---
title: Supported LDAP controls
description: Controls provide a mechanism to extend the semantics and arguments of existing Lightweight Directory Access Protocol (LDAP) operations. You attach one or more controls to a single LDAP message. A control only affects the semantics of the message it is attached to. Controls sent by clients are called request controls. Controls returned by servers are called response controls.
component: pingds
version: 8.1
page_id: pingds:ldap-reference:controls
canonical_url: https://docs.pingidentity.com/pingds/8.1/ldap-reference/controls.html
revdate: 2025-10-22T14:42:39Z
keywords: ["Features", "LDAP", "Standards"]
section_ids:
  server_controls: Server controls
  client_controls: Client controls
---

# Supported LDAP controls

Controls provide a mechanism to extend the semantics and arguments of existing Lightweight Directory Access Protocol (LDAP) operations. You attach one or more controls to a single LDAP message. A control only affects the semantics of the message it is attached to. Controls sent by clients are called *request controls*. Controls returned by servers are called *response controls*.

DS software supports the following LDAP controls.

## Server controls

DS servers support the following controls:

* Account Usability Control

  Object Identifier: 1.3.6.1.4.1.42.2.27.9.5.8

  Sun Microsystems control to determine whether a user account can be used to authenticate to the directory.

- Assertion request control

  Object Identifier: 1.3.6.1.1.12

  RFC: [RFC 4528: Lightweight Directory Access Protocol (LDAP) Assertion Control](https://www.rfc-editor.org/info/rfc4528)

* Authorization Identity request control

  Object Identifier: 2.16.840.1.113730.3.4.16

  RFC: [RFC 3829: Lightweight Directory Access Protocol (LDAP) Authorization Identity Request and Response Controls](https://www.rfc-editor.org/info/rfc3829)

- Get Effective Rights request control

  Object Identifier: 1.3.6.1.4.1.42.2.27.9.5.2

  Internet-Draft: [draft-ietf-ldapext-acl-model: Access Control Model for LDAPv3](https://datatracker.ietf.org/doc/html/draft-ietf-ldapext-acl-model)

* Internal Modifications control

  Object Identifier: 1.3.6.1.4.1.36733.2.1.5.3

  Proprietary control that provides additional modifications to a request for internal operations.

- Manage DSAIT request control

  Object Identifier: 2.16.840.1.113730.3.4.2

  RFC: [RFC 3296: Named Subordinate References in Lightweight Directory Access Protocol (LDAP) Directories](https://www.rfc-editor.org/info/rfc3296)

* Matched Values request control

  Object Identifier: 1.2.826.0.1.3344810.2.3

  RFC: [RFC 3876: Returning Matched Values with the Lightweight Directory Access Protocol version 3 (LDAPv3)](https://www.rfc-editor.org/info/rfc3876)

- No-Op Control

  Object Identifier: 1.3.6.1.4.1.4203.1.10.2

  Internet-Draft: [draft-zeilenga-ldap-noop: LDAP No-Op Control](https://datatracker.ietf.org/doc/html/draft-zeilenga-ldap-noop-01)

* Password Expired response control

  Object Identifier: 2.16.840.1.113730.3.4.4

  Internet-Draft: [draft-vchu-ldap-pwd-policy: Password Policy for LDAP Directories](https://datatracker.ietf.org/doc/html/draft-vchu-ldap-pwd-policy)

- Password Expiring response control

  Object Identifier: 2.16.840.1.113730.3.4.5

  Internet-Draft: [draft-vchu-ldap-pwd-policy: Password Policy for LDAP Directories](https://datatracker.ietf.org/doc/html/draft-vchu-ldap-pwd-policy)

* Password Policy response control

  Object Identifier: 1.3.6.1.4.1.42.2.27.8.5.1

  Internet-Draft: [draft-behera-ldap-password-policy: Password Policy for LDAP Directories](https://datatracker.ietf.org/doc/html/draft-behera-ldap-password-policy)

- Password Quality Advice controls

  Object Identifier: 1.3.6.1.4.1.36733.2.1.5.5

  Proprietary controls that are used for requesting and returning structured password quality advice. The request and response controls share the same OID.

