Skip Headers
Oracle® Identity Management User Reference
10g Release 2 (10.1.2)
B15883-01
  Go To Documentation Library
Home
Go To Product List
Solution Area
Go To Table Of Contents
Contents
Go To Index
Index

Previous
Previous
Next
Next
 

4.13 ldapsearch

The ldapsearch command-line tool enables you to search for and retrieve specific entries in the directory.

The LDAP filter that you use to search for entries must be compliant with the Internet Engineering Task Force (IETF) standards as specified in RFC 2254. Refer to the IETF Web site at http://www.ietf.org for more information about the standard filter format. Oracle Internet Directory supports all elements of RFC 2254 except for extensible matching.


Note:

Various UNIX shells interpret some characters—for example, asterisks (*)—as special characters. Depending on the shell you are using, you may need to escape these characters.

4.13.1 Syntax for ldapsearch

ldapsearch -h oid_hostname -D "binddn" -w password [-Y "proxy_dn"] [-p ldap_port] [-V ldap_version] -b "basedn" {-s base|one|sub} {"filter_string" [attributes]|-f input_file} [-A] [-a never|always|search|find] [-F separator] [-S] [-R] [-i 1|0] [-t] [-u] [-L|-X] [-B] [-M] [-v] [-n] [-l time_limit] [-z size_limit] [-O ref_hop_limit] [-U SSL_auth_mode {-W wallet_location -P wallet_password}] [-d debug_level]  [-E character_set]

4.13.2 Arguments for ldapsearch

-h oid_hostname

Required. The host name or IP address of the Oracle Internet Directory server.

-D "binddn"

Required. The DN of the Oracle Internet Directory user needed to bind to the directory (for example, cn=orcladmin).

-w password

Required. The user password needed to bind to the directory.

-Y "proxy_dn"

Optional. The DN of a proxy user. After binding to the directory, the add operation will be performed as this user.

-p ldap_port

Optional. The port number used to connect to the Oracle Internet Directory server. Defaults to port 389.

-V ldap_version

Optional. The version of the LDAP protocol to use. Allowed values are 2 or 3. Defaults to 3 (LDAP v3).

-b "basedn"

Required. The base DN for the search.

-s base | one | sub

Required. The scope of the search within the DIT. The options are:

  • base - Retrieves a particular directory entry. Along with this search depth, you use the search criteria bar to select the attribute objectClass and the filter Present.

  • one - Limits your search to all entries beginning one level down from the root of your search.

  • sub - Searches entries within the entire subtree, including the root of your search.

"filter_string" [attributes] | -f input_file

Required. Supply a single filter on the command-line within quotes followed by the attribute names whose values you want returned. Separate attributes with a space. If you do not list any attributes, all attributes are retrieved.

You can also supply an input file with the -f argument that contains a sequence of search operations to perform.

-F separator

Optional. Enables you to choose a separator to use between attribute names and values in the search output. The default is = (equal sign).

-A

Optional. Retrieves attribute names only (no values).

-a never | always | search | find

Optional. Specifies alias dereferencing. An alias entry in an LDAP directory is an entry that points to another entry. Following an alias pointer is known as dereferencing an alias. The options are:

  • never - Never dereference alias entries. Choose this option to improve search performance if there are no alias entries in the directory that require dereferencing.

  • always - Always dereference aliases. This selection is the default.

  • search - Dereference alias entries subordinate to a specified search base, but do not dereference an alias search base entry.

  • find - Deference an alias entry for a specified search base, but do not dereference alias entries subordinate to the search base.

-S attr

Optional. Sorts the results by the attribute specified.

-R

Optional. Disables the automatic following of referrals.

-i 1 | 0

Optional. Specifies whether or not to bind as the current user when following referrals. 1 means bind as the current user, 0 means bind anonymously. The default is 0 (zero).

-t

Optional. Writes files to /tmp.

-u

Optional. Includes user-friendly names in the output.

-L | -X

Optional. Prints entries in LDIF (-L) or DSML format (-X).

-B

Optional. Allows printing of non-ASCII values.

-M

Optional. Instructs the tool to send the ManageDSAIT control to the server. The ManageDSAIT control instructs the server not to send referrals to clients. Instead a referral entry is returned as a regular entry.

-n

Optional. Enables you to preview what would occur in an operation without actually performing the operation.

-v

Optional. Runs the tool in verbose mode.

-l time_limit

Optional. The maximum time in seconds to wait for an ldapsearch command to complete.

-z size_limit

Optional. The maximum number of entries to return.

-O ref_hop_limit

Optional. The number of referral hops that a client should process. Defaults to 5.

-U SSL_auth_mode

Optional. The SSL authentication mode:

  • 1 for no authentication required.

  • 2 for one way authentication required. You must also supply a wallet location and wallet password.

  • 3 for two way authentication required. You must also supply a wallet location and wallet password.

-W wallet_location

Required if using one way or two way SSL authentication (-U 2|3). The location of the wallet file that contains the server's SSL certificates.

Example for UNIX:

-W "file:/home/my_dir/my_wallet"

Example for Microsoft Windows:

-W "file:C:\my_dir\my_wallet"

-P wallet_password

Required if using one way or two way SSL authentication (-U 2|3). The wallet password for the wallet specified in the -W argument.

