mirror of
https://git.openldap.org/openldap/openldap.git
synced 2024-12-21 03:10:25 +08:00
340 lines
12 KiB
Plaintext
340 lines
12 KiB
Plaintext
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
INTERNET-DRAFT Kurt D. Zeilenga
|
|||
|
Intended Category: Standard Track OpenLDAP Foundation
|
|||
|
Expires in six months 17 May 2002
|
|||
|
|
|||
|
|
|||
|
|
|||
|
LDAP "Who am I?" Operation
|
|||
|
<draft-zeilenga-ldap-authzid-06.txt>
|
|||
|
|
|||
|
|
|||
|
Status of this Memo
|
|||
|
|
|||
|
This document is an Internet-Draft and is in full conformance with all
|
|||
|
provisions of Section 10 of RFC2026.
|
|||
|
|
|||
|
This document is intended to be, after appropriate review and
|
|||
|
revision, submitted to the RFC Editor as a Standard Track document.
|
|||
|
Distribution of this memo is unlimited. Technical discussion of this
|
|||
|
document will take place on the IETF LDAP Extension Working Group
|
|||
|
mailing list <ietf-ldapext@netscape.com>. Please send editorial
|
|||
|
comments directly to the author <Kurt@OpenLDAP.org>.
|
|||
|
|
|||
|
Internet-Drafts are working documents of the Internet Engineering Task
|
|||
|
Force (IETF), its areas, and its working groups. Note that other
|
|||
|
groups may also distribute working documents as Internet-Drafts.
|
|||
|
Internet-Drafts are draft documents valid for a maximum of six months
|
|||
|
and may be updated, replaced, or obsoleted by other documents at any
|
|||
|
time. It is inappropriate to use Internet-Drafts as reference
|
|||
|
material or to cite them other than as ``work in progress.''
|
|||
|
|
|||
|
The list of current Internet-Drafts can be accessed at
|
|||
|
<http://www.ietf.org/ietf/1id-abstracts.txt>. The list of
|
|||
|
Internet-Draft Shadow Directories can be accessed at
|
|||
|
<http://www.ietf.org/shadow.html>.
|
|||
|
|
|||
|
Copyright 2002, The Internet Society. All Rights Reserved.
|
|||
|
|
|||
|
Please see the Copyright section near the end of this document for
|
|||
|
more information.
|
|||
|
|
|||
|
|
|||
|
Abstract
|
|||
|
|
|||
|
This specification provides a mechanism for Lightweight Directory
|
|||
|
Access Protocol (LDAP) clients to obtain the authorization identity
|
|||
|
which the server has associated with the user or application entity.
|
|||
|
This mechanism is specified as an LDAP extended operation called the
|
|||
|
LDAP "Who am I?" operation.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Zeilenga LDAP "Who am I?" [Page 1]
|
|||
|
|
|||
|
INTERNET-DRAFT draft-zeilenga-ldap-authzid-06 17 May 2002
|
|||
|
|
|||
|
|
|||
|
Conventions
|
|||
|
|
|||
|
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
|
|||
|
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
|
|||
|
document are to be interpreted as described in BCP 14 [RFC2119].
|
|||
|
|
|||
|
|
|||
|
1. Background and Intent of Use
|
|||
|
|
|||
|
This specification describes a Lightweight Directory Access Protocol
|
|||
|
(LDAP) [RFC2251] extended operation which clients can use to obtain
|
|||
|
the primary authorization identity in its primary form which the
|
|||
|
server has associated with the user or application entity.
|
|||
|
|
|||
|
Servers often associate multiple authorization identities with the
|
|||
|
client and each authorization identity may be represented by multiple
|
|||
|
authzId [RFC2829] strings. This operation requests and returns the
|
|||
|
authzId the server considers to be primary. In the specification, the
|
|||
|
term "the authorization identity" and "the authzid" are to generally
|
|||
|
read as "the primary authorization identity" and the "the primary
|
|||
|
authzid", respectively.
