Process one or more searches in an LDAP directory server.
The criteria for the search request can be specified in a number of different ways, including providing all of the details directly via command-line arguments, providing all of the arguments except the filter via command-line arguments and specifying a file that holds the filters to use, or specifying a file that includes a set of LDAP URLs with the base DN, scope, filter, and attributes to return.
See the examples below for a number of sample command lines for this tool.
Establishes an unencrypted LDAP connection to directory.example.com:389, performs a simple bind to authenticate as user 'uid=jdoe,ou=People,dc=example,dc=com', and issues a search request to retrieve the givenName, sn, and mail attributes for the user with uid 'jqpublic' below dc=example,dc=com. The search results will be written to standard output.
ldapsearch --hostname directory.example.com --port 389 \ --bindDN uid=jdoe,ou=People,dc=example,dc=com --bindPassword password \ --baseDN ou=People,dc=example,dc=com --scope sub "(uid=jqpublic)" \ givenName sn mail
Establishes an SSL-encrypted LDAP connection to directory.example.com:636, interactively prompting the user about whether to trust the certificate presented by the directory server. The tool will then bind with the SASL PLAIN mechanism using an authentication ID of 'u:jdoe' and a password read from a file. It will then issue a search request for each filter in a given file, writing the results for each search into a separate output file.
ldapsearch --hostname directory.example.com --port 636 --useSSL \ --saslOption mech=PLAIN --saslOption authID=u:jdoe \ --bindPasswordFile /path/to/password/file \ --baseDN ou=People,dc=example,dc=com --scope sub \ --filterFile /path/to/filter/file --outputFile /path/to/base/output/file \ --separateOutputFilePerSearch --requestedAttribute '*' \ --requestedAttribute "+"
Establishes an LDAP connection to directory.example.com:389 that is secured with the StartTLS extended operation, using the information in the provided trust store file to determine whether to trust the certificate presented by the directory server. It will then issue an unauthenticated search to retrieve all user and operational attributes from the server's root DSE. The output will be written to a specified output file as well as displayed on standard output.
ldapsearch --hostname directory.example.com --port 389 --useStartTLS \ --trustStorePath /path/to/truststore/file --baseDN "" --scope base \ --outputFile /path/to/output/file \ --teeResultsToStandardOut '(objectClass=*)' '*' "+"
Issues a search request to retrieve all entries at or below 'dc=example,dc=com', using the simple paged results control to retrieve up to 100 entries at a time. The search will use an unencrypted LDAP connection, and the tool will interactively prompt the user for the password to use when performing simple authentication.
ldapsearch --hostname directory.example.com --port 389 \ --bindDN uid=admin,dc=example,dc=com --baseDN dc=example,dc=com \ --scope sub --outputFile /path/to/output/file --simplePageSize 100 \ '(objectClass=*)' '*' "+"
Issues a search request to retrieve a special entry that provides details about the server's use of indexes to determine the candidate set of potential matching entries. This feature is only supported in the UnboundID/Ping Identity Directory Server, and the user must have access control rights to retrieve the 'cn=debugsearch' entry and the 'debugsearchindex' operational attribute.
ldapsearch --hostname directory.example.com --port 389 \ --bindDN uid=admin,dc=example,dc=com --baseDN dc=example,dc=com \ --scope sub "(&(givenName=John)(sn=Doe))" debugsearchindexFor examples and help with LDAP options see LDAP Option Help. For help with SASL authentication, see SASL Option Help
-H
--help
Description | Display general usage information |
--help-ldap
Description | Display help for using LDAP options |
--help-sasl
Description | Display help for using SASL options |
--help-debug
Description | Display help for using debug options |
Advanced | Yes |
-h {host}
--hostname {host}
Description | The IP address or resolvable name to use to connect to the directory server. If this is not provided, then a default value of 'localhost' will be used. |
Default Value | localhost |
Required | Yes |
Multi-Valued | Yes |
-p {port}
--port {port}
Description | The port to use to connect to the directory server. If this is not provided, then a default value of 389 will be used. |
Default Value | 389 |
Required | Yes |
Multi-Valued | No |
-D {dn}
--bindDN {dn}
Description | The DN to use to bind to the directory server when performing simple authentication. |
Required | No |
Multi-Valued | No |
-w {password}
--bindPassword {password}
Description | The password to use to bind to the directory server when performing simple authentication or a password-based SASL mechanism. |
Required | No |
Multi-Valued | No |
-j {path}
--bindPasswordFile {path}
Description | The path to the file containing the password to use to bind to the directory server when performing simple authentication or a password-based SASL mechanism. |
Required | No |
Multi-Valued | No |
--promptForBindPassword
Description | Indicates that the tool should interactively prompt the user for the bind password. |
-Z
--useSSL
Description | Use SSL when communicating with the directory server. |
-q
--useStartTLS
Description | Use StartTLS when communicating with the directory server. |
--defaultTrust
