ldaplist(1) User Commands ldaplist(1)
ldaplist - search and list naming information from an LDAP directory using the configured
/usr/bin/ldaplist [-dlv] [-h LDAP_server[:serverPort] [-M domainName]
[-N profileName] [-a authenticationMethod] [-P certifPath]
[-D bindDN] [-w bindPassword] [-j passwdFile]]
If the -h LDAP_server[:serverPort] option is specified, ldaplist establishes a connection
to the server pointed to by the option to obtain a DUAProfile specified by the -N option.
Then ldaplist lists the information from the directory described by the configuration
By default (if the -h LDAP_server[:serverPort] option is not specified), the utility
searches for and lists the naming information from the LDAP directory service defined in
the LDAP configuration files generated byldapclient(1M) during the client initialization
phase. To use the utility in the default mode, the Solaris LDAP client must be set up in
The database is either a container name or a database name as defined in nsswitch.conf(4).
A container is a non-leaf entry in the Directory Information Tree (DIT) that contains nam-
ing service information. The container name is the LDAP Relative Distinguished Name (RDN)
of the container relative to the defaultSearchBase as defined in the configuration files.
For example, for a container named ou=people, the database name is the database specified
in nsswitch.conf. This database is mapped to a container, for example, passwd maps to
ou=people. If an invalid database is specified, it is mapped to a generic container, for
The key is the attribute value to be searched in the database. You can specify more than
one key to be searched in the same database. The key can be specified in either of two
forms: attribute=value or value. In the first case, ldaplist passes the search key to the
server. In the latter case, an attribute is assigned depending on how the database is
specified. If the database is a container name, then the "cn" attribute type is used. If
the database is a valid database name as defined in the nsswitch.conf, then a predefined
attribute type is used (see table below). If the database is an invalid database name,
then cn is used as the attribute type.
The ldaplist utility relies on the Schema defined in the RFC 2307bis, currently an IETF
draft. The data stored on the LDAP server must be stored based on this Schema, unless the
profile contains schema mapping definitions. For more information on schema mapping see
ldapclient(1M). The following table lists the default mapping from the database names to
the container, the LDAP object class, and the attribute type used if not defined in the
Database Object Class Attribute Type Container
aliases mailGroup cn ou=Aliases
automount nisObject cn automountMapName=auto_*
bootparams bootableDevice cn ou=Ethers
ethers ieee802Device cn ou=Ethers
group posixgroup cn ou=Group
hosts ipHost cn ou=Hosts
ipnodes ipHost cn ou=Hosts
netgroup ipNetgroup cn ou=Netgroup
netmasks ipNetwork ipnetworknumber ou=Networks
networks ipNetwork ipnetworknumber ou=Networks
passwd posixAccount uid ou=People
protocols ipProtocol cn ou=Protocols
publickey nisKeyObject uidnumber ou=People
rpc oncRpc cn ou=Rpc
services ipService cn ou=Services
printers printerService printer-uri ou=printers
auth_attr SolarisAuthAttr nameT ou=SolarisAuthAttr
prof_attr SolarisProfAttr nameT ou=SolarisProfAttr
exec_attr SolarisExecAttr nameT ou=SolarisProfAttr
user_attr SolarisUserAttr uidT ou=people
audit_user SolarisAuditUser uidT ou=people
projects SolarisProject SolarisProjectID ou=projects
The following databases are available only if the system is configured with Trusted Exten-
tnrhtp ipTnetTemplate ipTnetTemplateName ou=ipTnet
tnrhdb ipTnetHost ipTnetNumber ou=ipTnet
o For the automount database, auto_*, in the container column, represents
auto_home, auto_direct, ...
o For the publickey database, if the key starts with a digit, it is interpreted
as an uid number. If the key starts with a non-digit, it is interpreted as a
The ldaplist utility supports substring search by using the wildcard "*" in the key. For
example, "my*" matches any strings that starts with "my". In some shell environments, keys
containing the wildcard might need to be quoted.
If the key is not specified, all the containers in the current search baseDN is listed.
The following options are supported:
Specifies the authentication method. The default value is what has been configured in
the profile. The supported authentication methods are:
Selecting simple causes passwords to be sent over the network in clear text. Its use
is strongly discouraged.