|
|||
|
|
|||
|
This specification is intended to replace the existing [AUTHCTL]
|
|||
|
mechanism which uses Bind request and response controls to request and
|
|||
|
return the authorization identity. Bind controls are not protected by
|
|||
|
the security layers established by the Bind operation which they are
|
|||
|
transferred as part of. While it is possible to establish security
|
|||
|
layers prior to the Bind operation, it is often desirable to only use
|
|||
|
security layers established by the Bind operation. An extended
|
|||
|
operation sent after a Bind operation is protected by the security
|
|||
|
layers established by the Bind operation.
|
|||
|
|
|||
|
There are other cases where it is desirable to request the
|
|||
|
authorization identity which the server associated with the client
|
|||
|
separately from the Bind operation. For example, the "Who am I?"
|
|||
|
operation can be augmented with a Proxied Authorization Control
|
|||
|
[PROXYCTL] to determine the authorization identity which the server
|
|||
|
associates with the identity asserted in the Proxied Authorization
|
|||
|
Control. The "Who am I?" operation can also be used prior to the Bind
|
|||
|
operation.
|
|||
|
|
|||
|
The LDAP "Who am I?" operation is named after the UNIX whoami(1)
|
|||
|
command. The whoami(1) command displays the effective user id.
|
|||
|
|
|||
|
|
|||
|
2. The "Who am I?" Operation
|
|||
|
|
|||
|
The "Who am I?" operation is defined as an LDAP Extended Operation
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Zeilenga LDAP "Who am I?" [Page 2]
|
|||
|
|
|||
|
INTERNET-DRAFT draft-zeilenga-ldap-authzid-06 17 May 2002
|
|||
|
|
|||
|
|
|||
|
[RFC2251, Section 4.12] identified by the whoamiOID Object Identifier
|
|||
|
(OID). This section details the syntax of the operation's whoami
|
|||
|
request and response messages.
|
|||
|
|
|||
|
whoamiOID ::= "1.3.6.1.4.1.4203.1.11.3"
|
|||
|
|
|||
|
|
|||
|
2.1. The whoami Request
|
|||
|
|
|||
|
The whoami request is an ExtendedRequest with the requestName field
|
|||
|
containing the whoamiOID OID and an absent requestValue field. For
|
|||
|
example, a whoami request could be encoded as the sequence of octets
|
|||
|
(in hex):
|
|||
|
|
|||
|
|
|||
|
2.2. The whoami Response
|
|||
|
|
|||
|
The whoami response is an ExtendedResponse where the responseName
|
|||
|
field is absent and, if present, the response field is empty or an
|
|||
|
authzId [RFC2829]. For example, a whoami response returning the
|
|||
|
authzid "u:kurt@OPENLDAP.ORG" (in response to the example request)
|
|||
|
would be encoded as the sequence of octets (in hex):
|
|||
|
|
|||
|
|
|||
|
|
|||
|
3. Operational Semantics
|
|||
|
|
|||
|
The function of the "Who am I?" operation is to request that the
|
|||
|
server returns the authorization identity it currently associates with
|
|||
|
the client. The client requests this authorization identity by
|
|||
|
issuing a whoami Request. The server responds to this request with a
|
|||
|
whoami Response.
|
|||
|
|
|||
|
If the server is willing and able to provide the authorization
|
|||
|
identity it associates with the client, the server SHALL return a
|
|||
|
whoami Response with a success resultCode. If the server is treating
|
|||
|
the client as an anonymous entity, the response field is empty.
|
|||
|
Otherwise the server is to provide the authzId [RFC2829] representing
|
|||
|
the authorization identity it currently associates with the client in
|
|||
|
the response field.
