.TH LDAPSEARCH 1 "21 July 1999" "OpenLDAP LDVERSION"
ldapsearch \- LDAP search tool
.BI \-d \ debuglevel\fR]
.BI \-w \ bindpasswd\fR]
.BI \-h \ ldaphost\fR]
.BI \-p \ ldapport\fR]
.BI \-b \ searchbase\fR]
.BI \-s \ base\fR\||\|\fIone\fR\||\|\fIsub\fR]
.BI \-a \ never\fR\||\|\fIalways\fR\||\|\fIsearch\fR\||\|\fIfind\fR]
.BI \-l \ timelimit\fR]
.BI \-z \ sizelimit\fR]
is a shell-accessible interface to the
opens a connection to an LDAP server, binds, and performs a search
using the filter \fIfilter\fP. The \fIfilter\fP should conform to
the string representation for LDAP filters as defined in RFC 1558.
finds one or more entries, the attributes specified by
\fIattrs\fP are retrieved and the entries and values are printed to
standard output. If no \fIattrs\fP are listed, all attributes are
Show what would be done, but don't actually perform the search. Useful for
debugging in conjunction with -v.
Include the User Friendly form of the Distinguished Name (DN) in the output
Run in verbose mode, with many diagnostics written to standard output
Use Kerberos authentication instead of simple authentication. It is
assumed that you already have a valid ticket granting ticket.
must be compiled with KERBEROS defined for this option to have any effect.
Same as \-k, but only does step 1 of the Kerberos bind. This is useful
when connecting to a slapd and there is no x500dsa.hostname principal
registered with your Kerberos servers.
Write retrieved values to a set of temporary files. This is useful for
dealing with non-ASCII values such as jpegPhoto or audio.
Retrieve attributes only (no values). This is useful when you just want to
see if an attribute is present in an entry and are not interested in the
Do not suppress display of non-ASCII values. This is useful when
dealing with values that appear in alternate character sets such as
ISO-8859-1. This option is implied by -L (see below).
Display search results in
format. This option also turns on the -B option, and causes the -F option
Do not automatically follow referrals returned while searching.
must be compiled with LDAP_REFERRALS defined for referrals to be
automatically followed by default, and for this option to have any effect.
Use \fIsep\fP as the field separator between attribute names and values.
The default separator is `=', unless the -L flag has been specified, in
which case this option is ignored.
Sort the entries returned based on \fIattribute\fP. The default is not
to sort entries returned. If \fIattribute\fP is a zero-length string (""),
the entries are sorted by the components of their Distinguished Name. See
for more details. Note that
normally prints out entries as it receives them. The use of the
option defeats this behavior, causing all entries to be retrieved,
then sorted, then printed.
Set the LDAP debugging level to \fIdebuglevel\fP.
must be compiled with LDAP_DEBUG defined for this option to have any effect.
Read a series of lines from \fIfile\fP, performing one LDAP search for
each line. In this case, the \fIfilter\fP given on the command line
is treated as a pattern where the first occurrence of \fB%s\fP is
replaced with a line from \fIfile\fP. If \fIfile\fP is a single \fI-\fP
character, then the lines are read from standard input.
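The substitution described above, as an added example that is not part of the original manual page or of OpenLDAP: each line takes the place of %s inside the filter, so a line that carries filter syntax (a lone * turns uid=%s into uid=*) changes what is searched. The functions escape_filter_value and prepare_filter_input are hypothetical names; the escaping follows the RFC 1558 rule of preceding *, ( and ) with a backslash, and rejecting lines that already contain a backslash is an assumption of this example.

```shell
#!/bin/sh
# Added example (not OpenLDAP code): clean input lines before `ldapsearch -f`.

# Escape one value for use inside an RFC 1558 filter string.
# Prints the escaped value; returns 1 if the value is rejected.
escape_filter_value() {
    case $1 in
        # Assumption: RFC 1558 defines escapes only for * ( ), so a line
        # that already holds a backslash is refused rather than guessed at.
        *\\*) return 1 ;;
    esac
    # Precede each of * ( ) with a backslash.
    printf '%s\n' "$1" | sed 's/[*()]/\\&/g'
}

# Read lines on stdin, write escaped lines on stdout.
# Rejected lines are reported on stderr; exit status 0 means all accepted.
prepare_filter_input() {
    rc=0
    # The `|| [ -n "$line" ]` keeps a final line that lacks a newline.
    while IFS= read -r line || [ -n "$line" ]; do
        if escaped=$(escape_filter_value "$line"); then
            printf '%s\n' "$escaped"
        else
            printf 'rejected input line: %s\n' "$line" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Usage with constructed sample input (one plain uid, one wildcard value):
#   printf 'mcs\nsm*th\n' | prepare_filter_input | ldapsearch -f - "uid=%s" cn
```

With the cleaned stream on standard input, the wildcard in the second sample line reaches the server as a literal character rather than as a match-anything pattern.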
Use \fIbinddn\fP to bind to the LDAP directory. \fIbinddn\fP should be
a string-represented DN as defined in RFC 1779.
Prompt for simple authentication.
This is used instead of specifying the password on the command line.
Use \fIbindpasswd\fP as the password for simple authentication.
Specify an alternate host on which the LDAP server is running.
Specify an alternate TCP port where the LDAP server is listening.
Use \fIsearchbase\fP as the starting point for the search instead of
.BI \-s \ base\fR\||\|\fIone\fR\||\|\fIsub
Specify the scope of the search to be one of
to specify a base object, one-level, or subtree search. The default
.BI \-a \ never\fR\||\|\fIalways\fR\||\|\fIsearch\fR\||\|\fIfind
Specify how alias dereferencing is done. Should be one of
to specify that aliases are never dereferenced, always dereferenced,
dereferenced when searching, or dereferenced only when locating the
base object for the search. The default is to never dereference aliases.
Wait at most \fItimelimit\fP seconds for a search to complete. A
A server may impose a maximal timelimit which only
the root user may override.
Retrieve at most \fIsizelimit\fP entries for a search. A sizelimit
A server may impose a maximal sizelimit which only
the root user may override.
If one or more entries are found, each entry is written to standard output
Distinguished Name (DN)
User Friendly Name (this line present only if the -u option is used)
Multiple entries are separated with a single blank line. If the -F option
is used to specify a separator character, it will be used instead of the
`=' character. If the -t option is used, the name of a temporary file
is used in place of the actual value. If the -A option
is given, only the "attributename" part is written.
The following command:
ldapsearch "cn=mark smith" cn telephoneNumber
will perform a subtree search (using the default search base) for entries
with a commonName of "mark smith". The commonName and telephoneNumber
values will be retrieved and printed to standard output.
The output might look something like this if two entries are found:
cn=Mark D Smith, ou="College of Literature, Science, and the Arts", ou=Students, ou=People, o=University of Michigan, c=US
telephoneNumber=+1 313 930-9489
cn=Mark C Smith, ou=Information Technology Division, ou=Faculty and Staff, ou=People, o=University of Michigan, c=US
telephoneNumber=+1 313 764-2277
ldapsearch -u -t "uid=mcs" jpegPhoto audio
will perform a subtree search using the default search base for entries
with user id of "mcs". The user friendly form of the entry's DN will be
output after the line that contains the DN itself, and the jpegPhoto
and audio values will be retrieved and written to temporary files. The
output might look like this if one entry with one value for each of the
requested attributes is found:
cn=Mark C Smith, ou=Information Technology Division, ou=Faculty and Staff, ou=People, o=University of Michigan, c=US
Mark C Smith, Information Technology Division, Faculty and Staff, People, University of Michigan, US
audio=/tmp/ldapsearch-audio-a19924
jpegPhoto=/tmp/ldapsearch-jpegPhoto-a19924
ldapsearch -L -s one -b "c=US" "o=university*" o description
will perform a one-level search at the c=US level for all organizations
whose organizationName begins with \fBuniversity\fP. Search results
will be displayed in the LDIF format.
The organizationName and description attribute values will be retrieved
and printed to standard output, resulting in output similar to this:
dn: o=University of Alaska Fairbanks, c=US
o: University of Alaska Fairbanks
description: Preparing Alaska for a brave new yesterday
description: leaf node only
dn: o=University of Colorado at Boulder, c=US
o: University of Colorado at Boulder
description: No personnel information
description: Institution of education and research
dn: o=University of Colorado at Denver, c=US
o: University of Colorado at Denver
description: Institute for Higher Learning and Research
dn: o=University of Florida, c=US
o: University of Florida
description: Warper of young minds
Exit status is 0 if no errors occur. Errors result in a non-zero exit
status and a diagnostic message being written to standard error.
.IR "A String Representation of Distinguished Names",
ISODE Consortium, March 1995.
.IR "A String Representation of LDAP Search Filters",
University of Michigan, December 1993.
is developed and maintained by The OpenLDAP Project (http://www.openldap.org/).
is derived from University of Michigan LDAP 3.3 Release.