ldapsearch
Search Lightweight Directory Access Protocol (LDAP) directories
TLDR
Query an LDAP server for all items that are a member of the given group and return the object's displayName value
Query an LDAP server with a no-newline password file for all items that are a member of the given group and return the object's displayName value
Return 5 items that match the given filter
Wait up to 7 seconds for a response
Invert the filter
Return all items that are part of multiple groups, returning the display name for each item
Return all items that are members of at least 1 of the specified groups
Combine multiple boolean logic filters
SYNOPSIS
ldapsearch [-V] [-d debuglevel] [-f filterfile] [-F customfilter] [-s {base|one|sub|children}] [-x] [-D binddn] [-w passwd] [-H ldapuri] [filter] [attrs...] [basedn]
PARAMETERS
-H ldapuri
Specify LDAP server URI (e.g., ldap://server:389 or ldaps://server:636)
-x
Use simple authentication instead of SASL
-D binddn
Bind DN for authentication
-w passwd
Bind password (visible in process list; insecure)
-W
Prompt for bind password securely
-y passwdfile
Read password from file
-Y mech
SASL mechanism (e.g., GSSAPI)
-b basedn
Base DN for search
-s {base|one|sub|children}
Search scope: base object, one level, subtree, or children
-f filterfile
Read multiple filters from file
-F customfilter
Named filter from server
-a {never|always|search|find|join}
Alias dereferencing behavior
-z sizelimit
Maximum number of entries to retrieve (0=unlimited)
-Z
Start TLS (if not ldaps://)
-L
LDIF output format
-LL
Omit LDIF comments
-LLL
Omit LDIF comments and wrap/no CRLF
-o ldif-wrap={no|width}
Control LDIF line wrapping
-P version
Protocol version (2 or 3; default 3)
-d debuglevel
Set LDAP debugging level (0-65535)
-r
Do not chase referrals
-u
Show UTF8 output
-E [!]ext[=extparam]
Pre-search extensions
-J [:criticality:]option[[:]value]
Control extensions
-o option[=value]
Generic options (e.g., nettimeout)
DESCRIPTION
ldapsearch is a powerful command-line utility from the OpenLDAP suite used to issue search requests to LDAP (Lightweight Directory Access Protocol) directories. It allows users to query directory servers for entries matching specified criteria, retrieving attributes such as distinguished names (DNs), common names, emails, and more.
LDAP is a protocol for accessing and maintaining distributed directory information services, commonly used for user authentication, authorization, and centralized identity management in enterprise environments. ldapsearch supports both simple and SASL authentication, various search scopes (base, one-level, subtree), filters in LDAP syntax, and output in human-readable or LDIF (LDAP Data Interchange Format) formats.
Typical usage involves specifying a base DN, a search filter (e.g., (uid=jdoe)), and desired attributes. It's invaluable for administrators scripting directory lookups, testing LDAP configurations, or integrating with other tools. Security features include TLS support via ldaps:// URIs and password prompting to avoid plaintext exposure. While versatile, it requires knowledge of LDAP schema and careful handling of credentials.
CAVEATS
Password via -w is visible in ps(1); use -W or -y. Requires OpenLDAP libraries. Large queries may time out or hit size limits. Filters must follow LDAP syntax or fail silently.
COMMON FILTER EXAMPLES
(objectClass=person) all persons
(&(uid=*doe*)(objectClass=posixAccount)) accounts matching pattern
(|(cn=Admin*)(cn=Manager*)) OR condition
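The filters above are built from a few fixed forms: a single attr=value item, a substring pattern with * wildcards, and &, | and ! nodes wrapping other filters. The helpers below are an added example (not OpenLDAP code and not from this page); escape_filter_value, eq, substring, combine and is_well_formed are names chosen here. Values that come from users (a login name, a group name) are escaped per RFC 4515 so they cannot change the filter's structure, and is_well_formed rejects filters that would not parse as a single well-formed filter.

```python
import re
# RFC 4515 section 3: metacharacters that must be escaped inside an assertion value
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value so it is matched literally, never as syntax."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def eq(attr: str, value: str) -> str:
    """(attr=value) with the value escaped; wildcards only via substring()."""
    return f"({attr}={escape_filter_value(value)})"

def substring(attr: str, *parts: str) -> str:
    """(attr=p1*p2*...): only the joining stars are wildcards, so
    substring("uid", "", "doe", "") gives (uid=*doe*)."""
    return f"({attr}={'*'.join(escape_filter_value(p) for p in parts)})"

def combine(op: str, *filters: str) -> str:
    """(&...) / (|...) / (!...) nodes; op is one of "&", "|", "!"."""
    return f"({op}{''.join(filters)})"

def is_well_formed(f: str) -> bool:
    """Strict RFC 4515 structural check: one parenthesised filter, balanced nesting,
    a valid attr=value or &/|/! node at every level (names not checked against schema)."""
    pos = 0
    def parse() -> None:
        nonlocal pos
        if f[pos] != "(":
            raise ValueError("expected '('")
        pos += 1
        if f[pos] in "&|":           # filterlist; an empty list is RFC 4526 true/false
            pos += 1
            while f[pos] == "(":
                parse()
        elif f[pos] == "!":
            pos += 1
            parse()
        else:                        # simple item; an escaped value cannot contain ')'
            end = f.find(")", pos)
            if end < 0 or not re.fullmatch(r"[A-Za-z][\w.;-]*(~=|>=|<=|=)[^()]*", f[pos:end]):
                raise ValueError("bad item")
            pos = end
        if f[pos] != ")":
            raise ValueError("expected ')'")
        pos += 1
    try:
        parse()
    except (ValueError, IndexError):  # IndexError: the filter ended early
        return False
    return pos == len(f)
```

Note that ldapsearch itself also tolerates a single bare item such as cn=* without parentheses (as in the TYPICAL USAGE section); is_well_formed deliberately insists on the fully parenthesised form.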
TYPICAL USAGE
ldapsearch -x -H ldap://server -b 'dc=example,dc=com' '(uid=jdoe)'
ldapsearch -LLL -x -W -H ldaps://server -b 'ou=users,dc=com' 'cn=*' cn mail
HISTORY
Developed as part of OpenLDAP 1.0 (1998), based on University of Michigan LDAP implementation. Current versions follow RFC 4510-4519 standards, with major enhancements in OpenLDAP 2.x (2000s) for SASL/TLS and paged results.
SEE ALSO
ldapadd(1), ldapdelete(1), ldapmodify(1), ldapmodrdn(1), ldappasswd(1), slapd(8)