Commit 70597ef0 authored by Kurt Zeilenga's avatar Kurt Zeilenga
Browse files

Trim drafts

parent 6849cd3d
This diff is collapsed.
This diff is collapsed.
INTERNET-DRAFT Rob Weltman
Intended Category: Standards Track Netscape Communications Corp.
May 2002
LDAP Proxied Authorization Control
draft-weltman-ldapv3-proxy-11.txt
Status of this Memo
This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC2026.
Internet-Drafts are working documents of the Internet Task Force
(IETF), its areas, and its working groups. Note that other groups
may also distribute working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
Abstract
This document defines the Lightweight Directory Access Protocol
(LDAP) Proxied Authorization Control. The Proxied Authorization
Control allows a client to request that an operation be processed
under a provided authorization identity [AUTH] instead of as the
current authorization identity associated with the connection.
1. Introduction
This document defines support for proxied authorization using the
Control mechanism. LDAP [LDAPV3] supports the use of SASL [SASL] for
authentication and for supplying an authorization identity distinct
from the authentication identity, where the authorization identity
applies to the whole LDAP session. The proposed Proxied Authorization
Control provides a mechanism for specifying an authorization identity
on a per operation basis, benefiting clients that need to efficiently
perform operations on behalf of multiple users.
The key words "MUST", "MUST NOT", "SHOULD", "SHOULD NOT", "MAY", and
"MAY NOT" used in this document are to be interpreted as described
in [KEYWORDS].
Expires November 2002 [Page 1]
PROXIED AUTHORIZATION CONTROL May 2002
2. Publishing support for the Proxied Authorization Control
Support for the Proxied Authorization Control is indicated by the
presence of the OID "2.16.840.1.113730.3.4.18" in the
supportedControl attribute of a server's root DSE.
3. Proxied Authorization Control
A single Proxied Authorization Control may be included in any search,
compare, modify, add, delete, modDN or extended operation request
message (with the exception of any extension that causes a change in
authentication, authorization, or data confidentiality [RFC 2828],
such as startTLS) as part of the controls field of the LDAPMessage,
as defined in [LDAPV3].
The controlType of the proxied authorization control is
"2.16.840.1.113730.3.4.18".
The criticality MUST be present and MUST be TRUE. This requirement
protects clients from submitting a request that is executed with an
unintended authorization identity.
The controlValue is either an LDAPString [LDAPv3] containing an
authzId as defined in section 9 of [AUTH] to use as the authorization
identity for the request, or an empty value if the anonymous identity
is to be used.
The mechanism for determining proxy access rights is specific to the
server's access control policy.
If the requested authorization identity is recognized by the server,
and the client is authorized to adopt the requested authorization
identity, the request will be executed as if submitted by the proxied
authorization identity, otherwise the result code TBD is returned.
[Note to the IESG/IANA/RFC Editor: the value TBD is to be replaced
with an IANA assigned LDAP Result Code (see draft-ietf-ldapbis-iana-
xx.txt, Section 3.5)]
4. Implementation Considerations
The interaction of proxied authorization access control and normal
access control is illustrated here for the case of search requests.
During evaluation of a search request, an entry which would have been
returned for the search if submitted by the proxied authorization
identity directly may not be returned if the server finds that the
requester does not have the right to assume the requested identity
for searching the entry, even if the entry is within the scope of a
search request under a base DN which does imply such rights. This
means that fewer results, or no results, may be returned compared to
the case where the proxied authorization identity issued the request
directly. An example of such a case may be a system with fine-grained
Expires November 2002 [Page 2]
PROXIED AUTHORIZATION CONTROL May 2002
access control, where the proxy right requester has proxy rights at
the top of a search tree, but not at or below a point or points
within the tree.
5. Security Considerations
The Proxied Authorization Control method is subject to general LDAP
security considerations [LDAPV3] [AUTH] [LDAPTLS]. The control may be
passed over a secure as well as over an insecure channel.
The control allows for an additional authorization identity to be
passed. In some deployments, these identities may contain
confidential information which require privacy protection.
