version 4, including all changes.
.
Rev |
Author |
# |
Line |
1 |
perry |
1 |
LDAPSEARCH |
|
|
2 |
!!!LDAPSEARCH |
|
|
3 |
NAME |
|
|
4 |
SYNOPSIS |
|
|
5 |
DESCRIPTION |
|
|
6 |
OPTIONS |
|
|
7 |
OUTPUT FORMAT |
|
|
8 |
EXAMPLE |
|
|
9 |
DIAGNOSTICS |
|
|
10 |
SEE ALSO |
|
|
11 |
AUTHOR |
|
|
12 |
ACKNOWLEDGEMENTS |
|
|
13 |
---- |
|
|
14 |
!!NAME |
|
|
15 |
|
|
|
16 |
|
|
|
17 |
ldapsearch - LDAP search tool |
|
|
18 |
!!SYNOPSIS |
|
|
19 |
|
|
|
20 |
|
|
|
21 |
__ldapsearch__ [[__-n__] [[__-u__] [[__-v__] |
|
|
22 |
[[__-k__] [[__-K__] [[__-t__] [[__-A__] [[__-C__] |
|
|
23 |
[[__-L[[L[[L]]__] [[__-M[[M]__] [[__-d__ |
|
|
24 |
''debuglevel''] [[__-f__ ''file''] [[__-D__ |
|
|
25 |
''binddn''] [[__-W__] [[__-w__ ''bindpasswd''] |
|
|
26 |
[[__-H__ ''ldapuri''] [[__-h__ ''ldaphost''] |
|
|
27 |
[[__-p__ ''ldapport''] [[__-P__ ''2''|''3''] |
|
|
28 |
[[__-b__ ''searchbase''] [[__-s__ |
|
|
29 |
''base''|''one''|''sub''] [[__-a__ |
|
|
30 |
''never''|''always''|''search''|''find''] |
|
|
31 |
[[__-l__ ''timelimit''] [[__-z__ ''sizelimit''] |
|
|
32 |
[[__-O__ security-properties__]__ [[__-I__] |
|
|
33 |
[[__-Q__] [[__-U__ ''authcid''] [[__-x__] |
|
|
34 |
[[__-X__ ''authzid''] [[__-Y__ ''mech''] |
|
|
35 |
[[__-Z[[Z]__] ''filter'' [[''attrs...''] |
|
|
36 |
!!DESCRIPTION |
|
|
37 |
|
|
|
38 |
|
|
|
39 |
''ldapsearch'' is a shell-accessible interface to the |
4 |
perry |
40 |
ldap_search(3) library call. |
1 |
perry |
41 |
|
|
|
42 |
|
|
|
43 |
__ldapsearch__ opens a connection to an LDAP server, |
|
|
44 |
binds, and performs a search using specified parameters. The |
|
|
45 |
''filter'' should conform to the string representation |
|
|
46 |
for search filters as defined in RFC 2254. If not provided, |
|
|
47 |
the default filter, (objectClass=*), is used. |
|
|
48 |
|
|
|
49 |
|
|
|
50 |
If __ldapsearch finds one or more entries, the attributes |
|
|
51 |
specified by__ ''attrs'' are returned. If * is listed, |
|
|
52 |
all user attributes are returned. If + is listed, all |
|
|
53 |
operational attributes are returned. If no ''attrs'' are |
|
|
54 |
listed, all attributes are returned. If only 1.1 is listed, |
|
|
55 |
no attributes will be returned. |
|
|
56 |
!!OPTIONS |
|
|
57 |
|
|
|
58 |
|
|
|
59 |
__-n__ |
|
|
60 |
|
|
|
61 |
|
|
|
62 |
Show what would be done, but don't actually perform the |
|
|
63 |
search. Useful for debugging in conjunction with |
|
|
64 |
-v. |
|
|
65 |
|
|
|
66 |
|
|
|
67 |
__-u__ |
|
|
68 |
|
|
|
69 |
|
|
|
70 |
Include the User Friendly Name form of the Distinguished |
|
|
71 |
Name (DN) in the output. |
|
|
72 |
|
|
|
73 |
|
|
|
74 |
__-v__ |
|
|
75 |
|
|
|
76 |
|
|
|
77 |
Run in verbose mode, with many diagnostics written to |
|
|
78 |
standard output. |
|
|
79 |
|
|
|
80 |
|
|
|
81 |
__-k__ |
|
|
82 |
|
|
|
83 |
|
|
|
84 |
