Red Hat SummitChapter 4. LDAP search (ldapsearch) examples
The following examples provide the most common ldapsearches used for searching though the directory.
Prerequisites
- You perform the search for all entries in the directory.
-
You configured the directory to support anonymous access for search and read operations. Therefore, you do not need to use
-Wand-Doptions in the command to supply any bind information. For more information on anonymous access, see Granting anonymous access. - The server uses the default port number 389. You do not need to specify it in the search request.
-
The server has the
server.example.comhostname. -
You enabled TLS for the server on the port
636, the default LDAPS port number. -
Directory Server store all data under the
dc=example,dc=comsuffix.
Returning all entries
The following LDAP search returns all entries in the directory:
# ldapsearch -H ldap://server.example.com -b "dc=example,dc=com" -s sub -x "(objectclass=*)"
Use the (objectclass=*) search filter to return every entry in the directory. Each entry must have an object class, and the objectclass attribute is always indexed.
Specifying search filters on the command line
You can specify a search filter directly on the command by enclosing the filter in quotation marks ("filter"). If you supply the filter in the command, do not specify the -f option. For example, to specify the "cn=babs jensen", enter:
# ldapsearch -H ldap://server.example.com -b "dc=example,dc=com" -s sub -x "cn=babs jensen"Searching the Root DSE entry
The root DSE is a special entry that contains information about the directory server instance, including all of the suffixes that the local Directory Server supports. Search for this entry by supplying a search base of "", a search scope base, and the filter "objectclass=*", for example:
# ldapsearch -H ldap://server.example.com -x -b "" -s base "objectclass=*"Searching the schema entry
The cn=schema entry is a special entry that contains information about the directory schema, such as object classes and attribute types.
To list the content of the cn=schema entry, enter either of the following commands:
# ldapsearch -x -o ldif-wrap=no -b "cn=schema" \ '(objectClass=subSchema)' -s sub objectClasses attributeTypes matchingRules \ matchingRuleUse dITStructureRules nameForms ITContentRules ldapSyntaxesor
# ldapsearch -x -o ldif-wrap=no -b "cn=schema" \ '(objectClass=subSchema)' -s sub "+"Using LDAP_BASEDN variable
To simplify the search, you can set the search base by using the LDAP_BASEDN environment variable. You can set LDAP_BASEDN instead of using the ldapsearch command with the -b option. For more information about setting environment variables, see the documentation for the operating system.
Set LDAP_BASEDN to the directory suffix value. Because the directory suffix is equal to the root entry in the directory, all searches begin from the directory root entry.
For example, to set the LDAP_BASEDN variable to dc=example,dc=com and search for cn=babs jensen in the directory, enter:
# export LDAP_BASEDN="dc=example,dc=com"
# ldapsearch -H ldap://server.example.com -x "cn=babs jensen"
The command uses the default scope sub because the -s option was not supplied to specify the scope.
Displaying subsets of attributes
The ldapsearch command returns all search results in the LDIF format. By default, ldapsearch returns the entry distinguished name (DN) and all of the attributes that the user is allowed to read. You can set the directory access control to allow users to read only a subset of the attributes on any given directory entry.
Directory Server does not return operational attributes by default. To return operational attributes as a result of a search operation, explicitly specify these attributes in the search command or use the + argument to return all operational attributes. For more information, see Searching for operational attributes.
You can limit the returned attributes to a few specific attributes by specifying the required attributes on the command line after the search filter.
For example, to show the cn and sn attributes for every entry in the directory, enter:
# ldapsearch -H ldap://server.example.com -b "dc=example,dc=com" -s sub -x "(objectclass=*)" sn cn Searching for operational attributes
Operational attributes are special attributes that Directory Server sets itself. Directory Server uses operational attributes to perform maintenance tasks, such as processing access control instructions. These attributes show specific information about the entry, such as the time this entry was initially created and the name of the user who created it.
You can use operational attributes on every entry in the directory, even if the attribute is specifically defined for the object class of the entry.
Regular ldapsearch commands do not return operational attributes. According to RFC3673, use + to return all operational attributes in a search request:
# ldapsearch -H ldap://server.example.com -b "dc=example,dc=com" -s sub -x "(objectclass=*)" '+'
To return only certain defined operational attributes, explicitly specify them in the ldapsearch request:
# ldapsearch -H ldap://server.example.com -b "dc=example,dc=com" -s sub -x "(objectclass=*)" creatorsName createTimestamp modifiersName modifyTimestamp For the complete list of operational attributes, see Operational Attributes and Object Classes.
To return all of the regular entry attributes along with the specified operational attributes, use the special search attribute, "*", in addition to the operational attributes that you list.
