.TH LDAPSEARCH 1 "20 April 2000" "OpenLDAP LDVERSION"
.\" Copyright 1998-2000 The OpenLDAP Foundation All Rights Reserved.
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
ldapsearch \- LDAP search tool
.BI \-d \ debuglevel\fR]
.BI \-w \ bindpasswd\fR]
.BI \-h \ ldaphost\fR]
.BI \-p \ ldapport\fR]
.BI \-P \ 2\fR\||\|\fI3\fR]
.BI \-b \ searchbase\fR]
.BI \-s \ base\fR\||\|\fIone\fR\||\|\fIsub\fR]
.BI \-a \ never\fR\||\|\fIalways\fR\||\|\fIsearch\fR\||\|\fIfind\fR]
.BI \-l \ timelimit\fR]
.BI \-z \ sizelimit\fR]
.BI \-U \ username\fR]
is a shell-accessible interface to the
opens a connection to an LDAP server, binds, and performs a search
using the filter \fIfilter\fP. The \fIfilter\fP should conform to
the string representation for LDAP filters as defined in RFC 1558.
finds one or more entries, the attributes specified by
\fIattrs\fP are retrieved and the entries and values are printed to
standard output. If no \fIattrs\fP are listed, all attributes are
returned. If * is listed, all user attributes are returned.
If + is listed, all operational attributes are returned.
If only 1.1 is listed, no attributes are listed.
Show what would be done, but don't actually perform the search. Useful for
debugging in conjunction with -v.
Include the User Friendly form of the Distinguished Name (DN) in the output
Run in verbose mode, with many diagnostics written to standard output
Use Kerberos authentication instead of simple authentication. It is
assumed that you already have a valid ticket granting ticket.
must be compiled with KERBEROS defined for this option to have any effect.
Same as \-k, but only does step 1 of the Kerberos bind. This is useful
when connecting to a slapd and there is no x500dsa.hostname principal
registered with your Kerberos servers.
Write retrieved values to a set of temporary files. This is useful for
dealing with non-ASCII values such as jpegPhoto or audio.
Retrieve attributes only (no values). This is useful when you just want to
see if an attribute is present in an entry and are not interested in the
Display search results in
format. A second -L disables comments. A third -L disables
printing of the LDIF version.
Enable manage DSA IT control.
makes control critical.
Do not automatically follow referrals returned while searching.
Sort the entries returned based on \fIattribute\fP. The default is not
to sort entries returned. If \fIattribute\fP is a zero-length string (""),
the entries are sorted by the components of their Distinguished Name. See
for more details. Note that
normally prints out entries as it receives them. The use of the
option defeats this behavior, causing all entries to be retrieved,
then sorted, then printed.
Set the LDAP debugging level to \fIdebuglevel\fP.
must be compiled with LDAP_DEBUG defined for this option to have any effect.
Read a series of lines from \fIfile\fP, performing one LDAP search for
each line. In this case, the \fIfilter\fP given on the command line
is treated as a pattern where the first occurrence of \fB%s\fP is
replaced with a line from \fIfile\fP. If \fIfile\fP is a single \fI-\fP
character, then the lines are read from standard input.
Use \fIbinddn\fP to bind to the LDAP directory. \fIbinddn\fP should be
a string-represented DN as defined in RFC 1779.
Prompt for simple authentication.
This is used instead of specifying the password on the command line.
Use \fIbindpasswd\fP as the password for simple authentication.
Specify an alternate host on which the LDAP server is running.
Specify an alternate TCP port where the LDAP server is listening.
Use \fIsearchbase\fP as the starting point for the search instead of
.BI \-s \ base\fR\||\|\fIone\fR\||\|\fIsub
Specify the scope of the search to be one of
to specify a base object, one-level, or subtree search. The default
.BI \-a \ never\fR\||\|\fIalways\fR\||\|\fIsearch\fR\||\|\fIfind
Specify how alias dereferencing is done. Should be one of
to specify that aliases are never dereferenced, always dereferenced,
dereferenced when searching, or dereferenced only when locating the
base object for the search. The default is to never dereference aliases.
.BI \-P \ 2\fR\||\|\fI3
Specify the LDAP protocol version to use.
Wait at most \fItimelimit\fP seconds for a search to complete. A
A server may impose a maximal timelimit which only
the root user may override.
Retrieve at most \fIsizelimit\fP entries for a search. A sizelimit
A server may impose a maximal sizelimit which only
the root user may override.
Request the use of SASL privacy (encryption). If the server allows it, data
sent between the client and the server will be encrypted. If the server
requires the use of encryption and this flag is not specified, the command
will fail. If you use
, the command will fail if the server does not support encryption.
Request the use of SASL integrity checking. It protects data sent between the
client and the server from being modified along the way, but it does not
prevent sniffing. If the server requires the use of integrity checking and
this flag is not specified, the command will fail. If you use
, the command will fail if the server does not support this function.
Specify the username for SASL bind. The syntax of the username depends on the
actual SASL mechanism used.
Specify the requested authorization ID for SASL bind.
must be one of the following formats:
.I <distinguished name>
Specify the SASL mechanism to be used for authentication. If it's not
specified, the program will choose the best mechanism the server knows.
Issue StartTLS (Transport Layer Security) extended operation. If you use
, the command will require the operation to be successful.
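Added example (not part of the OpenLDAP manual or its code) for the option described above that reads lines from a file and substitutes each one for %s in the filter: a line containing filter metacharacters changes the meaning of the search unless it is escaped first. The function names are hypothetical, the sample lines are constructed, and the hex escapes assumed are those of RFC 2254 / RFC 4515, the successors to the RFC 1558 filter syntax this page cites.

```shell
#!/bin/sh
# Added example: escape untrusted lines before ldapsearch substitutes them
# for %s in a filter pattern. All function names here are hypothetical.

# Escape the characters that have meaning inside an LDAP filter value.
# Backslash is handled first so the escapes added afterwards survive.
ldap_escape_filter() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g'  -e 's/)/\\29/g'
}

# Mimic the documented substitution: only the first %s is replaced.
expand_filter() {
    pattern=$1 value=$2
    case $pattern in
        # "%%" is the suffix-removal operator, followed by the pattern "%s*".
        *%s*) printf '%s%s%s' "${pattern%%%s*}" "$value" "${pattern#*%s}" ;;
        *)    printf '%s' "$pattern" ;;
    esac
}

# Read raw lines on stdin, write escaped lines suitable for the -f file.
escape_lines() {
    while IFS= read -r line || [ -n "$line" ]; do
        [ -n "$line" ] || continue      # skip empty lines
        ldap_escape_filter "$line"; printf '\n'
    done
}

# Constructed sample input: one ordinary surname and two lines that carry
# filter metacharacters. Prints the filter each line would produce.
demo() {
    printf '%s\n' 'smith' '*)(uid=*' 'a\b(c)' | escape_lines |
    while IFS= read -r v; do
        printf '%s\n' "$(expand_filter '(sn=%s)' "$v")"
    done
}

demo
# Assumed real use (file names are placeholders):
#   escape_lines < raw.txt > safe.txt
#   ldapsearch -LLL -f safe.txt "(sn=%s)" cn sn
```

Without the escaping step the second sample line would turn the pattern (sn=%s) into two adjacent filter items; with it, the whole line stays a literal surname value.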
If one or more entries are found, each entry is written to standard output
Distinguished Name (DN)
User Friendly Name (this line present only if the -u option is used)
Multiple entries are separated with a single blank line.
If the -t option is used, the name of a temporary file
is used in place of the actual value. If the -A option
is given, only the "attributename" part is written.
The following command:
ldapsearch -LLL "(sn=smith)" cn sn telephoneNumber
will perform a subtree search (using the default search base) for
entries with a surname (sn) of smith. The common name (cn), surname
(sn) and telephoneNumber values will be retrieved and printed to
The output might look something like this if two entries are found:
dn: uid=jts, ou=Volunteers, ou=People, dc=OpenLDAP, dc=org
telephoneNumber: 1 555 123-4567
dn: uid=sss, ou=Staff, ou=People, dc=OpenLDAP, dc=org
telephoneNumber: 1 555 765-4321
ldapsearch -LLL -u -t "(uid=xyz)" jpegPhoto audio
will perform a subtree search using the default search base for entries
with user id of "xyz". The user friendly form of the entry's DN will be
output after the line that contains the DN itself, and the jpegPhoto
and audio values will be retrieved and written to temporary files. The
output might look like this if one entry with one value for each of the
requested attributes is found:
dn: uid=xyz, ou=Staff, ou=People, dc=OpenLDAP, dc=org
ufn: xyz, Staff, People, OpenLDAP, org
audio:< file::/tmp/ldapsearch-audio-a19924
jpegPhoto:< file::=/tmp/ldapsearch-jpegPhoto-a19924
ldapsearch -LLL -s one -b "c=US" "(o=University*)" o description
will perform a one-level search at the c=US level for all entries
whose organizationName (o) begins with \fBUniversity\fP.
The organizationName and description attribute values will be retrieved
and printed to standard output, resulting in output similar to this:
dn: o=University of Alaska Fairbanks, c=US
o: University of Alaska Fairbanks
description: Preparing Alaska for a brave new yesterday
description: leaf node only
dn: o=University of Colorado at Boulder, c=US
o: University of Colorado at Boulder
description: No personnel information
description: Institution of education and research
dn: o=University of Colorado at Denver, c=US
o: University of Colorado at Denver
description: Institute for Higher Learning and Research
dn: o=University of Florida, c=US
o: University of Florida
description: Warper of young minds
Exit status is 0 if no errors occur. Errors result in a non-zero exit
status and a diagnostic message being written to standard error.
.IR "A String Representation of Distinguished Names",
ISODE Consortium, March 1995.
.IR "A String Representation of LDAP Search Filters",
University of Michigan, December 1993.
is developed and maintained by The OpenLDAP Project (http://www.openldap.org/).
is derived from University of Michigan LDAP 3.3 Release.