LDAP_SERVER_SD_FLAGS_OID

Overview

LDAP_SERVER_SD_FLAGS_OID (1.2.840.113556.1.4.801) is a SupportedControl for Microsoft Active Directory that is used with an LDAP SearchRequest to control the portion of a Windows Security Descriptor to retrieve.

Typically a Domain Controller returns only the specified portion of the Security Descriptor. It is also used with LDAP Add Request and Modify Request to control the portion of a Windows security descriptor to modify.

When sending this control to the DC, the controlValue field is set to the BER encoding of the following ASN.1 structure.

SDFlagsRequestValue ::= SEQUENCE {
     Flags    INTEGER
}

The value of the control is an integer, which is used to identify which Security Descriptor (SD) parts the client intends to read or modify. When the control is not specified, the default value of 15 (0x0000000F) is used.
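
The encoding described above, as an added example that is not part of the original page: Python that builds and strictly parses the controlValue. The bit names and values (owner 0x1, group 0x2, DACL 0x4, SACL 0x8) are taken from Microsoft's protocol documentation rather than from this page, and the function names are hypothetical.

```python
# Added example (not from the original page): SDFlagsRequestValue in BER.
SD_FLAGS_OID = "1.2.840.113556.1.4.801"

# Assumption: bit names/values follow Microsoft's protocol documentation;
# the page itself only gives the default of 15 (0x0000000F).
OWNER_SECURITY_INFORMATION = 0x1
GROUP_SECURITY_INFORMATION = 0x2
DACL_SECURITY_INFORMATION = 0x4
SACL_SECURITY_INFORMATION = 0x8
DEFAULT_FLAGS = 0xF
PARTS = {0x1: "owner", 0x2: "group", 0x4: "DACL", 0x8: "SACL"}


def encode_sd_flags(flags):
    """Return the BER controlValue: SEQUENCE { Flags INTEGER }."""
    if not 0 <= flags <= 0xFFFFFFFF:  # assumption: unsigned 32-bit flag word
        raise ValueError("flags out of range")
    # Minimal two's-complement octets; the +1 yields the leading 0x00 that
    # keeps values such as 0x80 from being read back as negative.
    content = flags.to_bytes(flags.bit_length() // 8 + 1, "big")
    integer = b"\x02" + bytes([len(content)]) + content
    return b"\x30" + bytes([len(integer)]) + integer


def decode_sd_flags(value):
    """Parse a controlValue strictly; reject trailing or malformed data."""
    if not 5 <= len(value) < 0x80 or value[0] != 0x30 or value[1] != len(value) - 2:
        raise ValueError("expected a short-form SEQUENCE spanning the value")
    if value[2] != 0x02 or value[3] != len(value) - 4:
        raise ValueError("SEQUENCE must contain exactly one INTEGER")
    flags = int.from_bytes(value[4:], "big", signed=True)
    if flags < 0:
        raise ValueError("negative Flags value")
    return flags


def sd_parts(flags):
    """Name the Security Descriptor parts selected by the flags."""
    return [name for bit, name in PARTS.items() if flags & bit]


if __name__ == "__main__":
    for flags in (DACL_SECURITY_INFORMATION, DEFAULT_FLAGS, 0x80):
        value = encode_sd_flags(flags)
        print(f"{flags:#04x} -> {value.hex()} {sd_parts(decode_sd_flags(value))}")
```
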

The Security Descriptor parts are identified using the following bit values:

If the LDAP_SERVER_SD_FLAGS_OID control is present in an LDAP SearchRequest, the server returns a Security Descriptor with the parts specified in the control when:

  • the Security Descriptor attribute name is explicitly mentioned in the requested attribute list
  • the requested attribute list is empty
  • all attributes are requested (RFC 2251 section 4.5.1).

Without the presence of this control, the server returns a Security Descriptor only when the Security Descriptor attribute name is explicitly mentioned in the requested attribute list.

For Modify Request operations, the bits identify which Security Descriptor parts are affected by the operation.

The client might supply values for other (or all) Security Descriptor fields. However, the server only updates the fields that are identified by the LDAP_SERVER_SD_FLAGS_OID control. The remaining fields are ignored.

When performing an LDAP Add Request operation, the client can supply a Security Descriptor flags control with the operation; however, it will be ignored by the server.
