source: branches/samba-3.5.x/source4/ldap_server/devdocs/rfc4532.txt

Last change on this file was 414, checked in by Herwig Bauernfeind, 15 years ago

Samba 3.5.0: Initial import
File size: 13.9 KB
Line 
1
2
3
4
5
6
7Network Working Group K. Zeilenga
8Request for Comments: 4532 OpenLDAP Foundation
9Category: Standards Track June 2006
10
11
12 Lightweight Directory Access Protocol (LDAP)
13 "Who am I?" Operation
14
15Status of This Memo
16
17 This document specifies an Internet standards track protocol for the
18 Internet community, and requests discussion and suggestions for
19 improvements. Please refer to the current edition of the "Internet
20 Official Protocol Standards" (STD 1) for the standardization state
21 and status of this protocol. Distribution of this memo is unlimited.
22
23Copyright Notice
24
25 Copyright (C) The Internet Society (2006).
26
27Abstract
28
29 This specification provides a mechanism for Lightweight Directory
30 Access Protocol (LDAP) clients to obtain the authorization identity
31 the server has associated with the user or application entity. This
32 mechanism is specified as an LDAP extended operation called the LDAP
33 "Who am I?" operation.
34
351. Background and Intent of Use
36
37 This specification describes a Lightweight Directory Access Protocol
38 (LDAP) [RFC4510] operation that clients can use to obtain the primary
39 authorization identity, in its primary form, that the server has
40 associated with the user or application entity. The operation is
41 called the "Who am I?" operation.
42
43 This specification is intended to replace the existing Authorization
44 Identity Controls [RFC3829] mechanism, which uses Bind request and
45 response controls to request and return the authorization identity.
46 Bind controls are not protected by security layers established by the
47 Bind operation that includes them. While it is possible to establish
48 security layers using StartTLS [RFC4511][RFC4513] prior to the Bind
49 operation, it is often desirable to use security layers established
50 by the Bind operation. An extended operation sent after a Bind
51 operation is protected by the security layers established by the Bind
52 operation.
53
54
55
56
57
58Zeilenga Standards Track [Page 1]
59
60
61RFC 4532 LDAP "Who am I?" Operation June 2006
62
63
64 There are other cases where it is desirable to request the
65 authorization identity that the server associated with the client
66 separately from the Bind operation. For example, the "Who am I?"
67 operation can be augmented with a Proxied Authorization Control
68 [RFC4370] to determine the authorization identity that the server
69 associates with the identity asserted in the Proxied Authorization
70 Control. The "Who am I?" operation can also be used prior to the
71 Bind operation.
72
73 Servers often associate multiple authorization identities with the
74 client, and each authorization identity may be represented by
75 multiple authzId [RFC4513] strings. This operation requests and
76 returns the authzId that the server considers primary. In the
77 specification, the term "the authorization identity" and "the
78 authzId" are generally to be read as "the primary authorization
79 identity" and the "the primary authzId", respectively.
80
811.1. Conventions Used in This Document
82
83 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
84 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
85 document are to be interpreted as described in BCP 14 [RFC2119].
86
872. The "Who am I?" Operation
88
89 The "Who am I?" operation is defined as an LDAP Extended Operation
90 [RFC4511] identified by the whoamiOID Object Identifier (OID). This
91 section details the syntax of the operation's whoami request and
92 response messages.
93
94 whoamiOID ::= "1.3.6.1.4.1.4203.1.11.3"
95
962.1. The whoami Request
97
98 The whoami request is an ExtendedRequest with a requestName field
99 containing the whoamiOID OID and an absent requestValue field. For
100 example, a whoami request could be encoded as the sequence of octets
101 (in hex):
102
103 30 1e 02 01 02 77 19 80 17 31 2e 33 2e 36 2e 31
104 2e 34 2e 31 2e 34 32 30 33 2e 31 2e 31 31 2e 33
105
106
107
108
109
110
111
112
113
114
115Zeilenga Standards Track [Page 2]
116
117
118RFC 4532 LDAP "Who am I?" Operation June 2006
119
120
1212.2. The whoami Response
122
123 The whoami response is an ExtendedResponse where the responseName
124 field is absent and the response field, if present, is empty or an
125 authzId [RFC4513]. For example, a whoami response returning the
126 authzId "u:xxyyz@EXAMPLE.NET" (in response to the example request)
127 would be encoded as the sequence of octets (in hex):
128
129 30 21 02 01 02 78 1c 0a 01 00 04 00 04 00 8b 13
130 75 3a 78 78 79 79 7a 40 45 58 41 4d 50 4c 45 2e
131 4e 45 54
132
1333. Operational Semantics
134
135 The "Who am I?" operation provides a mechanism, a whoami Request, for
136 the client to request that the server return the authorization
137 identity it currently associates with the client. It also provides a
138 mechanism, a whoami Response, for the server to respond to that
139 request.
