Supported LDAP controls
LDAP controls provide a mechanism to extend the semantics and arguments of existing LDAP operations. One or more controls may be attached to a single LDAP message. A control only affects the semantics of the message it is attached to. Controls sent by clients are called request controls. Controls returned by servers are called response controls.
DS software supports the following LDAP controls.
Server controls
DS servers support the following controls:
- Account Usability Control
  Object Identifier: 1.3.6.1.4.1.42.2.27.9.5.8
  Sun Microsystems control to determine whether a user account can be used to authenticate to the directory.
- Assertion request control
  Object Identifier: 1.3.6.1.1.12
- Get Effective Rights request control
  Object Identifier: 1.3.6.1.4.1.42.2.27.9.5.2
  Internet-Draft: draft-ietf-ldapext-acl-model: Access Control Model for LDAPv3
- Internal Modifications control
  Object Identifier: 1.3.6.1.4.1.36733.2.1.5.3
  Proprietary control that provides additional modifications to a request for internal operations.
- Manage DSAIT request control
  Object Identifier: 2.16.840.1.113730.3.4.2
- Matched Values request control
  Object Identifier: 1.2.826.0.1.3344810.2.3
- No-Op Control
  Object Identifier: 1.3.6.1.4.1.4203.1.10.2
  Internet-Draft: draft-zeilenga-ldap-noop: LDAP No-Op Control
- Password Expired response control
  Object Identifier: 2.16.840.1.113730.3.4.4
  Internet-Draft: draft-vchu-ldap-pwd-policy: Password Policy for LDAP Directories
- Password Expiring response control
  Object Identifier: 2.16.840.1.113730.3.4.5
  Internet-Draft: draft-vchu-ldap-pwd-policy: Password Policy for LDAP Directories
- Password Policy response control
  Object Identifier: 1.3.6.1.4.1.42.2.27.8.5.1
- Password Quality Advice controls
  Object Identifier: 1.3.6.1.4.1.36733.2.1.5.5
  Proprietary controls used for requesting and returning structured password quality advice. The request and response controls share the same OID.
  Interface stability: Evolving.
- Permissive Modify request control
  Object Identifier: 1.2.840.113556.1.4.1413
  Microsoft defined this control as one that "Allows an LDAP modify to work under less restrictive conditions. Without it, a delete will fail if an attribute does not exist, and an add will fail if an attribute already exists. No data is needed in this control." (source of quote)
- Persistent Search request control
  Object Identifier: 2.16.840.1.113730.3.4.3
- Post-Read request control
  Object Identifier: 1.3.6.1.1.13.2
- Post-Read response control
  Object Identifier: 1.3.6.1.1.13.2
- Pre-Read request control
  Object Identifier: 1.3.6.1.1.13.1
- Pre-Read response control
  Object Identifier: 1.3.6.1.1.13.1
- Proxied Authorization v2 request control
  Object Identifier: 2.16.840.1.113730.3.4.18
- Public Changelog Exchange Control
  Object Identifier: 1.3.6.1.4.1.26027.1.5.4
  DS control for using the bookmark cookie when reading the external change log.
- Real Attributes Only Request Control
  Object Identifier: 2.16.840.1.113730.3.4.17
  Netscape control indicating that the request is only for attributes actually contained in the entry. The server does not return virtual attributes, even if they are explicitly requested.
  The control has no value.
- Relax Rules Control
  Object Identifier: 1.3.6.1.4.1.4203.666.5.12
  Experimental LDAP control allowing a directory client application to request temporary relaxation of data and service model rules.
  This control is always critical and has no value.
- Replication Context control
  Object Identifier: 1.3.6.1.4.1.36733.2.1.5.4
  Proprietary control used internally to provide replication-related context to requests. This control may be removed in the future.
- Replication repair control
  Object Identifier: 1.3.6.1.4.1.26027.1.5.2
  DS control used to modify the content of a replicated database on a single server without affecting the other servers that replicate with this server.
- Server-Side Sort request control
  Object Identifier: 1.2.840.113556.1.4.473
- Simple Paged Results Control
  Object Identifier: 1.2.840.113556.1.4.319
- Subentries request controls
  Object Identifier: 1.3.6.1.4.1.4203.1.10.1
  Object Identifier: 1.3.6.1.4.1.7628.5.101.1
  Internet-Draft: draft-ietf-ldup-subentry: LDAP Subentry Schema
- Subtree Delete request control
  Object Identifier: 1.2.840.113556.1.4.805
  Internet-Draft: draft-armijo-ldap-treedelete: Tree Delete Control
- Transaction ID control
  Object Identifier: 1.3.6.1.4.1.36733.2.1.5.1
  Proprietary control enabling the common audit framework to associate an ID with a request. The ID is recorded with audit events, and can be used to correlate and track user interactions as they traverse the components of the Ping Identity Platform.
  The control's value is the UTF-8 encoding of the transaction ID.
- Virtual List View request control
  Object Identifier: 2.16.840.1.113730.3.4.9
- Virtual Attributes Only Request Control
  Object Identifier: 2.16.840.1.113730.3.4.19
  Netscape control indicating that the request is only for virtual attributes. The server does not return real attributes contained in the entry, even if they are explicitly requested.
  The control has no value.
Client controls
The Java SDK supports the following additional controls:
- Active Directory change notification control
  Object Identifier: 1.2.840.113556.1.4.528
  Microsoft Active Directory control for a client application to register with the directory to receive change notifications.
- Entry Change Notification response control
  Object Identifier: 2.16.840.1.113730.3.4.7
- Load Balancer Connection Affinity control
  Object Identifier: 1.3.6.1.4.1.36733.2.1.5.2
  Proprietary control that provides a value for connection affinity when using a load balancer from the LDAP SDK.
  When you use a DS SDK load balancer that does not support connection affinity, attach this control to LDAP operations that require affinity load balancing.
- Server-Side Sort response control
  Object Identifier: 1.2.840.113556.1.4.474
- Virtual List View response control
  Object Identifier: 2.16.840.1.113730.3.4.10