Overview#
An LDAP control is an element that may be included in an LDAP Message. If it is included in a request message, it can be used to provide additional information about the way that the operation should be processed. If it is included in the response message, it can be used to provide additional information about the way the operation was processed. The SupportedControl values for a particular LDAP server can be obtained by querying the RootDSE.
Examples of LDAP controls include:
- Account Usability Request Control -- This is a pair of request and response controls that indicate whether an account is able to authenticate to the server.
- Authorization Identity Request Control -- This is a pair of request and response controls that may be used to determine the authorization identity for a user as part of a bind operation.
- Entry Change Notification Control -- This is a control that is included in search result entry messages returned as part of a persistent search to indicate how an entry has been updated.
- Get Effective Rights Control -- This is a request control that may be used to obtain information about what rights a user has for accessing a given entry.
- LDAP Assertion Control -- This is a request control that may be used to ensure that an operation is only processed if the target entry matches a given assertion filter.
- LDAP No-Op Control -- This is a request control that may be used to ensure that a write operation does not actually change any information in the server but attempts to determine whether the operation would otherwise be successful.
- LDAP Post-Read Control -- This is a pair of request and response controls that may be used to retrieve an entry as it appeared immediately after performing an add, modify, or modify DN operation.
- LDAP Pre-Read Control -- This is a pair of request and response controls that may be used to retrieve an entry as it appeared immediately before performing a delete, modify, or modify DN operation.
- Manage DSA IT Control -- This is a request control that may be used to request that the server treat smart referrals as regular entries rather than as referrals.
- Matched Values Control -- This is a request control that may be used to request that entries returned from a search operation only include values matching a given filter.
- Persistent Search Control -- This is a request control that may be used to receive notification whenever an entry matching a given set of criteria is updated in the server.
- Proxied Authorization Control -- This is a request control that may be used to request that an operation be performed under the authorization of another user.
- Server Side Sort Control -- This is a request control that may be used to request that the server sort the results before returning them to the client.
- Simple Paged Results Control -- This is a request control that may be used to request that the server retrieve only a subset of the results, and when used repeatedly can allow the client to page through the result set.
- Virtual List View Control -- This is a pair of request and response controls that may be used to retrieve an arbitrary page of search results from the server.
- LDAP Dereference Control -- This is a control that allows a DUA to request that the DSA return specific attributes of linked entries along with the link, under the assumption that the DSA can perform this operation more efficiently than the DUA could by performing the complete sequence of required search operations itself.
- LDAP Extensions and Controls Listing -- A perhaps more complete listing of SupportedControl values. We have an extensive LDAP Extensions and Controls Listing.
Definition#
An LDAP control is defined as follows:

    Control ::= SEQUENCE {
        controlType   LDAPOID,
        criticality   BOOLEAN DEFAULT FALSE,
        controlValue  OCTET STRING OPTIONAL }

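A decoder and encoder for the Control structure defined above, given here as an added example that is not part of the original page. It assumes the BER rules LDAP uses (definite lengths, LDAPOID carried as an OCTET STRING of dotted text, a FALSE criticality omitted on encode); the function names and the sample bytes are constructed for illustration.

```python
def _read_tlv(buf, pos):
    """Return (tag, value_bytes, next_pos) for one definite-length BER element."""
    if pos + 2 > len(buf):
        raise ValueError("truncated element header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits count the length octets
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("indefinite or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("element overruns buffer")
    return tag, buf[pos:pos + length], pos + length

def decode_control(data):
    """Decode one Control into (controlType, criticality, controlValue)."""
    tag, body, end = _read_tlv(data, 0)
    if tag != 0x30 or end != len(data):
        raise ValueError("not a single SEQUENCE")
    tag, oid, pos = _read_tlv(body, 0)
    if tag != 0x04:                        # LDAPOID is an OCTET STRING
        raise ValueError("controlType must be an OCTET STRING")
    criticality, value = False, None       # DEFAULT FALSE / OPTIONAL absent
    if pos < len(body) and body[pos] == 0x01:
        _, flag, pos = _read_tlv(body, pos)
        if len(flag) != 1:
            raise ValueError("BOOLEAN must be one octet")
        criticality = flag != b"\x00"
    if pos < len(body) and body[pos] == 0x04:
        _, value, pos = _read_tlv(body, pos)
    if pos != len(body):
        raise ValueError("unexpected trailing element")
    return oid.decode("ascii"), criticality, value

def encode_control(oid, criticality=False, value=None):
    """Encode a Control; short-form lengths only (content under 128 bytes)."""
    body = b"\x04" + bytes([len(oid)]) + oid.encode("ascii")
    if criticality:                        # omitted when FALSE, per the DEFAULT
        body += b"\x01\x01\xff"
    if value is not None:
        body += b"\x04" + bytes([len(value)]) + value
    if len(body) > 127:
        raise ValueError("example encoder handles short-form lengths only")
    return b"\x30" + bytes([len(body)]) + body

# Constructed sample: Manage DSA IT Control (RFC 3296), critical, no controlValue.
SAMPLE = encode_control("2.16.840.1.113730.3.4.2", criticality=True)
```
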
The elements of a control include:
You can enhance an LDAP search by Searching Using Controls.
eDirectory LDAP Virtual List View and Server Side Sort Controls
More Information#
There might be more information for this subject on one of the following:
- 1.3.6.1.4.1.1466.101.120.13
- 1.3.6.1.4.1.1466.101.120.7
- 1.3.6.1.4.1.1466.20037
- 1.3.6.1.4.1.42.2.27.8.5.1
- Account Usability Request Control
- Active Directory Service Interfaces
- Authorization Identity Request Control
- Control
- ControlType
- ControlValue
- Criticality
- DACL_SECURITY_INFORMATION
- Differences between LDAP 2 and 3 Protocols
- Directory Synchronization Control
- Directory Synchronization Control Extended
- Draft-behera-ldap-password-policy
- DxPwdMustChange
- Entry Change Notification Control
- GROUP_SECURITY_INFORMATION
- Get Effective Rights Control
- Glossary Of LDAP And Directory Terminology
- How To Use The Password Policy Control
- InsufficientPasswordQuality
- LDAP
- LDAP Assertion Control
- LDAP Dereference Control
- LDAP Extensions and Controls Listing
- LDAP Grouping of Related Operations
- LDAP Object Identifier Descriptors
- LDAP Post-Read Control
- LDAP Pre-Read Control
- LDAP Protocol Mechanisms
- LDAP Result Codes
- LDAP_CONTROL_NOT_FOUND
- LDAP_SERVER_BATCH_REQUEST_OID
- LDAP_SERVER_DOMAIN_SCOPE_OID
- LDAP_SERVER_EXTENDED_DN_OID
- LDAP_SERVER_PERMISSIVE_MODIFY
- LDAP_SERVER_RANGE_OPTION_OID
- LDAP_SERVER_SD_FLAGS_OID
- LDAP_SERVER_SEARCH_OPTIONS_OID
- Manage DSA IT Control
- Matched Values Control
- MustSupplyOldPassword
- OID
- OWNER_SECURITY_INFORMATION
- Password Expiration
- PasswordInHistory
- PasswordModNotAllowed
- PasswordPolicyRequest
- PasswordPolicyResponse
- PasswordTooShort
- PasswordTooYoung
- Persistent Search Control
- Proxied Authorization Control
- Real Attributes Only Control
- RootDSE
- SACL_SECURITY_INFORMATION
- SERVER_SEARCH_FLAG_DOMAIN_SCOPE
- Security Descriptor
- Simple Paged Results Control
- Simple Password
- Subtree Delete Control
- Transaction Specification Control
- View the Available Controls
- Virtual Attributes Only Control
- Virtual List View Control
- [#1] - 3.1.1.3.4.1 LDAP Extended Controls
- based on information obtained 2020-04-20