2.2.1.1.1 ipsecPolicy{GUID} Object Attribute Descriptions

The following table specifies the attributes of the ipsecPolicy class object (as specified in [MS-ADSC], [MS-ADA1], and [MS-ADA3]).

The types used in the following (and subsequent) tables are defined as follows: "LDAPString" as defined in [RFC2251] section 4.1.2; "UTC Coded String" defined as an LDAPString containing the generalized time syntax of the form YYYYMMDDHHMMSS[.|,fraction][(+|-HHMM)|Z], where Z means UTC; "Distinguished Name" as defined in [RFC2251] section 4.1.3; and "Octet String" as defined in [RFC2251] section 4.1.2.

| Name | Type | Description |
|---|---|---|
| objectClass | LDAPString | The Directory String that contains the object class. A typical value is "ipsecPolicy". This attribute is only used during policy creation. |
| ipsecName | LDAPString | The user-constructed Directory String that contains the name for this policy. A typical value is "Secure Server Policy". |
| description | LDAPString | The user-constructed Directory String that is intended to contain a description of the policy. A typical value is "Policy to secure corporate network traffic". |
| whenChanged | UTC Coded String | The Unicode generalized time syntax of the time and date the policy was last changed. This value is set by the Active Directory server. |
| ipsecID | LDAPString | A Directory String containing the curly-braced GUID string value of this ipsecPolicy object. A typical value is "{6A1E5C3F-72B7-11D2-ACF0-0260B025CAFE}". |
| distinguishedName | Distinguished Name | The Directory String description of the directory location of this policy. This MUST be in the distinguished name (DN) format of [RFC2251]. This MUST be set by the protocol. A typical value is "CN=ipsecPolicy{6A1E5C3F-72B7-11D2-ACF0-0260B025CAFE},CN=IP Security,CN=System,DC=myDomain,DC=contoso,DC=com". |
| ipsecISAKMPReference | Distinguished Name | The Directory String reference to the ipsecISAKMPPolicy object that is associated with this policy. This MUST be in the DN format of [RFC2251]. A typical value is "CN=ipsecISAKMPPolicy{6A1E5C3F-72B7-11D2-ACF0-0260B025CAFE},CN=IP Security,CN=System,DC=myDomain,DC=contoso,DC=com". This attribute is not used during ipsecPolicy creation; it is only used during modification. |
| ipsecNFAReference | List of Distinguished Names | A list of Directory String references to the ipsecNFA objects that are associated with this ipsecPolicy object. The list MUST be composed of DNs in the format specified in [RFC2251]. The separator between two DNs is 2 bytes of 0, for example DN1-2bytesof0-DN2, where DN1 and DN2 are distinguished names. There can be multiple NFA references present; each NFA reference is a NULL-terminated DN. A typical value is "CN=ipsecNFA{6A1E5C3F-72B7-11D2-ACF0-0260B025CAFE},CN=IP Security,CN=System,DC=myDomain,DC=contoso,DC=com". This attribute is not used during policy creation; it is only used during policy modification. |
| ipsecDataType | LDAPString | The identifier that describes the format of the following ipsecData attribute. This MUST be the base-10 Directory String representation of the unsigned integer value 0x100 (256). |
| ipsecData | Octet String | The octet string representation of the binary data that specifies additional policy data, stored as described in the following ipsecData-specific table. |

The following table specifies the contents of the ipsecData attribute.

Note that all fields specified in the following tables MUST appear in little-endian byte order.


 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                  IPsec_Policy_ID (16 bytes)                   |
+                                                               +
|                              ...                              |
+                                                               +
|                              ...                              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                          Data-Length                          |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                       Polling-Interval                        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|    Unused     |
+-+-+-+-+-+-+-+-+

IPsec_Policy_ID (16 bytes): The identifier that specifies this as describing the policy. This MUST be the GUID whose string representation is "{22202163-4f4c-11d1-863b-00a0248d3021}".

Data-Length (4 bytes): The length, in bytes, of the following data. This MUST be the unsigned integer value 0x00000004.

Polling-Interval (4 bytes): The number of seconds that the client waits before polling the IPsec Active Directory store to see if there have been any policy changes. This MUST be an unsigned integer value. When this value is set to 0, the polling interval is 10,800 seconds.

Unused (1 byte): This value MUST always be written as 0x0 and MUST be ignored when read.
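As an added example (not code from the MS-GPIPSEC text or from Microsoft), the following Python parses and builds the ipsecData blob laid out above, enforcing the fixed IPsec_Policy_ID GUID, the Data-Length of 4, the little-endian byte order and the 10,800-second default for a Polling-Interval of 0, and also splits the ipsecNFAReference list described in the attribute table into individual DNs. It assumes the DN list is UTF-16LE text (the "2 bytes of 0" separator matches a UTF-16 NUL; the page does not name the encoding), and the second ipsecNFA GUID and the 3600-second polling interval in the sample data are constructed values. A reader auditing policy objects pulled from the "CN=IP Security,CN=System" container can feed the raw attribute bytes to these functions to confirm they are well-formed before trusting the decoded polling interval.

```python
from __future__ import annotations

import struct
import uuid
from dataclasses import dataclass

# Constants taken from the specification text above.
IPSEC_POLICY_ID = uuid.UUID("{22202163-4f4c-11d1-863b-00a0248d3021}")
IPSEC_DATA_TYPE = "256"            # base-10 Directory String of 0x100
DEFAULT_POLLING_INTERVAL = 10800   # seconds, used when the stored value is 0
IPSEC_DATA_LEN = 16 + 4 + 4 + 1    # IPsec_Policy_ID + Data-Length + Polling-Interval + Unused


@dataclass(frozen=True)
class IpsecPolicyData:
    polling_interval: int          # value exactly as stored (0 means "use the default")

    @property
    def effective_polling_interval(self) -> int:
        return self.polling_interval or DEFAULT_POLLING_INTERVAL


def parse_ipsec_data(raw: bytes, data_type: str = IPSEC_DATA_TYPE) -> IpsecPolicyData:
    """Validate and decode an ipsecData octet string of an ipsecPolicy object."""
    if data_type != IPSEC_DATA_TYPE:
        raise ValueError(f"unexpected ipsecDataType {data_type!r}, expected {IPSEC_DATA_TYPE!r}")
    if len(raw) < IPSEC_DATA_LEN:
        raise ValueError(f"ipsecData too short: {len(raw)} bytes, need {IPSEC_DATA_LEN}")
    # The GUID is stored in its little-endian (bytes_le) wire form.
    policy_id = uuid.UUID(bytes_le=raw[:16])
    if policy_id != IPSEC_POLICY_ID:
        raise ValueError(f"IPsec_Policy_ID mismatch: {{{policy_id}}}")
    data_length, polling_interval = struct.unpack_from("<II", raw, 16)
    if data_length != 4:
        raise ValueError(f"Data-Length MUST be 4, got {data_length}")
    # raw[24] is the Unused byte; the spec says it MUST be ignored when read.
    return IpsecPolicyData(polling_interval)


def build_ipsec_data(polling_interval: int) -> bytes:
    """Serialize an ipsecData blob; the Unused byte is written as 0 as required."""
    if not 0 <= polling_interval <= 0xFFFFFFFF:
        raise ValueError("Polling-Interval must be an unsigned 32-bit integer")
    return IPSEC_POLICY_ID.bytes_le + struct.pack("<IIB", 4, polling_interval, 0)


def parse_nfa_references(raw: bytes) -> list[str]:
    """Split an ipsecNFAReference value into DNs.

    Assumption (not stated on the page): the list is UTF-16LE text, so the
    "2 bytes of 0" separator is a single NUL character. Decoding first and then
    splitting avoids matching a 00 00 byte pair that straddles two characters.
    """
    text = raw.decode("utf-16-le")
    return [dn for dn in text.split("\x00") if dn]


# Constructed sample ipsecData: fixed GUID (little-endian), Data-Length 4,
# Polling-Interval 3600 (0x00000E10), Unused 0.
SAMPLE_IPSEC_DATA = bytes.fromhex(
    "632120224c4fd111863b00a0248d3021"  # IPsec_Policy_ID, bytes_le form
    "04000000"                          # Data-Length = 4
    "100e0000"                          # Polling-Interval = 3600 seconds
    "00"                                # Unused
)

# Constructed sample ipsecNFAReference: the GUID from the page plus a second,
# made-up GUID, each DN NUL-terminated, UTF-16LE encoded.
SAMPLE_NFA_REFERENCES = (
    "CN=ipsecNFA{6A1E5C3F-72B7-11D2-ACF0-0260B025CAFE},CN=IP Security,CN=System,DC=contoso,DC=com\x00"
    "CN=ipsecNFA{11111111-2222-3333-4444-555555555555},CN=IP Security,CN=System,DC=contoso,DC=com\x00"
).encode("utf-16-le")


if __name__ == "__main__":
    data = parse_ipsec_data(SAMPLE_IPSEC_DATA)
    print("stored polling interval:", data.polling_interval)
    print("effective polling interval:", data.effective_polling_interval)
    print("default when 0:", parse_ipsec_data(build_ipsec_data(0)).effective_polling_interval)
    for dn in parse_nfa_references(SAMPLE_NFA_REFERENCES):
        print("NFA reference:", dn)
```

The parser rejects rather than repairs: a wrong ipsecDataType, a GUID other than the fixed IPsec_Policy_ID, or a Data-Length other than 4 are all treated as malformed input, which is the safer choice for an object that every domain client reads from the directory and acts on.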