Use Kerberos IV authentication instead of simple |
|
|
85 |
authentication. It is assumed that you already have a valid |
|
|
86 |
ticket granting ticket. __ldapsearch__ must be compiled |
|
|
87 |
with Kerberos support for this option to have any |
|
|
88 |
effect. |
|
|
89 |
|
|
|
90 |
|
|
|
91 |
__-K__ |
|
|
92 |
|
|
|
93 |
|
|
|
94 |
Same as -k, but only does step 1 of the Kerberos IV bind. |
|
|
95 |
This is useful when connecting to a slapd and there is no |
|
|
96 |
x500dsa.hostname principal registered with your Kerberos |
|
|
97 |
Domain Controller(s). |
|
|
98 |
|
|
|
99 |
|
|
|
100 |
__-t__ |
|
|
101 |
|
|
|
102 |
|
|
|
103 |
Write retrieved values to a set of temporary files. This is |
|
|
104 |
useful for dealing with non-ASCII values such as jpegPhoto |
|
|
105 |
or audio. |
|
|
106 |
|
|
|
107 |
|
|
|
108 |
__-A__ |
|
|
109 |
|
|
|
110 |
|
|
|
111 |
Retrieve attributes only (no values). This is useful when |
|
|
112 |
you just want to see if an attribute is present in an entry |
|
|
113 |
and are not interested in the specific values. |
|
|
114 |
|
|
|
115 |
|
|
|
116 |
__-L__ |
|
|
117 |
|
|
|
118 |
|
|
|
119 |
Search results are display in LDAP Data Interchange Format |
|
|
120 |
detailed in ldif(5). A single -L restricts the output |
|
|
121 |
to LDIFv1. A second -L disables comments. A third -L |
|
|
122 |
disables printing of the LDIF version. The default is to use |
|
|
123 |
an extended version of LDIF. |
|
|
124 |
|
|
|
125 |
|
|
|
126 |
__-M[[M]__ |
|
|
127 |
|
|
|
128 |
|
|
|
129 |
Enable manage DSA IT control. __-MM__ makes control |
|
|
130 |
critical. |
|
|
131 |
|
|
|
132 |
|
|
|
133 |
__-C__ |
|
|
134 |
|
|
|
135 |
|
|
|
136 |
Automatically chase referrals. |
|
|
137 |
|
|
|
138 |
|
|
|
139 |
__-S__ ''attribute'' |
|
|
140 |
|
|
|
141 |
|
|
|
142 |
Sort the entries returned based on ''attribute''. The |
|
|
143 |
default is not to sort entries returned. If ''attribute'' |
|
|
144 |
is a zero-length string ( |
|
|
145 |
''ldap_sort__(3) for more details. Note that |
|
|
146 |
__ldapsearch__ normally prints out entries as it receives |
|
|
147 |
them. The use of the __-S__ option defeats this behavior, |
|
|
148 |
causing all entries to be retrieved, then sorted, then |
|
|
149 |
printed. |
|
|
150 |
|
|
|
151 |
|
|
|
152 |
__-d__ ''debuglevel'' |
|
|
153 |
|
|
|
154 |
|
|
|
155 |
Set the LDAP debugging level to ''debuglevel''. |
|
|
156 |
__ldapsearch__ must be compiled with LDAP_DEBUG defined |
|
|
157 |
for this option to have any effect. |
|
|
158 |
|
|
|
159 |
|
|
|
160 |
__-f__ ''file'' |
|
|
161 |
|
|
|
162 |
|
|
|
163 |
Read a series of lines from ''file'', performing one LDAP |
|
|
164 |
search for each line. In this case, the ''filter'' given |
|
|
165 |
on the command line is treated as a pattern where the first |
|
|
166 |
