Controls and extended operations

Controls and extended operations allow the LDAP protocol to be extended without changing the protocol itself.

Controls

Controls provide additional information to the server to control how it interprets a given request. For example, a delete subtree control can be specified on an LDAP delete request, indicating that the server should delete the entry and all its subordinate entries, rather than deleting just the entry specified. A control consists of three parts:

  • The control type, which is an OID identifying the control.
  • A criticality indicator, which specifies how the server should behave if it does not support the control. This is a Boolean value. FALSE indicates the control is not critical, and the server should ignore it if it doesn't support it. TRUE indicates the control is critical and the entire request should fail (with an unsupported critical extension error) if the server cannot honor the control.
  • An optional control value, which contains other information specific to the control. The content of the control value is specified using ASN.1 notation. The value itself is the BER encoding of the control data.
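
The three-part structure above, as an added example that is not part of the original page: a small Python codec for the Control SEQUENCE as RFC 4511 defines it (type as an OCTET STRING, criticality as a BOOLEAN that defaults to FALSE, value as an OCTET STRING), together with the criticality rule for a control the server does not support. The function names and SAMPLE_OID are constructed for illustration; the decoder rejects truncated or over-long lengths instead of trusting them.

```python
SAMPLE_OID = "1.3.6.1.4.1.99999.1"  # constructed placeholder OID (assumption), not a registered control

def _tlv(tag, body):
    n = len(body)
    if n < 0x80:                                   # short-form length
        return bytes([tag, n]) + body
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + body

def encode_control(oid, critical=False, value=None):
    body = _tlv(0x04, oid.encode("ascii"))         # control type: dotted-decimal OID
    if critical:                                   # FALSE is the default, so it is omitted
        body += _tlv(0x01, b"\xff")
    if value is not None:                          # control value: already-BER-encoded data
        body += _tlv(0x04, value)
    return _tlv(0x30, body)

def _read(buf, pos, want):                         # returns (content, next_pos)
    if pos + 2 > len(buf) or buf[pos] != want:
        raise ValueError("missing or unexpected tag")
    n, pos = buf[pos + 1], pos + 2
    if n & 0x80:                                   # long form: low bits count the length octets
        k = n & 0x7F
        if not 1 <= k <= 4 or pos + k > len(buf):
            raise ValueError("bad length octets")
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + n > len(buf):
        raise ValueError("length runs past buffer")
    return buf[pos:pos + n], pos + n

def decode_control(buf):
    body, end = _read(buf, 0, 0x30)
    oid, pos = _read(body, 0, 0x04)
    critical, value = False, None
    if pos < len(body) and body[pos] == 0x01:      # criticality present
        flag, pos = _read(body, pos, 0x01)
        if len(flag) != 1:
            raise ValueError("BOOLEAN must be one octet")
        critical = flag != b"\x00"
    if pos < len(body):                            # control value present
        value, pos = _read(body, pos, 0x04)
    if end != len(buf) or pos != len(body):
        raise ValueError("trailing data")
    return oid.decode("ascii"), critical, value

def server_decision(encoded, supported_oids):
    oid, critical, _ = decode_control(encoded)
    if oid in supported_oids:
        return "apply"
    return "reject" if critical else "ignore"      # reject = fail the entire request
```
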

Extended operations

Extended operations are used to start additional operations beyond the core LDAP operations. For example, extended operations have been defined to group a set of operations into a single transaction. An extended operation consists of:

  • The request name, an OID which identifies the specific operation.
  • An optional request value, which contains other information specific to the operation. The content of the request value is specified using ASN.1 notation. The value itself is the BER encoding of the request data.

Extended operations typically have an extended response. The response consists of:

  • The components of the standard LDAP result (error code, matched DN, and error message)
  • The response name, an OID which identifies the type of response
  • An optional value, which contains other information specific to the response. The content of the response value is specified using ASN.1 notation. The value itself is the BER encoding of the response data.