mirror of
https://git.openldap.org/openldap/openldap.git
synced 2024-12-27 03:20:22 +08:00
508 lines
18 KiB
Plaintext
508 lines
18 KiB
Plaintext
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Network Working Group K. Zeilenga
|
|||
|
Request for Comments: 4531 OpenLDAP Foundation
|
|||
|
Category: Experimental June 2006
|
|||
|
|
|||
|
|
|||
|
Lightweight Directory Access Protocol (LDAP)
|
|||
|
Turn Operation
|
|||
|
|
|||
|
|
|||
|
Status of This Memo
|
|||
|
|
|||
|
This memo defines an Experimental Protocol for the Internet
|
|||
|
community. It does not specify an Internet standard of any kind.
|
|||
|
Discussion and suggestions for improvement are requested.
|
|||
|
Distribution of this memo is unlimited.
|
|||
|
|
|||
|
Copyright Notice
|
|||
|
|
|||
|
Copyright (C) The Internet Society (2006).
|
|||
|
|
|||
|
Abstract
|
|||
|
|
|||
|
This specification describes a Lightweight Directory Access Protocol
|
|||
|
(LDAP) extended operation to reverse (or "turn") the roles of client
|
|||
|
and server for subsequent protocol exchanges in the session, or to
|
|||
|
enable each peer to act as both client and server with respect to the
|
|||
|
other.
|
|||
|
|
|||
|
Table of Contents
|
|||
|
|
|||
|
1. Background and Intent of Use ....................................2
|
|||
|
1.1. Terminology ................................................2
|
|||
|
2. Turn Operation ..................................................2
|
|||
|
2.1. Turn Request ...............................................3
|
|||
|
2.2. Turn Response ..............................................3
|
|||
|
3. Authentication ..................................................3
|
|||
|
3.1. Use with TLS and Simple Authentication .....................4
|
|||
|
3.2. Use with TLS and SASL EXTERNAL .............................4
|
|||
|
3.3. Use of Mutual Authentication and SASL EXTERNAL .............4
|
|||
|
4. TLS and SASL Security Layers ....................................5
|
|||
|
5. Security Considerations .........................................6
|
|||
|
6. IANA Considerations .............................................6
|
|||
|
6.1. Object Identifier ..........................................6
|
|||
|
6.2. LDAP Protocol Mechanism ....................................7
|
|||
|
7. References ......................................................7
|
|||
|
7.1. Normative References .......................................7
|
|||
|
7.2. Informative References .....................................8
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Zeilenga Experimental [Page 1]
|
|||
|
|
|||
|
RFC 4531 LDAP Turn Operation June 2006
|
|||
|
|
|||
|
|
|||
|
1. Background and Intent of Use
|
|||
|
|
|||
|
The Lightweight Directory Access Protocol (LDAP) [RFC4510][RFC4511]
|
|||
|
is a client-server protocol that typically operates over reliable
|
|||
|
octet-stream transports, such as the Transport Control Protocol
|
|||
|
(TCP). Generally, the client initiates the stream by connecting to
|
|||
|
the server's listener at some well-known address.
|
|||
|
|
|||
|
There are cases where it is desirable for the server to initiate the
|
|||
|
stream. Although it certainly is possible to write a technical
|
|||
|
specification detailing how to implement server-initiated LDAP
|
|||
|
sessions, this would require the design of new authentication and
|
|||
|
other security mechanisms to support server-initiated LDAP sessions.
|
|||
|
|
|||
|
Instead, this document introduces an operation, the Turn operation,
|
|||
|
which may be used to reverse the client-server roles of the protocol
|
|||
|
peers. This allows the initiating protocol peer to become the server
|
|||
|
(after the reversal).
|
|||
|
|
|||
|
As an additional feature, the Turn operation may be used to allow
|
|||
|
both peers to act in both roles. This is useful where both peers are
|
|||
|
directory servers that desire to request, as LDAP clients, that
|
|||
|
operations be performed by the other. This may be useful in
|
|||
|
replicated and/or distributed environments.
|
|||
|
|
|||
|
This operation is intended to be used between protocol peers that
|
|||
|
have established a mutual agreement, by means outside of the
|
|||
|
protocol, that requires reversal of client-server roles, or allows
|
|||
|
both peers to act both as client and server.
|
|||
|
|
|||
|
1.1. Terminology
|
|||
|
|
|||
|
Protocol elements are described using ASN.1 [X.680] with implicit
|
|||
|
tags. The term "BER-encoded" means the element is to be encoded
|
|||
|
using the Basic Encoding Rules [X.690] under the restrictions
|
|||
|
detailed in Section 5.1 of [RFC4511].
