Using ldapsearch

Source: Internet
Author: User
Tags ldap ldapsearch

Parameter       Use

-?              Prints help on using ldapsearch.

-a deref        Specifies how aliases are dereferenced. Enter never, always, search or find. If you omit this parameter, the default is never.

-A              Retrieves only attribute names, not attribute values.

-b basedn       Specifies the distinguished name (DN) of the entry to use as the starting point for the search. Put quotation marks around the value, for example: "ou=west,o=acme,c=us"

                This parameter is mandatory if the server you are searching requires a search base; otherwise it is optional.

                -b can be combined with -s to set the search scope. Without -s, -b searches the starting entry and all of its descendants.

-B              Allows non-ASCII values to be printed.

-D binddn       Specifies the distinguished name the server uses to authenticate you. The name must match an entry in the directory, and that entry must have the access rights needed to search the directory.

                Put quotation marks around the name, for example: "cn=directory manager,o=acme,c=us"

                If you omit this parameter, the connection to the server is anonymous. If the server does not allow anonymous connections, you must use -D.

                Together with -D you must also use -w to supply the password for that distinguished name.

-f file         Specifies a file containing the search filters to use. Put each search filter on a separate line; ldapsearch performs one search per line. Optionally you can give a filter pattern on the command line, for example "cn=%s", and put one common-name value on each line of the file; ldapsearch substitutes each line for %s.

-F sep          Prints sep instead of an equals sign (=) between the attribute name and its value. Use this, for example, when the tool that consumes the ldapsearch output expects a different delimiter.

-h host         Specifies the host name of the server to connect to, for example -h server.acme.com.

-l timelimit    Specifies the time limit, in seconds, for completing the search. If you omit this parameter or specify 0, the client imposes no time limit; the server's own time limit still applies, so ldapsearch never waits longer than the server allows.

-L              Produces output in LDIF format. LDIF uses a colon (:) instead of an equals sign (=) after the attribute name. LDIF is useful for adding or modifying many directory entries at once; for example, you can import the output into another LDAP directory.

-M              Treats referral objects as ordinary entries, so that ldapsearch returns the attributes of the referral entry itself rather than the attributes of the entry it points to.

-n              Shows what the search would do without actually performing it.

-p port         Specifies the port the server listens on. If you omit this parameter, ldapsearch uses port 389.

-R              Does not automatically follow search references returned by the server. Note that Netscape Directory Server uses the term "referrals" for search references.

-s scope        Specifies the search scope to use with -b:

                  • base - searches only the entry named by -b

                  • onelevel - searches only the immediate children of the entry named by -b, not the entry itself

                  • subtree - searches the entry named by -b and all of its descendants. This is the default when -b is used without -s.

                The order of -b and -s on the command line does not matter.

-S attribute    Sorts the results by the specified attribute.

-z sizelimit    Specifies the maximum number of entries to return. If you omit this parameter or specify 0, the client imposes no size limit; ldapsearch still returns no more entries than the server allows.

-u              Prints distinguished names in user-friendly form.

-v              Runs ldapsearch in verbose mode.

-w password     Specifies the password for the distinguished name given with -D. Note that a password passed on the command line is visible to other users in the process list and is usually recorded in the shell history.

-x              When used with -S, asks the LDAP server to sort the results before returning them. If you use -S without -x, ldapsearch sorts the results itself on the client.


Operators used in ldapsearch search filters

The following table describes the operators you can use in search filters.

Operator   Use
           Example

=          Finds entries whose attribute value equals the specified value.
           "cn=john browning"

=<string>*<string>
           Finds entries whose attribute value matches the specified substring pattern; * matches any sequence of characters.
           "cn=john*"
           "cn=j*brown"

>=         Finds entries whose attribute value, numeric or alphabetic, is greater than or equal to the specified value.
           "cn>=d"

<=         Finds entries whose attribute value, numeric or alphabetic, is less than or equal to the specified value.
           "roomnumber<=300"

=*         Finds entries that have any value for the specified attribute, whatever that value is (a presence test).
           "sn=*"

~=         Finds entries whose attribute value is approximately equal to the specified value. The approximate-matching rule is defined by the server.
           "sn~=brning" may return sn=browning

&          Finds entries that match all of the enclosed search filters.
           "(&(cn=john browning)(l=dallas))"

|          Finds entries that match at least one of the enclosed search filters.
           "(|(cn=john browning)(l=dallas))"

!          Finds entries that do not match the enclosed search filter. ! takes exactly one filter (RFC 4515); to exclude entries that match any of several filters, combine them with | first.
           "(!(l=dallas))"
           "(!(|(cn=john browning)(l=dallas)))"
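To check what each operator in the table actually matches before running a search against a live server, here is a small filter parser and evaluator that works offline. It is an added example, not code from the original post or from ldapsearch; the directory entries it searches are constructed test data, and the similarity ratio used for ~= is a stand-in for the server-defined approximate-matching rule.

```python
"""Evaluate RFC 4515 search filters against in-memory entries (added example)."""
import difflib
import re

# Constructed directory entries, not real data. LDAP attribute names are
# case-insensitive, so they are stored lower-case; every value is a list.
ENTRIES = [
    {"dn": ["cn=john browning,l=dallas,o=acme"], "cn": ["john browning"],
     "sn": ["browning"], "l": ["dallas"], "roomnumber": ["250"]},
    {"dn": ["cn=jane doe,l=austin,o=acme"], "cn": ["jane doe"],
     "sn": ["doe"], "l": ["austin"], "roomnumber": ["310"]},
    {"dn": ["cn=mike smith,l=dallas,o=acme"], "cn": ["mike smith"],
     "sn": ["smith"], "l": ["dallas"]},
]

# attribute description (with options such as givenname;lang-fr), operator, value
_ITEM = re.compile(r"([A-Za-z][\w;.-]*)(>=|<=|~=|=)(.*)$")


def _unescape(value):
    """Decode RFC 4515 escapes such as \\2a (a literal '*') and \\28 ('(')."""
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)


def parse_filter(text):
    """Parse a filter into a tree: ("and"|"or", [children]), ("not", child),
    or (kind, attr, value) with kind in eq/ge/le/approx/present/sub."""
    text = text.strip()
    if not text.startswith("("):       # ldapsearch also accepts a bare "sn=smith"
        text = "(" + text + ")"
    node, end = _parse(text, 0)
    if end != len(text):
        raise ValueError("unexpected text after filter: %r" % text[end:])
    return node


def _parse(s, i):
    if s[i:i + 1] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    c = s[i:i + 1]
    if c in ("&", "|"):
        op, kids, i = ("and" if c == "&" else "or"), [], i + 1
        while s[i:i + 1] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        return (op, kids), _expect(s, i, ")")
    if c == "!":                       # NOT takes exactly one filter (RFC 4515)
        kid, i = _parse(s, i + 1)
        return ("not", kid), _expect(s, i, ")")
    end = s.find(")", i)               # a ')' inside a value must be escaped as \29
    if end < 0:
        raise ValueError("missing ')' in filter")
    m = _ITEM.match(s[i:end])
    if not m:
        raise ValueError("bad filter item: %r" % s[i:end])
    attr, op, raw = m.group(1).lower(), m.group(2), m.group(3)
    if op == "=" and raw == "*":
        return ("present", attr, None), end + 1
    if op == "=" and "*" in raw:       # split on unescaped '*', then unescape the pieces
        return ("sub", attr, [_unescape(p) for p in raw.split("*")]), end + 1
    kind = {"=": "eq", ">=": "ge", "<=": "le", "~=": "approx"}[op]
    return (kind, attr, _unescape(raw)), end + 1


def _expect(s, i, ch):
    if s[i:i + 1] != ch:
        raise ValueError("expected %r at offset %d" % (ch, i))
    return i + 1


def matches(node, entry):
    """True if the entry satisfies the tree. Comparisons ignore case, as the
    caseIgnore rules for cn/sn/l do; >= and <= use plain string ordering."""
    kind = node[0]
    if kind == "and":
        return all(matches(k, entry) for k in node[1])
    if kind == "or":
        return any(matches(k, entry) for k in node[1])
    if kind == "not":
        return not matches(node[1], entry)
    _, attr, val = node
    values = [v.lower() for v in entry.get(attr, [])]
    if kind == "present":
        return bool(values)
    if kind == "sub":                  # "j*brown" -> ^j.*brown$, everything else literal
        pat = "^" + ".*".join(re.escape(p.lower()) for p in val) + "$"
        return any(re.match(pat, v) for v in values)
    val = val.lower()
    if kind == "eq":
        return val in values
    if kind == "ge":
        return any(v >= val for v in values)
    if kind == "le":
        return any(v <= val for v in values)
    # ~= is server-defined; a string-similarity ratio stands in for it here.
    return any(difflib.SequenceMatcher(None, v, val).ratio() >= 0.8 for v in values)


def search(filter_text, entries=ENTRIES):
    """Return the DNs of the entries matching the filter, like a subtree search."""
    tree = parse_filter(filter_text)
    return [e["dn"][0] for e in entries if matches(tree, e)]
```

Two behaviours worth noticing: "cn=john\2a" matches nothing because the escaped asterisk is compared literally, whereas "cn=john*" is a substring filter, and "(!(a=1)(b=2))" is rejected because NOT takes a single operand.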


Search filters using ldapsearch

You use a search filter to specify the attributes and values to search for. The syntax of a search filter is:

"<attribute><operator><value>"

For example, the following search filter finds every entry whose sn attribute has the value smith:

"sn=smith"

You can use any attribute stored in the directory in a search filter. The following attributes are commonly used when searching for person entries:

    • cn - the person's common name

    • sn - the person's surname

    • telephonenumber - the person's telephone number

    • l - the person's location

You can specify search filters on the ldapsearch command line, or put them in a file and reference the file with the -f parameter. If you use a file, put each search filter on a separate line.

Note: If the LDAP directory (for example, the Domino LDAP directory) supports language tags, you can include them in the search filter. For example:

"givenname;lang-fr=etienne"


Multiple search filters using Boolean operators

You can combine several search filters with Boolean operators. Use the following syntax:

"(operator(filter)(filter)...)"

For example, the following search filter finds entries whose surname is Browning and whose location is Dallas:

"(&(sn=browning)(l=dallas))"

Boolean operators can be nested. For example, the following search filter finds entries in the mail domain MDN whose surname is Caneel or whose given name is Alfred:

"(&(maildomain=MDN)(|(sn=caneel)(givenname=alfred)))"
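The operator table and the "cn=%s" pattern described for -f both show that *, ( and ) are filter syntax, so a value copied verbatim from a user into a filter changes the query (LDAP injection). The following added example, not code from the original post or from ldapsearch, builds the Boolean filters above from untrusted input with RFC 4515 escaping. The attacker input is constructed, the assumption that ldapsearch substitutes -f file lines into the pattern verbatim is not verified against the tool, and the argv helper only uses the -h, -p, -b and -s parameters documented above.

```python
"""Build LDAP search filters from untrusted input without injection (added example)."""
import re
import shlex

# Attribute description: a name plus optional options such as givenname;lang-fr.
_ATTR = re.compile(r"^[A-Za-z][A-Za-z0-9-]*(;[A-Za-z0-9-]+)*$")


def escape_filter_value(value):
    """Escape an assertion value so the server matches it literally.
    RFC 4515 escapes * ( ) \\ and NUL as a backslash plus two hex digits."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def _attr(name):
    if not _ATTR.match(name):
        raise ValueError("not a valid attribute description: %r" % name)
    return name


def eq(attr, value):
    return "(%s=%s)" % (_attr(attr), escape_filter_value(value))


def starts_with(attr, prefix):
    """Substring filter; the trailing * is the only wildcard that survives."""
    return "(%s=%s*)" % (_attr(attr), escape_filter_value(prefix))


def present(attr):
    return "(%s=*)" % _attr(attr)


def and_(*filters):
    return "(&" + "".join(filters) + ")"


def or_(*filters):
    return "(|" + "".join(filters) + ")"


def not_(filt):                        # NOT takes exactly one filter
    return "(!" + filt + ")"


def unsafe_person_filter(name):
    """The injectable form: raw input dropped into a "cn=%s" pattern."""
    return "(&(objectclass=person)(cn=%s))" % name


def safe_person_filter(name):
    """The same query with the value escaped; a "*" becomes the literal \\2a."""
    return and_(eq("objectclass", "person"), eq("cn", name))


def web_lookup_filter(term):
    """The OR-of-four lookup from the examples further down, built from one escaped term."""
    return and_(eq("objectclass", "person"),
                or_(*(starts_with(a, term) for a in ("cn", "givenname", "sn", "mail"))))


def filter_file_lines(values):
    """Lines for a -f file used with a "cn=%s" pattern. Assumption (not verified
    against the tool): ldapsearch substitutes each line verbatim, so the values
    are escaped before they are written out."""
    return [escape_filter_value(v) for v in values]


def ldapsearch_argv(host, base, filt, attrs=(), port=389):
    """argv for subprocess.run(..., shell=False): the filter is passed as a single
    argument, so no shell quoting is involved."""
    return ["ldapsearch", "-h", host, "-p", str(port), "-b", base,
            "-s", "subtree", filt] + list(attrs)


if __name__ == "__main__":
    evil = "*)(objectclass=*"           # constructed attacker input
    print("unsafe:", unsafe_person_filter(evil))
    print("safe:  ", safe_person_filter(evil))
    print(shlex.join(ldapsearch_argv("ldap.acme.com", "o=acme",
                                     web_lookup_filter("jerry"), ["cn"])))
```

With the constructed input "*)(objectclass=*" the unsafe pattern yields a well-formed filter "(&(objectclass=person)(cn=*)(objectclass=*))" that matches every person in the directory; the escaped version keeps the whole string inside the cn assertion, where it matches nothing.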



Examples of using ldapsearch

The following examples show typical uses of the ldapsearch utility. Unless -p is given, the default port 389 is used.

Search: all entries on host ldap.acme.com, returning all attributes and values
Command: ldapsearch -h ldap.acme.com "objectclass=*"

Search: same as above, but returning attribute names only
Command: ldapsearch -A -h ldap.acme.com "objectclass=*"

Search: all entries on host ldap.acme.com, always dereferencing any aliases found
Command: ldapsearch -a always -h ldap.acme.com "objectclass=*"

Search: all entries on host ldap.acme.com, returning only the mail, cn, sn and givenname attributes
Command: ldapsearch -h ldap.acme.com "objectclass=*" mail cn sn givenname

Search: on host ldap.acme.com, search under "ou=west,o=acme,c=us" for (cn=mike*) and return all attributes and values
Command: ldapsearch -b "ou=west,o=acme,c=us" -h ldap.acme.com "(cn=mike*)"

Search: a one-level search on host ldap.acme.com, returning all attributes and values
Command: ldapsearch -s onelevel -h ldap.acme.com "objectclass=*"

Search: same as above, but with the scope limited to the base entry
Command: ldapsearch -s base -h ldap.acme.com "objectclass=*"

Search: all entries on host ldap.acme.com, returning all attributes and values, with a search time limit of five seconds
Command: ldapsearch -l 5 -h ldap.acme.com "objectclass=*"

Search: all entries on host ldap.acme.com, returning all attributes and values, with a size limit of five entries
Command: ldapsearch -z 5 -h ldap.acme.com "objectclass=*"

Search: all entries on host ldap.acme.com, binding as user "cn=john doe,o=acme" with password "password", returning all attributes and values in LDIF format
Command: ldapsearch -h ldap.acme.com -D "cn=john doe,o=acme" -w password -L "objectclass=*"

Search: on host ldap.acme.com, the entry "cn=john doe,o=acme" itself, returning all attributes that anonymous users are allowed to read
Command: ldapsearch -h ldap.acme.com -s base -b "cn=john doe,o=acme" "objectclass=*"

Search: all entries on another host, bluepages.ibm.com, which listens for LDAP requests on port 391
Command: ldapsearch -h bluepages.ibm.com -p 391 "objectclass=*"

Search: on bluepages.ibm.com, port 391, a subtree search (the default scope) starting at the organization "o=ibm" for person entries in which any of the attributes in the OR filter matches. The time limit is 300 seconds and at most 1000 entries are returned. Only the DN (always returned) and cn are returned; this is a common filter for web applications.
Command: ldapsearch -h bluepages.ibm.com -p 391 -b "o=ibm" -l 300 -z 1000 "(&(objectclass=person)(|(cn=jerry seinfeld*)(givenname=jerry seinfeld*)(sn=jerry seinfeld*)(mail=jerry seinfeld*)))" cn

Search: on bluepages.ibm.com, port 391, a base search of the entry "cn=hr group,ou=asia,o=ibm" with a time limit of 300 seconds, returning all members of that entry. This is another common filter used by web applications to determine group membership.
Command: ldapsearch -h bluepages.ibm.com -p 391 -b "cn=hr group,ou=asia,o=ibm" -s base -l 300 "(objectclass=*)" member
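A web application that runs the group-membership search above usually has to read the result back, and with -L that result is LDIF: one entry per blank-line-separated block, long values folded onto continuation lines that begin with a space, and values that are not safe ASCII base64-encoded after "::". The following added example, not code from the original post or from ldapsearch, parses such output and extracts the member values. The LDIF text is constructed to resemble the output of a group search and is not real directory data.

```python
"""Parse ldapsearch -L (LDIF) output and extract group members (added example)."""
import base64

# Constructed sample. A member DN with a non-ASCII character is built at run
# time so that the "::" base64 form is correct without hand-encoding it.
NON_ASCII_MEMBER = "cn=Zoë Example,ou=asia,o=ibm"

SAMPLE_LDIF = (
    "dn: cn=hr group,ou=asia,o=ibm\n"
    "member: cn=alice example,ou=asia,o=ibm\n"
    "member: cn=bob example,ou=asi\n"
    " a,o=ibm\n"                                    # folded continuation of the line above
    "member:: " + base64.b64encode(NON_ASCII_MEMBER.encode("utf-8")).decode("ascii") + "\n"
    "\n"
    "dn: cn=marketing group,ou=asia,o=ibm\n"
    "member: cn=carol example,ou=asia,o=ibm\n"
)


def unfold(text):
    """Join LDIF continuation lines (those starting with a space) onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Return a list of entries, each a dict {attribute: [values]} with the
    attribute name lower-cased (LDAP attribute names are case-insensitive).
    The entry's DN is kept under the "dn" key."""
    entries, current = [], {}
    for line in unfold(text):
        if line == "":                               # a blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#") or line.startswith("version:"):
            continue
        attr, sep, rest = line.partition(":")
        if not sep or not attr:
            raise ValueError("not an LDIF line: %r" % line)
        if rest.startswith(":"):                     # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        elif rest.startswith("<"):                   # "attr:< file:///..." URL values
            raise ValueError("URL-valued attribute not supported: %s" % attr)
        else:                                        # "attr: value" (exactly one space)
            value = rest[1:] if rest.startswith(" ") else rest
        current.setdefault(attr.lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def group_members(entries, group_dn):
    """Member values of the entry whose DN equals group_dn. The comparison is a
    case-insensitive string compare; a real DN match also normalises spacing
    and attribute types, which this helper does not attempt."""
    for entry in entries:
        if entry.get("dn", [""])[0].lower() == group_dn.lower():
            return entry.get("member", [])
    raise KeyError(group_dn)


if __name__ == "__main__":
    for dn in group_members(parse_ldif(SAMPLE_LDIF), "cn=hr group,ou=asia,o=ibm"):
        print(dn)
```

In practice the text would come from the ldapsearch process's standard output; parsing it this way, rather than splitting on "member:" with a regular expression, is what keeps folded and base64-encoded member DNs from being silently dropped.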



This article is from the "Mr. Koala" blog, please make sure to keep this source http://koala003.blog.51cto.com/9996246/1663662

