ldapsearch — perform LDAP search operations
ldapsearch
filter [attributes ...]
The ldapsearch command takes the following options:
Command options:
-a | --dereferencePolicy {dereferencePolicy}
Alias dereference policy ('never', 'always', 'search', or 'find').
Default: never
-A | --typesOnly
Only retrieve attribute names but not their values.
Default: false
--assertionFilter {filter}
Use the LDAP assertion control with the provided filter.
-b | --baseDN {baseDN}
Search base DN.
-c | --continueOnError
Continue processing even if there are errors.
Default: false
-C | --persistentSearch ps[:changetype[:changesonly[:entrychgcontrols]]]
Use the persistent search control.
A persistent search allows the client to continue receiving new results whenever changes are made to data that is in the scope of the search, thus using the search as a form of change notification.
The optional changetype
setting defines
the kinds of updates that result in notification.
If you do not set the changetype
,
the default behavior is to send notifications for all updates.
add
Send notifications for LDAP add operations.
del
delete
Send notifications for LDAP delete operations.
mod
modify
Send notifications for LDAP modify operations.
moddn
modrdn
modifydn
Send notifications for LDAP modify DN (rename and move) operations.
all
any
Send notifications for all LDAP update operations.
The optional changesonly
setting defines
whether the server returns existing entries as well as changes.
true
Do not return existing entries, but instead only notifications about changes.
This is the default setting.
false
Also return existing entries.
The optional entrychgcontrols
setting defines
whether the server returns an Entry Change Notification control
with each entry notification.
The Entry Change Notification control provides additional information
about the change that caused the entry to be returned by the search.
In particular, it indicates the change type,
the change number if available,
and the previous DN if the change type was a modify DN operation.
true
Do request the Entry Change Notification control.
This is the default setting.
false
Do not request the Entry Change Notification control.
--connectTimeout {timeout}
Maximum length of time (in milliseconds) that can be taken to establish a connection. Use '0' to specify no time out.
Default: 30000
--countEntries
Count the number of entries returned by the server.
Default: false
-e | --getEffectiveRightsAttribute {attribute}
Specifies geteffectiverights control specific attribute list.
-g | --getEffectiveRightsAuthzid {authzID}
Use geteffectiverights control with the provided authzid.
-G | --virtualListView {before:after:index:count | before:after:value}
Use the virtual list view control to retrieve the specified results page.
-J | --control {controloid[:criticality[:value|::b64value|:<filePath]]}
Use a request control with the provided information.
For some controloid
values,
you can replace object identifiers with user-friendly strings.
The strings are listed here in lower case, but the case is not important.
You can use camelCase if you prefer, for example.
accountusable
accountusability
Account Usability Control, Object Identifier: 1.3.6.1.4.1.42.2.27.9.5.8
authzid
authorizationidentity
Authorization Identity Request Control, Object Identifier: 2.16.840.1.113730.3.4.16
effectiverights
geteffectiverights
Get Effective Rights Request Control, Object Identifier: 1.3.6.1.4.1.42.2.27.9.5.2
managedsait
Manage DSAIT Request Control, Object Identifier: 2.16.840.1.113730.3.4.2
noop
no-op
No-Op Control, Object Identifier: 1.3.6.1.4.1.4203.1.10.2
pwpolicy
passwordpolicy
Password Policy Control, Object Identifier: 1.3.6.1.4.1.42.2.27.8.5.1
realattrsonly
realattributesonly
Real Attributes Only Request Control, Object Identifier: 2.16.840.1.113730.3.4.17
subtreedelete
treedelete
Subtree Delete Request Control, Object Identifier: 1.2.840.113556.1.4.805
virtualattrsonly
virtualattributesonly
Virtual Attributes Only Request Control, Object Identifier: 2.16.840.1.113730.3.4.19
-l | --timeLimit {timeLimit}
Maximum length of time in seconds to allow for the search.
Default: 0
--matchedValuesFilter {filter}
Use the LDAP matched values control with the provided filter.
-n | --dry-run
Show what would be done but do not perform any operation.
Default: false
-s | --searchScope {searchScope}
Search scope ('base', 'one', 'sub', or 'subordinates'). Note: 'subordinates' is an LDAP extension that might not work with all LDAP servers.
Default: sub
-S | --sortOrder {sortOrder}
Sort the results using the provided sort order.
--simplePageSize {numEntries}
Use the simple paged results control with the given page size.
Default: 1000
--subEntries
Use subentries control to specify that subentries are visible and normal entries are not.
Default: false
-Y | --proxyAs {authzID}
Use the proxied authorization control with the given authorization ID.
-z | --sizeLimit {sizeLimit}
Maximum number of entries to return from the search.
Default: 0
LDAP connection options:
-D | --bindDN {bindDN}
DN to use to bind to the server.
Default:
-E | --reportAuthzID
Use the authorization identity control.
Default: false
-h | --hostname {host}
The fully-qualified directory server host name that will be used when generating self-signed certificates for LDAP SSL/StartTLS, the administration connector, and replication.
Default: localhost.localdomain
-j | --bindPasswordFile {bindPasswordFile}
Bind password file.
