ldapsearch - ldap search tool


     ldapsearch [-n] [-u]  [-v]  [-t]  [-A]  [-B]  [-L]  [-R]  [-
     d debuglevel]  [-F sep] [-f file] [-D binddn] [-w passwd] [-
     h ldaphost]     [-M authentication]     [-p ldapport]     [-
     b searchbase]   [-s scope]   [-a deref]  [  -l timelimit]  [
     -z sizelimit] filter [attrs...]


     ldapsearch opens a connection to an LDAP server, binds,  and
     performs a search using the filter filter.

     If ldapsearch finds one  or  more  entries,  the  attributes
     specified  by attrs are retrieved and the entries and values
     are printed to standard output.  If no attrs are listed, all
     attributes are returned.

  Output Format
     If one or more entries are found, each entry is  written  to
     standard output in the form:

     Distinguished Name (DN)
         User Friendly Name (if the -u option is used)

     Multiple entries are separated with a single blank line.  If
     the   -F  option  is  used  to specify a different separator
     character, this  character will be used  instead of the  `='
     character.   If  the   -t option is used, the name of a tem-
     porary file is returned in place of the actual value. If the
     -A option is given, only the "attributename" is returned and
     not the attribute value.


     The following options are supported:

     -A    Retrieve attributes only (no values).  This is  useful
           when  you  just  want  to  see whether an attribute is
           present in an entry and  are  not  interested  in  the
           specific value.

     -a deref
           Specify how aliases dereferencing is done. The  possi-
           ble  values  for  deref  are never, always, search, or
           find to specify respectively that  aliases  are  never
           dereferenced,  always  dereferenced, dereferenced when
           searching, or dereferenced only when finding the  base
           object  for  the  search.   The  default  is  to never
           dereference aliases.

     -B    Do not suppress display of non-ASCII values.  This  is
           useful  when dealing with values that appear in alter-
           nate character sets such as ISO-8859.1. This option is
           automatically set by the -L option.

     -b searchbase
           Use searchbase as the starting point  for  the  search
           instead of the default.

     -D binddn
           Use the distinguished  name  binddn  to  bind  to  the

     -d debuglevel
           Set the LDAP debugging level. Useful levels of  debug-
           ging for ldapsearch are:

           1     Trace

           2     Packets

           4     Arguments

           32    Filters

           128   Access control

           To request more than one category of debugging  infor-
           mation,  add  the masks. For example, to request trace
           and filter information, specify a debuglevel of 33.

     -F sep
           Use sep as the field separator between attribute names
           and  values.  The  default  separator  is  `='. If  -L
           option has been specified, this option is  ignored.

     -f file
           Read a series of lines from file, performing one  LDAP
           search  for each line.  In this case, the filter given
           on the command line is treated as a pattern where  the
           first  occurrence  of  %s is replaced with a line from
           file.  If file is a single - character, then the lines
           are read from standard input.

     -h ldaphost
           Specify an alternate host on which the slapd server is

     -L    Display search results in  a  modified  format.   This
           option  also turns on the -B option, and causes the -F
           option to be ignored.

     -l timelimit
           Wait at most timelimit seconds for a  search  to  com-

     -M authentication
           Specifies the authentication mechanism used to bind to
           the directory.

           The default authentication method  for  ldapsearch  is
           simple  bind.  simple  bind  sends the password to the
           server in the clear. The password is subject to snoop-
           ing  if  the server is not local. You must use special
           care when  you  use  this  command  with  the  default
           authentication  method.  If  your  server supports the
           challenge  response  method  CRAM-MD5   authentication
           method,  you  can  override the default authentication
           method by using the -M option  with  CRAM-MD5  as  the
           value for  authentication.

           The bind DN and bind password are mandatory with  this

     -n    Show what would be done, but do not  actually  perform
           the search.  Useful in  conjunction with -v and -d for

     -p ldapport
           Specify an alternate TCP port where the  slapd  server
           is listening.

     -R    Do not automatically follow referrals  returned  while

     -s scope
           Specify the scope of the search. The  possible  values
           of scope are base, one, or sub to specify respectively
           a base  object,  one-level,  or  subtree  search.  The
           default is sub.

     -t    Write retrieved values to a set  of  temporary  files.
           This  is useful for dealing with non-ASCII values such
           as jpegPhoto or audio.

     -u    Include the user-friendly form  of  the  Distinguished
           Name (DN) in the output.

     -v    Run in verbose mode, with diagnostics written to stan-
           dard output.

     -w passwd
           Use passwd as the password for authentication  to  the
           directory. When you use -w passwd to specify the pass-
           word to be used for authentication,  the  password  is
           visible  to  other users of the system by means of the
           ps command, in script files or in  shell  history.  If
           you  use  the  ldapsearch command without this option,
           the command will prompt for the password and  read  it
           from standard in. When used without the -w option, the
           password will not be visible to other users.

     -z sizelimit
           Retrieve at most sizelimit entries  for  a  search  to


     Example 1: Performing a Subtree Search

     The following command performs a subtree search  (using  the
     default  search base) for entries with a commonName of "mark
     smith".  The commonName and telephoneNumber values  will  be
     retrieved and printed to standard output.

     example% ldapsearch "cn=mark smith" cn telephoneNumber

     The output looks something like this:

     cn=Mark D Smith, ou=Sales, ou=Atlanta, ou=People, o=XYZ, c=US
     cn=Mark Smith
     cn=Mark David Smith
     cn=Mark D Smith 1
     cn=Mark D Smith
     telephoneNumber=+1 123 456-7890
     cn=Mark C Smith, ou=Distribution, ou=Atlanta, ou=People, o=XYZ, c=US
     cn=Mark Smith
     cn=Mark C Smith 1
     cn=Mark C Smith
     telephoneNumber=+1 123 456-9999

     Example 2: Performing a Subtree  Search  Using  the  Default
     Search Base

     The following command performs a subtree  search  using  the
     default  search base for entries with user id of "mcs".  The
     user-friendly form of the entry's DN will  be  output  after
     the  line that contains the DN itself, and the jpegPhoto and
     audio values will be  retrieved  and  written  to  temporary

     example%ldapsearch -u -t "uid=mcs" jpegPhoto audio

     The output might look like this if one entry with one  value
     for each of the requested attributes is found:

     cn=Mark C Smith, ou=Distribution, ou=Atlanta, ou=People, o=XYZ, c=US
     Mark C Smith, Distribution, Atlanta, People, XYZ, US

     Example 3: Performing a One Level Search

     The following command performs a  one-level  search  at  the
     c=US  level  for  all  organizations  whose organizationName
     begins with XY.

     example% ldapsearch -L -s one -b "c=US" "o=XY*" o description

     Search results are displayed in the LDIF format. The  organ-
     izationName   and   description  attribute  values  will  be
     retrieved and printed to standard output, resulting in  out-
     put similar to this:

     dn: o=XYZ, c=US
     o: XYZ
     description: XYZ Corporation
     dn: o="XY Trading Company", c=US
     o: XY Trading Company
     description: Import and export specialists

     dn: o=XYInternational, c=US
     o: XYInternational
     o: XYI
     o: XY International


     The following exit values are returned:

     0     Successful completion.

     >0    An error occurred. A diagnostic message is written  to
           standard error.


     See attributes(5) for a description of the following  attri-

    |       ATTRIBUTE TYPE        |       ATTRIBUTE VALUE       |
    | Availability                | SUNWcsu                     |
    | Stability Level             | Evolving                    |


     ldapadd(1),  ldapdelete(1),  ldapmodify(1),   ldapmodrdn(1),

Man(1) output converted with man2html