12.8. Finding Things in Your OpenLDAP Directory

Problem

Your directory is growing, and you want to know how to fine-tune your searches so you can pluck out just the information you want, and not have to wade through a bunch of irrelevant stuff.

Solution

The ldapsearch command comes with a host of options for searching on every imaginable attribute. This command searches for a specific user by common name (CN):

	$ ldapsearch -xtb 'dc=alrac,dc=net' 'cn=carla'

If you're not quite sure what to look for, you can use wildcards. This example searches for UIDs that end in schroder:

	$ ldapsearch -xtb 'dc=alrac,dc=net' 'uid=*schroder'

Maybe you want all the entries with a certain phone prefix:

	$ ldapsearch -xtb 'ou=people,dc=alrac,dc=net' '(telephoneNumber=333*)'

You might want a list of attributes only, without the values:

	$ ldapsearch -xtb 'dc=alrac,dc=net' 'cn=carla' -A

You can start from a different level in your DIT:

	$ ldapsearch -xtb 'ou=people,dc=alrac,dc=net' 'cn=carla'

You can limit the size of your search, like this example that searches for entries with photos, and limits the results to 10 entries:

	$ ldapsearch -z 10 -xtb 'ou=people,dc=alrac,dc=net' '(jpegPhoto=*)'

This command makes a list of objectClasses used in your directory:

	$ ldapsearch -xb 'dc=alrac,dc=net' '(objectclass=*)' dcObject

Or, search for entries with specific objectClasses:

	$ ldapsearch -xb 'dc=alrac,dc=net' '(objectclass=simpleSecurityObject)'

Combine attributes to narrow searches, such as users with a certain phone prefix and mail domain:

	$ ldapsearch -xtb 'dc=alrac,dc=net' '(&(mail=*domain.com)(telephoneNumber=333*))'

Or, list all users at a specific mail domain except the ones with the specified phone prefix (mind your parentheses):

	$ ldapsearch -xtb 'dc=alrac,dc=net' '(&(mail=*domain.com)(!(telephoneNumber=333*)))'

Discussion

If you're thinking, "Forget this, I'm making a beeline to those nice graphical LDAP clients," slow down. Those nice graphical interfaces still require a knowledge of the OpenLDAP commands.

Here are some examples of the syntax for various search expressions:

Match this value

	(attribute=value)
	(objectclass=name)

Approximately match this value; this requires an approx index; see Recipe 12.9 for more information

	(attribute~=value)

Match all these values

	(&(exp1)(exp2)(exp3))

Match any of these values; exp1 OR exp2 OR exp3

	(|(exp1)(exp2)(exp3))

Exclude this value

	(!(exp1))

Exclude both of these values

	(&(!(exp1))(!(exp2)))

Exclude either of these values

	|(!(exp1))(!(exp2)))

There are some other available search types, though I haven't found them to be useful because these depend on the attribute having an ordering rule, and most of them don't:

Match results that are greater than

	(attribute>=value)

Match results that are less than

	(attribute<=value)

See Also

• man 1 ldapsearch

• OpenLDAP.org: http://www.openldap.org/

• LDAP Directories Explained: An Introduction and Analysis, by Brian Arkills (Addison-Wesley)

• LDAP System Administration, by Gerald Carter (O'Reilly)