The ldapsearch utility is found in the following location:
(UNIX, Linux) install-dir/bin
(Windows) install-dir\bat
The utility has the following format:
ldapsearch [optional-options] search-filter [optional-list-of-attributes]
optional-options are command-line options that must appear before the search filter.
search-filter is an LDAP search filter either specified on the command-line or in a file.
optional-list-of-attributes is a list of attribute names separated by spaces. The list of attributes must appear after the search filter.
The ldapsearch command has many options to search entries in the directory. Options are allowed in either their short form (for example, -b baseDN) or their long form (for example, --baseDN). The most common command options to use with ldapsearch are as follows:
-h, --hostname address
Specifies the host name or IP address of the directory server on which the search should be run. It can be an IP address or a resolvable name. If this is not provided, a default value of localhost is used.
-p, --port port
Specifies the directory server port. It must be an integer value between 1 and 65535, inclusive. If this is not provided, a default port of 389 is used.
-b, --baseDN baseDN
Specifies the base DN to use for the search operation. If a file containing multiple filters is provided using the --filename option, this base DN is used for all of the searches. This is a required option.
-s, --searchScope scope
Sets the scope for the search operation. Its value must be one of the following:
base. Searches only the entry specified by the --baseDN or -b option.
one. Searches only the entry specified by the --baseDN or -b option and its immediate children.
sub or subordinate. Searches the entire subtree whose base is the entry specified by the --baseDN or -b option. This is the default when no --searchScope option is provided.
-D, --bindDN bindDN
Specifies the DN to use when binding to the directory server through simple authentication. This option is not required when using SASL authentication or anonymous binding.
-w, --bindPassword password
Specifies the password to use when binding to the directory server. This option is used for simple authentication, as well as for password-based SASL mechanisms like CRAM-MD5, DIGEST-MD5, and PLAIN. It is not required if anonymous binding is used. This option must not be used in conjunction with the --bindPasswordFile option. To prompt for the password, type -w -.
-l, --timeLimit seconds
Sets the maximum length of time in seconds that the directory server should spend processing any search request. If this is not provided, no time limit is imposed by the client. Note that the directory server may enforce a lower time limit than the one requested by the client.
-z, --sizeLimit entries
Sets the maximum number of matching entries that the directory server should return to the client. If this is not provided, no maximum size is imposed by the client. Note that the directory server may enforce a lower size limit than the one requested by the client.
-S, --sortOrder sortOrder
Sorts the results before returning them to the client. The sort order is a comma-delimited list of sort keys, where each sort key consists of the following elements:
+/- (plus or minus sign). Indicates that the sort should be in ascending (+) or descending (-) order. If this value is omitted, the sort uses ascending order by default.
Attribute name. The name of the attribute on which to sort the data. This element is required.
Matching rule name or OID. An optional colon followed by the name or OID of the matching rule used to perform the sort. If this is not provided, the default ordering matching rule for the specified attribute type is used.
For example, the sort order string sn,givenName sorts the entries in ascending order first by sn and then by givenName. Alternately, using -modifyTimestamp, the directory server sorts on the modifyTimestamp attribute with the most recent values first.