A LDAP Control is an extension to an operation. It tells the server to do something aside the standard operation, or it let the server send back some information to the client. A Control contains three different parts :
There are many controls available, some being standardized, other being server specific.
One or more control can be added to any operation.
Note that either the client or the server might not know about the controls being used, and if the criticality flag is set to FALSE, the server will ignore the control in this case.
Here is the list of controls the LDAP API currently know about. The following short names are used to name the LDAP Servers that support each control.
The C/S column indicate if the control is sent to the server (S), or back to the client (C) or can be used both ways (C/S).
| Name | OID | Description | C/S | RFC | LDAP Servers |
|---|---|---|---|---|---|
| AdDirSync | 1.2.840.113556.1.4.841 | Microsoft LDAP Control for Directory Synchronization | C/S | DIRSync draft | AD |
| AdPolicyHints | 1.2.840.113556.1.4.223 | Enforces the password history length constraint during password set | S | LDAP_SERVER_POLICY_HINTS_OID | AD |
| AdShowDeleted | 1.2.840.113556.1.4.417 | DirSync search returns deleted entries | C | LDAP_SERVER_SHOW_DELETED_OID | AD |
| Cascade | 1.3.6.1.4.1.18060.0.0.1 | Used to ask the server to delete an entry and all its descendants | S | None | AP |
| ChangeNotifications | 1.2.840.113556.1.4.528 | Registers the client to be notified when changes are made to an object in Active Directory. | S | LDAP_SERVER_NOTIFICATION_OID | AD |
| EntryChange | 2.16.840.1.113730.3.4.7 | Provides a simple mechanism by which an LDAP client can receive notification of changes that occur in an LDAP server | C | Persistent Search: A Simple LDAP Change Notification Mechanism | AP |
| ManageDSAIT | 2.16.840.1.113730.3.4.2 | Allows access to management objects as standard objects | S | RFC 3296 | AP/OL |
| PagedResults | 1.2.840.113556.1.4.319 | A request/response control used to implement a simple paging of search results | C/S | RFC 2696 | All |
| PasswordPolicy | 1.3.6.1.4.1.42.2.27.8.5.1 | The password policy control | C/S | PasswordPolicy draft | AP/OL |
| PermissiveModify | 1.2.840.113556.1.4.1413 | Allows an LDAP modify to work under less restrictive conditions | S | LDAP_SERVER_PERMISSIVE_MODIFY_OID | AD |
| PersistentSearch | 2.16.840.1.113730.3.4.3 | Provides a simple mechanism by which an LDAP client can receive notification of changes that occur in an LDAP server | S | Persistent Search | AP/OL |
| ProxiedAuthz | 2.16.840.1.113730.3.4.18 | Defines the Proxy Authorization request | S | RFC 4370 | AP/OL |
| SortRequest | 1.2.840.113556.1.4.473 | Server Side Sort request control | S | RFC 2891 | AP/OL |
| SortResponse | 1.2.840.113556.1.4.474 | Server Side Sort request control | C | RFC 2891 | AP/OL |
| Subentries | 1.3.6.1.4.1.4203.1.10.1 | Controls the visibility of entries and subentries | S | RFC 3672 | AP/OL |
| SyncDoneValue | 1.3.6.1.4.1.4203.1.9.1.3 | Control sent when replication has been completed. It contains a cookie. | C | RFC 4533 | AP/OL |
| SyncRequestValue | 1.3.6.1.4.1.4203.1.9.1.1 | Controls the syncrepl process | S | RFC 4533 | AP/OL |
| SyncStateValue | 1.3.6.1.4.1.4203.1.9.1.2 | Gives the syncrepl state | C | RFC 4533 | AP/OL |
| VirtualListViewRequest | 2.16.840.1.113730.3.4.9 | Sent to the server to request a subset of results | S | Scrolling View Browsing of Search Results | AP |
| VirtualListViewResponse | 2.16.840.1.113730.3.4.10 | Sent back to the client to give the search current status | C | Scrolling View Browsing of Search Results | AP |
It's quite simple. You just have to instanciate the control you want to use, set its value, and add it to the request you will send to the server. Here is an example with the ManageDsaIT control :
:::Java AddRequest addRequest = new AddRequestImpl(); // Create the request ManageDsaIT manageDSAIT = new ManageDsaITImpl(); // Instanciate the control manageDSAIT.setCritical( true ); // Set a value addRequest.addControl( manageDSAIT ); // Add the control to the request ...
and that's it !
Note that you have to create an instance of teh operation you want to send to the server, if yu want to add a control to it.
On the client side, you may want to check if there is a control and read it if so. This is a bit more complex, because you need to know which kind of control you are expecting. We will see with a more complex control, the Paged Search control (which allows the user to get a specific number of enries at each call). Here, we will fetch 4 entries in one go, until all the entries have been read, and as we have 10 entries to read, we will send 3 SearchRequest, teh first two will return 4 entries and the last one only 2.