Description | Use the JVM's default trust store, the server's default trust store, the server's topology registry, and optionally an additional trust store specified using the --trustStorePath argument to non-interactively determine whether to trust any certificate chain presented during TLS negotiation. If the chain cannot be trusted based on any of those sources, then negotiation will fail without prompting about whether to trust it. |
-X
--trustAll
Description | Trust any certificate presented by the directory server. |
-K {path}
--keyStorePath {path}
Description | The path to the file to use as the key store for obtaining client certificates when communicating securely with the directory server. |
Required | No |
Multi-Valued | No |
-W {password}
--keyStorePassword {password}
Description | The password to use to access the key store contents. |
Required | No |
Multi-Valued | No |
-u {path}
--keyStorePasswordFile {path}
Description | The path to the file containing the password to use to access the key store contents. |
Required | No |
Multi-Valued | No |
--promptForKeyStorePassword
Description | Indicates that the tool should interactively prompt the user for the password to use to access the key store contents. |
--keyStoreFormat {format}
Description | The format (e.g., JKS, PKCS12, PKCS11, BCFKS, etc.) for the key store file. |
Required | No |
Multi-Valued | No |
-P {path}
--trustStorePath {path}
Description | The path to the file to use as trust store when determining whether to trust a certificate presented by the directory server. |
Required | No |
Multi-Valued | No |
--trustStorePassword {password}
Description | The password to use to access the trust store contents. |
Required | No |
Multi-Valued | No |
-U {path}
--trustStorePasswordFile {path}
Description | The path to the file containing the password to use to access the trust store contents. |
Required | No |
Multi-Valued | No |
--promptForTrustStorePassword
Description | Indicates that the tool should interactively prompt the user for the password to use to access the trust store contents. |
--trustStoreFormat {format}
Description | The format (e.g., JKS, PKCS12, PKCS11, BCFKS, etc.) for the trust store file. |
Required | No |
Multi-Valued | No |
--verifyCertificateHostnames
Description | Indicates that the tool should verify that the hostname or IP addressed used to establish connections ot the LDAP server matches an address for which the server's TLS certificate was issued. |
-N {nickname}
--certNickname {nickname}
Description | The nickname (alias) of the client certificate in the key store to present to the directory server for SSL client authentication. |
Required | No |
Multi-Valued | No |
--enableSSLDebugging
Description | Enable Java's low-level support for debugging SSL/TLS communication. This is equivalent to setting the 'javax.net.debug' property to 'all'. |
-o {name=value}
--saslOption {name=value}
Description | A name-value pair providing information to use when performing SASL authentication. |
Required | No |
Multi-Valued | Yes |
--useSASLExternal
Description | Use the SASL EXTERNAL mechanism to authenticate. |
--helpSASL
Description | Provide information about the supported SASL mechanisms, including the properties available for use with each. |
-b {dn}
--baseDN {dn}
Description | Specifies the base DN that should be used for the search. If a filter file is provided, then this base DN will be used for each search with a filter read from that file. This argument must not be provided if the --ldapURLFile is given. If no base DN is specified, then the null base DN will be used by default. |
Required | No |
Multi-Valued | No |
-s {base|one|sub|subordinates}
--scope {base|one|sub|subordinates}
Description | Specifies the scope that to use for search requests. The value should be one of 'base', 'one', 'sub', or 'subordinates'. If this argument is not provided, a default of 'sub' will be used. |
Allowed Values |
sub subord base one |
Default Value | SUB |
Required | No |
Multi-Valued | No |
-z {value}
--sizeLimit {value}
Description | Specifies the maximum number of entries that the server should return for each search. A value of zero (which is the default if this argument is not used) indicates that no client-side size limit should be imposed. Note that the server may impose its own limit on the number of entries that may be returned for a search. |
Upper Bound | 2147483647 |
Default Value | 0 |
Required | No |
Multi-Valued | No |
-l {value}
--timeLimitSeconds {value}
Description | Specifies the maximum length of time in seconds that the server should spend processing each search. A value of zero (which is the default if this argument is not provided) indicates that no client-side time limit should be imposed. Note that the server may impose its own time limit for search requests. |
Upper Bound | 2147483647 |
Default Value | 0 |
Required | No |
Multi-Valued | No |
-a {never|always|search|find}
--dereferencePolicy {never|always|search|find}
Description | Specifies the alias dereferencing policy to use for search requests. The value should be one of 'never', 'always', 'search', or 'find'. If this argument is not provided, a default of 'never' will be used. |
Default Value | never |
Required | No |
Multi-Valued | No |
-A
--typesOnly
Description | Indicates that the server should only include the names of the attributes contained in the entry rather than both names and values. |
--requestedAttribute {attr}