# ldapsearch -H ldap://server.example.com -b "dc=example,dc=com" -s sub -x "(objectclass=*)" "*" aciNote that you must enclose the asterisk (*) in quotation marks to prevent the shell from interpreting it.
Specifying search filters by using a file
You can specify search filters in a file instead of entering them on the command line.
Specify each search filter on a separate line in the file. The ldapsearch command runs each search in the order in which it appears in the file.
For example, the file contains the following filters:
sn=example
givenname=user
The ldapsearch command first finds all the entries with the surname set to example, then all the entries with the givenname set to user. If the search request finds an entry that matches both search criteria, then the entry is returned twice.
In the following search, the filters are specified in a file named searchdb:
# ldapsearch -H ldap://server.example.com -x -f searchdb
You can limit the set of returned attributes by specifying the attribute names at the end of the search line. For example, the following ldapsearch command performs both searches but returns only the DN and the givenname and sn attributes of each entry:
# ldapsearch -H ldap://server.example.com -x -f searchdb sn givennameSpecifying DNs that contain commas in search filters
When a DN within a search filter contains a comma as part of its value, the search command must escape the comma with a backslash (\). For example, to find everyone in the example.com Bolivia, S.A. subtree, enter:
# ldapsearch -H ldap://server.example.com -x -s base -b "l=Bolivia\, S.A.,dc=example,dc=com" "objectclass=*"Using the nsRole virtual attribute in the filter
In the following example, the ldapsearch command searches for DNs of all user entries that contain the nsrole attribute set to the managed_role value:
# ldapsearch -H ldap://server.example.com -x -b "dc=example,dc=com" "(nsrole=cn=managed_role,dc=example,dc=com)" dnUsing a client certificate to bind to Directory Server
For more information about certificate-based authentication, see Configuring certificate-based authentication.
Searching with language matching rules
To explicitly submit a matching rule in a search filter, insert the matching rule after the attribute:
attr:matchingRule:=value
Matching rules are frequently used for searching internationalized directories. The following command searches for the department numbers after N4709 in the Swedish (2.16.840.1.113730.3.3.2.46.1) matching rule.
departmentNumber:2.16.840.1.113730.3.3.2.46.1:=>= N4709For more examples of performing internationalized searches, see Searching an Internationalized Directory.
Finding groups a user belongs to
To find all direct or indirect groups of which the user uid=jdoe,ou=people,dc=example,dc=com is a member, enter:
# ldapsearch -D "cn=Directory Manager" -W -H ldap://server.example.com -xLL -b "dc=example,dc=com" "(member:1.2.840.113556.1.4.1941:=uid=jdoe,ou=people,dc=example,dc=com)" dn
The search with inchainMatch matching rule does not support anonymous access. For more details about using the inchainMatch matching rule, see Using inchainMatch matching rule to find the ancestry of an LDAP entry.
Finding members of a group
To find all direct or indirect members of the marketing group, enter:
# ldapsearch -D "cn=Directory Manager" -W -H ldap://server.example.com -xLL -b "dc=example,dc=com" "(memberof:1.2.840.113556.1.4.1941:=cn=marketing,ou=groups,dc=example,dc=com)" dn
The search with inchainMatch matching rule does not support anonymous access. For more details about using the inchainMatch matching rule, see Using inchainMatch matching rule to find the ancestry of an LDAP entry.
Searching for attributes with bit field values
Bitwise searches use the bitwise AND or bitwise OR matching rules to perform bitwise search operations on attributes with values that are bit fields.
Attributes with values for bit fields are not common in LDAP. Default Directory Server schemas do not use bit fields as attribute syntax. However, several LDAP syntaxes support integer-style values. You can define custom attributes to use bit field values. Applications can use custom attributes to perform bitwise operations against bit field values.
The bitwise AND matching rule (1.2.840.113556.1.4.803) checks if the bit given in the assertion value is set in the bit field attribute value. It is similar to an equality search. The following example sets userAccountControl value to the bit that represents 2:
"(UserAccountControl:1.2.840.113556.1.4.803:=2)"
The following example show that the userAccountControl value must have all of the bits that are set in the value 6 (bits 2 and 4):
"(UserAccountControl:1.2.840.113556.1.4.803:=6)"
The bitwise OR matching rule (1.2.840.113556.1.4.804) checks if any of the bits in the assertion string are represented in the attribute value. It is similar to a substring search. In this example, the UserAccountControl value must have any of the bits that are set in the bit field of 6, meaning that the attribute value can be 2, 4, or 6:
"(UserAccountControl:1.2.840.113556.1.4.804:=6)"You can use bitwise searches with the Windows-Linux integration, such as using Samba file servers.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}