Tuesday, April 1, 2025

ldapsearch error: "scope is required for a null based search"

This command:


ldapsearch -D binduser@acme.com -w ? -h globalADcatalog -b DC=acme,DC=com cn=myuser

will sometimes give the error:

scope is required for a null based search

But if you simply change directories (to /opt, for example), the command will run just fine.

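This is due to filename expansion (globbing) in the shell: an unquoted ? is a pattern that matches any single-character name, so if your current working directory happens to contain a file (or directory) with a single-character name, the shell substitutes that name for the ? before ldapsearch runs. The correct way to get around this is to change the command to: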

ldapsearch -D binduser@acme.com -w \? -h globalADcatalog -b DC=acme,DC=com cn=myuser

FYI: The "-w ?" tells ldapsearch to prompt you for a password, and the backslash quotes the question mark so the shell doesn't try to interpret it. I like using this form of the command rather than typing the password on the command line for security purposes:

  1. While the command is running, ANY user on the system can see the entire command line with the 'ps -ef' command.
  2. If you're using a shared account (like a service account), any other people sharing that account can see all previous commands with the 'history' command.
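
The expansion described above can be reproduced without contacting a directory server. This is an added example, not code from the original post: show_args is a hypothetical stand-in for ldapsearch that only echoes the arguments it receives, and the scratch directory with its files a and b is constructed.

```shell
#!/bin/sh
# Added example: what a command actually receives when "?" is left unquoted.
# show_args is a hypothetical stand-in for ldapsearch; it only echoes its argv.
show_args() {
    out=""
    for a in "$@"; do out="$out[$a]"; done
    printf '%s\n' "$out"
}

# demo_glob DIR MODE: run the post's command line from DIR, MODE = unquoted|escaped.
demo_glob() {
    (
        cd "$1" || exit 1
        case "$2" in
            unquoted) show_args -D binduser@acme.com -w ? -h globalADcatalog -b DC=acme,DC=com cn=myuser ;;
            escaped)  show_args -D binduser@acme.com -w \? -h globalADcatalog -b DC=acme,DC=com cn=myuser ;;
            *) exit 2 ;;
        esac
    )
}

# single_char_names DIR: print the names in DIR that an unquoted "?" would match.
single_char_names() {
    (
        cd "$1" || exit 1
        for f in ?; do
            # With no match the shell leaves a literal "?", which does not exist.
            if [ -e "$f" ] || [ -L "$f" ]; then printf '%s\n' "$f"; fi
        done
    )
}

# Constructed demo: a scratch directory holding two single-character files.
tmp=$(mktemp -d)
: > "$tmp/a"
: > "$tmp/b"
echo "unquoted: $(demo_glob "$tmp" unquoted)"
echo "escaped:  $(demo_glob "$tmp" escaped)"
echo "names an unquoted ? matches: $(single_char_names "$tmp" | tr '\n' ' ')"
rm -rf "$tmp"
```

In the unquoted run the value after -w becomes a and an extra argument b lands in front of -h; in the escaped run the command receives the literal ? it was meant to get.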
