ldapsearch


Description

Process one or more searches in an LDAP directory server.

The criteria for the search request can be specified in a number of different ways, including providing all of the details directly via command-line arguments, providing all of the arguments except the filter via command-line arguments and specifying a file that holds the filters to use, or specifying a file that includes a set of LDAP URLs with the base DN, scope, filter, and attributes to return.

See the examples below for a number of sample command lines for this tool.

Examples

Establishes an unencrypted LDAP connection to directory.example.com:389, performs a simple bind to authenticate as user 'uid=jdoe,ou=People,dc=example,dc=com', and issues a search request to retrieve the givenName, sn, and mail attributes for the user with uid 'jqpublic' below dc=example,dc=com. The search results will be written to standard output.

ldapsearch --hostname directory.example.com --port 389 \
     --bindDN uid=jdoe,ou=People,dc=example,dc=com --bindPassword password \
     --baseDN ou=People,dc=example,dc=com --scope sub "(uid=jqpublic)" \
     givenName sn mail

Establishes an SSL-encrypted LDAP connection to directory.example.com:636, interactively prompting the user about whether to trust the certificate presented by the directory server. The tool will then bind with the SASL PLAIN mechanism using an authentication ID of 'u:jdoe' and a password read from a file. It will then issue a search request for each filter in a given file, writing the results for each search into a separate output file.

ldapsearch --hostname directory.example.com --port 636 --useSSL \
     --saslOption mech=PLAIN --saslOption authID=u:jdoe \
     --bindPasswordFile /path/to/password/file \
     --baseDN ou=People,dc=example,dc=com --scope sub \
     --filterFile /path/to/filter/file --outputFile /path/to/base/output/file \
     --separateOutputFilePerSearch --requestedAttribute '*' \
     --requestedAttribute "+"

Establishes an LDAP connection to directory.example.com:389 that is secured with the StartTLS extended operation, using the information in the provided trust store file to determine whether to trust the certificate presented by the directory server. It will then issue an unauthenticated search to retrieve all user and operational attributes from the server's root DSE. The output will be written to a specified output file as well as displayed on standard output.

ldapsearch --hostname directory.example.com --port 389 --useStartTLS \
     --trustStorePath /path/to/truststore/file --baseDN "" --scope base \
     --outputFile /path/to/output/file \
     --teeResultsToStandardOut '(objectClass=*)' '*' "+"

Issues a search request to retrieve all entries at or below 'dc=example,dc=com', using the simple paged results control to retrieve up to 100 entries at a time. The search will use an unencrypted LDAP connection, and the tool will interactively prompt the user for the password to use when performing simple authentication.

ldapsearch --hostname directory.example.com --port 389 \
     --bindDN uid=admin,dc=example,dc=com --baseDN dc=example,dc=com \
     --scope sub --outputFile /path/to/output/file --simplePageSize 100 \
     '(objectClass=*)' '*' "+"

Issues a search request to retrieve a special entry that provides details about the server's use of indexes to determine the candidate set of potential matching entries. This feature is only supported in the UnboundID/Ping Identity Directory Server, and the user must have access control rights to retrieve the 'cn=debugsearch' entry and the 'debugsearchindex' operational attribute.

ldapsearch --hostname directory.example.com --port 389 \
     --bindDN uid=admin,dc=example,dc=com --baseDN dc=example,dc=com \
     --scope sub "(&(givenName=John)(sn=Doe))" debugsearchindex

For examples and help with LDAP options, see LDAP Option Help. For help with SASL authentication, see SASL Option Help.
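
The examples above differ mainly in how the connection is protected and how the bind password is supplied. The shell function below is an added example, not part of the tool or its documentation: it checks an ldapsearch argument list for those choices using the option names listed under Arguments. The function names and finding labels are made up for this example, and reporting a missing --verifyCertificateHostnames assumes hostname checking is off unless that option is given.

```shell
#!/bin/sh
# Added example: static audit of one ldapsearch argument list.
# Option names come from the argument reference on this page; the finding
# labels (CLEARTEXT_BIND, ...) are invented for this example.
# Limitation: an option value that is itself spelled like one of the audited
# options (other than the values skipped below) would be misread.

# Print "yes" if group or other has any permission bit on the file.
secret_file_is_exposed() {
    # ls -ld prints e.g. "-rw-r--r--"; characters 5-10 are the group+other bits.
    perms=$(ls -ld -- "$1" 2>/dev/null | cut -c5-10)
    if [ -n "$perms" ] && [ "$perms" != "------" ]; then
        echo yes
    else
        echo no
    fi
}

# Usage: audit_ldapsearch_args <arguments you would pass to ldapsearch>
# Prints one finding per line; prints nothing when no rule matches.
audit_ldapsearch_args() {
    tls=no; trust_all=no; verify_host=no; inline_pw=no; pw_bind=no

    while [ "$#" -gt 0 ]; do
        opt=$1
        shift
        case "$opt" in
            -Z|--useSSL|-q|--useStartTLS) tls=yes ;;
            -X|--trustAll) trust_all=yes ;;
            --verifyCertificateHostnames) verify_host=yes ;;
            -w|--bindPassword|-W|--keyStorePassword|--trustStorePassword)
                inline_pw=yes
                if [ "$#" -gt 0 ]; then shift; fi ;;   # skip the secret itself
            -D|--bindDN)
                pw_bind=yes                            # simple bind
                if [ "$#" -gt 0 ]; then shift; fi ;;
            -o|--saslOption)
                if [ "$#" -gt 0 ]; then
                    # SASL PLAIN carries the password as-is, like a simple bind.
                    case "$1" in mech=[Pp][Ll][Aa][Ii][Nn]) pw_bind=yes ;; esac
                    shift
                fi ;;
            -j|--bindPasswordFile|-u|--keyStorePasswordFile|-U|--trustStorePasswordFile|--encryptionPassphraseFile)
                if [ "$#" -gt 0 ]; then
                    if [ "$(secret_file_is_exposed "$1")" = yes ]; then
                        echo "SECRET_FILE_MODE: $1 is accessible to group or other"
                    fi
                    shift
                fi ;;
        esac
    done

    if [ "$pw_bind" = yes ] && [ "$tls" = no ]; then
        echo "CLEARTEXT_BIND: simple or SASL PLAIN bind without --useSSL or --useStartTLS"
    fi
    if [ "$inline_pw" = yes ]; then
        echo "PASSWORD_ON_ARGV: password is visible in the process list and shell history"
    fi
    if [ "$trust_all" = yes ]; then
        echo "TRUST_ALL: --trustAll accepts any certificate the server presents"
    fi
    if [ "$tls" = yes ] && [ "$verify_host" = no ]; then
        echo "NO_HOSTNAME_CHECK: TLS is used without --verifyCertificateHostnames"
    fi
    return 0
}

# Demonstration on the first example command from this page.
audit_ldapsearch_args --hostname directory.example.com --port 389 \
    --bindDN uid=jdoe,ou=People,dc=example,dc=com --bindPassword password \
    --baseDN ou=People,dc=example,dc=com --scope sub "(uid=jqpublic)" \
    givenName sn mail
```

An argument list that combines --useStartTLS or --useSSL, a trust store, --verifyCertificateHostnames and a password file readable only by its owner produces no findings.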

Arguments

-H
--help

Description Display general usage information

--help-ldap

Description Display help for using LDAP options

--help-sasl

Description Display help for using SASL options

--help-debug

Description Display help for using debug options
Advanced Yes

-h {host}
--hostname {host}

Description The IP address or resolvable name to use to connect to the directory server. If this is not provided, then a default value of 'localhost' will be used.
Default Value localhost
Required Yes
Multi-Valued Yes

-p {port}
--port {port}

Description The port to use to connect to the directory server. If this is not provided, then a default value of 389 will be used.
Default Value 389
Required Yes
Multi-Valued No

-D {dn}
--bindDN {dn}

Description The DN to use to bind to the directory server when performing simple authentication.
Required No
Multi-Valued No

-w {password}
--bindPassword {password}

Description The password to use to bind to the directory server when performing simple authentication or a password-based SASL mechanism.
Required No
Multi-Valued No

-j {path}
--bindPasswordFile {path}

Description The path to the file containing the password to use to bind to the directory server when performing simple authentication or a password-based SASL mechanism.
Required No
Multi-Valued No

--promptForBindPassword

Description Indicates that the tool should interactively prompt the user for the bind password.

-Z
--useSSL

Description Use SSL when communicating with the directory server.

-q
--useStartTLS

Description Use StartTLS when communicating with the directory server.

--defaultTrust

Description Use the JVM's default trust store, the server's default trust store, the server's topology registry, and optionally an additional trust store specified using the --trustStorePath argument to non-interactively determine whether to trust any certificate chain presented during TLS negotiation. If the chain cannot be trusted based on any of those sources, then negotiation will fail without prompting about whether to trust it.

-X
--trustAll

Description Trust any certificate presented by the directory server.

-K {path}
--keyStorePath {path}

Description The path to the file to use as the key store for obtaining client certificates when communicating securely with the directory server.
Required No
Multi-Valued No

-W {password}
--keyStorePassword {password}

Description The password to use to access the key store contents.
Required No
Multi-Valued No

-u {path}
--keyStorePasswordFile {path}

Description The path to the file containing the password to use to access the key store contents.
Required No
Multi-Valued No

--promptForKeyStorePassword

Description Indicates that the tool should interactively prompt the user for the password to use to access the key store contents.

--keyStoreFormat {format}

Description The format (e.g., JKS, PKCS12, PKCS11, BCFKS, etc.) for the key store file.
Required No
Multi-Valued No

-P {path}
--trustStorePath {path}

Description The path to the file to use as trust store when determining whether to trust a certificate presented by the directory server.
Required No
Multi-Valued No

--trustStorePassword {password}

Description The password to use to access the trust store contents.
Required No
Multi-Valued No

-U {path}
--trustStorePasswordFile {path}

Description The path to the file containing the password to use to access the trust store contents.
Required No
Multi-Valued No

--promptForTrustStorePassword

Description Indicates that the tool should interactively prompt the user for the password to use to access the trust store contents.

--trustStoreFormat {format}

Description The format (e.g., JKS, PKCS12, PKCS11, BCFKS, etc.) for the trust store file.
Required No
Multi-Valued No

--verifyCertificateHostnames

Description Indicates that the tool should verify that the hostname or IP address used to establish connections to the LDAP server matches an address for which the server's TLS certificate was issued.

-N {nickname}
--certNickname {nickname}

Description The nickname (alias) of the client certificate in the key store to present to the directory server for SSL client authentication.
Required No
Multi-Valued No

--enableSSLDebugging

Description Enable Java's low-level support for debugging SSL/TLS communication. This is equivalent to setting the 'javax.net.debug' property to 'all'.

-o {name=value}
--saslOption {name=value}

Description A name-value pair providing information to use when performing SASL authentication.
Required No
Multi-Valued Yes

--useSASLExternal

Description Use the SASL EXTERNAL mechanism to authenticate.

--helpSASL

Description Provide information about the supported SASL mechanisms, including the properties available for use with each.

-b {dn}
--baseDN {dn}

Description Specifies the base DN that should be used for the search. If a filter file is provided, then this base DN will be used for each search with a filter read from that file. This argument must not be provided if the --ldapURLFile is given. If no base DN is specified, then the null base DN will be used by default.
Required No
Multi-Valued No

-s {base|one|sub|subordinates}
--scope {base|one|sub|subordinates}

Description Specifies the scope to use for search requests. The value should be one of 'base', 'one', 'sub', or 'subordinates'. If this argument is not provided, a default of 'sub' will be used.
Allowed Values sub, subord, base, one
Default Value SUB
Required No
Multi-Valued No

-z {value}
--sizeLimit {value}

Description Specifies the maximum number of entries that the server should return for each search. A value of zero (which is the default if this argument is not used) indicates that no client-side size limit should be imposed. Note that the server may impose its own limit on the number of entries that may be returned for a search.
Upper Bound 2147483647
Default Value 0
Required No
Multi-Valued No

-l {value}
--timeLimitSeconds {value}

Description Specifies the maximum length of time in seconds that the server should spend processing each search. A value of zero (which is the default if this argument is not provided) indicates that no client-side time limit should be imposed. Note that the server may impose its own time limit for search requests.
Upper Bound 2147483647
Default Value 0
Required No
Multi-Valued No

-a {never|always|search|find}
--dereferencePolicy {never|always|search|find}

Description Specifies the alias dereferencing policy to use for search requests. The value should be one of 'never', 'always', 'search', or 'find'. If this argument is not provided, a default of 'never' will be used.
Default Value never
Required No
Multi-Valued No

-A
--typesOnly

Description Indicates that the server should only include the names of the attributes contained in the entry rather than both names and values.

--requestedAttribute {attr}

Description Specifies an identifier that indicates which attribute(s) should be included in entries that match the search criteria. The value may be an attribute name or OID, a special token like '*' to indicate all user attributes or '+' to indicate all operational attributes, or an object class name prefixed by an '@' symbol to indicate all attributes associated with the specified object class. This may be provided multiple times to specify multiple requested attributes, and it may be provided instead of or in addition to the set of requested attributes in the set of trailing arguments. If this is not specified, then the server will behave as if all user attributes had been requested.
Required No
Multi-Valued Yes

--filter {filter}

Description Specifies a filter to use when processing a search. This may be provided multiple times to issue multiple searches with different filters. If this argument is provided, then the first trailing argument will not be interpreted as a search filter (all trailing arguments will be interpreted as requested attributes).
Required No
Multi-Valued No

-f {path}
--filterFile {path}

Description Specifies the path to a file containing the search filters to issue. Each filter should be on a separate line. Blank lines and lines beginning with the '#' character will be ignored. This argument may be provided multiple times to specify multiple filter files. If a filter file is provided, then the first trailing argument will not be interpreted as a search filter (all trailing arguments will be interpreted as requested attributes).
Required No
Multi-Valued Yes

--ldapURLFile {path}

Description Specifies the path to a file containing LDAP URLs that define the search requests to issue. The LDAP URLs will specify the base DN, scope, filter, and attributes to return for each search (any hostnames and port numbers included in the URLs will be ignored). Each URL should be on a separate line. Blank lines and lines beginning with the '#' character will be ignored. This argument may be provided multiple times to specify multiple LDAP URL files.
Required No
Multi-Valued Yes

--followReferrals

Description Attempt to follow any referrals and search result references encountered during search processing. If this is not provided, then referrals and search references will be displayed in the output.

--retryFailedOperations

Description Indicates that, if a search fails in a way that indicates the connection to the server may no longer be valid, the tool should automatically create a new connection and re-try the search before reporting it as a failure.

-c
--continueOnError

Description Continue processing searches even if an error is encountered. If this is not provided, then processing will abort after the first failed search.

-r {num}
--ratePerSecond {num}

Description Specifies a maximum search rate that the tool should be permitted to achieve. Note that this limit applies only to the rate at which the client issues search requests and not to the rate at which the server may send matching entries.
Upper Bound 2147483647
Required No
Multi-Valued No

--useAdministrativeSession

Description Indicates that the tool should attempt to use an administrative session to process all operations using a dedicated pool of worker threads. This may be useful when trying to diagnose problems in a server that is unresponsive because all normal worker threads are busy processing other requests.

-n
--dryRun

Description Indicate which searches would be issued but do not actually send them to the server.

--wrapColumn {value}

Description The column at which long lines in the LDIF representation of an entry should be wrapped. A value of zero indicates that no wrapping should be performed. If this is not provided, then the wrap column will be based on the width of the terminal used to run the tool.
Upper Bound 2147483647
Required No
Multi-Valued No

-T
--dontWrap

Description Indicates that no line wrapping should be performed when displaying the LDIF representations of matching entries.

--suppressBase64EncodedValueComments

Description Indicates that the tool should not include any comments that attempt to provide a human-readable representation of any base64-encoded attribute values in the search results. If this argument is not provided, then any attribute value whose LDIF representation requires base64 encoding will be immediately followed by a comment that attempts to provide a human-readable representation of the raw bytes that comprise that base64-encoded value.

--outputFile {path}

Description Specifies the path to the file to which search results should be written. If this argument is not provided then results will be written to standard output.
Required No
Multi-Valued No

--compressOutput

Description Indicates that the output should be gzip-compressed. This can only be used if the --outputFile argument is provided and the --teeResultsToStandardOut argument is not provided.

--encryptOutput

Description Indicates that the output should be encrypted with a key generated from a provided password. This can only be used if the --outputFile argument is provided and the --teeResultsToStandardOut argument is not provided. If the --encryptionPassphraseFile argument is provided, then that file will be used to specify the encryption passphrase; otherwise, the passphrase will be interactively requested.

--encryptionPassphraseFile {path}

Description The path to a file that specifies the passphrase to use to encrypt the output. This can only be provided if the --encryptOutput argument is given, but if that argument is given and no passphrase file is specified, then the passphrase will be interactively requested. If a file is specified, then that file must exist and must contain exactly one line comprised entirely of the passphrase.
Required No
Multi-Valued No

--separateOutputFilePerSearch

Description Indicates that the tool should generate a separate output file for each search rather than combining all results into a single file.

--teeResultsToStandardOut

Description Indicates that search results should be written to standard output as well as to the output file specified via the 'outputFile' argument.

--outputFormat {ldif|json|csv|multi-valued-csv|tab-delimited|multi-valued-tab-delimited|dns-only|values-only}

Description Specifies the format that should be used for the output generated by this tool. Allowed values are 'LDIF' (LDAP Data Interchange Format, which is the standard string representation for LDAP data), 'JSON' (JavaScript Object Notation, which is a popular format used by web services), 'CSV' (comma-separated values, which is a commonly used format for text processing, with only a single value per attribute), 'multi-valued-csv' (comma-separated values with a vertical bar between values of multivalued attributes), 'tab-delimited' (another commonly used general text format, with only a single value per attribute), 'multi-valued-tab-delimited' (tab-delimited text with a vertical bar between values of multivalued attributes), 'dns-only' (in which only the DN of each matching entry will be written on a line by itself with no information about the entry's attributes), and 'values-only' (in which each value returned will be written on a line by itself with no attribute names, entry DNs, or delimiters between entries). If either the 'CSV' or 'tab-delimited' format is selected (or one of their multivalued variants), the set of requested attributes must be provided with the '--requestedAttribute' argument, the order in which the attributes are provided on the command line specifies the order in which they will be listed in the output, and if any of those attributes has multiple values then only the first value will be used. Further, the 'CSV' and 'tab-delimited' formats cannot be used in conjunction with the '--ldapURLFile' argument. If no output format is specified, a default of 'LDIF' will be used.
Default Value ldif
Required No
Multi-Valued No

--requireMatch

Description Indicates that ldapsearch should exit with a nonzero result code, 94 (no results returned), if the search completes successfully but does not return any matching entries. This argument only affects the tool exit code; it will not have any visible effect on the output.

--terse

Description Indicates that the tool should generate terse output. The only thing written to standard output will be search result entries and references, without any summary messages. Standard error will not be affected.

-v
--verbose

Description Indicates that the tool should generate verbose output.

--bindControl {oid}[:{criticality}[:{stringValue}|::{base64Value}]]

Description Specifies a control that should be included in all bind requests used to authenticate to the server.
Required No
Multi-Valued No

-J {oid}[:{criticality}[:{stringValue}|::{base64Value}]]
--control {oid}[:{criticality}[:{stringValue}|::{base64Value}]]

Description Specifies a control that should be included in all search requests sent to the server.
Required No
Multi-Valued No

--accessLogField {name:value}

Description Indicates that all search requests should include an access log field request control to indicate that the server should include a custom field with the specified name and value. The field name must contain only ASCII letters, digits, dashes, and underscores. The field name must be followed by a colon and the field value for that field. This argument may be provided multiple times to request multiple access log fields.
Required No
Multi-Valued Yes

--accountUsable

Description Indicates that all search requests should include the UnboundID-proprietary account usable request control to request that each search result entry returned include a response control with information about the password policy usability state for the entry.

-E
--authorizationIdentity

Description Indicates that all bind requests should include the authorization identity request control as defined in RFC 3829. With this control, a successful bind result should include the authorization identity assigned to the connection.

--assertionFilter {filter}

Description A filter that will be used in conjunction with the LDAP assertion request control (as described in RFC 4528) to indicate that the server should only process searches in which the entry specified as the base DN matches this filter.
Required No
Multi-Valued No

--excludeBranch {dn}

Description Indicates that all search requests should include the UnboundID-proprietary exclude branch request control to indicate that matching entries below the specified base DN should be excluded from search results. This argument may be provided multiple times if multiple branches should be excluded.
Required No
Multi-Valued Yes

--generateAccessToken

Description Indicates that the bind request should include the generate access token request control, which may be used to request that the server generate and return an access token that can be used to authorize subsequent connections via the OAUTHBEARER SASL mechanism.

--getAuthorizationEntryAttribute {attr}

Description Indicates that all bind requests should include the UnboundID-proprietary get authorization entry request control to request that the server return the specified attribute (or collection of attributes, in the case of a special identifier like '*' to indicate all user attributes or '+' to indicate all operational attributes) from the authenticated user's entry. This argument may be provided multiple times to specify multiple attributes to request.
Required No
Multi-Valued Yes

--getBackendSetID

Description Indicates that all search requests should include the UnboundID-proprietary get backend set ID request control to request that the Directory Proxy Server include a corresponding get backend set ID response control in each search result entry, indicating the entry-balancing backend set from which that entry was retrieved.

-g {authzID}
--getEffectiveRightsAuthzID {authzID}

Description Indicates that all search requests should include the UnboundID-proprietary get effective rights request control to return information about the access control rights the specified user has when interacting with each matching entry.
Required No
Multi-Valued No

-e {attr}
--getEffectiveRightsAttribute {attr}

Description Indicates that all search requests should include the UnboundID-proprietary get effective rights request control to return information about the access control rights that a user has when interacting with each matching entry. This argument may be provided multiple times to specify multiple attributes.
Required No
Multi-Valued Yes

--getRecentLoginHistory

Description Indicates that all bind requests should include the get recent login history request control to request that the server include a corresponding response control with information about the user's recent login history.

--getServerID

Description Indicates that all search requests should include the UnboundID-proprietary get server ID request control to request that the server include a corresponding get server ID response control in each search result entry, indicating the server from which that entry was retrieved.

--getUserResourceLimits

Description Indicates that all bind requests should include the UnboundID-proprietary get user resource limits request control to request that the server return information about resource limits (e.g., size limit, time limit, idle time limit, etc.) imposed for the user.

--includeReplicationConflictEntries

Description Indicates that all search requests should include the UnboundID-proprietary return conflict entries request control to indicate that the server may return any replication conflict entries that match the search criteria. Replication conflict entries are normally excluded from search results.

--includeSoftDeletedEntries {with-non-deleted-entries|without-non-deleted-entries|deleted-entries-in-undeleted-form}

Description Indicates that all search requests should include the UnboundID-proprietary soft-deleted entry access request control to indicate that the server may return any soft-deleted entries that match the search criteria. Soft-deleted entries are normally excluded from search results. The value for this argument must be one of: 'with-non-deleted-entries' (indicates that both regular and soft-deleted entries should be returned), 'without-non-deleted-entries' (indicates that only soft-deleted entries should be returned), or 'deleted-entries-in-undeleted-form' (returns only soft-deleted entries in the form the entries had before they were deleted).
Required No
Multi-Valued No

--draftLDUPSubentries

Description Indicates that all search requests should include the subentries request control as described in draft-ietf-ldup-subentry to indicate that the server may return any LDAP subentries that match the search criteria. LDAP subentries are normally excluded from search results. This control does not take a value.

--rfc3672Subentries {returnOnlySubentries}

Description Indicates that all search requests should include the subentries request control as described in RFC 3672 to indicate that the server may return any LDAP subentries that match the search criteria, optionally including regular entries along with the subentries. LDAP subentries are normally excluded from search results. This control requires a Boolean value of either 'true' or 'false' to indicate whether the server should return only subentries (if true), or both regular entries and subentries (if false).
Required No
Multi-Valued No

--joinRule {dn:sourceAttr|reverse-dn:targetAttr|equals:sourceAttr:targetAttr|contains:sourceAttr:targetAttr }

Description Indicates that all search requests should include the join request control to indicate that matching entries should be joined with related entries based on the specified criteria. Allowed values include 'dn:' followed by the name of an attribute in the source entry containing the DNs of the entries with which to join; 'reverse-dn:' followed by the name of an attribute in the target entries whose value is the DN of the source entry; 'equals:' followed by the name of an attribute in the source entry, a colon, and the name of an attribute in target entries that must exactly match the source attribute; or 'contains:' followed by the name of an attribute in the source entry, a colon, and the name of an attribute in target entries that must match or contain the value of the source attribute.
Required No
Multi-Valued No

--joinBaseDN {search-base|source-entry-dn|{dn}}

Description Specifies the base DN to use for searches used to join search result entries with related entries. The value may be one of 'search-base' to use the base DN of the search request, 'source-entry-dn' to use the DN of the source entry as the base DN for join searches, or any valid LDAP DN to use a custom base DN for join searches. If this is not specified, then the default join base DN will be the search base DN.
Required No
Multi-Valued No

--joinScope {base|one|sub|subordinates}

Description Specifies the scope to use for searches used to join search result entries with related entries. The value may be one of 'base', 'one', 'sub', or 'subordinates'. If this is not specified, then the scope of the search request will be used as the join scope.
Allowed Values sub, subord, base, one
Required No
Multi-Valued No

--joinSizeLimit {num}

Description Specifies the maximum number of entries that the server will permit to be joined with any single search result entry. If this is not provided, the size limit from the search request will be used. Note that the server will impose a maximum join size limit of 1000 entries, so any join size limit greater than that will be limited to 1000.
Upper Bound 2147483647
Required No
Multi-Valued No

--joinFilter {filter}

Description Specifies an additional filter that the server will require target entries to match in order to be joined with the source entry. If this is not provided, no additional join filter will be used.
Required No
Multi-Valued No

--joinRequestedAttribute {attr}

Description Specifies an identifier that indicates which attribute(s) should be included in entries joined with search result entries. The value may be an attribute name or OID, a special token like '*' to indicate all user attributes or '+' to indicate all operational attributes, or an object class name prefixed by an '@' symbol to indicate all attributes associated with the specified object class. This may be provided multiple times to specify multiple requested attributes. If this is not specified, then the server will behave as if all user attributes had been requested.
Required No
Multi-Valued Yes

--joinRequireMatch

Description Indicates that the server should not return an entry that matches the search criteria if it is not joined with at least one additional entry. If this is not provided, then entries matching the search criteria will be returned even if they are not joined with any other entries.

--manageDsaIT

Description Indicates that all search requests should include the manageDsaIT request control to indicate that any referral entries in the scope of the search should be treated as regular entries rather than causing the server to send search result references.

--matchedValuesFilter {filter}

Description Indicates that all search requests should include the matched values request control (as described in RFC 3876) to indicate that search result entries should only include values for a given attribute that match the provided filter. This argument may be provided multiple times to specify multiple matched values filters.
Required No
Multi-Valued No

--matchingEntryCountControl {examineCount=NNN[:alwaysExamine][:allowUnindexed][:skipResolvingExplodedIndexes][:fastShortCircuitThreshold=NNN][:slowShortCircuitThreshold=NNN][:extendedResponseData][:debug]}

Description Indicates that all search requests should include the UnboundID-proprietary matching entry count request control, which indicates that the server should return information about the number of entries that match the search criteria. The maximum number of entries to examine must be specified, which helps indicate whether an exact count or an estimate will be returned. If alwaysExamine is specified and the number of candidates is less than the examine count, then each candidate will be examined to verify that it matches the criteria and would actually be returned to the client in a search. If allowUnindexed is specified, then the count will be allowed to be processed even if the search is unindexed (and may take a very long time to complete). If extended is specified, then the client will request extended response data from the server. If debug is specified, then additional debug information may be included in the output.
Required No
Multi-Valued No

--operationPurpose {purpose}

Description Indicates that all search requests should include the UnboundID-proprietary operation purpose request control to provide the specified reason for the operation.
Required No
Multi-Valued No

--overrideSearchLimit {name=value}

Description Indicates that search operations should include the override search limits request control with the specified name-value pair. This may be provided multiple times to specify multiple property name-value pairs to include in the control.
Required No
Multi-Valued Yes

-C ps[:changetype[:changesonly[:entrychgcontrols]]]
--persistentSearch ps[:changetype[:changesonly[:entrychgcontrols]]]

Description Indicates that the search request should include the persistent search request control (as described in draft-ietf-ldapext-psearch) to indicate that the server should return information about changes to entries that match the search criteria as they are processed. This argument may only be used when processing a single search operation.
Required No
Multi-Valued No

--permitUnindexedSearch

Description Indicates that all search requests should include the UnboundID-proprietary permit unindexed search request control to indicate that the server should process the search operation even if it cannot do so efficiently using server indexes. The requester must have either the unindexed-search or unindexed-search-with-control privilege.

-Y {authzID}
--proxyAs {authzID}

Description Indicates that all search requests should include the proxied authorization request control (as described in RFC 4370) to process the operation under an alternate authorization identity. The authorization ID should generally be specified in the form 'dn:' followed by the target user's DN, or 'u:' followed by the username.
Required No
Multi-Valued No

--proxyV1As {dn}

Description Indicates that all search requests should include the legacy proxied authorization v1 request control (as described in draft-weltman-ldapv3-proxy-04) to process the search under an alternate authorization identity, specified as the DN of the desired user.
Required No
Multi-Valued No

--rejectUnindexedSearch

Description Indicates that all search requests should include the UnboundID-proprietary reject unindexed search request control to indicate that the server should not process the search operation if it cannot do so efficiently using server indexes, even if the requester has the unindexed-search privilege.

--routeToBackendSet {entry-balancing-processor-id:backend-set-id}

Description Specifies the ID of an entry-balancing backend set to which the Directory Proxy Server should send all of the search requests. The value should be formatted as the entry-balancing request processor ID followed by a colon and the desired backend set ID for that entry-balancing request processor. This argument can be provided multiple times to specify multiple backend set IDs for the same or different entry-balancing request processors. The request control will be configured to use absolute routing rather than a routing hint.
Required No
Multi-Valued Yes

--routeToServer {id}

Description Specifies the ID of the backend server to which the Directory Proxy Server should send all search requests.
Required No
Multi-Valued No

--suppressOperationalAttributeUpdates {attr}

Description Indicates that all operations should include the UnboundID-proprietary suppress operational attribute updates request control to indicate that the server should not apply any updates to the specified operational attributes. The value may be one of 'last-access-time', 'last-login-time', 'last-login-ip', or 'lastmod'.
Required No
Multi-Valued Yes

--usePasswordPolicyControl

Description Indicates that bind requests should include the password policy request control (as defined in draft-behera-ldap-password-policy-10) to request that the response include password policy-related information about the target entry.

--realAttributesOnly

Description Indicates that all search requests should include the UnboundID-proprietary real attributes only request control to indicate that the server should not include any virtual attributes in entries that are returned.

-S {value}
--sortOrder {value}

Description Indicates that all search requests should include the server-side sort request control (as described in RFC 2891) to request that the server sort results before returning them to the client. The sort order should be a comma-separated list of attribute names, each of which may be optionally prefixed by '+' (to indicate that sorting should be in ascending order for that attribute) or '-' (for descending order), and may be optionally followed by a colon and the name or OID for the ordering matching rule that should be used when sorting. Ascending order will be used if neither '+' nor '-' is specified, and if no matching rule ID is given then the attribute type's own ordering rule will be used.
Required No
Multi-Valued No

--simplePageSize {value}

Description Indicates that all search requests should include the simple paged results control (as described in RFC 2696) to indicate that the search should return entries in pages of no more than the specified size. This can be useful for searches that must return a large number of entries when the server restricts the number of entries that may be returned for any search.
Upper Bound 2147483647
Required No
Multi-Valued No

--virtualAttributesOnly

Description Indicates that all search requests should include the UnboundID-proprietary virtual attributes only request control to indicate that the server should only include virtual attributes in entries that are returned.

-G {before:after:index:count | before:after:value}
--virtualListView {before:after:index:count | before:after:value}

Description Indicates that all search requests should include the virtual list view (VLV) request control (as described in draft-ietf-ldapext-ldapv3-vlv) to indicate that the server should return the specified subset of the sorted search results (and the 'sortOrder' argument must also be given to specify the sort order). The value should be a colon-delimited list indicating which page of results to return, and it may take one of two forms. In either case, the first element specifies the number of entries to return before the entry identified as the start of the results, and the second is the number of entries after the 'start' entry. The third element identifies the start of the result set, and it may be either an integer offset (in which the first entry in the result set has an offset of one), or a string that provides a value for which the server should identify the first entry whose value for the primary sort attribute is greater than or equal to the given string. In the event that an offset is provided, a fourth element must also be given to indicate the expected number of entries in the result set, or zero if that is not known. For example, a value of '0:9:1:0' indicates that the server should return the first ten entries of the result set (starting at offset 1, which is the first entry, return the zero previous entries and the nine following entries, with no indication of how many entries match the search criteria). Alternatively, a value of '0:99:smith' indicates that the server should return the first 100 entries in the result set for which the primary sort attribute has a value that is greater than or equal to 'smith'.
Required No
Multi-Valued No
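
The two value formats described above for --sortOrder and --virtualListView can be checked before a command line is assembled. The following is an added illustration, not part of the tool or its documentation; the function names parse_sort_order and describe_vlv are hypothetical, and the parsing follows only the rules stated in the descriptions above.

```python
def parse_sort_order(value):
    """Split a --sortOrder value into (attribute, ascending, matching_rule)."""
    keys = []
    for item in value.split(","):
        item = item.strip()
        ascending = not item.startswith("-")   # ascending unless prefixed '-'
        if item[:1] in ("+", "-"):
            item = item[1:]
        attr, _, rule = item.partition(":")
        if not attr:
            raise ValueError(f"empty sort key in {value!r}")
        keys.append((attr, ascending, rule or None))
    return keys


def describe_vlv(value, sort_order):
    """Validate a --virtualListView value and say which entries it requests."""
    if not sort_order:
        raise ValueError("--virtualListView requires --sortOrder")
    primary = parse_sort_order(sort_order)[0][0]
    parts = value.split(":")
    if len(parts) not in (3, 4):
        raise ValueError("expected before:after:index:count or before:after:value")
    before, after = int(parts[0]), int(parts[1])
    if before < 0 or after < 0:
        raise ValueError("before and after must not be negative")
    if len(parts) == 4:                        # offset form
        offset, count = int(parts[2]), int(parts[3])
        if offset < 1 or count < 0:
            raise ValueError("offsets start at one; count is zero if unknown")
        return {"form": "offset", "first": max(1, offset - before),
                "last": offset + after, "expected_count": count or None}
    # value form: start at the first entry whose primary sort value >= parts[2]
    return {"form": "value", "primary_attr": primary, "start_at": parts[2],
            "max_entries": before + after + 1}


if __name__ == "__main__":
    print(parse_sort_order("+sn,-givenName:caseIgnoreOrderingMatch"))
    print(describe_vlv("0:9:1:0", "sn"))       # the first example value above
    print(describe_vlv("0:99:smith", "sn"))    # the second example value above
```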

--useJSONFormattedRequestControls

Description Indicates that any request controls should be encapsulated in a JSON-formatted request control. Even if there wouldn't otherwise be any request controls, an empty JSON-formatted request control will be included to indicate that the server should encapsulate any response controls in a JSON-formatted response control.

--excludeAttribute {attr}

Description Specifies the name or OID of an attribute that should be excluded from search result entries. This argument may be provided multiple times to specify multiple attributes to exclude.
Required No
Multi-Valued Yes

--redactAttribute {attr}

Description Specifies the name or OID of an attribute whose values should be redacted to indicate that the attribute is present in search result entries but to hide the actual values for that attribute. This argument may be provided multiple times to specify multiple attributes to redact.
Required No
Multi-Valued Yes

--hideRedactedValueCount

Description Indicates that the output should not reveal the number of values contained in redacted attributes. If this argument is present, then a redacted attribute will only ever have a single value of '***REDACTED***'. If this argument is not present, then a redacted attribute with multiple values will still have the same number of values that it originally had, but those values will be '***REDACTED1***', '***REDACTED2***', etc.
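
When output produced with --redactAttribute is to be shared outside the team that owns the directory, it is worth checking the file before it leaves. The following is an added example, not part of the tool; the function name audit_redaction and the sample LDIF are constructed for illustration. It reports any listed attribute that still carries a real value, and any redacted attribute whose value count is still visible because --hideRedactedValueCount was not used.

```python
import re

# Placeholder forms described above for redacted attribute values.
SINGLE = "***REDACTED***"
NUMBERED = re.compile(r"^\*\*\*REDACTED\d+\*\*\*$")


def audit_redaction(ldif_text, sensitive_attrs):
    """Return (dn, attribute, problem) findings for an LDIF export."""
    wanted = {a.lower() for a in sensitive_attrs}
    findings = []
    unfolded = ldif_text.replace("\n ", "")     # undo LDIF line folding
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        dn, values = None, {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            name, _, rest = line.partition(":")
            value = rest.strip()    # base64 ("attr:: ...") keeps a leading ':'
            if name.lower() == "dn":
                dn = value
            else:
                values.setdefault(name.lower(), []).append(value)
        for attr in sorted(wanted & values.keys()):
            vals = values[attr]
            if any(v != SINGLE and not NUMBERED.match(v) for v in vals):
                findings.append((dn, attr, "unredacted value present"))
            elif len(vals) > 1:
                findings.append((dn, attr, f"value count revealed ({len(vals)})"))
    return findings


# Constructed sample output, not captured from a real server.
SAMPLE = """\
dn: uid=jqpublic,ou=People,dc=example,dc=com
givenName: John
mail: ***REDACTED1***
mail: ***REDACTED2***
userPassword: ***REDACTED***

dn: uid=jdoe,ou=People,dc=example,dc=com
mail: ***REDACTED***
telephoneNumber: +1 555 0100
"""

if __name__ == "__main__":
    for finding in audit_redaction(SAMPLE, ["mail", "userPassword", "telephoneNumber"]):
        print(finding)
```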

--scrambleAttribute {attr}

Description Specifies the name or OID of an attribute whose values should be scrambled. Scrambling will be performed in a manner that attempts to preserve the associated attribute syntax and that will generally try to ensure that a given input value will consistently yield the same scrambled output. This argument may be provided multiple times to specify multiple attributes to scramble.
Required No
Multi-Valued Yes

--scrambleJSONField {fieldName}

Description Specifies the name of a JSON field whose values should be scrambled. If the --scrambleAttribute argument is used to scramble any attributes whose values may be JSON objects, then all JSON field names will be preserved and only the values of the specified fields will be scrambled. If this argument is given (and it may be provided multiple times to target multiple JSON fields), then only the specified fields will have their values scrambled. If this argument is not provided, then any of the scramble attribute values that are JSON objects will have all values scrambled. JSON field names will be treated in a case-insensitive manner.
Required No
Multi-Valued Yes

--scrambleRandomSeed {value}

Description Specifies the value that will be used to seed the random number generator used in the course of scrambling attribute values. If a random seed is provided, then scrambling the same entry with the same seed should consistently yield the same scrambled representations. If no random seed is specified, an appropriate value will be selected automatically.
Lower Bound -2147483648
Upper Bound 2147483647
Required No
Multi-Valued No

--renameAttributeFrom {attr}

Description Specifies the name or OID of an attribute that should have its name replaced with the value specified in the --renameAttributeTo argument. This argument may be provided multiple times as long as the --renameAttributeTo argument is also provided the same number of times, and the order of --renameAttributeFrom values must correspond to the order of --renameAttributeTo values.
Required No
Multi-Valued Yes

--renameAttributeTo {attr}

Description Specifies the new name to use for an attribute to be renamed. This argument must be provided the same number of times as the --renameAttributeFrom argument.
Required No
Multi-Valued Yes

--moveSubtreeFrom {attr}

Description Specifies the base DN for a subtree to be moved to another location in the DIT, with this source DN being replaced with the base DN specified using the --moveSubtreeTo argument. This argument may be provided multiple times as long as the --moveSubtreeTo argument is also provided the same number of times, and the order of --moveSubtreeFrom values must correspond to the order of --moveSubtreeTo values.
Required No
Multi-Valued Yes

--moveSubtreeTo {attr}

Description Specifies the new base DN for a subtree to be moved. This argument must be provided the same number of times as the --moveSubtreeFrom argument.
Required No
Multi-Valued Yes

--version

Description Display Data Sync Server version information.

--interactive

Description Launch the tool in interactive mode.

--propertiesFilePath {path}

Description The path to a properties file used to specify default values for arguments not supplied on the command line.
Required No
Multi-Valued No

--generatePropertiesFile {path}

Description Write an empty properties file that may be used to specify default values for arguments.
Required No
Multi-Valued No

--noPropertiesFile

Description Do not obtain any argument values from a properties file.

--suppressPropertiesFileComment

Description Suppress output listing the arguments obtained from a properties file.