occurrence of __%s__ is replaced with a line from |
|
|
167 |
''file''. If ''file'' is a single ''-'' character, |
|
|
168 |
then the lines are read from standard input. |
|
|
169 |
|
|
|
170 |
|
|
|
171 |
__-x__ |
|
|
172 |
|
|
|
173 |
|
|
|
174 |
Use simple authentication instead of SASL. |
|
|
175 |
|
|
|
176 |
|
|
|
177 |
__-D__ ''binddn'' |
|
|
178 |
|
|
|
179 |
|
|
|
180 |
Use the Distinguished Name ''binddn'' to bind to the LDAP |
|
|
181 |
directory. |
|
|
182 |
|
|
|
183 |
|
|
|
184 |
__-W__ |
|
|
185 |
|
|
|
186 |
|
|
|
187 |
Prompt for simple authentication. This is used instead of |
|
|
188 |
specifying the password on the command line. |
|
|
189 |
|
|
|
190 |
|
|
|
191 |
__-w__ ''bindpasswd'' |
|
|
192 |
|
|
|
193 |
|
|
|
194 |
Use ''bindpasswd'' as the password for simple |
|
|
195 |
authentication. |
|
|
196 |
|
|
|
197 |
|
|
|
198 |
__-H__ ''ldapuri'' |
|
|
199 |
|
|
|
200 |
|
|
|
201 |
Specify URI(s) referring to the ldap server(s). |
|
|
202 |
|
|
|
203 |
|
|
|
204 |
__-h__ ''ldaphost'' |
|
|
205 |
|
|
|
206 |
|
|
|
207 |
Specify an alternate host on which the ldap server is |
|
|
208 |
running. Deprecated in favor of -H. |
|
|
209 |
|
|
|
210 |
|
|
|
211 |
__-p__ ''ldapport'' |
|
|
212 |
|
|
|
213 |
|
|
|
214 |
Specify an alternate TCP port where the ldap server is |
|
|
215 |
listening. Deprecated in favor of -H. |
|
|
216 |
|
|
|
217 |
|
|
|
218 |
__-b__ ''searchbase'' |
|
|
219 |
|
|
|
220 |
|
|
|
221 |
Use ''searchbase'' as the starting point for the search |
|
|
222 |
instead of the default. |
|
|
223 |
|
|
|
224 |
|
|
|
225 |
__-s__ ''base''|''one''|''sub'' |
|
|
226 |
|
|
|
227 |
|
|
|
228 |
Specify the scope of the search to be one of ''base'', |
|
|
229 |
''one'', or ''sub'' to specify a base object, |
|
|
230 |
one-level, or subtree search. The default is |
|
|
231 |
''sub''. |
|
|
232 |
|
|
|
233 |
|
|
|
234 |
__-a__ |
|
|
235 |
''never''|''always''|''search''|''find'' |
|
|
236 |
|
|
|
237 |
|
|
|
238 |
Specify how aliases dereferencing is done. Should be one of |
|
|
239 |
''never'', ''always'', ''search'', or ''find'' |
|
|
240 |
to specify that aliases are never dereferenced, always |
|
|
241 |
dereferenced, dereferenced when searching, or dereferenced |
|
|
242 |
only when locating the base object for the search. The |
|
|
243 |
default is to never dereference aliases. |
|
|
244 |
|
|
|
245 |
|
|
|
246 |
__-P__ ''2''|''3'' |
|
|
247 |
|
|
|
248 |
|
|
|
249 |
Specify the LDAP protocol version to use. |
|
|
250 |
|
|
|
251 |
|
|
|
252 |
__-l__ ''timelimit'' |
|
|
253 |
|
|
|
254 |
|
|
|
255 |
wait at most ''timelimit'' seconds for a search to |
|
|
256 |
complete. A timelimit of ''0'' (zero) removes the |
|
|
257 |
__ldap.conf__ limit. A server may impose a maximal |
|
|
258 |
timelimit which only the root user may |
|
|
259 |
override. |
|
|
260 |