Description | Specifies an identifier that indicates which attribute(s) should be included in entries that match the search criteria. The value may be an attribute name or OID, a special token like '*' to indicate all user attributes or '+' to indicate all operational attributes, or an object class name prefixed by an '@' symbol to indicate all attributes associated with the specified object class. This may be provided multiple times to specify multiple requested attributes, and it may be provided instead of or in addition to the set of requested attributes in the set of trailing arguments. If this is not specified, then the server will behave as if all user attributes had been requested. |
Required | No |
Multi-Valued | Yes |
--filter {filter}
Description | Specifies a filter to use when processing a search. This may be provided multiple times to issue multiple searches with different filters. If this argument is provided, then the first trailing argument will not be interpreted as a search filter (all trailing arguments will be interpreted as requested attributes). |
Required | No |
Multi-Valued | No |
-f {path}
--filterFile {path}
Description | Specifies the path to a file containing the search filters to issue. Each filter should be on a separate line. Blank lines and lines beginning with the '#' character will be ignored. This argument may be provided multiple times to specify multiple filter files. If a filter file is provided, then the first trailing argument will not be interpreted as a search filter (all trailing arguments will be interpreted as requested attributes). |
Required | No |
Multi-Valued | Yes |
--ldapURLFile {path}
Description | Specifies the path to a file containing LDAP URLs that define the search requests to issue. The LDAP URLs will specify the base DN, scope, filter, and attributes to return for each search (any hostnames and port numbers included in the URLs will be ignored). Each URL should be on a separate line. Blank lines and lines beginning with the '#' character will be ignored. This argument may be provided multiple times to specify multiple LDAP URL files. |
Required | No |
Multi-Valued | Yes |
--followReferrals
Description | Attempt to follow any referrals and search result references encountered during search processing. If this is not provided, then referrals and search references will be displayed in the output. |
--retryFailedOperations
Description | Indicates that, if a search fails in a way that indicates the connection to the server may no longer be valid, the tool should automatically create a new connection and re-try the search before reporting it as a failure. |
-c
--continueOnError
Description | Continue processing searches even if an error is encountered. If this is not provided, then processing will abort after the first failed search. |
-r {num}
--ratePerSecond {num}
Description | Specifies a maximum search rate that the tool should be permitted to achieve. Note that this limit applies only to the rate at which the client issues search requests and not to the rate at which the server may send matching entries. |
Upper Bound | 2147483647 |
Required | No |
Multi-Valued | No |
--useAdministrativeSession
Description | Indicates that the tool should attempt to use an administrative session to process all operations using a dedicated pool of worker threads. This may be useful when trying to diagnose problems in a server that is unresponsive because all normal worker threads are busy processing other requests. |
-n
--dryRun
Description | Indicate which searches would be issued but do not actually send them to the server. |
--wrapColumn {value}
Description | The column at which long lines in the LDIF representation of an entry should be wrapped. A value of zero indicates that no wrapping should be performed. If this is not provided, then the wrap column will be based on the width of the terminal used to run the tool. |
Upper Bound | 2147483647 |
Required | No |
Multi-Valued | No |
-T
--dontWrap
Description | Indicates that no line wrapping should be performed when displaying the LDIF representations of matching entries. |
--suppressBase64EncodedValueComments
Description | Indicates that the tool should not include any comments that attempt to provide a human-readable representation of any base64-encoded attribute values in the search results. If this argument is not provided, then any attribute value whose LDIF representation requires base64 encoding will be immediately followed by a comment that attempts to provide a human-readable representation of the raw bytes that comprise that base64-encoded value. |
--outputFile {path}
Description | Specifies the path to the file to which search results should be written. If this argument is not provided then results will be written to standard output. |
Required | No |
Multi-Valued | No |
--compressOutput
Description | Indicates that the output should be gzip-compressed. This can only be used if the --outputFile argument is provided and the --teeResultsToStandardOut argument is not provided. |
--encryptOutput
Description | Indicates that the output should be encrypted with a key generated from a provided password. This can only be used if the --outputFile argument is provided and the --teeResultsToStandardOut argument is not provided. If the --encryptionPassphraseFile argument is provided, then that file will be used to specify the encryption passphrase; otherwise, the passphrase will be interactively requested. |
--encryptionPassphraseFile {path}
Description | The path to a file that specifies the passphrase to use to encrypt the output. This can only be provided if the --encryptOutput argument is given, but if that argument is given and no passphrase file is specified, then the passphrase will be interactively requested. If a file is specified, then that file must exist and must contain exactly one line comprised entirely of the passphrase. |
