LDAP controls

Controls are special objects which may be sent alongside an LDAP request to alter LDAP server behavior while performing the request. There may also be controls sent by the server alongside the response to provide more information, usually to answer a control object from the request.

Note:

Not all controls are supported by all LDAP servers. To know which controls are supported by a server, you need to query the root DSE by reading an empty dn with the filter (objectClass=*).

Example #1 Testing support for paged result control

<?php

// $ds is a valid link identifier for a directory server

$result ldap_read($ds'''(objectClass=*)', ['supportedControl']);
if (!
in_array(LDAP_CONTROL_PAGEDRESULTSldap_get_entries($ds$result)[0]['supportedcontrol'])) {
  die(
"This server does not support paged result control");
}

?>

As of PHP 7.3, you can send controls with your request in all request functions using the serverctrls parameter. When a ext version of a function exists, you should use it if you want to get access to the full response object and be able to parse response controls from it using ldap_parse_result().

serverctrls must be an array containing an array for each control to send, containing the following keys:

oid (string)
The OID of the control. You should use constants starting with LDAP_CONTROL_ for this. See LDAP Constants.
iscritical (boolean)
If a control is noted as critical, the request will fail if the control is not supported by the server, or if it fails to be applied. Note that some controls should always be marked as critical as noted in the RFC introducing them. Defaults to FALSE.
value (mixed)
If applicable, the value of the control. Read below for more information.

Most control values are sent to the server BER-encoded. You may either BER-encode the value yourself, or you can instead pass an array with the correct keys so that the encoding is done for you. Supported controls to be passed as an array are:

  • LDAP_CONTROL_PAGEDRESULTS Expected keys are [size] and [cookie]

  • LDAP_CONTROL_ASSERT Expected key is filter

  • LDAP_CONTROL_VALUESRETURNFILTER Expected key is filter

  • LDAP_CONTROL_PRE_READ Expected key is attrs

  • LDAP_CONTROL_POST_READ Expected key is attrs

  • LDAP_CONTROL_SORTREQUEST Expects an array of arrays with keys attr, [oid], [reverse].

  • LDAP_CONTROL_VLVREQUEST Expected keys are before, after, attrvalue|(offset, count), [context]

The following controls do not need any value:

  • LDAP_CONTROL_PASSWORDPOLICYREQUEST

  • LDAP_CONTROL_MANAGEDSAIT

  • LDAP_CONTROL_DONTUSECOPY

The control LDAP_CONTROL_PROXY_AUTHZ is a special case as its value is not expected to be BER-encoded, so you can directly use a string for its value.

When controls are parsed by ldap_parse_result(), values are turned into an array if supported. This is supported for:

  • LDAP_CONTROL_PASSWORDPOLICYRESPONSE Keys are expire, grace, [error]

  • LDAP_CONTROL_PAGEDRESULTS Keys are size, cookie

  • LDAP_CONTROL_PRE_READ Keys are dn and LDAP attributes names

  • LDAP_CONTROL_POST_READ Keys are dn and LDAP attributes names

  • LDAP_CONTROL_SORTRESPONSE Keys are errcode, [attribute]

  • LDAP_CONTROL_VLVRESPONSE Keys are target, count, errcode, context