|
|||
|
|
|||
|
2. Turn Operation
|
|||
|
|
|||
|
The Turn operation is defined as an LDAP-Extended Operation
|
|||
|
[Protocol, Section 4.12] identified by the 1.3.6.1.1.19 OID. The
|
|||
|
function of the Turn Operation is to request that the client-server
|
|||
|
roles be reversed, or, optionally, to request that both protocol
|
|||
|
peers be able to act both as client and server in respect to the
|
|||
|
other.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Zeilenga Experimental [Page 2]
|
|||
|
|
|||
|
RFC 4531 LDAP Turn Operation June 2006
|
|||
|
|
|||
|
|
|||
|
2.1. Turn Request
|
|||
|
|
|||
|
The Turn request is an ExtendedRequest where the requestName field
|
|||
|
contains the 1.3.6.1.1.19 OID and the requestValue field is a BER-
|
|||
|
encoded turnValue:
|
|||
|
|
|||
|
turnValue ::= SEQUENCE {
|
|||
|
mutual BOOLEAN DEFAULT FALSE,
|
|||
|
identifier LDAPString
|
|||
|
}
|
|||
|
|
|||
|
A TRUE mutual field value indicates a request to allow both peers to
|
|||
|
act both as client and server. A FALSE mutual field value indicates
|
|||
|
a request to reserve the client and server roles.
|
|||
|
|
|||
|
The value of the identifier field is a locally defined policy
|
|||
|
identifier (typically associated with a mutual agreement for which
|
|||
|
this turn is be executed as part of).
|
|||
|
|
|||
|
2.2. Turn Response
|
|||
|
|
|||
|
A Turn response is an ExtendedResponse where the responseName and
|
|||
|
responseValue fields are absent. A resultCode of success is returned
|
|||
|
if and only if the responder is willing and able to turn the session
|
|||
|
as requested. Otherwise, a different resultCode is returned.
|
|||
|
|
|||
|
3. Authentication
|
|||
|
|
|||
|
This extension's authentication model assumes separate authentication
|
|||
|
of the peers in each of their roles. A separate Bind exchange is
|
|||
|
expected between the peers in their new roles to establish identities
|
|||
|
in these roles.
|
|||
|
|
|||
|
Upon completion of the Turn, the responding peer in its new client
|
|||
|
role has an anonymous association at the initiating peer in its new
|
|||
|
server role. If the turn was mutual, the authentication association
|
|||
|
of the initiating peer in its pre-existing client role is left intact
|
|||
|
at the responding peer in its pre-existing server role. If the turn
|
|||
|
was not mutual, this association is void.
|
|||
|
|
|||
|
The responding peer may establish its identity in its client role by
|
|||
|
requesting and successfully completing a Bind operation.
|
|||
|
|
|||
|
The remainder of this section discusses some authentication
|
|||
|
scenarios. In the protocol exchange illustrations, A refers to the
|
|||
|
initiating peer (the original client) and B refers to the responding
|
|||
|
peer (the original server).
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Zeilenga Experimental [Page 3]
|
|||
|
|
|||
|
RFC 4531 LDAP Turn Operation June 2006
|
|||
|
|
|||
|
|
|||
|
3.1. Use with TLS and Simple Authentication
|
|||
|
|
|||
|
A->B: StartTLS Request
|
|||
|
B->A: StartTLS(success) Response
|
|||
|
A->B: Bind(Simple(cn=B,dc=example,dc=net,B's secret)) Request
|
|||
|
B->A: Bind(success) Response
|
|||
|
A->B: Turn(TRUE,"XXYYZ") Request
|
|||
|
B->A: Turn(success) Response
|
|||
|
B->A: Bind(Simple(cn=A,dc=example,dc=net,A's secret)) Request
|
|||
|
A->B: Bind(success) Response
|
|||
|
|
|||
|
In this scenario, TLS (Transport Layer Security) [RFC4346] is started
|
|||
|
and the initiating peer (the original client) establishes its
|
|||
|
identity with the responding peer prior to the Turn using the
|
|||
|
DN/password mechanism of the Simple method of the Bind operation.
|
|||
|
After the turn, the responding peer, in its new client role,
|
|||
|
establishes its identity with the initiating peer in its new server
|
|||
|
role.
