.TH LDAPSEARCH 1 "20 August 2000" "OpenLDAP LDVERSION"
.\" Copyright 1998-2000 The OpenLDAP Foundation All Rights Reserved.
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
ldapsearch \- LDAP search tool
.BI \-d \ debuglevel\fR]
.BI \-w \ bindpasswd\fR]
.BI \-h \ ldaphost\fR]
.BI \-p \ ldapport\fR]
.BI \-P \ 2\fR\||\|\fI3\fR]
.BI \-b \ searchbase\fR]
.BI \-s \ base\fR\||\|\fIone\fR\||\|\fIsub\fR]
.BI \-a \ never\fR\||\|\fIalways\fR\||\|\fIsearch\fR\||\|\fIfind\fR]
.BI \-l \ timelimit\fR]
.BI \-z \ sizelimit\fR]
.BR \-O \ security-properties ]
.BI \-U \ username\fR]
is a shell-accessible interface to the
opens a connection to an LDAP server, binds, and performs a search
using the filter \fIfilter\fP. The \fIfilter\fP should conform to
the string representation for search filters as defined in RFC 2254.
finds one or more entries, the attributes specified by
\fIattrs\fP are retrieved and the entries and values are printed to
standard output. If no \fIattrs\fP are listed, all attributes are
returned. If * is listed, all user attributes are returned.
If + is listed, all operational attributes are returned.
If only 1.1 is listed, no attributes are listed.
Show what would be done, but don't actually perform the search. Useful for
debugging in conjunction with -v.
Include the User Friendly Name form of the Distinguished Name (DN)
Run in verbose mode, with many diagnostics written to standard output.
Use Kerberos authentication instead of simple authentication. It is
assumed that you already have a valid ticket granting ticket.
must be compiled with Kerberos for this option to have any effect.
Same as \-k, but only does step 1 of the Kerberos bind. This is useful
when connecting to a slapd and there is no x500dsa.hostname principal
registered with your Kerberos servers.
Write retrieved values to a set of temporary files. This is useful for
dealing with non-ASCII values such as jpegPhoto or audio.
Retrieve attributes only (no values). This is useful when you just want to
see if an attribute is present in an entry and are not interested in the
Display search results in
format. A second -L disables comments. A third -L disables
printing of the LDIF version.
Enable manage DSA IT control.
makes control critical.
Automatically chase referrals.
Sort the entries returned based on \fIattribute\fP. The default is not
to sort entries returned. If \fIattribute\fP is a zero-length string (""),
the entries are sorted by the components of their Distinguished Name. See
for more details. Note that
normally prints out entries as it receives them. The use of the
option defeats this behavior, causing all entries to be retrieved,
then sorted, then printed.
Set the LDAP debugging level to \fIdebuglevel\fP.
must be compiled with LDAP_DEBUG defined for this option to have any effect.
Read a series of lines from \fIfile\fP, performing one LDAP search for
each line. In this case, the \fIfilter\fP given on the command line
is treated as a pattern where the first occurrence of \fB%s\fP is
replaced with a line from \fIfile\fP. If \fIfile\fP is a single \fI-\fP
character, then the lines are read from standard input.
Use simple authentication instead of SASL.
Use the Distinguished Name \fIbinddn\fP to bind to the LDAP directory.
Prompt for simple authentication.
This is used instead of specifying the password on the command line.
Use \fIbindpasswd\fP as the password for simple authentication.
Specify an alternate host on which the ldap server is running.
Specify an alternate TCP port where the ldap server is listening.
Use \fIsearchbase\fP as the starting point for the search instead of
.BI \-s \ base\fR\||\|\fIone\fR\||\|\fIsub
Specify the scope of the search to be one of
to specify a base object, one-level, or subtree search. The default
.BI \-a \ never\fR\||\|\fIalways\fR\||\|\fIsearch\fR\||\|\fIfind
Specify how alias dereferencing is done. Should be one of
to specify that aliases are never dereferenced, always dereferenced,
dereferenced when searching, or dereferenced only when locating the
base object for the search. The default is to never dereference aliases.
.BI \-P \ 2\fR\||\|\fI3
Specify the LDAP protocol version to use.
wait at most \fItimelimit\fP seconds for a search to complete. A
A server may impose a maximal timelimit which only
the root user may override.
retrieve at most \fIsizelimit\fP entries for a search. A sizelimit
A server may impose a maximal sizelimit which only
the root user may override.
.BI \-O \ security-properties
Specify SASL security properties.
Enable SASL Interactive mode. Always prompt. Default is to prompt
Enable SASL Quiet mode. Never prompt.
Specify the username for SASL bind. The syntax of the username depends on the
actual SASL mechanism used.
Specify the requested authorization ID for SASL bind.
must be one of the following formats:
.I <distinguished name>
Specify the SASL mechanism to be used for authentication. If it's not
specified, the program will choose the best mechanism the server knows.
Issue StartTLS (Transport Layer Security) extended operation. If you use
, the command will require the operation to be successful.
If one or more entries are found, each entry is written to standard
output in LDAP Data Interchange Format or
dn: uid=bjensen, dc=example, dc=net
objectClass: dcObject
Multiple entries are separated with a single blank line.
If the -t option is used, the URI of a temporary file
is used in place of the actual value. If the -A option
is given, only the "attributename" part is written.
The following command:
ldapsearch -LLL "(sn=smith)" cn sn telephoneNumber
will perform a subtree search (using the default search base defined
for entries with a surname (sn) of smith. The common name (cn), surname
(sn) and telephoneNumber values will be retrieved and printed to
The output might look something like this if two entries are found:
dn: uid=jts, dc=example, dc=com
telephoneNumber: 1 555 123-4567
dn: uid=sss, dc=example, dc=com
telephoneNumber: 1 555 765-4321
ldapsearch -LLL -u -t "(uid=xyz)" jpegPhoto audio
will perform a subtree search using the default search base for entries
with user id of "xyz". The user friendly form of the entry's DN will be
output after the line that contains the DN itself, and the jpegPhoto
and audio values will be retrieved and written to temporary files. The
output might look like this if one entry with one value for each of the
requested attributes is found:
dn: uid=xyz, dc=example, dc=com
ufn: xyz, example, com
audio:< file::/tmp/ldapsearch-audio-a19924
jpegPhoto:< file::=/tmp/ldapsearch-jpegPhoto-a19924
ldapsearch -LLL -s one -b "c=US" "(o=University*)" o description
will perform a one-level search at the c=US level for all entries
whose organization name (o) begins with \fBUniversity\fP.
The organization name and description attribute values will be retrieved
and printed to standard output, resulting in output similar to this:
dn: o=University of Alaska Fairbanks, c=US
o: University of Alaska Fairbanks
description: Preparing Alaska for a brave new yesterday
description: leaf node only
dn: o=University of Colorado at Boulder, c=US
o: University of Colorado at Boulder
description: No personnel information
description: Institution of education and research
dn: o=University of Colorado at Denver, c=US
o: University of Colorado at Denver
description: Institute for Higher Learning and Research
dn: o=University of Florida, c=US
o: University of Florida
description: Warper of young minds
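For the \-f option described earlier, where each line of file replaces the first %s in the filter pattern: the following is an added shell example (not part of the OpenLDAP distribution) that escapes input lines as RFC 2254 assertion values before they reach ldapsearch, so that *, (, ) and \e in a line are matched literally instead of altering the filter. It assumes the line is inserted into the pattern unescaped; the function names and names.txt are hypothetical.

```shell
#!/bin/sh
# Added example (not from the OpenLDAP sources). Assumption: ldapsearch
# substitutes each input line into the filter pattern as-is, so escaping
# has to happen before the line reaches -f.

# Escape every line on stdin as an RFC 2254 assertion value:
#   \ -> \5c   * -> \2a   ( -> \28   ) -> \29
# The backslash rule runs first so the escapes added by the later rules
# are not escaped again. NUL (\00) cannot occur in a shell-read text line.
escape_lines() {
    sed -e 's/\\/\\5c/g' -e 's/[*]/\\2a/g' -e 's/[(]/\\28/g' -e 's/[)]/\\29/g'
}

# Escape a single value passed as $1.
ldap_escape() {
    printf '%s\n' "$1" | escape_lines
}

# Local preview of the substitution the man page describes: replace the
# first %s in pattern $1 with value $2. Only for inspecting the result.
expand_filter() {
    case $1 in
        *%s*) printf '%s%s%s\n' "${1%%%s*}" "$2" "${1#*%s}" ;;
        *)    printf '%s\n' "$1" ;;
    esac
}

# Constructed sample lines, as they might appear in a -f input file.
sample_lines() {
    printf '%s\n' 'smith' 'Jensen (Babs)' 'a*' 'dom\user'
}

# Show raw and escaped expansions side by side.
sample_lines | while IFS= read -r line; do
    printf 'raw:     %s\n' "$(expand_filter '(cn=%s)' "$line")"
    printf 'escaped: %s\n' "$(expand_filter '(cn=%s)' "$(ldap_escape "$line")")"
done

# Real use (needs a directory server, so it is not run here):
#   escape_lines < names.txt | ldapsearch -LLL -f - "(cn=%s)" cn sn
```

In the raw form, the line "a*" turns an equality match into a prefix match and "Jensen (Babs)" yields a malformed filter; the escaped form searches for the literal text.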
Exit status is 0 if no errors occur. Errors result in a non-zero exit
status and a diagnostic message being written to standard error.
The OpenLDAP Project <http://www.openldap.org/>
is developed and maintained by The OpenLDAP Project (http://www.openldap.org/).
is derived from University of Michigan LDAP 3.3 Release.