Context Navigation

← Previous Revision
Next Revision →
Blame
Revision Log

source: branches/samba-3.5.x/source4/ldap_server/devdocs/rfc4531.txt

Visit:

Last change on this file was 414, checked in by Herwig Bauernfeind, 15 years ago
Samba 3.5.0: Initial import
File size: 18.5 KB

Line
1
2
3
4
5
6
7	Network Working Group K. Zeilenga
8	Request for Comments: 4531 OpenLDAP Foundation
9	Category: Experimental June 2006
10
11
12	Lightweight Directory Access Protocol (LDAP)
13	Turn Operation
14
15
16	Status of This Memo
17
18	This memo defines an Experimental Protocol for the Internet
19	community. It does not specify an Internet standard of any kind.
20	Discussion and suggestions for improvement are requested.
21	Distribution of this memo is unlimited.
22
23	Copyright Notice
24
25	Copyright (C) The Internet Society (2006).
26
27	Abstract
28
29	This specification describes a Lightweight Directory Access Protocol
30	(LDAP) extended operation to reverse (or "turn") the roles of client
31	and server for subsequent protocol exchanges in the session, or to
32	enable each peer to act as both client and server with respect to the
33	other.
34
35	Table of Contents
36
37	1. Background and Intent of Use ....................................2
38	1.1. Terminology ................................................2
39	2. Turn Operation ..................................................2
40	2.1. Turn Request ...............................................3
41	2.2. Turn Response ..............................................3
42	3. Authentication ..................................................3
43	3.1. Use with TLS and Simple Authentication .....................4
44	3.2. Use with TLS and SASL EXTERNAL .............................4
45	3.3. Use of Mutual Authentication and SASL EXTERNAL .............4
46	4. TLS and SASL Security Layers ....................................5
47	5. Security Considerations .........................................6
48	6. IANA Considerations .............................................6
49	6.1. Object Identifier ..........................................6
50	6.2. LDAP Protocol Mechanism ....................................7
51	7. References ......................................................7
52	7.1. Normative References .......................................7
53	7.2. Informative References .....................................8
54
55
56
57
58	Zeilenga Experimental [Page 1]
59
60
61	RFC 4531 LDAP Turn Operation June 2006
62
63
64	1. Background and Intent of Use
65
66	The Lightweight Directory Access Protocol (LDAP) [RFC4510][RFC4511]
67	is a client-server protocol that typically operates over reliable
68	octet-stream transports, such as the Transport Control Protocol
69	(TCP). Generally, the client initiates the stream by connecting to
70	the server's listener at some well-known address.
71
72	There are cases where it is desirable for the server to initiate the
73	stream. Although it certainly is possible to write a technical
74	specification detailing how to implement server-initiated LDAP
75	sessions, this would require the design of new authentication and
76	other security mechanisms to support server-initiated LDAP sessions.
77
78	Instead, this document introduces an operation, the Turn operation,
79	which may be used to reverse the client-server roles of the protocol
80	peers. This allows the initiating protocol peer to become the server
81	(after the reversal).
82
83	As an additional feature, the Turn operation may be used to allow
84	both peers to act in both roles. This is useful where both peers are
85	directory servers that desire to request, as LDAP clients, that
86	operations be performed by the other. This may be useful in
87	replicated and/or distributed environments.
88
89	This operation is intended to be used between protocol peers that
90	have established a mutual agreement, by means outside of the
91	protocol, that requires reversal of client-server roles, or allows
92	both peers to act both as client and server.
93
94	1.1. Terminology
95
96	Protocol elements are described using ASN.1 [X.680] with implicit
97	tags. The term "BER-encoded" means the element is to be encoded
98	using the Basic Encoding Rules [X.690] under the restrictions
99	detailed in Section 5.1 of [RFC4511].
100
101	2. Turn Operation
102
103	The Turn operation is defined as an LDAP-Extended Operation
104	[Protocol, Section 4.12] identified by the 1.3.6.1.1.19 OID. The
105	function of the Turn Operation is to request that the client-server
106	roles be reversed, or, optionally, to request that both protocol
107	peers be able to act both as client and server in respect to the
