
OpenDarwin 7.2.1 - man page for ldapsearch (opendarwin section 1)



NAME
       ldapsearch - LDAP search tool

SYNOPSIS
       ldapsearch [-n] [-u] [-v] [-k] [-K] [-t] [-A] [-L[L[L]]] [-M[M]] [-S attribute] [-d debuglevel]
       [-f file] [-D binddn] [-W] [-w passwd] [-y passwdfile] [-H ldapuri] [-h ldaphost]
       [-p ldapport] [-P 2|3] [-b searchbase] [-s base|one|sub] [-a never|always|search|find]
       [-l timelimit] [-z sizelimit] [-O security-properties] [-I] [-Q] [-U authcid] [-R realm]
       [-x] [-X authzid] [-Y mech] [-Z[Z]] filter [attrs...]

DESCRIPTION
       ldapsearch is a shell-accessible interface to the ldap_search(3) library call.

       ldapsearch opens a connection to an LDAP server, binds, and performs a search using specified
       parameters.  The filter should conform to the string representation for search filters as
       defined in RFC 2254.  If not provided, the default filter, (objectClass=*), is

       If ldapsearch finds one or more entries, the attributes specified by attrs are returned.
       If * is listed, all user attributes are returned.  If + is listed, all operational
       attributes are returned.  If no attrs are listed, all user attributes are returned.  If
       only 1.1 is listed, no attributes will be returned.

OPTIONS
       -n     Show what would be done, but don't actually perform the search.  Useful for
              debugging in conjunction with -v.

       -u     Include the User Friendly Name form of the Distinguished Name (DN) in the output.

       -v     Run in verbose mode, with many diagnostics written to standard output.

       -k     Use Kerberos IV authentication instead of simple authentication.  It is assumed
              that you already have a valid ticket granting ticket.  ldapsearch must be compiled
              with Kerberos support for this option to have any effect.

       -K     Same as -k, but only does step 1 of the Kerberos IV bind.  This is useful when con-
	      necting  to a slapd and there is no x500dsa.hostname principal registered with your
	      Kerberos Domain Controller(s).

       -t     Write retrieved values to a set of temporary files.  This  is  useful  for  dealing
	      with non-ASCII values such as jpegPhoto or audio.

       -A     Retrieve attributes only (no values).  This is useful when you just want to see if
              an attribute is present in an entry and are not interested in the specific values.

       -L     Search results are displayed in LDAP Data Interchange Format detailed in ldif(5).  A
              single -L restricts the output to LDIFv1.  A second -L disables comments.  A third
              -L disables printing of the LDIF version.  The default is to use an extended
              version of LDIF.

       -M[M]  Enable manage DSA IT control.  -MM makes control critical.

       -S attribute
              Sort the entries returned based on attribute.  The default is not to sort entries
              returned.  If attribute is a zero-length string (""), the entries are sorted by the
              components of their Distinguished Name.  See ldap_sort(3) for more details.  Note
              that ldapsearch normally prints out entries as it receives them.  The use of the -S
              option defeats this behavior, causing all entries to be retrieved, then sorted,
              then printed.

       -d debuglevel
	      Set the LDAP debugging level to  debuglevel.   ldapsearch  must  be  compiled  with
	      LDAP_DEBUG defined for this option to have any effect.

       -f file
	      Read  a  series  of  lines from file, performing one LDAP search for each line.  In
	      this case, the filter given on the command line is treated as a pattern  where  the
	      first  occurrence  of  %s is replaced with a line from file.  If file is a single -
	      character, then the lines are read from standard input.
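       The -f substitution above is purely textual: a line that contains filter metacharacters
       (*, (, ), \) changes the structure of the resulting filter instead of being matched
       literally.  The following added example, which is not part of this man page or of
       OpenLDAP, reproduces the first-%s replacement, applies the RFC 2254 value escaping a caller
       should perform on each line before it reaches the pattern, and checks that the result is
       still a single filter expression; expand_pattern and is_single_filter are the example's own
       names, and the sample lines are constructed.

```python
# RFC 2254 section 4: characters with structural meaning in a filter and the
# "\HH" escapes that make them literal inside an assertion value.
_ESCAPES = {"*": r"\2a", "(": r"\28", ")": r"\29", "\\": r"\5c", "\0": r"\00"}


def escape_filter_value(value):
    """Escape one assertion value so it matches literally and cannot alter filter structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def expand_pattern(pattern, line, escape=True):
    """Mimic the -f substitution: replace the first %s in pattern with one input line.

    ldapsearch does a plain textual replacement, so escaping is the caller's job;
    escape=True applies the RFC 2254 escaping before substituting.
    """
    value = escape_filter_value(line) if escape else line
    return pattern.replace("%s", value, 1)


def is_single_filter(filt):
    """True if filt is exactly one parenthesised filter expression.

    Unescaped parentheses are always structural (the only escape form is \\HH), so a
    depth count that reaches zero before the last character means the substituted
    line closed the filter early and something else follows it.
    """
    if not filt.startswith("("):
        return False
    depth = 0
    for i, ch in enumerate(filt):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0 or (depth == 0 and i != len(filt) - 1):
                return False
    return depth == 0


if __name__ == "__main__":
    # Constructed sample lines, as they might appear in a -f file.
    for line in ["Smith", "Sm*", "Smith)(cn=*"]:
        for esc in (False, True):
            filt = expand_pattern("(sn=%s)", line, esc)
            print("escape=%-5s %-14r -> %-26s single=%s" % (esc, line, filt, is_single_filter(filt)))
```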

       -x     Use simple authentication instead of SASL.

       -D binddn
	      Use the Distinguished Name binddn to bind to the LDAP directory.

       -W     Prompt for simple authentication.  This is used instead of specifying the  password
	      on the command line.

       -w passwd
	      Use passwd as the password for simple authentication.

       -y passwdfile
	      Use complete contents of passwdfile as the password for simple authentication.

       -H ldapuri
	      Specify URI(s) referring to the ldap server(s).

       -h ldaphost
	      Specify an alternate host on which the ldap server is running.  Deprecated in favor
	      of -H.

       -p ldapport
	      Specify an alternate TCP port where the ldap server is  listening.   Deprecated  in
	      favor of -H.

       -b searchbase
	      Use searchbase as the starting point for the search instead of the default.

       -s base|one|sub
	      Specify  the  scope  of the search to be one of base, one, or sub to specify a base
	      object, one-level, or subtree search.  The default is sub.

       -a never|always|search|find
              Specify how alias dereferencing is done.  Should be one of never, always, search,
              or find to specify that aliases are never dereferenced, always dereferenced, deref-
              erenced when searching, or dereferenced only when locating the base object for the
              search.  The default is to never dereference aliases.

       -P 2|3 Specify the LDAP protocol version to use.

       -l timelimit
              Wait at most timelimit seconds for a search to complete.  A timelimit of 0 (zero)
              removes the ldap.conf limit.  A server may impose a maximal timelimit which only
              the root user may override.

       -z sizelimit
              Retrieve at most sizelimit entries for a search.  A sizelimit of 0 (zero) removes
              the ldap.conf limit.  A server may impose a maximal sizelimit which only the root
              user may override.

       -O security-properties
	      Specify SASL security properties.

       -I     Enable SASL Interactive mode.  Always prompt.  Default is to prompt only as needed.

       -Q     Enable SASL Quiet mode.  Never prompt.

       -U authcid
              Specify the authentication ID for SASL bind.  The form of the ID depends on the
              actual SASL mechanism used.

       -R realm
	      Specify the realm of authentication ID for SASL bind. The form of the realm depends
	      on the actual SASL mechanism used.

       -X authzid
	      Specify  the proxy authorization ID for SASL bind.  authzid must be one of the fol-
	      lowing formats: dn:<distinguished name> or u:<username>

       -Y mech
	      Specify the SASL mechanism to be used for authentication. If  it's  not  specified,
	      the program will choose the best mechanism the server knows.

       -Z[Z]  Issue  StartTLS  (Transport Layer Security) extended operation. If you use -ZZ, the
	      command will require the operation to be successful.

OUTPUT FORMAT
       If one or more entries are found, each entry is written to standard output in LDAP Data
       Interchange Format or ldif(5):

	    version: 1

	    # bjensen, example, net
	    dn: uid=bjensen,dc=example,dc=net
	    objectClass: person
	    objectClass: dcObject
	    uid: bjensen
	    cn: Barbara Jensen
	    sn: Jensen

       If the -t option is used, the URI of a temporary file is used in place of the actual
       value.  If the -A option is given, only the "attributename" part is written.

EXAMPLES
       The following command:

	   ldapsearch -LLL "(sn=smith)" cn sn telephoneNumber

       will perform a subtree search (using the default search base defined in ldap.conf(5)) for
       entries with a surname (sn) of smith.  The common name (cn), surname (sn) and
       telephoneNumber values will be retrieved and printed to standard output.  The output might
       look something like this if two entries are found:

	    dn: uid=jts,dc=example,dc=com
	    cn: John Smith
	    cn: John T. Smith
	    sn: Smith
	    sn;lang-en: Smith
	    sn;lang-de: Schmidt
	    telephoneNumber: 1 555 123-4567

	    dn: uid=sss,dc=example,dc=com
	    cn: Steve Smith
	    cn: Steve S. Smith
	    sn: Smith
	    sn;lang-en: Smith
	    sn;lang-de: Schmidt
	    telephoneNumber: 1 555 765-4321

       The command:

	   ldapsearch -LLL -u -t "(uid=xyz)" jpegPhoto audio

       will  perform  a  subtree search using the default search base for entries with user id of
       "xyz".  The user friendly form of the entry's DN will be output after the line  that  con-
       tains  the  DN itself, and the jpegPhoto and audio values will be retrieved and written to
       temporary files.  The output might look like this if one entry with one value for each  of
       the requested attributes is found:

	   dn: uid=xyz,dc=example,dc=com
	   ufn: xyz, example, com
	   audio:< file:///tmp/ldapsearch-audio-a19924
	   jpegPhoto:< file:///tmp/ldapsearch-jpegPhoto-a19924

       This command:

	   ldapsearch -LLL -s one -b "c=US" "(o=University*)" o description

       will perform a one-level search at the c=US level for all entries whose organization name
       (o) begins with University.  The organization name and description attribute values
       will be retrieved and printed to standard output, resulting in output similar to this:

	   dn: o=University of Alaska Fairbanks,c=US
	   o: University of Alaska Fairbanks
	   description: Preparing Alaska for a brave new yesterday
	   description: leaf node only

	   dn: o=University of Colorado at Boulder,c=US
	   o: University of Colorado at Boulder
	   description: No personnel information
	   description: Institution of education and research

	   dn: o=University of Colorado at Denver,c=US
	   o: University of Colorado at Denver
	   o: UCD
	   o: CU/Denver
	   o: CU-Denver
	   description: Institute for Higher Learning and Research

	   dn: o=University of Florida,c=US
	   o: University of Florida
	   o: UFl
	   description: Warper of young minds
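       Anything that consumes the LDIF shown in the output-format section and the examples above
       has to handle every value form ldapsearch emits: plain "attr: value" lines, attribute
       options such as sn;lang-de, "attr:: base64" values, the "attr:< URL" references written
       by -t, folded continuation lines, comments and the version line.  The following added
       example, which is not from this man page or from the OpenLDAP sources, parses such output
       into one dictionary per entry; the sample output it embeds is constructed.

```python
import base64
import re
# Constructed sample of ldapsearch -LL output (comments disabled) covering each value form
# the tool emits: plain text, a folded line, base64 ("::"), an attribute option, a -t file URI.
SAMPLE = """version: 1

dn: uid=jts,dc=example,dc=com
cn: John Smith
cn: John T. Smith
sn;lang-de: Schmidt
description:: SGVsbG8sIFdvcmxk
jpegPhoto:< file:///tmp/ldapsearch-jpegPhoto-a19924
telephoneNumber: 1 555 123-456
 7

dn: uid=sss,dc=example,dc=com
"""

# attribute description (type plus optional ";option"s), then one of "::", ":<" or ":"
_LINE = re.compile(r"^([A-Za-z][\w.-]*(?:;[\w-]+)*)(::|:<|:) ?(.*)$")

def unfold(text):
    """Undo LDIF folding: a newline followed by a single space continues the previous line."""
    return re.sub(r"\n ", "", text).splitlines()

def parse_ldif(text):
    """Return a list of entries, each {attribute description: [(kind, value), ...]}, where kind
    is "text", "base64" (decoded to bytes, for "::") or "url" (for ":<", e.g. the -t temp files)."""
    entries, current = [], {}
    for line in unfold(text):
        if line.startswith("#") or line.startswith("version:"):
            continue  # comment (suppressed by -LL) or LDIF version line (suppressed by -LLL)
        if line == "":  # a blank line terminates the current entry
            if current:
                entries.append(current)
            current = {}
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError("malformed LDIF line: %r" % line)
        attr, sep, val = m.groups()
        if sep == "::":
            value = ("base64", base64.b64decode(val))
        else:
            value = ("url" if sep == ":<" else "text", val)
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries
```

       Values are kept as (kind, value) pairs so a caller can tell a decoded binary value or a
       temporary-file reference apart from ordinary text before deciding how to treat it.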


DIAGNOSTICS
       Exit status is zero if no errors occur.  Errors result in a non-zero exit status and a
       diagnostic message being written to standard error.

SEE ALSO
       ldapadd(1), ldapdelete(1), ldapmodify(1), ldapmodrdn(1), ldap.conf(5), ldif(5), ldap(3),

AUTHOR
       The OpenLDAP Project <http://www.openldap.org/>

ACKNOWLEDGEMENTS
       OpenLDAP is developed and maintained by The OpenLDAP Project (http://www.openldap.org/).
       OpenLDAP is derived from University of Michigan LDAP 3.3 Release.