|
|||
|
|
|||
|
3.2. Use with TLS and SASL EXTERNAL
|
|||
|
|
|||
|
A->B: StartTLS Request
|
|||
|
B->A: StartTLS(success) Response
|
|||
|
A->B: Bind(SASL(EXTERNAL)) Request
|
|||
|
B->A: Bind(success) Response
|
|||
|
A->B: Turn(TRUE,"XXYYZ") Request
|
|||
|
B->A: Turn(success) Response
|
|||
|
B->A: Bind(SASL(EXTERNAL)) Request
|
|||
|
A->B: Bind(success) Response
|
|||
|
|
|||
|
In this scenario, TLS is started (with each peer providing a valid
|
|||
|
certificate), and the initiating peer (the original client)
|
|||
|
establishes its identity through the use of the EXTERNAL mechanism of
|
|||
|
the SASL (Simple Authentication and Security Layer) [RFC4422] method
|
|||
|
of the Bind operation prior to the Turn. After the turn, the
|
|||
|
responding peer, in its new client role, establishes its identity
|
|||
|
with the initiating peer in its new server role.
|
|||
|
|
|||
|
3.3. Use of Mutual Authentication and SASL EXTERNAL
|
|||
|
|
|||
|
A number of SASL mechanisms, such as GSSAPI [SASL-K5], support mutual
|
|||
|
authentication. The initiating peer, in its new server role, may use
|
|||
|
the identity of the responding peer, established by a prior
|
|||
|
authentication exchange, as its source for "external" identity in
|
|||
|
subsequent EXTERNAL exchange.
|
|||
|
|
|||
|
A->B: Bind(SASL(GSSAPI)) Request
|
|||
|
<intermediate messages>
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Zeilenga Experimental [Page 4]
|
|||
|
|
|||
|
RFC 4531 LDAP Turn Operation June 2006
|
|||
|
|
|||
|
|
|||
|
B->A: Bind(success) Response
|
|||
|
A->B: Turn(TRUE,"XXYYZ") Request
|
|||
|
B->A: Turn(success) Response
|
|||
|
B->A: Bind(SASL(EXTERNAL)) Request
|
|||
|
A->B: Bind(success) Response
|
|||
|
|
|||
|
In this scenario, a GSSAPI mutual-authentication exchange is
|
|||
|
completed between the initiating peer (the original client) and the
|
|||
|
responding server (the original server) prior to the turn. After the
|
|||
|
turn, the responding peer, in its new client role, requests that the
|
|||
|
initiating peer utilize an "external" identity to establish its LDAP
|
|||
|
authorization identity.
|
|||
|
|
|||
|
4. TLS and SASL Security Layers
|
|||
|
|
|||
|
As described in [RFC4511], LDAP supports both Transport Layer
|
|||
|
Security (TLS) [RFC4346] and Simple Authentication and Security Layer
|
|||
|
(SASL) [RFC4422] security frameworks. The following table
|
|||
|
illustrates the relationship between the LDAP message layer, SASL
|
|||
|
layer, TLS layer, and transport connection within an LDAP session.
|
|||
|
|
|||
|
+----------------------+
|
|||
|
| LDAP message layer |
|
|||
|
+----------------------+ > LDAP PDUs
|
|||
|
+----------------------+ < data
|
|||
|
| SASL layer |
|
|||
|
+----------------------+ > SASL-protected data
|
|||
|
+----------------------+ < data
|
|||
|
| TLS layer |
|
|||
|
Application +----------------------+ > TLS-protected data
|
|||
|
------------+----------------------+ < data
|
|||
|
Transport | transport connection |
|
|||
|
+----------------------+
|
|||
|
|
|||
|
This extension does not alter this relationship, nor does it remove
|
|||
|
the general restriction against multiple TLS layers, nor does it
|
|||
|
remove the general restriction against multiple SASL layers.
|
|||
|
|
|||
|
As specified in [RFC4511], the StartTLS operation is used to initiate
|
|||
|
negotiation of a TLS layer. If a TLS is already installed, the
|
|||
|
StartTLS operation must fail. Upon establishment of the TLS layer,
|
|||
|
regardless of which peer issued the request to start TLS, the peer
|
|||
|
that initiated the LDAP session (the original client) performs the
|
|||
|
"server identity check", as described in Section 3.1.5 of [RFC4513],
|
|||
|
treating itself as the "client" and its peer as the "server".