|
|||
|
|
|||
|
If the server is unwilling or unable to provide the authorization
|
|||
|
identity it associates with the client, the server SHALL return a
|
|||
|
whoami Response with an appropriate non-success resultCode (such as
|
|||
|
operationsError, protocolError, confidentialityRequired,
|
|||
|
insufficientAccessRights, busy, unavailable, unwillingToPerform, or
|
|||
|
other) and an absent response field.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Zeilenga LDAP "Who am I?" [Page 3]
|
|||
|
|
|||
|
INTERNET-DRAFT draft-zeilenga-ldap-authzid-06 17 May 2002
|
|||
|
|
|||
|
|
|||
|
As described in [RFC2251] and [RFC2829], an LDAP session has an
|
|||
|
"anonymous" association until the client has been successfully
|
|||
|
authenticated using the Bind operation. Clients MUST NOT invoke the
|
|||
|
"Who Am I?" operation while any Bind operation is in progress,
|
|||
|
including between two Bind requests made as part of a multi-stage Bind
|
|||
|
operation.
|
|||
|
|
|||
|
|
|||
|
4. Extending the "Who am I?" operation with controls
|
|||
|
|
|||
|
Future specifications may extend the "Who am I?" operation using the
|
|||
|
control mechanism. When extended by controls, the "Who am I?"
|
|||
|
operation requests and returns the authorization identity the server
|
|||
|
associates with the client in a particular context indicated by the
|
|||
|
controls.
|
|||
|
|
|||
|
|
|||
|
4.1. Proxied Authorization Control
|
|||
|
|
|||
|
The Proxied Authorization Control [PROXYCTL] is used by clients to
|
|||
|
request that the operation it is attached to operates under the
|
|||
|
authorization of an assumed identity. The client provides the
|
|||
|
identity to assume in the Proxied Authorization request control. If
|
|||
|
the client is authorized to assume the requested identity, the server
|
|||
|
executes the operation as if the requested identity had issued the
|
|||
|
operation.
|
|||
|
|
|||
|
As servers often map the asserted authzId to another identity
|
|||
|
[RFC2829], it is desirable to request the server provide the authzId
|
|||
|
it associates with the assumed identity.
|
|||
|
|
|||
|
When a Proxied Authorization Control is be attached to the "Who Am I?"
|
|||
|
operation, the operation requests the return of the authzid the server
|
|||
|
associates with the identity asserted in the Proxied Authorization
|
|||
|
Control. The TBD result code is used to indicate that the server does
|
|||
|
not allow the client to assume the asserted identity. [[Note to RFC
|
|||
|
Editor: TBD is to be replaced with the name/code assigned by IANA for
|
|||
|
[PROXYCTL] use.]]
|
|||
|
|
|||
|
|
|||
|
5. Security Considerations
|
|||
|
|
|||
|
Identities associated with users may be sensitive information. When
|
|||
|
so, security layers [RFC2829][RFC2830] should be established to
|
|||
|
protect this information. This mechanism is specifically designed to
|
|||
|
allow security layers established by a Bind operation to protect the
|
|||
|
integrity and/or confidentiality of the authorization identity.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Zeilenga LDAP "Who am I?" [Page 4]
|
|||
|
|
|||
|
INTERNET-DRAFT draft-zeilenga-ldap-authzid-06 17 May 2002
|
|||
|
|
|||
|
|
|||
|
Servers may place access control or other restrictions upon the use of
|
|||
|
this operation.
|
|||
|
|
|||
|
As with any other extended operations, general LDAP considerations
|
|||
|
apply. These are detailed in [RFC2251], [RFC2829], and [RFC2830].
|
|||
|
|
|||
|
|
|||
|
6. IANA Considerations
|
|||
|
|
|||
|
No IANA assignments are requested.
|
|||
|
|
|||
|
This document uses the OID 1.3.6.1.4.1.4203.1.11.3 to identify the
|
|||
|
LDAP "Who Am I? extended operation. This OID was assigned [ASSIGN] by
|
|||
|
OpenLDAP Foundation under its IANA assigned private enterprise
|
|||
|
allocation [PRIVATE] for use in this specification.