Additionally, if the client is configured with a profile which uses no authentication,
that is, either the credentialLevel attribute is set to anonymous or authentication-
Method is set to none, the user must use this option to provide an authentication
Lists the attributes for the specified database, rather than the entries. By default,
the entries are listed.
Specifies an entry which has read permission to the requested database.
Lists the database mapping.
Lists the database mapping.
This option has been deprecated.
Specifies an address (or a name) and a port of the LDAP server from which the entries
are read. The current naming service specified in the nsswitch.conf file is used. The
default value for the port is 389, unless when TLS is specified in the authentication
method. In this case, the default LDAP server port number is 636.
Specifies a file containing the password for the bind DN or the password for the SSL
client's key database. To protect the password, use this option in scripts and place
the password in a secure file.
This option is mutually exclusive of the -w option.
Lists all the attributes for each entry matching the search criteria. By default,
ldaplist lists only the Distinguished Name of the entries found.
Specifies the name of a domain served by the specified server. If this option is not
specified, the default domain name is used.
Specifies a DUAProfile name. A profile with such a name is supposed to exist on the
server specified by -H option. The default value is default.
Specifies the certificate path to the location of the certificate database. The value
is the path where security database files reside. This is used for TLS support, which
is specified in the authenticationMethod and serviceAuthenticationMethod attributes.
The default is /var/ldap.
Password to be used for authenticating the bindDN. If this parameter is missing, the
command prompts for a password. NULL passwords are not supported in LDAP.
When you use -w bind_password to specify the password to be used for authentication,
the password is visible to other users of the system by means of the ps command, in
script files or in shell history.
If the value of - is supplied as a password, the command prompts for a password.
Sets verbose mode. The ldaplist utility also prints the filter used to search for the
entry. The filter is prefixed with "+++".
Example 1 Listing All Entries in the Hosts Database
The following example lists all entries in the hosts database:
example% ldaplist hosts
Example 2 Listing All Entries in a Non-Standard Database ou=new
The following example lists all entries in a non-standard database:
example% ldaplist ou=new
Example 3 Finding user1 in the passwd Database
The following example finds user1 in the passwd database:
example% ldaplist passwd user1
Example 4 Finding the Entry With Service Port of 4045 in the services Database
The following example finds the entry with the service port of 4045 in the services data-
example% ldaplist services ipServicePort=4045
Example 5 Finding All Users With Username Starting with new in the passwd Database
The following example finds all users with the username starting with new in the passwd
example% ldaplist passwd 'new*'
Example 6 Listing the Attributes for the hosts Database
The following example lists the attributes for the hosts database:
example% ldaplist -d hosts
Example 7 Finding user1 in the passwd Database
The following example finds user1 in the passwd database. An LDAP server is specified
example% ldaplist -H 10.10.10.10:3890 \
-M another.domain.name -N special_duaprofile \
-D "cn=directory manager" -w secret \
The following exit values are returned:
0 Successfully matched some entries.
1 Successfully searched the table and no matches were found.
2 An error occurred. An error message is output.
/var/ldap/ldap_client_file Files that contain the LDAP configuration of the client. Do
/var/ldap/ldap_client_cred not manually modify these files. Their content is not guar-
anteed to be human readable. To update these files, use
See attributes(5) for descriptions of the following attributes:
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
|Availability |SUNWnisu |
|Interface Stability |Committed |
ldap(1), ldapadd(1), ldapdelete(1), ldapmodify(1), ldapmodrdn(1), ldapsearch(1), idscon-
fig(1M), ldap_cachemgr(1M), ldapaddent(1M), ldapclient(1M), suninstall(1M),
RFC 2307bis is an IETF informational document in draft stage that defines an approach for
using LDAP as a naming service.
Currently StartTLS is not supported by libldap.so.5, therefore the port number provided
refers to the port used during a TLS open, versus the port used as part of a StartTLS
sequence. For example, -h foo:1000 -a tls:simple, refers to a raw TLS open on host foo,
port 1000, not a open, StartTLS sequence on an unsecured port 1000. If port 1000 is unse-
cured the connection is not made.
SunOS 5.11 7 Jun 2008 ldaplist(1)