
ldapsearch

Search Lightweight Directory Access Protocol (LDAP) directories

TLDR

Query an LDAP server for all items that are a member of the given group and return the object's displayName value
$ ldapsearch [[-D|--bindDN]] '[admin_DN]' [[-w|--bindPassword]] '[password]' [[-h|--hostname]] [ldap_host] [[-b|--baseDN]] [base_ou] '[memberOf=group1]' displayName

Query an LDAP server with a no-newline password file for all items that are a member of the given group and return the object's displayName value
$ ldapsearch [[-D|--bindDN]] '[admin_DN]' [[-u|--keyStorePasswordFile]] '[password_file]' [[-h|--hostname]] [ldap_host] [[-b|--baseDN]] [base_ou] '[memberOf=group1]' displayName

Return 5 items that match the given filter
$ ldapsearch [[-D|--bindDN]] '[admin_DN]' [[-w|--bindPassword]] '[password]' [[-h|--hostname]] [ldap_host] [[-b|--baseDN]] [base_ou] '[memberOf=group1]' [[-z|--sizeLimit]] 5 displayName

Wait up to 7 seconds for a response
$ ldapsearch [[-D|--bindDN]] '[admin_DN]' [[-w|--bindPassword]] '[password]' [[-h|--hostname]] [ldap_host] [[-b|--baseDN]] [base_ou] '[memberOf=group1]' [[-l|--timeLimitSeconds]] 7 displayName

Invert the filter
$ ldapsearch [[-D|--bindDN]] '[admin_DN]' [[-w|--bindPassword]] '[password]' [[-h|--hostname]] [ldap_host] [[-b|--baseDN]] [base_ou] '(!(memberOf=[group1]))' displayName

Return all items that are part of multiple groups, returning the display name for each item
$ ldapsearch [[-D|--bindDN]] '[admin_DN]' [[-w|--bindPassword]] '[password]' [[-h|--hostname]] [ldap_host] '(&([memberOf=group1])([memberOf=group2])([memberOf=group3]))' displayName

Return all items that are members of at least 1 of the specified groups
$ ldapsearch [[-D|--bindDN]] '[admin_DN]' [[-w|--bindPassword]] '[password]' [[-h|--hostname]] [ldap_host] '(|([memberOf=group1])([memberOf=group2])([memberOf=group3]))' displayName

Combine multiple boolean logic filters
$ ldapsearch [[-D|--bindDN]] '[admin_DN]' [[-w|--bindPassword]] '[password]' [[-h|--hostname]] [ldap_host] '(&([memberOf=group1])([memberOf=group2])(!([memberOf=group3])))' displayName

SYNOPSIS

ldapsearch [OPTIONS] [FILTER] [ATTRIBUTES...]

Common invocation examples:
ldapsearch -x -H ldap://localhost:389 -b "dc=example,dc=com" "(uid=john.doe)" givenName sn mail
ldapsearch -x -D "cn=admin,dc=example,dc=com" -w secret -b "ou=users,dc=example,dc=com" -s sub "(objectClass=person)"

PARAMETERS

-x
    Use simple authentication (password provided via -w or prompt).

-D
    Specify the Distinguished Name (DN) to bind as for authentication.

-w
    Specify the password for simple authentication. (Caution: May expose password in command history).

-H
    Specify the LDAP URI (e.g., ldap://host:port/ or ldaps://host:port/) of the LDAP server.

-b
    Specify the base DN for the search operation. The search will start from this point in the directory tree.

-s
    Specify the search scope: base (only the base DN itself), one (direct children of base DN), sub (subtree starting from base DN), or subord (subtree excluding base DN).

-f
    Read the search filter from the specified file.

-L / -LL / -LLL
    Output entries in LDIF format. -L restricts output to LDIFv1; -LL additionally suppresses comments; -LLL additionally suppresses the LDIF version line, leaving machine-readable output suitable for scripts.

-A
    Retrieve attribute names only (no attribute values).

-z
    Set the maximum number of entries to return (size limit).

-l
    Set the maximum time (in seconds) the server should spend performing the search (time limit).

-V
    Specify the LDAP protocol version to use (e.g., 2 or 3).

DESCRIPTION

ldapsearch is a powerful command-line utility used to query information from LDAP (Lightweight Directory Access Protocol) directory servers. As a client program, it allows users to specify search criteria, including the base DN (Distinguished Name) from which to start the search, the scope of the search (e.g., base object, one-level, subtree), and a filter to narrow down results based on attributes and values. Users can also specify which attributes they wish to retrieve for matching entries. ldapsearch is an essential tool for system administrators managing LDAP-based authentication systems like OpenLDAP or Active Directory, developers interacting with directory services, and for general troubleshooting. It is part of the OpenLDAP software suite, supporting various authentication methods (like simple bind or SASL) and protocol versions. The output is typically in LDIF (LDAP Data Interchange Format), making it easily parsable and suitable for scripting. It offers extensive options for controlling the search operation, connection details, and output formatting.
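Because ldapsearch prints LDIF, scripts usually parse that output rather than screen-scrape it. The following parser is an added example (not from this page or from OpenLDAP) that handles the three LDIF details scripts commonly get wrong: folded continuation lines, base64 values written with "::", and multi-valued attributes; the sample LDIF is constructed to look like -LLL output and is not real directory data.

```python
"""Parse ldapsearch -LLL output (LDIF) into Python dicts.

Added example, not from the page or OpenLDAP. It handles folded
continuation lines, base64 values ("attr:: ...") and multi-valued
attributes. SAMPLE_LDIF is constructed, not real directory data.
"""
import base64
import re
from typing import Dict, List

SAMPLE_LDIF = """\
dn: uid=jdoe,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: person
cn: John Doe
description: A long description that ldapsearch folded onto
  the next line
displayName:: Sm9obiBEb2U=

dn: uid=asmith,ou=people,dc=example,dc=com
cn: Alice Smith
"""

# attribute description, ":" (plain) or "::" (base64), optional spaces, value
_LINE_RE = re.compile(r"^([A-Za-z0-9.;-]+)(::?) *(.*)$")

def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Return one dict per entry, mapping each attribute to its list of values."""
    # A newline followed by one space is LDIF line folding: join such lines first.
    unfolded = re.sub(r"\n ", "", text)
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in unfolded.splitlines() + [""]:  # sentinel flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#") or line.startswith("version:"):
            continue  # comments / version line show up with -L and -LL, not -LLL
        match = _LINE_RE.match(line)
        if match is None:
            raise ValueError(f"malformed LDIF line: {line!r}")
        name, sep, value = match.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8")
        current.setdefault(name, []).append(value)
    return entries
```

Feed it the text captured from `ldapsearch -x -LLL ...`; each returned dict keeps the entry's dn under the "dn" key.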

CAVEATS

Password Exposure: Using -w on the command line is generally discouraged as the password may be exposed in shell history or process listings. Prefer using a password prompt or environment variables (e.g., LDAP_SASL_PASSWD) when possible.
Resource Consumption: Performing broad subtree searches (-s sub) with loose filters on large directories can be very resource-intensive for the LDAP server and lead to performance issues.
Connection Issues: Ensure correct hostname/IP, port, and network connectivity. Firewall rules often block default LDAP ports (389 for unencrypted, 636 for LDAPS).

COMMON USAGE EXAMPLES

Search for a specific user by UID anonymously:
ldapsearch -x -H ldap://ldap.example.com -b "dc=example,dc=com" "(uid=jdoe)"

List all common names (cn) of all people in an organizational unit:
ldapsearch -x -H ldap://ldap.example.com -b "ou=people,dc=example,dc=com" -s sub "(objectClass=person)" cn

Perform an anonymous search and get only attribute names:
ldapsearch -x -H ldap://localhost -b "dc=example,dc=com" "(objectClass=*)" -A

SEARCH FILTER SYNTAX

LDAP search filters are enclosed in parentheses (). Assertions are combined with logical operators written in prefix notation, each applied to the parenthesised filters that follow it:
& (AND)
| (OR)
! (NOT)
The operators are combined with attribute-value comparisons.

Examples:
(objectClass=person): Matches entries with objectClass "person".
(cn=John Doe): Matches entries where common name is "John Doe".
(mail=jdoe*): Matches entries where mail starts with "jdoe" (wildcard *).
(&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))): A complex filter combining AND, NOT, and OID-based matching for disabled accounts in Active Directory.
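The &, | and ! filters shown in the TLDR examples and in this section are easy to assemble by string concatenation, which is also how filter injection happens when a value comes from user input. The following Python is an added example (not from this page or from OpenLDAP) that composes those group-membership filters while hex-escaping every value as RFC 4515 requires, so a value such as "*)(objectClass=*" is matched literally instead of rewriting the filter; the memberOf attribute and the group values used in testing are assumptions for illustration.

```python
"""Compose RFC 4515 search filters with escaped values.

Added example, not from the page: builds the &, | and ! filters from the
TLDR and filter-syntax sections, hex-escaping each caller-supplied value
(RFC 4515 section 3). Group names in the tests are constructed samples.
"""
from typing import Iterable, List

# Metacharacters that must be hex-escaped inside an assertion value.
_ESCAPE = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_value(value: str) -> str:
    """Escape a literal value for use inside a filter assertion."""
    return "".join(_ESCAPE.get(ch, ch) for ch in value)

def eq(attr: str, value: str) -> str:
    return f"({attr}={escape_value(value)})"

def prefix(attr: str, value: str) -> str:
    """Like (mail=jdoe*): the trailing '*' is the only wildcard, the prefix is literal."""
    return f"({attr}={escape_value(value)}*)"

def and_(*filters: str) -> str:
    return "(&" + "".join(filters) + ")"

def or_(*filters: str) -> str:
    return "(|" + "".join(filters) + ")"

def not_(filt: str) -> str:
    return f"(!{filt})"

def membership_filter(required: Iterable[str] = (), any_of: Iterable[str] = (),
                      excluded: Iterable[str] = ()) -> str:
    """Members of all `required` groups, of at least one `any_of`, and of no `excluded`."""
    parts: List[str] = [eq("memberOf", g) for g in required]
    any_of = list(any_of)
    if any_of:
        parts.append(or_(*(eq("memberOf", g) for g in any_of)))
    parts.extend(not_(eq("memberOf", g)) for g in excluded)
    if not parts:
        raise ValueError("at least one group is required")
    return parts[0] if len(parts) == 1 else and_(*parts)
```

Pass the returned string to ldapsearch as a single argument (for example as one element of a subprocess argument list) so the shell never re-interprets it.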

HISTORY

ldapsearch is a core utility that emerged with the development of the LDAP protocol itself. It is a fundamental component of the OpenLDAP project, which provides a free and open-source implementation of the LDAP protocol. Since its inception, OpenLDAP and its associated client utilities like ldapsearch have been widely adopted for directory service deployments across various operating systems. The command's functionality has evolved to support new features and extensions introduced in subsequent LDAP protocol versions (from LDAPv2 to the more widely used LDAPv3), ensuring its continued relevance and capability in modern directory environments. Its design emphasizes simplicity and scriptability, making it a staple for both interactive queries and automated tasks.

SEE ALSO

ldapadd(1), ldapmodify(1), ldapdelete(1), ldappasswd(1), ldapwhoami(1), slapd(8), ldif(5)
