If you are using the directory server to manage your users and groups, see the Directory Server Administrator's Guide for more information on performing searches.
ldapsearch
You use ldapsearch to locate entries in your directory. You can use ldapsearch either with the directory server, or with a Netscape local directory that is bundled with the Netscape Administration Server.
You direct ldapsearch's actions through search filters.
ldapsearch can be located under the Netscape Administration Server at:
NSHOME\userdb\ldap\tools\ldapsearch
where NSHOME is the directory where you installed your Netscape Administration Server.
Search filters
Search filters select the entries to be returned by a search operation. They are most commonly used with the ldapsearch command-line utility. When you are using ldapsearch, you can place multiple search filters in a file, with each filter on a separate line, or you can specify a search filter directly on the command-line call to ldapsearch.
For example, the following filter specifies a search for a common name equal to Babs Jensen:
cn=babs jensen
Search filter syntax
The basic syntax of a search filter is:
attribute operator value
For example:
employeenumber >= 100
In this example, employeenumber is the attribute, >= is the operator, and 100 is the value. You can also define filters that use different attributes combined together using boolean operators.
The following sections describe search filters in detail.
Using attributes in search filters
When searching for an entry, you can specify attributes associated with that type of entry. For example, when you search for entries about people, you can use the cn attribute to search for people with a specific common name.
Examples of attributes for entries about people might include:
cn (the person's common name)
sn (the person's surname, or last name, or family name)
telephonenumber (the person's telephone number)
employeenumber (the person's employee number)
l (the location where you can find the person)
Using multiple search filters
Multiple search operations can be combined using boolean operators expressed in prefix notation as follows:
(boolean_operator((search operation)(search operation)(search operation)...))
where boolean_operator is any one of the boolean operators. In addition, boolean operators can be nested together to form complex expressions, such as:
(boolean_operator(search operation)((operator(search operation)(search operation)))
Boolean operators
The boolean operators available for use with search filters are:
Search filter examples
The following filter searches for entries containing the manager attribute. This is also known as a presence search:
manager=*
The following filter searches for entries containing the common name of Ray Kultgen. This is also known as an equality search:
cn=Ray Kultgen
The following filter returns any entries that do not contain the common name of Ray Kultgen:
(!(cn=Ray Kultgen))
The following filter returns any entries that contain a description attribute with a substring of X.500:
description=*X.500*
The following filter returns any entries whose organizational unit is Marketing and whose description field does not contain the substring X.500:
(&(ou=Marketing)(!(description=*X.500*)))
The following filter returns any entries whose organizational unit is Marketing and that have Julie Fulmer or Cindy Zwaska as a manager:
(&(ou=Marketing)(|(manager="cn=Julie Fulmer,ou=Marketing,o=Ace Industry,c=US")(manager="cn=Cindy Zwaska,ou=Marketing,o=Ace Industry,c=US")))
The following filter returns any entries that do not represent a person:
(!(objectClass=person))
The following filter returns any entries that do not represent a person and whose common name is similar to printer3b:
(&(!(objectClass=person))(cn~=printer3b))
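The filter forms above, evaluated against three constructed entries, as an added example that is not part of the original guide and is not the directory server's own matching code. The names parse_at, matches and search and the sample entries are hypothetical; the sketch assumes case-insensitive comparison, treats ~= as plain equality, and does not handle values that contain parentheses.

```python
import re

# Constructed sample entries (attribute -> values); not from a real directory.
ENTRIES = [
    {"cn": ["Ray Kultgen"], "ou": ["Marketing"], "objectclass": ["person"],
     "manager": ["cn=Julie Fulmer,ou=Marketing,o=Ace Industry,c=US"]},
    {"cn": ["Babs Jensen"], "ou": ["Marketing"], "objectclass": ["person"],
     "description": ["Maintains the X.500 gateway"], "employeenumber": ["142"]},
    {"cn": ["printer3b"], "ou": ["Engineering"], "objectclass": ["device"]},
]

def parse_at(s, i):  # parse one "(...)" starting at s[i]; return (node, next index)
    if s[i:i + 1] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if s[i:i + 1] in ("&", "|", "!"):            # boolean operator, prefix notation
        op, kids, i = s[i], [], i + 1
        while s[i:i + 1] == "(":
            kid, i = parse_at(s, i)
            kids.append(kid)
        if s[i:i + 1] != ")" or not kids or (op == "!" and len(kids) != 1):
            raise ValueError("malformed '%s' expression" % op)
        return (op, kids), i + 1
    end = s.find(")", i)                         # simplification: no ')' in values
    m = re.fullmatch(r"\s*([\w.-]+)\s*(>=|~=|=)\s*(.*?)\s*", s[i:max(end, i)])
    if end == -1 or not m:
        raise ValueError("malformed item at offset %d" % i)
    return ("item", m.group(1).lower(), m.group(2), m.group(3).strip('"')), end + 1

def matches(node, entry):
    if node[0] == "!":
        return not matches(node[1][0], entry)
    if node[0] in ("&", "|"):
        return (all if node[0] == "&" else any)(matches(k, entry) for k in node[1])
    _, attr, op, want = node
    values = entry.get(attr, [])
    if op == ">=":
        return any(v.isdigit() and int(v) >= int(want) for v in values)
    # "=" covers equality, presence (*) and substring (*x*); "~=" is treated as "="
    pattern = ".*".join(re.escape(part) for part in want.lower().split("*"))
    return any(re.fullmatch(pattern, v.lower()) for v in values)

def search(filter_text, entries=ENTRIES):
    text = filter_text.strip()
    if not text.startswith("("):                 # bare item, e.g. cn=babs jensen
        text = "(" + text + ")"
    tree, i = parse_at(text, 0)
    if i != len(text):
        raise ValueError("unbalanced or trailing text at offset %d" % i)
    return [e["cn"][0] for e in entries if matches(tree, e)]
```

An unbalanced filter raises ValueError instead of silently matching nothing, which is the failure a filter file with a dropped parenthesis would otherwise hide.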
Using ldapsearch
You use the ldapsearch command-line utility to locate and retrieve directory entries. This utility opens a connection to the specified server using the specified distinguished name and password, and locates entries based on a specified search filter. Alternatively, this utility can access a Netscape local directory and search it for entries. Search scopes can include a single entry, an entry's immediate subentries, or an entire tree or subtree.
Search results are returned in LDIF format.
Note
If you are using the directory server to manage your users and groups, see the
Directory Server Administrator's Guide for more information on performing
searches.
Using quotation marks
When using the ldapsearch command-line utility, you may need to specify values that contain characters that have special meaning to the command-line interpreter (such as space [ ], asterisk [*], backslash [\], and so forth). When this situation occurs, enclose the value in quotation marks (""). For example:
-D "cn=Barbara Jensen, ou=Product Development, o=Ace Industry, c=US"
Note
Depending on which command-line interpreter you are using, you should use
either single or double quotation marks for this purpose. Refer to your
operating system documentation for more information.
Commonly used ldapsearch parameters
To locate an entry in an existing database, use the ldapsearch command-line utility with the following parameters:
-D
Specifies the distinguished name with which to authenticate to the server. This
parameter is optional if anonymous access is supported by your server. If
specified, this value must be a DN recognized by the directory server or the
local directory, and it must also have the authority to search for the entries.
-w
Specifies the password associated with the distinguished name that is specified
in the -D option. This parameter is required if the -D option is specified.
-h
Specifies the name of the host on which the directory server is running.
-p
Specifies the port number that the directory server uses. Default is 389.
-C
Specifies the location of the configuration file for the local directory in which to
perform the search. By default, the location of this file is:
NSHOME\userdb\ldap\config\lcache.conf
where NSHOME is the directory where your administration server is installed.
This parameter is required if you are using this tool with a Netscape local
directory.
This parameter is supported only if you are using a Netscape local directory
bundled with the Netscape Administration Server.
-b
Specifies the starting point for the search. The value specified here must be a
distinguished name that currently exists in the database. This parameter is
optional if the LDAP_BASEDN environment variable has been set to a base DN.
The value specified in this parameter should be provided in double quotation
marks. For example: -b "cn=Barbara Jensen, ou=Product Development, o=Ace
Industry, c=US".
-s
Specifies the scope of the search. The scope can be one of the following:
base -- search only the entry specified in the -b option.
one -- search only the most immediate children of the entry specified in the -b parameter. Note that only the children are searched; the actual entry specified in the -b parameter is not searched.
sub -- search the entry specified in the -b parameter and all of its descendants. That is, perform a subtree search starting at the point identified in the -b parameter. This is the default.
-l
Specifies the maximum number of seconds to wait for a search request to complete. Regardless of the value specified here, ldapsearch will never wait longer than is allowed by the server's Time Limit parameter.
-z
Specifies the maximum number of entries to return in response to a search request. Regardless of the value specified here, ldapsearch will never return more entries than is allowed by the server's Size Limit parameter.
To further customize a search, use the following optional parameters:
-f
Specifies the file containing the search filter(s) to be used in the search. Search filters are described in "Search filters." Omit this parameter if you want to supply a search filter directly to the command line.
-A
Specifies that the search retrieve the attributes only, not the attribute values. This parameter is useful if you just want to determine if an attribute is present for an entry and you are not interested in the value.
-a
Specifies how alias dereferencing is completed. Value can be "never," "always," "search," or "find." Default value is "never".
-n
Specifies that the search is not to be actually performed, but that ldapsearch is to show what it would do with the specified input.
-R
Specifies that referrals are not to be followed automatically.
-S
Specifies the attribute to use as the sort criteria. The default is not to sort the returned entries. If the attribute is the zero-length string (""), the entries will be sorted by their distinguished name.
-t
Specifies that the results be written to a set of temporary files.
-u
Specifies that the user-friendly form of the distinguished name be used in the output.
-v
Specifies that the utility is to run in verbose mode.
-B
Legacy option. Not currently supported.
-F
Legacy option. Not currently supported.
-L
Legacy option. Not currently supported.
-o
Legacy option. Not currently supported.
Suppose:
searchdb
.
King~Pin
.
searchdb
file, and then enter the following command. Note that the local directory's configuration file is referenced with the -C option rather than an actual database location:
c:\netscape\userdb\ldap\tools\ldapsearch -b "cn=marketing, o=Ace Industry, c=US" -D "cn=Directory Manager, o=Ace Industry, c=US" -w King~Pin -C c:\netscape\userdb\ldap\config\lcache.conf -f searchdb
Suppose:
searchdb
.
cn=Directory Manager, o=Ace Industry, c=US
.
King~Pin
.
cyclops
.
searchdb
file, and then enter the following command:
Note
The following examples reference the ldapsearch tool that is bundled with the administration server. Netscape Directory Server also comes with the same utility. For information on locating this utility in the directory server distribution, see the Directory Server Administrator's Guide. You can find the ldapsearch command line utility with your administration server installation in the NSHOME/userdb/ldap/tools directory.
ldapsearch -b "cn=marketing, o=Ace Industry, c=US" -D "cn=Directory Manager, o=Ace Industry, c=US" -w King~Pin -h cyclops -p 845 -C NSHOME/userdb/ldap/config/lcache.conf -f searchdb
Note
For information on using SSL with this utility, refer to the Directory Server Administrator's Guide.
You can also specify a search filter directly on the call to the command line. If you do this, be sure to enclose your filter in quotation marks ("filter"). Also, do not specify the -f option. For example:
ldapsearch -b "cn=marketing, o=Ace Industry, c=US" -D "cn=Directory Manager, o=Ace Industry, c=US" -w King~Pin -C NSHOME/userdb/ldap/config/lcache.conf "cn=babs jensen"