Title: ldapsearch
Author:
Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
Date: 01/27/2015
Manual: Tools Reference
Source: OpenDJ 3.0.0
Language: English
* Define some portability stuff
-----------------------------------------------------------------
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://bugs.debian.org/507673
http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-----------------------------------------------------------------
* set default formatting
-----------------------------------------------------------------
disable hyphenation
disable justification (adjust text to left margin only)
-----------------------------------------------------------------
* MAIN CONTENT STARTS HERE *
-----------------------------------------------------------------
\w'ldapsearch 'u ldapsearch {options} [filter] [attributes...]
This utility can be used to perform LDAP search operations in the directory.
The following options are supported.
-a, --dereferencePolicy {dereferencePolicy}
Alias dereference policy (\*(Aqnever\*(Aq, \*(Aqalways\*(Aq, \*(Aqsearch\*(Aq, or \*(Aqfind\*(Aq) Default value: never
-A, --typesOnly
Only retrieve attribute names but not their values
--assertionFilter {filter}
Use the LDAP assertion control with the provided filter
-b, --baseDN {baseDN}
Base DN format string
-c, --continueOnError
Continue processing even if there are errors
-C, --persistentSearch ps[:changetype[:changesonly[:entrychgcontrols]]]
Use the persistent search control A persistent search allows the client to continue receiving new results whenever changes are made to data that is in the scope of the search, thus using the search as a form of change notification. The optional changetype setting defines the kinds of updates that result in notification. By default the changetype is not set.
add
Send notifications for LDAP add operations.
del, delete
Send notifications for LDAP delete operations.
mod, modify
Send notifications for LDAP modify operations.
moddn, modrdn, modifydn
Send notifications for LDAP modify DN (rename and move) operations.
all, any
Send notifications for all LDAP update operations.
true
Do not return existing entries, but instead only notifications about changes. This is the default setting.
false
Also return existing entries.
true
Do request the Entry Change Notification control. This is the default setting.
false
Do not request the Entry Change Notification control.
--countEntries
Count the number of entries returned by the server
-e, --getEffectiveRightsAttribute {attribute}
Specifies geteffectiverights control specific attribute list
-f, --filename {file}
LDIF file containing the changes to apply
-g, --getEffectiveRightsAuthzid {authzID}
Use geteffectiverights control with the provided authzid
-G, --virtualListView {before:after:index:count | before:after:value}
Use the virtual list view control to retrieve the specified results page
-J, --control {controloid[:criticality[:value|::b64value|:<filePath]]}
Use a request control with the provided information For some controloid values, you can replace object identifiers with user-friendly strings. The strings are listed here in lower case, but the case is not important. You can use camelCase if you prefer, for example.
accountusable, accountusability
Account Usability Control, Object Identifier: 1.3.6.1.4.1.42.2.27.9.5.8
authzid, authorizationidentity
Authorization Identity Request Control, Object Identifier: 2.16.840.1.113730.3.4.16
effectiverights, geteffectiverights
Get Effective Rights Request Control, Object Identifier: 1.3.6.1.4.1.42.2.27.9.5.2
managedsait
Manage DSAIT Request Control, Object Identifier: 2.16.840.1.113730.3.4.2
noop, no-op
No-Op Control, Object Identifier: 1.3.6.1.4.1.4203.1.10.2
pwpolicy, passwordpolicy
Password Policy Control, Object Identifier: 1.3.6.1.4.1.42.2.27.8.5.1
realattrsonly, realattributesonly
Real Attributes Only Request Control, Object Identifier: 2.16.840.1.113730.3.4.17
subtreedelete, treedelete
Subtree Delete Request Control, Object Identifier: 1.2.840.113556.1.4.805
virtualattrsonly, virtualattributesonly
Virtual Attributes Only Request Control, Object Identifier: 2.16.840.1.113730.3.4.19
-l, --timeLimit {timeLimit}
Maximum length of time in seconds to allow for the search Default value: 0
--matchedValuesFilter {filter}
Use the LDAP matched values control with the provided filter
-n, --dry-run
Show what would be done but do not perform any operation
-s, --searchScope {searchScope}
Search scope (\*(Aqbase\*(Aq, \*(Aqone\*(Aq, \*(Aqsub\*(Aq, or \*(Aqsubordinate\*(Aq) Default value: sub subordinate is an LDAP extension that might not work with all LDAP servers.