140
141 Servers indicate their support for this extended operation by
142 providing a whoamiOID object identifier as a value of the
143 'supportedExtension' attribute type in their root DSE. The server
144 SHOULD advertise this extension only when the client is willing and
145 able to perform this operation.
146
147 If the server is willing and able to provide the authorization
148 identity it associates with the client, the server SHALL return a
149 whoami Response with a success resultCode. If the server is treating
150 the client as an anonymous entity, the response field is present but
151 empty. Otherwise, the server provides the authzId [RFC4513]
152 representing the authorization identity it currently associates with
153 the client in the response field.
154
155 If the server is unwilling or unable to provide the authorization
156 identity it associates with the client, the server SHALL return a
157 whoami Response with an appropriate non-success resultCode (such as
158 operationsError, protocolError, confidentialityRequired,
159 insufficientAccessRights, busy, unavailable, unwillingToPerform, or
160 other) and an absent response field.
161
162 As described in [RFC4511] and [RFC4513], an LDAP session has an
163 "anonymous" association until the client has been successfully
164 authenticated using the Bind operation. Clients MUST NOT invoke the
165 "Who am I?" operation while any Bind operation is in progress,
166 including between two Bind requests made as part of a multi-stage
167
168
169
170
171
172Zeilenga Standards Track [Page 3]
173
174
175RFC 4532 LDAP "Who am I?" Operation June 2006
176
177
178 Bind operation. Where a whoami Request is received in violation of
179 this absolute prohibition, the server should return a whoami Response
180 with an operationsError resultCode.
181
1824. Extending the "Who am I?" Operation with Controls
183
184 Future specifications may extend the "Who am I?" operation using the
185 control mechanism [RFC4511]. When extended by controls, the "Who am
186 I?" operation requests and returns the authorization identity the
187 server associates with the client in a particular context indicated
188 by the controls.
189
1904.1. Proxied Authorization Control
191
192 The Proxied Authorization Control [RFC4370] is used by clients to
193 request that the operation it is attached to operate under the
194 authorization of an assumed identity. The client provides the
195 identity to assume in the Proxied Authorization request control. If
196 the client is authorized to assume the requested identity, the server
197 executes the operation as if the requested identity had issued the
198 operation.
199
200 As servers often map the asserted authzId to another identity
201 [RFC4513], it is desirable to request that the server provide the
202 authzId it associates with the assumed identity.
203
204 When a Proxied Authorization Control is be attached to the "Who am
205 I?" operation, the operation requests the return of the authzId the
206 server associates with the identity asserted in the Proxied
207 Authorization Control. The authorizationDenied (123) result code is
208 used to indicate that the server does not allow the client to assume
209 the asserted identity.
210
2115. Security Considerations
212
213 Identities associated with users may be sensitive information. When
214 they are, security layers [RFC4511][RFC4513] should be established to
215 protect this information. This mechanism is specifically designed to
216 allow security layers established by a Bind operation to protect the
217 integrity and/or confidentiality of the authorization identity.
218
219 Servers may place access control or other restrictions upon the use
220 of this operation. As stated in Section 3, the server SHOULD
221 advertise this extension when it is willing and able to perform the
222 operation.
223
224 As with any other extended operations, general LDAP security
225 considerations [RFC4510] apply.
226
227
228
229Zeilenga Standards Track [Page 4]
230
231
232RFC 4532 LDAP "Who am I?" Operation June 2006
233
234
2356. IANA Considerations
236
237 The OID 1.3.6.1.4.1.4203.1.11.3 is used to identify the LDAP "Who am
238 I?" extended operation. This OID was assigned [ASSIGN] by the
239 OpenLDAP Foundation, under its IANA-assigned private enterprise
240 allocation [PRIVATE], for use in this specification.
241
242 Registration of this protocol mechanism [RFC4520] has been completed
243 by the IANA.
