Overview#
LDAP_SERVER_SD_FLAGS_OID (1.2.840.113556.1.4.801) is a SupportedControl for Microsoft Active Directory and is used with an LDAP SearchRequest to control the portion of a Windows Security Descriptor to retrieve. Typically a Domain Controller returns only the specified portion of the Security Descriptor. It is also used with LDAP Add Request and Modify Request to control the portion of a Windows security descriptor to modify.
When sending this control to the DC, the controlValue field is set to the BER encoding of the following ASN.1 structure.
SDFlagsRequestValue ::= SEQUENCE { Flags INTEGER }
The value of the control is an integer, which is used to identify which Security Descriptor (SD) parts the client intends to read or modify. When the control is not specified, the default value of 15 (0x0000000F) is used.
The Security Descriptor parts are identified using the following bit values:
- OWNER_SECURITY_INFORMATION
- GROUP_SECURITY_INFORMATION
- DACL_SECURITY_INFORMATION
- SACL_SECURITY_INFORMATION
If the LDAP_SERVER_SD_FLAGS_OID control is present in an LDAP SearchRequest, the server returns a Security Descriptor with the parts specified in the control when:
- the Security Descriptor attribute name is explicitly mentioned in the requested attribute list
- the requested attribute list is empty
- all attributes are requested (RFC 2251 section 4.5.1).
For Modify Request operations, the bits identify which Security Descriptor parts are affected by the operation.
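The controlValue encoding described above, as an added example that is not part of the original page or of Microsoft's documentation: a small Python codec that builds and parses the BER-encoded SDFlagsRequestValue and names the selected parts. The numeric bit values are the standard Windows SECURITY_INFORMATION constants, which this page names but does not list; the function names are hypothetical.

```python
# Added example: BER codec for SDFlagsRequestValue ::= SEQUENCE { Flags INTEGER }
SD_FLAGS_OID = "1.2.840.113556.1.4.801"

# Standard Windows SECURITY_INFORMATION bit values (named, not listed, on the page)
PARTS = {
    0x1: "OWNER_SECURITY_INFORMATION",
    0x2: "GROUP_SECURITY_INFORMATION",
    0x4: "DACL_SECURITY_INFORMATION",
    0x8: "SACL_SECURITY_INFORMATION",
}
DEFAULT_FLAGS = 0xF  # value the page gives for when the control is not specified


def encode_sd_flags(flags: int) -> bytes:
    """Return the controlValue bytes for the given flag bits."""
    if not 0 <= flags <= 0xFFFFFFFF:
        raise ValueError("flags must fit in an unsigned 32-bit value")
    # BER INTEGER is two's complement: leave room for a zero sign bit.
    body = flags.to_bytes(flags.bit_length() // 8 + 1, "big")
    integer = b"\x02" + bytes([len(body)]) + body      # INTEGER TLV
    return b"\x30" + bytes([len(integer)]) + integer   # SEQUENCE TLV


def decode_sd_flags(value: bytes) -> int:
    """Parse a controlValue (short-form lengths only) and return the flag bits."""
    if len(value) < 5 or value[0] != 0x30 or value[1] != len(value) - 2:
        raise ValueError("not a well-formed SEQUENCE")
    if value[2] != 0x02 or value[3] != len(value) - 4:
        raise ValueError("SEQUENCE must hold exactly one INTEGER")
    flags = int.from_bytes(value[4:], "big", signed=True)
    if flags < 0:
        raise ValueError("negative Flags value")
    return flags


def describe(flags: int) -> list:
    """List the Security Descriptor parts selected by the flag bits."""
    return [name for bit, name in PARTS.items() if flags & bit]


if __name__ == "__main__":
    for flags in (DEFAULT_FLAGS, 0x4, 0x1 | 0x4):
        raw = encode_sd_flags(flags)
        print(SD_FLAGS_OID, raw.hex(), describe(decode_sd_flags(raw)))
```
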
More Information#
There might be more information for this subject on one of the following:
- 1.2.840.113556.1.4.801
- DACL_SECURITY_INFORMATION
- GROUP_SECURITY_INFORMATION
- LDAP Extensions and Controls Listing
- LDAP_SERVER_BATCH_REQUEST_OID
- OWNER_SECURITY_INFORMATION
- SACL_SECURITY_INFORMATION
- Security Descriptor
- [#1] - 3.1.1.3.4.1.11 LDAP_SERVER_SD_FLAGS_OID - based on information obtained 2019-02-28
- [#2] - 6.1.3.2 SD Flags Control - based on information obtained 2019-02-28