|
|
|
261 |
|
|
|
262 |
__-z__ ''sizelimit'' |
|
|
263 |
|
|
|
264 |
|
|
|
265 |
retrieve at most ''sizelimit'' entries for a search. A |
|
|
266 |
sizelimit of ''0'' (zero) removes the __ldap.conf__ |
|
|
267 |
limit. A server may impose a maximal sizelimit which only |
|
|
268 |
the root user may override. |
|
|
269 |
|
|
|
270 |
|
|
|
271 |
__-O__ ''security-properties'' |
|
|
272 |
|
|
|
273 |
|
|
|
274 |
Specify SASL security properties. |
|
|
275 |
|
|
|
276 |
|
|
|
277 |
__-I__ |
|
|
278 |
|
|
|
279 |
|
|
|
280 |
Enable SASL Interactive mode. Always prompt. Default is to |
|
|
281 |
prompt only as needed. |
|
|
282 |
|
|
|
283 |
|
|
|
284 |
__-Q__ |
|
|
285 |
|
|
|
286 |
|
|
|
287 |
Enable SASL Quiet mode. Never prompt. |
|
|
288 |
|
|
|
289 |
|
|
|
290 |
__-U__ ''authcid'' |
|
|
291 |
|
|
|
292 |
|
|
|
293 |
Specify the authentication ID for SASL bind. The form of the |
|
|
294 |
ID depends on the actual SASL mechanism used. |
|
|
295 |
|
|
|
296 |
|
|
|
297 |
__-X__ ''authzid'' |
|
|
298 |
|
|
|
299 |
|
|
|
300 |
Specify the requested authorization ID for SASL bind. |
|
|
301 |
''authzid'' must be one of the following formats: |
|
|
302 |
__dn:__'''' or |
|
|
303 |
__u:__'''' |
|
|
304 |
|
|
|
305 |
|
|
|
306 |
__-Y__ ''mech'' |
|
|
307 |
|
|
|
308 |
|
|
|
309 |
Specify the SASL mechanism to be used for authentication. If |
|
|
310 |
it's not specified, the program will choose the best |
|
|
311 |
mechanism the server knows. |
|
|
312 |
|
|
|
313 |
|
|
|
314 |
__-Z[[Z]__ |
|
|
315 |
|
|
|
316 |
|
|
|
317 |
Issue StartTLS (Transport Layer Security) extended |
|
|
318 |
operation. If you use __-ZZ__, the command will require |
|
|
319 |
the operation to be successful. |
|
|
320 |
!!OUTPUT FORMAT |
|
|
321 |
|
|
|
322 |
|
|
|
323 |
If one or more entries are found, each entry is written to |
|
|
324 |
standard output in LDAP Data Interchange Format or |
|
|
325 |
ldif(5): |
|
|
326 |
|
|
|
327 |
|
|
|
328 |
version: 1 |
|
|
329 |
# bjensen, example, net |
|
|
330 |
dn: uid=bjensen, dc=example, dc=net |
|
|
331 |
objectClass: person |
|
|
332 |
objectClass: dcObject |
|
|
333 |
uid: bjensen |
|
|
334 |
cn: Barbara Jensen |
|
|
335 |
sn: Jensen |
|
|
336 |
... |
|
|
337 |
If the -t option is used, the URI of a temporary file is used in place of the actual value. If the -A option is given, only the |
|
|
338 |
!!EXAMPLE |
|
|
339 |
|
|
|
340 |
|
|
|
341 |
The following command: |
|
|
342 |
|
|
|
343 |
|
|
|
344 |
ldapsearch -LLL |
4 |
perry |
345 |
will perform a subtree search (using the default search base defined in ldap.conf(5)) for entries with a surname (sn) of smith. The common name (cn), surname (sn) and telephoneNumber values will be retrieved and printed to standard output. The output might look something like this if two entries are found: |
1 |
perry |