244
245 Subject: Request for LDAP Protocol Mechanism Registration
246 Object Identifier: 1.3.6.1.4.1.4203.1.11.3
247 Description: Who am I?
248 Person & email address to contact for further information:
249 Kurt Zeilenga <kurt@openldap.org>
250 Usage: Extended Operation
251 Specification: RFC 4532
252 Author/Change Controller: IESG
253 Comments: none
254
2557. Acknowledgement
256
257 This document borrows from prior work in this area, including
258 "Authentication Response Control" [RFC3829] by Rob Weltman, Mark
259 Smith, and Mark Wahl.
260
261 The LDAP "Who am I?" operation takes it's name from the UNIX
262 whoami(1) command. The whoami(1) command displays the effective user
263 ID.
264
2658. References
266
2678.1. Normative References
268
269 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
270 Requirement Levels", BCP 14, RFC 2119, March 1997.
271
272 [RFC4370] Weltman, R., "Lightweight Directory Access Protocol (LDAP)
273 Proxied Authorization Control", RFC 4370, February 2006.
274
275 [RFC4510] Zeilenga, K., Ed., "Lightweight Directory Access Protocol
276 (LDAP): Technical Specification Road Map", RFC 4510, June
277 2006.
278
279 [RFC4511] Sermersheim, J., Ed., "Lightweight Directory Access
280 Protocol (LDAP): The Protocol", RFC 4511, June 2006.
281
282
283
284
285
286Zeilenga Standards Track [Page 5]
287
288
289RFC 4532 LDAP "Who am I?" Operation June 2006
290
291
292 [RFC4513] Harrison, R., Ed., "Lightweight Directory Access Protocol
293 (LDAP): Authentication Methods and Security Mechanisms",
294 RFC 4513, June 2006.
295
2968.2. Informative References
297
298 [RFC3829] Weltman, R., Smith, M., and M. Wahl, "Lightweight Directory
299 Access Protocol (LDAP) Authorization Identity Request and
300 Response Controls", RFC 3829, July 2004.
301
302 [RFC4520] Zeilenga, K., "Internet Assigned Numbers Authority (IANA)
303 Considerations for the Lightweight Directory Access
304 Protocol (LDAP)", BCP 64, RFC 4520, June 2006.
305
306 [ASSIGN] OpenLDAP Foundation, "OpenLDAP OID Delegations",
307 http://www.openldap.org/foundation/oid-delegate.txt.
308
309 [PRIVATE] IANA, "Private Enterprise Numbers",
310 http://www.iana.org/assignments/enterprise-numbers.
311
312Author's Address
313
314 Kurt D. Zeilenga
315 OpenLDAP Foundation
316
317 EMail: Kurt@OpenLDAP.org
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343Zeilenga Standards Track [Page 6]
344
345
346RFC 4532 LDAP "Who am I?" Operation June 2006
347
348
349Full Copyright Statement
350
351 Copyright (C) The Internet Society (2006).
352
353 This document is subject to the rights, licenses and restrictions
354 contained in BCP 78, and except as set forth therein, the authors
355 retain all their rights.
356
357 This document and the information contained herein are provided on an
358 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
359 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
360 ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
361 INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
362 INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
363 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
364
365Intellectual Property
366
367 The IETF takes no position regarding the validity or scope of any
368 Intellectual Property Rights or other rights that might be claimed to
369 pertain to the implementation or use of the technology described in
370 this document or the extent to which any license under such rights
371 might or might not be available; nor does it represent that it has
372 made any independent effort to identify any such rights. Information
373 on the procedures with respect to rights in RFC documents can be
374 found in BCP 78 and BCP 79.
375
376 Copies of IPR disclosures made to the IETF Secretariat and any
377 assurances of licenses to be made available, or the result of an
378 attempt made to obtain a general license or permission for the use of
379 such proprietary rights by implementers or users of this
380 specification can be obtained from the IETF on-line IPR repository at
381 http://www.ietf.org/ipr.
382
383 The IETF invites any interested party to bring to its attention any
384 copyrights, patents or patent applications, or other proprietary
385 rights that may cover technology that may be required to implement
386 this standard. Please address the information to the IETF at
387 ietf-ipr@ietf.org.
388
389Acknowledgement
390
391 Funding for the RFC Editor function is provided by the IETF
392 Administrative Support Activity (IASA).
393
394
395
396
397
398
399
400Zeilenga Standards Track [Page 7]
401
402
Note: See TracBrowser for help on using the repository browser.