LDAP query in Linux

The ldapsearch Command-Line Tool

Process one or more searches in an LDAP directory server.

The criteria for the search request can be specified in a number of different ways, including providing all of the details directly via command-line arguments, providing all of the arguments except the filter via command-line arguments and specifying a file that holds the filters to use, or specifying a file that includes a set of LDAP URLs with the base DN, scope, filter, and attributes to return.

See the examples below for a number of sample command lines for this tool.

Usage

LDAP Connection and Authentication Arguments

  • -h / --hostname — The IP address or resolvable name to use to connect to the directory server. If this is not provided, then a default value of ‘localhost’ will be used.

Operation Arguments

  • -b / --baseDN — Specifies the base DN that should be used for the search. If a filter file is provided, then this base DN will be used for each search with a filter read from that file. This argument must not be provided if the --ldapURLFile is given. If no base DN is specified, then the null base DN will be used by default.
    A provided value must be able to be parsed as an LDAP distinguished name as described in RFC 4514.

Data Arguments

  • --wrapColumn — The column at which long lines in the LDIF representation of an entry should be wrapped. A value of zero indicates that no wrapping should be performed. If this is not provided, then the wrap column will be based on the width of the terminal used to run the tool.
    The specified value must not be less than 0 or greater than 2,147,483,647.

Control Arguments

  • --bindControl [:[:|::]] — Specifies a control that should be included in all bind requests used to authenticate to the server.
    A provided value must be a string representation of a valid LDAP control in the form [:[:|::]].

Entry Transformation Arguments

  • --excludeAttribute — Specifies the name or OID of an attribute that should be excluded from search result entries. This argument may be provided multiple times to specify multiple attributes to exclude.

Additional Arguments

  • --scriptFriendly — Indicates that the tool should operate in script-friendly mode. This argument has no effect and is provided only for the purpose of compatibility with other ldapsearch tools.
    This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of ‘true’. If it is absent from a set of arguments, then it will be assumed to have a value of ‘false’.

Dependent Argument Sets

  • If the --keyStorePassword argument is provided, then the --keyStorePath argument must also be provided.
  • If the --keyStorePasswordFile argument is provided, then the --keyStorePath argument must also be provided.
  • If the --promptForKeyStorePassword argument is provided, then the --keyStorePath argument must also be provided.
  • If the --trustStorePassword argument is provided, then the --trustStorePath argument must also be provided.
  • If the --trustStorePasswordFile argument is provided, then the --trustStorePath argument must also be provided.
  • If the --promptForTrustStorePassword argument is provided, then the --trustStorePath argument must also be provided.
  • If the --keyStorePath argument is provided, then at least one of the following arguments must also be provided: --useSSL, --useStartTLS
  • If the --trustStorePath argument is provided, then at least one of the following arguments must also be provided: --useSSL, --useStartTLS
  • If the --defaultTrust argument is provided, then at least one of the following arguments must also be provided: --useSSL, --useStartTLS
  • If the --trustAll argument is provided, then at least one of the following arguments must also be provided: --useSSL, --useStartTLS
  • If the --bindPassword argument is provided, then at least one of the following arguments must also be provided: --bindDN, --saslOption
  • If the --bindPasswordFile argument is provided, then at least one of the following arguments must also be provided: --bindDN, --saslOption
  • If the --promptForBindPassword argument is provided, then at least one of the following arguments must also be provided: --bindDN, --saslOption
  • If the --getEffectiveRightsAttribute argument is provided, then the --getEffectiveRightsAuthzID argument must also be provided.
  • If the --virtualListView argument is provided, then the --sortOrder argument must also be provided.
  • If the --separateOutputFilePerSearch argument is provided, then the --outputFile argument must also be provided.
  • If the --separateOutputFilePerSearch argument is provided, then at least one of the following arguments must also be provided: --filter, --filterFile, --ldapURLFile
  • If the --teeResultsToStandardOut argument is provided, then the --outputFile argument must also be provided.
  • If the --joinBaseDN argument is provided, then the --joinRule argument must also be provided.
  • If the --joinScope argument is provided, then the --joinRule argument must also be provided.
  • If the --joinSizeLimit argument is provided, then the --joinRule argument must also be provided.
  • If the --joinFilter argument is provided, then the --joinRule argument must also be provided.
  • If the --joinRequestedAttribute argument is provided, then the --joinRule argument must also be provided.
  • If the --joinRequireMatch argument is provided, then the --joinRule argument must also be provided.
  • If the --hideRedactedValueCount argument is provided, then the --redactAttribute argument must also be provided.
  • If the --scrambleJSONField argument is provided, then the --scrambleAttribute argument must also be provided.
  • If the --scrambleRandomSeed argument is provided, then the --scrambleAttribute argument must also be provided.
  • If the --renameAttributeFrom argument is provided, then the --renameAttributeTo argument must also be provided.
  • If the --renameAttributeTo argument is provided, then the --renameAttributeFrom argument must also be provided.
  • If the --moveSubtreeFrom argument is provided, then the --moveSubtreeTo argument must also be provided.
  • If the --moveSubtreeTo argument is provided, then the --moveSubtreeFrom argument must also be provided.
  • If the --compressOutput argument is provided, then the --outputFile argument must also be provided.
  • If the --encryptOutput argument is provided, then the --outputFile argument must also be provided.
  • If the --encryptionPassphraseFile argument is provided, then the --encryptOutput argument must also be provided.

Exclusive Argument Sets

  • The following arguments cannot be used together: --useSSL, --useStartTLS
  • The following arguments cannot be used together: --keyStorePassword, --keyStorePasswordFile, --promptForKeyStorePassword
  • The following arguments cannot be used together: --trustStorePassword, --trustStorePasswordFile, --promptForTrustStorePassword
  • The following arguments cannot be used together: --defaultTrust, --trustAll
  • The following arguments cannot be used together: --trustAll, --trustStorePath
  • The following arguments cannot be used together: --bindDN, --saslOption, --useSASLExternal
  • The following arguments cannot be used together: --bindPassword, --bindPasswordFile, --promptForBindPassword
  • The following arguments cannot be used together: --baseDN, --ldapURLFile
  • The following arguments cannot be used together: --scope, --ldapURLFile
  • The following arguments cannot be used together: --requestedAttribute, --ldapURLFile
  • The following arguments cannot be used together: --filter, --ldapURLFile
  • The following arguments cannot be used together: --filterFile, --ldapURLFile
  • The following arguments cannot be used together: --followReferrals, --manageDsaIT
  • The following arguments cannot be used together: --persistentSearch, --filterFile
  • The following arguments cannot be used together: --persistentSearch, --ldapURLFile
  • The following arguments cannot be used together: --draftLDUPSubentries, --rfc3672Subentries
  • The following arguments cannot be used together: --realAttributesOnly, --virtualAttributesOnly
  • The following arguments cannot be used together: --simplePageSize, --virtualListView
  • The following arguments cannot be used together: --terse, --verbose
  • The following arguments cannot be used together: --rejectUnindexedSearch, --permitUnindexedSearch
  • The following arguments cannot be used together: --wrapColumn, --dontWrap
  • The following arguments cannot be used together: --countEntries, --filter
  • The following arguments cannot be used together: --countEntries, --filterFile
  • The following arguments cannot be used together: --countEntries, --ldapURLFile
  • The following arguments cannot be used together: --countEntries, --persistentSearch
  • The following arguments cannot be used together: --compressOutput, --teeResultsToStandardOut
  • The following arguments cannot be used together: --encryptOutput, --teeResultsToStandardOut
  • The following arguments cannot be used together: --propertiesFilePath, --noPropertiesFile

Examples

  • Establishes an unencrypted LDAP connection to directory.example.com:389, performs a simple bind to authenticate as user ‘uid=jdoe,ou=People,dc=example,dc=com’, and issues a search request to retrieve the givenName, sn, and mail attributes for the user with uid ‘jqpublic’ below dc=example,dc=com. The search results will be written to standard output.
    ldapsearch --hostname directory.example.com --port 389 \
      --bindDN uid=jdoe,ou=People,dc=example,dc=com \
      --bindPassword password --baseDN ou=People,dc=example,dc=com \
      --scope sub "(uid=jqpublic)" givenName sn mail
  • Establishes an SSL-encrypted LDAP connection to directory.example.com:636, interactively prompting the user about whether to trust the certificate presented by the directory server. The tool will then bind with the SASL PLAIN mechanism using an authentication ID of ‘u:jdoe’ and a password read from a file. It will then issue a search request for each filter in a given file, writing the results for each search into a separate output file.
    ldapsearch --hostname directory.example.com --port 636 --useSSL \
      --saslOption mech=PLAIN --saslOption authID=u:jdoe \
      --bindPasswordFile /path/to/password/file \
      --baseDN ou=People,dc=example,dc=com --scope sub \
      --filterFile /path/to/filter/file \
      --outputFile /path/to/base/output/file \
      --separateOutputFilePerSearch --requestedAttribute '*' \
      --requestedAttribute "+"
  • Establishes an LDAP connection to directory.example.com:389 that is secured with the StartTLS extended operation, using the information in the provided trust store file to determine whether to trust the certificate presented by the directory server. It will then issue an unauthenticated search to retrieve all user and operational attributes from the server’s root DSE. The output will be written to a specified output file as well as displayed on standard output.
    ldapsearch --hostname directory.example.com --port 389 --useStartTLS \
      --trustStorePath /path/to/truststore/file --baseDN "" --scope base \
      --outputFile /path/to/output/file \
      --teeResultsToStandardOut '(objectClass=*)' '*' "+"
  • Issues a search request to retrieve all entries at or below ‘dc=example,dc=com’, using the simple paged results control to retrieve up to 100 entries at a time. The search will use an unencrypted LDAP connection, and the tool will interactively prompt the user for the password to use when performing simple authentication.
    ldapsearch --hostname directory.example.com --port 389 \
      --bindDN uid=admin,dc=example,dc=com --baseDN dc=example,dc=com \
      --scope sub --outputFile /path/to/output/file --simplePageSize 100 \
      '(objectClass=*)' '*' "+"
  • Issues a search request to retrieve a special entry that provides details about the server’s use of indexes to determine the candidate set of potential matching entries. This feature is only supported in the UnboundID/Ping Identity Directory Server, and the user must have access control rights to retrieve the ‘cn=debugsearch’ entry and the ‘debugsearchindex’ operational attribute.
    ldapsearch --hostname directory.example.com --port 389 \
      --bindDN uid=admin,dc=example,dc=com --baseDN dc=example,dc=com \
      --scope sub "(&(givenName=John)(sn=Doe))" debugsearchindex
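When the search filter is built from a value supplied at runtime (a username from a script argument, for example), the value has to be escaped per RFC 4515 before it is placed inside the filter, otherwise characters such as `*`, `(`, `)` and `\` change the meaning of the query. The shell functions below are an added example, not part of the original page or the tool itself: they escape a value, wrap it in a `(uid=...)` filter, and assemble an ldapsearch command line using the StartTLS, trust store and password-file arguments shown in the examples above (hostname, DNs and paths are placeholders).

```shell
#!/bin/sh
# Escape a value for use inside an LDAP search filter (RFC 4515):
#   \ -> \5c   * -> \2a   ( -> \28   ) -> \29
# The backslash must be replaced first so the escapes it introduces
# are not escaped a second time.
ldap_filter_escape() {
  printf '%s\n' "$1" | sed \
    -e 's/\\/\\5c/g' \
    -e 's/\*/\\2a/g' \
    -e 's/(/\\28/g' \
    -e 's/)/\\29/g'
}

# Build an equality filter on uid from an untrusted value.
uid_filter() {
  printf '(uid=%s)\n' "$(ldap_filter_escape "$1")"
}

# Assemble the ldapsearch invocation as a single string (printed, not run),
# using StartTLS with an explicit trust store and a password read from a
# file rather than passed on the command line. Placeholder values are
# constructed for this example.
build_ldapsearch_cmd() {
  filter=$(uid_filter "$1")
  printf '%s' "ldapsearch --hostname directory.example.com --port 389 --useStartTLS"
  printf ' %s' "--trustStorePath /path/to/truststore/file"
  printf ' %s' "--bindDN uid=jdoe,ou=People,dc=example,dc=com"
  printf ' %s' "--bindPasswordFile /path/to/password/file"
  printf ' %s' "--baseDN ou=People,dc=example,dc=com --scope sub"
  printf " '%s' givenName sn mail\n" "$filter"
}

# Demonstration: a value containing a wildcard and parentheses stays a
# literal match instead of turning into a wildcard or a nested filter.
build_ldapsearch_cmd 'jq*public)(objectClass=*'
```

Passing the filter as a single quoted argument keeps the shell from splitting it; the escaping keeps the directory from interpreting the embedded metacharacters.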
