Understanding LDAP (part 2) - Digging Deep (Page 6 of 9)
Now that you've put data in, it's time to get it out - which is where the "ldapsearch" command comes in.
The "ldapsearch" command allows you to query the LDAP database from a specific segment of the directory tree, and look for records matching certain characteristics. These characteristics could be attributes ("fetch me all records containing email addresses beginning with a J"), object classes ("fetch me all records of class 'person'") or any other criteria that you may choose.
Consider the following example, which demonstrates:
[root@olympus] $ /usr/local/openldap/bin/ldapsearch -b 'dc=melonfire,dc=com'
This is a very simple catch-all query - it returns all the records in the database. The "-b" parameter tells the query engine the base at which to begin searching.
Here's the output:
# extended LDIF
#
# LDAPv3
# base <dc=melonfire,dc=com> with scope sub
# filter: (objectclass=*)
# requesting: ALL
#
# melonfire.com
dn: dc=melonfire,dc=com
objectClass: dcObject
objectClass: organization
o: Melonfire
dc: melonfire.com
# root@melonfire-mail.com, melonfire.com
dn: mail=root@melonfire-mail.com,dc=melonfire,dc=com
objectClass: inetOrgPerson
cn: Keith
sn: Richards
mail: root@melonfire-mail.com
# joe@melonfire-mail.com, melonfire.com
dn: mail=joe@melonfire-mail.com,dc=melonfire,dc=com
objectClass: inetOrgPerson
cn: Joe
sn: Somebody
mail: joe@melonfire-mail.com
# sarah@melonfire-mail.com, melonfire.com
dn: mail=sarah@melonfire-mail.com,dc=melonfire,dc=com
objectClass: inetOrgPerson
cn: Sarah
sn: Nobody
mail: sarah@melonfire-mail.com
telephoneNumber: 23 67 128 5639
# numResponses: 5
# numEntries: 4
Let's try another search, this one a little more focused:
[root@olympus] $ /usr/local/openldap/bin/ldapsearch -u -b 'dc=melonfire,dc=com' '(cn=Joe)'
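In this case, I've specified an additional search filter - return only those entries that have a "cn" attribute with the value "Joe". The "-u" parameter adds the user-friendly form of each DN to the output, which appears as the "ufn" line. Here's the output: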
# extended LDIF
#
# LDAPv3
# base <dc=melonfire,dc=com> with scope sub
# filter: (cn=Joe)
# requesting: ALL
#
# joe@melonfire-mail.com, melonfire.com
dn: mail=joe@melonfire-mail.com,dc=melonfire,dc=com
ufn: joe@melonfire-mail.com, melonfire.com
objectClass: inetOrgPerson
cn: Joe
sn: Somebody
mail: joe@melonfire-mail.com
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
How about another one?
[root@olympus] $ /usr/local/openldap/bin/ldapsearch -LLL -b 'dc=melonfire,dc=com' '(mail=root*)'
A different search criterion this time, this one using wildcards to search for users with an email address beginning with "root". The "-LLL" parameter tells the client to display the output in LDIF format, without the additional comments.
Here's the output:
dn: mail=root@melonfire-mail.com,dc=melonfire,dc=com
objectClass: inetOrgPerson
cn: Keith
sn: Richards
mail: root@melonfire-mail.com
Too much information? You can limit the attributes displayed for each entry by specifying them at the end of your command:
[root@olympus] $ /usr/local/openldap/bin/ldapsearch -LLL -b 'dc=melonfire,dc=com' '(mail=root*)' cn sn
In this case, only the "cn" and "sn" attributes of the entry will be displayed:
dn: mail=root@melonfire-mail.com,dc=melonfire,dc=com
cn: Keith
sn: Richards
If you have a large database, you can limit the number of entries returned via the "-z" parameter, which specifies the number of results to display.
[root@olympus] $ /usr/local/openldap/bin/ldapsearch -b 'dc=melonfire,dc=com' -z 2
Here's the output:
# extended LDIF
#
# LDAPv3
# base <dc=melonfire,dc=com> with scope sub
# filter: (objectclass=*)
# requesting: ALL
#
# melonfire.com
dn: dc=melonfire,dc=com
objectClass: dcObject
objectClass: organization
o: Melonfire
dc: melonfire.com
# root@melonfire-mail.com, melonfire.com
dn: mail=root@melonfire-mail.com,dc=melonfire,dc=com
objectClass: inetOrgPerson
cn: Keith
sn: Richards
mail: root@melonfire-mail.com
# search result
search: 2
result: 4 Size limit exceeded
# numResponses: 3
# numEntries: 2
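When the value in a filter such as '(mail=root*)' comes from a script argument or a form field instead of being typed by hand, the characters "*", "(", ")" and "\" carry meaning inside the filter and have to be escaped as RFC 4515 describes, or the value can widen or rewrite the query. The following is an added example, not part of the original article; the function names are hypothetical, and the attribute-name check assumes simple names made of letters, digits and hyphens.

```shell
#!/bin/sh
# Added example, not from the original article. Function names are hypothetical.

LDAPSEARCH=/usr/local/openldap/bin/ldapsearch   # path used in the article
BASE='dc=melonfire,dc=com'                      # base DN used in the article

# Escape a value for use inside a search filter (RFC 4515).
# The backslash is handled first so the escapes added afterwards are not
# escaped a second time.
ldap_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g'  -e 's/)/\\29/g'
}

# Build a "(attr=value*)" prefix filter. Only the trailing "*" is a wildcard;
# anything in the value itself is matched literally.
prefix_filter() {
    case $1 in
        ''|*[!A-Za-z0-9-]*) echo "invalid attribute name: $1" >&2; return 1 ;;
    esac
    printf '(%s=%s*)' "$1" "$(ldap_escape "$2")"
}

# Run the search with the options shown above: LDIF only (-LLL), at most
# $2 entries (-z, default 10), and only the "cn" and "sn" attributes returned.
search_mail_prefix() {
    filter=$(prefix_filter mail "$1") || return 1
    "$LDAPSEARCH" -LLL -b "$BASE" -z "${2:-10}" "$filter" cn sn
}

# Constructed sample inputs: show the filter each one produces.
for value in 'root' '*' 'x)(cn=*'; do
    printf '%-10s -> %s\n' "$value" "$(prefix_filter mail "$value")"
done
```

Calling search_mail_prefix root 2 runs the same kind of query as the "-z" example above, with the filter built from the escaped value and the returned attributes limited to "cn" and "sn".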
Obviously, there are innumerable ways to search the database, and I don't plan to get into all of them here. The examples above should give you a taste of what is possible - try experimenting on your own, or check out the manual pages for more.
More By icarus, (c) Melonfire