  Interface stability: *Evolving*.

* Permissive Modify request control

  Object Identifier: 1.2.840.113556.1.4.1413

  Microsoft defined this control, describing it as follows: "Allows an LDAP modify to work under less restrictive conditions. Without it, a delete will fail if an attribute does not exist, and an add will fail if an attribute already exists. No data is needed in this control." ([source of quote](http://www.alvestrand.no/objectid/1.2.840.113556.1.4.1413.html))

- Persistent Search request control

  Object Identifier: 2.16.840.1.113730.3.4.3

  Internet-Draft: [draft-ietf-ldapext-psearch: Persistent Search: A Simple LDAP Change Notification Mechanism](https://datatracker.ietf.org/doc/html/draft-ietf-ldapext-psearch)

* Post-Read request control

  Object Identifier: 1.3.6.1.1.13.2

  RFC: [RFC 4527: Lightweight Directory Access Protocol (LDAP) Read Entry Controls](https://www.rfc-editor.org/info/rfc4527)

- Post-Read response control

  Object Identifier: 1.3.6.1.1.13.2

  RFC: [RFC 4527: Lightweight Directory Access Protocol (LDAP) Read Entry Controls](https://www.rfc-editor.org/info/rfc4527)

* Pre-Read request control

  Object Identifier: 1.3.6.1.1.13.1

  RFC: [RFC 4527: Lightweight Directory Access Protocol (LDAP) Read Entry Controls](https://www.rfc-editor.org/info/rfc4527)

- Pre-Read response control

  Object Identifier: 1.3.6.1.1.13.1

  RFC: [RFC 4527: Lightweight Directory Access Protocol (LDAP) Read Entry Controls](https://www.rfc-editor.org/info/rfc4527)

* Proxied Authorization v1 request control

  Object Identifier: 2.16.840.1.113730.3.4.12

  Internet-Draft: [draft-weltman-ldapv3-proxy-04: LDAP Proxied Authorization Control](https://datatracker.ietf.org/doc/html/draft-weltman-ldapv3-proxy-04)

- Proxied Authorization v2 request control

  Object Identifier: 2.16.840.1.113730.3.4.18

  RFC: [RFC 4370: Lightweight Directory Access Protocol (LDAP) Proxied Authorization Control](https://www.rfc-editor.org/info/rfc4370)

* Public Changelog Exchange Control

  Object Identifier: 1.3.6.1.4.1.26027.1.5.4

  DS control for using the bookmark cookie when reading the external change log.

- Real Attributes Only Request Control

  Object Identifier: 2.16.840.1.113730.3.4.17

  Netscape control indicating that the request is only for attributes actually contained in the entry. Do not return virtual attributes even if they are explicitly requested.

  The control has no value.

* Relax Rules Control

  Object Identifier: 1.3.6.1.4.1.4203.666.5.12

  Experimental LDAP control allowing a directory client application to request temporary relaxation of data and service model rules.

  This control is always critical and doesn't have a value.

- Replication Context control

  Object Identifier: 1.3.6.1.4.1.36733.2.1.5.4

  Proprietary control used internally to provide some replication-related context to requests. This control may be removed in the future.

* Replication repair control

  Object Identifier: 1.3.6.1.4.1.26027.1.5.2

  DS control that is used to modify the content of a replicated database on a single server without impacting the other servers that are replicated with this server.

- Server-Side Sort request control

  Object Identifier: 1.2.840.113556.1.4.473

  RFC: [RFC 2891: LDAP Control Extension for Server Side Sorting of Search Results](https://www.rfc-editor.org/info/rfc2891)

* Simple Paged Results Control

  Object Identifier: 1.2.840.113556.1.4.319

  RFC: [RFC 2696: LDAP Control Extension for Simple Paged Results Manipulation](https://www.rfc-editor.org/info/rfc2696)

- Structured errors control

  Object Identifier: 1.3.6.1.4.1.36733.2.1.5.9

  DS control to request JSON-format structured error responses similar to the following:

  ```
  # Structured error: { "reason": <string>, "parameters": <object-listing-violations> }
  ```

  Not all errors have structured error responses.

