LDapper Help

LDapper is an LDAP (Lightweight Directory Access Protocol) client. You can use LDapper to search an LDAP server for entries matching specified criteria. You can also browse an LDAP server hierarchically.
Unlike older versions of LDapper which used the LDAP framework (or OpenLDAP libraries) directly, this version is really a "wrapper" around the built-in LDAP utility ldapsearch included with Mac OS X. You can think of LDapper as a GUI "front-end" to ldapsearch. Many of the options and preferences you specify simply modify the command line arguments to the ldapsearch command.
The latest version of LDapper can be found here.
LDapper 4.0.1 - by Carl W. Bell
Copyright © 1997-2015 Baylor University.
Baylor's Boilerplate Fine Print
This software, data and/or documentation contain trade secrets and confidential
information which are proprietary to Baylor University. Their use or disclosure
in whole or in part without the express written permission of Baylor University
is prohibited.
This software, data and/or documentation are also unpublished works protected
under the copyright laws of the United States of America. If these works become
published, the following notice shall apply:
Copyright © 1997-2015 Baylor University
All Rights Reserved
The name of Baylor University may not be used to endorse or promote products
derived from this software without specific prior written permission. THIS
SOFTWARE, DATA AND/OR DOCUMENTATION ARE PROVIDED "AS IS" AND WITHOUT
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
When permission has been granted to make copies of this software, data and/or
documentation, the above notices must be retained on all copies.
Permission is hereby granted for non-commercial use and distribution of LDapper
4.0.1 (9-Apr-2015)
- Added back the ability to set "temporary" options for the current window.
- Some minor UI tweaks.
4.0 (10-Sep-2014)
- Initial release of version 4.0.
- Previous versions of LDapper were primarily intended to be used to find email addresses and provide LDAP functionality for email applications that didn't support LDAP directly. LDapper is now focused on more general searches. Many "email related" features have been removed.
- Passwords saved in your keychain now use "LDapper password" instead of "Internet password".
- No longer converts directories from old (pre-3.0) preferences.
- Directories no longer have specific attributes associated with them.
- Details Text now displays information for all selected entries.
- If LDAP server returns an authentication error (49) LDapper will display a reminder about pressing the Option key when searching to prompt for the password.
- Can now export information for multiple (or all) entries, not just the currently selected entry.
- Printing now uses a smaller font size rather than the default displayed font size.
- Converts saved searches from previous versions the first time 4.0 is run. If you later run an older version and make any changes to saved searches, those changes will not appear in 4.0.
- Directory popup menu now has a tooltip that displays the server and search base.
- Now displays the number of entries in the list (or "No entries found").
Choose the "File→New Search Window" menu command to open a new Search Window with default settings. You will need to have set up at least one directory in Preferences before you can do a search.
You can change several of the settings (e.g., the directory and search criteria) before doing a search. You can have up to 4 criteria for searching. Click the (+) and (-) buttons to add and remove criteria. When searching, LDapper will find entries that match ALL criteria (i.e., AND, not OR).
For each criterion, choose which attribute you want to search for. LDapper includes all of the basic attributes in the popup menu but you can also choose "Other..." to search for another, "non-basic", attribute. Next, choose the type of search (is, is similar to, contains, starts with, ends with, exists, is missing) and enter some text in the search field.
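The criteria described above correspond to an RFC 4515 search filter like the one ldapsearch expects. The following is an added example, not LDapper's own code: the mapping from search types to filter items, the attribute-name check and all function names are assumptions. The point it illustrates is that text typed into a search field must be escaped before it is placed in a filter.

```python
import re

# RFC 4515: these characters in an assertion value are written as a backslash
# followed by two hex digits, so typed text cannot alter the filter structure.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Attribute description: a short name or dotted OID, optionally with ;options
# (for example "sn;lang-en"). Used to check names entered through "Other...".
_ATTR_RE = re.compile(r"(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)(?:;[A-Za-z0-9-]+)*")

# Assumed mapping from the Search Window's search types to filter items.
_TEMPLATES = {
    "is": "({a}={v})",
    "is similar to": "({a}~={v})",
    "contains": "({a}=*{v}*)",
    "starts with": "({a}={v}*)",
    "ends with": "({a}=*{v})",
    "exists": "({a}=*)",
    "is missing": "(!({a}=*))",
}
_NEEDS_TEXT = {"is", "is similar to", "contains", "starts with", "ends with"}
MAX_CRITERIA = 4  # the Search Window allows up to 4 criteria


def escape_value(text):
    """Escape filter metacharacters in user-supplied search text."""
    return "".join(_ESCAPES.get(ch, ch) for ch in text)


def filter_item(attribute, search_type, text=""):
    """Build one filter item such as (sn=smith) from a single criterion."""
    if not _ATTR_RE.fullmatch(attribute):
        raise ValueError(f"not a valid attribute description: {attribute!r}")
    if search_type not in _TEMPLATES:
        raise ValueError(f"unknown search type: {search_type!r}")
    if search_type in _NEEDS_TEXT and not text:
        raise ValueError(f"search type {search_type!r} needs some text")
    return _TEMPLATES[search_type].format(a=attribute, v=escape_value(text))


def build_filter(criteria):
    """Combine 1 to 4 (attribute, search_type[, text]) tuples with AND."""
    if not 1 <= len(criteria) <= MAX_CRITERIA:
        raise ValueError("between 1 and 4 criteria are required")
    items = [filter_item(*criterion) for criterion in criteria]
    return items[0] if len(items) == 1 else "(&" + "".join(items) + ")"


if __name__ == "__main__":
    # Constructed sample criteria.
    print(build_filter([("sn", "is", "smith")]))
    print(build_filter([("o", "starts with", "University"),
                        ("description", "is missing")]))
    # Search text containing filter metacharacters stays a literal value.
    print(build_filter([("cn", "contains", "*)(uid=*")]))
```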
After you have specified the search criteria, click the Search button or choose the "LDAP→Search" menu command.
If required, you will be prompted for a password. If your password is stored in your keychain but you don't want to use it for some reason, or if you need to specify/change your identification, press the Option key while starting a search and you will be prompted to enter a password. You can choose to save the new password in your keychain.
When searching, LDapper will build the ldapsearch command using the options you specify and then run ldapsearch. It will parse any output from the ldapsearch command and add the entries returned to the Entry List. If you select one or more entries in the Entry List, their information (i.e., returned attributes and their values) will appear in the Details Text at the bottom of the window. LDapper can also save all of the output from the ldapsearch command. You can switch between the Details Text and the Command Output Text by clicking on the "Details/Output" buttons. LDapper adds the actual ldapsearch command and its arguments at the top of the Command Output Text. You should be able to copy the command and paste it in Terminal to run the ldapsearch command directly. If you just want to get the command but not actually perform a search, press the Control key while starting a search. Also, any error text (i.e., stderr) will appear below the output.
When you first open a Search Window, LDapper adds columns to the Entry List for specific attributes. After you perform a search, LDapper can add any newly discovered attributes returned from the server and add columns for those attributes. Depending on your Preferences settings, columns for some returned attributes may not be shown after a search. Right-click (or control-click) in the Entry List header to view a popup menu where you can show/hide various columns.
Images and binary values cannot be displayed in the Entry List. Instead, you will see "(exists)" if that entry has a value. If an entry has multiple values for some attribute, you will see "(multiple values)". Move the cursor over that text to get a tooltip that displays the values. Images, binary values, and attributes with multiple values can all be found in the Details Text.
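The parsing and display rules described above can be sketched as a small LDIF reader. This is an added example, not LDapper's own parser: the function names, the default set of binary attributes and the precedence of "(multiple values)" over "(exists)" are assumptions, and the sample output is constructed.

```python
import base64

# Constructed sample of ldapsearch output (extended LDIF).
SAMPLE = """\
version: 1

# jts, example, com
dn: uid=jts,dc=example,dc=com
cn: John Smith
cn: John T. Smith
sn: Smith
telephoneNumber: 1 555
  123-4567
description:: QsO8cm8gMTIz
jpegPhoto:: /9j/4AAQSkZJRg==

dn: uid=sss,dc=example,dc=com
cn: Steve Smith
sn: Smith

# search result
search: 2
result: 0 Success
"""


def unfold(text):
    """Join folded lines: a line starting with one space continues the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def _value(name, rest, decode_base64, binary_attrs):
    if rest.startswith(":"):                 # "attr:: <base64>"
        encoded = rest[1:].strip()
        if not decode_base64:
            return encoded
        raw = base64.b64decode(encoded, validate=True)
        if name.split(";")[0].lower() in binary_attrs:
            return raw                       # image or binary attribute: keep bytes
        try:
            return raw.decode("utf-8")       # text with special characters
        except UnicodeDecodeError:
            return raw
    if rest.startswith("<"):                 # "attr:< file:///..." as written by -t
        return rest[1:].strip()
    return rest.lstrip(" ")


def parse_ldif(text, decode_base64=True, binary_attrs=frozenset({"jpegphoto", "audio"})):
    """Return a list of {"dn": ..., "attrs": {name: [values]}} entries."""
    entries, current = [], None
    for line in unfold(text) + [""]:
        if line.startswith("#"):
            continue                         # comment (possibly folded)
        if not line.strip():                 # blank line ends the current record
            if current:
                entries.append(current)
            current = None
            continue
        name, sep, rest = line.partition(":")
        if not sep:
            raise ValueError(f"not an LDIF line: {line!r}")
        value = _value(name, rest, decode_base64, binary_attrs)
        if name.lower() == "dn":
            if current:
                entries.append(current)
            current = {"dn": value, "attrs": {}}
        elif current is not None:            # lines outside an entry are ignored
            current["attrs"].setdefault(name, []).append(value)
    return entries


def cell(values):
    """Text for one Entry List cell, following the display rules described above."""
    if not values:
        return ""
    if len(values) > 1:
        return "(multiple values)"
    return "(exists)" if isinstance(values[0], bytes) else values[0]


def entry_row(entry, columns):
    return [cell(entry["attrs"].get(column, [])) for column in columns]
```

Lines that are not valid LDIF, such as interleaved debug output, raise ValueError here rather than being guessed at.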
Choose the "File→Export Entries..." menu command to export the results of all or selected entries in the Entry List.
To save the information displayed in the Details Text, export as Plain Text (.txt) or Rich Text Format (.rtf). If any of the entries to be exported contain images, you can save as Rich Text Format with Attachments (.rtfd) to include the photos in the file. Note that an exported photo may be resized so that the maximum height or width is 256 pixels, so it may be smaller than the actual image in the directory. You can also drag individual images from the Details text and LDapper will create jpeg files.
You can also export the entries in tabular format by exporting as Tab Delimited or Comma Separated Values. LDapper will export all columns, displayed or not, or you can specify that only visible columns be exported. There is also an option to export all of the attribute names as the first row of the file. You can also export the contents of the Command Output Text. This is always exported as plain text.
You can Copy the selected entries to place them (in tab delimited format) on the Mac Clipboard. This will only copy visible columns. Hold down the Option key before you Copy to include the attribute names as the first row. You can also drag and drop selected entries from the Entry List. And finally, if you double-click a value, you can copy its text directly. (You cannot modify it.)
When printing, click the "Show Details" button in the Print Window and you will see a popup button that allows you to select what to print - Details (Selected), Details (All), or Command Output. If you select "Print Summary Information" LDapper will include information about the search at the top of the first page. You can also modify the margins here.
Choose the "File→New Browse Window" menu command to open a new Browse Window. This will allow you to browse an LDAP server hierarchically, starting with the directory's Search Base. Click the small triangle to the left of an entry to expand it. This will display all of the entries one "level" down. Click the small triangle again to collapse the list. Selecting an entry will display its attributes and values in the Details Text below the list. LDapper only fetches an entry's information from the server when you actually select it. Unlike a Search Window, you cannot copy (or drag and drop) individual entries from the list but you can still export entries (and Command Output) to a file.
LDapper will remember the last search and use its criteria when you open a new search window.
LDapper also allows you to save searches, similar to a web browser's bookmarks. To view them, choose the "Window→Saved Searches" menu command. You can add, modify, and delete searches from this window. To save the criteria in an active Search Window, choose the "LDAP→Saved Searches→Save Current Search" menu command. You can reorder the saved searches by dragging them.
Each saved search has a name which appears in the Saved Searches menu. Choosing a saved search from that menu will apply that search's criteria to the Search Window, or if there isn't one, open a new Search Window with that search. You can also drag a saved search to a Search Window to use it (or click the "Use Selected Search" button.)
You can modify several options to use when performing a search:
- Fetch attributes - which attributes should be fetched from the server? The choices are All, Minimal, Operational, All + Operational, and None. The default is to fetch All attributes. "Minimal" will fetch only "basic" attributes and any other explicitly searched attributes. "Operational" returns attributes used by servers for administering the directory system itself. "None" will return just the "distinguished names" (dn) of any matching entries.
- Max # hits - the maximum number of responses you want to receive from the LDAP server. Set this to 0 to indicate no limit. The default is 100. Note that there may be a limit set by the server. One interesting thing related to this value is that if your search uses too many resources on the server (e.g., searching on a non-indexed attribute) LDapper may receive a "max hits exceeded" error from the server even though there really weren't that many matches. This probably won't happen on normal searches.
- Time limit - wait at most this long for a search to complete. Set this to 0 to wait forever. The default is 60 seconds.
- Connect timeout - wait at most this long for the initial network connection to the LDAP server to complete. This is a different timeout value than "Time limit" above. Note that if you have specified Request/Require StartTLS, this option is not used, so if LDapper is unable to connect, you will probably end up waiting until the connection is timed out by the operating system, usually 75 seconds. I don't know if this is by design or a bug in ldapsearch.
- Show friendly attributes - specifies how attributes should be displayed in the "Details" text field. If enabled, a more descriptive attribute is used (e.g., "Last Name" instead of "sn"). If disabled, the actual attribute is displayed. This setting also affects the column headers in a Search Window's entry list.
- Decode Base64 - should values that include Base64 encoded data (e.g., photos or text data with special characters) be decoded when adding to the entry list? Note that even if this is enabled, the Base64 encoded value will still appear in the Command Output text because it is meant to display the ldapsearch output verbatim.
- Discard output - should output from the ldapsearch command be discarded instead of added to the Command Output text?
- Debug level - enables and specifies the debug level for the ldapsearch command. Note that the extra info returned by ldapsearch may make it impossible for LDapper to parse the results correctly. You can see the debug/trace results in the "Command Output" text.
You will need to set up at least one directory before you can do a search. To add a directory, click the add [+] button below the Directories list. If you hold down the option key while clicking the add button, a copy of the selected directory will be added. Click the delete [-] or edit [pencil] buttons to delete or edit directories. You can rearrange the directories in the list by dragging them. This will affect the order that they appear in a Search/Browse window's directory menu.
There may be times when you need to copy directory settings to another Mac. Rather than reentering all of the settings manually, you can export all or selected directories to a file. This will be a property list (.plist) file which may be (carefully) edited if necessary. You can then import that file on a different Mac.
When editing a directory you can specify the directory's name (which can be whatever you want, but must be unique), the LDAP server's URI (e.g., "ldap://ldap.example.com/"), and an optional (but sometimes not so optional) search base. You can specify a TCP port if it is different from the normal LDAP port (389) by adding a ":port#" to the end of the URI. Although LDAP URIs can contain many things, LDapper only uses the server and port. If your directory supports StartTLS, you can have LDapper request (or require) TLS. By default, LDapper assumes that an LDAP server is an LDAPv3 server but you can tell it that your server is LDAPv2 if necessary.
Searching a directory may require authentication. While editing the directory, click the "Authentication" tab. LDapper supports several authentication methods:
- Anonymous - No authentication.
- Simple - No Password Required - Uses an ID (probably your "distinguished name") but no password.
- Simple - With Password - Uses an ID and a password. Although the ldapsearch command supports specifying the password on the command line, this is a potential security risk. Instead, LDapper will use ldapsearch's -W option which tells ldapsearch to prompt for the password. You may see the prompt (but not your password) included in the Command Output text.
- SASL - Simple Authentication and Security Layer. For SASL authentication, LDapper simply passes any options you specify (e.g., SASL mechanism or properties) to the ldapsearch command.
Most users will probably use "Simple - With Password". LDapper can store the directory's password in the Mac OS X keychain so you won't be required to enter it every time you search. If the password stored in your keychain gets out of sync with the password on the server (e.g., you changed your password), press the Option key when searching and LDapper will ignore the keychain and prompt you for the password. You will be able to save the new (and correct) password in your keychain. LDapper can also run the ldapwhoami command that you can use to test your authentication/authorization credentials.
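The way directory settings, search options and the authentication method turn into ldapsearch arguments can be sketched as follows. This is an added example, not LDapper's own code: the settings dictionary layout and all function names are assumptions, while the flags are those listed in the ldapsearch documentation reproduced at the end of this page. The command is built as an argument list, the password is never placed in it, and `audit` flags a command that would send a simple-bind password without required TLS.

```python
import shlex
from urllib.parse import urlsplit

# Attribute lists for the "Fetch attributes" choices, as documented for ldapsearch.
FETCH = {"all": ["*"], "operational": ["+"], "all+operational": ["*", "+"], "none": ["1.1"]}
STARTTLS = {"off": [], "request": ["-Z"], "require": ["-ZZ"]}


def server_uri(uri_text):
    """Keep only the scheme, host and port of the directory's URI."""
    uri = urlsplit(uri_text)
    if uri.scheme not in ("ldap", "ldaps") or not uri.hostname:
        raise ValueError("expected an ldap:// or ldaps:// URI with a host")
    host = f"[{uri.hostname}]" if ":" in uri.hostname else uri.hostname
    port = f":{uri.port}" if uri.port else ""   # .port raises ValueError if not numeric
    return f"{uri.scheme}://{host}{port}/"


def bind_args(directory):
    """Arguments for the four authentication methods; never emits -w."""
    auth = directory.get("auth", "anonymous")
    if auth == "anonymous":
        return ["-x"]
    if auth == "simple":
        return ["-x", "-D", directory["bind_dn"]]
    if auth == "simple+password":
        return ["-x", "-D", directory["bind_dn"], "-W"]   # ldapsearch prompts
    if auth == "sasl":
        return ["-Y", directory["sasl_mech"]]
    raise ValueError(f"unknown authentication method: {auth!r}")


def build_argv(directory, ldap_filter, fetch="all", max_hits=100,
               time_limit=60, connect_timeout=None):
    """Build the argument list; pass it to subprocess without a shell."""
    if not ldap_filter.startswith("("):
        raise ValueError("filter must be a parenthesised RFC 4515 filter")
    argv = ["ldapsearch", "-H", server_uri(directory["uri"])]
    if directory.get("search_base"):
        argv += ["-b", directory["search_base"]]
    argv += ["-P", str(directory.get("protocol", 3))]
    argv += STARTTLS[directory.get("starttls", "off")]
    argv += bind_args(directory)
    argv += ["-z", str(max_hits), "-l", str(time_limit)]   # 0 means no limit
    if connect_timeout:
        argv += ["-o", f"nettimeout={connect_timeout}"]
    return argv + [ldap_filter] + FETCH[fetch]


def command_line(argv):
    """Shell-quoted form, suitable for display or pasting into Terminal."""
    return shlex.join(argv)


def audit(argv):
    """Check an argument list (one flag per element) for credential exposure."""
    findings = []
    if "-w" in argv:
        findings.append("-w puts the bind password in the process arguments")
    uri = argv[argv.index("-H") + 1] if "-H" in argv[:-1] else ""
    sends_password = any(flag in argv for flag in ("-W", "-w", "-y"))
    if (sends_password and "-x" in argv
            and not uri.startswith("ldaps://") and "-ZZ" not in argv):
        findings.append("simple bind password is sent without required TLS")
    return findings
```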
In LDapper, there are three different types of LDAP attributes: normal, image, and binary. Most attributes are normal and contain simple, text values. Image attributes contain, unsurprisingly, base64 encoded images as their values. Binary attributes contain base64 encoded non-text values. Image (and binary) values cannot be displayed in a Search Window's entry list but will be included in the Details text. Also, you cannot search for image or binary attributes other than for their existence (or lack thereof).
There are many default attributes that LDapper already knows about. You can also add your own custom attributes. Each attribute has several properties - the attribute's name ("sn"), its "friendly name" ("Last Name"), and its type (normal, image, or binary). Some attributes are considered "basic" attributes and are included in a Search Window's popup menus, etc. Some attributes are automatically shown as columns in a Search Window's entry list.
When searching, LDapper can automatically add any returned attributes to your custom attributes. It can also automatically display those attributes in columns. Note that if an attribute is not in the list, it cannot be displayed in a column, although it will still appear in the Details text.
When searching or browsing an LDAP directory, LDapper uses the ldapsearch command that is included with Mac OS X. The ldapsearch command is part of the OpenLDAP Project.
LDAPSEARCH(1)                                                  LDAPSEARCH(1)

NAME
    ldapsearch - LDAP search tool

SYNOPSIS
    ldapsearch [-n] [-c] [-u] [-v] [-t[t]] [-T path] [-F prefix] [-A]
    [-L[L[L]]] [-M[M]] [-S attribute] [-d debuglevel] [-f file] [-x]
    [-D binddn] [-W] [-w passwd] [-y passwdfile] [-H ldapuri] [-h ldaphost]
    [-p ldapport] [-b searchbase] [-s {base|one|sub|children}]
    [-a {never|always|search|find}] [-P {2|3}] [-e [!]ext[=extparam]]
    [-E [!]ext[=extparam]] [-l timelimit] [-z sizelimit]
    [-O security-properties] [-I] [-Q] [-U authcid] [-R realm]
    [-X authzid] [-Y mech] [-Z[Z]] filter [attrs...]

DESCRIPTION
    ldapsearch is a shell-accessible interface to the ldap_search_ext(3)
    library call.

    ldapsearch opens a connection to an LDAP server, binds, and performs a
    search using specified parameters. The filter should conform to the
    string representation for search filters as defined in RFC 4515. If not
    provided, the default filter, (objectClass=*), is used.

    If ldapsearch finds one or more entries, the attributes specified by
    attrs are returned. If * is listed, all user attributes are returned.
    If + is listed, all operational attributes are returned. If no attrs
    are listed, all user attributes are returned. If only 1.1 is listed, no
    attributes will be returned.

    The search results are displayed using an extended version of LDIF.
    Option -L controls the format of the output.

OPTIONS
    -n  Show what would be done, but don't actually perform the search.
        Useful for debugging in conjunction with -v.

    -c  Continuous operation mode. Errors are reported, but ldapsearch will
        continue with searches. The default is to exit after reporting an
        error. Only useful in conjunction with -f.

    -u  Include the User Friendly Name form of the Distinguished Name (DN)
        in the output.

    -v  Run in verbose mode, with many diagnostics written to standard
        output.

    -t[t]
        A single -t writes retrieved non-printable values to a set of
        temporary files. This is useful for dealing with values containing
        non-character data such as jpegPhoto or audio. A second -t writes
        all retrieved values to files.

    -T path
        Write temporary files to directory specified by path (default:
        /var/tmp/)

    -F prefix
        URL prefix for temporary files. Default is file://path where path
        is /var/tmp/ or specified with -T.

    -A  Retrieve attributes only (no values). This is useful when you just
        want to see if an attribute is present in an entry and are not
        interested in the specific values.

    -L  Search results are display in LDAP Data Interchange Format detailed
        in ldif(5). A single -L restricts the output to LDIFv1. A second -L
        disables comments. A third -L disables printing of the LDIF
        version. The default is to use an extended version of LDIF.

    -M[M]
        Enable manage DSA IT control. -MM makes control critical.

    -S attribute
        Sort the entries returned based on attribute. The default is not to
        sort entries returned. If attribute is a zero-length string (""),
        the entries are sorted by the components of their Distinguished
        Name. See ldap_sort(3) for more details. Note that ldapsearch
        normally prints out entries as it receives them. The use of the -S
        option defeats this behavior, causing all entries to be retrieved,
        then sorted, then printed.

    -d debuglevel
        Set the LDAP debugging level to debuglevel. ldapsearch must be
        compiled with LDAP_DEBUG defined for this option to have any
        effect.

    -f file
        Read a series of lines from file, performing one LDAP search for
        each line. In this case, the filter given on the command line is
        treated as a pattern where the first and only occurrence of %s is
        replaced with a line from file. Any other occurrence of the the %
        character in the pattern will be regarded as an error. Where it is
        desired that the search filter include a % character, the character
        should be encoded as \25 (see RFC 4515). If file is a single -
        character, then the lines are read from standard input. ldapsearch
        will exit when the first non-successful search result is returned,
        unless -c is used.

    -x  Use simple authentication instead of SASL.

    -D binddn
        Use the Distinguished Name binddn to bind to the LDAP directory.
        For SASL binds, the server is expected to ignore this value.

    -W  Prompt for simple authentication. This is used instead of
        specifying the password on the command line.

    -w passwd
        Use passwd as the password for simple authentication.

    -y passwdfile
        Use complete contents of passwdfile as the password for simple
        authentication.

    -H ldapuri
        Specify URI(s) referring to the ldap server(s); a list of URI,
        separated by whitespace or commas is expected; only the
        protocol/host/port fields are allowed. As an exception, if no
        host/port is specified, but a DN is, the DN is used to look up the
        corresponding host(s) using the DNS SRV records, according to RFC
        2782. The DN must be a non-empty sequence of AVAs whose attribute
        type is "dc" (domain component), and must be escaped according to
        RFC 2396.

    -h ldaphost
        Specify an alternate host on which the ldap server is running.
        Deprecated in favor of -H.

    -p ldapport
        Specify an alternate TCP port where the ldap server is listening.
        Deprecated in favor of -H.

    -b searchbase
        Use searchbase as the starting point for the search instead of the
        default.

    -s {base|one|sub|children}
        Specify the scope of the search to be one of base, one, sub, or
        children to specify a base object, one-level, subtree, or children
        search. The default is sub. Note: children scope requires LDAPv3
        subordinate feature extension.

    -a {never|always|search|find}
        Specify how aliases dereferencing is done. Should be one of never,
        always, search, or find to specify that aliases are never
        dereferenced, always dereferenced, dereferenced when searching, or
        dereferenced only when locating the base object for the search.
        The default is to never dereference aliases.

    -P {2|3}
        Specify the LDAP protocol version to use.

    -e [!]ext[=extparam]
    -E [!]ext[=extparam]
        Specify general extensions with -e and search extensions with -E.
        '!' indicates criticality.

        General extensions:
          [!]assert=<filter>      (an RFC 4515 Filter)
          [!]authzid=<authzid>    ("dn:<dn>" or "u:<user>")
          [!]manageDSAit
          [!]noop
          ppolicy
          [!]postread[=<attrs>]   (a comma-separated attribute list)
          [!]preread[=<attrs>]    (a comma-separated attribute list)
          abandon, cancel (SIGINT sends abandon/cancel; not really controls)

        Search extensions:
          [!]domainScope                               (domain scope)
          [!]mv=<filter>                               (matched values filter)
          [!]pr=<size>[/prompt|noprompt]               (paged results/prompt)
          [!]sss=[-]<attr[:OID]>[/[-]<attr[:OID]>...]  (server side sorting)
          [!]subentries[=true|false]                   (subentries)
          [!]sync=ro[/<cookie>]                        (LDAP Sync refreshOnly)
                  rp[/<cookie>][/<slimit>]             (LDAP Sync refreshAndPersist)
          [!]vlv=<before>/<after>(/<offset>/<count>|:<value>)
                                                       (virtual list view)

    -l timelimit
        wait at most timelimit seconds for a search to complete. A
        timelimit of 0 (zero) or none means no limit. A timelimit of max
        means the maximum integer allowable by the protocol. A server may
        impose a maximal timelimit which only the root user may override.

    -z sizelimit
        retrieve at most sizelimit entries for a search. A sizelimit of 0
        (zero) or none means no limit. A sizelimit of max means the maximum
        integer allowable by the protocol. A server may impose a maximal
        sizelimit which only the root user may override.

    -O security-properties
        Specify SASL security properties.

    -I  Enable SASL Interactive mode. Always prompt. Default is to prompt
        only as needed.

    -Q  Enable SASL Quiet mode. Never prompt.

    -U authcid
        Specify the authentication ID for SASL bind. The form of the ID
        depends on the actual SASL mechanism used.

    -R realm
        Specify the realm of authentication ID for SASL bind. The form of
        the realm depends on the actual SASL mechanism used.

    -X authzid
        Specify the requested authorization ID for SASL bind. authzid must
        be one of the following formats: dn:<distinguished name> or
        u:<username>

    -Y mech
        Specify the SASL mechanism to be used for authentication. If it's
        not specified, the program will choose the best mechanism the
        server knows.

    -Z[Z]
        Issue StartTLS (Transport Layer Security) extended operation. If
        you use -ZZ, the command will require the operation to be
        successful.

OUTPUT FORMAT
    If one or more entries are found, each entry is written to standard
    output in LDAP Data Interchange Format or ldif(5):

        version: 1

        # bjensen, example, net
        dn: uid=bjensen,dc=example,dc=net
        objectClass: person
        objectClass: dcObject
        uid: bjensen
        cn: Barbara Jensen
        sn: Jensen
        ...

    If the -t option is used, the URI of a temporary file is used in place
    of the actual value. If the -A option is given, only the
    "attributename" part is written.

EXAMPLE
    The following command:

        ldapsearch -LLL "(sn=smith)" cn sn telephoneNumber

    will perform a subtree search (using the default search base and other
    parameters defined in ldap.conf(5)) for entries with a surname (sn) of
    smith. The common name (cn), surname (sn) and telephoneNumber values
    will be retrieved and printed to standard output. The output might look
    something like this if two entries are found:

        dn: uid=jts,dc=example,dc=com
        cn: John Smith
        cn: John T. Smith
        sn: Smith
        sn;lang-en: Smith
        sn;lang-de: Schmidt
        telephoneNumber: 1 555 123-4567

        dn: uid=sss,dc=example,dc=com
        cn: Steve Smith
        cn: Steve S. Smith
        sn: Smith
        sn;lang-en: Smith
        sn;lang-de: Schmidt
        telephoneNumber: 1 555 765-4321

    The command:

        ldapsearch -LLL -u -t "(uid=xyz)" jpegPhoto audio

    will perform a subtree search using the default search base for entries
    with user id of "xyz". The user friendly form of the entry's DN will be
    output after the line that contains the DN itself, and the jpegPhoto
    and audio values will be retrieved and written to temporary files. The
    output might look like this if one entry with one value for each of the
    requested attributes is found:

        dn: uid=xyz,dc=example,dc=com
        ufn: xyz, example, com
        audio:< file:///tmp/ldapsearch-audio-a19924
        jpegPhoto:< file:///tmp/ldapsearch-jpegPhoto-a19924

    This command:

        ldapsearch -LLL -s one -b "c=US" "(o=University*)" o description

    will perform a one-level search at the c=US level for all entries whose
    organization name (o) begins begins with University. The organization
    name and description attribute values will be retrieved and printed to
    standard output, resulting in output similar to this:

        dn: o=University of Alaska Fairbanks,c=US
        o: University of Alaska Fairbanks
        description: Preparing Alaska for a brave new yesterday
        description: leaf node only

        dn: o=University of Colorado at Boulder,c=US
        o: University of Colorado at Boulder
        description: No personnel information
        description: Institution of education and research

        dn: o=University of Colorado at Denver,c=US
        o: University of Colorado at Denver
        o: UCD
        o: CU/Denver
        o: CU-Denver
        description: Institute for Higher Learning and Research

        dn: o=University of Florida,c=US
        o: University of Florida
        o: UFl
        description: Warper of young minds

        ...

DIAGNOSTICS
    Exit status is zero if no errors occur. Errors result in a non-zero
    exit status and a diagnostic message being written to standard error.

SEE ALSO
    ldapadd(1), ldapdelete(1), ldapmodify(1), ldapmodrdn(1), ldap.conf(5),
    ldif(5), ldap(3), ldap_search_ext(3), ldap_sort(3)

AUTHOR
    The OpenLDAP Project <http://www.openldap.org/>

ACKNOWLEDGEMENTS
    OpenLDAP Software is developed and maintained by The OpenLDAP Project
    <http://www.openldap.org/>. OpenLDAP Software is derived from
    University of Michigan LDAP 3.3 Release.

OpenLDAP 2.4.28                   2011/11/24                   LDAPSEARCH(1)
usage: ldapsearch [options] [filter [attributes...]]
where:
  filter      RFC 4515 compliant LDAP search filter
  attributes  whitespace-separated list of attribute descriptions
    which may include:
      1.1   no attributes
      *     all user attributes
      +     all operational attributes
Search options:
  -a deref   one of never (default), always, search, or find
  -A         retrieve attribute names only (no values)
  -b basedn  base dn for search
  -c         continuous operation mode (do not stop on errors)
  -E [!]<ext>[=<extparam>] search extensions (! indicates criticality)
             [!]domainScope              (domain scope)
             !dontUseCopy                (Don't Use Copy)
             [!]mv=<filter>              (RFC 3876 matched values filter)
             [!]pr=<size>[/prompt|noprompt] (RFC 2696 paged results/prompt)
             [!]sss=[-]<attr[:OID]>[/[-]<attr[:OID]>...]
                                         (RFC 2891 server side sorting)
             [!]subentries[=true|false]  (RFC 3672 subentries)
             [!]sync=ro[/<cookie>]       (RFC 4533 LDAP Sync refreshOnly)
                     rp[/<cookie>][/<slimit>] (refreshAndPersist)
             [!]vlv=<before>/<after>(/<offset>/<count>|:<value>)
                                         (ldapv3-vlv-09 virtual list views)
             [!]deref=derefAttr:attr[,...][;derefAttr:attr[,...][;...]]
             [!]<oid>[=:<b64value>] (generic control; no response handling)
  -f file    read operations from `file'
  -F prefix  URL prefix for files
  -l limit   time limit (in seconds, or "none" or "max") for search
  -L         print responses in LDIFv1 format
  -LL        print responses in LDIF format without comments
  -LLL       print responses in LDIF format without comments
             and version
  -M         enable Manage DSA IT control (-MM to make critical)
  -P version protocol version (default: 3)
  -s scope   one of base, one, sub or children (search scope)
  -S attr    sort the results by attribute `attr'
  -t         write binary values to files in temporary directory
  -tt        write all values to files in temporary directory
  -T path    write files to directory specified by path
  -u         include User Friendly entry names in the output
  -z limit   size limit (in entries, or "none" or "max") for search
Common options:
  -d level   set LDAP debugging level to `level'
  -D binddn  bind DN
  -e [!]<ext>[=<extparam>] general extensions (! indicates criticality)
             [!]assert=<filter>     (RFC 4528; a RFC 4515 Filter string)
             [!]authzid=<authzid>   (RFC 4370; "dn:<dn>" or "u:<user>")
             [!]chaining[=<resolveBehavior>[/<continuationBehavior>]]
                     one of "chainingPreferred", "chainingRequired",
                     "referralsPreferred", "referralsRequired"
             [!]manageDSAit         (RFC 3296)
             [!]noop
             ppolicy
             [!]postread[=<attrs>]  (RFC 4527; comma-separated attr list)
             [!]preread[=<attrs>]   (RFC 4527; comma-separated attr list)
             [!]relax
             [!]sessiontracking
             abandon, cancel, ignore (SIGINT sends abandon/cancel,
             or ignores response; if critical, doesn't wait for SIGINT.
             not really controls)
  -h host    LDAP server
  -H URI     LDAP Uniform Resource Identifier(s)
  -I         use SASL Interactive mode
  -n         show what would be done but don't actually do it
  -N         do not use reverse DNS to canonicalize SASL host name
  -O props   SASL security properties
  -o <opt>[=<optparam] general options
             nettimeout=<timeout> (in seconds, or "none" or "max")
             ldif-wrap=<width> (in columns, or "no" for no wrapping)
  -p port    port on LDAP server
  -Q         use SASL Quiet mode
  -R realm   SASL realm
  -U authcid SASL authentication identity
  -v         run in verbose mode (diagnostics to standard output)
  -V         print version info (-VV only)
  -w passwd  bind password (for simple authentication)
  -W         prompt for bind password
  -x         Simple authentication
  -X authzid SASL authorization identity ("dn:<dn>" or "u:<user>")
  -y file    Read password from file
  -Y mech    SASL mechanism
  -Z         Start TLS request (-ZZ to require successful response)