This appendix describes the standard LDAP controls and extended operations supported by Oracle Unified Directory.
This appendix includes the following sections:
For information about using the LDAP controls, see Section 18.5.3, "Searching Using Controls."
A supported control is a mechanism for identifying the request control supported by the Oracle Unified Directory. The object identifier of these controls are listed in the supportedControl attribute of the server's root DSE.
Table B-1 lists the controls supported by the directory server.
If you have installed a proxy instance, see Table B-2, which lists the controls supported by the proxy as well as by the remote LDAP servers.
Table B-1 LDAP Controls Supported by the Directory Server
| OID | LDAP Control | RFC or draft |
|---|---|---|
|
1.2.826.0.1.3344810.2.3 |
Matched Values Control |
RFC3876 |
|
1.2.840.113556.1.4.319 |
Page Results Control |
RFC2696 |
|
1.2.840.113556.1.4.473 |
Server-side Sort Control |
RFC2891 |
|
1.2.840.113556.1.4.805 |
Subtree Delete Control |
Draft |
|
1.3.6.1.1.12 |
Assertion Control |
RFC4528 |
|
1.3.6.1.1.13.1 |
LDAP Pre-read Control |
RFC4527 |
|
1.3.6.1.1.13.2 |
LDAP Post-read Control |
RFC4527 |
|
1.3.6.1.4.1.26027.1.5.2 |
Replication Repair Control |
|
|
1.3.6.1.4.1.4203.1.10.2 |
LDAP No-Op Control |
Draft |
|
1.3.6.1.4.1.42.2.27.8.5.1 |
Password Policy Control |
Draft |
|
1.3.6.1.4.1.42.2.27.9.5.2 |
Get Effective Rights Control |
Draft |
|
1.3.6.1.4.1.42.2.27.9.5.8 |
Account Usability Control |
|
|
1.3.6.1.4.1.42.2.27.9.5.9 |
CSN (Change Number Control) |
Note: This control is for internal use only. |
|
1.3.6.1.4.1.4203.1.10.1 |
LDAP Subentry Request Control |
RFC3672 |
|
1.3.6.1.4.1.26027.2.3.1 |
Join Search Control |
|
|
1.3.6.1.4.1.26027.2.3.2 |
Proximity Search Control |
|
|
1.3.6.1.4.1.26027.2.3.4 |
External Changelog Cookie v2 Control |
Note: This control is for internal use only. |
|
2.16.840.1.113730.3.4.4 |
Password Expired Control |
Draft |
|
2.16.840.1.113730.3.4.5 |
Password Expiration Warning Control |
Draft |
|
2.16.840.1.113730.3.4.12 |
Proxy Authorization v1 Control |
Draft |
|
2.16.840.1.113730.3.4.18 |
Proxy Authorization v2 Control |
RFC4370 |
|
2.16.840.1.113730.3.4.16 |
Authorization Identity Request Control |
RFC3829 |
|
2.16.840.1.113730.3.4.17 |
Real Attributes Only Control |
|
|
2.16.840.1.113730.3.4.19 |
Virtual Attributes Only Control |
|
|
2.16.840.1.113730.3.4.2 |
Manage DSA IT Control |
RFC3296 |
|
2.16.840.1.113730.3.4.3 |
Persistent Search Control |
Draft |
|
2.16.840.1.113730.3.4.9 |
Virtual List View Control |
Draft |
|
2.16.840.1.113894.1.8.21 |
OID Search Count Control |
Note: This control is used to ensure compatibility with Oracle Internet Directory. For more information about the control, see Section D.14.8, "OID Search Count Request Control." |
|
2.16.840.1.113894.1.8.31 |
Execution context ID (ECID) |
ECID is an unique identifier used across several Oracle product components to track requests within the same transaction. It is used in OUD to track LDAP requests coming in from the client for a given ECID. Note: This control is for Oracle internal use only. |
Table B-2 LDAP Controls Supported by the Proxy
| OID | LDAP Control | RFC or draft | Supported by Proxy Workflow Element | Supported by Distribution Algorithm | Supported by Remote ODSEE | Supported by Remote Oracle Unified Directory Server | Notes |
|---|---|---|---|---|---|---|---|
|
1.2.826.0.1.3344810.2.3 |
Matched Values Control |
RFC3876 |
Yes |
Yes |
No |
Yes |
|
|
1.2.840.113556.1.4.319 |
Page Results Control |
RFC2696 |
Yes |
No |
No |
Yes |
|
|
1.2.840.113556.1.4.473 |
Server-side Sort Control |
RFC2891 |
Yes |
No |
Yes |
Yes |
Supported if all targeted entries are on the same remote LDAP server, and that remote LDAP server supports server-side LDAP control. |
|
1.2.840.113556.1.4.805 |
Subtree Delete Control |
Draft |
Yes |
No |
No |
Yes |
Supported if all targeted entries are on the same remote LDAP server, and that remote LDAP server supports subtree delete LDAP control. Not supported by the distribution algorithm because targeted entries can span multiple remote LDAP servers. |
|
1.3.6.1.4.1.26027.2.3.2 |
Proximity Search Control |
Yes |
Yes |
Yes |
Yes |
||
|
1.3.6.1.1.12 |
Assertion Control |
RFC4528 |
Yes |
Yes |
No |
Yes |
Supported if the remote LDAP server that hosts the targeted entry also supports assertion control. Therefore not supported in proxy configurations where all remote LDAP servers run Oracle Directory Server Enterprise Edition. |
|
1.3.6.1.1.13.1 |
LDAP Pre-read Control |
RFC4527 |
Yes |
Yes |
Complies sufficiently for the proxy to work |
Yes |