Required | No |
Multi-Valued | No |
--separateOutputFilePerSearch
Description | Indicates that the tool should generate a separate output file for each search rather than combining all results into a single file. |
--teeResultsToStandardOut
Description | Indicates that search results should be written to standard output as well as to the output file specified via the 'outputFile' argument. |
--outputFormat {ldif|json|csv|multi-valued-csv|tab-delimited|multi-valued-tab-delimited|dns-only|values-only}
Description | Specifies the format that should be used for the output generated by this tool. Allowed values are 'LDIF' (LDAP Data Interchange Format, which is the standard string representation for LDAP data), 'JSON' (JavaScript Object Notation, which is a popular format used by web services), 'CSV' (comma-separated values, which is a commonly used format for text processing, with only a single value per attribute), 'multi-valued-csv' (comma-separated values with a vertical bar between values of multivalued attributes), 'tab-delimited' (another commonly used general text format, with only a single value per attribute), 'multi-valued-tab-delimited' (tab-delimited text with a vertical bar between values of multivalued attributes), 'dns-only' (in which only the DN of each matching entry will be written on a line by itself with no information about the entry's attributes), and 'values-only' (in which each value returned will be written on a line by itself with no attribute names, entry DNs, or delimiters between entries). If either the 'CSV' or 'tab-delimited' format is selected (or one of their multivalued variants), the set of requested attributes must be provided with the '--requestedAttribute' argument, the order in which the attributes are provided on the command line specifies the order in which they will be listed in the output, and if any of those attributes has multiple values then only the first value will be used. Further, the 'CSV' and 'tab-delimited' formats cannot be used in conjunction with the '--ldapURLFile' argument. If no output format is specified, a default of 'LDIF' will be used. |
Default Value | ldif |
Required | No |
Multi-Valued | No |
--requireMatch
Description | Indicates that ldapsearch should exit with a nonzero result code, 94 (no results returned), if the search completes successfully but does not return any matching entries. This argument only affects the tool exit code; it will not have any visible effect on the output. |
--terse
Description | Indicates that the tool should generate terse output. The only thing written to standard output will be search result entries and references, without any summary messages. Standard error will not be affected. |
-v
--verbose
Description | Indicates that the tool should generate verbose output. |
--bindControl {oid}[:{criticality}[:{stringValue}|::{base64Value}]]
Description | Specifies a control that should be included in all bind requests used to authenticate to the server. |
Required | No |
Multi-Valued | No |
-J {oid}[:{criticality}[:{stringValue}|::{base64Value}]]
--control {oid}[:{criticality}[:{stringValue}|::{base64Value}]]
Description | Specifies a control that should be included in all search requests sent to the server. |
Required | No |
Multi-Valued | No |
--accessLogField {name:value}
Description | Indicates that all search requests should include an access log field request control to indicate that the server should include a custom field with the specified name and value. The field name must contain only ASCII letters, digits, dashes, and underscores. The field name must be followed by a colon and the field value for that field. This argument may be provided multiple times to request multiple access log fields. |
Required | No |
Multi-Valued | Yes |
--accountUsable
Description | Indicates that all search requests should include the UnboundID-proprietary account usable request control to request that each search result entry returned include a response control with information about the password policy usability state for the entry. |
-E
--authorizationIdentity
Description | Indicates that all bind requests should include the authorization identity request control as defined in RFC 3829. With this control, a successful bind result should include the authorization identity assigned to the connection. |
--assertionFilter {filter}
Description | A filter that will be used in conjunction with the LDAP assertion request control (as described in RFC 4528) to indicate that the server should only process searches in which the entry specified as the base DN matches this filter. |
Required | No |
Multi-Valued | No |
--excludeBranch {dn}
Description | Indicates that all search requests should include the UnboundID-proprietary exclude branch request control to indicate that matching entries below the specified base DN should be excluded from search results. This argument may be provided multiple times if multiple branches should be excluded. |
Required | No |
Multi-Valued | Yes |
--generateAccessToken
Description | Indicates that the bind request should include the generate access token request control, which may be used to request that the server generate and return an access token that can be used to authorize subsequent connections via the OAUTHBEARER SASL mechanism. |
--getAuthorizationEntryAttribute {attr}
Description | Indicates that all bind requests should include the UnboundID-proprietary get authorization entry request control to request that the server return the specified attribute (or collection of attributes, in the case of a special identifier like '*' to indicate all user attributes or '+' to indicate all operational attributes) from the authenticated user's entry. This argument may be provided multiple times to specify multiple attributes to request. |
