The general form of an ldapsearch command is given below.

    ldapsearch \
        [options...] \
        [filter] \
        [attrs...]

Some common options are listed below.
-b BASE
    Start searching at DN BASE. If given, overrides the BASE setting in a configuration file.
-s SCOPE
    Limit the search to SCOPE. If not provided, the default is sub. Values:
    base: limit to the search base entry
    one: limit to the immediate children of the search base entry
    sub: limit to the search base entry and all descendants
    children: limit to the immediate children and all descendants below them; requires the subordinate feature extension
-z SIZELIMIT
    Attempt to limit the number of result entries to SIZELIMIT. Use 0 for unlimited. A server may impose a maximum limit which only the root user can override. If given, overrides the SIZELIMIT setting in a configuration file.
The general form of a simple filter is given below. If no filter is provided, the default filter, ( objectClass=* ), is used. Filters are described in RFC 2254. Syntaxes and matching rules are described in RFC 4517.

    (attribute filterOperator value)

filterOperators are listed below.
String matching may be case-sensitive or case-insensitive, depending on the matching rule for the attribute. In general, value may include one or more asterisk (*) wildcard characters; in an equality match, each asterisk matches zero or more characters. However, wildcards are not permitted in filters on attributes containing distinguished names. For example, the following filter will match any entry with an attribute sn (surname) whose value is any string of characters ending in oe.

    ( sn=*oe )
The characters below cannot be included literally in value. They, and in fact any character, can be included using a backslash followed by the character's two ASCII hexadecimal digits. For example, the sequence NUL()*\ would be represented as \00\28\29\2a\5c.

    NUL (00)
    ( (28)
    ) (29)
    * (2a)
    \ (5c)
Some LDAP products support extensible filters. Microsoft Active Directory supports a limited subset of this functionality. The two general forms of an extensible filter are given below. If an OID of a matchingrule is not provided, then an attribute must be provided and its default equality matching rule is used. If an attribute is not provided, then all attributes in the entry are tested and an OID of a matchingrule must be provided. If :dn is included, then the attributes of an entry's distinguished name are included when testing.

    (attribute [":dn"] [":" matchingrule] ":=" value)
    ([":dn"] ":" matchingrule ":=" value)

Below is a filter that will match entries where the attribute c (country) is in the distinguished name and its value is us (or any variant regardless of case). This match occurs whether or not the entry contains an independent attribute c.

    ( c:dn:=us )
Two or more filters can be combined using one or more of the Boolean operators listed below, with a prefix notation syntax: open parenthesis; Boolean operator; one, two, or more filters as needed; close parenthesis. Some examples are listed below.

    ( & (givenName=John) (sn=Doe) )
        Match if givenName is John and sn is Doe.

    ( | (& (givenName=John) (sn=Doe)) (& (givenName=Richard) (sn=Roe)) )
        Match if givenName is John and sn is Doe, or if givenName is Richard and sn is Roe.
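Putting the escaping rules and the Boolean combinators above into code, as an added example that is not part of the original page: values that may come from untrusted input are escaped before being placed in a filter, filters are combined in prefix notation, and the result is passed to ldapsearch as its own argv entry. The base DN and attribute names are constructed for illustration.

```python
# Added example (not from the original page): build ldapsearch filters and
# arguments from untrusted values, escaping the characters the page lists.
import shlex
from typing import List

# Each special character becomes a backslash plus its two ASCII hex digits.
ESCAPE_MAP = {"\x00": "\\00", "(": "\\28", ")": "\\29", "*": "\\2a", "\\": "\\5c"}


def escape_value(value: str, allow_wildcard: bool = False) -> str:
    """Escape a value for use inside a filter. A literal '*' is kept only
    when allow_wildcard is True, so trusted code can still write (sn=*oe);
    untrusted input keeps the default and has its asterisks escaped."""
    return "".join(
        ch if (ch == "*" and allow_wildcard) else ESCAPE_MAP.get(ch, ch)
        for ch in value
    )


def equality(attribute: str, value: str, allow_wildcard: bool = False) -> str:
    return f"({attribute}={escape_value(value, allow_wildcard)})"


def and_filter(*filters: str) -> str:
    # Prefix notation: open paren, operator, the filters, close paren.
    return "(&" + "".join(filters) + ")"


def or_filter(*filters: str) -> str:
    return "(|" + "".join(filters) + ")"


def person_filter(given_name: str, surname: str) -> str:
    """The page's (&(givenName=John)(sn=Doe)) built from supplied values."""
    return and_filter(equality("givenName", given_name), equality("sn", surname))


def ldapsearch_argv(base: str, filt: str, attrs: List[str],
                    scope: str = "sub", sizelimit: int = 0) -> List[str]:
    """argv for subprocess: the filter is one argument, so no shell quoting
    is involved; -b, -s and -z are the options described above."""
    if scope not in ("base", "one", "sub", "children"):
        raise ValueError(f"unknown scope {scope!r}")
    return ["ldapsearch", "-b", base, "-s", scope, "-z", str(sizelimit), filt, *attrs]


if __name__ == "__main__":
    argv = ldapsearch_argv("dc=example,dc=com",  # constructed base DN
                           person_filter("John", "Doe"), ["*", "+"])
    print(shlex.join(argv))
```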
The final set of arguments to the ldapsearch command is the set of attributes to display for matching entries. The dn (distinguished name) attribute is always displayed. There are two basic types of attributes: user and operational. User attributes are “normal” attributes and are identified by the attribute usage being set to userApplications. Operational attributes are used internally by the server and are identified by the attribute usage being set to directoryOperation, distributedOperation, or dSAOperation. A summary of attribute argument cases is below.

no attributes listed
    Display all user attributes.
'*'
    Display all user attributes.
+
    Display dn and all operational attributes.
'*' +
    Display all user and operational attributes.
ATTR
    Display dn and the user or operational attribute ATTR.
ATTR1 ATTR2
    Display dn and the user or operational attributes ATTR1 and ATTR2. Additional attributes can be requested by simply appending them.