Using ldapsearch to search LDAP (Active Directory)
Prerequisites
Active Directory does not allow searches for anonymous binds, except for the Root DSE. Therefore you will need a username (known as a Bind DN and probably formatted as a UPN) and a password to perform a search. In these examples, the Bind DN is ldapbind@domain.internal and the password is ldappass.
You will need the IP address or name of an LDAP server to use. In these examples, it is dc01.
You will also need a search base. If you do not know this, you can retrieve it as follows by querying the Root DSE (the defaultNamingContext attribute). In this example, the search base to use is DC=domain,DC=internal:
dn:
defaultNamingContext: DC=domain,DC=internal
Simple search for everything
Use -W to be asked for the password or -w password to supply it on the command line:
Explanation of options:
- -H = LDAP server in URI format (ldaps:// for LDAP over TLS)
- -D = Bind DN
- -w = password for Bind DN given on command-line
- -W = be prompted for password for Bind DN
- -x = use simple authentication
- -L, -LL or -LLL = remove progressively more extraneous information from the returned results, such as comments and the LDIF version line
- -b = base for search
- -o ldif-wrap=no = don't line-wrap the results, otherwise long lines may get split
- -E pr=1000/noprompt = return multiple pages of up to 1000 objects each without prompting between pages. This avoids the Size limit exceeded (4) error, because searches of Active Directory performed without paging are limited to returning at most the first 1000 records.
Setting defaults
Default values can be set for the LDAP server, the Bind DN and the base. To do this, create a file called .ldaprc in your home area (i.e. ~/.ldaprc). An example is shown below:
BINDDN ldapbind@domain.internal
BASE DC=domain,DC=internal
This example will be used in the rest of the examples so as to reduce the options on the command-line.
Filters and attributes to return
After the command-line options you can specify a search filter. In the example above it is (objectclass=*), which means retrieve everything. To return user accounts, use (objectclass=person). To return computer accounts, use (objectclass=computer). To return groups, use (objectclass=group).
You may filter by any LDAP attribute, e.g. (sn=smith) will return all objects with surname smith; searches are not case-sensitive. Wildcards can be specified with *, so (sn=smi*) will return all objects with a surname beginning with smi.
AND operations can be specified by wrapping searches with &, as here: (&(objectclass=person)(sn=smith))
After the filter, you can give a list of attributes you want to return; otherwise all attributes will be returned.
Finally, the search result will include the Distinguished Name (DN) of each object. To filter this out, you can pipe the results through grep with | grep -v '^dn:'
Bringing this all together, here is an example returning the full name of all users whose surnames begin with smi:
Search for members of a group
To search for members of a group, use the memberOf attribute in the filter to specify the DN of the group. For example, this will return all users that are direct members of a group:
To search recursively (get all users that are members of a group that is itself a member of another group), use the magic 1.2.840.113556.1.4.1941 Object Identifier (OID)
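As an added example (not part of the original KB), the following POSIX shell functions assemble the surname-prefix search and the direct and nested group-membership searches described above, using the KB's values for server, Bind DN and base. Any value that comes from a user (a surname, a group DN) is escaped with the RFC 4515 rules first, so it cannot alter the filter's structure; the function and variable names are assumptions for this example.

```shell
#!/bin/sh
# Added example, not the KB's own code. Assumed values from the KB text.
LDAP_URI="ldaps://dc01"
BIND_DN="ldapbind@domain.internal"
BASE="DC=domain,DC=internal"

# Escape a value for use inside an LDAP filter (RFC 4515): backslash first,
# then the characters that would otherwise change the filter's structure.
ldap_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
        -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Users whose surname begins with a prefix. The wildcard is appended by us;
# a '*' inside the caller's prefix is escaped rather than treated as one.
surname_prefix_filter() {
    printf '(&(objectclass=person)(sn=%s*))' "$(ldap_escape "$1")"
}

# Users that are direct members of the group with the given DN.
direct_members_filter() {
    printf '(&(objectclass=person)(memberOf=%s))' "$(ldap_escape "$1")"
}

# Users that are members through any depth of nested groups, using the
# 1.2.840.113556.1.4.1941 matching-rule OID on memberOf.
nested_members_filter() {
    printf '(&(objectclass=person)(memberOf:1.2.840.113556.1.4.1941:=%s))' \
        "$(ldap_escape "$1")"
}

# Print the full ldapsearch command for a filter and attribute list.
# -W prompts for the password, so it never appears in the process list;
# -E pr=1000/noprompt pages past AD's 1000-record limit.
ad_search_cmd() {
    filter="$1"; shift
    printf 'ldapsearch -x -LLL -o ldif-wrap=no -E pr=1000/noprompt -H %s -D %s -W -b %s %s' \
        "$LDAP_URI" "$BIND_DN" "$BASE" "'$filter'"
    for attr in "$@"; do printf ' %s' "$attr"; done
    printf '\n'
}

# Example invocation: full name of all users whose surname begins with smi.
ad_search_cmd "$(surname_prefix_filter smi)" cn
```

Run the printed command (or call ldapsearch directly from ad_search_cmd) against the server; the output rows can be filtered with grep -v '^dn:' as described above.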