Table 6-3 Commonly-used ldapsearch options

Option  Description

-b      Specifies the starting point for the search. The value specified here must be a distinguished name that currently exists in the database. This option is optional if the LDAP_BASEDN environment variable has been set to a base DN.

        The value specified in this option should be provided in double quotation marks. For example:

            -b "cn=Barbara Jensen, ou=Product Development, dc=example,dc=com"

        The root DSE entry is a special entry that contains a list of all the suffixes supported by the local directory. To search this entry, supply a search base of "", a search scope of base, and a filter of "objectclass=*". For example:

            -b "" -s base "objectclass=*"

-D      Specifies the distinguished name with which to authenticate to the server. This option is optional if anonymous access is supported by the server. If specified, this value must be a DN recognized by the Directory Server, and it must also have the authority to search for the entries. For example:

            -D "uid=bjensen, dc=example,dc=com"

-g      Specifies that the password policy request control not be sent with the bind request. By default, the new LDAP password policy request control is sent with bind requests.

        The ldapsearch tool can parse and display information from the response control if it is returned by a server; that is, the tool prints an appropriate error or warning message when a server sends the password policy response control with the appropriate value.

        The criticality of the request control is set to false so that LDAPv3 servers that do not understand the control can ignore it. To suppress sending of the request control with the bind request, include -g on the command line.

-h      Specifies the host name or IP address of the machine on which the Directory Server is installed. If a host is not specified, ldapsearch uses the local host. For example:

            -h mozilla

-l      Specifies the maximum number of seconds to wait for a search request to complete. For example:

            -l 300

        Regardless of the value specified here, ldapsearch never waits longer than is allowed by the server's nsslapd-timelimit attribute, unless the authenticated user is the Directory Manager. The default value for the nsslapd-timelimit attribute is 3600 seconds. See "nsslapd-timelimit (Time limit)" for more information.

-p      Specifies the TCP port number that the Directory Server uses. For example:

            -p 1049

        The default is 389. If -Z is used, the default is 636.

-s      Specifies the scope of the search. The scope can be one of the following:

        base  Searches only the entry specified in the -b option or defined by the LDAP_BASEDN environment variable.

        one   Searches only the immediate children of the entry specified in the -b option. Only the children are searched; the entry specified in the -b option is not itself searched.

        sub   Searches the entry specified in the -b option and all its descendants; that is, performs a subtree search starting at the point identified in the -b option. This is the default.


-w      Specifies the password associated with the distinguished name that is specified in the -D option. For example:

            -w diner892

        If this option is not specified, anonymous access is used.

        If a hyphen (-) is used as the password value, the utility prompts for the password after the command is entered. This avoids having the password on the command line, where it would otherwise be visible to other users in process listings and recorded in the shell history.
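The root DSE discovery described under -b and the password handling described under -w, combined into one small wrapper. This is an added shell example, not code from the Directory Server manual: the LDIF is a constructed root DSE response, the host mozilla, port 1049 and bind DN uid=bjensen are the table's own sample values, and the ldapsearch command lines are built as strings (using the option spellings from Table 6-3) rather than executed, so the script runs without a server. The helper names root_dse_cmd, naming_contexts, search_cmd and password_on_cmdline are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the Directory Server manual. The LDIF below is a
# constructed root DSE response; host, port and DN values are the table's samples.

# Constructed sample of what
#     ldapsearch -h mozilla -p 1049 -b "" -s base "objectclass=*"
# might return for a root DSE (values invented for this example).
ROOT_DSE_LDIF='dn:
objectClass: top
namingContexts: dc=example,dc=com
namingContexts: o=NetscapeRoot
supportedLDAPVersion: 2
supportedLDAPVersion: 3
'

# Build the root DSE query: empty base, scope base, filter objectclass=*.
root_dse_cmd() {
    host=${1:-localhost}
    port=${2:-389}
    printf 'ldapsearch -h %s -p %s -b "" -s base "objectclass=*"\n' "$host" "$port"
}

# Read an LDIF root DSE entry on stdin and print each suffix the server
# publishes in namingContexts, one per line.
naming_contexts() {
    sed -n 's/^namingContexts: //p'
}

# Build an authenticated subtree search under one suffix. The DNs are
# double-quoted as the manual requires, and "-w -" makes ldapsearch prompt
# for the password instead of taking it as a command-line argument.
search_cmd() {
    suffix=$1
    bind_dn=$2
    host=${3:-localhost}
    port=${4:-389}
    printf 'ldapsearch -h %s -p %s -D "%s" -w - -b "%s" -s sub -l 300 "objectclass=*"\n' \
        "$host" "$port" "$bind_dn" "$suffix"
}

# Return 0 (true) when an ldapsearch argument list carries a literal password
# after -w rather than "-", i.e. a secret that would show up in ps(1) output
# and shell history. A wrapper script can use it to refuse such invocations.
password_on_cmdline() {
    while [ $# -gt 0 ]; do
        case $1 in
            -w)   [ "${2:-}" != "-" ] && return 0
                  shift ;;
            -w-)  ;;                # same as "-w -": prompt, nothing exposed
            -w?*) return 0 ;;       # password glued to the flag, e.g. -wdiner892
        esac
        shift
    done
    return 1
}

# Usage: discover the suffixes, then print one search command per suffix.
# Against a live server the constructed LDIF would be replaced by the output of
#     $(root_dse_cmd mozilla 1049)
printf '%s' "$ROOT_DSE_LDIF" | naming_contexts | while read -r suffix; do
    search_cmd "$suffix" "uid=bjensen, dc=example,dc=com" mozilla 1049
done
```

The root DSE search needs no base DN and usually no bind, which is why it is the first thing both an administrator and an attacker run against an unknown server: it enumerates every suffix the directory holds. The per-suffix commands use `-w -` and never embed the password, and password_on_cmdline gives a wrapper a cheap way to reject a `-w diner892` style invocation before it reaches the process table.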

 

 

6.4 ldapsearch 191