|
|||
|
|
|||
|
|
|||
|
7. Acknowledgment
|
|||
|
|
|||
|
This document borrows from prior work in this area including
|
|||
|
"Authentication Response Control" [AUTHCTL] by Rob Weltman, Mark Smith
|
|||
|
and Mark Wahl.
|
|||
|
|
|||
|
|
|||
|
8. Author's Address
|
|||
|
|
|||
|
Kurt D. Zeilenga
|
|||
|
OpenLDAP Foundation
|
|||
|
<Kurt@OpenLDAP.org>
|
|||
|
|
|||
|
|
|||
|
9. Normative References
|
|||
|
|
|||
|
[RFC2119] S. Bradner, "Key words for use in RFCs to Indicate
|
|||
|
Requirement Levels", BCP 14 (also RFC 2119), March 1997.
|
|||
|
|
|||
|
[RFC2251] M. Wahl, T. Howes, S. Kille, "Lightweight Directory Access
|
|||
|
Protocol (v3)", RFC 2251, December 1997.
|
|||
|
|
|||
|
[RFC2829] M. Wahl, H. Alvestrand, J. Hodges, RL "Bob" Morgan,
|
|||
|
"Authentication Methods for LDAP", RFC 2829, June 2000.
|
|||
|
|
|||
|
[RFC2830] J. Hodges, R. Morgan, and M. Wahl, "Lightweight Directory
|
|||
|
Access Protocol (v3): Extension for Transport Layer
|
|||
|
Security", RFC 2830, May 2000.
|
|||
|
|
|||
|
[PROXYCTL] R. Weltman, "LDAP Proxied Authentication Control", draft-
|
|||
|
weltman-ldapv3-proxy-xx.txt (a work in progress).
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Zeilenga LDAP "Who am I?" [Page 5]
|
|||
|
|
|||
|
INTERNET-DRAFT draft-zeilenga-ldap-authzid-06 17 May 2002
|
|||
|
|
|||
|
|
|||
|
10. Informative References
|
|||
|
|
|||
|
[ASSIGN] OpenLDAP Foundation, "OpenLDAP OID Delegations",
|
|||
|
http://www.openldap.org/foundation/oid-delegate.txt.
|
|||
|
|
|||
|
[AUTHCTL] R. Weltman, M. Smith, M. Wahl, "LDAP Authentication
|
|||
|
Response Control", draft-weltman-ldapv3-auth-response-
|
|||
|
xx.txt (a work in progress).
|
|||
|
|
|||
|
[PRIVATE] IANA, "Private Enterprise Numbers",
|
|||
|
http://www.iana.org/assignments/enterprise-numbers.
|
|||
|
|
|||
|
|
|||
|
Copyright 2002, The Internet Society. All Rights Reserved.
|
|||
|
|
|||
|
This document and translations of it may be copied and furnished to
|
|||
|
others, and derivative works that comment on or otherwise explain it
|
|||
|
or assist in its implementation may be prepared, copied, published and
|
|||
|
distributed, in whole or in part, without restriction of any kind,
|
|||
|
provided that the above copyright notice and this paragraph are
|
|||
|
included on all such copies and derivative works. However, this
|
|||
|
document itself may not be modified in any way, such as by removing
|
|||
|
the copyright notice or references to the Internet Society or other
|
|||
|
Internet organizations, except as needed for the purpose of
|
|||
|
developing Internet standards in which case the procedures for
|
|||
|
copyrights defined in the Internet Standards process must be followed,
|
|||
|
or as required to translate it into languages other than English.
|
|||
|
|
|||
|
The limited permissions granted above are perpetual and will not be
|
|||
|
revoked by the Internet Society or its successors or assigns.
|
|||
|
|
|||
|
This document and the information contained herein is provided on an
|
|||
|
"AS IS" basis and THE AUTHORS, THE INTERNET SOCIETY, AND THE INTERNET
|
|||
|
ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED,
|
|||
|
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
|
|||
|
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
|
|||
|
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Zeilenga LDAP "Who am I?" [Page 6]
|
|||
|
|