<?xml version="1.0" encoding="UTF-8"?>
<!--
  ! This work is licensed under the Creative Commons
  ! Attribution-NonCommercial-NoDerivs 3.0 Unported License.
  ! To view a copy of this license, visit
  ! or send a letter to Creative Commons, 444 Castro Street,
  ! Suite 900, Mountain View, California, 94041, USA.
  ! You can also obtain a copy of the license at
  ! See the License for the specific language governing permissions
  ! and limitations under the License.
  ! If applicable, add the following below this CCPL HEADER, with the fields
  ! enclosed by brackets "[]" replaced with your own identifying information:
  ! Portions Copyright [yyyy] [name of copyright owner]
  ! Copyright 2011-2015 ForgeRock AS.
-->
<refentry xml:id='ldapsearch-1' version='5.0' xml:lang='en'>
<info><copyright><year>2011-2015</year><holder>ForgeRock AS.</holder></copyright></info>
<refentrytitle>ldapsearch</refentrytitle><manvolnum>1</manvolnum>
<refmiscinfo class="software">OpenDJ</refmiscinfo>
<refmiscinfo class="version"><?eval ${docTargetVersion}?></refmiscinfo>
<refname>ldapsearch</refname>
<refpurpose>perform LDAP search operations</refpurpose>
<command>ldapsearch</command>
<arg choice="req">options</arg>
<arg choice="opt">filter</arg>
<arg choice="opt" rep="repeat">attributes</arg>
<title>Description</title>
<para>This utility can be used to perform LDAP search operations in the
<para>The following options are supported.</para>
<term><option>-a, --dereferencePolicy {dereferencePolicy}</option></term>
<para>Alias dereference policy ('never', 'always', 'search', or 'find')</para>
<para>Default value: never</para>
<term><option>-A, --typesOnly</option></term>
<para>Only retrieve attribute names but not their values</para>
<term><option>--assertionFilter {filter}</option></term>
<para>Use the LDAP assertion control with the provided filter</para>
<term><option>-b, --baseDN {baseDN}</option></term>
<para>Base DN format string</para>
<term><option>-c, --continueOnError</option></term>
<para>Continue processing even if there are errors</para>
<term><option>-C, --persistentSearch ps[:changetype[:changesonly[:entrychgcontrols]]]</option></term>
<para>Use the persistent search control</para>
<para>A persistent search allows the client to continue receiving new results
whenever changes are made to data that is in the scope of the search,
thus using the search as a form of change notification.</para>
<para>The optional <literal>changetype</literal> setting defines
the kinds of updates that result in notification.
By default the <literal>changetype</literal> is not set.</para>
<term><literal>add</literal></term>
<para>Send notifications for LDAP add operations.</para>
<term><literal>del</literal></term>
<term><literal>delete</literal></term>
<para>Send notifications for LDAP delete operations.</para>
<term><literal>mod</literal></term>
<term><literal>modify</literal></term>
<para>Send notifications for LDAP modify operations.</para>
<term><literal>moddn</literal></term>
<term><literal>modrdn</literal></term>
<term><literal>modifydn</literal></term>
<para>Send notifications for LDAP modify DN (rename and move) operations.</para>
<term><literal>all</literal></term>
<term><literal>any</literal></term>
<para>Send notifications for all LDAP update operations.</para>
<para>The optional <literal>changesonly</literal> setting defines
whether the server returns existing entries as well as changes.</para>
<term><literal>true</literal></term>
<para>Do not return existing entries,
but instead only notifications about changes.
This is the default setting.</para>
<term><literal>false</literal></term>
<para>Also return existing entries.</para>
<para>The optional <literal>entrychgcontrols</literal> setting defines
whether the server returns an Entry Change Notification control
with each entry notification.
The Entry Change Notification control provides additional information
about the change that caused the entry to be returned by the search.
In particular, it indicates the change type,
the change number if available,
and the previous DN if the change type was a modify DN operation.</para>
<term><literal>true</literal></term>
<para>Do request the Entry Change Notification control.
This is the default setting.</para>
<term><literal>false</literal></term>
<para>Do not request the Entry Change Notification control.</para>
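
The following Python sketch is an added example, not OpenDJ code. It parses the ps[:changetype[:changesonly[:entrychgcontrols]]] argument with the defaults given above and models which results a client would then receive. It assumes that an unset changetype matches every update; the function names, the sample entries and the change numbers are constructed for illustration.

```python
# Accepted changetype spellings from the list above; None means every update.
ALIASES = {"add": "add", "del": "delete", "delete": "delete", "mod": "modify",
           "modify": "modify", "moddn": "modifyDN", "modrdn": "modifyDN",
           "modifydn": "modifyDN", "all": None, "any": None}

def parse_ps(spec):
    """Parse ps[:changetype[:changesonly[:entrychgcontrols]]] into a dict."""
    parts = spec.split(":")
    if parts[0] != "ps" or len(parts) > 4:
        raise ValueError("expected ps[:changetype[:changesonly[:entrychgcontrols]]]")
    parts += [""] * (4 - len(parts))
    changetype = parts[1].lower()
    if changetype and changetype not in ALIASES:
        raise ValueError("unknown changetype: " + parts[1])

    def flag(text):  # changesonly and entrychgcontrols both default to true
        if text.lower() not in ("", "true", "false"):
            raise ValueError("expected true or false: " + text)
        return text.lower() != "false"

    return {"changetype": ALIASES.get(changetype),  # assumption: unset = all
            "changes_only": flag(parts[2]),
            "entry_change_controls": flag(parts[3])}

def deliver(spec, existing, changes):
    """Model the (dn, control) pairs a client would receive for this spec."""
    ps = parse_ps(spec)
    received = [] if ps["changes_only"] else [(dn, None) for dn in existing]
    for number, (kind, dn, previous_dn) in enumerate(changes, start=1):
        if ps["changetype"] not in (None, kind):
            continue
        control = None
        if ps["entry_change_controls"]:
            control = {"changeType": kind, "changeNumber": number}
            if kind == "modifyDN":
                control["previousDN"] = previous_dn
        received.append((dn, control))
    return received

# Constructed sample data: one entry already in scope, then three updates.
EXISTING = ["uid=bjensen,ou=People,dc=example,dc=com"]
CHANGES = [
    ("add", "uid=newuser,ou=People,dc=example,dc=com", None),
    ("modifyDN", "uid=bjones,ou=People,dc=example,dc=com", EXISTING[0]),
    ("delete", "uid=newuser,ou=People,dc=example,dc=com", None),
]
```
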
<term><option>--countEntries</option></term>
<para>Count the number of entries returned by the server</para>
<term><option>-e, --getEffectiveRightsAttribute {attribute}</option></term>
<para>Specifies geteffectiverights control specific attribute list</para>
<term><option>-f, --filename {file}</option></term>
<para>LDIF file containing the changes to apply</para>
<term><option>-g, --getEffectiveRightsAuthzid {authzID}</option></term>
<para>Use geteffectiverights control with the provided authzid</para>
<term><option>-G, --virtualListView {before:after:index:count | before:after:value}</option></term>
<para>Use the virtual list view control to retrieve the specified results page</para>
<term><option>-J, --control {controloid[:criticality[:value|::b64value|:&lt;filePath]]}</option></term>
<para>Use a request control with the provided information</para>
<para>For some <replaceable>controloid</replaceable> values,
you can replace object identifiers with user-friendly strings.
The strings are listed here in lower case, but the case is not important.
You can use camelCase if you prefer, for example.</para>
<term><literal>accountusable</literal></term>
<term><literal>accountusability</literal></term>
<para>Account Usability Control, Object Identifier: 1.3.6.1.4.1.42.2.27.9.5.8</para>
<term><literal>authzid</literal></term>
<term><literal>authorizationidentity</literal></term>
<para>Authorization Identity Request Control, Object Identifier: 2.16.840.1.113730.3.4.16</para>
<term><literal>effectiverights</literal></term>
<term><literal>geteffectiverights</literal></term>
<para>Get Effective Rights Request Control, Object Identifier: 1.3.6.1.4.1.42.2.27.9.5.2</para>
<term><literal>managedsait</literal></term>
<para>Manage DSAIT Request Control, Object Identifier: 2.16.840.1.113730.3.4.2</para>
<term><literal>noop</literal></term>
<term><literal>no-op</literal></term>
<para>No-Op Control, Object Identifier: 1.3.6.1.4.1.4203.1.10.2</para>
<term><literal>pwpolicy</literal></term>
<term><literal>passwordpolicy</literal></term>
<para>Password Policy Control, Object Identifier: 1.3.6.1.4.1.42.2.27.8.5.1</para>
<term><literal>realattrsonly</literal></term>
<term><literal>realattributesonly</literal></term>
<para>Real Attributes Only Request Control, Object Identifier: 2.16.840.1.113730.3.4.17</para>
<term><literal>subtreedelete</literal></term>
<term><literal>treedelete</literal></term>
<para>Subtree Delete Request Control, Object Identifier: 1.2.840.113556.1.4.805</para>
<term><literal>virtualattrsonly</literal></term>
<term><literal>virtualattributesonly</literal></term>
<para>Virtual Attributes Only Request Control, Object Identifier: 2.16.840.1.113730.3.4.19</para>
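
The following Python sketch is an added example, not OpenDJ code. It resolves a --control argument of the form controloid[:criticality[:value|::b64value|:<filePath]] to its object identifier using the names listed above, which is useful when reviewing scripts or logs for the controls a client requests. It assumes that criticality is written as true or false and is false when omitted; the function name and returned dictionary keys are illustrative.

```python
import base64

CONTROLS = {  # friendly names and OIDs exactly as listed above
    ("accountusable", "accountusability"): "1.3.6.1.4.1.42.2.27.9.5.8",
    ("authzid", "authorizationidentity"): "2.16.840.1.113730.3.4.16",
    ("effectiverights", "geteffectiverights"): "1.3.6.1.4.1.42.2.27.9.5.2",
    ("managedsait",): "2.16.840.1.113730.3.4.2",
    ("noop", "no-op"): "1.3.6.1.4.1.4203.1.10.2",
    ("pwpolicy", "passwordpolicy"): "1.3.6.1.4.1.42.2.27.8.5.1",
    ("realattrsonly", "realattributesonly"): "2.16.840.1.113730.3.4.17",
    ("subtreedelete", "treedelete"): "1.2.840.113556.1.4.805",
    ("virtualattrsonly", "virtualattributesonly"): "2.16.840.1.113730.3.4.19",
}
CONTROL_OIDS = {name: oid for names, oid in CONTROLS.items() for name in names}

def parse_control(spec):
    """Split controloid[:criticality[:value|::b64value|:<filePath]] into a dict."""
    name, _, rest = spec.partition(":")
    oid = CONTROL_OIDS.get(name.lower(), name)  # names are case-insensitive
    if not all(part.isdigit() for part in oid.split(".")):
        raise ValueError("not an OID or a known control name: " + name)
    criticality, has_value, raw = rest.partition(":")
    if criticality.lower() not in ("", "true", "false"):
        raise ValueError("criticality must be true or false: " + criticality)
    # Assumption: an omitted criticality means the control is not critical.
    control = {"oid": oid, "critical": criticality.lower() == "true",
               "value": None, "value_file": None}
    if has_value and raw.startswith(":"):      # ::b64value
        control["value"] = base64.b64decode(raw[1:], validate=True)
    elif has_value and raw.startswith("<"):    # :<filePath, recorded but not read
        control["value_file"] = raw[1:]
    elif has_value:                            # :value taken literally
        control["value"] = raw.encode("utf-8")
    return control
```
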
<term><option>-l, --timeLimit {timeLimit}</option></term>
<para>Maximum length of time in seconds to allow for the search</para>
<para>Default value: 0</para>
<term><option>--matchedValuesFilter {filter}</option></term>
<para>Use the LDAP matched values control with the provided filter</para>
<term><option>-n, --dry-run</option></term>
<para>Show what would be done but do not perform any operation</para>
<term><option>-s, --searchScope {searchScope}</option></term>
<para>Search scope ('base', 'one', 'sub', or 'subordinate')</para>
<para>Default value: sub</para>
<para><literal>subordinate</literal> is an LDAP extension that might
not work with all LDAP servers.</para>
<term><option>-S, --sortOrder {sortOrder}</option></term>
<para>Sort the results using the provided sort order</para>
<term><option>--simplePageSize {numEntries}</option></term>
<para>Use the simple paged results control with the given page size</para>
<para>Default value: 1000</para>
<term><option>--subEntries</option></term>
<para>Use subentries control to specify that subentries are visible and
normal entries are not</para>
<term><option>-Y, --proxyAs {authzID}</option></term>
<para>Use the proxied authorization control with the given authorization
<term><option>-z, --sizeLimit {sizeLimit}</option></term>
<para>Maximum number of entries to return from the search</para>
<para>Default value: 0</para>
<title>LDAP Connection Options</title>
<term><option>--connectTimeout {timeout}</option></term>
<para>Maximum length of time (in milliseconds) that can be taken to
establish a connection. Use '0' to specify no time out.</para>
<para>Default value: 30000</para>
<term><option>-D, --bindDN {bindDN}</option></term>
<para>DN to use to bind to the server</para>
<para>Default value: cn=Directory Manager</para>
<term><option>-E, --reportAuthzID</option></term>
<para>Use the authorization identity control</para>
<term><option>-h, --hostname {host}</option></term>
<para>Directory server hostname or IP address</para>
<term><option>-j, --bindPasswordFile {bindPasswordFile}</option></term>
<para>Bind password file</para>
<term><option>-K, --keyStorePath {keyStorePath}</option></term>
<para>Certificate key store path</para>
<term><option>-N, --certNickname {nickname}</option></term>
<para>Nickname of certificate for SSL client authentication</para>
<term><option>-o, --saslOption {name=value}</option></term>
<para>SASL bind options</para>
<term><option>-p, --port {port}</option></term>
<para>Directory server port number</para>
<para>Default value: 389</para>
<term><option>-P, --trustStorePath {trustStorePath}</option></term>
<para>Certificate trust store path</para>
<term><option>-q, --useStartTLS</option></term>
<para>Use StartTLS to secure communication with the server</para>
<term><option>-r, --useSASLExternal</option></term>
<para>Use the SASL EXTERNAL authentication mechanism</para>
<term><option>--trustStorePassword {trustStorePassword}</option></term>
<para>Certificate trust store PIN</para>
<term><option>-u, --keyStorePasswordFile {keyStorePasswordFile}</option></term>
<para>Certificate key store PIN file</para>
<term><option>-U, --trustStorePasswordFile {path}</option></term>
<para>Certificate trust store PIN file</para>
<term><option>--usePasswordPolicyControl</option></term>
<para>Use the password policy request control</para>
<term><option>-V, --ldapVersion {version}</option></term>
<para>LDAP protocol version number</para>
<para>Default value: 3</para>
<term><option>-w, --bindPassword {bindPassword}</option></term>
<para>Password to use to bind to the server</para>
<term><option>-W, --keyStorePassword {keyStorePassword}</option></term>
<para>Certificate key store PIN</para>
<term><option>-X, --trustAll</option></term>
<para>Trust all server SSL certificates</para>
<term><option>-Z, --useSSL</option></term>
<para>Use SSL for secure communication with the server</para>
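
The following Python sketch is an added example, not part of OpenDJ. It reviews an ldapsearch command line, as found in a script or a runbook, for connection options from the list above that expose a secret as an argument, disable server certificate checking, or leave the connection without SSL or StartTLS. The host name, port, paths and password in the sample commands are constructed, and the check assumes options and their values are separate words or joined with "=".

```python
import shlex

# Options above that put a secret on the command line, mapped to the
# file-based option the same list offers instead.
SECRET_ARGS = {
    "-w": "-j/--bindPasswordFile",
    "--bindPassword": "-j/--bindPasswordFile",
    "-W": "-u/--keyStorePasswordFile",
    "--keyStorePassword": "-u/--keyStorePasswordFile",
    "--trustStorePassword": "-U/--trustStorePasswordFile",
}

def audit_ldapsearch(command_line):
    """Return a sorted list of findings for one ldapsearch invocation."""
    words = shlex.split(command_line)[1:]
    opts = {w.split("=", 1)[0] for w in words if w.startswith("-")}
    findings = []
    for opt in opts & set(SECRET_ARGS):
        findings.append(f"{opt}: secret is visible in the process list and "
                        f"shell history; use {SECRET_ARGS[opt]}")
    if opts & {"-X", "--trustAll"}:
        findings.append("trustAll: server certificate is not verified; "
                        "use -P/--trustStorePath")
    if not opts & {"-Z", "--useSSL", "-q", "--useStartTLS"}:
        findings.append("no TLS: neither --useSSL nor --useStartTLS is set")
    return sorted(findings)

# Constructed sample commands: the same search, weak and then corrected.
WEAK = ('ldapsearch -h ds.example.com -p 1636 -Z -X '
        '-D "uid=kvaughan,ou=People,dc=example,dc=com" -w secret '
        '-b dc=example,dc=com "(uid=bjensen)" mail')
HARDENED = ('ldapsearch -h ds.example.com -p 1636 -Z '
            '-P /path/to/truststore -U /path/to/truststore.pin '
            '-D "uid=kvaughan,ou=People,dc=example,dc=com" -j /path/to/bind.pwd '
            '-b dc=example,dc=com "(uid=bjensen)" mail')
```
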
<term><option>-i, --encoding {encoding}</option></term>
<para>Use the specified character set for command-line input</para>
<term><option>--noPropertiesFile</option></term>
<para>No properties file will be used to get default command line
<term><option>--propertiesFilePath {propertiesFilePath}</option></term>
<para>Path to the file containing default property values used for
command line arguments</para>
<term><option>-T, --dontWrap</option></term>
<listitem><para>Do not wrap long lines</para></listitem>
<term><option>-v, --verbose</option></term>
<para>Use verbose mode</para>
<title>General Options</title>
<term><option>--version</option></term>
<para>Display version information</para>
<term><option>-?, -H, --help</option></term>
<para>Display usage information</para>
<para>The filter argument is a string representation of an LDAP search filter
as in <literal>(cn=Babs Jensen)</literal>, <literal>(&amp;(objectClass=Person)(|(sn=Jensen)(cn=Babs J*)))</literal>, or
<literal>(cn:caseExactMatch:=Fred Flintstone)</literal>.</para>
<para>The optional attribute list specifies the attributes to return in the
entries found by the search. In addition to identifying attributes by name
such as <literal>cn sn mail</literal> and so forth, you can use the following
<term><literal>*</literal></term>
<para>Return all user attributes such as <literal>cn</literal>,
<literal>sn</literal>, and <literal>mail</literal>.</para>
<term><literal>+</literal></term>
<para>Return all operational attributes such as <literal>etag</literal>
and <literal>pwdPolicySubentry</literal>.</para>
<term><literal>@<replaceable>objectclass</replaceable></literal></term>
<para>Return all attributes of the specified object class, where
<replaceable>objectclass</replaceable> is one of the object classes
on the entries returned by the search.</para>
<term><literal>1.1</literal></term>
<para>Return no attributes, only the DNs of matching entries.</para>
<title>Exit Codes</title>
<para>The command completed successfully.</para>
<term><replaceable>ldap-error</replaceable></term>
<para>An LDAP error occurred while processing the operation.</para>
<para>LDAP result codes are described in <link>RFC 4511</link>. Also see the additional information for details.</para>
<para>An error occurred while parsing the command-line arguments.</para>
the defaults for bind DN, host name, and port number as in the following
<programlisting language="ini">
bindDN=uid=kvaughan,ou=People,dc=example,dc=com
<para>The following example searches for entries with UID containing
<literal>jensen</literal>, returning only DNs and uid values.</para>
$ <userinput>ldapsearch -p 1389 -b dc=example,dc=com "(uid=*jensen*)" uid</userinput>
<computeroutput>dn: uid=ajensen,ou=People,dc=example,dc=com
dn: uid=bjensen,ou=People,dc=example,dc=com
dn: uid=gjensen,ou=People,dc=example,dc=com
dn: uid=jjensen,ou=People,dc=example,dc=com
dn: uid=kjensen,ou=People,dc=example,dc=com
dn: uid=rjensen,ou=People,dc=example,dc=com
dn: uid=tjensen,ou=People,dc=example,dc=com
Result Code: 0 (Success)</computeroutput>
<para>You can also use <literal>@<replaceable>objectclass</replaceable></literal> notation in the attribute list to return
the attributes of a particular object class. The following example shows
how to return attributes of the <literal>inetOrgPerson</literal> object
$ <userinput>ldapsearch -p 1389 -b dc=example,dc=com "(uid=bjensen)" @inetorgperson</userinput>
<computeroutput>dn: uid=bjensen,ou=People,dc=example,dc=com
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
telephoneNumber: +1 408 555 1862
mail: bjensen@example.com
facsimileTelephoneNumber: +1 408 555 1992</computeroutput>
<para>You can use <literal>+</literal> in the attribute list to return
all operational attributes, as in the following example.</para>
$ <userinput>ldapsearch -p 1389 -b dc=example,dc=com "(uid=bjensen)" +</userinput>
<computeroutput>dn: uid=bjensen,ou=People,dc=example,dc=com
structuralObjectClass: inetOrgPerson
pwdPolicySubentry: cn=Default Password Policy,cn=Password Policies,cn=config
subschemaSubentry: cn=schema
entryDN: uid=bjensen,ou=people,dc=example,dc=com
entryUUID: fc252fd9-b982-3ed6-b42a-c76d2546312c</computeroutput>