-d debug_level

Optional. If not specified the default of 0 (not enabled) is used. Debug levels are additive. Add the numbers representing the functions that you want to activate, and use the sum of those in the command-line option. For example, to trace search filter processing (512) and active connection management (256), enter 768 as the debug level (512 + 256 = 768). Debug levels are as follows:

  • 1 — Heavy trace debugging

  • 128 — Debug packet handling

  • 256 — Connection management, related to network activities

  • 512 — Search filter processing

  • 1024 — Entry parsing

  • 2048 — Configuration file processing

  • 8192 — Access control list processing

  • 491520 — Log of communication with the database

  • 524288 — Schema related operations

  • 4194304 — Replication specific operations

  • 8388608 — Log of entries, operations and results for each connection

  • 16777216 — Trace function call arguments

  • 67108864 — Number and identity of clients connected to this server

  • 117440511 — All possible operations and data

-E character_set

Optional. The native character set encoding. Defaults to the character set of the user's terminal. Each supported character set has a unique acronym, for example, WE8MSWIN1252, JA16SJIS, or AL32UTF8.

4.13.3 Tasks and Examples for ldapsearch

Using the ldapsearch command-line tool, you can perform the following tasks:

4.13.3.1 Performing a Base Object Search

The following example performs a base-level search on the directory from the root.

  • -b specifies base DN for the search, root in this case.

  • -s specifies whether the search is a base search (base), one level search (one) or subtree search (sub).

  • "objectclass=*" specifies the filter for search.

Example:

ldapsearch -p 389 -h myhost -b "" -s base -v "objectclass=*"

4.13.3.2 Performing a One-Level Search

The following example performs a one level search starting at "ou=HR, ou=Americas, o=IMC, c=US".

Example:

ldapsearch -p 389 -h myhost -b "ou=HR, ou=Americas, o=IMC, c=US" -s one \
           -v "objectclass=*"

4.13.3.3 Performing a Subtree Search

The following example performs a subtree search and returns all entries having a DN starting with "cn=us".

Example:

ldapsearch -p 389 -h myhost -b "c=US" -s sub -v "cn=Person*"

4.13.3.4 Searching for Attribute Values of Entries

The following example returns only the DN attribute values of the matching entries:

Example:

ldapsearch -p 389 -h myhost -b "c=US" -s sub -v "objectclass=*" dn

The following example retrieves only the distinguished name along with the surname (sn) and description (description) attribute values:

Example:

ldapsearch -p 389 -h myhost -b "c=US" -s sub -v "cn=Person*" dn sn description

4.13.3.5 Searching for Entries with Attribute Options

The following example retrieves entries with common name (cn) attributes that have an option specifying a language code attribute option. This particular example retrieves entries in which the common names are in French and begin with the letter R.

Example:

ldapsearch -p 389 -h myhost -b "c=US" -s sub "cn;lang-fr=R*"

Suppose that, in the entry for John, no value is set for the cn;lang-it language code attribute option. In this case, the following example does not return John's entry:

Example:

ldapsearch -p 389 -h myhost -b "c=us" -s sub "cn;lang-it=Giovanni"

4.13.3.6 Searching for All User Attributes and Specified Operational Attributes

The following example retrieves all user attributes and the createtimestamp and orclguid operational attributes:

Example:

ldapsearch -p 389 -h myhost -b "ou=Benefits,ou=HR,ou=Americas,o=IMC,c=US" \
           -s sub "cn=Person*" "*" createtimestamp orclguid

The following example retrieves entries modified by Anne Smith:

Example:

ldapsearch -h sun1 -b "" "(&(objectclass=*)(modifiersname=cn=Anne
Smith))"

The following example retrieves entries modified between 01 April 2001 and 06 April 2001:

Example:

ldapsearch -h sun1 -b "" \
           "(&(objectclass=*)(modifytimestamp >= 20000401000000) \
           (modifytimestamp <= 20000406235959))"

Note:

Because modifiersname and modifytimestamp are not indexed attributes, use catalog.sh to index these two attributes. Then, restart the Oracle directory server before issuing the two previous ldapsearch commands.

4.13.3.7 Searching for Entries (More Examples)

Each of the following examples searches on port 389 of host sun1, and searches the whole subtree starting from the DN "ou=hr,o=acme,c=us".

The following example searches for all entries with any value for the objectclass attribute.

ldapsearch -p 389 -h sun1 -b "ou=hr, o=acme, c=us" -s subtree "objectclass=*"

The following example searches for all entries that have orcl at the beginning of the value for the objectclass attribute.

ldapsearch -p 389 -h sun1 -b "ou=hr, o=acme, c=us" -s subtree "objectclass=orcl*"

The following example searches for entries where the objectclass attribute begins with orcl and cn begins with foo.

ldapsearch -p 389 -h sun1 -b "ou=hr, o=acme, c=us" \
          -s subtree "(&(objectclass=orcl*)(cn=foo*))"

The following example searches for entries in which cn begins with foo or sn begins with bar.

ldapsearch -p 389 -h sun1 -b "ou=hr, o=acme, c=us" \
          -s subtree "(|(cn=foo*)(sn=bar*))"

The following example searches for entries in which employeenumber is less than or equal to 10000.

ldapsearch -p 389 -h sun1 -b "ou=hr, o=acme, c=us" \
           -s subtree "employeenumber<=10000"

4.13.4 Related Command-Line Tools for ldapsearch