3.1.1.3.4.1 LDAP Extended Controls
LDAP extended controls are an extensibility mechanism in version 3 of LDAP, as discussed in [RFC2251] section 4.1.12. The following sections describe the LDAP extended controls implemented by DCs in Microsoft Windows® 2000 operating system, Windows Server® 2003 operating system, Active Directory® Application Mode (ADAM), Windows Server® 2008 operating system, Windows Server® 2008 R2 operating system, and Windows Server® 2012 operating system (both AD DS and AD LDS).
The LDAP extended controls supported by a DC are exposed as OIDs in the supportedControl attribute of the rootDSE. Each OID corresponds to a human-readable name, as shown in the following table.
| Extended control name | OID |
|---|---|
| LDAP_PAGED_RESULT_OID_STRING | 1.2.840.113556.1.4.319 |
| LDAP_SERVER_CROSSDOM_MOVE_TARGET_OID | 1.2.840.113556.1.4.521 |
| LDAP_SERVER_DIRSYNC_OID | 1.2.840.113556.1.4.841 |
| LDAP_SERVER_DOMAIN_SCOPE_OID | 1.2.840.113556.1.4.1339 |
| LDAP_SERVER_EXTENDED_DN_OID | 1.2.840.113556.1.4.529 |
| LDAP_SERVER_GET_STATS_OID | 1.2.840.113556.1.4.970 |
| LDAP_SERVER_LAZY_COMMIT_OID | 1.2.840.113556.1.4.619 |
| LDAP_SERVER_PERMISSIVE_MODIFY_OID | 1.2.840.113556.1.4.1413 |
| LDAP_SERVER_NOTIFICATION_OID | 1.2.840.113556.1.4.528 |
| LDAP_SERVER_RESP_SORT_OID | 1.2.840.113556.1.4.474 |
| LDAP_SERVER_SD_FLAGS_OID | 1.2.840.113556.1.4.801 |
| LDAP_SERVER_SEARCH_OPTIONS_OID | 1.2.840.113556.1.4.1340 |
| LDAP_SERVER_SORT_OID | 1.2.840.113556.1.4.473 |
| LDAP_SERVER_SHOW_DELETED_OID | 1.2.840.113556.1.4.417 |
| LDAP_SERVER_TREE_DELETE_OID | 1.2.840.113556.1.4.805 |
| LDAP_SERVER_VERIFY_NAME_OID | 1.2.840.113556.1.4.1338 |
| LDAP_CONTROL_VLVREQUEST | 2.16.840.1.113730.3.4.9 |
| LDAP_CONTROL_VLVRESPONSE | 2.16.840.1.113730.3.4.10 |
| LDAP_SERVER_ASQ_OID | 1.2.840.113556.1.4.1504 |
| LDAP_SERVER_QUOTA_CONTROL_OID | 1.2.840.113556.1.4.1852 |
| LDAP_SERVER_RANGE_OPTION_OID | 1.2.840.113556.1.4.802 |
| LDAP_SERVER_SHUTDOWN_NOTIFY_OID | 1.2.840.113556.1.4.1907 |
| LDAP_SERVER_FORCE_UPDATE_OID | 1.2.840.113556.1.4.1974 |
| LDAP_SERVER_RANGE_RETRIEVAL_NOERR_OID | 1.2.840.113556.1.4.1948 |
| LDAP_SERVER_RODC_DCPROMO_OID | 1.2.840.113556.1.4.1341 |
| LDAP_SERVER_DN_INPUT_OID | 1.2.840.113556.1.4.2026 |
| LDAP_SERVER_SHOW_DEACTIVATED_LINK_OID | 1.2.840.113556.1.4.2065 |
| LDAP_SERVER_SHOW_RECYCLED_OID | 1.2.840.113556.1.4.2064 |
| LDAP_SERVER_POLICY_HINTS_DEPRECATED_OID | 1.2.840.113556.1.4.2066 |
| LDAP_SERVER_DIRSYNC_EX_OID | 1.2.840.113556.1.4.2090 |
| LDAP_SERVER_UPDATE_STATS_OID | 1.2.840.113556.1.4.2205 |
| LDAP_SERVER_TREE_DELETE_EX_OID | 1.2.840.113556.1.4.2204 |
| LDAP_SERVER_SEARCH_HINTS_OID | 1.2.840.113556.1.4.2206 |
| LDAP_SERVER_EXPECTED_ENTRY_COUNT_OID | 1.2.840.113556.1.4.2211 |
| LDAP_SERVER_POLICY_HINTS_OID | 1.2.840.113556.1.4.2239 |

The following table lists the set of LDAP extended controls supported in each Microsoft Windows® Server operating system or ADAM version.
| Extended control name | Windows 2000 | Windows Server 2003 | Windows Server® 2003 operating system with Service Pack 1 (SP1) | ADAM RTW | ADAM SP1 | Windows Server 2008 | Windows Server 2008 R2 | Windows Server 2012 |
|---|---|---|---|---|---|---|---|---|
| LDAP_PAGED_RESULT_OID_STRING | X | X | X | X | X | X | X | X |
| LDAP_SERVER_CROSSDOM_MOVE_TARGET_OID | X | X | X | X | X | X | X | X |
| LDAP_SERVER_DIRSYNC_OID | X | X | X | X | X | X | X | X |
| LDAP_SERVER_DOMAIN_SCOPE_OID | X | X | X | X | X | X | X | X |
| LDAP_SERVER_EXTENDED_DN_OID | X | X | X | X | X | X | X | X |
| LDAP_SERVER_GET_STATS_OID | X | X | X | X | X | X | X | X |
| LDAP_SERVER_LAZY_COMMIT_OID | X | X | X | X | X | X | X | X |
| LDAP_SERVER_PERMISSIVE_MODIFY_OID | X | X | X | X | X | X | X | X |
| LDAP_SERVER_NOTIFICATION_OID | X | X | X | X | X | X | X | X |
| LDAP_SERVER_RANGE_OPTION_OID\* | X | X | X | X | X | X | X | X |
| LDAP_SERVER_RESP_SORT_OID | X | X | X | X | X | X | X | X |
| LDAP_SERVER_SD_FLAGS_OID | X | X | X | X | X | X | X | X |
| LDAP_SERVER_SEARCH_OPTIONS_OID | X | X | X | X | X | X | X | X |
| LDAP_SERVER_SORT_OID | X | X | X | X | X | X | X | X |
| LDAP_SERVER_SHOW_DELETED_OID | X | X | X | X | X | X | X | X |
| LDAP_SERVER_TREE_DELETE_OID | X | X | X | X | X | X | X | X |
| LDAP_SERVER_VERIFY_NAME_OID | X | X | X | X | X | X | X | X |
| LDAP_CONTROL_VLVREQUEST |   | X | X | X | X | X | X | X |
| LDAP_CONTROL_VLVRESPONSE |   | X | X | X | X | X | X | X |
| LDAP_SERVER_ASQ_OID |   | X | X | X | X | X | X | X |
| LDAP_SERVER_QUOTA_CONTROL_OID |   | X | X | X | X | X | X | X |
| LDAP_SERVER_SHUTDOWN_NOTIFY_OID\*\* |   |   | X |   | X | X | X | X |
| LDAP_SERVER_FORCE_UPDATE_OID |   |   |   |   |   | X | X | X |
| LDAP_SERVER_RANGE_RETRIEVAL_NOERR_OID |   |   |   |   | X | X | X | X |
| LDAP_SERVER_RODC_DCPROMO_OID |   |   |   |   |   | X | X | X |
| LDAP_SERVER_DN_INPUT_OID |   |   |   |   |   | X | X | X |
| LDAP_SERVER_SHOW_DEACTIVATED_LINK_OID |   |   |   |   |   |   | X | X |
| LDAP_SERVER_SHOW_RECYCLED_OID |   |   |   |   |   |   | X | X |
| LDAP_SERVER_POLICY_HINTS_DEPRECATED_OID |   |   |   |   |   |   | X | X |
| LDAP_SERVER_DIRSYNC_EX_OID |   |   |   |   |   |   |   | X |
| LDAP_SERVER_UPDATE_STATS_OID |   |   |   |   |   |   |   | X |
| LDAP_SERVER_TREE_DELETE_EX_OID |   |   |   |   |   |   |   | X |
| LDAP_SERVER_SEARCH_HINTS_OID |   |   |   |   |   |   |   | X |
| LDAP_SERVER_EXPECTED_ENTRY_COUNT_OID |   |   |   |   |   |   |   | X |
| LDAP_SERVER_POLICY_HINTS_OID |   |   |   |   |   |   |   | X |

\* This OID does not identify an LDAP extended control. Its presence in the supportedControl attribute indicates that the DC is capable of range retrieval (see section 3.1.1.3.1.3.2) of LDAP multivalued attributes. However, its absence does not indicate lack of support for range retrieval. This OID is not present in the supportedControl attribute of Windows 2000 DCs, but those DCs do support range retrieval.

\*\* Although exposed on the supportedControl attribute of Windows Server 2003 SP1, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012 DCs, this control is only functional on DCs running the Small Business Server version of that operating system.

A client sends a control to the DC by attaching a Control structure (defined in [RFC2251] section 4.1.12) to an LDAP operation. The client sets the controlType field to the control's OID and the controlValue field as specified in the discussion for the control that follows. If the controlValue field contains data that is not in conformance with the specification of the control, including the case where the controlValue field contains data and the specification of the control states that the controlValue field is omitted, then if the control is marked critical the server returns the error unavailableCriticalExtension / ERROR_INVALID_PARAMETER. If the controlValue field is incorrect but the control is not marked critical, the server ignores the control.
A control sent by the client to a DC is known as a request control. In some cases, the server includes a corresponding Control structure attached to the response for the LDAP operation. These controls, known as response controls, are discussed below in conjunction with the request control that causes that response control to be returned.
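The client-to-DC control mechanism described above, as an added example that is not code from MS-ADTS or from Microsoft: it BER-encodes the RFC 2251 section 4.1.12 Control structure for two controls from this page's table, and `server_accepts` applies the rule that a non-conforming controlValue is an error only when the control is marked critical. The `EXPECTS_VALUE` map (which controls carry a value) and the paged-results value layout (RFC 2696) are assumptions of the example, not taken from this page.

```python
# Added example, not MS-ADTS or Microsoft code: hand-rolled BER for the RFC 2251 4.1.12
# Control structure and the DC acceptance rule described above. OIDs are from this page.
LDAP_PAGED_RESULT_OID_STRING = "1.2.840.113556.1.4.319"  # controlValue required
LDAP_SERVER_SHOW_DELETED_OID = "1.2.840.113556.1.4.417"  # controlValue must be omitted
# Constructed subset of the page's controls: does the control carry a controlValue?
EXPECTS_VALUE = {LDAP_PAGED_RESULT_OID_STRING: True, LDAP_SERVER_SHOW_DELETED_OID: False}

def ber_tlv(tag, body):  # definite-length TLV, short or long length form
    ln = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    hdr = bytes([tag, len(body)]) if len(body) < 0x80 else bytes([tag, 0x80 | len(ln)]) + ln
    return hdr + body

def ber_int(v):  # two's-complement INTEGER, minimal for v >= 0
    return ber_tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))

def encode_control(oid, critical=False, value=None):
    """Control ::= SEQUENCE { controlType OCTET STRING, criticality BOOLEAN DEFAULT FALSE,
    controlValue OCTET STRING OPTIONAL }; a FALSE criticality is left out."""
    body = ber_tlv(0x04, oid.encode("ascii"))
    body += ber_tlv(0x01, b"\xff") if critical else b""
    body += ber_tlv(0x04, value) if value is not None else b""
    return ber_tlv(0x30, body)

def paged_results_value(size, cookie=b""):  # RFC 2696: SEQUENCE { size INTEGER, cookie OCTET STRING }
    return ber_tlv(0x30, ber_int(size) + ber_tlv(0x04, cookie))

def _read_tlv(buf, pos):  # -> (tag, contents, position after the TLV)
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long form: low 7 bits give the number of length octets
        n, pos = int.from_bytes(buf[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
    return tag, buf[pos:pos + n], pos + n

def decode_control(buf):  # -> (oid, critical, controlValue or None)
    tag, body, _ = _read_tlv(buf, 0)
    if tag != 0x30:
        raise ValueError("Control must be a SEQUENCE")
    pos, fields = 0, []
    while pos < len(body):
        t, v, pos = _read_tlv(body, pos)
        fields.append((t, v))
    critical = any(t == 0x01 and v != b"\x00" for t, v in fields[1:])
    values = [v for t, v in fields[1:] if t == 0x04]
    return fields[0][1].decode("ascii"), critical, (values[0] if values else None)

def server_accepts(control_bytes):
    """DC rule from the text: a controlValue that does not conform (including one present where
    the spec says it is omitted) is unavailableCriticalExtension if critical, else ignored."""
    oid, critical, value = decode_control(control_bytes)
    expected = EXPECTS_VALUE.get(oid)  # unknown OID: same treatment (RFC 2251 4.1.12)
    if expected is not None and (value is not None) == expected:
        return ("apply", oid)
    return ("error", 12) if critical else ("ignore", oid)  # 12 = unavailableCriticalExtension
```

A defender reviewing LDAP traffic can use the decoder to see which controls a client attaches and whether it asked for them as critical, which is what distinguishes a silently ignored malformed control from a failed operation.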
A brief description of each LDAP control is given in the following table. Additionally, each control is discussed in more detail in the sections that follow. References to ASN.1 and BER encoding in the following section are references to [ITUX680] and [ITUX690], respectively.
| Extended control name | Description |
|---|---|
| LDAP_PAGED_RESULT_OID_STRING | Splits the results of an LDAP search across multiple result sets. |
| LDAP_SERVER_CROSSDOM_MOVE_TARGET_OID | Used with an LDAP Modify DN operation to move an object from one domain to another domain. |
| LDAP_SERVER_DIRSYNC_OID | Used with an LDAP search operation to retrieve the changes made to objects since a previous LDAP_SERVER_DIRSYNC_OID search was performed. |
| LDAP_SERVER_DOMAIN_SCOPE_OID | Instructs the DC not to generate LDAP continuation references in response to a search operation. |
| LDAP_SERVER_EXTENDED_DN_OID | Used to request that an LDAP search operation return DNs in an extended format containing the values of the objectGUID and objectSid attributes. |
| LDAP_SERVER_GET_STATS_OID | Used with an LDAP search request to instruct the DC to return statistical data related to how the search was performed. |
| LDAP_SERVER_LAZY_COMMIT_OID | Instructs the DC that it MAY sacrifice durability guarantees on updates to improve performance. |
| LDAP_SERVER_PERMISSIVE_MODIFY_OID | Instructs the DC that an LDAP modify should succeed even if it attempts to add a value already present on the attribute or remove a value not present on the attribute. |
| LDAP_SERVER_NOTIFICATION_OID | Used with an LDAP search operation to register the client to be notified when changes are made to an object in the directory. |
| LDAP_SERVER_SD_FLAGS_OID | Instructs the DC which portions of a Windows security descriptor to retrieve during an LDAP search operation. |
| LDAP_SERVER_SEARCH_OPTIONS_OID | Used to pass flags to the DC to control search behaviors; specifically, to prevent LDAP continuation references from being generated and to search all NC replicas that are subordinate to the search base, even if the search base is not instantiated on the DC. |
| LDAP_SERVER_SORT_OID and LDAP_SERVER_RESP_SORT_OID | Request and response controls, respectively, for instructing the DC to sort the search results. |
| LDAP_SERVER_SHOW_DELETED_OID | Used with an LDAP operation to specify that tombstones and deleted-objects are visible to the operation. |
| LDAP_SERVER_TREE_DELETE_OID | Used with an LDAP delete operation to cause the server to recursively delete the entire subtree of objects located under the object specified in the search request (including the specified object). |
| LDAP_SERVER_VERIFY_NAME_OID | Permits the client to specify which GC the DC should use when processing an add or modify request to verify the existence of any objects pointed to by DN attribute values. |
| LDAP_CONTROL_VLVREQUEST and LDAP_CONTROL_VLVRESPONSE | Request and response control, respectively, used with an LDAP search operation to retrieve a "sliding window" subset of the objects that satisfy the search request. |
| LDAP_SERVER_ASQ_OID | Used to specify that an LDAP search operation should not be performed against the object specified as the base in the search, but rather against the set of objects named by a specified attribute of Object(DS-DN) syntax on the base object. |
| LDAP_SERVER_QUOTA_CONTROL_OID | Used with an LDAP search operation to retrieve the quota of a user. |
| LDAP_SERVER_RANGE_OPTION_OID | Indicates that the server is capable of range retrieval (see section 3.1.1.3.1.3.2). |
| LDAP_SERVER_SHUTDOWN_NOTIFY_OID | Used with an LDAP search operation to cause the client to be notified when the DC is shutting down. |
| LDAP_SERVER_FORCE_UPDATE_OID | When attached to an LDAP update operation, causes the DC to perform the update even if that update would not affect the state of the DC. |
| LDAP_SERVER_RANGE_RETRIEVAL_NOERR_OID | Instructs the DC that, when performing a search using range retrieval (see section 3.1.1.3.1.3.2) on an attribute whose values are forward link values or back link values and the value of low is greater than or equal to the number of values in the attribute, no error should be returned. |
| LDAP_SERVER_RODC_DCPROMO_OID | This control is used as part of the process of promoting a computer to be an RODC. |
| LDAP_SERVER_DN_INPUT_OID | This control is used to specify the DN of an object during an LDAP operation. Currently this control is used only while retrieving the constructed attribute msDS-IsUserCachableAtRodc (see section 3.1.1.3.4.1.24). |
| LDAP_SERVER_SHOW_DEACTIVATED_LINK_OID | Used with an LDAP search operation to specify that link attributes that refer to deleted-objects are visible to the search operation. If used in conjunction with LDAP_SERVER_SHOW_DELETED_OID or LDAP_SERVER_SHOW_RECYCLED_OID, link attributes that are stored on deleted-objects are also visible to the search operation. This applies both to the search filter and the set of attributes returned by the search operation. |
| LDAP_SERVER_SHOW_RECYCLED_OID | Used with an LDAP operation to specify that tombstones, deleted-objects, and recycled-objects are visible to the operation. |
| LDAP_SERVER_POLICY_HINTS_DEPRECATED_OID | The LDAP_SERVER_POLICY_HINTS_DEPRECATED_OID control has the exact semantics and behaviors as LDAP_SERVER_POLICY_HINTS_OID (section 3.1.1.3.4.1.27); this control MAY be used by clients when the server does not support LDAP_SERVER_POLICY_HINTS_OID. Clients SHOULD use LDAP_SERVER_POLICY_HINTS_OID when it is supported by the server. |
| LDAP_SERVER_DIRSYNC_EX_OID | Used with an LDAP search operation to retrieve the changes made to objects since a previous LDAP_SERVER_DIRSYNC_EX_OID search was performed. |
| LDAP_SERVER_UPDATE_STATS_OID | The LDAP_SERVER_UPDATE_STATS_OID control indicates that the requester requires statistics from the DC. |
| LDAP_SERVER_TREE_DELETE_EX_OID | Used with an LDAP delete operation to cause the server to recursively delete the entire subtree of objects, up to a specified number of objects, located under the object specified in the search request (including the specified object). |
| LDAP_SERVER_SEARCH_HINTS_OID | Provides hints to the DC during LDAP search operations. |
| LDAP_SERVER_EXPECTED_ENTRY_COUNT_OID | Monitors the result of an LDAP search operation and potentially modifies the return code. |
| LDAP_SERVER_POLICY_HINTS_OID | Used with an LDAP operation to enforce password history policies during password set. |