3.1.5.5 Writing the Assigned Policy Data

The administrative plug-in MUST connect to the domain controller as specified in sections 3.2.5.1 and 3.2.5.2. To write the new IPsec policy, the administrative plug-in MUST perform the LDAP operation specified in [MS-ADTS] section 7.6.1.6, "Performing an LDAP Operation on an ADConnection". The TaskInputADConnection value MUST be the ADCONNECTION_HANDLE object ([MS-DTYP] section 2.2.2, "ADCONNECTION_HANDLE") stored in ADConnectionHandle. The TaskInputRequestMessage MUST contain an LDAP AddRequest message ([RFC2251] section 4.7) with the following parameters:

Parameter: Entry

Value: The value for this parameter MUST be CN=ObjectPath, CN=IP Security, CN=System, DN for the root of the domain; where ObjectPath is ipsecfilter{Guid} (section 2.2.1.5), ipsecISAKMPPolicy{Guid} (section 2.2.1.2), ipsecNegotiationPolicy{Guid} (section 2.2.1.4), IPsecNFA{Guid} (section 2.2.1.3), or IpsecPolicy{Guid} (section 2.2.1.1).

Parameter: Attributes

Value: This field MUST specify the following attributes (sections 2.2.1.1, 2.2.1.2, 2.2.1.3, 2.2.1.4, and 2.2.1.5):

For all objects ipsecfilter{Guid}, ipsecISAKMPPolicy{Guid}, ipsecNegotiationPolicy{Guid}, IPsecNFA{Guid}, IpsecPolicy{Guid}:

  • objectClass

  • ipsecName

  • ipsecID

  • distinguishedName

  • description

  • ipsecData

  • ipsecDataType

For ipsecISAKMPPolicy{Guid}:

  • ipsecOwnersReference

For ipsecfilter{Guid}:

  • ipsecOwnersReference

For ipsecNegotiationPolicy{Guid}:

  • ipsecOwnersReference

  • ipsecNegotiationPolicyAction

  • ipsecNegotiationPolicyType

For IPsecNFA{Guid}:

  • ipsecOwnersReference

The administrative plug-in waits for a response. If the TaskReturnStatus is not 0 (success), the administrative plug-in MUST log an error and then unbind as specified in section 3.1.5.2.

Note: When writing the new IPsec policy is complete, terminate the BindRequest as specified in section 3.1.5.2.
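The following Python module is an added illustration of the AddRequest parameters described in this section; it is not part of [MS-GPIPSEC] or of any Windows component. It builds the entry DN from the object type, GUID and domain root DN, refuses to assemble a request that lacks any of the attributes listed above (or whose distinguishedName disagrees with the entry DN), renders the result as LDIF for review, and models the TaskReturnStatus handling, where a non-zero status is logged and the connection is unbound either way. The function names, the domain DN, the GUID and the attribute values are all assumptions constructed for the example; the actual LDAP operation on the ADConnection ([MS-ADTS] section 7.6.1.6) is not performed here.

```python
"""Assemble and validate the LDAP AddRequest content for one IPsec policy object.

Added example, not part of [MS-GPIPSEC]. Domain DN, GUIDs and attribute
values below are constructed sample data; function names are hypothetical.
"""
import base64
import logging
import uuid

log = logging.getLogger("ipsec-admin-plugin")

# Attributes that every object written by this operation MUST carry.
COMMON_ATTRIBUTES = frozenset({
    "objectClass", "ipsecName", "ipsecID", "distinguishedName",
    "description", "ipsecData", "ipsecDataType",
})

# Object-type-specific additions, keyed by the ObjectPath prefix used in the RDN.
# Keys are casefolded because DN matching in Active Directory is case-insensitive.
EXTRA_ATTRIBUTES = {
    "ipsecpolicy": frozenset(),
    "ipsecisakmppolicy": frozenset({"ipsecOwnersReference"}),
    "ipsecfilter": frozenset({"ipsecOwnersReference"}),
    "ipsecnegotiationpolicy": frozenset({
        "ipsecOwnersReference", "ipsecNegotiationPolicyAction",
        "ipsecNegotiationPolicyType"}),
    "ipsecnfa": frozenset({"ipsecOwnersReference"}),
}

CONTAINER_RDNS = "CN=IP Security,CN=System"


def required_attributes(object_type: str) -> frozenset:
    """Return the full attribute set the AddRequest MUST supply for object_type."""
    try:
        return COMMON_ATTRIBUTES | EXTRA_ATTRIBUTES[object_type.casefold()]
    except KeyError:
        raise ValueError(f"unknown IPsec object type: {object_type!r}") from None


def object_dn(object_type: str, guid: str, domain_dn: str) -> str:
    """Build CN=<ObjectPath>{Guid},CN=IP Security,CN=System,<domain root DN>."""
    required_attributes(object_type)       # rejects unknown object types
    guid_text = str(uuid.UUID(guid))       # raises ValueError on a malformed GUID
    return f"CN={object_type}{{{guid_text}}},{CONTAINER_RDNS},{domain_dn}"


def build_add_request(object_type: str, guid: str, domain_dn: str,
                      attributes: dict) -> dict:
    """Assemble the AddRequest parameters (entry DN plus attribute list).

    Fails closed: a request missing any MUST attribute, or whose
    distinguishedName disagrees with the entry DN, is rejected before
    anything would be sent to the domain controller.
    """
    entry = object_dn(object_type, guid, domain_dn)
    missing = sorted(required_attributes(object_type) - set(attributes))
    if missing:
        raise ValueError(f"{object_type} AddRequest is missing attributes: {missing}")
    if attributes["distinguishedName"].casefold() != entry.casefold():
        raise ValueError("distinguishedName attribute must equal the entry DN")
    return {"entry": entry, "attributes": dict(attributes)}


def to_ldif(request: dict) -> str:
    """Render the request as LDIF for logging or review; bytes values use base64 ('::')."""
    lines = [f"dn: {request['entry']}", "changetype: add"]
    for name, value in request["attributes"].items():
        for v in (value if isinstance(value, (list, tuple)) else [value]):
            if isinstance(v, bytes):
                lines.append(f"{name}:: {base64.b64encode(v).decode('ascii')}")
            else:
                lines.append(f"{name}: {v}")
    return "\n".join(lines) + "\n"


def finish_write(task_return_status: int, unbind) -> bool:
    """Handle the TaskReturnStatus of the AddRequest.

    0 is success; anything else is logged as an error. The connection is
    unbound in both cases (section 3.1.5.2): on failure because the spec
    requires it, on success because the write is complete.
    """
    ok = task_return_status == 0
    if not ok:
        log.error("IPsec policy AddRequest failed, TaskReturnStatus=%#x",
                  task_return_status)
    unbind()
    return ok


if __name__ == "__main__":
    # Constructed sample data: a negotiation policy object in a fictitious domain.
    domain = "DC=corp,DC=example"
    guid = "8f2c1b6e-0c5d-4a1e-9b2f-0123456789ab"
    dn = object_dn("ipsecNegotiationPolicy", guid, domain)
    req = build_add_request("ipsecNegotiationPolicy", guid, domain, {
        "objectClass": "ipsecNegotiationPolicy",
        "ipsecName": "Sample negotiation policy",
        "ipsecID": f"{{{guid}}}",
        "distinguishedName": dn,
        "description": "constructed example",
        "ipsecData": b"\x00\x01\x02\x03",
        "ipsecDataType": "256",
        "ipsecOwnersReference": f"CN=IPsecNFA{{{guid}}},{CONTAINER_RDNS},{domain}",
        "ipsecNegotiationPolicyAction": f"{{{guid}}}",
        "ipsecNegotiationPolicyType": f"{{{guid}}}",
    })
    print(to_ldif(req))
    finish_write(0, lambda: print("unbind"))
```

The validation step is the part worth keeping in a real plug-in: the domain controller will reject a malformed add, but checking the attribute set locally gives a clear error before any bind is made, and rendering the request as LDIF makes what is about to be written to CN=IP Security,CN=System reviewable and loggable.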