Required | No |
Multi-Valued | Yes |
--getBackendSetID
Description | Indicates that all search requests should include the UnboundID-proprietary get backend set ID request control to request that the Directory Proxy Server include a corresponding get backend set ID response control in each search result entry, indicating the entry-balancing backend set from which that entry was retrieved. |
-g {authzID}
--getEffectiveRightsAuthzID {authzID}
Description | Indicates that all search requests should include the UnboundID-proprietary get effective rights request control to return information about the access control rights the specified user has when interacting with each matching entry. |
Required | No |
Multi-Valued | No |
-e {attr}
--getEffectiveRightsAttribute {attr}
Description | Indicates that all search requests should include the UnboundID-proprietary get effective rights request control to return information about the access control rights that a user has when interacting with each matching entry. This argument may be provided multiple times to specify multiple attributes. |
Required | No |
Multi-Valued | Yes |
--getRecentLoginHistory
Description | Indicates that all bind requests should include the get recent login history request control to request that the server include a corresponding response control with information about the user's recent login history. |
--getServerID
Description | Indicates that all search requests should include the UnboundID-proprietary get server ID request control to request that server include a corresponding get server ID response control in each search result entry, indicating the server from which that entry was retrieved. |
--getUserResourceLimits
Description | Indicates that all bind requests should include the UnboundID-proprietary get user resource limits request control to request that the server return information about resource limits (e.g., size limit, time limit, idle time limit, etc.) imposed for the user. |
--includeReplicationConflictEntries
Description | Indicates that all search requests should include the UnboundID-proprietary return conflict entries request control to indicate that the server may return any replication conflict entries that match the search criteria. Replication conflict entries are normally excluded from search results. |
--includeSoftDeletedEntries {with-non-deleted-entries|without-non-deleted-entries|deleted-entries-in-undeleted-form}
Description | Indicates that all search requests should include the UnboundID-proprietary soft-deleted entry access request control to indicate that the server may return any soft-deleted entries that match the search criteria. Soft-deleted entries are normally excluded from search results. The value for this argument must be one of: 'with-non-deleted-entries' (indicates that both regular and soft-deleted entries should be returned), 'without-non-deleted-entries' (indicates that only soft-deleted entries should be returned), or 'deleted-entries-in-undeleted-form' (returns only soft-deleted entries in the form in the form the entries had before they were deleted). |
Required | No |
Multi-Valued | No |
--draftLDUPSubentries
Description | Indicates that all search requests should include the subentries request control as described in draft-ietf-ldup-subentry to indicate that the server may return any LDAP subentries that match the search criteria. LDAP subentries are normally excluded from search results. This control does not take a value. |
--rfc3672Subentries {returnOnlySubentries}
Description | Indicates that all search requests should include the subentries request control as described in RFC 3672 to indicate that the server may return any LDAP subentries that match the search criteria, optionally including regular entries along with the subentries. LDAP subentries are normally excluded from search results. This control requires a Boolean value of either 'true' or 'false' to indicate whether the server should return only subentries (if true), or both regular entries and subentries (if false). |
Required | No |
Multi-Valued | No |
--joinRule {dn:sourceAttr|reverse-dn:targetAttr|equals:sourceAttr:targetAttr|contains:sourceAttr:targetAttr }
Description | Indicates that all search requests should include the join request control to indicate that matching entries should be joined with related entries based on the specified criteria. Allowed values include 'dn:' followed by the name of an attribute in the source entry containing the DNs of the entries with which to join; 'reverse-dn:' followed by the name of an attribute in the target entries whose value is the DN of the source entry; 'equals:' followed by the name of an attribute in the source entry, a colon, and the name of an attribute in target entries that must exactly match the source attribute; or 'contains:' followed by the name of an attribute in the source entry, a colon, and the name of an attribute in target entries that must match or contain the value of the source attribute. |
Required | No |
Multi-Valued | No |
--joinBaseDN {search-base|source-entry-dn|{dn}}
Description | Specifies the base DN to use for searches used to join search result entries with related entries. The value may be one of 'search-base' to use the base DN of the search request, 'source-entry-dn' to use the DN of the source entry as the base DN for join searches, or any valid LDAP DN to use a custom base DN for join searches. If this is not specified, then the default join base DN will be the search base DN. |
