3.1.5.1 Reading a Wireless or Wired Policy Object from Active Directory

The following protocol sequences MUST be generated:

  1. An LDAP BindRequest from the administrative-side plug-in to the Group Policy server is generated. Authentication options MUST be specified in the LDAP BindRequest. In addition, message security can be requested of the underlying LDAP transport, as specified in section 2.1. The parameters MUST include the following.

    Parameter                  Value
    DN                         A zero-length string
    Authentication Algorithm   Kerberos with credentials in Unicode (computer policy mode) or SPNEGO (user policy mode)
    Version                    3

  2. The plug-in MUST wait for a time-out period of at least 2 minutes (120 seconds) to receive an LDAP BindResponse. If the plug-in fails to receive the LDAP BindResponse within this time-out period, it MUST terminate the reading of the wireless or wired policy.<37>

    After the successful BindResponse, the plug-in MUST send an LDAP SearchRequest to the Group Policy server with the parameters in the following table.

    Parameter: baseObject

    Value: The LDAP DN of the wireless or wired Group Policy container inside the computer section of the GPO. baseObject MUST always have the following form, where Scoped GPO DN is as specified in [MS-GPOL]:

      For BLOB-based wireless policy:  CN=Wireless, CN=Windows, CN=Microsoft, Scoped GPO DN
      For XML-based wireless policy:   CN=IEEE80211, CN=Windows, CN=Microsoft, Scoped GPO DN
      For wired Group Policy:          CN=IEEE8023, CN=Windows, CN=Microsoft, Scoped GPO DN

    Parameter: Scope

    Value: This MUST be set to 1 (singleLevel): the search covers all entries in the first level below the base entry and excludes the base entry itself.

    Parameter: derefAliases

    Value: This MUST be set to 0 (neverDerefAliases): aliases are not dereferenced during the search.

    Parameter: sizeLimit

    Value: This MUST be set to 0 (which specifies no limit).

    Parameter: timeLimit

    Value: This MUST be set to 0 (which specifies no limit).

    Parameter: typesOnly

    Value: This MUST be set to FALSE according to the LDAP definition of FALSE, so that attribute values are returned along with the attribute types.

    Parameter: Filter

    Value: The query MUST be filtered so that only wireless or wired policy objects are returned:

      For BLOB-based wireless policy:  the LDAP filter (objectClass=msieee80211-Policy) MUST be used.
      For XML-based wireless policy:   the LDAP filter (objectClass=ms-net-ieee-80211-GroupPolicy) MUST be used.
      For wired Group Policy:          the LDAP filter (objectClass=ms-net-ieee-8023-GroupPolicy) MUST be used.

    Parameter: Attributes

    Value: The following attribute names are passed as inputs to the LDAP search request:

      For BLOB-based wireless policy:

        msieee80211-ID: An identifier that uniquely identifies a BLOB-based wireless Group Policy.
        msieee80211-Data: A data BLOB in a well-defined format that describes the different settings in the policy. For more information about interpreting this data, see section 2.2.1.1.
        cn: Name of the policy.
        description: A user-defined description for the policy.
        whenChanged: Time stamp of the last time the policy was edited.

      For XML-based wireless policy:

        ms-net-ieee-80211-GP-PolicyGUID: A unique identifier for the policy object.
        ms-net-ieee-80211-GP-PolicyData: An XML string conforming to a well-defined schema. For more information, see section 2.2.
        cn: Name of the policy.
        description: A description for the policy.
        whenChanged: Time stamp of the last time the policy was edited.

      For wired Group Policy:

        ms-net-ieee-8023-GP-PolicyGUID: A unique identifier for the policy object.
        ms-net-ieee-8023-GP-PolicyData: An XML string conforming to a well-defined schema. For more information, see section 2.2.
        cn: Name of the policy.
        description: A description for the policy.
        whenChanged: Time stamp of the last time the policy was edited.

  3. A successful reply to the LDAP SearchRequest MUST consist of one or more LDAP search response messages, which MUST contain one or more searchResultEntry messages. Each searchResultEntry MUST also contain an attributes field with the values for the attributes requested in the LDAP SearchRequest. The format of the attributes is specified in section 2.2.

  4. An LDAP UnbindRequest is made by the plug-ins to close the connection, unless the plug-in will reuse the ADConnection Handle (section 3.1.1.1) for future requests.

    For details about creating, modifying, and deleting wired and wireless GPOs, see section 3.
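    The four-step sequence above, carried out end to end with System.DirectoryServices.Protocols, as an added example that is not part of MS-GPWL or any Microsoft implementation. It assumes that the scoped GPO DN for the computer section is "CN=Machine," prefixed to the GPO DN as described in [MS-GPOL], that the Group Policy server accepts Kerberos or Negotiate (SPNEGO) binds under the caller's current security context, and that the server name and GPO GUID in the usage note are placeholders. The per-kind container RDN, objectClass filter and attribute list are taken from the table above; the function name Read-NetworkPolicyObject and the $PolicyKinds table are the example's own.

```powershell
# Added example (not from MS-GPWL): read a wireless or wired policy object from
# the computer section of a GPO, following steps 1-4 of section 3.1.5.1.
# Assumptions: scoped GPO DN = "CN=Machine,<GPO DN>" per [MS-GPOL]; the bind uses
# the caller's current Windows security context; server and GPO GUID are placeholders.
Add-Type -AssemblyName System.DirectoryServices.Protocols

# Container RDN, objectClass filter and requested attributes for each policy kind
# (values from the SearchRequest table above). The kind names are the example's own.
$PolicyKinds = @{
    BlobWireless = @{
        Rdn        = 'CN=Wireless'
        Filter     = '(objectClass=msieee80211-Policy)'
        Attributes = [string[]]@('msieee80211-ID', 'msieee80211-Data', 'cn', 'description', 'whenChanged')
    }
    XmlWireless = @{
        Rdn        = 'CN=IEEE80211'
        Filter     = '(objectClass=ms-net-ieee-80211-GroupPolicy)'
        Attributes = [string[]]@('ms-net-ieee-80211-GP-PolicyGUID', 'ms-net-ieee-80211-GP-PolicyData', 'cn', 'description', 'whenChanged')
    }
    Wired = @{
        Rdn        = 'CN=IEEE8023'
        Filter     = '(objectClass=ms-net-ieee-8023-GroupPolicy)'
        Attributes = [string[]]@('ms-net-ieee-8023-GP-PolicyGUID', 'ms-net-ieee-8023-GP-PolicyData', 'cn', 'description', 'whenChanged')
    }
}

function Read-NetworkPolicyObject {
    param(
        [Parameter(Mandatory)] [string] $Server,   # Group Policy server (a domain controller)
        [Parameter(Mandatory)] [string] $GpoDN,    # e.g. CN={guid},CN=Policies,CN=System,DC=...
        [Parameter(Mandatory)] [ValidateSet('BlobWireless', 'XmlWireless', 'Wired')] [string] $Kind,
        [switch] $UserPolicyMode                   # user policy mode binds with SPNEGO instead of Kerberos
    )
    $kind        = $PolicyKinds[$Kind]
    $scopedGpoDN = "CN=Machine,$GpoDN"                                 # computer section (assumption, per [MS-GPOL])
    $baseObject  = "$($kind.Rdn),CN=Windows,CN=Microsoft,$scopedGpoDN"

    # Step 1: BindRequest. DN is empty (current security context), LDAP version 3,
    # Kerberos in computer policy mode or SPNEGO (Negotiate) in user policy mode,
    # with signing and sealing requested from the LDAP transport (section 2.1).
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, 389)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.AuthType = if ($UserPolicyMode) { [System.DirectoryServices.Protocols.AuthType]::Negotiate }
                     else                 { [System.DirectoryServices.Protocols.AuthType]::Kerberos }
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.SessionOptions.Signing = $true
    $conn.SessionOptions.Sealing = $true
    # Step 2: wait at least 120 s for the BindResponse; on time-out the read is terminated.
    $conn.Timeout = [TimeSpan]::FromSeconds(120)

    try {
        try { $conn.Bind() }
        catch { throw "Bind to $Server failed or timed out; terminating policy read: $($_.Exception.Message)" }

        # Step 2 (continued): SearchRequest with the parameters from the table above.
        $req = New-Object System.DirectoryServices.Protocols.SearchRequest(
            $baseObject, $kind.Filter,
            [System.DirectoryServices.Protocols.SearchScope]::OneLevel,    # scope = 1, base entry excluded
            $kind.Attributes)
        $req.Aliases   = [System.DirectoryServices.Protocols.DereferenceAlias]::Never   # derefAliases = 0
        $req.SizeLimit = 0                                                              # no limit
        $req.TimeLimit = [TimeSpan]::Zero                                               # no limit
        $req.TypesOnly = $false                                                         # return values, not just types

        # Step 3: one or more searchResultEntry messages carrying the requested attributes.
        $resp = [System.DirectoryServices.Protocols.SearchResponse] $conn.SendRequest($req)
        foreach ($entry in $resp.Entries) {
            $result = [ordered]@{ DN = $entry.DistinguishedName }
            foreach ($name in $kind.Attributes) {
                $attr = $entry.Attributes[$name]
                if ($null -eq $attr) { continue }           # attribute absent on this entry
                # The BLOB form (section 2.2.1.1) is kept as raw bytes; everything else as a string.
                $result[$name] = if ($name -eq 'msieee80211-Data') { $attr.GetValues([byte[]])[0] }
                                 else                              { $attr.GetValues([string])[0] }
            }
            [pscustomobject] $result
        }
    }
    finally {
        # Step 4: UnbindRequest. A plug-in that keeps the ADConnection handle for later
        # requests would skip this; the example always closes the connection.
        $conn.Dispose()
    }
}

# Usage (placeholder server; the GUID is the well-known Default Domain Policy GPO):
# Read-NetworkPolicyObject -Server 'dc01.corp.example' `
#     -GpoDN 'CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=corp,DC=example' `
#     -Kind XmlWireless |
#     ForEach-Object { [xml] $_.'ms-net-ieee-80211-GP-PolicyData' }
```

    The bind is wrapped separately from the search so that a missing BindResponse terminates the read before any SearchRequest is sent, matching step 2; the search parameters are set explicitly rather than left at the .NET defaults so that each MUST in the table is visible in the code.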