"ldapsearch" is a command-line utility for querying LDAP (Lightweight Directory Access Protocol) directories. LDAP is a protocol for accessing and managing directory information services, and it is commonly the backbone of centralized user authentication, authorization, and directory lookups in networked environments.
Key features and functionalities of ldapsearch include:
- Querying LDAP Directories: ldapsearch allows users to perform queries against LDAP directories to retrieve information stored within them. Users can specify search criteria such as attributes, filters, and search scopes to retrieve specific entries or subsets of data from the directory.
- Search Filters: ldapsearch supports the use of search filters, which allow users to narrow down search results based on specific criteria. Filters can be used to match entries based on attribute values, presence or absence of attributes, substring matches, and more, providing flexibility in querying LDAP directories.
- Output Formatting: ldapsearch provides options for formatting the output of search results, allowing users to specify the attributes to include in the output, control the format of the output, and customize the display of search results according to their preferences.
- Authentication and Security: ldapsearch supports simple authentication and SASL (Simple Authentication and Security Layer), so users can bind to the directory before querying it. It also provides options for secure connections (SSL/TLS) to the LDAP server so that query contents and results are protected in transit. Note that a password passed with -w appears on the command line, and therefore in the process list and shell history; the -y option reads the password from a file instead.
- Usage and Documentation: ldapsearch is well-documented; its manual page describes every option and parameter and includes usage examples for querying LDAP directories effectively.
ldapsearch Command Examples
1. Query an LDAP server for all items that are a member of the given group and return the object’s displayName value:
# ldapsearch -D '[admin_DN]' -w '[password]' -h [ldap_host] -b [base_ou] '[memberOf=group1]' displayName
2. Query an LDAP server with a no-newline password file for all items that are a member of the given group and return the object’s displayName value:
# ldapsearch -D '[admin_DN]' -y '[password_file]' -h [ldap_host] -b [base_ou] '[memberOf=group1]' displayName
3. Return at most 5 items that match the given filter (size limit):
# ldapsearch -D '[admin_DN]' -w '[password]' -h [ldap_host] -b [base_ou] '[memberOf=group1]' -z 5 displayName
4. Wait up to 7 seconds for a response (time limit):
# ldapsearch -D '[admin_DN]' -w '[password]' -h [ldap_host] -b [base_ou] '[memberOf=group1]' -l 7 displayName
5. Invert the filter:
# ldapsearch -D '[admin_DN]' -w '[password]' -h [ldap_host] -b [base_ou] '(!(memberOf=[group1]))' displayName
6. Return all items that are members of every one of the given groups, returning the display name for each item:
# ldapsearch -D '[admin_DN]' -w '[password]' -h [ldap_host] -b [base_ou] '(&(memberOf=[group1])(memberOf=[group2])(memberOf=[group3]))' displayName
7. Return all items that are members of at least 1 of the specified groups:
# ldapsearch -D '[admin_DN]' -w '[password]' -h [ldap_host] -b [base_ou] '(|(memberOf=[group1])(memberOf=[group2])(memberOf=[group3]))' displayName
8. Combine multiple boolean logic filters (members of group1 and group2 that are not members of group3):
# ldapsearch -D '[admin_DN]' -w '[password]' -h [ldap_host] -b [base_ou] '(&(memberOf=[group1])(memberOf=[group2])(!(memberOf=[group3])))' displayName
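The combined filters in examples 5 through 8 are easy to get wrong when assembled by hand or from script input: a stray space or unbalanced parenthesis breaks the filter, and an attribute value containing "*", "(" or ")" changes what the filter matches. As an added example that is not part of the original page, the Python helper below builds RFC 4515 filters with assertion values escaped and assembles an ldapsearch argument list that uses -y, -z and -l as the examples above do; the bind DN, password file path, host and base DN are illustrative.

```python
"""Build LDAP search filters for ldapsearch with assertion values escaped (RFC 4515)."""

# RFC 4515 section 3: these characters must be escaped inside an assertion value,
# otherwise data that ends up in a filter can alter the filter's structure.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_value(value: str) -> str:
    """Escape an assertion value so it is matched literally, never parsed as syntax."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def eq(attribute: str, value: str) -> str:
    """Equality match: (attribute=value). DNs such as memberOf values need no extra escaping."""
    return f"({attribute}={escape_value(value)})"


def and_(*filters: str) -> str:
    """AND of the given filters; no whitespace between components."""
    return "(&" + "".join(filters) + ")"


def or_(*filters: str) -> str:
    """OR of the given filters."""
    return "(|" + "".join(filters) + ")"


def not_(filt: str) -> str:
    """Negation of a single filter."""
    return f"(!{filt})"


def ldapsearch_argv(bind_dn, password_file, host, base, filt, *attrs,
                    size_limit=None, time_limit=None):
    """Argument list for ldapsearch, suitable for subprocess.run without a shell.

    -y reads the bind password from a file, keeping it out of `ps` and shell history.
    -H takes a URI; it is the current form of the -h host option used on this page.
    """
    argv = ["ldapsearch", "-D", bind_dn, "-y", password_file,
            "-H", f"ldap://{host}", "-b", base]
    if size_limit is not None:
        argv += ["-z", str(size_limit)]   # cap the number of entries returned
    if time_limit is not None:
        argv += ["-l", str(time_limit)]   # cap the search time in seconds
    return argv + [filt, *attrs]
```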
Summary
Overall, ldapsearch is a versatile and powerful tool for querying LDAP directories from the command line. Whether retrieving user information, group memberships, or other directory data, ldapsearch provides a convenient and efficient means of accessing and querying LDAP directories for various administrative and operational tasks.