:::Java
try ( LdapConnection connection = new LdapNetworkConnection( "MyServer", 389 ) )
{
connection.bind( "cn=user,ou=system", "secret" );
// Create the control, and tell it we want 4 entries for every call
PagedResults pagedControl = new PagedResultsImpl();
pagedControl.setSize( 4 );
// Read all the elements
List<Entry> results = new ArrayList<>();
// Create the SearchRequest
SearchRequest searchRequest = new SearchRequestImpl();
searchRequest.setBase( new Dn( "dc=users,ou=system" ) );
searchRequest.setFilter( "(cn=*)" );
searchRequest.setScope( SearchScope.SUBTREE );
while ( true )
{
// Add the PagedSearch control to the SearchRequest
searchRequest.addControl( pagedControl );
// Do the search now
try ( SearchCursor cursor = connection.search( searchRequest ) )
{
// Loop on all the entries we got back (Should be 4, or less)
while ( cursor.next() )
{
Entry result = cursor.getEntry();
results.add( result );
}
// Check if we have reached the size limit
if ( cursor.getSearchResultDone().getLdapResult().getResultCode() == ResultCodeEnum.SIZE_LIMIT_EXCEEDED )
{
break;
}
// Now check the returned controls
Map<String, Control> controls = cursor.getSearchResultDone().getControls();
// We should get a PagedResult response
PagedResults responseControl = ( PagedResults ) controls.get( PagedResults.OID );
if ( responseControl != null )
{
// check if this is over, ie the cookie is empty
byte[] cookie = responseControl.getCookie();
if ( Strings.isEmpty( cookie ) )
{
// Ok, we are done
break;
}
// Prepare the next iteration, sending a bad cookie
pagedControl.setCookie( cookie );
}
else
{
break;
}
}
}
// At this point, we should have read 10 entries
}
This sounds like a bit complex, but actually, this control is complex. What we are interested in is the way we get the control returned by the server. In this case, the control we are interested in is attached to the SearchResultDone response, which is the last result we have when reading the cursor. As we may have more than one control, the response conains a Map of controls, ot of which we should be able to retreive the PagedSearch control from its OID. This is what does this piece of code :
:::Java
...
// We should get a PagedResult response
PagedResults responseControl = ( PagedResults ) controls.get( PagedResults.OID );
...
If it's not null, we can proceed with the control.
Side note : in this piece of code, we don't close the connection nor the cursor, because they are Closeable : They will be close when we exit the try scope. This is a feature added in Java 7, called try with resources
A control used to initiate a synchronization with an Active Directory server, and get back the results. Check Microsoft LDAP Control for Directory Synchronization for a better understanding on how to use this control.
Sent to the server :
realReplControlValue ::= SEQUENCE {
flags integer
maxBytes integer
cookie OCTET STRING
}
This control is only valid when send with a SearchRequest.
Received from the server :
realReplControlValue ::= SEQUENCE {
flag integer
maxReturnLength integer
cookie OCTET STRING
}
The cookie read from this control has to be injected in the control sent to the server for the next search.
This is oe of the simplest control : it has no value, and he criticality flag may be absent.
It‘s used to get access to special objects, like referrals or subentries as normal objects. Let’s see what that means for referrals.
A Referral is a special object which once returned to the client, will automatically will redirect the client to another part of teh DIT (or to another LDAP server). So to speak, the end user does not see the referral, but the reffered entry. The question is : how do we set a referral, or how do we modify it ? We use the ManageDsaIT control.
Let say we have such an entry, which is actually a referal :
dn: uid=entryRef,ou=users,dc=acme,dc=com objectClass: extensibleObject objectClass: referral objectClass: top uid: entryref" ref: ldap://localhost:10389/uid=entry,ou=users,dc=acme,dc=com ref: ldap://trust:10389/uid=entry,ou=users,dc=trust,dc=com
A client searchingg for uid=entryRef,ou=users,dc=acme,dc=com will be redirected to uid=entry,ou=users,dc=acme,dc=com on the local server or on uid=entry,ou=users,dc=trust,dc=com on the trust server (it's up to the client to decide which entry to fetch).
If we want to modify this referral, we need to add the ManageDsaIT control :
:::Java
try ( LdapConnection connection = new LdapNetworkConnection( "MyServer", 389 ) )
{
connection.bind( "cn=user,ou=system", "secret" );
// modify the referral
ModifyRequest modifyRequest = new ModifyRequestImpl();
modifyRequest.setName( new Dn( "uid=entryRef,ou=users,dc=acme,dc=com" ) );
modifyRequest.add( "ref", "ldap://subsidiary:10389/uid=entry,ou=users,dc=subsidiary,dc=com" );
// Add the control
modifyRequest.addControl( new ManageDsaITImpl() );
// And apply the modification
connection.modify( modifyRequest );
}
Now, if we fetch the entry (still using the control), it will looks like :
dn: uid=entryRef,ou=users,dc=acme,dc=com objectClass: extensibleObject objectClass: referral objectClass: top uid: entryref" ref: ldap://localhost:10389/uid=entry,ou=users,dc=acme,dc=com ref: ldap://trust:10389/uid=entry,ou=users,dc=trust,dc=com ref: ldap://subsidiary:10389/uid=entry,ou=users,dc=subsidiary,dc=com
As you can see, a third ref value has been added.