LDAP Search – Server Controls

Some of the features shown are only available in NetTools v1.31.8 and above.

A number of predefined server-side controls are provided as simple checkbox options; however, you can add additional server-side controls to the query via the Manage Controls dialog.  Click the Controls button under the server-side control section to display the following dialog.

LDAP Controls

The dialog provides the ability to manage the server-side controls that are included in the query. You can add, edit, or remove server-side controls from this dialog.  To add a new control, click the Add button and the following input dialog will be displayed.

Add LDAP Control

You can either manually enter the OID of the control you want to include, or you can use the dropdown list to select the common controls available in Active Directory.  The Value field is used to define the Value that is passed with the control.

The Value Type defines the encoding used for the Value entered: String, Integer, Non-BER encoded Integer, or Raw Data.

For the String and Integer options, the value is encoded using BER encoding. There is also an option to set whether the Value is included in a BER Sequence.  Typically, some of the Microsoft controls require the Value to be encapsulated in a BER sequence structure.

With Sequence encapsulation enabled, the Value "member" will be encoded as:

30 84 00 00 00 08 04 06 6D 65 6D 62 65 72
ASN.1 Structure Decode
  30 84 00 00 00 08 : Sequence (len: 8)
   | 04 06 : Octet String (len: 6)
   | 6D 65 6D 62 65 72 : member

Without Sequence Encapsulation, it will be:

04 06 6D 65 6D 62 65 72 
ASN.1 Structure Decode
   04 06 : Octet String (len: 6)
       6D 65 6D 62 65 72 : member

The Raw Data option adds the Value entered to the control without any encoding; this can be used to include specific data types or encoding schemes not currently supported in NetTools.   The Value for the Raw Data option must be entered in hex, with or without the 0x prefix; each byte must be entered as two hex digits, with the bytes separated by a space, e.g.  0x04 0x02 0x32 0x36, or 04 02 32 36.
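
The encodings above, reproduced as an added Python example (not NetTools code; the function names are illustrative, and wrapping an Integer in a Sequence the same way as a String is an assumption). It builds String and Integer values with and without Sequence encapsulation, parses Raw Data hex input, and decodes a value back into its ASN.1 structure so a control value can be checked before it is sent:

```python
# Added example, not NetTools code; function names are illustrative.
def ber_length(n, force_long4=False):
    if force_long4:  # 84 xx xx xx xx, the length form shown in the Sequence dump
        return b"\x84" + n.to_bytes(4, "big")
    if n < 0x80:  # short form, single octet
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content, force_long4=False):
    return bytes([tag]) + ber_length(len(content), force_long4) + content

def wrap(inner, sequence):  # assumption: Integers are wrapped the same way as Strings
    return tlv(0x30, inner, force_long4=True) if sequence else inner

def encode_string(value, sequence=False):
    return wrap(tlv(0x04, value.encode("utf-8")), sequence)

def encode_integer(value, sequence=False):
    magnitude = value if value >= 0 else ~value
    size = magnitude.bit_length() // 8 + 1  # minimal two's complement
    return wrap(tlv(0x02, value.to_bytes(size, "big", signed=True)), sequence)

def parse_raw(text):
    """Raw Data input: hex bytes separated by spaces, with or without 0x."""
    out = bytearray()
    for token in text.split():
        digits = token[2:] if token.lower().startswith("0x") else token
        if len(digits) != 2:
            raise ValueError(f"expected two hex digits, got {token!r}")
        out.append(int(digits, 16))
    return bytes(out)

def decode(data):
    """Return [(tag, value)]; a Sequence value is a nested list."""
    items, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated header")
        tag, first = data[pos], data[pos + 1]
        pos += 2
        count = first & 0x7F if first & 0x80 else 0  # long form: number of length octets
        length = int.from_bytes(data[pos:pos + count], "big") if count else first
        pos += count
        body = data[pos:pos + length]
        if len(body) != length:
            raise ValueError("length runs past end of value")
        items.append((tag, decode(body) if tag == 0x30 else body))
        pos += length
    return items
```
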

The Critical option defines whether the control is critical to the operation of the query. If a control is marked as Critical and the server doesn't support that control, the LDAP query will fail with Error: (0x0C) The control is critical, and the server does not support the control.

Currently, only server-side controls are supported; support for client-side controls could be introduced in later versions of NetTools.

When controls are added, the OID is displayed in the list; if an OID is one of the AD common controls, then the OID and AD common names are displayed.

Manage Controls

The controls added in this dialog are in addition to the server-side controls that are selected on the LDAP Search options.

The Dump server control option, when enabled, produces a hex and ASN.1 dump of the controls that are passed to the server with the query.  When the query is executed, the control details are displayed in the bottom Text output pane.

 
