3.2.2.1.2.1 Search Requests

The CA SHOULD perform search requests as shown in the following figure.

Figure 4: Retrieving an ADConnection handle for reading user or computer object.

The following steps describe the flow of the preceding figure.

  1. If the Collection_Of_End_Entity_Object_Query_AD_Connections ADM has no ADConnection handle:

    1. Invoke the "Initialize ADConnection" task ([MS-ADTS] section 7.6.1.1) to construct an ADConnection, with the following parameters:

      • TaskInputTargetName: NULL

      • TaskInputPortNumber: 3268

        Store the generated ADConnection handle in the ActiveDirectory_Connection variable.

    2. Perform a bind request as specified in section 3.2.2.1.2.2. Go to step 3.

  2. Remove from the Collection_Of_End_Entity_Object_Query_AD_Connections ADM element the ADConnection handle that was added last, and use it as the ADConnection handle in the following steps.

  3. Invoke the "Perform an LDAP Operation on an ADConnection" task (see [MS-ADTS] section 7.6.1.6) with the following parameters:

    • TaskInputADConnection: ActiveDirectory_Connection

    • TaskInputRequestMessage: LDAP SearchRequest message (see [RFC2251] section 4.5.1), as follows:

      • baseObject: EndEntityDistinguishedName

      • scope: baseObject

      • filter: (|(objectCategory=user)(objectCategory=computer))

      • attributes: The CA SHOULD use the following attributes:

        • objectClass

        • cn

        • dNSHostName

        • mail

        • objectGUID

        • objectSid

        • userPrincipalName

      • sizeLimit: 10000

      • timeLimit: 120 <109>

      • derefAliases: neverDerefAliases

      • typesOnly: FALSE

    • TaskOutputResultMessage: Upon successful return from the task, this parameter will contain the results of the LDAP search. Set the output parameter EndEntityAttributes equal to TaskOutputResultMessage.

  4. If the TaskReturnStatus returned from the LDAP search operation in step 3 is not 0, then:

    • Invoke the "Perform an LDAP Unbind on an ADConnection" task (see [MS-ADTS] section 7.6.1.5) with the TaskInputADConnection parameter set to the ActiveDirectory_Connection.

    • Repeat step 1.1.

    • Perform steps 1 and 2 in section 3.2.2.1.2.2 with the exception that in step 1, use the following parameters:

      • TaskInputOptionName: LDAP_OPT_GETDSNAME_FLAGS

      • TaskInputOptionValue: Bitwise OR of the bits A, D, J, and R, as defined in [MS-NRPC] section 3.5.4.3.1

    • If the TaskReturnStatus returned is not 0, convert it to a 4-byte HRESULT value (errors are specified in [MS-ERREF] section 2.1) by performing the processing rules in section 3.2.2.1.7 with the following input parameters:

      • InputReturnStatus: TaskReturnStatus

      • InputResultMessage: NULL

        Return the OutputHRESULT output parameter to the client and exit.

    • Repeat step 3. If the TaskReturnStatus returned is not 0, convert it to a 4-byte HRESULT value (errors are specified in [MS-ERREF] section 2.1) by performing the processing rules in section 3.2.2.1.7 with the following input parameters:

      • InputReturnStatus: TaskReturnStatus

      • InputResultMessage: TaskOutputResultMessage

        Return the OutputHRESULT output parameter to the client and exit.

  5. If the number of ADConnection handles in the Collection_Of_End_Entity_Object_Query_AD_Connections ADM element is less than Config_Max_Number_Of_AD_Connections, add the ActiveDirectory_Connection variable to the Collection_Of_End_Entity_Object_Query_AD_Connections ADM element.

  6. Otherwise, invoke the "Perform an LDAP Unbind on an ADConnection" task (see [MS-ADTS] section 7.6.1.5) with the TaskInputADConnection parameter set to ActiveDirectory_Connection.
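The MS-ADTS tasks above abstract the transport, so it is useful to see the actual LDAPMessage that the step 3 parameters produce on the wire. The following is an added example, not code from MS-WCCE or MS-ADTS: it DER-encodes the SearchRequest per [RFC2251] section 4.5.1 with the filter, attribute list, sizeLimit, timeLimit, scope and derefAliases values given in step 3, so a defender can compare it against a capture from a Global Catalog session; the end-entity DN and message ID are constructed inputs.

```python
# Added example (not part of MS-WCCE or MS-ADTS): DER-encodes the LDAP
# SearchRequest that step 3 specifies. The base DN and message ID are
# constructed values; nothing is sent on the network.

def _ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(body)) + body

def _int(v: int, tag: int = 0x02) -> bytes:
    """Non-negative INTEGER/ENUMERATED, minimal length, sign bit kept clear."""
    return _tlv(tag, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big"))

def _octet(s: str) -> bytes:
    return _tlv(0x04, s.encode())

def _split_filters(s: str) -> list:
    """Split "(a=b)(c=d)" into its top-level parenthesised components."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        depth += 1 if ch == "(" else -1 if ch == ")" else 0
        if depth == 0 and ch == ")":
            parts.append(s[start:i + 1])
            start = i + 1
    return parts

def encode_filter(f: str) -> bytes:
    """RFC 2251 Filter for the subset used here: and, or, equalityMatch."""
    inner = f[1:-1]
    if inner[0] in "&|":
        tag = 0xA0 if inner[0] == "&" else 0xA1          # [0] and / [1] or
        return _tlv(tag, b"".join(encode_filter(p) for p in _split_filters(inner[1:])))
    attr, _, value = inner.partition("=")
    return _tlv(0xA3, _octet(attr) + _octet(value))      # [3] equalityMatch

SPEC_FILTER = "(|(objectCategory=user)(objectCategory=computer))"
SPEC_ATTRIBUTES = ["objectClass", "cn", "dNSHostName", "mail",
                   "objectGUID", "objectSid", "userPrincipalName"]

def build_search_request(message_id: int, end_entity_dn: str) -> bytes:
    """LDAPMessage { messageID, [APPLICATION 3] SearchRequest } with the
    step 3 parameters: scope baseObject (0), neverDerefAliases (0),
    sizeLimit 10000, timeLimit 120, typesOnly FALSE."""
    search = (_octet(end_entity_dn) + _int(0, 0x0A) + _int(0, 0x0A)
              + _int(10000) + _int(120) + _tlv(0x01, b"\x00")
              + encode_filter(SPEC_FILTER)
              + _tlv(0x30, b"".join(_octet(a) for a in SPEC_ATTRIBUTES)))
    return _tlv(0x30, _int(message_id) + _tlv(0x63, search))
```

The resulting bytes are what a capture on TCP port 3268 should show for this request once the bind in section 3.2.2.1.2.2 has completed; a sizeLimit or timeLimit that differs from 10000/120 in a capture indicates a deviation from this section.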