This page (revision-1) was last changed on 29-Nov-2024 16:16 by UnknownAuthor

!!! Overview
[{$pagename}] ([1.2.840.113556.1.4.801]) is a [SupportedControl] for [Microsoft Active Directory] that is used with an [LDAP] [SearchRequest] to control which portion of a Windows [Security Descriptor] is retrieved.
Typically a [Domain Controller] returns only the specified portion of the [Security Descriptor]. It is also used with [LDAP] [Add Request] and [Modify Request] to control the portion of a Windows security descriptor to modify.
When sending this control to the DC, the controlValue field is set to the [BER] encoding of the following [ASN.1] structure.
{{{SDFlagsRequestValue ::= SEQUENCE {
Flags INTEGER
}
}}}
The value of the control is an [integer], which is used to identify which [Security Descriptor] (SD) parts the client intends to read or modify. When the control is not specified, the default value of 15 (0x0000000F) is used.
The [Security Descriptor] parts are identified using the following [bit] values:
* [OWNER_SECURITY_INFORMATION]
* [GROUP_SECURITY_INFORMATION]
* [DACL_SECURITY_INFORMATION]
* [SACL_SECURITY_INFORMATION]
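
The controlValue encoding described above, as an added example that is not part of the original page or of Microsoft's documentation. The numeric bit values are the standard Windows SECURITY_INFORMATION constants and are not listed on this page; the function names are hypothetical.

```python
from enum import IntFlag

SD_FLAGS_OID = "1.2.840.113556.1.4.801"  # control OID given on this page

class SDFlags(IntFlag):
    # Values from the Windows SECURITY_INFORMATION definitions (not on this page)
    OWNER_SECURITY_INFORMATION = 0x1
    GROUP_SECURITY_INFORMATION = 0x2
    DACL_SECURITY_INFORMATION = 0x4
    SACL_SECURITY_INFORMATION = 0x8

DEFAULT_FLAGS = 15  # value the page says applies when the control is not specified

def _ber_len(n: int) -> bytes:
    """BER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw

def encode_sd_flags(flags: int) -> bytes:
    """Return the controlValue bytes: SEQUENCE { Flags INTEGER }."""
    if flags < 0:
        raise ValueError("flags must be non-negative")
    # INTEGER content is minimal two's complement; the spare bit keeps it positive
    body = int(flags).to_bytes(int(flags).bit_length() // 8 + 1, "big")
    integer = b"\x02" + _ber_len(len(body)) + body
    return b"\x30" + _ber_len(len(integer)) + integer

def decode_sd_flags(value: bytes) -> int:
    """Parse a controlValue (short-form lengths only) and return the flag bits."""
    if len(value) < 5 or value[0] != 0x30 or value[1] >= 0x80:
        raise ValueError("not a short-form SEQUENCE")
    if value[1] != len(value) - 2:
        raise ValueError("SEQUENCE length does not match the buffer")
    if value[2] != 0x02 or value[3] != len(value) - 4:
        raise ValueError("SEQUENCE does not hold exactly one INTEGER")
    flags = int.from_bytes(value[4:], "big", signed=True)
    if flags < 0:
        raise ValueError("negative Flags value")
    return flags

def sd_parts(flags: int) -> list:
    """Names of the Security Descriptor parts selected by the flag bits."""
    return [f.name for f in SDFlags if flags & f]
```
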
If the [{$pagename}] control is present in an LDAP [SearchRequest], the server returns a [Security Descriptor] with the parts specified in the control when:
* the [Security Descriptor] [attribute] name is explicitly mentioned in the requested attribute list
* the requested attribute list is empty
* all attributes are requested ([RFC 2251] section 4.5.1).
Without this control, the server returns a [Security Descriptor] only when the [Security Descriptor] [attribute] name is explicitly mentioned in the requested attribute list.
For [Modify Request] operations, the bits identify which [Security Descriptor] parts are affected by the operation.
%%warning
The client might supply values for other (or all) [Security Descriptor] fields. However, the server only updates the fields that are identified by the [{$pagename}] control. The remaining fields are ignored.\\
%%
%%warning
When performing an [LDAP] [Add Request] operation, the client can supply a [Security Descriptor] flags control with the operation; however, it __will be ignored by the server__.
%%
!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]
----
* [#1] - [3.1.1.3.4.1.11 LDAP_SERVER_SD_FLAGS_OID|https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/3888c2b7-35b9-45b7-afeb-b772aa932dd0|target='_blank'] - based on information obtained 2019-02-28
* [#2] - [6.1.3.2 SD Flags Control|https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/932a7a8d-8c93-4448-8093-c79b7d9ba499|target='_blank'] - based on information obtained 2019-02-28