
The ldapsearch command can be used to search for Organizational Units (OUs), People, and Groups in LDAP. In this example, entries in the example.com domain will be returned.
- The -H option is the LDAP URI
- The -x option means to use simple authentication instead of SASL (for example Kerberos)
- The -b option is the base LDAP distinguished name (DN)
The dc style is often used in a DNS based LDAP tree. This is the style Active Directory (AD) uses.
ldapsearch -x -H ldaps://ldap.example.com -b dc=example,dc=com
Novell's eDirectory is an o (organization) based tree.
ldapsearch -x -H ldaps://ldap.example.com -b o=acme
If the LDAP server requires authentication, the -D option supplies the identity to bind as and the upper case -W option prompts you for your password.
ldapsearch -x -H ldaps://ldap.example.com -b o=acme -D john.doe@example.com -W
Or the lower case -w option can be used to include your password on the command line. Keep in mind that a password passed this way is visible in the process list and is saved in your shell history, so -W is preferable on shared systems.
ldapsearch -x -H ldaps://ldap.example.com -b o=acme -D john.doe@example.com -w itsasecret
A uid (user ID) filter can be used to return only the entries that match a given UID.
ldapsearch -x -H ldaps://ldap.example.com -b dc=example,dc=com uid=JohnDoe
Likewise, a cn (common name) filter can be used to return only the entries that match a given cn.
ldapsearch -x -H ldaps://ldap.example.com -b dc=example,dc=com cn=JohnDoe
Even better, filter with both objectClass and cn.
ldapsearch -x -H ldaps://ldap.example.com -b dc=example,dc=com "(&(objectClass=person)(cn=JohnDoe))"
Be aware that if the value you are searching for contains whitespace, you do not place quotes around the value itself, since double quotes are already placed around the whole search filter.
ldapsearch -x -H ldaps://ldap.example.com -b dc=example,dc=com "(&(objectClass=person)(displayName=John Doe))"
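The filters above are typed by hand. When the value comes from somewhere else (a form field, a ticket, another script), the characters that RFC 4515 gives special meaning in a filter, namely backslash, parentheses and the asterisk, have to be escaped so that a value such as "John (Doe)" or "*" cannot change the shape of the filter. The script below is an added example and not part of the original article; it assumes OpenLDAP's ldapsearch, and the URI, base DN and bind identity are placeholders that can be overridden through environment variables.

```shell
#!/bin/sh
# Added example (not from the original article): build an ldapsearch filter
# from run-time values with RFC 4515 escaping, then query with -W so the
# bind password never appears on the command line.

# ldap_escape VALUE: escape backslash first (so later escapes are not
# re-escaped), then ( ) and * as \5c \28 \29 \2a.
ldap_escape() {
  printf '%s\n' "$1" | sed -e 's/\\/\\5c/g' -e 's/(/\\28/g' \
                           -e 's/)/\\29/g' -e 's/\*/\\2a/g'
}

# person_filter ATTRIBUTE VALUE -> "(&(objectClass=person)(ATTRIBUTE=VALUE))"
# The attribute name is chosen by the script, never taken from user input.
person_filter() {
  printf '(&(objectClass=person)(%s=%s))' "$1" "$(ldap_escape "$2")"
}

# search_person VALUE: look a person up by displayName, return only dn and
# mail, with comments and line wrapping switched off. Placeholder defaults
# (LDAP_URI, LDAP_BASE, LDAP_BIND_DN) are assumptions for this example.
search_person() {
  ldapsearch -x -LLL -o ldif-wrap=no \
    -H "${LDAP_URI:-ldaps://ldap.example.com}" \
    -b "${LDAP_BASE:-dc=example,dc=com}" \
    -D "${LDAP_BIND_DN:-john.doe@example.com}" -W \
    "$(person_filter displayName "$1")" dn mail
}

# Only contact the directory when a name is given on the command line.
if [ "$#" -gt 0 ]; then
  search_person "$1"
fi
```

Running `sh search.sh 'John Doe'` sends the filter `(&(objectClass=person)(displayName=John Doe))`, while `sh search.sh '*'` sends `(&(objectClass=person)(displayName=\2a))`, a literal asterisk rather than a wildcard.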
Following is an example of what could be returned by the ldapsearch command.
# extended LDIF
#
# LDAPv3
# base <DC=example,DC=com> with scope subtree
# filter: cn=JohnDoe
# requesting: ALL
#
dn: cn=JohnDoe,ou=People,dc=example,dc=com
uid: JohnDoe
cn: JohnDoe
sn: JohnDoe
mail: JohnDoe@example.com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}asldfjalkfjaslkfavkjalkalkvjalkvjalfjadofiasoifjelemlaemlakemla
shadowLastChange: 17483
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/JohnDoe
gecos: JohnDoe

dn: cn=admins,ou=Group,dc=example,dc=com
objectClass: PosixGroup
objectClass: top
cn: admins
userPassword: {crypt}x
gidNumber: 1003
memberUid: JohnDoe
Notice that by default, the top of the output includes a few comment lines. The -LLL flag can be used to NOT include those comment lines.
ldapsearch -x -LLL -H ldaps://ldap.example.com -b dc=example,dc=com cn=JohnDoe
The attribute name dn can be appended to the command to return only the dn (distinguished name). Notice in this example that the dn output is wrapped (at 79 characters).
ldapsearch -x -H ldaps://ldap.example.com -b DC=example,DC=com -D johndoe@example.com -W "(&(cn=jane.doe)(objectClass=person))" dn
dn: CN=jane.doe,OU=Marketing Department,OU=Person,DC=examp
le,DC=com
The -o ldif-wrap=no option can be used to NOT wrap lines at 79 characters.
ldapsearch -x -o ldif-wrap=no -H ldaps://ldap.example.com -b DC=example,DC=com -D johndoe@example.com -W "(&(cn=jane.doe)(objectClass=person))" dn
dn: CN=jane.doe,OU=Marketing Department,OU=Person,DC=example,DC=com