incomplete.io

performing queries with OpenLDAP's ldapsearch tool

There are many tools that can be used to perform LDAP searches. This section outlines how to use the ldapsearch tool from the OpenLDAP LDAP suite to perform simple searches. The abstract technique and specific parameters passed will generally also apply to most other LDAP query tools.

This is not an exhaustive reference, but should provide enough to help get started.

connect parameters

Like most tools, ldapsearch needs to know how to find the LDAP service we wish to query. There are a number of options available for doing so, but perhaps the easiest is to specify the host, the port and whether to use SSL/TLS by forming a URI and passing it in with the -H option.

For example, to connect to the host ldap.incomplete.io on the default port and without SSL, you can pass in the following:

-H ldap://ldap.incomplete.io

Whereas to query an Active Directory global catalogue service on the same host using SSL, you might use the following:

-H ldaps://ldap.incomplete.io:3269

bind parameters

All modern LDAP DSAs support the authentication of incoming LDAP queries and this is done during the LDAP bind phase of a query. Different bind mechanisms are supported by different LDAP clients and DSAs. Two common and contrasting mechanisms are:

  1. Simple binds -- where the username and password are sent over the network in plaintext, and
  2. GSSAPI binds -- where GSSAPI is used to authenticate the user, often with Kerberos as the underlying mechanism.

To perform a simple bind, supply the -x option, along with the bind DN (the -D option) and the password (the -w option). For the user cn=admin,dc=incomplete,dc=io with the password Incomplete10, the following might suffice:

-x -D "cn=admin,dc=incomplete,dc=io" -w Incomplete10

For interactive searches, to avoid passing the password as plaintext on the command line (where it is often visible in the output of commands such as ps), specify the -W option without a password and you will be prompted for it interactively.

To use GSSAPI and Kerberos, simply supply the -Y GSSAPI option. In some environments, you may also want to specify the -N option, in order to avoid reverse DNS lookups when canonicalising the server name.

-N -Y GSSAPI

In most cases, you will want to have primed your Kerberos credentials cache with an initial ticket (and default principal) to avoid having to provide a bind DN and password. This is often done using the kinit tool available as part of many Kerberos suites.

For example:

kinit admin@INCOMPLETE.IO
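As an added example that is not part of the original post, the following POSIX sh function assembles the connect and bind parameters described above into an ldapsearch argument list. It keeps the password off the command line (using -W rather than -w) and uses -N -Y GSSAPI when a primed Kerberos cache is to be used; the function name and argument order are my own.

```shell
#!/bin/sh
# Added example: build ldapsearch connect/bind arguments.
#
# ldap_args HOST PORT TLS MODE [BINDDN]
#   PORT   : empty string for the scheme's default port
#   TLS    : "yes" -> ldaps://, anything else -> ldap://
#   MODE   : "simple" -> -x -D BINDDN -W  (password is prompted, never in argv)
#            "gssapi" -> -N -Y GSSAPI     (credentials cache primed with kinit)
# Prints one argument per line so the caller can splice them into ldapsearch.
ldap_args() {
    host=$1; port=$2; tls=$3; mode=$4; binddn=$5

    # Connect parameters: form the -H URI from scheme, host and optional port.
    if [ "$tls" = "yes" ]; then scheme=ldaps; else scheme=ldap; fi
    uri="$scheme://$host"
    [ -n "$port" ] && uri="$uri:$port"

    # Bind parameters: simple bind needs a DN; -W keeps the password out of
    # the process list. GSSAPI needs no DN or password at all.
    case "$mode" in
        simple)
            if [ -z "$binddn" ]; then
                echo "ldap_args: simple bind requires a bind DN" >&2
                return 1
            fi
            printf '%s\n' -H "$uri" -x -D "$binddn" -W
            ;;
        gssapi)
            printf '%s\n' -H "$uri" -N -Y GSSAPI
            ;;
        *)
            echo "ldap_args: unknown bind mode: $mode" >&2
            return 1
            ;;
    esac
}

# Usage (bind DN without spaces, so shell word splitting on newlines is safe):
#   ldapsearch $(ldap_args ldap.incomplete.io "" no simple "cn=admin,dc=incomplete,dc=io")
#   ldapsearch $(ldap_args ldap.incomplete.io 3269 yes gssapi)
```

The search parameters (base DN, filter, attributes) are appended after these arguments by the caller.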

searching parameters

base DN, filter, attributes

tying it all together

see also

Twitter: @IncompleteIO