Perform LDAP search operations in the Identity Broker.
This tool can search the directory for a single entry or multiple entries in a particular subtree. A filter can be used to restrict the entries returned.
At least one search filter must be specified for all searches. The --filename option can be used to include multiple filters. If multiple filters are specified, all trailing arguments are considered to be attributes.
Attribute names can be specified as space-separated trailing arguments to restrict the information that is returned for each entry. If no attributes are specified, all non-operational attributes are returned. If operational attributes are desired in the result, they must be named explicitly among the trailing arguments, or requested with a '+', which results in all operational attributes being returned.
ldapsearch --bindDN uid=admin,dc=example,dc=com --bindPassword password \
  --baseDN uid=jdoe,ou=People,dc=example,dc=com --searchScope base \
  '(objectclass=*)'

ldapsearch --bindDN uid=admin,dc=example,dc=com --bindPassword password \
  --baseDN ou=People,dc=example,dc=com --searchScope sub "(uid=jdoe)"

ldapsearch --bindDN uid=admin,dc=example,dc=com --bindPassword password \
  --baseDN ou=People,dc=example,dc=com --searchScope one '(objectclass=*)' \
  sn givenName "+"

ldapsearch --bindDN uid=admin,dc=example,dc=com --bindPassword password \
  --baseDN ou=People,dc=example,dc=com --searchScope sub \
  --sortOrder sn,-givenName '(objectclass=*)'

ldapsearch --bindDN uid=admin,dc=example,dc=com --bindPassword password \
  --baseDN ou=People,dc=example,dc=com --searchScope sub --sizeLimit 200 \
  --timeLimit 5 "(&(sn<=Doe)(employeeNumber<=1000))" ds-entry-unique-id \
  entryUUID
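
An added example, not taken from the product documentation: a shell wrapper around two options from the table below, --bindPasswordFile (so the password is not exposed in the process list or shell history, as it is with --bindPassword) and --filename (with each value escaped per RFC 4515 before it is written as one filter per line). The function names and sample values are hypothetical, and search_uids assumes a reachable server and a password file readable only by its owner.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of the product.

# Escape a value for an LDAP filter assertion (RFC 4515). Empty values and
# control characters are rejected: --filename takes one filter per line, so
# an embedded newline would otherwise begin a second filter.
ldap_escape() {
  [ -n "$1" ] || return 1
  clean=$(printf '%s' "$1" | LC_ALL=C tr -d '[:cntrl:]')
  [ "$clean" = "$1" ] || return 1
  # Backslash goes first so the escapes added afterwards are left alone.
  printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                         -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Write one "(uid=<value>)" filter per line to $1, owner-readable only.
write_filter_file() {
  out=$1; shift
  rm -f "$out"
  ( umask 077; : > "$out" ) || return 1
  for v in "$@"; do
    esc=$(ldap_escape "$v") || { rm -f "$out"; return 1; }
    printf '(uid=%s)\n' "$esc" >> "$out"
  done
}

# Search with the bind password read from a file ($1) instead of the
# --bindPassword argument, and the filters read from $2. Trailing arguments
# are attribute names. Defined here but not called: it needs a live server.
search_uids() {
  ldapsearch --bindDN uid=admin,dc=example,dc=com --bindPasswordFile "$1" \
    --baseDN ou=People,dc=example,dc=com --searchScope sub \
    --sizeLimit 200 --timeLimit 5 --filename "$2" sn givenName
}

# Constructed sample values; the second contains filter metacharacters.
demo() {
  dir=$(mktemp -d) || return 1
  write_filter_file "$dir/filters.txt" 'jdoe' 'smith (contractor)*' &&
    cat "$dir/filters.txt"
  rm -rf "$dir"
}
demo
```

When the connection leaves the local host, combine this with the SSL or StartTLS option and --trustStorePath from the table so the bind password is not sent in clear text.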
Description | Display general usage information |
Description | Display help for using LDAP options |
Description | Display help for using SASL options |
Description | Display help for using debug options |
Advanced | Yes |
--propertiesFilePath {propertiesFilePath}
Description | Path to the file that contains default property values used for command-line arguments |
Required | No |
Multi-Valued | No |
Description | Specify that no properties file will be used to get default command-line argument values |
Description | Use script-friendly mode |
-h {host}
--hostname {host}
Description | Identity Broker hostname or IP address |
Default Value | localhost |
Required | No |
Multi-Valued | No |
-p {port}
--port {port}
Description | Identity Broker port number |
Default Value | 389 |
Required | No |
Multi-Valued | No |
Description | Use SSL for secure communication with the server |
Description | Use StartTLS to secure communication with the server |
-D {bindDN}
--bindDN {bindDN}
Description | DN used to bind to the server |
Required | No |
Multi-Valued | No |
-w {bindPassword}
--bindPassword {bindPassword}
Description | Password used to bind to the server |
Required | No |
Multi-Valued | No |
-j {bindPasswordFile}
--bindPasswordFile {bindPasswordFile}
Description | Bind password file |
Required | No |
Multi-Valued | No |
-b {baseDN}
--baseDN {baseDN}
Description | Search base DN |
Required | Yes |
Multi-Valued | No |
-s {searchScope}
--searchScope {searchScope}
Description | Search scope ('base', 'one', 'sub', or 'subordinate') |
Required | No |
Multi-Valued | No |
-f {file}
--filename {file}
Description | File containing a list of search filter strings, with one filter string per line |
Required | No |
Multi-Valued | No |
Description | Use the SASL EXTERNAL authentication mechanism |
-o {name=value}
--saslOption {name=value}
Description | SASL bind options |
Required | No |
Multi-Valued | Yes |
Description | Trust all server SSL certificates |
-K {keyStorePath}
--keyStorePath {keyStorePath}
Description | Certificate key store path |
Required | No |
Multi-Valued | No |
-W {keyStorePassword}
--keyStorePassword {keyStorePassword}
Description | Certificate key store PIN |
Required | No |
Multi-Valued | No |
-u {keyStorePasswordFile}
--keyStorePasswordFile {keyStorePasswordFile}
Description | Certificate key store PIN file |
Required | No |
Multi-Valued | No |
-N {nickname}
--certNickname {nickname}
Description | Nickname of the certificate for SSL client authentication |
Required | No |
Multi-Valued | No |
-P {trustStorePath}
--trustStorePath {trustStorePath}
Description | Certificate trust store path |
Required | No |
Multi-Valued | No |
-Y {authzID}
--proxyAs {authzID}
Description | Use the proxied authorization control to request operations be processed using a given authorization ID instead of the identity associated with the connection (see RFC 4370) |
Required | No |
Multi-Valued | No |
Description | Use the authorization identity control |
Description | Use the password policy request control |
-C ps[:changetype[:changesonly[:entrychgcontrols]]]
--persistentSearch ps[:changetype[:changesonly[:entrychgcontrols]]]
Description | Use the persistent search control to define a channel through which entry changes can be communicated (see draft-ietf-ldapext-psearch). The changetype specification can be a comma-separated list of the values 'add', 'delete', 'modify', 'modifydn', or it can be the value 'any' to register for all change types. The changesonly specification can be 1 to only return matching entries that have changed since the beginning of the search, or 0 to also include existing entries that match the search criteria. The entrychgcontrols specification can be 1 to request that the entry change notification control be included in updated entries, or 0 to exclude the control from matching entries. The option value 'ps' is equivalent to 'ps:any:1:1' |
Required | No |
Multi-Valued | No |
--simplePageSize {numEntries}
Description | Use the simple paged results control with the given page size |
Lower Bound | 1 |
Default Value | 1000 |
Required | No |
Multi-Valued | No |
--assertionFilter {filter}
Description | Use the LDAP assertion control with the provided filter to specify a condition that must be true for the operation to be processed normally (see RFC 4528) |
Required | No |
Multi-Valued | No |
--matchedValuesFilter {filter}
Description | Use the LDAP matched values control with the provided filter |
Required | No |
Multi-Valued | Yes |
-S {sortOrder}
--sortOrder {sortOrder}
Description | Sort the results using the provided sort order. The order consists of a comma-separated list of tokens defined as [+/-]attribute[:matchingRule], where the optional plus or minus sign is used to indicate ascending (+) or descending (-) order |
Required | No |
Multi-Valued | No |
-G {before:after:index:count | before:after:value}
--virtualListView {before:after:index:count | before:after:value}
Description | Use the virtual list view control to retrieve the specified results page |
Required | No |
Multi-Valued | No |
-J {controloid[:criticality[:value|::b64value|:
--control {controloid[:criticality[:value|::b64value|:
Description | Use a request control with the provided information. For certain controls that do not require a value, you may provide a user-friendly name instead of the numeric OID for the control. Supported names include: authorization-identity, get-effective-rights, hard-delete, ignore-no-user-modification, manage-dsa-it, no-op, password-policy, permissive-modify, purge-password, real-attributes-only, replication-repair, retire-password, return-conflict-entries, soft-delete, soft-deleted-entry-access, subtree-delete, undelete and virtual-attributes-only. Note that not all types of controls apply to all types of operations |
Required | No |
Multi-Valued | Yes |
-g {authzID}
--getEffectiveRightsAuthzid {authzID}
Description | Use the get effective rights control with the provided authorization ID |
Required | No |
Multi-Valued | No |
-e {attribute}
--getEffectiveRightsAttribute {attribute}
Description | Specify the attribute list of the get effective rights control |
Required | No |
Multi-Valued | Yes |
Description | Display Identity Broker version information |
-V {version}
--ldapVersion {version}
Description | LDAP protocol version number |
Default Value | 3 |
Required | No |
Multi-Valued | No |
-i {encoding}
--encoding {encoding}
Description | Use the specified character set for command-line input |
Required | No |
Multi-Valued | No |
-a {dereferencePolicy}
--dereferencePolicy {dereferencePolicy}
Description | Specify the alias dereference policy ('never', 'always', 'search', or 'find') |
Required | No |
Multi-Valued | No |
Description | Only retrieve attribute names but not their values |
-z {sizeLimit}
--sizeLimit {sizeLimit}
Description | Maximum number of entries to return from the search |
Default Value | 0 |
Required | No |
Multi-Valued | No |
-l {timeLimit}
--timeLimit {timeLimit}
Description | Maximum length of time in seconds to allow for the search |
Default Value | 0 |
Required | No |
Multi-Valued | No |
Description | Do not wrap long lines |
Description | Count the number of entries returned by the server |
Description | Continue processing even if there are errors |
Description | Show what would be done but do not perform any operation |
Description | Attempt to use an administrative session to have operations processed on a dedicated pool of worker threads. This may be useful when trying to diagnose problems in a server that is unresponsive because all normal worker threads are busy processing other requests |
--includeSoftDeletedEntries {with-non-deleted-entries | without-non-deleted-entries | deleted-entries-in-undeleted-form}
Description | Soft delete search options: "with-non-deleted-entries" returns all entries matching the search criteria with the results including non-deleted entries and soft-deleted entries, "without-non-deleted-entries" returns only soft-deleted entries matching the search criteria, "deleted-entries-in-undeleted-form" returns only soft-deleted entries matching the search criteria with the results returned in their undeleted entry form |
Allowed Values | deleted-entries-in-undeleted-form, with-non-deleted-entries, without-non-deleted-entries |
Default Value | with-non-deleted-entries |
Required | No |
Multi-Valued | No |
Description | Use verbose mode |