Required | No |
Multi-Valued | No |
--joinScope {base|one|sub|subordinates}
Description | Specifies the scope to use for searches used to join search result entries with related entries. The value may be one of 'base', 'one', 'sub', or 'subordinates'. If this is not specified, then the scope of the search request will be used as the join scope. |
Allowed Values |
sub subord base one |
Required | No |
Multi-Valued | No |
--joinSizeLimit {num}
Description | Specifies the maximum number of entries that the server will permit to be joined with any single search result entry. If this is not provided, the size limit from the search request will be used. Note that the server will impose a maximum join size limit of 1000 entries, so any join size limit greater than that will be limited to 1000. |
Upper Bound | 2147483647 |
Required | No |
Multi-Valued | No |
--joinFilter {filter}
Description | Specifies an additional filter that the server will require target entries to match in order to be joined with the source entry. If this is not provided, no additional join filter will be used. |
Required | No |
Multi-Valued | No |
--joinRequestedAttribute {attr}
Description | Specifies an identifier that indicates which attribute(s) should be included in entries joined with search result entries. The value may be an attribute name or OID, a special token like '*' to indicate all user attributes or '+' to indicate all operational attributes, or an object class name prefixed by an '@' symbol to indicate all attributes associated with the specified object class. This may be provided multiple times to specify multiple requested attributes. If this is not specified, then the server will behave as if all user attributes had been requested. |
Required | No |
Multi-Valued | Yes |
--joinRequireMatch
Description | Indicates that the server should not return an entry that matches the search criteria if it is not joined with at least one additional entry. If this is not provided, then entries matching the search criteria will be returned even if they are not joined with any other entries. |
--manageDsaIT
Description | Indicates that all search requests should include the manageDsaIT request control to indicate that any referral entries in the scope of the search should be treated as regular entries rather than causing the server to send search result references. |
--matchedValuesFilter {filter}
Description | Indicates that all search requests should include the matched values request control (as described in RFC 3876) to indicate that search result entries should only include values for a given attribute that match the provided filter. This argument may be provided multiple times to specify multiple matched values filters. |
Required | No |
Multi-Valued | No |
--matchingEntryCountControl {examineCount=NNN[:alwaysExamine][:allowUnindexed][:skipResolvingExplodedIndexes][:fastShortCircuitThreshold=NNN][:slowShortCircuitThreshold=NNN][:extendedResponseData][:debug]}
Description | Indicates that all search requests should include the UnboundID-proprietary matching entry count request control, which indicates that the server should return information about the number of entries that match the search criteria. The maximum number of entries to examine must be specified, which helps indicate whether an exact count or an estimate will be returned. If alwaysExamine is specified and the number of candidates is less than the examine count, then each candidate will be examined to verify that it matches the criteria and would actually be returned to the client in a search. If allowUnindexed is specified, then the count will be allowed to be processed even if the search is unindexed (and may take a very long time to complete). If extended is specified, then the client will request extended response data from the server. If debug is specified, then additional debug information may be included in the output. |
Required | No |
Multi-Valued | No |
--operationPurpose {purpose}
Description | Indicates that all search requests should include the UnboundID-proprietary operation purpose request control to provide the specified reason for the operation. |
Required | No |
Multi-Valued | No |
--overrideSearchLimit {name=value}
Description | Indicates that search operations should include the override search limits request control with the specified name-value pair. This may be provided multiple times to specify multiple property name-value pairs to include in the control. |
Required | No |
Multi-Valued | Yes |
-C ps[:changetype[:changesonly[:entrychgcontrols]]]
--persistentSearch ps[:changetype[:changesonly[:entrychgcontrols]]]
Description | Indicates that the search request should include the persistent search request control (as described in draft-ietf-ldapext-psearch) to indicate that the server should return information about changes to entries that match the search criteria as they are processed. This argument may only be used when processing a single search operation. |
Required | No |
Multi-Valued | No |
--permitUnindexedSearch
Description | Indicates that all search requests should include the UnboundID-proprietary permit unindexed search request control to indicate that the server should process the search operation even if it cannot do so efficiently using server indexes. The requester must have either the unindexed-search or unindexed-search-with-control privilege. |
-Y {authzID}
--proxyAs {authzID}
