ldapsearch Cheatsheet

Command-line tool for querying LDAP directories. Part of the OpenLDAP suite.


Basic Syntax

ldapsearch [options] [filter] [attributes...]

Connection Options

| Option | Description | Example |
|---|---|---|
| -h HOST | LDAP server hostname (deprecated, use -H) | -h 172.16.5.5 |
| -H URI | LDAP URI | -H ldap://172.16.5.5 |
| -p PORT | Port (default: 389, LDAPS: 636) | -p 389 |
| -x | Simple authentication (instead of SASL) | |
| -D BINDDN | Bind DN (username) | -D "CN=admin,DC=domain,DC=local" |
| -w PASS | Bind password | -w Password123 |
| -W | Prompt for password | |
| -Z | Start TLS | |
| -ZZ | Require TLS (fail if unavailable) | |

Search Options

| Option | Description | Example |
|---|---|---|
| -b BASEDN | Search base DN | -b "DC=DOMAIN,DC=LOCAL" |
| -s SCOPE | Search scope: base, one, sub | -s sub |
| -f FILE | Read filters from file | |
| -l TIMELIMIT | Time limit (seconds) | -l 30 |
| -z SIZELIMIT | Size limit (entries) | -z 1000 |
| -LLL | Minimal output (no comments, version) | |

Common LDAP Filters

| Filter | Description |
|---|---|
| (objectclass=user) | All user objects |
| (objectclass=computer) | All computer objects |
| (objectclass=group) | All group objects |
| (&(objectclass=user)(sAMAccountName=jsmith)) | Specific user |
| (&(objectclass=user)(memberOf=CN=Domain Admins,CN=Users,DC=domain,DC=local)) | Domain Admins |
| (&(objectclass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))) | Enabled accounts only |
| (sAMAccountType=805306368) | Normal user accounts |

Anonymous Bind Examples

Enumerate All Users

ldapsearch -h 172.16.5.5 -x -b "DC=DOMAIN,DC=LOCAL" -s sub "(&(objectclass=user))" sAMAccountName | grep sAMAccountName: | cut -f2 -d" "

Get Password Policy

ldapsearch -h 172.16.5.5 -x -b "DC=DOMAIN,DC=LOCAL" -s sub "*" | grep -m 1 -B 10 pwdHistoryLength

Get Domain Info

ldapsearch -h 172.16.5.5 -x -s base namingcontexts

Authenticated Examples

Bind and Search Users

ldapsearch -H ldap://172.16.5.5 -x -D "CN=admin,DC=domain,DC=local" -w Password123 -b "DC=DOMAIN,DC=LOCAL" "(&(objectclass=user))" sAMAccountName

Search with Minimal Output

ldapsearch -H ldap://172.16.5.5 -x -D "user@domain.local" -w Password123 -b "DC=DOMAIN,DC=LOCAL" -LLL "(objectclass=user)" cn sAMAccountName

Useful Attributes to Query

| Attribute | Description |
|---|---|
| sAMAccountName | Logon name |
| userPrincipalName | UPN (user@domain) |
| cn | Common name |
| distinguishedName | Full DN path |
| memberOf | Group memberships |
| userAccountControl | Account flags (enabled/disabled, etc.) |
| pwdLastSet | Last password change |
| lastLogon | Last logon timestamp |
| lockoutTime | Account lockout time |
| badPwdCount | Failed password attempts |
| minPwdLength | Minimum password length (domain-level) |
| lockoutThreshold | Lockout threshold (domain-level) |
| pwdHistoryLength | Password history length (domain-level) |
| pwdProperties | Password complexity flags (domain-level) |

Password Policy Attributes

| Attribute | Description |
|---|---|
| minPwdLength | Minimum password length |
| maxPwdAge | Maximum password age |
| minPwdAge | Minimum password age |
| pwdHistoryLength | Password history length |
| pwdProperties | 0 = no complexity, 1 = complexity enabled |
| lockoutThreshold | Bad password attempts before lockout |
| lockoutDuration | Lockout duration (in 100-nanosecond intervals, negative) |
| lockOutObservationWindow | Lockout counter reset window |
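
Added example (not part of the original cheatsheet): a POSIX shell filter for auditing a domain's policy, which decodes the attributes above from ldapsearch -LLL output and converts the negative 100-nanosecond intervals into days and minutes. The function names and the sample LDIF are constructed for illustration, and pwdProperties is treated as a bit field (bit 0x1 = complexity), which generalizes the 0/1 reading in the table.

```sh
#!/bin/sh
# Added example, not from the original page: decode AD password-policy
# attributes from `ldapsearch -LLL` output read on stdin.

# Constructed sample LDIF for a domain object; values are illustrative.
sample_ldif() {
cat <<'EOF'
dn: DC=DOMAIN,DC=LOCAL
minPwdLength: 8
pwdHistoryLength: 24
pwdProperties: 1
maxPwdAge: -36288000000000
minPwdAge: -864000000000
lockoutThreshold: 5
lockoutDuration: -18000000000
lockOutObservationWindow: -18000000000
EOF
}

# Convert a negative count of 100-nanosecond intervals to whole seconds.
interval_seconds() {
    # AD stores "never" as the Int64 minimum, which overflows shell arithmetic.
    [ "$1" != "-9223372036854775808" ] || { echo never; return; }
    echo $(( ${1#-} / 10000000 ))
}

# Print value $1 divided by $2 with unit suffix $3, passing "never" through.
scaled() {
    [ "$1" != never ] || { echo never; return; }
    echo "$(( $1 / $2 ))$3"
}

# Print one name=value line per policy attribute found on stdin.
decode_policy() {
    while IFS=': ' read -r attr value; do
        case $attr in
            minPwdLength|pwdHistoryLength) echo "$attr=$value" ;;
            lockoutThreshold)   # 0 means accounts are never locked out
                [ "$value" -ne 0 ] || value=disabled
                echo "$attr=$value" ;;
            pwdProperties)      # bit 0x1 is the complexity flag
                [ $(( $value & 1 )) -ne 0 ] && flag=enabled || flag=disabled
                echo "complexity=$flag" ;;
            maxPwdAge|minPwdAge)
                echo "$attr=$(scaled "$(interval_seconds "$value")" 86400 d)" ;;
            lockoutDuration|lockOutObservationWindow)
                echo "$attr=$(scaled "$(interval_seconds "$value")" 60 m)" ;;
        esac
    done
}

sample_ldif | decode_policy
```

To run it against a live directory, pipe a base-scope -LLL query of the domain DN into decode_policy in place of sample_ldif.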

Tips

  • Use -LLL for clean, parseable output
  • Pipe through grep, awk, or cut to extract specific fields
  • Anonymous binds are a legacy config (disabled by default since Windows Server 2003)
  • Use -H ldap:// instead of the deprecated -h flag in newer versions