Directory Services

LDAP Controls and Session Support

A DSML session can be initiated, maintained, and terminated without a single LDAP control or extended operation in the DSML operations. The typical use of a DSML session, however, is to support LDAP controls and extended operations, which require a session to handle the multiple request-response communications.

To help determine when DSML sessions are required, LDAP controls and extended operations are categorized into four types:

The following table lists behavior that can be expected in session and stateless requests.

| Control type | Session request | Stateless request |
| --- | --- | --- |
| Session support required controls | Allowed. | Forbidden. Error response will be generated. |
| Stateless controls | Allowed. Behavior should be identical to stateless. | Allowed. |
| Unknown controls | Allowed. | Forbidden. Error response will be generated. |
| Forbidden controls | Forbidden. Error response will be generated. | Forbidden. Error response will be generated. |

LDAP Controls and Extended Operations Supported by Active Directory

The following table lists the set of LDAP controls and extended operations that are currently supported in Active Directory.

| LDAP OID | Name | Description | Control type |
| --- | --- | --- | --- |
| 1.2.840.113556.1.4.319 | LDAP_PAGED_RESULT_OID_STRING | Paged search control | Session required |
| 1.2.840.113556.1.4.417 | LDAP_SERVER_SHOW_DELETED_OID | Show deleted control | Stateless |
| 1.2.840.113556.1.4.473 | LDAP_SERVER_SORT_OID | Server sort control | Stateless |
| 1.2.840.113556.1.4.521 | LDAP_SERVER_CROSSDOM_MOVE_TARGET_OID | Cross-domain move control | Stateless |
| 1.2.840.113556.1.4.528 | LDAP_SERVER_NOTIFICATION_OID | Server search notification control | Stateless |
| 1.2.840.113556.1.4.529 | LDAP_SERVER_EXTENDED_DN_OID | Extended DN control | Stateless |
| 1.2.840.113556.1.4.619 | LDAP_SERVER_LAZY_COMMIT_OID | Lazy commit control | Stateless |
| 1.2.840.113556.1.4.801 | LDAP_SERVER_SD_FLAGS_OID | Security descriptor flags control | Stateless |
| 1.2.840.113556.1.4.805 | LDAP_SERVER_TREE_DELETE_OID | Tree delete control | Stateless |
| 1.2.840.113556.1.4.841 | LDAP_SERVER_DIRSYNC_OID | Directory synchronization control | Stateless |
| 1.2.840.113556.1.4.970 | --- | Get stats control (internal) | Stateless |
| 1.2.840.113556.1.4.1338 | LDAP_SERVER_VERIFY_NAME_OID | Verify name control | Stateless |
| 1.2.840.113556.1.4.1339 | LDAP_SERVER_DOMAIN_SCOPE_OID | Domain scope control | Stateless |
| 1.2.840.113556.1.4.1340 | LDAP_SERVER_SEARCH_OPTIONS_OID | Search options control | Stateless |
| 1.2.840.113556.1.4.1413 | LDAP_SERVER_PERMISSIVE_MODIFY_OID | Permissive modify control | Stateless |
| 1.2.840.113556.1.4.1504 | LDAP_SERVER_ASQ_OID | Attribute scoped query control | Stateless |
| 1.2.840.113556.1.4.1781 | LDAP_SERVER_FAST_BIND_OID | Fast concurrent bind extended operation | Forbidden |
| | --- | TTL refresh extended operation | Stateless |
| | LDAP_START_TLS_OID | Start TLS extended operation | Forbidden |
| 2.16.840.1.113730.3.4.9 | LDAP_CONTROL_VLVREQUEST | VLV request control | Session required |
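
The behavior table and the Active Directory classification combined into a pre-flight check, as an added example (not code from the original page or from DSML Services): it lists the controls and extended operations in a DSMLv2 batchRequest that would draw an error response. Whether the request belongs to a session is passed in by the caller as the hypothetical `in_session` flag; the function names and the sample request are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = "{urn:oasis:names:tc:DSML:2:0:core}"  # DSMLv2 core namespace
AD = "1.2.840.113556.1.4."

# Classification taken from the page's Active Directory table.
SESSION_REQUIRED = {AD + "319", "2.16.840.1.113730.3.4.9"}
FORBIDDEN = {AD + "1781"}
STATELESS = {AD + n for n in ("417 473 521 528 529 619 801 805 841 970 "
                              "1338 1339 1340 1413 1504").split()}
# The Start TLS (forbidden) and TTL refresh (stateless) rows have no OID on
# the page; add them here once confirmed, or they are treated as unknown.

def classify(oid):
    if oid in FORBIDDEN:
        return "forbidden"
    if oid in SESSION_REQUIRED:
        return "session-required"
    return "stateless" if oid in STATELESS else "unknown"

def allowed(kind, in_session):
    # Behavior table: forbidden never passes; session-required and unknown
    # controls pass only inside a session; stateless controls always pass.
    if kind == "forbidden":
        return False
    return in_session or kind == "stateless"

def audit(batch_xml, in_session):
    """Return (oid, kind) for every control or extended operation in a DSMLv2
    batchRequest that the behavior table says will produce an error response."""
    # For untrusted input, parse with defusedxml.ElementTree instead.
    root = ET.fromstring(batch_xml)
    oids = [c.get("type", "") for c in root.iter(NS + "control")]
    oids += [(n.text or "").strip() for n in root.iter(NS + "requestName")]
    found = [(oid, classify(oid)) for oid in oids]
    return [(oid, kind) for oid, kind in found if not allowed(kind, in_session)]

# Constructed sample: a paged search with show-deleted, then a fast bind.
SAMPLE = """<batchRequest xmlns="urn:oasis:names:tc:DSML:2:0:core">
  <searchRequest dn="DC=example,DC=com" scope="wholeSubtree" derefAliases="neverDerefAliases">
    <control type="1.2.840.113556.1.4.319" criticality="true"/>
    <control type="1.2.840.113556.1.4.417"/>
    <filter><present name="objectClass"/></filter>
  </searchRequest>
  <extendedRequest><requestName>1.2.840.113556.1.4.1781</requestName></extendedRequest>
</batchRequest>"""
```

Calling `audit(SAMPLE, False)` reports the paged search control and the fast bind operation; `audit(SAMPLE, True)` reports only the fast bind operation.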