-K | --keyStorePath {keyStorePath}
Certificate key store path.
-N | --certNickname {nickname}
Nickname of the certificate that the server should use when accepting SSL-based connections or performing StartTLS negotiation.
-o | --saslOption {name=value}
SASL bind options.
-p | --port {port}
Directory server port number.
Default: 389
-P | --trustStorePath {trustStorePath}
Certificate trust store path.
-q | --useStartTLS
Use StartTLS to secure communication with the server.
Default: false
-T | --trustStorePassword {trustStorePassword}
Certificate trust store PIN.
-u | --keyStorePasswordFile {keyStorePasswordFile}
Certificate key store PIN file. A PIN is required when you specify to use an existing certificate as server certificate.
-U | --trustStorePasswordFile {path}
Certificate trust store PIN file.
--usePasswordPolicyControl
Use the password policy request control.
Default: false
-w | --bindPassword {bindPassword}
Password to use to bind to the server. Use -w - to ensure that the command prompts for the password, rather than entering the password as a command argument.
-W | --keyStorePassword {keyStorePassword}
Certificate key store PIN. A PIN is required when you specify to use an existing certificate as server certificate.
-X | --trustAll
Trust all server SSL certificates.
Default: false
-Z | --useSSL
Use SSL for secure communication with the server.
Default: false
Utility input/output options:
--noPropertiesFile
No properties file will be used to get default command line argument values.
Default: false
--propertiesFilePath {propertiesFilePath}
Path to the file containing default property values used for command line arguments.
-t | --wrapColumn {wrapColumn}
Maximum length of an output line (0 for no wrapping).
Default: 0
-v | --verbose
Use verbose mode.
Default: false
General options:
-V | --version
Display Directory Server version information.
Default: false
-H | --help
Display this usage information.
Default: false
The filter argument is a string representation of an LDAP search filter
as in (cn=Babs Jensen)
,
(&(objectClass=Person)(|(sn=Jensen)(cn=Babs J*)))
,
or (cn:caseExactMatch:=Fred Flintstone)
.
The optional attribute list specifies the attributes to return
in the entries found by the search.
In addition to identifying attributes by name
such as cn sn mail
and so forth,
you can use the following notations, too.
*
Return all user attributes
such as cn
, sn
, and mail
.
+
Return all operational attributes
such as etag
and pwdPolicySubentry
.
@objectclass
Return all attributes of the specified object class,
where objectclass
is one of the object classes
on the entries returned by the search.
1.1
Return no attributes, only the DNs of matching entries.
The command completed successfully.
ldap-error
An LDAP error occurred while processing the operation.
LDAP result codes are described in RFC 4511. Also see the additional information for details.
An error occurred while parsing the command-line arguments.
You can use ~/.opendj/tools.properties
to set the defaults for bind DN, host name, and port number
as in the following example.
hostname=directory.example.com port=1389 bindDN=uid=kvaughan,ou=People,dc=example,dc=com ldapcompare.port=1389 ldapdelete.port=1389 ldapmodify.port=1389 ldappasswordmodify.port=1389 ldapsearch.port=1389
The following example searches for entries
with UID containing jensen
,
returning only DNs and uid values:
$ldapsearch -p 1389 -b dc=example,dc=com "(uid=*jensen*)" uid
dn: uid=ajensen,ou=People,dc=example,dc=com uid: ajensen dn: uid=bjensen,ou=People,dc=example,dc=com uid: bjensen dn: uid=gjensen,ou=People,dc=example,dc=com uid: gjensen dn: uid=jjensen,ou=People,dc=example,dc=com uid: jjensen dn: uid=kjensen,ou=People,dc=example,dc=com uid: kjensen dn: uid=rjensen,ou=People,dc=example,dc=com uid: rjensen dn: uid=tjensen,ou=People,dc=example,dc=com uid: tjensen Result Code: 0 (Success)
You can also use @
notation
in the attribute list to return the attributes of a particular object class.
The following example shows how to return attributes
of the objectclass
inetOrgPerson
object class:
$ldapsearch -p 1389 -b dc=example,dc=com "(uid=bjensen)" @inetorgperson
dn: uid=bjensen,ou=People,dc=example,dc=com givenName: Barbara objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson objectClass: posixAccount objectClass: top uid: bjensen cn: Barbara Jensen cn: Babs Jensen telephoneNumber: +1 408 555 1862 sn: Jensen roomNumber: 0209 mail: bjensen@example.com l: San Francisco ou: Product Development ou: People facsimileTelephoneNumber: +1 408 555 1992
You can use +
in the attribute list
to return all operational attributes, as in the following example:
$ldapsearch -p 1389 -b dc=example,dc=com "(uid=bjensen)" +
dn: uid=bjensen,ou=People,dc=example,dc=com numSubordinates: 0 structuralObjectClass: inetOrgPerson etag: 0000000073c29972 subschemaSubentry: cn=schema hasSubordinates: false entryDN: uid=bjensen,ou=people,dc=example,dc=com entryUUID: fc252fd9-b982-3ed6-b42a-c76d2546312c