Note that the server is responsible for determining if a proxied
authorization request is to be honored. "Anonymous" users SHOULD NOT
be allowed to assume the identity of others.
6. Copyright
Copyright (C) The Internet Society (date). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
7. References
[LDAPV3] M. Wahl, T. Howes, S. Kille, "Lightweight Directory Access
Protocol (v3)", RFC 2251, December 1997.
Expires November 2002 [Page 3]
PROXIED AUTHORIZATION CONTROL May 2002
[KEYWORDS] Bradner, Scott, "Key Words for use in RFCs to Indicate
Requirement Levels", draft-bradner-key-words-03.txt, January,
1997.
[SASL] J. Myers, "Simple Authentication and Security Layer (SASL)",
RFC 2222, October 1997
[AUTH] M. Wahl, H. Alvestrand, J. Hodges, R. Morgan, "Authentication
Methods for LDAP", RFC 2829, May 2000
[LDAPTLS] J. Hodges, R. Morgan, M. Wahl, "Lightweight Directory
Access Protocol (v3): Extension for Transport Layer Security",
RFC 2830, May 2000
[RFC 2828] R. Shirey, "Internet Security Glossary", RFC 2828, May
2000
8. Author's Address
Rob Weltman
Netscape Communications Corp.
466 Ellis Street
Mountain View, CA 94043
USA
+1 650 937-3194
rweltman@netscape.com
9. Acknowledgements
Mark Smith of Netscape Communications Corp., Mark Wahl of Sun
Microsystems, Inc, Kurt Zeilenga of OpenLDAP Foundation, Jim
Sermersheim of Novell, and Steven Legg of Adacel have contributed
with reviews of this draft.
10. Revision History
10.1 Changes from draft-weltman-ldapv3-proxy-10.txt
Clarified the interaction of proxy access rights and normal access
control evaluation.
10.2 Changes from draft-weltman-ldapv3-proxy-09.txt
Removed description of Control mechanism from Abstract.
Added description of how this is different from SASL authz to the
Introduction.
Expires November 2002 [Page 4]
PROXIED AUTHORIZATION CONTROL May 2002
Reworded description of the value of the control (no semantic
changes).
Added new result code TBD for failure to acquire proxy rights.
Added references to RFCs 2829 and 2830 in Security section.
10.3 Changes from draft-weltman-ldapv3-proxy-08.txt
Proxied Authorization Control
Clarifications: the control may not be submitted with a startTLS
request; an empty controlValue implies the anonymous identity; only
one control may be included with a request.
Permission to execute as proxy
Replaced "proxy identity" with "proxied authorization identity".
Security Considerations
Added statement that anonymous users should not be allowed to assume
the identity of others.
10.4 Changes from draft-weltman-ldapv3-proxy-07.txt
Proxied Authorization Control
Clarification: the content of the control is an LDAPString.
10.5 Changes from draft-weltman-ldapv3-proxy-06.txt
None
Expires November 2002 [Page 5]
PROXIED AUTHORIZATION CONTROL May 2002
10.6 Changes from draft-weltman-ldapv3-proxy-05.txt
The control also applies to add and extended operations.
The control value is an authorization ID, not necessarily a DN.
Confidentiality concerns are mentioned.
10.7 Changes from draft-weltman-ldapv3-proxy-04.txt
The control does not apply to bind, unbind, or abandon operations.
The proxy DN is represented as a string in the control, rather than
embedded in a sequence.
Support for the control is published in the supportedControl
attribute of the root DSE, not in supportedExtensions.
The security section mentions confidentiality issues with exposing an
additional identity.
10.8 Changes from draft-weltman-ldapv3-proxy-03.txt
None
10.9 Changes from draft-weltman-ldapv3-proxy-02.txt
The Control is now called Proxied Authorization Control, rather than
Proxied Authentication Control, to reflect that no authentication
occurs as a consequence of processing the Control.
