Openldap --- use ldapsearch

Source: Internet
Author: User
Tags benchmark ldap ldapsearch sorts openldap

Ldapsearch catalogs
The following table describes the numbers of shards that can be used for ldapsearch in uppercase and lowercase.

Number of shards Purpose
-? Print help on using ldapsearch.
-A deref Specifies reverse alias reference. Enter never, always, search, or find. If the number of workers is not used, the default value is never.
- Only the attribute name is retrieved, but not the attribute value.
-B Base DN Specifies the private name used as the search start point. You can use the quote to specify this value, for example, "ou = West, O = Acme, c = us"

Assume that the server to be searched must specify the search start point, the number of workers must be used. Otherwise, the number of shards is optional.

You can also use-B and-s to determine the search range at the same time. Without-S,-B searches for all the items specified as the starting point and the item.

-B Agree to print non-ASCII values
-D bind DN Specify the server to verify your private name. The name must match the items in the folder and have the permissions required to search for the folder.

Use the quote to specify the name, for example, "cn = Directory Manager, O = Acme, c = us"

If this parameter is not used, the connection to the server is anonymous. If the server does not agree to anonymous connections, you must use-D.

In addition to-D, you must use the-W limit number to specify the password associated with the private name.

-F File Specifies the file that includes the search filter to be used, such as the-F filter. Place each search filter in a single row. Ldapsearch runs a search for each row. You can select the specified filtering mode. For example, specify-F to filter "cn = % s" and enter the value of the public name in each row of the file.
-F Sep Print SEP between attribute names and values instead of equal sign (= ). For example, if the tool that reads ldapsearch output wants to use other separators, this number of separators can be used.
-H Host Name Specify the Host Name of the server to be connected, such as-H server.acme.com.
-L timelimit Specify the time limit (in seconds) for completing the search ). If the number of shards is not specified or the specified limit is 0, there is no time limit for searching. However, the waiting time of ldapsearch will never exceed the search time limit set on the server.
-L Specify the output in ldif format. The ldif format uses the colon (:) instead of the equal sign (=) as the attribute descriptor. Ldif is very helpful for adding or modifying a large number of folder items at one time. For example, you can introduce the output content to LDAP-compatible folders.
-M Manage the subject as a common item so that ldapsearch can return the attributes of the selected item, rather than the attributes of the selected item.
-N Shows how to run the search, but does not actually run the search
-P Port Port used by the server. If the number of partitions is not used, ldapsearch uses the 389 port by default.
-R Do not manually follow the search reference returned by the server. Note that the Netscape folder server uses the term referrals for reference search.
-S scope Specify the search range when-B limit is used:
  • Base -- only search for items specified by-B Limit
  • Onelevel -- only searches for the direct subitem of a specified item in-B limit, rather than the item itself
  • Subtree -- search for the items specified by the number of B segments and all its sub-items. This is the default act of using-B without-s.
It is not important to specify the order of-B and-s.
-S attribute Sorts the result by specified attribute.
-Z sizelimit Specify the maximum number of returned items. If the number of partitions is not specified or the specified limit is 0, there is no limit on the number of returned items. However, ldapsearch returns no more items than the server agrees.
-U Specify the private name returned by ldapsearch in user-friendly format.
-V Specify ldapsearch to run in detail mode.
-W Password Specifies the password associated with the VPC name used with the-D quota.
X When used with-S, you can specify that the LDAP server sorts the results before returning them. If-S is used instead of-X, ldapsearch sorts the results.


Operator table used in ldapsearch search filter
The following table describes the operators that can be used in search filters.

Operator Purpose Example
= Searches for items with the same attribute value as the specified value. "Cn = John Browning"
= <String> * <string> Searches for items with the same attribute value as the specified substring. "Cn = John *"

"Cn = J * Brown"

> = Search for a specific item. The number or letter value of the attribute included in this item is greater than or equal to the specified value. "CN> = D"
<= Search for a specific item. The number or letter value of the attribute included in this item is smaller than or equal to the specified value. & Quot; roomnumber & quot; <= 300 & quot"
= * Search for items that contain the values of a specific attribute, regardless of the value of the attribute. "Sn = *"
~ = Search for a specific item. The attribute value in this item is approximately the same as the specified value. "Sn ~ = Brning "may return Sn = Browning
& Searches for items that match the conditions specified in all search filters. "(& (CN = John Browning) (L = Dallas ))"
| Searches for items that match the conditions specified in at least one search filter. "(| (CN = John Browning) (L = Dallas ))"
! Searches for items that do not match the specified condition in any search filter. "(! (CN = John Browning) (L = Dallas ))"


