LDAP Controls

Controls provide a mechanism whereby the semantics and arguments of existing LDAP operations may be extended. One or more controls may be attached to a single LDAP message. A control only affects the semantics of the message it is attached to. Controls sent by clients are termed request controls, and those sent by servers are termed response controls.

OpenDJ software supports the following LDAP controls:

Account Usability Control

Object Identifier: 1.3.6.1.4.1.42.2.27.9.5.8

Control originally provided by Sun Microsystems, used to determine whether a user account can be used to authenticate to the directory.

Assertion request control

Object Identifier: 1.3.6.1.1.12

Authorization Identity request control

Object Identifier: 2.16.840.1.113730.3.4.16

Authorization Identity response control

Object Identifier: 2.16.840.1.113730.3.4.15

Entry Change Notification response control

Object Identifier: 2.16.840.1.113730.3.4.7

Get Effective Rights request control

Object Identifier: 1.3.6.1.4.1.42.2.27.9.5.2

Manage DSAIT request control

Object Identifier: 2.16.840.1.113730.3.4.2

Matched Values request control

Object Identifier: 1.2.826.0.1.3344810.2.3

No-Op Control

Object Identifier: 1.3.6.1.4.1.4203.1.10.2

Password Expired response control

Object Identifier: 2.16.840.1.113730.3.4.4

Password Expiring response control

Object Identifier: 2.16.840.1.113730.3.4.5

Password Policy response control

Object Identifier: 1.3.6.1.4.1.42.2.27.8.5.1

Permissive Modify request control

Object Identifier: 1.2.840.113556.1.4.1413

Microsoft defined this control, describing it as follows: "Allows an LDAP modify to work under less restrictive conditions. Without it, a delete will fail if an attribute does not exist, and an add will fail if an attribute already exists. No data is needed in this control." (source of quote)

Persistent Search request control

Object Identifier: 2.16.840.1.113730.3.4.3

Post-Read request control

Object Identifier: 1.3.6.1.1.13.2

Post-Read response control

Object Identifier: 1.3.6.1.1.13.2

Pre-Read request control

Object Identifier: 1.3.6.1.1.13.1

Pre-Read response control

Object Identifier: 1.3.6.1.1.13.1

Proxied Authorization v1 request control

Object Identifier: 2.16.840.1.113730.3.4.12

Proxied Authorization v2 request control

Object Identifier: 2.16.840.1.113730.3.4.18

Public Changelog Exchange Control

Object Identifier: 1.3.6.1.4.1.26027.1.5.4

OpenDJ specific, for using the bookmark cookie when reading the external change log.

Server-Side Sort request control

Object Identifier: 1.2.840.113556.1.4.473

Server-Side Sort response control

Object Identifier: 1.2.840.113556.1.4.474

Simple Paged Results Control

Object Identifier: 1.2.840.113556.1.4.319

Subentries request controls

Object Identifier: 1.3.6.1.4.1.4203.1.10.1

Object Identifier: 1.3.6.1.4.1.7628.5.101.1

Subtree Delete request control

Object Identifier: 1.2.840.113556.1.4.805

Virtual List View request control

Object Identifier: 2.16.840.1.113730.3.4.9

Virtual List View response control

Object Identifier: 2.16.840.1.113730.3.4.10

The LDAP Relax Rules Control

Object Identifier: 1.3.6.1.4.1.4203.666.5.12