ldapsearch(1)
NAME
ldapsearch - ldap search tool
SYNOPSIS
ldapsearch [-n] [-u] [-v] [-t] [-A] [-B] [-L] [-R] [-
d debuglevel] [-F sep] [-f file] [-D binddn] [-w passwd] [-
h ldaphost] [-M authentication] [-p ldapport] [-
b searchbase] [-s scope] [-a deref] [ -l timelimit] [
-z sizelimit] filter [attrs...]
DESCRIPTION
ldapsearch opens a connection to an LDAP server, binds, and
performs a search using the filter filter.
If ldapsearch finds one or more entries, the attributes
specified by attrs are retrieved and the entries and values
are printed to standard output. If no attrs are listed, all
attributes are returned.
Output Format
If one or more entries are found, each entry is written to
standard output in the form:
Distinguished Name (DN)
User Friendly Name (if the -u option is used)
attributename=value
attributename=value
attributename=value
...
Multiple entries are separated with a single blank line. If
the -F option is used to specify a different separator
character, this character will be used instead of the `='
character. If the -t option is used, the name of a tem-
porary file is returned in place of the actual value. If the
-A option is given, only the "attributename" is returned and
not the attribute value.
OPTIONS
The following options are supported:
-A Retrieve attributes only (no values). This is useful
when you just want to see whether an attribute is
present in an entry and are not interested in the
specific value.
-a deref
Specify how aliases dereferencing is done. The possi-
ble values for deref are never, always, search, or
find to specify respectively that aliases are never
dereferenced, always dereferenced, dereferenced when
searching, or dereferenced only when finding the base
object for the search. The default is to never
dereference aliases.
-B Do not suppress display of non-ASCII values. This is
useful when dealing with values that appear in alter-
nate character sets such as ISO-8859.1. This option is
automatically set by the -L option.
-b searchbase
Use searchbase as the starting point for the search
instead of the default.
-D binddn
Use the distinguished name binddn to bind to the
directory.
-d debuglevel
Set the LDAP debugging level. Useful levels of debug-
ging for ldapsearch are:
1 Trace
2 Packets
4 Arguments
32 Filters
128 Access control
To request more than one category of debugging infor-
mation, add the masks. For example, to request trace
and filter information, specify a debuglevel of 33.
-F sep
Use sep as the field separator between attribute names
and values. The default separator is `='. If -L
option has been specified, this option is ignored.
-f file
Read a series of lines from file, performing one LDAP
search for each line. In this case, the filter given
on the command line is treated as a pattern where the
first occurrence of %s is replaced with a line from
file. If file is a single - character, then the lines
are read from standard input.
-h ldaphost
Specify an alternate host on which the slapd server is
running.
-L Display search results in a modified format. This
option also turns on the -B option, and causes the -F
option to be ignored.
-l timelimit
Wait at most timelimit seconds for a search to com-
plete.
-M authentication
Specifies the authentication mechanism used to bind to
the directory.
The default authentication method for ldapsearch is
simple bind. simple bind sends the password to the
server in the clear. The password is subject to snoop-
ing if the server is not local. You must use special
care when you use this command with the default
authentication method. If your server supports the
challenge response method CRAM-MD5 authentication
method, you can override the default authentication
method by using the -M option with CRAM-MD5 as the
value for authentication.
The bind DN and bind password are mandatory with this
option.
-n Show what would be done, but do not actually perform
the search. Useful in conjunction with -v and -d for
debugging.
-p ldapport
Specify an alternate TCP port where the slapd server
is listening.
-R Do not automatically follow referrals returned while
searching.
-s scope
Specify the scope of the search. The possible values
of scope are base, one, or sub to specify respectively
a base object, one-level, or subtree search. The
default is sub.
-t Write retrieved values to a set of temporary files.
This is useful for dealing with non-ASCII values such
as jpegPhoto or audio.
-u Include the user-friendly form of the Distinguished
Name (DN) in the output.
-v Run in verbose mode, with diagnostics written to stan-
dard output.
-w passwd
Use passwd as the password for authentication to the
directory. When you use -w passwd to specify the pass-
word to be used for authentication, the password is
visible to other users of the system by means of the
ps command, in script files or in shell history. If
you use the ldapsearch command without this option,
the command will prompt for the password and read it
from standard in. When used without the -w option, the
password will not be visible to other users.
-z sizelimit
Retrieve at most sizelimit entries for a search to
complete.
EXAMPLES
Example 1: Performing a Subtree Search
The following command performs a subtree search (using the
default search base) for entries with a commonName of "mark
smith". The commonName and telephoneNumber values will be
retrieved and printed to standard output.
example% ldapsearch "cn=mark smith" cn telephoneNumber
The output looks something like this:
cn=Mark D Smith, ou=Sales, ou=Atlanta, ou=People, o=XYZ, c=US
cn=Mark Smith
cn=Mark David Smith
cn=Mark D Smith 1
cn=Mark D Smith
telephoneNumber=+1 123 456-7890
cn=Mark C Smith, ou=Distribution, ou=Atlanta, ou=People, o=XYZ, c=US
cn=Mark Smith
cn=Mark C Smith 1
cn=Mark C Smith
telephoneNumber=+1 123 456-9999
Example 2: Performing a Subtree Search Using the Default
Search Base
The following command performs a subtree search using the
default search base for entries with user id of "mcs". The
user-friendly form of the entry's DN will be output after
the line that contains the DN itself, and the jpegPhoto and
audio values will be retrieved and written to temporary
files.
example%ldapsearch -u -t "uid=mcs" jpegPhoto audio
The output might look like this if one entry with one value
for each of the requested attributes is found:
cn=Mark C Smith, ou=Distribution, ou=Atlanta, ou=People, o=XYZ, c=US
Mark C Smith, Distribution, Atlanta, People, XYZ, US
audio=/tmp/ldapsearch-audio-a19924
jpegPhoto=/tmp/ldapsearch-jpegPhoto-a19924
Example 3: Performing a One Level Search
The following command performs a one-level search at the
c=US level for all organizations whose organizationName
begins with XY.
example% ldapsearch -L -s one -b "c=US" "o=XY*" o description
Search results are displayed in the LDIF format. The organ-
izationName and description attribute values will be
retrieved and printed to standard output, resulting in out-
put similar to this:
dn: o=XYZ, c=US
o: XYZ
description: XYZ Corporation
dn: o="XY Trading Company", c=US
o: XY Trading Company
description: Import and export specialists
dn: o=XYInternational, c=US
o: XYInternational
o: XYI
o: XY International
EXIT STATUS
The following exit values are returned:
0 Successful completion.
>0 An error occurred. A diagnostic message is written to
standard error.
ATTRIBUTES
See attributes(5) for a description of the following attri-
butes:
____________________________________________________________
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
|_____________________________|_____________________________|
| Availability | SUNWcsu |
|_____________________________|_____________________________|
| Stability Level | Evolving |
|_____________________________|_____________________________|
SEE ALSO
ldapadd(1), ldapdelete(1), ldapmodify(1), ldapmodrdn(1),
attributes(5)
Man(1) output converted with
man2html