3.1.1.3.4.1.5 LDAP_SERVER_EXTENDED_DN_OID

The LDAP_SERVER_EXTENDED_DN_OID control is sent with an LDAP search request to cause the DC to return extended DNs. The extended form of an object's DN prefixes the [RFC2253] DN with a string representation of the object's objectGUID attribute and, for objects that have an objectSid attribute, a string representation of that attribute as well. The DC uses the extended form for every DN in the LDAP search response, including DN-valued attributes of the returned objects. Attributes with Object(OR-Name) syntax are the exception: for those the DC always returns the plain DN form specified in [RFC2253], regardless of this control.

The extended DN format is as follows:

<GUID=guid_value>;<SID=sid_value>;dn

where guid_value is the value of the object's objectGUID attribute, sid_value is the value of the object's objectSid attribute, and dn is the object's [RFC2253] DN. For objects that do not have an objectSid attribute, the format is instead as follows:

<GUID=guid_value>;dn

When sending this control to a Windows 2000 DC, the controlValue field is omitted. When sending this control to a Windows Server 2003 or later DC, the controlValue field is either omitted or set to the BER encoding of the following ASN.1 structure:

 ExtendedDNRequestValue ::= SEQUENCE {
     Flag    INTEGER
 }

If the controlValue field is omitted, the value of Flag is treated as 0.

If the value of Flag is 0, the DC returns the values of the objectGUID and objectSid attributes as the hexadecimal representation of their binary format, in the byte order of the stored value. For the GUID this means the first three fields appear byte-reversed relative to the dashed-string form, because the binary GUID stores those fields little-endian.

If the value of Flag is 1, the DC returns the GUID in dashed-string format ([RFC4122] section 3) and the SID in SDDL SID string format ([MS-DTYP] section 2.4.2.1). The returned SDDL SID string begins with "S-".

If the value of Flag is neither 0 nor 1, the control does not conform to its specification and the server behaves as described in section 3.1.1.3.4.1.

For example, setting Flag to 0 (or omitting the controlValue field) returns an extended DN of the following form:

<GUID=b3d4bfbd3c45ee4298e27b4a698a61b8>;<SID=01050000000000051500000061eb5b8c50ef705befda808bf4010000>;CN=Administrator, CN=Users,DC=Fabrikam,DC=com

Setting Flag to 1 returns the same object's extended DN in the following form:

<GUID=bdbfd4b3-453c-42ee-98e2-7b4a698a61b8>;<SID=S-1-5-21-2354834273-1534127952-2340477679-500>;CN=Administrator, CN=Users,DC=Fabrikam,DC=com

Sending this control to the DC does not cause the server to include any controls in its response.
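The following Python is an added example and is not part of [MS-ADTS] or of any Microsoft implementation. It builds the BER-encoded controlValue for Flag 0 and Flag 1, and converts an extended DN returned under Flag 0 into the Flag 1 form (dashed GUID, SDDL SID), so that results from clients using either flag can be compared. The OID constant is the value this control is defined with in section 3.1.1.3.4.1; the function names, the regular expression and the check that the SID's length matches its SubAuthorityCount are this example's own choices. The sample extended DNs are the two from the text above.

```python
"""LDAP_SERVER_EXTENDED_DN_OID: controlValue encoding and extended-DN conversion.

Added example, not code from MS-ADTS. Uses only the standard library.
"""
import re
import uuid

# OID under which the control is sent (MS-ADTS section 3.1.1.3.4.1).
LDAP_SERVER_EXTENDED_DN_OID = "1.2.840.113556.1.4.529"

# The two example extended DNs from the text (Flag 0 and Flag 1 forms).
EXAMPLE_FLAG0 = ("<GUID=b3d4bfbd3c45ee4298e27b4a698a61b8>;"
                 "<SID=01050000000000051500000061eb5b8c50ef705befda808bf4010000>;"
                 "CN=Administrator, CN=Users,DC=Fabrikam,DC=com")
EXAMPLE_FLAG1 = ("<GUID=bdbfd4b3-453c-42ee-98e2-7b4a698a61b8>;"
                 "<SID=S-1-5-21-2354834273-1534127952-2340477679-500>;"
                 "CN=Administrator, CN=Users,DC=Fabrikam,DC=com")


def extended_dn_control_value(flag: int) -> bytes:
    """BER-encode ExtendedDNRequestValue ::= SEQUENCE { Flag INTEGER }.

    Only 0 and 1 are defined; the DC treats any other value as
    non-conforming, so reject it client-side.
    """
    if flag not in (0, 1):
        raise ValueError("Flag must be 0 or 1")
    integer = bytes([0x02, 0x01, flag])           # INTEGER, length 1, value
    return bytes([0x30, len(integer)]) + integer  # SEQUENCE wrapping it


def sid_bytes_to_sddl(raw: bytes) -> str:
    """Convert a binary SID (MS-DTYP 2.4.2.2 layout) to its "S-..." string.

    Layout: Revision(1) SubAuthorityCount(1) IdentifierAuthority(6, big-endian)
    SubAuthority[count](4 each, little-endian).
    """
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match SubAuthorityCount")
    authority = int.from_bytes(raw[2:8], "big")
    # MS-DTYP 2.4.2.1: authority >= 2**32 is written in hex with a 0x prefix.
    auth_str = str(authority) if authority < 2 ** 32 else "0x%012X" % authority
    subs = [int.from_bytes(raw[8 + 4 * i:12 + 4 * i], "little") for i in range(count)]
    return "S-%d-%s%s" % (revision, auth_str, "".join("-%d" % s for s in subs))


def guid_hex_to_dashed(hex_guid: str) -> str:
    """Flag 0 GUID (raw bytes in stored order) -> dashed string (RFC 4122).

    bytes_le reverses the first three fields, which is exactly the
    difference between the two forms shown in the text.
    """
    return str(uuid.UUID(bytes_le=bytes.fromhex(hex_guid)))


# <GUID=...>; optional <SID=...>; then the DN. The DN is matched greedily,
# so an escaped ';' inside the RFC 2253 DN does not break the split.
_EXT_DN = re.compile(r"^<GUID=([^>]+)>;(?:<SID=([^>]+)>;)?(.*)$", re.S)


def parse_extended_dn(ext_dn: str):
    """Return (guid_str, sid_str_or_None, dn) from either extended-DN form."""
    m = _EXT_DN.match(ext_dn)
    if not m:
        raise ValueError("not an extended DN: %r" % ext_dn)
    return m.group(1), m.group(2), m.group(3)


def normalize_extended_dn(ext_dn: str) -> str:
    """Return the Flag 1 (string) form of an extended DN given either form."""
    guid_s, sid_s, dn = parse_extended_dn(ext_dn)
    if "-" not in guid_s:                        # hex form -> dashed
        guid_s = guid_hex_to_dashed(guid_s)
    if sid_s is not None and not sid_s.startswith("S-"):
        sid_s = sid_bytes_to_sddl(bytes.fromhex(sid_s))
    parts = ["<GUID=%s>" % guid_s]
    if sid_s is not None:
        parts.append("<SID=%s>" % sid_s)
    parts.append(dn)
    return ";".join(parts)


if __name__ == "__main__":
    print("controlValue (Flag=1):", extended_dn_control_value(1).hex())
    print(normalize_extended_dn(EXAMPLE_FLAG0))
```

Normalizing to the Flag 1 form lets a client key an object on its GUID or SID rather than on the DN, which is the reason this control is used in practice: the DN changes when an object is renamed or moved, the objectGUID does not, and the SID is what access-control entries actually refer to. A client that expects the hex form and receives the string form (or the reverse) should convert rather than compare the two forms directly.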