--- title: Searching for soft deletes description: Soft-deleted entries are excluded from normal LDAP searches because they represent deleted entries. The updated ldapsearch tool supports these types of searches. component: pingdirectory version: 11.0 page_id: pingdirectory:pingdirectory_server_administration_guide:pd_ds_search_soft_deletes canonical_url: https://docs.pingidentity.com/pingdirectory/11.0/pingdirectory_server_administration_guide/pd_ds_search_soft_deletes.html revdate: September 13, 2023 page_aliases: ["pd_ds_run_base_level_search_soft_delete_entry.adoc", "pd_ds_run_filtered_search_soft_delete_entry.adoc", "pd_ds_run_search_soft_delete_entry_access_ctrl.adoc"] section_ids: about-this-task: About this task steps: Steps running-a-base-level-search-on-a-soft-deleted-entry: Running a base-level search on a soft-deleted entry steps-2: Steps example: Example: result: Result: running-a-filtered-search-by-soft-delete-entry-object-class: Running a filtered search by soft-delete-entry object class steps-3: Steps example-2: Example: running-a-search-using-the-soft-delete-entry-access-control: Running a search using the soft delete entry access control about-this-task-2: About this task steps-4: Steps example-3: Example: example-4: Example: example-5: Example: --- # Searching for soft deletes Soft-deleted entries are excluded from normal LDAP searches because they represent deleted entries. The updated `ldapsearch` tool supports these types of searches. ## About this task There are three different ways to search for soft-deleted entries. ## Steps * To perform a base-level search on a soft-deleted entry by distinguished name (DN), run the `ldapsearch` command and specify the base DN of the specific soft-deleted entry that you are searching for. * To filter your search by `ds-soft-delete-entry` object class, run a search for all soft-deleted entries with the `ldapsearch` command with a filter on the `ds-soft-delete-entry` object class. * To return soft-deleted entries, use the soft-delete-entry-access-control with the LDAP search. The `ldapsearch` tool provides a shortcut option, `--includeSoftDeletedEntries`, that sends the control to the server for processing. The control allows for the following search possibilities: * Return only soft-deleted entries. * Return non-deleted entries along with soft-deleted entries. * Return only soft-deleted entries in undeleted form. ## Running a base-level search on a soft-deleted entry Use the command line to run a base-level search on a soft-deleted entry. ### Steps * Run the `ldapsearch` command using the base distinguished name (DN) of the specified soft-deleted entry. #### Example: ```shell $ bin/ldapsearch \ --baseDN entryUUID=4e9b7847-edcb-3791-b11b-7505f4a55af4+uid=user.1,ou=People,dc=example,dc=com \ --searchScope base "(objectClass=*)" ``` #### Result: ``` # Soft-deleted entry DN: # entryUUID=4e9b7847-edcb-3791-b11b-7505f4a55af4+uid=user.1,ou=People,dc=example,dc=com dn: entryUUID=4e9b7847-edcb-3791-b11b-7505f4a55af4+uid=user.1,ou=People,dc=example,dc=com objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson objectClass: ds-soft-delete-entry postalAddress: Aartjan Aalders$59748 Willow Street$Green Bay, TN 66239 postalCode: 66239 description: This is the description for Aartjan Aalders. uid: user.1 userPassword: {SSHA}RdBCwQ2kIw57LukRthjrFBS/oFylJARnmTnorA== employeeNumber: 1 initials: AKA givenName: Aartjan pager: +1 197 025 3730 mobile: +1 890 430 9077 cn: Aartjan Aalders sn: Aalders telephoneNumber: +1 094 100 7524 street: 59748 Willow Street homePhone: +1 332 432 4295 l: Green Bay mail: user.3@maildomain.net st: TN ``` ## Running a filtered search by soft-delete-entry object class Retrieve all soft-deleted entries using the `ds-soft-delete-entry` object class. ### Steps * Run the `ldapsearch` command to retrieve all soft-deleted entries using the `ds-soft-delete-entry` object class. #### Example: ```shell $ bin/ldapsearch --baseDN dc=example,dc=com \ "(objectclass=ds-soft-delete-entry)" ``` ## Running a search using the soft delete entry access control The following examples use the `--includeSoftDeleteEntries` `{with-non-deleted-entries | without-non-deleted-entries | deleted-entries-in-undeleted-form}` option, which uses the soft delete entry access control. ### About this task You can use the `--control` option with the soft delete entry access control symbolic name, `softdeleteentryaccess`, or the `--control` option with the actual soft delete entry access control OID, `1.3.6.1.4.1.30221.2.5.24`. ### Steps 1. To return only soft-deleted entries, run `ldapsearch` using the `--includeSoftDeletedEntries` option with the value of `without-non-deleted-entries`. #### Example: ```shell $ bin/ldapsearch --baseDN dc=example,dc=com \ --includeSoftDeletedEntries without-non-deleted-entries \ --searchScope sub "(objectclass=*)" ``` 2. To return non-deleted entries along with soft-deleted entries, run `ldapsearch` using the `--includeSoftDeletedEntries` option with the value of `with-non-deleted-entries`. #### Example: ```shell $ bin/ldapsearch --baseDN dc=example,dc=com \ --includeSoftDeletedEntries with-non-deleted-entries \ --searchScope sub "(objectclass=*)" ``` 3. To return only soft-deleted entries in undeleted form, run `ldapsearch` using the `--includeSoftDeletedEntries` option with the value of `deleted-entries-in-undeleted-form`. Some applications require access to all entries in the server, including both active and soft-deleted entries. #### Example: The following command returns all entries that were soft-deleted but presents it in a form that is similar to a regular entry with the soft-delete DN in comments. This regular entry format does not show the actual soft-deleted DN but displays it in an "undeleted" form even though it is not actually "undeleted". The object class, `ds-soft-delete-entry`, is also not displayed. ```shell $ bin/ldapsearch --baseDN dc=example,dc=com \ --includeSoftDeletedEntries deleted-entries-in-undeleted-form \ --searchScope sub "(ds-soft-delete-from-dn=*)" # Soft-deleted entry DN: # entryUUID=2b5511e2-7616-389b-ab0c-025c805ad32c+uid=user.14,ou=People,dc=exam- ple,dc=com dn: uid=user.14,ou=People,dc=example,dc=com objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson postalAddress: Abdalla Abdou$78929 Hillcrest Street$Elmira, ME 93080 postalCode: 93080 description: This is the description for Abdalla Abdou. uid: user.14 userPassword: {SSHA}7GkzWiMiU12m5m+xBV+ZsoX3gVacMcRtSwDTFg== employeeNumber: 14 initials: AFA givenName: Abdalla pager: +1 307 591 4870 mobile: +1 401 069 1289 cn: Abdalla Abdou sn: Abdou telephoneNumber: +1 030 505 6190 street: 78929 Hillcrest Street homePhone: +1 119 487 2328 l: Elmira mail: user.14@maildomain.net st: ME ```