346 |
|
|
|
347 |
|
|
|
348 |
dn: uid=jts, dc=example, dc=com |
|
|
349 |
cn: John Smith |
|
|
350 |
cn: John T. Smith |
|
|
351 |
sn: Smith |
|
|
352 |
sn;lang-en: Smith |
|
|
353 |
sn;lang-de: Schmidt |
|
|
354 |
telephoneNumber: 1 555 123-4567 |
|
|
355 |
dn: uid=sss, dc=example, dc=com |
|
|
356 |
cn: Steve Smith |
|
|
357 |
cn: Steve S. Smith |
|
|
358 |
sn: Smith |
|
|
359 |
sn;lang-en: Smith |
|
|
360 |
sn;lang-de: Schmidt |
|
|
361 |
telephoneNumber: 1 555 765-4321 |
|
|
362 |
The command: |
|
|
363 |
|
|
|
364 |
|
|
|
365 |
ldapsearch -LLL -u -t |
|
|
366 |
will perform a subtree search using the default search base for entries with user id of |
|
|
367 |
|
|
|
368 |
|
|
|
369 |
dn: uid=xyz, dc=example, dc=com |
|
|
370 |
ufn: xyz, example, com |
|
|
371 |
audio: |
|
|
372 |
This command: |
|
|
373 |
|
|
|
374 |
|
|
|
375 |
ldapsearch -LLL -s one -b |
|
|
376 |
will perform a one-level search at the c=US level for all entries whose organization name (o) begins begins with __University__. The organization name and description attribute values will be retrieved and printed to standard output, resulting in output similar to this: |
|
|
377 |
|
|
|
378 |
|
|
|
379 |
dn: o=University of Alaska Fairbanks, c=US |
|
|
380 |
o: University of Alaska Fairbanks |
|
|
381 |
description: Preparing Alaska for a brave new yesterday |
|
|
382 |
description: leaf node only |
|
|
383 |
dn: o=University of Colorado at Boulder, c=US |
|
|
384 |
o: University of Colorado at Boulder |
|
|
385 |
description: No personnel information |
|
|
386 |
description: Institution of education and research |
|
|
387 |
dn: o=University of Colorado at Denver, c=US |
|
|
388 |
o: University of Colorado at Denver |
|
|
389 |
o: UCD |
|
|
390 |
o: CU/Denver |
|
|
391 |
o: CU-Denver |
|
|
392 |
description: Institute for Higher Learning and Research |
|
|
393 |
dn: o=University of Florida, c=US |
|
|
394 |
o: University of Florida |
|
|
395 |
o: UFl |
|
|
396 |
description: Warper of young minds |
|
|
397 |
etc.... |
|
|
398 |
!!DIAGNOSTICS |
|
|
399 |
|
|
|
400 |
|
|
|
401 |
Exit status is zero if no errors occur. Errors result in a |
|
|
402 |
non-zero exit status and a diagnostic message being written |
|
|
403 |
to standard error. |
|
|
404 |
!!SEE ALSO |
|
|
405 |
|
|
|
406 |
|
|
|
407 |
ldapadd(1), ldapdelete(1), |
|
|
408 |
ldapmodify(1), ldapmodrdn(1), |
4 |
perry |
409 |
ldap.conf(5), ldif(5), ldap(3), |
|
|
410 |
ldap_search(3) |
1 |
perry |
411 |
!!AUTHOR |
|
|
412 |
|
|
|
413 |
|
|
|
414 |
The OpenLDAP Project |
|
|
415 |
!!ACKNOWLEDGEMENTS |
|
|
416 |
|
|
|
417 |
|
|
|
418 |
__OpenLDAP__ is developed and maintained by The OpenLDAP |
|
|
419 |
Project (http://www.openldap.org/). __OpenLDAP__ is |
|
|
420 |
derived from University of Michigan LDAP 3.3 |
|
|
421 |
Release. |
|
|
422 |
---- |