108	other.
109
110
111
112
113
114
115	Zeilenga Experimental [Page 2]
116
117
118	RFC 4531 LDAP Turn Operation June 2006
119
120
121	2.1. Turn Request
122
123	The Turn request is an ExtendedRequest where the requestName field
124	contains the 1.3.6.1.1.19 OID and the requestValue field is a BER-
125	encoded turnValue:
126
127	turnValue ::= SEQUENCE {
128	mutual BOOLEAN DEFAULT FALSE,
129	identifier LDAPString
130	}
131
132	A TRUE mutual field value indicates a request to allow both peers to
133	act both as client and server. A FALSE mutual field value indicates
134	a request to reserve the client and server roles.
135
136	The value of the identifier field is a locally defined policy
137	identifier (typically associated with a mutual agreement for which
138	this turn is be executed as part of).
139
140	2.2. Turn Response
141
142	A Turn response is an ExtendedResponse where the responseName and
143	responseValue fields are absent. A resultCode of success is returned
144	if and only if the responder is willing and able to turn the session
145	as requested. Otherwise, a different resultCode is returned.
146
147	3. Authentication
148
149	This extension's authentication model assumes separate authentication
150	of the peers in each of their roles. A separate Bind exchange is
151	expected between the peers in their new roles to establish identities
152	in these roles.
153
154	Upon completion of the Turn, the responding peer in its new client
155	role has an anonymous association at the initiating peer in its new
156	server role. If the turn was mutual, the authentication association
157	of the initiating peer in its pre-existing client role is left intact
158	at the responding peer in its pre-existing server role. If the turn
159	was not mutual, this association is void.
160
161	The responding peer may establish its identity in its client role by
162	requesting and successfully completing a Bind operation.
163
164	The remainder of this section discusses some authentication
165	scenarios. In the protocol exchange illustrations, A refers to the
166	initiating peer (the original client) and B refers to the responding
167	peer (the original server).
168
169
170
171
172	Zeilenga Experimental [Page 3]
173
174
175	RFC 4531 LDAP Turn Operation June 2006
176
177
178	3.1. Use with TLS and Simple Authentication
179
180	A->B: StartTLS Request
181	B->A: StartTLS(success) Response
182	A->B: Bind(Simple(cn=B,dc=example,dc=net,B's secret)) Request
183	B->A: Bind(success) Response
184	A->B: Turn(TRUE,"XXYYZ") Request
185	B->A: Turn(success) Response
186	B->A: Bind(Simple(cn=A,dc=example,dc=net,A's secret)) Request
187	A->B: Bind(success) Response
188
189	In this scenario, TLS (Transport Layer Security) [RFC4346] is started
190	and the initiating peer (the original client) establishes its
191	identity with the responding peer prior to the Turn using the
192	DN/password mechanism of the Simple method of the Bind operation.
193	After the turn, the responding peer, in its new client role,
194	establishes its identity with the initiating peer in its new server
195	role.
196
197	3.2. Use with TLS and SASL EXTERNAL
198
199	A->B: StartTLS Request
200	B->A: StartTLS(success) Response
201	A->B: Bind(SASL(EXTERNAL)) Request
202	B->A: Bind(success) Response
203	A->B: Turn(TRUE,"XXYYZ") Request
204	B->A: Turn(success) Response
205	B->A: Bind(SASL(EXTERNAL)) Request
206	A->B: Bind(success) Response
207
208	In this scenario, TLS is started (with each peer providing a valid
209	certificate), and the initiating peer (the original client)
210	establishes its identity through the use of the EXTERNAL mechanism of
211	the SASL (Simple Authentication and Security Layer) [RFC4422] method
212	of the Bind operation prior to the Turn. After the turn, the
213	responding peer, in its new client role, establishes its identity
214	with the initiating peer in its new server role.
215
216	3.3. Use of Mutual Authentication and SASL EXTERNAL
217
218	A number of SASL mechanisms, such as GSSAPI [SASL-K5], support mutual
219	authentication. The initiating peer, in its new server role, may use
220	the identity of the responding peer, established by a prior
221	authentication exchange, as its source for "external" identity in
222	subsequent EXTERNAL exchange.
223
224	A->B: Bind(SASL(GSSAPI)) Request
225	<intermediate messages>
226
227
228
229	Zeilenga Experimental [Page 4]
230
231
232	RFC 4531 LDAP Turn Operation June 2006
233
234
235	B->A: Bind(success) Response
236	A->B: Turn(TRUE,"XXYYZ") Request
237	B->A: Turn(success) Response
238	B->A: Bind(SASL(EXTERNAL)) Request
239	A->B: Bind(success) Response
240
