IBMLdapProxyControl

  • Name: IBMLdapProxyControl
  • Description: Used to provide bind and connection information about extended operation requests that result in LDAP requests to another LDAP server. It is required on GetDnForUserid and GetPrivileges extended operation requests. The IBMLdapProxyControl server control and the GetDnForUserid and GetPrivileges extended operation requests are deprecated.
  • Assigned object identifier: 1.3.18.0.2.10.6
  • Target of control: EXOP backend of server
  • Control criticality: Critical
  • Values: The following ASN.1 (Abstract Syntax Notation One) syntax describes the BER (Basic Encoding Rules) encoding of the control value.
    ControlValue ::= SEQUENCE {
       BindInformation           [0]     BindInfo OPTIONAL,
       ConnectInformation        [1]     ConnectInfo OPTIONAL
    }
    
    Where,
       ConnectInfo ::= LDAPURL
    
       BindInfo ::= SEQUENCE {
         Bind DN                     LDAPDN,
         Auth                        AuthenticationChoice
       }
    
       AuthenticationChoice ::= CHOICE {
         Simple              [0]     OCTET STRING,
         Sasl                [3]     SaslCredentials
       }
    
       SaslCredentials ::= SEQUENCE {
         Mechanism                   LDAPString,
         Credentials                 OCTET STRING OPTIONAL
       }           
  • Detailed description: This control supplies the connection and bind information that the EXOP backend uses when an extended operation request causes it to act as an LDAP client and issue requests to another LDAP server. The EXOP backend uses the ConnectInformation and BindInformation in the control to establish an LDAP connection, and then issues the additional LDAP directory requests over that connection.
    If the ConnectInformation is not specified, the EXOP backend attempts to open a connection to its local host using a default port of 389. Otherwise, it uses the LDAP URL specified to open a connection. The specified URL must have the following form:
    ldap[s]://host[:port]
    where:
    • host is a DNS-style host name.
    • port is an optional port number.
    • ldaps causes the EXOP backend to open a secure LDAP directory connection. The LDAP server must be set up to use SSL and it cannot use the sslKeyRingPWStashFile option. See Setting up for SSL/TLS for more information about SSL configuration.

    If the BindInfo is not specified, the EXOP backend makes all of its LDAP requests anonymously. Otherwise, it uses the Bind DN and the AuthenticationChoice to bind to the LDAP server specified in the ConnectInformation. The EXOP backend does not support the SASL authentication choice that is described in the ASN.1; only the Simple choice can be used. Note that with the Simple choice the password is carried inside the control value as a plain OCTET STRING, so the client connection on which the extended operation request itself is sent should be protected (for example, with SSL/TLS) to keep the proxy credentials from being exposed in transit.

    If the control is specified more than once in a request, the server returns LDAP_PROTOCOL_ERROR.