Chapter 10. Searching IdM entries using the ldapsearch command
You can use the ipa find command to search through the Identity Management entries. For more information about the ipa command, see the Structure of IPA commands section in the Accessing Identity Management services documentation.
This section introduces the basics of an alternative way to search the Identity Management entries: the ldapsearch command-line command.
10.1. Using the ldapsearch command
The ldapsearch command has the following format:
ldapsearch [-x | -Y mechanism] [options] [search_filter] [list_of_attributes]
- To configure the authentication method, specify the -x option to use simple binds or the -Y option to set the Simple Authentication and Security Layer (SASL) mechanism. Note that you need to obtain a Kerberos ticket if you are using the -Y GSSAPI option.
- The options are the ldapsearch command options described in a table below.
- The search_filter is an LDAP search filter.
- The list_of_attributes is a list of the attributes that the search results return.
For example, you want to search all the entries of a base LDAP tree for the user name user01:
ldapsearch -x -H ldap://ldap.example.com -s sub "(uid=user01)"
- The -x option tells the ldapsearch command to authenticate with the simple bind. Note that if you do not provide the Distinguished Name (DN) with the -D option, the authentication is anonymous.
- The -H option connects you to the ldap://ldap.example.com.
- The -s sub option tells the ldapsearch command to search all the entries, starting from the base DN, for the user with the name user01. The "(uid=user01)" is a filter.
Note that if you do not provide the starting point for the search with the -b option, the command searches in the default tree. The default tree is specified in the BASE parameter of the /etc/openldap/ldap.conf file.
| Option | Description |
|---|---|
| -b | The starting point for the search. If your search parameters contain an asterisk (*) or another character that the command line can interpret, you must wrap the value in single or double quotation marks. For example, |
| -D | The Distinguished Name (DN) with which you want to authenticate. |
| -H | An LDAP URL to connect to the server. The |
| -l | The time limit in seconds to wait for a search request to complete. |
| -s scope | The scope of the search. You can choose one of the following for the scope: |
| -W | Prompts for the password. |
| -x | Disables the default SASL connection to allow simple binds. |
| -Y SASL_mechanism | Sets the SASL mechanism for the authentication. |
| -z number | The maximum number of entries in the search result. |
Note that you must specify one of the authentication mechanisms, with the -x or -Y option, when you run the ldapsearch command.
10.2. Using the ldapsearch filters
The ldapsearch filters allow you to narrow down the search results.
For example, you want the search result to contain all the entries with a common name set to example:
"(cn=example)"
In this case, the equal sign (=) is the operator, and example is the value.
| Search type | Operator | Description |
|---|---|---|
| Equality | = | Returns the entries with the exact match to the value. For example, cn=example. |
| Substring | =string* string | Returns all entries with the substring match. For example, cn=exa*l. The asterisk (*) indicates zero (0) or more characters. |
| Greater than or equal to | >= | Returns all entries with attributes that are greater than or equal to the value. For example, uidNumber >= 5000. |
| Less than or equal to | <= | Returns all entries with attributes that are less than or equal to the value. For example, uidNumber <= 5000. |
| Presence | =* | Returns all entries that contain the attribute with one or more values. For example, cn=*. |
| Approximate | ~= | Returns all entries with attributes that are similar to the value. For example, l~=san fransico can return l=san francisco. |
You can use boolean operators to combine multiple filters in the ldapsearch command.
| Search type | Operator | Description |
|---|---|---|
| AND | & | Returns all entries where all statements in the filters are true. For example, (&(filter)(filter)(filter)…). |
| OR | \| | Returns all entries where at least one statement in the filters is true. For example, (\|(filter)(filter)(filter)…). |
| NOT | ! | Returns all entries where the statement in the filter is not true. For example, (!(filter)). |
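
Because the filter syntax above gives *, ( and ) a meaning of their own, a value that comes from user input must be escaped before it is placed in a filter, otherwise it can change what the search matches. The following is an added example, not part of the original documentation: it escapes a value as RFC 4515 requires and composes an AND filter from the uid and uidNumber attributes used on this page. The function names, the -z 10 and -l 5 limits, and the sample values are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original documentation).

# Escape a value for use inside an LDAP filter (RFC 4515): the backslash
# first, then *, ( and ), each written as a backslash plus two hex digits.
# (A NUL byte would become \00, but a shell string cannot contain one.)
ldap_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Compose (&(uid=<name>)(uidNumber>=<min>)).
#   $1 = user name, treated as untrusted and escaped
#   $2 = minimum uidNumber, rejected unless it is all digits
user_filter() {
    case $2 in
        ''|*[!0-9]*) echo "uidNumber must be numeric" >&2; return 1 ;;
    esac
    printf '(&(uid=%s)(uidNumber>=%s))' "$(ldap_escape "$1")" "$2"
}

# Run the search with the options from the table above. The filter is
# passed as one quoted argument so the shell does not interpret it.
# ldap.example.com is the placeholder host used on this page.
search_user() {
    f=$(user_filter "$1" "$2") || return 1
    ldapsearch -x -H ldap://ldap.example.com -s sub -z 10 -l 5 \
        "$f" uid cn uidNumber
}

# Constructed sample values: print the filters without contacting a server.
user_filter 'user01' 5000; echo
# Unescaped, exa*l is a substring match; escaped, it matches a literal asterisk.
user_filter 'exa*l' 5000; echo
ldap_escape 'a(b)\c'; echo
```

Numeric values such as uidNumber are validated rather than escaped, because nothing but digits is a legitimate value there.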