241	In this scenario, a GSSAPI mutual-authentication exchange is
242	completed between the initiating peer (the original client) and the
243	responding server (the original server) prior to the turn. After the
244	turn, the responding peer, in its new client role, requests that the
245	initiating peer utilize an "external" identity to establish its LDAP
246	authorization identity.
247
248	4. TLS and SASL Security Layers
249
250	As described in [RFC4511], LDAP supports both Transport Layer
251	Security (TLS) [RFC4346] and Simple Authentication and Security Layer
252	(SASL) [RFC4422] security frameworks. The following table
253	illustrates the relationship between the LDAP message layer, SASL
254	layer, TLS layer, and transport connection within an LDAP session.
255
256	+----------------------+
257	\| LDAP message layer \|
258	+----------------------+ > LDAP PDUs
259	+----------------------+ < data
260	\| SASL layer \|
261	+----------------------+ > SASL-protected data
262	+----------------------+ < data
263	\| TLS layer \|
264	Application +----------------------+ > TLS-protected data
265	------------+----------------------+ < data
266	Transport \| transport connection \|
267	+----------------------+
268
269	This extension does not alter this relationship, nor does it remove
270	the general restriction against multiple TLS layers, nor does it
271	remove the general restriction against multiple SASL layers.
272
273	As specified in [RFC4511], the StartTLS operation is used to initiate
274	negotiation of a TLS layer. If a TLS is already installed, the
275	StartTLS operation must fail. Upon establishment of the TLS layer,
276	regardless of which peer issued the request to start TLS, the peer
277	that initiated the LDAP session (the original client) performs the
278	"server identity check", as described in Section 3.1.5 of [RFC4513],
279	treating itself as the "client" and its peer as the "server".
280
281	As specified in [RFC4422], a newly negotiated SASL security layer
282	replaces the installed SASL security layer. Though the client/server
283
284
285
286	Zeilenga Experimental [Page 5]
287
288
289	RFC 4531 LDAP Turn Operation June 2006
290
291
292	roles in LDAP, and hence SASL, may be reversed in subsequent
293	exchanges, only one SASL security layer may be installed at any
294	instance.
295
296	5. Security Considerations
297
298	Implementors should be aware that the reversing of client/server
299	roles and/or allowing both peers to act as client and server likely
300	introduces security considerations not foreseen by the authors of
301	this document. In particular, the security implications of the
302	design choices made in the authentication and data security models
303	for this extension (discussed in Sections 3 and 4, respectively) are
304	not fully studied. It is hoped that experimentation with this
305	extension will lead to better understanding of the security
306	implications of these models and other aspects of this extension, and
307	that appropriate considerations will be documented in a future
308	document. The following security considerations are apparent at this
309	time.
310
311	Implementors should take special care to process LDAP, SASL, TLS, and
312	other events in the appropriate roles for the peers. Note that while
313	the Turn reverses the client/server roles with LDAP, and in SASL
314	authentication exchanges, it does not reverse the roles within the
315	TLS layer or the transport connection.
316
317	The responding server (the original server) should restrict use of
318	this operation to authorized clients. Client knowledge of a valid
319	identifier should not be the sole factor in determining authorization
320	to turn.
321
322	Where the peers except to establish TLS, TLS should be started prior
323	to the Turn and any request to authenticate via the Bind operation.
324
325	LDAP security considerations [RFC4511][RFC4513] generally apply to
326	this extension.
327
328	6. IANA Considerations
329
330	The following values [RFC4520] have been registered by the IANA.
331
332	6.1. Object Identifier
333
334	The IANA has assigned an LDAP Object Identifier to identify the LDAP
335	Turn Operation, as defined in this document.
336
337
338
339
340
341
342
343	Zeilenga Experimental [Page 6]
344
345
346	RFC 4531 LDAP Turn Operation June 2006
347
348
349	Subject: Request for LDAP Object Identifier Registration
350	Person & email address to contact for further information:
351	Kurt Zeilenga <kurt@OpenLDAP.org>
352	Specification: RFC 4531
353	Author/Change Controller: Author
354	Comments:
355	Identifies the LDAP Turn Operation
356
357	6.2. LDAP Protocol Mechanism
358