|
|||
|
|
|||
|
As specified in [RFC4422], a newly negotiated SASL security layer
|
|||
|
replaces the installed SASL security layer. Though the client/server
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Zeilenga Experimental [Page 5]
|
|||
|
|
|||
|
RFC 4531 LDAP Turn Operation June 2006
|
|||
|
|
|||
|
|
|||
|
roles in LDAP, and hence SASL, may be reversed in subsequent
|
|||
|
exchanges, only one SASL security layer may be installed at any
|
|||
|
instance.
|
|||
|
|
|||
|
5. Security Considerations
|
|||
|
|
|||
|
Implementors should be aware that the reversing of client/server
|
|||
|
roles and/or allowing both peers to act as client and server likely
|
|||
|
introduces security considerations not foreseen by the authors of
|
|||
|
this document. In particular, the security implications of the
|
|||
|
design choices made in the authentication and data security models
|
|||
|
for this extension (discussed in Sections 3 and 4, respectively) are
|
|||
|
not fully studied. It is hoped that experimentation with this
|
|||
|
extension will lead to better understanding of the security
|
|||
|
implications of these models and other aspects of this extension, and
|
|||
|
that appropriate considerations will be documented in a future
|
|||
|
document. The following security considerations are apparent at this
|
|||
|
time.
|
|||
|
|
|||
|
Implementors should take special care to process LDAP, SASL, TLS, and
|
|||
|
other events in the appropriate roles for the peers. Note that while
|
|||
|
the Turn reverses the client/server roles with LDAP, and in SASL
|
|||
|
authentication exchanges, it does not reverse the roles within the
|
|||
|
TLS layer or the transport connection.
|
|||
|
|
|||
|
The responding server (the original server) should restrict use of
|
|||
|
this operation to authorized clients. Client knowledge of a valid
|
|||
|
identifier should not be the sole factor in determining authorization
|
|||
|
to turn.
|
|||
|
|
|||
|
Where the peers except to establish TLS, TLS should be started prior
|
|||
|
to the Turn and any request to authenticate via the Bind operation.
|
|||
|
|
|||
|
LDAP security considerations [RFC4511][RFC4513] generally apply to
|
|||
|
this extension.
|
|||
|
|
|||
|
6. IANA Considerations
|
|||
|
|
|||
|
The following values [RFC4520] have been registered by the IANA.
|
|||
|
|
|||
|
6.1. Object Identifier
|
|||
|
|
|||
|
The IANA has assigned an LDAP Object Identifier to identify the LDAP
|
|||
|
Turn Operation, as defined in this document.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Zeilenga Experimental [Page 6]
|
|||
|
|
|||
|
RFC 4531 LDAP Turn Operation June 2006
|
|||
|
|
|||
|
|
|||
|
Subject: Request for LDAP Object Identifier Registration
|
|||
|
Person & email address to contact for further information:
|
|||
|
Kurt Zeilenga <kurt@OpenLDAP.org>
|
|||
|
Specification: RFC 4531
|
|||
|
Author/Change Controller: Author
|
|||
|
Comments:
|
|||
|
Identifies the LDAP Turn Operation
|
|||
|
|
|||
|
6.2. LDAP Protocol Mechanism
|
|||
|
|
|||
|
The IANA has registered the LDAP Protocol Mechanism described in this
|
|||
|
document.
|
|||
|
|
|||
|
Subject: Request for LDAP Protocol Mechanism Registration
|
|||
|
Object Identifier: 1.3.6.1.1.19
|
|||
|
Description: LDAP Turn Operation
|
|||
|
Person & email address to contact for further information:
|
|||
|
Kurt Zeilenga <kurt@openldap.org>
|
|||
|
Usage: Extended Operation
|
|||
|
Specification: RFC 4531
|
|||
|
Author/Change Controller: Author
|
|||
|
Comments: none
|
|||
|
|
|||
|
7. References
|
|||
|
|
|||
|
7.1. Normative References
|
|||
|
|
|||
|
[RFC4346] Dierks, T. and, E. Rescorla, "The Transport Layer
|
|||
|
Security (TLS) Protocol Version 1.1", RFC 4346, April
|
|||
|
2006.
|
|||
|
|
|||
|
[RFC4422] Melnikov, A., Ed. and K. Zeilenga, Ed., "Simple
|
|||
|
Authentication and Security Layer (SASL)", RFC 4422,
|
|||
|
June 2006.
|
|||
|
|
|||
|
[RFC4510] Zeilenga, K., Ed., "Lightweight Directory Access
|
|||
|
Protocol (LDAP): Technical Specification Road Map", RFC
|
|||
|
4510, June 2006.
