.TH LDAPSEARCH 1 "RELEASEDATE" "OpenLDAP LDVERSION"
.\" $OpenLDAP$
-.\" Copyright 1998-2005 The OpenLDAP Foundation All Rights Reserved.
+.\" Copyright 1998-2006 The OpenLDAP Foundation All Rights Reserved.
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
.SH NAME
ldapsearch \- LDAP search tool
[\c
.BR \-v ]
[\c
-.BR \-k ]
+.BR \-t[t] ]
[\c
-.BR \-K ]
+.BI \-T \ path\fR]
[\c
-.BR \-t ]
+.BI \-F \ prefix\fR]
[\c
.BR \-A ]
[\c
[\c
.BR \-M[M] ]
[\c
+.BI \-S \ attribute\fR]
+[\c
.BI \-d \ debuglevel\fR]
[\c
.BI \-f \ file\fR]
[\c
+.BR \-x ]
+[\c
.BI \-D \ binddn\fR]
[\c
.BR \-W ]
[\c
.BI \-p \ ldapport\fR]
[\c
-.BI \-P \ 2\fR\||\|\fI3\fR]
-[\c
.BI \-b \ searchbase\fR]
[\c
-.BI \-s \ base\fR\||\|\fIone\fR\||\|\fIsub\fR]
+.BI \-s \ base\fR\||\|\fIone\fR\||\|\fIsub\fR\||\|\fIchildren\fR]
[\c
.BI \-a \ never\fR\||\|\fIalways\fR\||\|\fIsearch\fR\||\|\fIfind\fR]
[\c
+.BI \-P \ 2\fR\||\|\fI3\fR]
+[\c
+.BR \-e \ [!]ext[=extparam]]
+[\c
+.BR \-E \ [!]ext[=extparam]]
+[\c
.BI \-l \ timelimit\fR]
[\c
.BI \-z \ sizelimit\fR]
[\c
.BI \-R \ realm\fR]
[\c
-.BR \-x ]
-[\c
.BI \-X \ authzid\fR]
[\c
.BI \-Y \ mech\fR]
.SH DESCRIPTION
.I ldapsearch
is a shell-accessible interface to the
-.BR ldap_search (3)
+.BR ldap_search_ext (3)
library call.
.LP
.B ldapsearch
opens a connection to an LDAP server, binds, and performs a search
using specified parameters. The \fIfilter\fP should conform to
-the string representation for search filters as defined in RFC 2254.
+the string representation for search filters as defined in RFC 4515.
If not provided, the default filter, (objectClass=*), is used.
.LP
If
-.B ldapsearch finds one or more entries, the attributes specified by
+.B ldapsearch
+finds one or more entries, the attributes specified by
\fIattrs\fP are returned. If * is listed, all user attributes are
returned. If + is listed, all operational attributes are returned.
If no \fIattrs\fP are listed, all user attributes are returned. If only
.B \-v
Run in verbose mode, with many diagnostics written to standard output.
.TP
-.B \-k
-Use Kerberos IV authentication instead of simple authentication. It is
-assumed that you already have a valid ticket granting ticket.
-.B ldapsearch
-must be compiled with Kerberos support for this option to have any effect.
+.B \-t[t]
+A single -t writes retrieved non-printable values to a set of temporary
+files. This is useful for dealing with values containing non-character
+data such as jpegPhoto or audio. A second -t writes all retrieved values to
+files.
.TP
-.B \-K
-Same as \-k, but only does step 1 of the Kerberos IV bind. This is useful
-when connecting to a slapd and there is no x500dsa.hostname principal
-registered with your Kerberos Domain Controller(s).
+.BI \-T \ path
+Write temporary files to directory specified by \fIpath\fP (default:
+/var/tmp/)
.TP
-.B \-t
-Write retrieved non-printable values to a set of temporary files. This
-is useful for dealing with values containing non-character data such as
-jpegPhoto or audio.
+.BI \-F \ prefix
+URL prefix for temporary files. Default is file://\fIpath\fP/ where
+\fIpath\fP is /var/tmp/ or specified with -T.