359	The IANA has registered the LDAP Protocol Mechanism described in this
360	document.
361
362	Subject: Request for LDAP Protocol Mechanism Registration
363	Object Identifier: 1.3.6.1.1.19
364	Description: LDAP Turn Operation
365	Person & email address to contact for further information:
366	Kurt Zeilenga <kurt@openldap.org>
367	Usage: Extended Operation
368	Specification: RFC 4531
369	Author/Change Controller: Author
370	Comments: none
371
372	7. References
373
374	7.1. Normative References
375
376	[RFC4346] Dierks, T. and, E. Rescorla, "The Transport Layer
377	Security (TLS) Protocol Version 1.1", RFC 4346, April
378	2006.
379
380	[RFC4422] Melnikov, A., Ed. and K. Zeilenga, Ed., "Simple
381	Authentication and Security Layer (SASL)", RFC 4422,
382	June 2006.
383
384	[RFC4510] Zeilenga, K., Ed., "Lightweight Directory Access
385	Protocol (LDAP): Technical Specification Road Map", RFC
386	4510, June 2006.
387
388	[RFC4511] Sermersheim, J., Ed., "Lightweight Directory Access
389	Protocol (LDAP): The Protocol", RFC 4511, June 2006.
390
391	[RFC4513] Harrison, R., Ed., "Lightweight Directory Access
392	Protocol (LDAP): Authentication Methods and Security
393	Mechanisms", RFC 4513, June 2006.
394
395
396
397
398
399
400	Zeilenga Experimental [Page 7]
401
402
403	RFC 4531 LDAP Turn Operation June 2006
404
405
406	[X.680] International Telecommunication Union -
407	Telecommunication Standardization Sector, "Abstract
408	Syntax Notation One (ASN.1) - Specification of Basic
409	Notation", X.680(2002) (also ISO/IEC 8824-1:2002).
410
411	[X.690] International Telecommunication Union -
412	Telecommunication Standardization Sector,
413	"Specification of ASN.1 encoding rules: Basic Encoding
414	Rules (BER), Canonical Encoding Rules (CER), and
415	Distinguished Encoding Rules (DER)", X.690(2002) (also
416	ISO/IEC 8825-1:2002).
417
418	7.2. Informative References
419
420	[RFC4520] Zeilenga, K., "Internet Assigned Numbers Authority
421	(IANA) Considerations for the Lightweight Directory
422	Access Protocol (LDAP)", BCP 64, RFC 4520, June 2006.
423
424	[SASL-K5] Melnikov, A., Ed., "The Kerberos V5 ("GSSAPI") SASL
425	Mechanism", Work in Progress, May 2006.
426
427	Author's Address
428
429	Kurt D. Zeilenga
430	OpenLDAP Foundation
431
432	EMail: Kurt@OpenLDAP.org
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457	Zeilenga Experimental [Page 8]
458
459
460	RFC 4531 LDAP Turn Operation June 2006
461
462
463	Full Copyright Statement
464
465	Copyright (C) The Internet Society (2006).
466
467	This document is subject to the rights, licenses and restrictions
468	contained in BCP 78, and except as set forth therein, the authors
469	retain all their rights.
470
471	This document and the information contained herein are provided on an
472	"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
473	OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
474	ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
475	INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
476	INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
477	WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
478
479	Intellectual Property
480
481	The IETF takes no position regarding the validity or scope of any
482	Intellectual Property Rights or other rights that might be claimed to
483	pertain to the implementation or use of the technology described in
484	this document or the extent to which any license under such rights
485	might or might not be available; nor does it represent that it has
486	made any independent effort to identify any such rights. Information
487	on the procedures with respect to rights in RFC documents can be
488	found in BCP 78 and BCP 79.
489
490	Copies of IPR disclosures made to the IETF Secretariat and any
491	assurances of licenses to be made available, or the result of an
492	attempt made to obtain a general license or permission for the use of
493	such proprietary rights by implementers or users of this
494	specification can be obtained from the IETF on-line IPR repository at
495	http://www.ietf.org/ipr.
496
497	The IETF invites any interested party to bring to its attention any
498	copyrights, patents or patent applications, or other proprietary
499	rights that may cover technology that may be required to implement
500	this standard. Please address the information to the IETF at
501	ietf-ipr@ietf.org.
502
503	Acknowledgement
504
505	Funding for the RFC Editor function is provided by the IETF
506	Administrative Support Activity (IASA).
507
508
509
510
511
512
513
514	Zeilenga Experimental [Page 9]
515
516

Note: See TracBrowser for help on using the repository browser.

Download in other formats: