ldapsearch(1)			 User Commands			 ldapsearch(1)

       ldapsearch - ldap search	tool

       ldapsearch [-n] [-u] [-v] [-t] [-A] [-B] [-L] [-R] [-d debuglevel]
       [-F sep] [-f file] [-D binddn] [-w passwd] [-h ldaphost]
       [-M authentication] [-p ldapport] [-b searchbase] [-s scope]
       [-a deref] [-l timelimit] [-z sizelimit] filter [attrs ...]

       ldapsearch opens	a connection to	an LDAP	server,	binds, and performs  a
       search using the	filter filter.

       If  ldapsearch  finds  one or more entries, the attributes specified by
       attrs are retrieved and the entries and values are printed to  standard
       output.	If no attrs are	listed,	all attributes are returned.

   Output Format
       If  one	or  more  entries are found, each entry	is written to standard
       output in the form:

       Distinguished Name (DN)
	   User	Friendly Name (if the -u option	is used)

       Multiple	entries	are separated with a single blank line.	  If  the   -F
       option  is used to specify a different separator	character, this	 char-
       acter will be used  instead of the `=' character.  If the  -t option is
       used,  the  name	of a temporary file is returned	in place of the	actual
       value.  If the  -A option is given, only	 the  "attributename"  is  re-
       turned and not the attribute value.

       -A    Retrieve  attributes  only	 (no values).  This is useful when you
	     just want to see whether an attribute is present in an entry  and
	     are not interested	in the specific	value.

       -a deref
	     Specify how alias dereferencing is done. The possible values
	     for deref are never, always, search, or find to  specify  respec-
	     tively  that aliases are never dereferenced, always dereferenced,
	     dereferenced when searching, or dereferenced  only	 when  finding
	     the base object for the search.  The default is to	never derefer-
	     ence aliases.

       -B    Do	not suppress display of	non-ASCII values.  This	is useful when
	     dealing  with values that appear in alternate character sets such
	     as	ISO-8859.1.  This option is automatically set by  the  -L  op-

       -b searchbase
	     Use  searchbase  as  the starting point for the search instead of
	     the default.

       -D binddn
	     Use the distinguished name	binddn to bind to the directory.

       -d debuglevel
	     Set the LDAP debugging level.  Useful  levels  of	debugging  for
	     ldapsearch	are:

	     1	   Trace

	     2	   Packets

	     4	   Arguments

	     32	   Filters

	     128   Access control

	     To	 request  more than one	category of debugging information, add
	     the masks.	For example, to	request	trace and filter  information,
	     specify a debuglevel of 33.

       -F sep
	     Use sep as the field separator between attribute names and
	     values. The default separator is `='. If the -L option has been
	     specified, this option is ignored.

       -f file
	     Read  a series of lines from file,	performing one LDAP search for
	     each line.	 In this case, the filter given	on the command line is
	     treated as	a pattern where	the first occurrence of	%s is replaced
	     with a line from file.  If	file is	a single - character, then the
	     lines are read from standard input.

       -h ldaphost
	     Specify an	alternate host on which	the slapd server is running.

       -L    Display  search  results  in a modified format.  This option also
	     turns on the -B option, and causes	the -F option to be ignored.

       -l timelimit
	     Wait at most timelimit seconds for	a search to complete.

       -M authentication
	     Specifies the authentication mechanism used to bind to the	direc-

	     The default authentication method for ldapsearch is simple bind.
	     Simple bind sends the password to the server in the clear, so
	     the password is subject to snooping if the server is not local.
	     You must use special care when you use this command with the
	     default authentication method. If your server supports the
	     CRAM-MD5 challenge-response authentication method, you can
	     override the default authentication method by using the -M
	     option with CRAM-MD5 as the value for authentication.

	     The bind DN and bind password are mandatory with this option.

       -n    Show what would be	done, but do not actually perform the  search.
	     Useful in	conjunction with -v and	-d for debugging.

       -p ldapport
	     Specify  an  alternate TCP	port where the slapd server is listen-

       -R    Do	not automatically follow referrals returned while searching.

       -s scope
	     Specify the scope of the search. The possible values of scope are
	     base,  one,  or  sub  to specify respectively a base object, one-
	     level, or subtree search. The default is sub.

       -t    Write retrieved values to a set of	temporary files.  This is use-
	     ful for dealing with non-ASCII values such	as jpegPhoto or	audio.

       -u    Include  the user-friendly	form of	the Distinguished Name (DN) in
	     the output.

       -v    Run in verbose mode, with diagnostics written to standard output.

       -w passwd
	     Use passwd	as the password	for authentication to  the  directory.
	     When you use -w passwd to specify the password to be used for
	     authentication, the password is visible to other users of the
	     system by means of the ps command, in script files, or in shell
	     history. If you use the ldapsearch command without this option,
	     the command will prompt for the password and read it from
	     standard input. When used without the -w option, the password
	     will not be visible to other users.

       -z sizelimit
	     Retrieve at most sizelimit entries for a search.
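
Added example (not part of the original manual page): a check for the two exposures described under -M and -w above, run over ps-style command lines. The function name and the sample lines are constructed for illustration; only invocations that name a non-local host with -h are treated as remote.

```shell
# Constructed sample in the style of `ps -eo user,args` (not captured output).
SAMPLE_PS='alice ldapsearch -h ldap.example.com -D cn=admin,o=XYZ,c=US -w S3cret uid=mcs
bob ldapsearch -h ldap.example.com -M CRAM-MD5 -D cn=bob,o=XYZ,c=US uid=bob
carol ldapsearch -D cn=carol,o=XYZ,c=US cn=carol
dave vi notes-on-ldapsearch.txt'

# audit_ldapsearch (hypothetical helper): read "user command args..." lines on
# stdin and print one finding per risky ldapsearch invocation. The password
# value itself is never echoed.
audit_ldapsearch() {
    awk '
    $2 ~ /(^|\/)ldapsearch$/ {
        pw = 0; dn = 0; host = ""; mech = ""
        for (i = 3; i <= NF; i++) {
            if ($i !~ /^-/) break                 # first non-option word is the filter
            if ($i == "-w") { pw = 1; i++ }
            else if ($i == "-h") { host = $(i + 1); i++ }
            else if ($i == "-M") { mech = $(i + 1); i++ }
            else if ($i == "-D") { dn = 1; i++ }
            else if ($i ~ /^-[dFfbsalzp]$/) i++   # other options that take a value
        }
        if (pw)
            print $1 ": password on command line (-w), visible via ps"
        remote = (host != "" && host != "localhost" && host != "127.0.0.1")
        if (dn && remote && mech != "CRAM-MD5")
            print $1 ": simple bind to " host ", password sent in the clear"
    }'
}

printf '%s\n' "$SAMPLE_PS" | audit_ldapsearch
```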

       Example 1: Performing a Subtree Search

       The  following  command	performs  a  subtree search (using the default
       search base) for	entries	with a commonName of "mark smith".   The  com-
       monName	and  telephoneNumber  values  will be retrieved	and printed to
       standard	output.

       example%	ldapsearch "cn=mark smith" cn telephoneNumber

       The output looks	something like this:

       cn=Mark D Smith,	ou=Sales, ou=Atlanta, ou=People, o=XYZ,	c=US
       cn=Mark Smith
       cn=Mark David Smith
       cn=Mark D Smith 1
       cn=Mark D Smith
       telephoneNumber=+1 123 456-7890

       cn=Mark C Smith,	ou=Distribution, ou=Atlanta, ou=People,	o=XYZ, c=US
       cn=Mark Smith
       cn=Mark C Smith 1
       cn=Mark C Smith
       telephoneNumber=+1 123 456-9999

       Example 2: Performing a Subtree Search Using the	Default	Search Base

       The following command performs  a  subtree  search  using  the  default
       search  base for	entries	with user id of	"mcs".	The user-friendly form
       of the entry's DN will be output	after the line that  contains  the  DN
       itself,	and the	jpegPhoto and audio values will	be retrieved and writ-
       ten to temporary	files.

       example% ldapsearch -u -t "uid=mcs" jpegPhoto audio

       The output might	look like this if one entry with one value for each of
       the requested attributes	is found:

       cn=Mark C Smith,	ou=Distribution, ou=Atlanta, ou=People,	o=XYZ, c=US
       Mark C Smith, Distribution, Atlanta, People, XYZ, US

       Example 3: Performing a One Level Search

       The following command performs a	one-level search at the	c=US level for
       all organizations whose organizationName	begins with XY.

       example%	ldapsearch -L -s one -b	"c=US" "o=XY*" o description

       Search results are displayed in the LDIF	format.	 The  organizationName
       and description attribute values	will be	retrieved and printed to stan-
       dard output, resulting in output	similar	to this:

       dn: o=XYZ, c=US
       o: XYZ
       description: XYZ	Corporation

       dn: o="XY Trading Company", c=US
       o: XY Trading Company
       description: Import and export specialists

       dn: o=XYInternational, c=US
       o: XYInternational
       o: XYI
       o: XY International
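
Added example (not part of the original manual page): with the -f option each input line is substituted for %s in the filter pattern as-is, so a line containing filter metacharacters changes what the search matches. The sketch below escapes those characters as \XX hex pairs (RFC 4515) before the lines reach ldapsearch -f -; the function names and sample values are assumptions made for illustration.

```shell
# ldap_escape (hypothetical helper): read raw values, one per line, and write
# them with the characters that are special in an LDAP search filter replaced
# by \XX hex escapes. The backslash is handled first so that the escapes
# added by the later expressions are not escaped again.
ldap_escape() {
    sed -e 's/\\/\\5c/g' \
        -e 's/\*/\\2a/g' \
        -e 's/(/\\28/g' \
        -e 's/)/\\29/g'
}

# search_uids (hypothetical wrapper): escape each value on stdin, then let
# ldapsearch substitute it for %s in the pattern, one search per line.
search_uids() {
    ldap_escape | ldapsearch -f - "uid=%s" cn telephoneNumber
}

# Constructed input: an ordinary user id, a bare wildcard that would match
# every entry with a uid, and a value that tries to close the filter early.
SAMPLE_VALUES='mcs
*
mcs)(objectClass=*'

# Show what ldapsearch would receive on standard input.
printf '%s\n' "$SAMPLE_VALUES" | ldap_escape
```

Values are read line by line, so a NUL byte (which RFC 4515 also requires to be escaped) cannot occur in this input.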

       The following exit values are returned:

       0     Successful	completion.

       >0    An	error occurred.	A diagnostic message is	 written  to  standard

       See attributes(5) for a description of the following attributes:

       |      ATTRIBUTE	TYPE	     |	    ATTRIBUTE VALUE	   |
       |Availability		     |SUNWcsu			   |
       |Stability Level		     |Evolving			   |

       ldapadd(1), ldapdelete(1), ldapmodify(1), ldapmodrdn(1),	attributes(5)

SunOS 5.9			  30 Jan 2002			 ldapsearch(1)

