
How to Find LDAP Using LDAP Search Examples

Anyone working in a large company has usually come across LDAP, whether on a Linux OpenLDAP server or a Windows domain controller. LDAP is useful for centralizing authentication. As your LDAP directory grows, you need a way to find the entries you have to manage. Ldapsearch is the command that finds entries in the LDAP directory tree.

This tutorial will explain how you can easily find LDAP using LDAP search examples.


Ldapsearch is used to find entries in the LDAP database backend. It binds to an LDAP server, opens a connection, and searches using filters. According to RFC 1558, an LDAP filter must conform to the string representation of search filters. If one or more entries are found, ldapsearch retrieves the attributes specified by attrs, and the entries are printed to standard output. If no attributes are specified, it returns all attributes.

In the examples below, the -x option selects simple authentication, the -u option outputs user-friendly information, and the -b option sets the initial search point (search base).

Ldapsearch Command-Line Tool

A search request can be given in several ways: all details directly on the command line, all arguments except the filter (which is then read from a file), or a file containing LDAP URLs. Such a file specifies the scope, DN, filter, and attributes of interest using the same URL syntax.

Its simple syntax is something like this:

ldapsearch {arguments} {filter} [{attr1} [{attr2} ...]]

LDAP Search with Ldapsearch

Using ldapsearch with the “-x” option allows for simple authentication. Specifying the search base with the “-b” option allows for simple LDAP discovery. If the search does not run directly on the LDAP server, you must specify the host with the “-H” option.

ldapsearch -x -b <search_base> -H <ldap_host>

If you have an OpenLDAP server installed on a host in your network and it accepts anonymous authentication, you can run LDAP search queries without binding to an administrator account.

The LDAP client assumes you want to search the entire directory tree if no filter is specified. It displays the information in its entirety.

Search LDAP with the Admin Account
Sometimes LDAP queries must be run as the administrator account to return additional information. To do this, you bind to the LDAP tree with the administrator's account: run the “ldapsearch” query with “-D” for the bind DN and “-W” to be prompted for the password.

ldapsearch -x -b <search_base> -H <ldap_host> -D <bind_dn> -W

Run the above query when you perform an LDAP search as the administrator. Be aware that binding as the administrator sends the administrator's credentials with the request, so they can be exposed unless the connection is encrypted. Make sure your query is run privately.

Running LDAP Searches with Filters

Running a simple LDAP search query with no filters is a waste of resources and time. You can run an LDAP search query to find specific objects in the LDAP directory tree to avoid this.

Add your filter to the end of the ldapsearch command to search with an LDAP entry filter. For this, specify the object type on the left and the object value on the right. You can optionally list attributes such as the user password, username, etc., to be returned from the matching objects.

ldapsearch <previous_options> "(<object_type>=<object_value>)" <optional_attributes>

Searching for All Objects in the Directory Tree
To retrieve all objects in the LDAP tree, specify the wildcard character “*” with the “ObjectClass” filter.

ldapsearch -x -b <search_base> -H <ldap_host> -D <bind_dn> -W "objectclass=*"

It presents all the attributes and all the objects available in the tree at the time of executing the query.

Finding User Accounts with Ldapsearch
All user accounts on an LDAP directory tree will have the “Account” structural object class by default. This allows you to narrow it down to all user accounts.

ldapsearch -x -b <search_base> -H <ldap_host> -D <bind_dn> -W "objectclass=account"

By default, queries return all attributes available for the object class. You can narrow the search by adding the attributes you want to your query, as you have already done with the filter. If you are only interested in the home directory, UID, and CN of each user, run the following LDAP search.

ldapsearch -x -b <search_base> -H <ldap_host> -D <bind_dn> -W "objectclass=account" cn uid homeDirectory

Run the above command to perform an LDAP search for specific selectors and filters successfully.

AND Operator Using Ldapsearch
To combine filters with the “AND” operator, place an “&” character at the beginning of the query and enclose each condition in parentheses.

ldapsearch <previous_options> "(&(<condition_1>)(<condition_2>)...)"

The following query finds all entries where “X” equals “banks” and “Y” equals “ben.”

ldapsearch <previous_options> "(&(objectclass=banks)(Y=ben))"

Where X stands for objectclass and Y for an attribute such as uid.

OR Operator Using Ldapsearch
If you need to combine multiple filters so that any of them may match, use the “OR” operator. Place a “|” character at the beginning of the query, followed by the conditions.

ldapsearch <previous_options> "(|(<condition_1>)(<condition_2>)...)"

Run the query below to find all entries with either of two different object classes, of type “X” or type “Y.”

ldapsearch <previous_options> "(|(X=banks)(Y=jobrole))"

Where X and Y are two different object classes.

A Negation Filter Using LdapSearch
When you want to match the entries in an LDAP directory tree that do NOT satisfy a condition, enclose the condition in parentheses and prefix it with a “!” character. The “!” operator negates exactly one condition; to negate several at once, combine them with “&” or “|” first.

ldapsearch <previous_options> "(!(<condition>))"

For example, to match all entries NOT having a “cn” attribute with the value “john,” you would negate the condition cn=john in the same way.

More generally, you run the following query when you need to match all the entries NOT having an “X” attribute with the value “Ben.”

ldapsearch <previous_options> "(!(X=Ben))"

Where X is the attribute being tested.

Using LDAPsearch to Find LDAP Server Configurations
Using the ldapsearch command, you can also retrieve the configuration of the LDAP tree. If you are familiar with OpenLDAP, you know that a global configuration object sits at the top of the LDAP hierarchy.

Sometimes, for tasks such as changing the root administrator password or modifying access control, you need to look at your LDAP configuration.

To locate the LDAP configuration, specify “cn=config” as the search base in the “ldapsearch” command. Note that you must pass the “-Y” option with “EXTERNAL” as the authentication mechanism for this discovery to run.

ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config

Note: You must run the above command on the server, not on your LDAP client.

The default behavior of this command is to return lots of results, including backends, schemas, and modules.

If you want to limit your search to database configuration, you can specify the “olcDatabaseConfig” object class with ldapsearch.

ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config "(objectclass=olcDatabaseConfig)"

LDAP Searches with Wildcards
LDAP filters also support wildcards: you can use asterisks (“*”) to search through LDAP entries.

The wildcard character works much like an asterisk in a regex. It matches any attribute value that ends with or begins with a given substring.

ldapsearch <previous_options> "(<object_type>=*<object_value>)"
ldapsearch <previous_options> "(<object_type>=<object_value>*)"

To find every entry whose attribute “X” begins with the letter “d,” run the following command.

ldapsearch <previous_options> "X=d*"

Where X is equal to uid.

Ldapsearch Advanced Options

So far, you have seen the essential ldapsearch options, but there are also some advanced options you can use:

LDAP Extensible Match Filters
You can use extensible LDAP matching filters to supercharge some of the existing operators you want to represent, such as equality operators.

A Supercharged Default Operator
To supercharge an LDAP operator, use the “:=” syntax.

ldapsearch <previous_options> "<object_type>:=<object_value>"

If you want to find all the entries where “X” equals “ben,” you must run the following command.

ldapsearch <previous_options> "X:=ben"

The above command is like the following one.

ldapsearch <previous_options> "X=ben"

Where “X” is the attribute being tested.

By default, a search for “BEN” and a search for “ben” give you the same result. You can make your search case sensitive, limiting the results to the exact match “ben.”

Ldapsearch lets you add matching options to an attribute, separated by “:” characters.

ldapsearch <previous_options> "<object_type>:<op1>:<op2>:=<object_value>"

You can perform a case-sensitive search by running the following command.

ldapsearch <previous_options> "X:caseExactMatch:=ben"
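The following POSIX sh helpers, added here as an example and not taken from the article, build the AND, OR, NOT, wildcard and extensible-match filters shown above from shell variables. The one thing the article's templates do not show is what happens when a value contains filter metacharacters, so the helpers escape those before composing; the host, search base and bind DN are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the article): compose ldapsearch filters safely.

# Escape a value for use inside an LDAP filter string (RFC 4515 escaping):
# backslash, asterisk and parentheses become \5c, \2a, \28 and \29.
# Without this, a value like 'a)(uid=*' would rewrite the whole filter.
# (NUL bytes cannot occur in shell arguments, so they are not handled.)
ldap_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Single condition "(attr=value)"; the value is escaped, the attribute is not.
eq_filter()     { printf '(%s=%s)' "$1" "$(ldap_escape "$2")"; }
# Prefix wildcard "(attr=value*)": the asterisk is appended after escaping,
# so a literal '*' inside the value still matches literally.
prefix_filter() { printf '(%s=%s*)' "$1" "$(ldap_escape "$2")"; }
# Extensible match "(attr:rule:=value)", e.g. caseExactMatch for a case-sensitive search.
ext_filter()    { printf '(%s:%s:=%s)' "$1" "$2" "$(ldap_escape "$3")"; }
# Combine any number of already-built filters with AND (&) or OR (|).
and_filter() { printf '(&'; for f in "$@"; do printf '%s' "$f"; done; printf ')'; }
or_filter()  { printf '(|'; for f in "$@"; do printf '%s' "$f"; done; printf ')'; }
# NOT takes exactly one filter; combine with and_filter/or_filter first if needed.
not_filter() { printf '(!%s)' "$1"; }

# Print (rather than run) the full ldapsearch command for a filter and an
# attribute list, so the composed query can be reviewed before it is sent.
# Host, base and bind DN are constructed placeholder values.
LDAP_HOST=${LDAP_HOST:-ldap://ldap.example.com}
SEARCH_BASE=${SEARCH_BASE:-dc=example,dc=com}
BIND_DN=${BIND_DN:-cn=admin,dc=example,dc=com}
search_cmd() {
    filter=$1; shift
    printf "ldapsearch -x -H %s -b %s -D %s -W '%s'" \
        "$LDAP_HOST" "$SEARCH_BASE" "$BIND_DN" "$filter"
    for attr in "$@"; do printf ' %s' "$attr"; done
    printf '\n'
}

# Demonstration: accounts whose uid starts with "d", excluding cn=john (exact case).
f=$(and_filter "$(eq_filter objectclass account)" "$(prefix_filter uid d)" \
               "$(not_filter "$(ext_filter cn caseExactMatch john)")")
search_cmd "$f" cn uid homeDirectory
```

Running the script prints the command with the filter `(&(objectclass=account)(uid=d*)(!(cn:caseExactMatch:=john)))`; a value such as `a)(uid=*` passed to eq_filter comes out as `(uid=a\29\28uid=\2a)` instead of widening the search.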


This is how to search the LDAP directory tree using the ldapsearch command. You can supercharge existing operators by specifying a custom matching rule or using extensible matching options. We have walked through ldapsearch one command example at a time. We hope this article answers your questions and solves your problem.

About the author

Prateek Jangid

A passionate Linux user for personal and professional reasons, always exploring what is new in the world of Linux and sharing with my readers.