Rather than containing an LDAPDN as the Control value, the Control
contains a Sequence (which contains an LDAPDN). This is to provide
for future extensions.
Expires November 2002 [Page 6]
\ No newline at end of file
INTERNET-DRAFT Kurt D. Zeilenga
Intended Category: Standard Track OpenLDAP Foundation
Expires in six months 17 May 2002
LDAP Cancel Extended Operation
<draft-zeilenga-ldap-cancel-05.txt>
1. Status of this Memo
This document is an Internet-Draft and is in full conformance with all
provisions of Section 10 of RFC2026.
This document is intended to be, after appropriate review and
revision, submitted to the RFC Editor as a Standard Track document.
Distribution of this memo is unlimited. Technical discussion of this
document will take place on the IETF LDAP Extension Working Group
mailing list <ietf-ldapext@netscape.com>. Please send editorial
comments directly to the author <Kurt@OpenLDAP.org>.
Internet-Drafts are working documents of the Internet Engineering Task
Force (IETF), its areas, and its working groups. Note that other
groups may also distribute working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as ``work in progress.''
The list of current Internet-Drafts can be accessed at
<http://www.ietf.org/ietf/1id-abstracts.txt>. The list of
Internet-Draft Shadow Directories can be accessed at
<http://www.ietf.org/shadow.html>.
Copyright 2002, The Internet Society. All Rights Reserved.
Please see the Copyright section near the end of this document for
more information.
Abstract
This specification describes an LDAP (Lightweight Directory Access
Protocol) extended operation to cancel (or abandon) an outstanding
operation. Unlike the LDAP Abandon operation but like the X.511 DAP
Abandon operation, this operation has a response which provides an
indication of its outcome.
Zeilenga LDAP Cancel [Page 1]
INTERNET-DRAFT draft-zeilenga-ldap-cancel-05 17 May 2002
Conventions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in BCP 14 [RFC2119].
Protocol elements are described using ASN.1 [X.680]. The term
"BER-encoded" means the element is to be encoded using the Basic
Encoding Rules [X.690] under the restrictions detailed in Section 5.1
of [RFC2251].
1. Background and Intent of Use
LDAP [RFC2251] provides an Abandon operation which clients may use to
cancel other operations. The Abandon operation does not have a
response and also calls for there to be no response of the abandoned
operation. These semantics provide the client with no clear
indication of the outcome of the Abandon operation.
X.511 DAP [X.511] provides an Abandon operation which does have a
response and also requires the abandoned operation to return a
response with indicating it was canceled. The Cancel operation is
modeled after the DAP Abandon operation.
The Cancel operation SHOULD be used instead of the LDAP Abandon
operation when the client needs an indication of the outcome. This
operation may be used to cancel both interrogation and update
operations.
4. Cancel Operation
The Cancel operation is defined as a LDAPv3 Extended Operation
[RFC2251, Section 4.12] identified by the OBJECT IDENTIFIER cancelOID.
This section details the syntax of the Cancel request and response
messages and defines additional LDAP resultCodes.
cancelOID OBJECT IDENTIFIER ::= IANA-ASSIGNED
cancelRequestValue ::= SEQUENCE {
cancelID MessageID
}
4.1. Cancel Request
The Cancel request is an ExtendedRequest with the requestName field
Zeilenga LDAP Cancel [Page 2]
INTERNET-DRAFT draft-zeilenga-ldap-cancel-05 17 May 2002
containing cancelOID OID and a requestValue field which contains a
cancelRequestValue value encoded per [RFC2251, Section 5.1]. The
cancelID field contains the message id associated with the operation
to be canceled.
4.2. Cancel Response
A Cancel response is an ExtendedResponse where the responseName and
response fields are absent.
4.3. Additional Result Codes
Implementations of this specification SHALL recognize the following
additional resultCode values:
canceled (IANA-ASSIGNED-1)
noSuchOperation (IANA-ASSIGNED-2)
tooLate (IANA-ASSIGNED-3)
cannotCancel (IANA-ASSIGNED-4)
5. Operational Semantics
The function of the Cancel Operation is to request that the server
cancel an outstanding operation issued within the same session.
