
Active Directory rejects DirSync search request with DirSyncIncrementalValues flag #570

@johnallers

Description


Describe the bug
When performing an LDAP search using the DirSync control with DirSyncIncrementalValues enabled, the search will fail with LDAP Result Code 12 "Unavailable Critical Extension".

To Reproduce
Run a DirSync search and set the flag to DirSyncIncrementalValues.

Expected behavior
The DirSync search should succeed and return the relevant LDAP entries.

Code snippets

var conn *ldap.Conn // an already-bound connection; setup elided in the report
...

searchRequest := &ldap.SearchRequest{
	...
}

// flags = ldap.DirSyncIncrementalValues (0x80000000), max attribute count 0, nil cookie
res, err := conn.DirSync(searchRequest, ldap.DirSyncIncrementalValues, 0, nil)
if err != nil {
	// Always fails with LDAP result code 12 (Unavailable Critical Extension)
	return err
}

Additional context
Active Directory does not seem to like it when the flags are BER encoded as 5 bytes. I can work around the issue by forcing the flags to encode as 4 bytes.

Change this line of code (this encodes to 02050080000000):

seq.AppendChild(ber.NewInteger(ber.ClassUniversal, ber.TypePrimitive, ber.TagInteger, int64(c.Flags), "Flags"))

to (this encodes to 020480000000):

flagsPacket := ber.Encode(ber.ClassUniversal, ber.TypePrimitive, ber.TagInteger, nil, "Flags")
flagsPacket.Value = int64(c.Flags)
// encode as big-endian 4 bytes (the minimal BER encoding of 0x80000000 would be 5 bytes: 00 80 00 00 00)
flagsBytes := []byte{
	byte((c.Flags >> 24) & 0xFF),
	byte((c.Flags >> 16) & 0xFF),
	byte((c.Flags >> 8) & 0xFF),
	byte((c.Flags) & 0xFF),
}
// Data, not Value, is what gets serialized, so the INTEGER length is now exactly 4
flagsPacket.Data.Write(flagsBytes)
seq.AppendChild(flagsPacket)

Another LDAP client that ran across the same issue:
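To make the encoding difference above concrete, here is an added standalone Go example (not go-ldap's code and not the reporter's workaround). It hand-rolls the few BER primitives needed instead of importing go-asn1-ber, builds the DirSync control value (SEQUENCE { flags INTEGER, maxBytes INTEGER, cookie OCTET STRING }, per MS-ADTS) with both the minimal 5-byte INTEGER and the forced 4-byte form, and decodes each with a strict two's-complement reader. The empty cookie and maxBytes of 0 are constructed sample values; the control OID in the comment is the documented LDAP_SERVER_DIRSYNC_OID.

```go
package main

import (
	"encoding/hex"
	"errors"
	"fmt"
)

// DirSyncIncrementalValues is LDAP_DIRSYNC_INCREMENTAL_VALUES (MS-ADTS), 0x80000000.
const DirSyncIncrementalValues uint32 = 0x80000000

// berLength encodes a content length in BER short form (<128) or long form.
func berLength(n int) []byte {
	if n < 0x80 {
		return []byte{byte(n)}
	}
	var body []byte
	for v := n; v > 0; v >>= 8 {
		body = append([]byte{byte(v & 0xFF)}, body...)
	}
	return append([]byte{0x80 | byte(len(body))}, body...)
}

// berInteger encodes v as a minimal two's-complement BER INTEGER (tag 0x02).
// A positive value whose top byte has bit 7 set needs a leading 0x00 so it is
// not read as negative; that is why 0x80000000 becomes five content bytes.
func berInteger(v int64) []byte {
	var body []byte
	for {
		body = append([]byte{byte(v & 0xFF)}, body...)
		v >>= 8 // arithmetic shift: negative values converge to -1
		if (v == 0 && body[0]&0x80 == 0) || (v == -1 && body[0]&0x80 != 0) {
			break
		}
	}
	return append(append([]byte{0x02}, berLength(len(body))...), body...)
}

// berFixedUint32 encodes v as an INTEGER with exactly four content bytes, the
// form the reporter found Active Directory accepts. Strict BER reads a 4-byte
// value with bit 7 of the first byte set as a negative number.
func berFixedUint32(v uint32) []byte {
	return []byte{0x02, 0x04, byte(v >> 24), byte(v >> 16), byte(v >> 8), byte(v)}
}

// berOctetString encodes b as an OCTET STRING (tag 0x04).
func berOctetString(b []byte) []byte {
	return append(append([]byte{0x04}, berLength(len(b))...), b...)
}

// dirSyncControlValue builds the controlValue of LDAP_SERVER_DIRSYNC_OID
// (1.2.840.113556.1.4.841): SEQUENCE { flags INTEGER, maxBytes INTEGER, cookie OCTET STRING }.
// flagsTLV is passed pre-encoded so the two flag encodings can be compared.
func dirSyncControlValue(flagsTLV []byte, maxBytes int64, cookie []byte) []byte {
	var content []byte
	content = append(content, flagsTLV...)
	content = append(content, berInteger(maxBytes)...)
	content = append(content, berOctetString(cookie)...)
	return append(append([]byte{0x30}, berLength(len(content))...), content...)
}

// decodeBERInteger parses one INTEGER TLV as strict BER: two's complement,
// sign-extended from bit 7 of the first content byte (up to 8 content bytes).
func decodeBERInteger(tlv []byte) (int64, error) {
	if len(tlv) < 2 || tlv[0] != 0x02 {
		return 0, errors.New("not an INTEGER TLV")
	}
	n := int(tlv[1])
	if n == 0 || n > 8 || n&0x80 != 0 || len(tlv) != 2+n {
		return 0, errors.New("unsupported INTEGER length")
	}
	var v int64
	if tlv[2]&0x80 != 0 {
		v = -1 // sign-extend
	}
	for _, b := range tlv[2 : 2+n] {
		v = (v << 8) | int64(b)
	}
	return v, nil
}

func main() {
	cookie := []byte{} // constructed: empty cookie requests a full initial sync
	minimal := dirSyncControlValue(berInteger(int64(DirSyncIncrementalValues)), 0, cookie)
	forced := dirSyncControlValue(berFixedUint32(DirSyncIncrementalValues), 0, cookie)
	fmt.Println("minimal BER  :", hex.EncodeToString(minimal))
	fmt.Println("forced 4-byte:", hex.EncodeToString(forced))
	v, _ := decodeBERInteger(berFixedUint32(DirSyncIncrementalValues))
	fmt.Printf("strict decode of 4-byte form: %d (as uint32: 0x%08x)\n", v, uint32(v))
}
```

Running it prints the flags TLV as 02050080000000 inside the minimal control value and 020480000000 inside the forced one, matching the hex in the report. The strict decoder shows the trade-off in the workaround: a BER-conformant reader sees the 4-byte form as -2147483648, and only a consumer that reinterprets the value as a 32-bit unsigned LONG, which is how the reporter observes Active Directory treating it, gets 0x80000000 back.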
