.TH LDAPSEARCH 1 "20 April 2000" "OpenLDAP LDVERSION"
.\" Copyright 1998-2000 The OpenLDAP Foundation All Rights Reserved.
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
ldapsearch \- LDAP search tool
.BI \-d \ debuglevel\fR]
.BI \-w \ bindpasswd\fR]
.BI \-h \ ldaphost\fR]
.BI \-p \ ldapport\fR]
.BI \-P \ 2\fR\||\|\fI3\fR]
.BI \-b \ searchbase\fR]
.BI \-s \ base\fR\||\|\fIone\fR\||\|\fIsub\fR]
.BI \-a \ never\fR\||\|\fIalways\fR\||\|\fIsearch\fR\||\|\fIfind\fR]
.BI \-l \ timelimit\fR]
.BI \-z \ sizelimit\fR]
.BI \-U \ username\fR]
is a shell-accessible interface to the
opens a connection to an LDAP server, binds, and performs a search
using the filter \fIfilter\fP. The \fIfilter\fP should conform to
the string representation for LDAP filters as defined in RFC 1558.
finds one or more entries, the attributes specified by
\fIattrs\fP are retrieved and the entries and values are printed to
standard output. If no \fIattrs\fP are listed, all attributes are
returned. If * is listed, all user attributes are returned.
If + is listed, all operational attributes are returned.
If only 1.1 is listed, no attributes are returned.
Show what would be done, but don't actually perform the search. Useful for
debugging in conjunction with -v.
Include the User Friendly form of the Distinguished Name (DN) in the output.
Run in verbose mode, with many diagnostics written to standard output.
Use Kerberos authentication instead of simple authentication. It is
assumed that you already have a valid ticket granting ticket.
must be compiled with KERBEROS defined for this option to have any effect.
Same as \-k, but only does step 1 of the Kerberos bind. This is useful
when connecting to a slapd and there is no x500dsa.hostname principal
registered with your Kerberos servers.
Write retrieved values to a set of temporary files. This is useful for
dealing with non-ASCII values such as jpegPhoto or audio.
Retrieve attributes only (no values). This is useful when you just want to
see if an attribute is present in an entry and are not interested in the
Do not suppress display of non-ASCII values. This is useful when
dealing with values that appear in alternate character sets such as
ISO-8859-1. This option is implied by -L (see below).
Display search results in
format. This option also turns on the -B option, and causes the -F option
Enable manage DSA IT control.
makes control critical.
Do not automatically follow referrals returned while searching.
must be compiled with LDAP_REFERRALS defined for referrals to be
automatically followed by default, and for this option to have any effect.
Use \fIsep\fP as the field separator between attribute names and values.
The default separator is `=', unless the -L flag has been specified, in
which case this option is ignored.
Sort the entries returned based on \fIattribute\fP. The default is not
to sort entries returned. If \fIattribute\fP is a zero-length string (""),
the entries are sorted by the components of their Distinguished Name. See
for more details. Note that
normally prints out entries as it receives them. The use of the
option defeats this behavior, causing all entries to be retrieved,
then sorted, then printed.
Set the LDAP debugging level to \fIdebuglevel\fP.
must be compiled with LDAP_DEBUG defined for this option to have any effect.
Read a series of lines from \fIfile\fP, performing one LDAP search for
each line. In this case, the \fIfilter\fP given on the command line
is treated as a pattern where the first occurrence of \fB%s\fP is
replaced with a line from \fIfile\fP. If \fIfile\fP is a single \fI-\fP
character, then the lines are read from standard input.
Use \fIbinddn\fP to bind to the LDAP directory. \fIbinddn\fP should be
a string-represented DN as defined in RFC 1779.
Prompt for simple authentication.
This is used instead of specifying the password on the command line.
Use \fIbindpasswd\fP as the password for simple authentication.
Specify an alternate host on which the LDAP server is running.
Specify an alternate TCP port where the LDAP server is listening.
Use \fIsearchbase\fP as the starting point for the search instead of
.BI \-s \ base\fR\||\|\fIone\fR\||\|\fIsub
Specify the scope of the search to be one of
to specify a base object, one-level, or subtree search. The default
.BI \-a \ never\fR\||\|\fIalways\fR\||\|\fIsearch\fR\||\|\fIfind
Specify how alias dereferencing is done. Should be one of
to specify that aliases are never dereferenced, always dereferenced,
dereferenced when searching, or dereferenced only when locating the
base object for the search. The default is to never dereference aliases.
.BI \-P \ 2\fR\||\|\fI3
Specify the LDAP protocol version to use.
Wait at most \fItimelimit\fP seconds for a search to complete. A
A server may impose a maximal timelimit which only
the root user may override.
Retrieve at most \fIsizelimit\fP entries for a search. A sizelimit
A server may impose a maximal sizelimit which only
the root user may override.
Request the use of SASL privacy (encryption). If the server allows it, data
sent between the client and the server will be encrypted. If the server
requires the use of encryption and this flag is not specified, the command
will fail. If you use
, the command will fail if the server does not support encryption.
Request the use of SASL integrity checking. It protects data sent between the
client and the server from being modified along the way, but it does not
prevent sniffing. If the server requires the use of integrity checking and
this flag is not specified, the command will fail. If you use
, the command will fail if the server does not support this function.
Specify the username for SASL bind. The syntax of the username depends on the
actual SASL mechanism used.
Specify the requested authorization ID for SASL bind.
must be one of the following formats:
.I <distinguished name>
Specify the SASL mechanism to be used for authentication. If it's not
specified, the program will choose the best mechanism the server knows.
Request the use of TLS (Transport Layer Security). If you use
, the command will fail if TLS negotiation does not succeed for some reason.
If one or more entries are found, each entry is written to standard output
Distinguished Name (DN)
User Friendly Name (this line present only if the -u option is used)
Multiple entries are separated with a single blank line. If the -F option
is used to specify a separator character, it will be used instead of the
`=' character. If the -t option is used, the name of a temporary file
is used in place of the actual value. If the -A option
is given, only the "attributename" part is written.
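A parser for the default (non-LDIF) output format described above, as an added example that is not part of the original manual page or of OpenLDAP. The name parse_entries, its parameters, and the first sample (whose cn and description values are constructed) are assumptions; the second sample is the -u -t output shown in the examples on this page.

```python
def parse_entries(text, sep="=", has_ufn=False, attrs_only=False):
    """Parse default (non-LDIF) ldapsearch output into (dn, ufn, attrs) tuples.

    sep: separator set with -F; has_ufn: -u was used; attrs_only: -A was used.
    """
    entries = []
    # Multiple entries are separated by a single blank line.
    for block in text.strip("\n").split("\n\n"):
        lines = [ln for ln in block.split("\n") if ln]
        if not lines:
            continue
        # The DN is taken by position, not content: it contains "=" itself
        # and must not be split like an attribute line.
        dn, rest = lines[0], lines[1:]
        ufn = None
        if has_ufn and rest:
            ufn, rest = rest[0], rest[1:]
        attrs = {}
        for line in rest:
            if attrs_only:
                attrs.setdefault(line, [])
                continue
            # Split on the first separator only; a value may contain it.
            name, found, value = line.partition(sep)
            if not found:
                raise ValueError("malformed attribute line: %r" % line)
            attrs.setdefault(name, []).append(value)
        entries.append((dn, ufn, attrs))
    return entries

# Constructed sample: DNs and telephone numbers follow the page's first
# example; the cn and description values are made up for illustration.
SAMPLE = """\
uid=jts, ou=Volunteers, ou=People, dc=OpenLDAP, dc=org
cn=Example One
telephoneNumber=+1 555 123-4567

uid=sss, ou=Staff, ou=People, dc=OpenLDAP, dc=org
cn=Example Two
description=key=value pair
telephoneNumber=+1 555 765-4321
"""

# Output of the page's -u -t example: with -t each value is a temp file name.
SAMPLE_UT = """\
uid=xyz, ou=Staff, ou=People, dc=OpenLDAP, dc=org
xyz, Staff, People, OpenLDAP, org
audio=/tmp/ldapsearch-audio-a19924
jpegPhoto=/tmp/ldapsearch-jpegPhoto-a19924
"""
```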
The following command:
ldapsearch "(sn=smith)" cn sn telephoneNumber
will perform a subtree search (using the default search base) for
entries with a surname (sn) of smith. The common name (cn), surname
(sn) and telephoneNumber values will be retrieved and printed to
The output might look something like this if two entries are found:
uid=jts, ou=Volunteers, ou=People, dc=OpenLDAP, dc=org
telephoneNumber=+1 555 123-4567
uid=sss, ou=Staff, ou=People, dc=OpenLDAP, dc=org
telephoneNumber=+1 555 765-4321
ldapsearch -u -t "uid=xyz" jpegPhoto audio
will perform a subtree search using the default search base for entries
with user id of "xyz". The user friendly form of the entry's DN will be
output after the line that contains the DN itself, and the jpegPhoto
and audio values will be retrieved and written to temporary files. The
output might look like this if one entry with one value for each of the
requested attributes is found:
uid=xyz, ou=Staff, ou=People, dc=OpenLDAP, dc=org
xyz, Staff, People, OpenLDAP, org
audio=/tmp/ldapsearch-audio-a19924
jpegPhoto=/tmp/ldapsearch-jpegPhoto-a19924
ldapsearch -L -s one -b "c=US" "o=University*" o description
will perform a one-level search at the c=US level for all entries
whose organizationName (o) begins with \fBUniversity\fP.
Search results will be displayed in the LDIF format.
The organizationName and description attribute values will be retrieved
and printed to standard output, resulting in output similar to this:
dn: o=University of Alaska Fairbanks, c=US
o: University of Alaska Fairbanks
description: Preparing Alaska for a brave new yesterday
description: leaf node only
dn: o=University of Colorado at Boulder, c=US
o: University of Colorado at Boulder
description: No personnel information
description: Institution of education and research
dn: o=University of Colorado at Denver, c=US
o: University of Colorado at Denver
description: Institute for Higher Learning and Research
dn: o=University of Florida, c=US
o: University of Florida
description: Warper of young minds
Exit status is 0 if no errors occur. Errors result in a non-zero exit
status and a diagnostic message being written to standard error.
.IR "A String Representation of Distinguished Names",
ISODE Consortium, March 1995.
.IR "A String Representation of LDAP Search Filters",
University of Michigan, December 1993.
is developed and maintained by The OpenLDAP Project (http://www.openldap.org/).
is derived from University of Michigan LDAP 3.3 Release.