Use the ldapsearch search filter
You must use the search filter to specify the attribute to be searched. The search filter syntax is:


    "<Attribute> <operator> <value>"


For example, the following search filter can find all the specific items, and only the values of Smith as the Sn (alias) attribute in the item are required:


    "Sn = Smith"


You can specify random attributes stored in folders in the search filter. The following is a public attribute used to search for personal items:

  • CN-public name of a person
  • Sn-the surname of the individual
  • Telephonenumber -- personal phone number
  • L -- personal geographic location


You can specify search filters in the ldapsearch command line, or specify them in files, and use the number of lsearch shards-F to reference this file. If files are used, specify each search filter in a separate row.

NOTE: If LDAP folders (such as Domino LDAP folders) support language tags, You can include them in the search filter. For example:


    "Givenname; Lang-Fr = Etienne"


Multiple search filters using boolean operators

You can use multiple search filters and boolean operators. Use the following syntax:


    "(Operator (filter ))"


For example, use the following search filter to find items that are not called browning and whose position is Dallas.


    "(& (Sn = Browning) (L = Dallas ))"


Boolean operators can be nested. For example, use the following search filter to search for items with surname caneel or givenname Alfred in the mail network domain MDN:


    "(& (Maildomain = MDN) (| (Sn = caneel) (givenname = Alfred )))"



Example of ldapsearch

The following table provides examples of using the ldapsearch utility.

Search Command
Use all items on port 389 host ldap.acme.com and return all attributes and values Ldapsearch-H ldap.acme.com "objectclass = *"
Same as above, but only the property name is returned Ldapsearch-a-h ldap.acme.com "objectclass = *"
Use all the items on port 389 host ldap.acme.com, and reverse reference all aliases found Ldapsearch-A always-H ldap.acme.com "objectclass = *"
Use all the items on port 389 host ldap.acme.com, and return attributes such as mail, CN, Sn, and givenname. Ldapsearch-H ldap.acme.com "objectclass = *" mail CN Sn givenname
Search (CN = Mike *) under the "ou = West, O = Acme, c = us" benchmark on port 389 host ldap.acme.com and return all attributes and values. Ldapsearch-B "ou = West, O = Acme, c = us"-H ldap.acme.com "(CN = Mike *)"
Use a level on port 389 host ldap.acme.com and return all attributes and values Ldapsearch-s onelevel-H ldap.acme.com "objectclass = *"
Same as above, but the scope of the benchmark is limited Ldapsearch-S base-H ldap.acme.com "objectclass = *"
Use all items on port 389 host ldap.acme.com and return all attributes and values. The search time is limited to five seconds. Ldapsearch-L 5-H ldap.acme.com "objectclass = *"
Use all items on port 389 host ldap.acme.com and return all attributes and values. The maximum size is five. Ldapsearch-Z 5-H ldap.acme.com "objectclass = *"
All the items on port 389 host ldap.acme.com are bundled as "cn = John Doe, O = Acme", password "password", and all attributes and values are returned in ldif format. Ldapsearch-H ldap.acme.com-d "cn = John Doe, O = Acme"-W password-L "objectclass = *"
Use the port 389 host ldap.acme.com. For "cn = John Doe, O = Acme", return all attributes that it agrees to be anonymously viewed Ldapsearch-H ldap.acme.com "-S base-B" cn = John Doe, O = Acme "objectclass = *"
All the items configured to listen for LDAP requests on port 391 and on the host bluepages.ibm.com Ldapsearch-H bluepages.ibm.com-P 391 "objectclass = *"
Port 391 on bluepages.ibm.com. Perform a subtree search (default) on any "individual" object type that matches any attribute in the OR filter, starting with "O = IBM" of the Organization. The timeout value is 300 seconds, and the maximum number of returned items is 1000. And only the DN (default) and CN (this is the public filter of the Web application) are returned ). Ldapsearch-H bluepages.ibm.com-P 391-B "O = IBM"-l 300-Z 1000 "(& (objectclass = person) (| (CN = Jerry Seinfeld *) (givenname = JerrySeinfeld *) (Sn = Jerry Seinfeld *) (Mail = Jerry Seinfeld *) "cn
Port 391 on bluepages.ibm.com. Start with the reference item "cn = HR group, ou = Asia, O = IBM". The time limit is 300 seconds. query all members of this item. (There is also a public filter used in the Web application to determine group members ). Ldapsearch-H bluepages.ibm.com-P 391-B "cn = HR group, ou = Asia, O = IBM"-S base-l 300 "(objectclass = *)" Member

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.