Description | Indicates that all search requests should include the proxied authorization request control (as described in RFC 4370) to process the operation under an alternate authorization identity. The authorization ID should generally be specified in the form 'dn:' followed by the target user's DN, or 'u:' followed by the username. |
Required | No |
Multi-Valued | No |
--proxyV1As {dn}
Description | Indicates that all search requests should include the legacy proxied authorization v1 request control (as described in draft-weltman-ldapv3-proxy-04) to process the search under an alternate authorization identity, specified as the DN of the desired user. |
Required | No |
Multi-Valued | No |
--rejectUnindexedSearch
Description | Indicates that all search requests should include the UnboundID-proprietary reject unindexed search request control to indicate that the server should not process the search operation if it cannot do so efficiently using server indexes, even if the requester has the unindexed-search privilege. |
--routeToBackendSet {entry-balancing-processor-id:backend-set-id}
Description | Specifies the ID of an entry-balancing backend set to which the Directory Proxy Server should send all of the search requests. The value should be formatted as the entry-balancing request processor ID followed by a colon and the desired backend set ID for that entry-balancing request processor. This argument can be provided multiple times to specify multiple backend set IDs for the same or different entry-balancing request processors. The request control will be configured to use absolute routing rather than a routing hint. |
Required | No |
Multi-Valued | Yes |
--routeToServer {id}
Description | Specifies the ID of the backend server to which the Directory Proxy Server should send all search requests. |
Required | No |
Multi-Valued | No |
--suppressOperationalAttributeUpdates {attr}
Description | Indicates that all operations should include the UnboundID-proprietary suppress operational attribute updates request control to indicate that the server should not apply any updates to the specified operational attributes. The value may be one of 'last-access-time', 'last-login-time', 'last-login-ip', or 'lastmod'. |
Required | No |
Multi-Valued | Yes |
--usePasswordPolicyControl
Description | Indicates that bind requests should include the password policy request control (as defined in draft-behera-ldap-password-policy-10) to request that the response include password policy-related information about the target entry. |
--realAttributesOnly
Description | Indicates that all search requests should include the UnboundID-proprietary real attributes only request control to indicate that the server should not include any virtual attributes in entries that are returned. |
-S {value}
--sortOrder {value}
Description | Indicates that all search requests should include the server-side sort request control (as described in RFC 2891) to request that the server sort results before returning them to the client. The sort order should be a comma-separated list of attribute names, each of which may be optionally prefixed by '+' (to indicate that sorting should be in ascending order for that attribute) or '-' (for descending order), and may be optionally followed by a colon and the name or OID for the ordering matching rule that should be used when sorting. Ascending order will be used if neither '+' or '-' is specified, and if no matching rule ID is given then the attribute type's own ordering rule will be used. |
Required | No |
Multi-Valued | No |
--simplePageSize {value}
Description | Indicates that all search requests should include the simple paged results control (as described in RFC 2696) to indicate that the search should return entries in pages of no more than the specified size. This can be useful for searches that must return a large number of entries but the server restricts the number of entries that may be returned for any search. |
Upper Bound | 2147483647 |
Required | No |
Multi-Valued | No |
--virtualAttributesOnly
Description | Indicates that all search requests should include the UnboundID-proprietary virtual attributes only request control to indicate that the server should only include virtual attributes in entries that are returned. |
-G {before:after:index:count | before:after:value}
--virtualListView {before:after:index:count | before:after:value}
Description | Indicates that all search requests should include the virtual list view (VLV) request control (as described in draft-ietf-ldapext-ldapv3-vlv) to indicate that the server should return the specified subset of the sorted search results (and the 'sortOrder' argument must also be given to specify the sort order). The value should be a colon-delimited list indicating which page of results to return, and it may take one of two forms. In either case, the first element specifies the number of elements to return before the entry identified as the start of the results, and the second is the number of entries after the 'start' entry. The third element identifies the start of the result set, and it may be either an integer offset (in which the first entry in the result set has an offset of one), or a string that provides a value for which the server should identify the first entry whose value for the primary sort attribute is greater than or equal to the given string. In the event that an offset is provided, a fourth element must also be given to indicate the expected number of entries in the result set, or zero if that is not known. For example, a value of '0:9:1:0' indicates that the server should return the first ten entries of the result set (starting at offset 1, which is the first entry, return the zero previous entries and the nine following entries, with no indication of how many entries match the search criteria). Alternately, a value of '0:99:smith' indicates that the server should the first 100 entries in the result set for which the primary sort attribute has a value that is greater than or equal to 'smith'. |
