3.1.1.3.4.1.11 LDAP_SERVER_SD_FLAGS_OID
The LDAP_SERVER_SD_FLAGS_OID control is used with an LDAP Search request to control the portion of a Windows security descriptor to retrieve. The DC returns only the specified portion of the security descriptors. It is also used with LDAP Modify requests [2] to control the portion of a Windows security descriptor to modify. The DC modifies only the specified portion of the security descriptor.
When sending this control to the DC, the controlValue field is set to the BER encoding of the following ASN.1 structure.
SDFlagsRequestValue ::= SEQUENCE { Flags INTEGER }
The Flags value has the following format presented in big-endian byte order. X denotes unused bits that SHOULD be set to 0 by the client and that MUST be ignored by the server.
| 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | S | D | G | O |
The Flags value is a combination of zero or more bit flags from the following table.
| Bit flag name and value | Portion of security descriptor to retrieve/update |
|---|---|
| OWNER_SECURITY_INFORMATION (OSI) 0x1 | Owner identifier of the object. |
| GROUP_SECURITY_INFORMATION (GSI) 0x2 | Primary group identifier. |
| DACL_SECURITY_INFORMATION (DSI) 0x4 | Discretionary access control list (DACL) of the object. |
| SACL_SECURITY_INFORMATION (SSI) 0x8 | System access control list (SACL) of the object. |
Specifying Flags with no bits set, or not using the LDAP_SERVER_SD_FLAGS_OID control, is equivalent to setting Flags to (OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION | SACL_SECURITY_INFORMATION). Sending this control to the DC does not cause the server to include any controls in its response.
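The following Python sketch is an added example, not part of the specification: it BER-encodes and decodes the SDFlagsRequestValue structure and reports which portions of the security descriptor a given Flags value selects. The function names are hypothetical, only short-form BER lengths are handled, and treating a value with only X bits set as "no bits set" is an assumption drawn from the rule that the server ignores X bits.

```python
# Added example: BER encode/decode of SDFlagsRequestValue ::= SEQUENCE { Flags INTEGER }.
# Function names are hypothetical; only short-form BER lengths are handled.
PARTS = [
    ("OWNER_SECURITY_INFORMATION", 0x1),
    ("GROUP_SECURITY_INFORMATION", 0x2),
    ("DACL_SECURITY_INFORMATION", 0x4),
    ("SACL_SECURITY_INFORMATION", 0x8),
]
ALL_PARTS = 0xF


def encode_sd_flags(flags: int) -> bytes:
    """Build the controlValue bytes for a 32-bit Flags value."""
    if not 0 <= flags <= 0xFFFFFFFF:
        raise ValueError("Flags must fit in 32 bits")
    # BER INTEGER is two's complement, so a leading 0x00 byte is needed
    # whenever the top bit of the first content byte would otherwise be set.
    body = flags.to_bytes(flags.bit_length() // 8 + 1, "big")
    integer = b"\x02" + bytes([len(body)]) + body
    return b"\x30" + bytes([len(integer)]) + integer


def decode_sd_flags(value: bytes) -> int:
    """Parse a controlValue and return Flags as an unsigned 32-bit number."""
    if len(value) < 5 or value[0] != 0x30 or value[1] != len(value) - 2:
        raise ValueError("expected a short-form SEQUENCE")
    if value[2] != 0x02 or value[3] != len(value) - 4:
        raise ValueError("expected a single INTEGER filling the SEQUENCE")
    return int.from_bytes(value[4:], "big", signed=True) & 0xFFFFFFFF


def effective_parts(flags: int) -> list:
    """Names of the security descriptor portions the DC acts on."""
    used = flags & ALL_PARTS   # X bits are ignored by the server
    used = used or ALL_PARTS   # assumption: X-only counts as no bits set
    return [name for name, bit in PARTS if used & bit]


if __name__ == "__main__":
    value = encode_sd_flags(0x4 | 0x1)  # DACL and owner only
    print(value.hex(), effective_parts(decode_sd_flags(value)))
```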
[2] Clarified the use of the LDAP_SERVER_SD_FLAGS_OID control with respect to LDAP Modify requests in the operating systems specified by [MSFT-CVE-2021-42291], each with its related MSKB article download installed.