* Subentries request controls

  Object Identifier: 1.3.6.1.4.1.4203.1.10.1

  RFC: [RFC 3672: Subentries in the Lightweight Directory Access Protocol (LDAP)](https://www.rfc-editor.org/info/rfc3672)

  Object Identifier: 1.3.6.1.4.1.7628.5.101.1

  Internet-Draft: [draft-ietf-ldup-subentry: LDAP Subentry Schema](https://datatracker.ietf.org/doc/html/draft-ietf-ldup-subentry)

- Subtree Delete request control

  Object Identifier: 1.2.840.113556.1.4.805

  Internet-Draft: [draft-armijo-ldap-treedelete: Tree Delete Control](https://datatracker.ietf.org/doc/html/draft-armijo-ldap-treedelete)

* Transaction ID control

  Object Identifier: 1.3.6.1.4.1.36733.2.1.5.1

  Proprietary control enabling the common audit framework to associate an ID with a request. The ID is recorded with audit events, and can be used to correlate and track user interactions as they traverse the components of the Ping Identity Platform.

  The control's value is the UTF-8 encoding of the transaction ID.

- Virtual List View request control

  Object Identifier: 2.16.840.1.113730.3.4.9

  Internet-Draft: [draft-ietf-ldapext-ldapv3-vlv: LDAP Extensions for Scrolling View Browsing of Search Results](https://datatracker.ietf.org/doc/html/draft-ietf-ldapext-ldapv3-vlv)

* Virtual Attributes Only Request Control

  Object Identifier: 2.16.840.1.113730.3.4.19

  Netscape control indicating that the request is only for virtual attributes. Do not return real attributes contained in the entry even if they are explicitly requested.

  The control has no value.

- W3C Trace Context Control

  Object Identifier: 1.3.6.1.4.1.36733.2.1.5.7

  Proprietary control to propagate [W3C trace context](https://www.w3.org/TR/trace-context) for distributed tracing.

  The control's value is a trace parent ID and an optional trace state.

## Client controls

The Java SDK supports the following additional controls:

* Active Directory change notification control

  Object Identifier: 1.2.840.113556.1.4.528

  Microsoft Active Directory control for a client application to register with the directory to receive change notifications.

- Authorization Identity response control

  Object Identifier: 2.16.840.1.113730.3.4.15

  RFC: [RFC 3829: Lightweight Directory Access Protocol (LDAP) Authorization Identity Request and Response Controls](https://www.rfc-editor.org/info/rfc3829)

* Entry Change Notification response control

  Object Identifier: 2.16.840.1.113730.3.4.7

  Internet-Draft: [draft-ietf-ldapext-psearch: Persistent Search: A Simple LDAP Change Notification Mechanism](https://datatracker.ietf.org/doc/html/draft-ietf-ldapext-psearch)

- Load Balancer Connection Affinity control

  Object Identifier: 1.3.6.1.4.1.36733.2.1.5.2

  Proprietary control that provides a value for connection affinity when using a load balancer from the LDAP SDK.

  When you use a DS SDK load balancer that does not support connection affinity, attach this control to LDAP operations that require affinity load balancing.

* Server-Side Sort response control

  Object Identifier: 1.2.840.113556.1.4.474

  RFC: [RFC 2891: LDAP Control Extension for Server Side Sorting of Search Results](https://www.rfc-editor.org/info/rfc2891)

- Virtual List View response control

  Object Identifier: 2.16.840.1.113730.3.4.10

  Internet-Draft: [draft-ietf-ldapext-ldapv3-vlv: LDAP Extensions for Scrolling View Browsing of Search Results](https://datatracker.ietf.org/doc/html/draft-ietf-ldapext-ldapv3-vlv)