-S, --sortOrder {sortOrder}
Sort the results using the provided sort order
--simplePageSize {numEntries}
Use the simple paged results control with the given page size Default value: 1000
--subEntries
Use subentries control to specify that subentries are visible and normal entries are not
-Y, --proxyAs {authzID}
Use the proxied authorization control with the given authorization ID
-z, --sizeLimit {sizeLimit}
Maximum number of entries to return from the search Default value: 0
--connectTimeout {timeout}
Maximum length of time (in milliseconds) that can be taken to establish a connection. Use \*(Aq0\*(Aq to specify no time out. Default value: 30000
-D, --bindDN {bindDN}
DN to use to bind to the server Default value: cn=Directory Manager
-E, --reportAuthzID
Use the authorization identity control
-h, --hostname {host}
Directory server hostname or IP address Default value: localhost.localdomain
-j, --bindPasswordFile {bindPasswordFile}
Bind password file
-K, --keyStorePath {keyStorePath}
Certificate key store path
-N, --certNickname {nickname}
Nickname of certificate for SSL client authentication
-o, --saslOption {name=value}
SASL bind options
-p, --port {port}
Directory server port number Default value: 389
-P, --trustStorePath {trustStorePath}
Certificate trust store path
-q, --useStartTLS
Use StartTLS to secure communication with the server
-r, --useSASLExternal
Use the SASL EXTERNAL authentication mechanism
--trustStorePassword {trustStorePassword}
Certificate trust store PIN
-u, --keyStorePasswordFile {keyStorePasswordFile}
Certificate key store PIN file
-U, --trustStorePasswordFile {path}
Certificate trust store PIN file
--usePasswordPolicyControl
Use the password policy request control
-V, --ldapVersion {version}
LDAP protocol version number Default value: 3
-w, --bindPassword {bindPassword}
Password to use to bind to the server
-W, --keyStorePassword {keyStorePassword}
Certificate key store PIN
-X, --trustAll
Trust all server SSL certificates
-Z, --useSSL
Use SSL for secure communication with the server
-i, --encoding {encoding}
Use the specified character set for command-line input
--noPropertiesFile
No properties file will be used to get default command line argument values
--propertiesFilePath {propertiesFilePath}
Path to the file containing default property values used for command line arguments
-T, --dontWrap
Do not wrap long lines
-v, --verbose
Use verbose mode
--version
Display version information
-?, -H, --help
Display usage information
The filter argument is a string representation of an LDAP search filter as in (cn=Babs Jensen), (&(objectClass=Person)(|(sn=Jensen)(cn=Babs J*))), or (cn:caseExactMatch:=Fred Flintstone).
The optional attribute list specifies the attributes to return in the entries found by the search. In addition to identifying attributes by name such as cn sn mail and so forth, you can use the following notations, too.
*
Return all user attributes such as cn, sn, and mail.
+
Return all operational attributes such as etag and pwdPolicySubentry.
@objectclass
Return all attributes of the specified object class, where objectclass is one of the object classes on the entries returned by the search.
1.1
Return no attributes, only the DNs of matching entries.
0
The command completed successfully.
ldap-error
An LDAP error occurred while processing the operation. LDAP result codes are described in \m[blue]RFC 4511\m[]. Also see the additional information for details.
89
An error occurred while parsing the command-line arguments.
You can use ~/.opendj/tools.properties to set the defaults for bind DN, host name, and port number as in the following example.
.\}
hostname=directory.example.com port=1389 bindDN=uid=kvaughan,ou=People,dc=example,dc=com ldapcompare.port=1389 ldapdelete.port=1389 ldapmodify.port=1389 ldappasswordmodify.port=1389 ldapsearch.port=1389
The following example searches for entries with UID containing jensen, returning only DNs and uid values.
.\}
$ ldapsearch -p 1389 -b dc=example,dc=com "(uid=*jensen*)" uid
dn: uid=ajensen,ou=People,dc=example,dc=com
uid: ajensen
dn: uid=bjensen,ou=People,dc=example,dc=com
uid: bjensen
dn: uid=gjensen,ou=People,dc=example,dc=com
uid: gjensen
dn: uid=jjensen,ou=People,dc=example,dc=com
uid: jjensen
dn: uid=kjensen,ou=People,dc=example,dc=com
uid: kjensen
dn: uid=rjensen,ou=People,dc=example,dc=com
uid: rjensen
dn: uid=tjensen,ou=People,dc=example,dc=com
uid: tjensen
Result Code: 0 (Success)
You can also use @objectclass notation in the attribute list to return the attributes of a particular object class. The following example shows how to return attributes of the inetOrgPerson object class.
.\}
$ ldapsearch -p 1389 -b dc=example,dc=com "(uid=bjensen)" @inetorgperson
dn: uid=bjensen,ou=People,dc=example,dc=com
givenName: Barbara
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
uid: bjensen
cn: Barbara Jensen
cn: Babs Jensen
telephoneNumber: +1 408 555 1862
sn: Jensen
roomNumber: 0209
mail: bjensen@example.com
l: Cupertino
ou: Product Development
ou: People
facsimileTelephoneNumber: +1 408 555 1992
You can use + in the attribute list to return all operational attributes, as in the following example.
.\}
$ ldapsearch -p 1389 -b dc=example,dc=com "(uid=bjensen)" +
dn: uid=bjensen,ou=People,dc=example,dc=com
numSubordinates: 0
structuralObjectClass: inetOrgPerson
etag: 0000000073c29972
pwdPolicySubentry: cn=Default Password Policy,cn=Password Policies,cn=config
subschemaSubentry: cn=schema
hasSubordinates: false
entryDN: uid=bjensen,ou=people,dc=example,dc=com
entryUUID: fc252fd9-b982-3ed6-b42a-c76d2546312c
Copyright \(co 2011-2015 ForgeRock AS.