The client requests the cancelation of an outstanding operation by
issuing a Cancel Response with a cancelID with the message id
identifying the outstanding operation. The Cancel Request itself has
a distinct message id. Clients SHOULD NOT request cancelation of an
operation multiple times.
If the server is unable to parse the requestValue or the requestValue
is absent, the server shall return protocolError.
If the server is willing and able to cancel the outstanding operation
identified by the cancelId, the server SHALL return a Cancel Response
with a success resultCode and the canceled operation SHALL fail with
canceled resultCode. Otherwise the Cancel Response SHALL have a
non-success resultCode and SHALL NOT have impact upon the outstanding
operation (if it exists).
The server SHALL return noSuchOperation if it has no knowledge of the
operation requested to be canceled.
The server SHALL return cannotCancel if the identified operation does
Zeilenga LDAP Cancel [Page 3]
INTERNET-DRAFT draft-zeilenga-ldap-cancel-05 17 May 2002
not support cancelation or the cancel operation could not be
performed. The following classes of operations are not cancelable:
- operations which have no response,
- operations which associate or disassociate authentication and/or
authorization associations,
- operations which establish or tear-down security services, and
- operations which abandon or cancel other operations.
Specifically, Abandon, Bind, Start TLS [RFC2830], Unbind and Cancel
operations are not cancelable.
If the result of the outstanding operation has been determined by the
server, the outstanding operation SHALL NOT be canceled and the cancel
operation SHALL result in tooLate.
Servers SHOULD indicate their support for this extended operation by
providing cancelOID as a value of the supportedExtension attribute
type in their root DSE. A server MAY choose to advertise this
extension only when the client is authorized and/or has established
the necessary security protections to use this operation. Clients
SHOULD verify the server implements this extended operation prior to
attempting the operation by asserting the supportedExtension attribute
contains a value of cancelOID.
6. Security Considerations
This operation is intended to allow a user to cancel operations they
previously issued. No user should be allowed to cancel an operation
issued by another user (within the same session or not). However, as
this operation may only be used to cancel within the same session and
LDAP requires operations to be abandoned upon bind requests, this is a
non-issue.
Some operations should not be cancelable for security reasons. This
specification disallows cancelation of Bind operation and Start TLS
extended operation so as to avoid adding complexity to authentication,
authorization, and security layer semantics. Designers of future
extended operations and/or controls SHOULD disallow abandonment and
cancelation when appropriate.
7. IANA Considerations
Zeilenga LDAP Cancel [Page 4]
INTERNET-DRAFT draft-zeilenga-ldap-cancel-05 17 May 2002
7.1. Object Identifiers
It is requested that IANA register a Directory Number OID for use in
this document upon Standards Action by the IESG. This OID will be
used to identify the LDAP Cancel extended operation as indicated
above. The following registration template is suggested:
Subject: Request for LDAP OID Registration
Person & email address to contact for further information:
Kurt Zeilenga <kurt@OpenLDAP.org>
Specification: RFCXXX
Author/Change Controller: IESG
7.2. LDAP Result Codes
It is requested that IANA register the LDAP result codes:
canceled (IANA-ASSIGNED-1)
noSuchOperation (IANA-ASSIGNED-2)
tooLate (IANA-ASSIGNED-3)
cannotCancel (IANA-ASSIGNED-4)
upon Standards Action by the IESG. The following registration
template is suggested:
Subject: LDAP Result Code Registration
Person & email address to contact for further information:
Kurt Zeilenga <kurt@OpenLDAP.org>
Result Code Name: canceled
Result Code Name: noSuchOperation
Result Code Name: tooLate
Result Code Name: cannotCancel
Specification: RFCXXXX
Author/Change Controller: IESG
Comments: request four consecutive result codes be assigned
8. Acknowledgment
This document is based upon input from the IETF LDAPext working group.
9. Normative References
[RFC2119] S. Bradner, "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14 (also RFC 2119), March 1997.