Required | No |
Multi-Valued | No |
--useJSONFormattedRequestControls
Description | Indicates that any request controls should be encapsulated in a JSON-formatted request control. Even if there wouldn't otherwise be any request controls, an empty JSON-formatted request control will be included to indicate that the server should encapsulate any response controls in a JSON-formatted response control. |
--excludeAttribute {attr}
Description | Specifies the name or OID of an attribute that should be excluded from search result entries. This argument may be provided multiple times to specify multiple attributes to exclude. |
Required | No |
Multi-Valued | Yes |
--redactAttribute {attr}
Description | Specifies the name or OID of an attribute whose values should be redacted to indicate that the attribute is present in search result entries but to hide the actual values for that attribute. This argument may be provided multiple times to specify multiple attributes to redact. |
Required | No |
Multi-Valued | Yes |
--hideRedactedValueCount
Description | Indicates that the output should not reveal the number of values contained in redacted attributes. If this argument is present, then a redacted attribute will only ever have a single value of '***REDACTED***'. If this argument is not present, then a redacted attribute with multiple values will still have the same number of values that it originally had, but those values will be '***REDACTED1***', '***REDACTED2***', etc. |
--scrambleAttribute {attr}
Description | Specifies the name or OID of an attribute whose values should be scrambled. Scrambling will be performed in a manner that attempts to preserve the associated attribute syntax and that will generally try to ensure that a given input value will consistently yield the same scrambled output. This argument may be provided multiple times to specify multiple attributes to scramble. |
Required | No |
Multi-Valued | Yes |
--scrambleJSONField {fieldName}
Description | Specifies the name of a JSON field whose values should be scrambled. If the --scrambleAttribute argument is used to scramble any attributes whose values may be JSON objects, then all JSON field names will be preserved and only the values of the specified fields will be scrambled. If this argument is given (and it may be provided multiple times to target multiple JSON fields), then only the specified fields will have their values scrambled. If this argument is not provided, then any of the scramble attribute values that are JSON objects will have all values scrambled. JSON field names will be treated in a case-insensitive manner. |
Required | No |
Multi-Valued | Yes |
--scrambleRandomSeed {value}
Description | Specifies the value that will be used to seed the random number generator used in the course of scrambling attribute values. If a random seed is provided, then scrambling the same entry with the same seed should consistently yield the same scrambled representations. If no random seed is specified, an appropriate value will be selected automatically. |
Lower Bound | -2147483648 |
Upper Bound | 2147483647 |
Required | No |
Multi-Valued | No |
--renameAttributeFrom {attr}
Description | Specifies the name or OID of an attribute that should have its name replaced with the value specified in the --renameAttributeTo argument. This argument may be provided multiple times as long as the --renameAttributeTo argument is also provided the same number of times, and the order of --renameAttributeFrom values must correspond to the order of --renameAttributeTo values. |
Required | No |
Multi-Valued | Yes |
--renameAttributeTo {attr}
Description | Specifies the new name to use for an attribute to be renamed. This argument must be provided the same number of times as the --renameAttributeFrom argument. |
Required | No |
Multi-Valued | Yes |
--moveSubtreeFrom {attr}
Description | Specifies the base DN for a subtree to be moved to another location in the DIT, with this source DN being replaced with the base DN specified using the --moveSubtreeTo argument. This argument may be provided multiple times as long as the --moveSubtreeTo argument is also provided the same number of times, and the order of --moveSubtreeFrom values must correspond to the order of --moveSubtreeTo values. |
Required | No |
Multi-Valued | Yes |
--moveSubtreeTo {attr}
Description | Specifies the new base DN for a subtree to be moved. This argument must be provided the same number of times as the --moveSubtreeFrom argument. |
Required | No |
Multi-Valued | Yes |
--version
Description | Display Data Sync Server version information |
--interactive
Description | Launch the tool in interactive mode. |
--propertiesFilePath {path}
Description | The path to a properties file used to specify default values for arguments not supplied on the command line. |
Required | No |
Multi-Valued | No |
--generatePropertiesFile {path}
Description | Write an empty properties file that may be used to specify default values for arguments. |
Required | No |
Multi-Valued | No |
--noPropertiesFile
Description | Do not obtain any argument values from a properties file. |
--suppressPropertiesFileComment
Description | Suppress output listing the arguments obtained from a properties file. |