.TP
.B \-A
Retrieve attributes only (no values). This is useful when you just want to
.BI \-S \ attribute
Sort the entries returned based on \fIattribute\fP. The default is not
to sort entries returned. If \fIattribute\fP is a zero-length string (""),
-the entries are sorted by the components of their Distingished Name. See
+the entries are sorted by the components of their Distinguished Name. See
.BR ldap_sort (3)
for more details. Note that
.B ldapsearch
.BI \-f \ file
Read a series of lines from \fIfile\fP, performing one LDAP search for
each line. In this case, the \fIfilter\fP given on the command line
-is treated as a pattern where the first occurrence of \fB%s\fP is
-replaced with a line from \fIfile\fP. If \fIfile\fP is a single \fI-\fP
-character, then the lines are read from standard input.
+is treated as a pattern where the first and only occurrence of \fB%s\fP
+is replaced with a line from \fIfile\fP. Any other occurence of the
+the \fB%\fP character in the pattern will be regarded as an error.
+Where it is desired that the search filter include a \fB%\fP character,
+the character should be encoded as \fB\\25\fP (see RFC 4515).
+If \fIfile\fP is a single
+\fI-\fP character, then the lines are read from standard input.
.TP
.B \-x
Use simple authentication instead of SASL.
simple authentication.
.TP
.BI \-H \ ldapuri
-Specify URI(s) referring to the ldap server(s).
+Specify URI(s) referring to the ldap server(s); only the protocol/host/port
+fields are allowed; a list of URI, separated by whitespace or commas
+is expected.
.TP
.BI \-h \ ldaphost
Specify an alternate host on which the ldap server is running.
Use \fIsearchbase\fP as the starting point for the search instead of
the default.
.TP
-.BI \-s \ base\fR\||\|\fIone\fR\||\|\fIsub
+.BI \-s \ base\fR\||\|\fIone\fR\||\|\fIsub\fR\||\|\fIchildren
Specify the scope of the search to be one of
.IR base ,
.IR one ,
+.IR sub ,
or
-.I sub
-to specify a base object, one-level, or subtree search. The default
-is
+.I children
+to specify a base object, one-level, subtree, or children search.
+The default is
.IR sub .
+Note:
+.I children
+scope requires LDAPv3 subordinate feature extension.
.TP
.BI \-a \ never\fR\||\|\fIalways\fR\||\|\fIsearch\fR\||\|\fIfind
Specify how aliases dereferencing is done. Should be one of
.BI \-P \ 2\fR\||\|\fI3
Specify the LDAP protocol version to use.
.TP
+.B \-e \fI[!]ext[=extparam]\fP
+.TP
+.B \-E \fI[!]ext[=extparam]\fP
+
+Specify general extensions with -e and search extensions with -E.
+\'!\' indicates criticality.
+
+General extensions:
+.nf
+ [!]assert=<filter> (an RFC 4515 Filter)
+ [!]authzid=<authzid> ("dn:<dn>" or "u:<user>")
+ [!]manageDSAit
+ [!]noop
+ ppolicy
+ [!]postread[=<attrs>] (a comma-separated attribute list)
+ [!]preread[=<attrs>] (a comma-separated attribute list)
+ abandon, cancel (SIGINT sends abandon/cancel; not really controls)
+.fi
+
+Search extensions:
+.nf
+ [!]domainScope (domain scope)
+ [!]mv=<filter> (matched values filter)
+ [!]pr=<size>[/prompt|noprompt] (paged results/prompt)
+ [!]subentries[=true|false] (subentries)
+ [!]sync=ro[/<cookie>] (LDAP Sync refreshOnly)
+ rp[/<cookie>][/<slimit>] (LDAP Sync refreshAndPersist)
+.fi
+.TP
.BI \-l \ timelimit
wait at most \fItimelimit\fP seconds for a search to complete.
A timelimit of
.BR ldap.conf (5),
.BR ldif (5),
.BR ldap (3),
-.BR ldap_search (3)
+.BR ldap_search_ext (3),
+.BR ldap_sort (3)
.SH AUTHOR
The OpenLDAP Project <http://www.openldap.org/>
.SH ACKNOWLEDGEMENTS
-.B OpenLDAP
-is developed and maintained by The OpenLDAP Project (http://www.openldap.org/).
-.B OpenLDAP
-is derived from University of Michigan LDAP 3.3 Release.
+.so ../Project