Name
ldapsearch — perform LDAP search operations
Synopsis
ldapsearch
{options} [filter] [attributes...]
Options
The following options are supported.
-a, --dereferencePolicy {dereferencePolicy}
-
Alias dereference policy ('never', 'always', 'search', or 'find')
Default value: never
-A, --typesOnly
-
Only retrieve attribute names but not their values
--assertionFilter {filter}
-
Use the LDAP assertion control with the provided filter
-b, --baseDN {baseDN}
-
Base DN format string
-c, --continueOnError
-
Continue processing even if there are errors
-C, --persistentSearch ps[:changetype[:changesonly[:entrychgcontrols]]]
-
Use the persistent search control
--countEntries
-
Count the number of entries returned by the server
-e, --getEffectiveRightsAttribute {attribute}
-
Specifies geteffectiverights control specific attribute list
-f, --filename {file}
-
LDIF file containing the changes to apply
-g, --getEffectiveRightsAuthzid {authzID}
-
Use geteffectiverights control with the provided authzid
-G, --virtualListView {before:after:index:count | before:after:value}
-
Use the virtual list view control to retrieve the specified results page
-J, --control {controloid[:criticality[:value|::b64value|:<filePath]]}
-
Use a request control with the provided information
-l, --timeLimit {timeLimit}
-
Maximum length of time in seconds to allow for the search
Default value: 0
--matchedValuesFilter {filter}
-
Use the LDAP matched values control with the provided filter
-n, --dry-run
-
Show what would be done but do not perform any operation
-s, --searchScope {searchScope}
-
Search scope ('base', 'one', 'sub', or 'subordinate')
Default value: sub
subordinate
is an LDAP extension that might not work with all LDAP servers. -S, --sortOrder {sortOrder}
-
Sort the results using the provided sort order
--simplePageSize {numEntries}
-
Use the simple paged results control with the given page size
Default value: 1000
-Y, --proxyAs {authzID}
-
Use the proxied authorization control with the given authorization ID
-z, --sizeLimit {sizeLimit}
-
Maximum number of entries to return from the search
Default value: 0
LDAP Connection Options
-D, --bindDN {bindDN}
-
DN to use to bind to the server
Default value: cn=Directory Manager
-E, --reportAuthzID
-
Use the authorization identity control
-h, --hostname {host}
-
Directory server hostname or IP address
Default value: localhost.localdomain
-j, --bindPasswordFile {bindPasswordFile}
-
Bind password file
-K, --keyStorePath {keyStorePath}
-
Certificate key store path
-N, --certNickname {nickname}
-
Nickname of certificate for SSL client authentication
-o, --saslOption {name=value}
-
SASL bind options
-p, --port {port}
-
Directory server port number
Default value: 389
-P, --trustStorePath {trustStorePath}
-
Certificate trust store path
-q, --useStartTLS
-
Use StartTLS to secure communication with the server
-T, --trustStorePassword {trustStorePassword}
-
Certificate trust store PIN
-u, --keyStorePasswordFile {keyStorePasswordFile}
-
Certificate key store PIN file
-U, --trustStorePasswordFile {path}
-
Certificate trust store PIN file
--usePasswordPolicyControl
-
Use the password policy request control
-V, --ldapVersion {version}
-
LDAP protocol version number
Default value: 3
-w, --bindPassword {bindPassword}
-
Password to use to bind to the server
-W, --keyStorePassword {keyStorePassword}
-
Certificate key store PIN
-X, --trustAll
-
Trust all server SSL certificates
-Z, --useSSL
-
Use SSL for secure communication with the server
Utility Input/Output Options
-i, --encoding {encoding}
-
Use the specified character set for command-line input
--noPropertiesFile
-
No properties file will be used to get default command line argument values
--propertiesFilePath {propertiesFilePath}
-
Path to the file containing default property values used for command line arguments
-t, --dontWrap
-
Do not wrap long lines
-v, --verbose
-
Use verbose mode
Filter
The filter argument is a string representation of an LDAP search filter
as in (cn=Babs Jensen)
, (&(objectClass=Person)(|(sn=Jensen)(cn=Babs J*)))
, or
(cn:caseExactMatch:=Fred Flintstone)
.
Attribute
The optional attribute list specifies the attributes to return in the
entries found by the search. In addition to identifying attributes by name
such as cn sn mail
and so forth, you can use the following
notations, too.
*
-
Return all user attributes such as
cn
,sn
, andmail
. +
-
Return all operational attributes such as
etag
andpwdPolicySubentry
. @
objectclass
-
Return all attributes of the specified object class, where
objectclass
is one of the object classes on the entries returned by the search.
Exit Codes
- 0
-
The command completed successfully.
ldap-error
-
An LDAP error occurred while processing the operation.
LDAP result codes are described in RFC 4511. Also see the additional information for details.
- 89
-
An error occurred while parsing the command-line arguments.
Files
You can use ~/.opendj/tools.properties
to set
the defaults for bind DN, host name, and port number as in the following
example.
hostname=directory.example.com port=1389 bindDN=uid=kvaughan,ou=People,dc=example,dc=com ldapcompare.port=1389 ldapdelete.port=1389 ldapmodify.port=1389 ldappasswordmodify.port=1389 ldapsearch.port=1389
Examples
The following example searches for entries with UID containing
jensen
, returning only DNs and uid values.
$ ldapsearch -p 1389 -b dc=example,dc=com "(uid=*jensen*)" uid dn: uid=ajensen,ou=People,dc=example,dc=com uid: ajensen dn: uid=bjensen,ou=People,dc=example,dc=com uid: bjensen dn: uid=gjensen,ou=People,dc=example,dc=com uid: gjensen dn: uid=jjensen,ou=People,dc=example,dc=com uid: jjensen dn: uid=kjensen,ou=People,dc=example,dc=com uid: kjensen dn: uid=rjensen,ou=People,dc=example,dc=com uid: rjensen dn: uid=tjensen,ou=People,dc=example,dc=com uid: tjensen Result Code: 0 (Success)
You can also use @
notation in the attribute list to return
the attributes of a particular object class. The following example shows
how to return attributes of the objectclass
inetOrgPerson
object
class.
$ ldapsearch -p 1389 -b dc=example,dc=com "(uid=bjensen)" @inetorgperson dn: uid=bjensen,ou=People,dc=example,dc=com givenName: Barbara objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson objectClass: posixAccount objectClass: top uid: bjensen cn: Barbara Jensen cn: Babs Jensen telephoneNumber: +1 408 555 1862 sn: Jensen roomNumber: 0209 mail: bjensen@example.com l: Cupertino ou: Product Development ou: People facsimileTelephoneNumber: +1 408 555 1992
You can use +
in the attribute list to return
all operational attributes, as in the following example.
$ ldapsearch -p 1389 -b dc=example,dc=com "(uid=bjensen)" + dn: uid=bjensen,ou=People,dc=example,dc=com numSubordinates: 0 structuralObjectClass: inetOrgPerson etag: 0000000073c29972 pwdPolicySubentry: cn=Default Password Policy,cn=Password Policies,cn=config subschemaSubentry: cn=schema hasSubordinates: false entryDN: uid=bjensen,ou=people,dc=example,dc=com entryUUID: fc252fd9-b982-3ed6-b42a-c76d2546312c