3.1.1.3.4.1.11 LDAP_SERVER_SD_FLAGS_OID

The LDAP_SERVER_SD_FLAGS_OID control is used with an LDAP Search request to control the portion of a Windows security descriptor to retrieve. The DC returns only the specified portion of the security descriptors. It is also used with LDAP Add and Modify requests to control the portion of a Windows security descriptor to modify. The DC modifies only the specified portion of the security descriptor.

When sending this control to the DC, the controlValue field is set to the BER encoding of the following ASN.1 structure.

 SDFlagsRequestValue ::= SEQUENCE {
     Flags    INTEGER
 }

The Flags value has the following format presented in big-endian byte order. X denotes unused bits that SHOULD be set to 0 by the client and that MUST be ignored by the server.


0


1


2


3


4


5


6


7


8


9

1
0


1


2


3


4


5


6


7


8


9

2
0


1


2


3


4


5


6


7


8


9

3
0


1

X

X

X

X

X

X

X

X

X

X

X

X

X

X

X

X

X

X

X

X

X

X

X

X

X

X

X

X

S
S
I

D
S
I

G
S
I

O
S
I

The Flags value is a combination of zero or more bit flags from the following table.

Bit flag name and value

Portion of security descriptor to retrieve/update

OWNER_SECURITY_INFORMATION (OSI)

0x1

Owner identifier of the object.

GROUP_SECURITY_INFORMATION (GSI)

0x2

Primary group identifier.

DACL_SECURITY_INFORMATION (DSI)

0x4

Discretionary access control list (DACL) of the object.

SACL_SECURITY_INFORMATION (SSI)

0x8

System access control list (SACL) of the object.

Specifying Flags with no bits set, or not using the LDAP_SERVER_SD_FLAGS_OID control, is equivalent to setting Flags to (OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION | SACL_SECURITY_INFORMATION). Sending this control to the DC does not cause the server to include any controls in its response.