kerberos servers.
Write retrieved values to a set of temporary files. This is useful for
dealing with non-ASCII values such as jpegPhoto or audio.
Retrieve attributes only (no values). This is useful when you just want to
see if an attribute is present in an entry and are not interested in the
Display search results in
format. A second -L disables comments. A third -L disables
printing of the LDIF version.
Enable manage DSA IT control.
makes control critical.
Automatically chase referrals.
Sort the entries returned based on \fIattribute\fP. The default is not
to sort entries returned. If \fIattribute\fP is a zero-length string (""),
the entries are sorted by the components of their Distinguished Name. See
for more details. Note that
normally prints out entries as it receives them. The use of the
option defeats this behavior, causing all entries to be retrieved,
then sorted, then printed.
Set the LDAP debugging level to \fIdebuglevel\fP.
must be compiled with LDAP_DEBUG defined for this option to have any effect.
Read a series of lines from \fIfile\fP, performing one LDAP search for
each line. In this case, the \fIfilter\fP given on the command line
is treated as a pattern where the first occurrence of \fB%s\fP is
replaced with a line from \fIfile\fP. If \fIfile\fP is a single \fI-\fP
character, then the lines are read from standard input.
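Because each line of the file is substituted into the filter pattern as it stands, a line that contains filter metacharacters changes the search that is sent. The following is an added example, not part of the original manual page or of OpenLDAP: it escapes values before they are written to the file, using the hex escapes of RFC 4515 (the current successor to the filter syntax cited above). The function names and the file names in the comments are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not OpenLDAP code. Function names are hypothetical.

# Escape one value for use inside a filter, using RFC 4515 hex escapes.
# Backslash goes first so the escapes added afterwards are not re-escaped.
# (NUL also needs escaping, but a shell variable cannot hold one.)
ldap_escape_filter_value() {
    printf '%s\n' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                             -e 's/(/\\28/g'  -e 's/)/\\29/g'
}

# Read raw values on stdin and write one escaped value per line, which is
# the layout the -f file needs. Empty lines are dropped.
escape_lines() {
    while IFS= read -r value; do
        [ -n "$value" ] || continue
        ldap_escape_filter_value "$value"
    done
}

# Mimic the documented substitution (first %s replaced by the line) so the
# resulting filter can be inspected without contacting a server.
expand_filter() {
    case $1 in
        *%s*)
            pre=${1%%"%s"*}     # text before the first %s
            post=${1#*"%s"}     # text after the first %s
            printf '%s%s%s\n' "$pre" "$2" "$post" ;;
        *)
            printf '%s\n' "$1" ;;
    esac
}

# Constructed sample values; the second one would rewrite the filter.
for raw in 'smith' '*)(uid=*'; do
    printf 'raw:     %s\n' "$(expand_filter '(sn=%s)' "$raw")"
    printf 'escaped: %s\n' \
        "$(expand_filter '(sn=%s)' "$(ldap_escape_filter_value "$raw")")"
done

# Typical use (values.txt and escaped.txt are assumed file names):
#   escape_lines < values.txt > escaped.txt
#   ldapsearch -LLL -f escaped.txt "(sn=%s)" cn sn
```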
Use simple authentication instead of SASL.
Use \fIbinddn\fP to bind to the LDAP directory. \fIbinddn\fP should be
a string-represented DN as defined in RFC 1779.
Prompt for simple authentication.
This is used instead of specifying the password on the command line.
Use \fIbindpasswd\fP as the password for simple authentication.
Specify an alternate host on which the LDAP server is running.
Specify an alternate TCP port where the LDAP server is listening.
Use \fIsearchbase\fP as the starting point for the search instead of
.BI \-s \ base\fR\||\|\fIone\fR\||\|\fIsub
Specify the scope of the search to be one of
to specify a base object, one-level, or subtree search. The default
.BI \-a \ never\fR\||\|\fIalways\fR\||\|\fIsearch\fR\||\|\fIfind
Specify how alias dereferencing is done. Should be one of
to specify that aliases are never dereferenced, always dereferenced,
dereferenced when searching, or dereferenced only when locating the
base object for the search. The default is to never dereference aliases.
.BI \-P \ 2\fR\||\|\fI3
Specify the LDAP protocol version to use.
wait at most \fItimelimit\fP seconds for a search to complete. A
A server may impose a maximal timelimit which only
the root user may override.
retrieve at most \fIsizelimit\fP entries for a search. A sizelimit
A server may impose a maximal sizelimit which only
the root user may override.
.BI \-O \ security-properties
Specify SASL security properties.
Enable SASL Interactive mode. Always prompt. Default is to prompt
Enable SASL Quiet mode. Never prompt.
Specify the username for SASL bind. The syntax of the username depends on the
actual SASL mechanism used.
Specify the requested authorization ID for SASL bind.
must be one of the following formats:
.I <distinguished name>
Specify the SASL mechanism to be used for authentication. If it's not
specified, the program will choose the best mechanism the server knows.
Issue StartTLS (Transport Layer Security) extended operation. If you use
, the command will require the operation to be successful.
If one or more entries are found, each entry is written to standard output
Distinguished Name (DN)
User Friendly Name (this line present only if the -u option is used)
Multiple entries are separated with a single blank line.
If the -t option is used, the name of a temporary file
is used in place of the actual value. If the -A option
is given, only the "attributename" part is written.
The following command:
ldapsearch -LLL "(sn=smith)" cn sn telephoneNumber
will perform a subtree search (using the default search base) for
entries with a surname (sn) of smith. The common name (cn), surname
(sn) and telephoneNumber values will be retrieved and printed to
The output might look something like this if two entries are found:
dn: uid=jts, ou=Volunteers, ou=People, dc=OpenLDAP, dc=org
telephoneNumber: 1 555 123-4567
dn: uid=sss, ou=Staff, ou=People, dc=OpenLDAP, dc=org
telephoneNumber: 1 555 765-4321
ldapsearch -LLL -u -t "(uid=xyz)" jpegPhoto audio
will perform a subtree search using the default search base for entries
with user id of "xyz". The user friendly form of the entry's DN will be
output after the line that contains the DN itself, and the jpegPhoto
and audio values will be retrieved and written to temporary files. The
output might look like this if one entry with one value for each of the
requested attributes is found:
dn: uid=xyz, ou=Staff, ou=People, dc=OpenLDAP, dc=org
ufn: xyz, Staff, People, OpenLDAP, org
audio:< file::/tmp/ldapsearch-audio-a19924
jpegPhoto:< file::=/tmp/ldapsearch-jpegPhoto-a19924
ldapsearch -LLL -s one -b "c=US" "(o=University*)" o description
will perform a one-level search at the c=US level for all entries
whose organizationName (o) begins with \fBUniversity\fP.
The organizationName and description attribute values will be retrieved
and printed to standard output, resulting in output similar to this:
dn: o=University of Alaska Fairbanks, c=US
o: University of Alaska Fairbanks
description: Preparing Alaska for a brave new yesterday
description: leaf node only
dn: o=University of Colorado at Boulder, c=US
o: University of Colorado at Boulder
description: No personnel information
description: Institution of education and research
dn: o=University of Colorado at Denver, c=US
o: University of Colorado at Denver
description: Institute for Higher Learning and Research
dn: o=University of Florida, c=US
o: University of Florida
description: Warper of young minds
Exit status is 0 if no errors occur. Errors result in a non-zero exit
status and a diagnostic message being written to standard error.
.IR "A String Representation of Distinguished Names",
ISODE Consortium, March 1995.
.IR "A String Representation of LDAP Search Filters",
University of Michigan, December 1993.
The OpenLDAP Project <http://www.openldap.org/>
is developed and maintained by The OpenLDAP Project (http://www.openldap.org/).
is derived from University of Michigan LDAP 3.3 Release.