16.10 - Working with Ldapsearch Options - Teradata Database

Teradata Database Security Administration

Teradata Database
June 2017
Option or Argument / Description
-x Specifies that the search uses simple binding, if offered by the directory. You cannot use the -x option with the -Y option.
-D user Passes the user identity when you specify -x (simple binding). The name format you use may depend on the directory type. You can use:
  • The FQDN for the user on all certified directories.
  • user@domain on Active Directory
  • The contents of the userPrincipalName attribute for the user on ADAM or AD LDS
-Y DIGEST-MD5 Specifies that the search uses DIGEST-MD5 binding, if offered by the directory. You cannot use the -Y option with the -x option.
-U user Passes the user identity when the search uses a DIGEST-MD5 bind, that is, when you specify -Y DIGEST-MD5.
-w password Specifies the directory user password in the ldapsearch command.
-W Specifies that the ldapsearch prompts the user for a password.
-R realm Specifies a SASL realm offered by the directory server. This option is valid only when the directory server offers more than one realm.

Set up the -R option similarly to the LdapServerRealm property. See LdapServerRealm.

-b basedn The FQDN of the directory object that constitutes the search base, that is, the starting point for the directory search.

If you omit this option, the search uses the directory defaults in the ldaprc or .ldaprc file. For more information, go to: http://www.openldap.org.

-s scope Use this option to specify the scope of the search.
  • one: Searches the children of the object identified by the search base (-b option).
  • base: Searches only the object identified by the search base (-b option).
  • sub: Specifies a subtree search (or deep search). A deep search includes any object names contained in the -b option, and any other objects included in the subtree named by the search base.
If you use the root node as the search base (the usual default) with a scope of sub, the command searches the entire directory.
-H scheme://host:port/ Identifies the URI for the LDAP directory server.

See LdapServerName for valid settings.

-Z Requests that the search use TLS protection for the search authentication token exchange. If TLS is not available, -Z returns an error message, but the search continues (without protection).
-ZZ Same as -Z, but if TLS is not available, the search aborts.
filter Specifies the filter for the search, and is approximately equivalent to an SQL WHERE clause.

Filters use a specific syntax, defined in IETF RFC 2254. Go to: http://www.faqs.org/rfcs/rfc2254.html.

If you do not specify a filter, the search uses '(objectClass=*)'.

All search filters must begin with a '(' character, which is not legal in an attribute name.
attr1 [attr2 …] A space separated list of one or more optional arguments that tell the server the names of attributes it must return. If you do not specify any attributes, the search returns all user defined attributes for each object that matches the search criteria, for most directory types. Specify:
  • '*' to include all normal attributes.
  • '+' to include all operational attributes, that is, those attributes the server uses to manage the object.
  • '1.1' to return no attributes.

For some directory types, such as OpenLDAP, you can specify both '*' and '+' to request all user attributes and all operational attributes in the same search.

A search always returns the FQDN of the object.
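The following is an added example, not Teradata's or OpenLDAP's own code. It assembles an ldapsearch argument list from the options in the table above, enforces the two constraints the table states (-x and -Y DIGEST-MD5 are mutually exclusive; a filter must begin with '('), prefers -ZZ so that a missing TLS layer aborts the search instead of sending the bind in the clear, and escapes values placed inside an RFC 2254 filter so that caller-supplied text cannot alter the filter's structure. Host names, DNs and user names in the test are constructed placeholders; the function only returns the argv list you would pass to subprocess.run(), it does not contact a directory.

```python
"""Build an ldapsearch argv list from the documented options (added example)."""
import re
from typing import List, Optional

# RFC 2254 section 4: these characters must be escaped inside a filter
# assertion value. Left unescaped, a value such as "*)(uid=*" would turn an
# equality test into a different filter (the LDAP analogue of SQL injection).
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value for use inside an LDAP search filter."""
    # Per-character mapping, so no ordering problem between '\' and the rest.
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def equality_filter(attribute: str, value: str) -> str:
    """Return an RFC 2254 equality filter, e.g. (sAMAccountName=jdoe)."""
    # Attribute descriptions are letters, digits and hyphens; this also rules
    # out '(' which, as the table notes, is not legal in an attribute name.
    if not re.fullmatch(r"[A-Za-z][A-Za-z0-9-]*", attribute):
        raise ValueError(f"invalid attribute name: {attribute!r}")
    return f"({attribute}={escape_filter_value(value)})"


def build_ldapsearch(
    uri: str,
    base_dn: str,
    filter_expr: str = "(objectClass=*)",   # the documented default filter
    attributes: Optional[List[str]] = None,
    scope: str = "sub",
    bind_user: Optional[str] = None,
    simple_bind: bool = False,              # -x
    digest_md5: bool = False,               # -Y DIGEST-MD5
    require_tls: bool = True,               # -ZZ when True, -Z when False
    realm: Optional[str] = None,            # -R, SASL binds only
) -> List[str]:
    """Return the argv list for an ldapsearch invocation (not executed here)."""
    if simple_bind and digest_md5:
        raise ValueError("-x (simple bind) and -Y DIGEST-MD5 are mutually exclusive")
    if scope not in ("base", "one", "sub"):
        raise ValueError(f"scope must be base, one or sub, not {scope!r}")
    if not filter_expr.startswith("("):
        raise ValueError("search filters must begin with '('")

    argv = ["ldapsearch", "-H", uri]
    # -ZZ aborts when TLS cannot be negotiated; -Z only prints an error and
    # then continues without protection, which is rarely what you want.
    argv.append("-ZZ" if require_tls else "-Z")

    if simple_bind:
        argv.append("-x")
        if bind_user:
            # -W prompts for the password; -w would expose it in the process list.
            argv += ["-D", bind_user, "-W"]
    elif digest_md5:
        argv += ["-Y", "DIGEST-MD5"]
        if bind_user:
            argv += ["-U", bind_user, "-W"]
        if realm:
            argv += ["-R", realm]

    argv += ["-b", base_dn, "-s", scope, filter_expr]
    argv += attributes or []
    return argv


if __name__ == "__main__":
    # Constructed sample: look up one account by a value taken from user input.
    print(" ".join(build_ldapsearch(
        "ldap://dc01.example.com:389/",          # constructed host
        "dc=example,dc=com",
        equality_filter("sAMAccountName", "jdoe"),
        ["cn", "memberOf"],
        bind_user="svc-ldap@example.com",        # constructed service account
        simple_bind=True,
    )))
```

Because the function returns a list rather than a shell string, each element reaches ldapsearch as one argument regardless of spaces or quotes, and the filter escaping keeps a value such as `*)(uid=*` confined to the attribute comparison it was meant for.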