2.2.3.1 Policy Location, Name, and Description Retrieval

When retrieving the assigned policy location, name, and description, an LDAP SearchRequest message MUST be sent to the domain controller with the parameters that follow:

| Parameter | Value |
| --- | --- |
| baseObject | The IPsec policy DN that corresponds to the GPO in which to search for IPsec protocol settings: cn=ipsec,cn=Windows,cn=Microsoft,cn=Machine,cn={GPO GUID},cn=policies,cn=system,<domain naming context> |
| Scope | This value MUST be 0, for the baseObject scope (as defined in [RFC2251]). |
| derefAliases | This MUST be set to 0 (neverDerefAliases); aliases are not dereferenced during the search. |
| sizeLimit | No limit is set (this MUST be set to 0). |
| timeLimit | The time limit MUST be infinite (it MUST be set to 0). |
| typesOnly | This MUST be set to FALSE as defined in [RFC2251]. |
| Filter | The following LDAP filter (as specified in [RFC2254]) MUST be used: (objectclass=*) |
| Attributes | None |

If the preceding LDAP SearchRequest succeeds, then the following LDAP SearchRequest message MUST be sent to the domain controller with the parameters that follow:

| Parameter | Value |
| --- | --- |
| baseObject | The IPsec policy DN that corresponds to the GPO in which to search for IPsec protocol settings: cn=ipsec,cn=Windows,cn=Microsoft,cn=Machine,cn={GPO GUID},cn=policies,cn=system,<domain naming context> |
| Scope | This value MUST be 0, for the baseObject scope (as defined in [RFC2251]). |
| derefAliases | This MUST be set to 0 (neverDerefAliases); aliases are not dereferenced during the search. |
| sizeLimit | No limit is set (this MUST be set to 0). |
| timeLimit | The time limit MUST be infinite (it MUST be set to 0). |
| typesOnly | This MUST be set to FALSE as defined in [RFC2251]. |
| Filter | The following LDAP filter (as specified in [RFC2254]) MUST be used: (objectclass=*) |
| Attributes | This field MUST specify the attributes ipsecOwnersReference, description, and ipsecName, as specified in section 2.2.2. |
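The following Python is an added illustration, not part of the specification or any Microsoft implementation: it BER-encodes the two SearchRequests of this section exactly as the tables prescribe (RFC 4511 wire format), so the field values can be checked byte by byte. The GPO GUID, naming context and messageID values are constructed sample values.

```python
"""Added example: BER-encode the two MS-GPIPSEC policy-retrieval SearchRequests (RFC 4511)."""

def ber_len(n: int) -> bytes:
    # Definite length: short form below 128, long form (0x8N + N length bytes) otherwise.
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(value)) + value

def ber_int(v: int, tag: int = 0x02) -> bytes:
    # Non-negative INTEGER (0x02) or ENUMERATED (0x0A); the extra byte keeps the sign bit clear.
    return tlv(tag, v.to_bytes((v.bit_length() + 8) // 8, "big"))

def ipsec_policy_dn(gpo_guid: str, domain_nc: str) -> str:
    # baseObject from the tables above; the braces around the GUID are literal.
    return (f"cn=ipsec,cn=Windows,cn=Microsoft,cn=Machine,cn={{{gpo_guid}}},"
            f"cn=policies,cn=system,{domain_nc}")

def search_request(message_id: int, base_dn: str, attributes: list[str]) -> bytes:
    attrs = b"".join(tlv(0x04, a.encode()) for a in attributes)
    op = (
        tlv(0x04, base_dn.encode())   # baseObject   LDAPDN
        + ber_int(0, 0x0A)            # scope        ENUMERATED baseObject (0)
        + ber_int(0, 0x0A)            # derefAliases ENUMERATED neverDerefAliases (0)
        + ber_int(0)                  # sizeLimit    0 = no limit
        + ber_int(0)                  # timeLimit    0 = no limit
        + tlv(0x01, b"\x00")          # typesOnly    FALSE
        + tlv(0x87, b"objectclass")   # filter       present [7] -> (objectclass=*)
        + tlv(0x30, attrs)            # attributes   SEQUENCE OF LDAPString (empty when none named)
    )
    # LDAPMessage ::= SEQUENCE { messageID, protocolOp }; SearchRequest is [APPLICATION 3] = 0x63
    return tlv(0x30, ber_int(message_id) + tlv(0x63, op))

def policy_retrieval_requests(gpo_guid: str, domain_nc: str) -> tuple[bytes, bytes]:
    """First request: existence probe naming no attributes. Second request (sent only if
    the first succeeded): fetch ipsecOwnersReference, description and ipsecName."""
    dn = ipsec_policy_dn(gpo_guid, domain_nc)
    probe = search_request(1, dn, [])
    fetch = search_request(2, dn, ["ipsecOwnersReference", "description", "ipsecName"])
    return probe, fetch

if __name__ == "__main__":
    # Constructed sample GUID and naming context, not values from the specification.
    for req in policy_retrieval_requests("11111111-2222-3333-4444-555555555555", "dc=example,dc=com"):
        print(req.hex(" "))
```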