OpenLDAP: using ldapsearch

Source: Internet
Author: User

ldapsearch Parameter Table
The following table describes the case-sensitive parameters that can be used for ldapsearch.

Parameter    Use

-?    Prints help on using ldapsearch.

-a deref    Specifies alias dereferencing. Enter never, always, search, or find. If you do not use this parameter, the default is never.

-A    Retrieves only the attribute names, not the attribute values.

-b base DN    Specifies the distinguished name to use as the starting point for the search. Enclose this value in quotation marks, for example: "ou=west,o=acme,c=us"

You must use this parameter if the server you are searching requires a starting point for the search. Otherwise, this parameter is optional.

You can use -b together with -s to determine the scope of the search. Without -s, -b searches the entry specified as the starting point and all entries beneath it.

-B    Allows non-ASCII values to be printed.

-D bind DN    Specifies the distinguished name that the server uses to authenticate you. The name must match an entry in the directory and must have the permissions required to search the directory.

Enclose the name in quotation marks, for example: "cn=directory manager,o=acme,c=us"

If you do not use this parameter, the connection to the server is anonymous. If the server does not allow anonymous connections, you must use -D.

In addition to -D, you must also use the -w parameter to specify the password associated with the distinguished name.

-f file    Specifies the file containing the search filters you want to use, for example -f filter. Place each search filter on a separate line. ldapsearch performs one search for each line. You can optionally specify a filter pattern. For example, specify -f filter "cn=%s" and enter a common name value on each line of the file.

-F sep    Prints sep instead of the equal sign (=) between the attribute name and the value. For example, you can use this parameter if the tool that reads the ldapsearch output expects a different separator.

-h host name    Specifies the host name of the server to connect to, for example -h server.acme.com.

-l timelimit    Specifies the time limit (in seconds) for completing the search. If this parameter is not specified or the specified limit is 0, there is no time limit for the search. However, ldapsearch never waits longer than the search time limit set on the server.

-L    Specifies output in LDIF format. LDIF uses a colon (:) instead of the equal sign (=) as the attribute descriptor. LDIF is helpful for adding or modifying a large number of directory entries at once. For example, the output can be imported into an LDAP-compatible directory.

-M    Manages referral objects as normal entries, so that ldapsearch returns the attributes of the referral entry itself, not the attributes of the entry it refers to.

-n    Shows how the search would be performed, but does not actually perform it.

-p port    Specifies the port used by the server. If this parameter is not used, ldapsearch uses port 389 by default.

-R    Does not automatically follow search references returned by the server. Note that the Netscape directory server uses the term referrals for search references.

-s scope    Specifies the search scope when you use the -b parameter:
    base: search only the entry specified by the -b parameter.
    onelevel: search only the immediate children of the entry specified by the -b parameter, not the entry itself.
    subtree: search the entry specified by the -b parameter and all entries beneath it. This is the default behavior when -b is used without -s.
The order in which you specify -b and -s does not matter.

-S attribute    Sorts the results by the attribute you specify.

-z sizelimit    Specifies the maximum number of entries to return. If this parameter is not specified or the specified limit is 0, there is no limit on the number of entries returned. However, ldapsearch never returns more entries than the server allows.

-u    Specifies that ldapsearch returns distinguished names in a user-friendly format.

-v    Runs ldapsearch in verbose mode.

-w password    Specifies the password associated with the distinguished name used with the -D parameter. A password given on the command line can be read from the shell history and the process list.

-x    When used with -S, specifies that the LDAP server sorts the results before returning them. If you use -S without -x, ldapsearch sorts the results.


Table of operators used in ldapsearch search filters
The following table describes the operators that you can use in search filters.

Operator    Use    Example

=    Finds entries in which the attribute value is the same as the specified value.    "cn=john Browning"

=<string>*<string>    Finds entries in which the attribute value contains the specified substring.    "cn=john*", "cn=j*brown"

>=    Finds entries in which the attribute has a numeric or alphabetic value greater than or equal to the specified value.    "cn>=d"

<=    Finds entries in which the attribute has a numeric or alphabetic value less than or equal to the specified value.    "roomnumber<=300"

=*    Finds entries that have a value for the attribute, regardless of what the value is.    "sn=*"

~=    Finds entries in which the attribute value is approximately equal to the specified value.    "sn~=brning" may return sn=browning

&    Finds entries that match the criteria specified in all of the search filters.    "(&(cn=john Browning)(l=dallas))"

|    Finds entries that match the criteria specified in at least one of the search filters.    "(|(cn=john Browning)(l=dallas))"

!    Finds entries that do not match the criteria specified in any of the search filters. The ! operator takes a single filter, so several criteria are grouped with | first.    "(!(|(cn=john Browning)(l=dallas)))"


Using search filters with ldapsearch
You must use a search filter to specify the attributes to search for. The syntax for the search filter is:
"<attribute> <operator> <value>"


For example, the following search filter finds all entries that have Smith as the value of the sn (surname) attribute:
"sn=smith"


You can specify any attribute that is stored in the directory in the search filter. The following are common attributes used to search for person entries:
    cn: the person's common name
    sn: the person's surname
    telephonenumber: the person's phone number
    l: the person's location


You can specify search filters on the ldapsearch command line, or specify them in a file and use the ldapsearch parameter -f to reference this file. If you use a file, put each search filter on a separate line.

Note that if the LDAP directory (such as the Domino LDAP directory) supports language tags, they can be included in the search filter. For example:
"givenname;lang-fr=etienne"


Using multiple search filters with Boolean operators

You can use multiple search filters and Boolean operators. Use the following syntax:
"(operator(filter)(filter))"


For example, use the search filter below to find entries with the surname Browning whose location is Dallas.
"(&(sn=browning)(l=dallas))"


Boolean operators can be nested. For example, use the following search filter to find entries in the mail domain MDN whose surname is Caneel or whose given name is Alfred:
"(&(maildomain=MDN)(|(sn=caneel)(givenname=alfred)))"
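
The filter syntax described above as a parser plus a value-escaping helper (an added example in Python, not code from the original page or from OpenLDAP). It rejects filters with wrong parentheses or operator arity, and shows the RFC 4515 escaping a value needs before it is substituted into a pattern such as cn=%s; the function names and sample values are constructed for illustration.

```python
import re

# RFC 4515 escapes for characters that are special inside an assertion value.
ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
# One simple item: attribute (optionally with ;options), operator, value, ')'.
ITEM = re.compile(r"([A-Za-z][A-Za-z0-9;-]*)(~=|>=|<=|=)([^()]*)\)")


def escape_value(value):
    """Escape a literal value so it cannot alter the filter's structure."""
    return "".join(ESCAPES.get(ch, ch) for ch in value)


def item(attr, op, value, prefix_match=False):
    """Build '(attr op value)'; a trailing '*' is added only on request."""
    return f"({attr}{op}{escape_value(value)}{'*' if prefix_match else ''})"


def parse(text):
    """Return the filter as nested tuples; raise ValueError if malformed."""
    node, end = _parse(text, 0)
    if end != len(text):
        raise ValueError(f"unexpected text at offset {end}")
    return node


def _parse(s, i):
    if not s.startswith("(", i):
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i:i + 1] in ("&", "|", "!"):
        op, children = s[i], []
        i += 1
        while s.startswith("(", i):
            child, i = _parse(s, i)
            children.append(child)
        if not s.startswith(")", i):
            raise ValueError(f"expected ')' at offset {i}")
        if not children or (op == "!" and len(children) != 1):
            raise ValueError(f"'{op}' has {len(children)} operand(s)")
        return (op, children), i + 1
    m = ITEM.match(s, i)
    if m is None:
        raise ValueError(f"bad item at offset {i}")
    return (m.group(1).lower(), m.group(2), m.group(3)), m.end()


# Constructed sample inputs, not taken from a real directory.
NESTED = "(&(maildomain=MDN)(|(sn=caneel)(givenname=alfred)))"
USER_INPUT = "Smith (Dallas)*"
SAFE = item("sn", "=", USER_INPUT)
```

The parser expects the filter without the surrounding shell quotation marks and without spaces between sub-filters.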



Examples of using ldapsearch

The following table provides examples of using the ldapsearch utility.

Search    Command

Search all entries on the host ldap.acme.com, port 389, and return all attributes and values.
    ldapsearch -h ldap.acme.com "objectclass=*"

As above, but return only the attribute names.
    ldapsearch -A -h ldap.acme.com "objectclass=*"

Search all entries on the host ldap.acme.com, port 389, and dereference all aliases found.
    ldapsearch -a always -h ldap.acme.com "objectclass=*"

Search all entries on the host ldap.acme.com, port 389, and return the attributes mail, cn, sn, and givenname.
    ldapsearch -h ldap.acme.com "objectclass=*" mail cn sn givenname

On the host ldap.acme.com, port 389, search for (cn=mike*) under the base "ou=west,o=acme,c=us" and return all attributes and values.
    ldapsearch -b "ou=west,o=acme,c=us" -h ldap.acme.com "(cn=mike*)"

Search one level on the host ldap.acme.com, port 389, and return all attributes and values.
    ldapsearch -s onelevel -h ldap.acme.com "objectclass=*"

As above, but limit the scope to the base.
    ldapsearch -s base -h ldap.acme.com "objectclass=*"

Search all entries on the host ldap.acme.com, port 389, and return all attributes and values; the search time is limited to five seconds.
    ldapsearch -l 5 -h ldap.acme.com "objectclass=*"

Search all entries on the host ldap.acme.com, port 389, and return all attributes and values; the size limit is five.
    ldapsearch -z 5 -h ldap.acme.com "objectclass=*"

Search all entries on the host ldap.acme.com, port 389, binding as user "cn=john doe,o=acme" with password "password", and return all attributes and values in LDIF format.
    ldapsearch -h ldap.acme.com -D "cn=john doe,o=acme" -w password -L "objectclass=*"

On the host ldap.acme.com, port 389, return all attributes that anonymous users are allowed to view for the entry "cn=john doe,o=acme".
    ldapsearch -h ldap.acme.com -s base -b "cn=john doe,o=acme" "objectclass=*"

Search all entries on another host, bluepages.ibm.com, which is configured to listen for LDAP requests on port 391.
    ldapsearch -h bluepages.ibm.com -p 391 "objectclass=*"

On bluepages.ibm.com, port 391, perform a subtree search (the default), starting at the organization "o=ibm", for any entry of object class person that also has an attribute matching any of the attributes in the OR filter. The time limit is 300 seconds, and the maximum number of entries returned is set to 1000. Only the DN (default) and cn are returned. (This is a common filter for web applications.)
    ldapsearch -h bluepages.ibm.com -p 391 -b "o=ibm" -l 300 -z 1000 "(&(objectclass=person)(|(cn=jerry seinfeld*)(givenname=jerry seinfeld*)(sn=jerry seinfeld*)(mail=jerry seinfeld*)))" cn

On bluepages.ibm.com, port 391, start at the base entry "cn=hr group,ou=asia,o=ibm", with a time limit of 300 seconds, and query all members of this entry. (This is another common filter used in web applications to determine group members.)
    ldapsearch -h bluepages.ibm.com -p 391 -b "cn=hr group,ou=asia,o=ibm" -s base -l 300 "(objectclass=*)" member
