3.2.2.1.1.1 Search Requests
The CA SHOULD perform search requests demonstrated in the following figure.
Figure 3: Retrieving ADConnection handle for reading objects under certificate templates and enrollment services containers
The preceding figure describes the algorithm used for retrieving an ADConnection handle for reading objects under certificate templates and enrollment services containers.
The following steps describe the flow of the preceding figure:

1. If the CertificateTemplatesAndEnrollmentServices_AD_Connection ADM element is NULL:
   1.1. Invoke the "Initialize ADConnection" task ([MS-ADTS] section 7.6.1.1) to construct an ADConnection with the following parameters:
        TaskInputTargetName: NULL
        TaskInputPortNumber: If the value of the Config_CA_LDAP_Flags datum has the 0x0000001 (LDAPF_SSLENABLE) bit set, use port 636. Otherwise, use port 389.
        Store the returned ADConnection handle in the ActiveDirectory_Connection variable.
   1.2. Perform a bind request as specified in section 3.2.2.1.1.2. Store the returned ADConnection handle in the CertificateTemplatesAndEnrollmentServices_AD_Connection ADM element.
2. Obtain the distinguished name for the Certificate Templates Container (section 2.2.2.11.1) or the Enrollment Services Container (section 2.2.2.11.2) as specified in the following steps:
   2.1. Invoke the "Perform an LDAP Operation on an ADConnection" task ([MS-ADTS] section 7.6.1.6) with the following parameters:
        TaskInputADConnection: CertificateTemplatesAndEnrollmentServices_AD_Connection
        TaskInputRequestMessage: LDAP SearchRequest message (see [RFC2251] section 4.5.1) as follows:
            baseObject: distinguished name of the rootDSE object, as specified in [MS-ADTS] section 3.1.1.3.2.1
            scope: baseObject
            filter: (objectCategory=*)
            attributes: The CA SHOULD use the following attributes:
                configurationNamingContext
                defaultNamingContext
            sizeLimit: 10000
            timeLimit: 120
            derefAliases: neverDerefAliases
            typesOnly: FALSE
        TaskOutputResultMessage: Upon successful return from the task, this parameter will contain the results of the LDAP search.
   2.2. If the TaskReturnStatus returned in the previous step is not 0, go to step 4.
   2.3. If InputContainer is equal to Certificate Templates Container, set ContainerDistinguishedName equal to the concatenation of the "CN=Certificate Templates,CN=Public Key Services,CN=Services, CN=Configuration" path and the value of the configurationNamingContext attribute from step 2.1.
   2.4. If InputContainer is equal to Enrollment Services Container, set ContainerDistinguishedName equal to the concatenation of the "CN=Enrollment Services,CN=Public Key Services,CN=Services, CN=Configuration" path and the value of the configurationNamingContext attribute from step 2.1.
3. Read all objects under the Certificate Templates Container or Enrollment Services Container as follows: repeat step 2.1 with the following modifications:
   baseObject: ContainerDistinguishedName
   scope: wholeSubtree
   filter: The CA SHOULD use the following filters:
       If InputContainer is equal to Certificate Templates Container: (objectCategory=pKICertificateTemplate).
       If InputContainer is equal to Enrollment Services Container: (&(objectCategory=pKIEnrollmentService)(cn=SomeCA)), where SomeCA is the sanitized name of the CA, as specified in section 3.1.1.4.1.1.
   attributes: The CA SHOULD use the following attributes:
       If InputContainer is equal to Certificate Templates Container:
           cn
           flags
           ntSecurityDescriptor
           revision
           pKICriticalExtensions
           pKIDefaultCSPs
           pKIDefaultKeySpec
           pKIEnrollmentAccess
           pKIExpirationPeriod
           pKIExtendedKeyUsage
           pKIKeyUsage
           pKIMaxIssuingDepth
           pKIOverlapPeriod
           msPKI-Template-Schema-Version
           msPKI-Template-Minor-Revision
           msPKI-RA-Signature
           msPKI-Minimal-Key-Size
           msPKI-Cert-Template-OID
           msPKI-Supersede-Templates
           msPKI-RA-Policies
           msPKI-RA-Application-Policies
           msPKI-Certificate-Policy
           msPKI-Certificate-Application-Policy
           msPKI-Enrollment-Flag
           msPKI-Private-Key-Flag
           msPKI-Certificate-Name-Flag
       If InputContainer is equal to Enrollment Services Container:
           certificateTemplates
           cn
           displayName
           dNSHostName
   controls: Sequence of two Control structures, as follows:
       Control
           controlType: LDAP_SERVER_SD_FLAGS_OID_W (see [MS-ADTS] section 3.1.1.3.4.1.11)
           criticality: TRUE
           controlValue:
               Flags: DACL_SECURITY_INFORMATION | OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION
       Control
           controlType: LDAP_SERVER_PERMISSIVE_MODIFY_OID_W (see [MS-ADTS] section 3.1.1.3.4.1.8)
           criticality: FALSE
   TaskOutputResultMessage: Upon successful return from the task, this parameter will contain the results of the LDAP search. Set CertificateTemplatesandEnrollmentServicesObjects equal to TaskOutputResultMessage.
4. If the TaskReturnStatus returned in step 2 is not 0, then:
   4.1. Invoke the "Perform an LDAP Unbind on an ADConnection" task (see [MS-ADTS] section 7.6.1.5) with the TaskInputADConnection parameter set to CertificateTemplatesAndEnrollmentServices_AD_Connection.
   4.2. Repeat step 1.1.
   4.3. Perform steps 1 and 2 in section 3.2.2.1.1.2, with the exception that in step 1 the following parameters are used:
        TaskInputOptionName: LDAP_OPT_GETDSNAME_FLAGS
        TaskInputOptionValue: Bitwise OR of the bits A, D, and R, as defined in [MS-NRPC] section 3.5.4.3.1.
   4.4. If the TaskReturnStatus returned is not 0, convert it to a 4-byte HRESULT value (errors are specified in [MS-ERREF] section 2.1) by performing the processing rules in section 3.2.2.1.7 with the following input parameters:
        InputReturnStatus: TaskReturnStatus
        InputResultMessage: TaskOutputResultMessage
        Return the OutputHRESULT output parameter to the client and exit.
   4.5. Repeat step 3. If the TaskReturnStatus returned is not 0, convert it to a 4-byte HRESULT value (errors are specified in [MS-ERREF] section 2.1) by performing the processing rules in section 3.2.2.1.7 with the following input parameters:
        InputReturnStatus: TaskReturnStatus
        InputResultMessage: TaskOutputResultMessage
        Return the OutputHRESULT output parameter to the client and exit.
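The two SearchRequests described above, as an added Python example that is not part of the specification: it builds the rootDSE read and the container subtree search as plain dicts, BER-encodes the LDAP_SERVER_SD_FLAGS controlValue, and RFC 4515-escapes the sanitized CA name before placing it in the filter. The OID strings and SECURITY_INFORMATION constants are the documented [MS-ADTS] and winnt.h values; the dict layout, function names and the shortened template attribute list are this example's own, and it assumes that configurationNamingContext already begins with CN=Configuration, so the container prefix stops at CN=Services.

```python
# Security-descriptor parts (winnt.h values) for the LDAP_SERVER_SD_FLAGS control; the SACL is
# deliberately not requested, so the CA does not need SeSecurityPrivilege to read the objects.
OWNER_SECURITY_INFORMATION, GROUP_SECURITY_INFORMATION, DACL_SECURITY_INFORMATION = 0x1, 0x2, 0x4
SD_FLAGS = DACL_SECURITY_INFORMATION | OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION
LDAP_SERVER_SD_FLAGS_OID = "1.2.840.113556.1.4.801"           # [MS-ADTS] 3.1.1.3.4.1.11
LDAP_SERVER_PERMISSIVE_MODIFY_OID = "1.2.840.113556.1.4.1413"  # [MS-ADTS] 3.1.1.3.4.1.8
# RDN prefix per container; configurationNamingContext itself already begins with CN=Configuration.
CONTAINER_PREFIX = {
    "Certificate Templates": "CN=Certificate Templates,CN=Public Key Services,CN=Services",
    "Enrollment Services": "CN=Enrollment Services,CN=Public Key Services,CN=Services",
}
# Attribute lists from the section (template list shortened to a subset in this example).
TEMPLATE_ATTRS = ["cn", "flags", "ntSecurityDescriptor", "revision", "pKIExtendedKeyUsage",
                  "msPKI-Enrollment-Flag", "msPKI-Certificate-Name-Flag", "msPKI-RA-Signature"]
ENROLLMENT_ATTRS = ["certificateTemplates", "cn", "displayName", "dNSHostName"]

def escape_filter_value(value):
    """RFC 4515 escaping so a CA name cannot change the structure of the filter it is placed in."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in value)

def encode_sd_flags_control_value(flags):
    """BER SEQUENCE { INTEGER flags }: the controlValue of LDAP_SERVER_SD_FLAGS."""
    body = flags.to_bytes(flags.bit_length() // 8 + 1, "big")  # minimal length, sign bit clear
    integer = b"\x02" + bytes([len(body)]) + body
    return b"\x30" + bytes([len(integer)]) + integer

def rootdse_search():
    """Base-scope read of the rootDSE (empty DN) to learn the naming contexts (step 2.1)."""
    return {"baseObject": "", "scope": "baseObject", "filter": "(objectCategory=*)",
            "attributes": ["configurationNamingContext", "defaultNamingContext"],
            "sizeLimit": 10000, "timeLimit": 120, "derefAliases": "neverDerefAliases",
            "typesOnly": False, "controls": []}

def container_dn(container, config_nc):
    """ContainerDistinguishedName built from the configurationNamingContext read in step 2.1."""
    return f"{CONTAINER_PREFIX[container]},{config_nc}"

def objects_search(container, config_nc, sanitized_ca=None):
    """Subtree search of the container with the SD-flags and permissive-modify controls."""
    req = rootdse_search()
    req.update(baseObject=container_dn(container, config_nc), scope="wholeSubtree")
    if container == "Certificate Templates":
        req.update(filter="(objectCategory=pKICertificateTemplate)", attributes=TEMPLATE_ATTRS)
    else:  # Enrollment Services: restrict to this CA's own pKIEnrollmentService object
        cn = escape_filter_value(sanitized_ca)
        req.update(filter=f"(&(objectCategory=pKIEnrollmentService)(cn={cn}))", attributes=ENROLLMENT_ATTRS)
    req["controls"] = [(LDAP_SERVER_SD_FLAGS_OID, True, encode_sd_flags_control_value(SD_FLAGS)),
                       (LDAP_SERVER_PERMISSIVE_MODIFY_OID, False, None)]
    return req
```

The returned dict can be handed to whatever LDAP client is in use; the controls list uses the (controlType, criticality, controlValue) tuple shape.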