Supported if the remote LDAP servers that host the targeted entries also support LDAP pre-read control. Required for the global index catalog. In Oracle Unified Directory directory servers, this control must be enabled. |
|
1.3.6.1.1.13.2 |
LDAP Post-read Control |
RFC4527 |
Yes |
Yes |
No |
Yes |
Supported if the remote LDAP servers that hosts the targeted entries also support LDAP post-read control. Therefore not supported in proxy configurations where all remote LDAP servers run Oracle Directory Server Enterprise Edition. In Oracle Unified Directory directory servers, this control must be enabled. |
|
1.3.6.1.4.1.26027.1.5.2 |
Replication Repair Control |
No |
No |
No |
Yes |
Not supported by the proxy. To repair data inconsistency across remote LDAP servers, bypass the proxy and send the control directly to the remote LDAP servers running Oracle Unified Directory. For remote LDAP servers running Oracle Directory Server Enterprise Edition, see the |
|
|
1.3.6.1.4.1.4203.1.10.2 |
LDAP No-Op Control |
Draft |
Yes |
Yes |
No |
Yes |
Supported if the remote LDAP servers that host the targeted entries also support the LDAP no-op control. Therefore not supported in proxy configurations where all remote LDAP servers run Oracle Directory Server Enterprise Edition. |
|
1.3.6.1.4.1.42.2.27.8.5.1 |
Password Policy Control |
Draft |
Yes |
Yes |
Yes |
Yes |
|
|
1.3.6.1.4.1.42.2.27.9.5.2 |
Get Effective Rights Control |
Draft |
Yes |
Yes |
Yes |
Yes |
If this control is to be used by a configuration of the proxy where remote LDAP servers run Oracle Unified Directory, then the aclRights and aclRightsInfo controls need to be authorized in Oracle Unified Directory, if you have sufficient credentials. |
|
1.3.6.1.4.1.42.2.27.9.5.8 |
Account Usability Control |
Yes |
Yes |
Yes |
Yes |
||
|
1.3.6.1.4.1.4203.1.10.1 |
LDAP Subentry Request Control |
RFC3672 |
Yes |
Yes |
No |
Yes |
Supported if the remote LDAP servers that host the targeted entries also support the LDAP sub-entry control. |
|
1.3.6.1.4.1.26027.1.5.4 |
External Changelog Cookie Control |
Yes |
Yes |
No |
Yes |
||
|
1.3.6.1.4.1.42.2.27.9.5.9 |
CSN (Change Number Control) Note: This control is for internal use only. |
Yes |
Yes |
Yes |
Yes |
Dedicated to replication, appropriate for modifyRequest, delRequest, and modDNRequest LDAP messages. Required for the global index catalog. |
|
|
2.16.840.1.113730.3.4.12 |
Proxy Authorization v1 Control |
Draft |
Yes |
Yes |
Yes |
Yes |
Supported if the remote LDAP servers that host the targeted entries also support the proxy-authorization v1 control. If the proxy is configured in this control mode, the remote LDAP server must also support the get effective rights control. |
|
2.16.840.1.113730.3.4.18 |
Proxy Authorization v2 Control |
RFC4370 |
Yes |
Yes |
Yes |
Yes |
Supported if the remote LDAP servers that host the targeted entries also support the proxy-authorization v2 control. If the proxy is configured in this control mode, the remote LDAP server must also support the get effective rights control. |
|
2.16.840.1.113730.3.4.16 |
Authorization Identity Request Control |
RFC3829 |
Yes |
Yes |
Yes |
Yes |
Supported if the remote LDAP server that hosts the target entry also supports the authorization identity request control. |
|
2.16.840.1.113730.3.4.17 |
Real Attributes Only Control |
Yes |
Yes |
Yes |
Yes |
Supported if the remote LDAP servers that host the targeted entries also support the real attributes only control. |
|
|
2.16.840.1.113730.3.4.19 |
Virtual Attributes Only Control |
Yes |
Yes |
Yes |
Yes |
Supported if the remote LDAP servers that host the targeted entries also support the virtual attributes only request control. |
|
|
2.16.840.1.113730.3.4.2 |
Manage DSA IT |
RFC3296 |
Yes |
Yes |
Yes |
Yes |
|
|
2.16.840.1.113730.3.4.3 |
Persistent Search Control |
Draft |
Yes |
Yes |
Yes |
Yes |
Supported if the remote LDAP servers that host the targeted entries also support the persistent search control. |
|
2.16.840.1.113730.3.4.9 |
Virtual List View Control |
Draft |
Yes |
No |
Yes |
Yes |
Supported if all of the targeted entries are located on the same remote LDAP server, and that server supports virtual list view control. |
A supported extension is a mechanism for identifying the extended operation supported by the Oracle Unified Directory. The object identifier of these extended operations are listed in the supportedExtension attribute of the server's root DSE.
The supported extensions for the Oracle Unified Directory include:
The Password Policy State extended operation
The Get Connection ID extended operation
The Get Symmetric Key extended operation