|
|||
|
|
|||
|
[RFC4511] Sermersheim, J., Ed., "Lightweight Directory Access
|
|||
|
Protocol (LDAP): The Protocol", RFC 4511, June 2006.
|
|||
|
|
|||
|
[RFC4513] Harrison, R., Ed., "Lightweight Directory Access
|
|||
|
Protocol (LDAP): Authentication Methods and Security
|
|||
|
Mechanisms", RFC 4513, June 2006.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Zeilenga Experimental [Page 7]
|
|||
|
|
|||
|
RFC 4531 LDAP Turn Operation June 2006
|
|||
|
|
|||
|
|
|||
|
[X.680] International Telecommunication Union -
|
|||
|
Telecommunication Standardization Sector, "Abstract
|
|||
|
Syntax Notation One (ASN.1) - Specification of Basic
|
|||
|
Notation", X.680(2002) (also ISO/IEC 8824-1:2002).
|
|||
|
|
|||
|
[X.690] International Telecommunication Union -
|
|||
|
Telecommunication Standardization Sector,
|
|||
|
"Specification of ASN.1 encoding rules: Basic Encoding
|
|||
|
Rules (BER), Canonical Encoding Rules (CER), and
|
|||
|
Distinguished Encoding Rules (DER)", X.690(2002) (also
|
|||
|
ISO/IEC 8825-1:2002).
|
|||
|
|
|||
|
7.2. Informative References
|
|||
|
|
|||
|
[RFC4520] Zeilenga, K., "Internet Assigned Numbers Authority
|
|||
|
(IANA) Considerations for the Lightweight Directory
|
|||
|
Access Protocol (LDAP)", BCP 64, RFC 4520, June 2006.
|
|||
|
|
|||
|
[SASL-K5] Melnikov, A., Ed., "The Kerberos V5 ("GSSAPI") SASL
|
|||
|
Mechanism", Work in Progress, May 2006.
|
|||
|
|
|||
|
Author's Address
|
|||
|
|
|||
|
Kurt D. Zeilenga
|
|||
|
OpenLDAP Foundation
|
|||
|
|
|||
|
EMail: Kurt@OpenLDAP.org
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Zeilenga Experimental [Page 8]
|
|||
|
|
|||
|
RFC 4531 LDAP Turn Operation June 2006
|
|||
|
|
|||
|
|
|||
|
Full Copyright Statement
|
|||
|
|
|||
|
Copyright (C) The Internet Society (2006).
|
|||
|
|
|||
|
This document is subject to the rights, licenses and restrictions
|
|||
|
contained in BCP 78, and except as set forth therein, the authors
|
|||
|
retain all their rights.
|
|||
|
|
|||
|
This document and the information contained herein are provided on an
|
|||
|
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
|
|||
|
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
|
|||
|
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
|
|||
|
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
|
|||
|
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
|
|||
|
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
|
|||
|
|
|||
|
Intellectual Property
|
|||
|
|
|||
|
The IETF takes no position regarding the validity or scope of any
|
|||
|
Intellectual Property Rights or other rights that might be claimed to
|
|||
|
pertain to the implementation or use of the technology described in
|
|||
|
this document or the extent to which any license under such rights
|
|||
|
might or might not be available; nor does it represent that it has
|
|||
|
made any independent effort to identify any such rights. Information
|
|||
|
on the procedures with respect to rights in RFC documents can be
|
|||
|
found in BCP 78 and BCP 79.
|
|||
|
|
|||
|
Copies of IPR disclosures made to the IETF Secretariat and any
|
|||
|
assurances of licenses to be made available, or the result of an
|
|||
|
attempt made to obtain a general license or permission for the use of
|
|||
|
such proprietary rights by implementers or users of this
|
|||
|
specification can be obtained from the IETF on-line IPR repository at
|
|||
|
http://www.ietf.org/ipr.
|
|||
|
|
|||
|
The IETF invites any interested party to bring to its attention any
|
|||
|
copyrights, patents or patent applications, or other proprietary
|
|||
|
rights that may cover technology that may be required to implement
|
|||
|
this standard. Please address the information to the IETF at
|
|||
|
ietf-ipr@ietf.org.
|
|||
|
|
|||
|
Acknowledgement
|
|||
|
|
|||
|
Funding for the RFC Editor function is provided by the IETF
|
|||
|
Administrative Support Activity (IASA).
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Zeilenga Experimental [Page 9]
|
|||
|
|