mirror of
https://git.openldap.org/openldap/openldap.git
synced 2024-12-21 03:10:25 +08:00
340 lines
11 KiB
Plaintext
340 lines
11 KiB
Plaintext
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Internet Engineering Task Force (IETF) K. Zeilenga
|
|||
|
Request for Comments: 6171 Isode Limited
|
|||
|
Category: Standards Track March 2011
|
|||
|
ISSN: 2070-1721
|
|||
|
|
|||
|
|
|||
|
The Lightweight Directory Access Protocol (LDAP) Don't Use Copy Control
|
|||
|
|
|||
|
Abstract
|
|||
|
|
|||
|
This document defines the Lightweight Directory Access Protocol
|
|||
|
(LDAP) Don't Use Copy control extension, which allows a client to
|
|||
|
specify that copied information should not be used in providing
|
|||
|
service. This control is based upon the X.511 dontUseCopy service
|
|||
|
control option.
|
|||
|
|
|||
|
Status of This Memo
|
|||
|
|
|||
|
This is an Internet Standards Track document.
|
|||
|
|
|||
|
This document is a product of the Internet Engineering Task Force
|
|||
|
(IETF). It represents the consensus of the IETF community. It has
|
|||
|
received public review and has been approved for publication by the
|
|||
|
Internet Engineering Steering Group (IESG). Further information on
|
|||
|
Internet Standards is available in Section 2 of RFC 5741.
|
|||
|
|
|||
|
Information about the current status of this document, any errata,
|
|||
|
and how to provide feedback on it may be obtained at
|
|||
|
http://www.rfc-editor.org/info/rfc6171.
|
|||
|
|
|||
|
Copyright Notice
|
|||
|
|
|||
|
Copyright (c) 2011 IETF Trust and the persons identified as the
|
|||
|
document authors. All rights reserved.
|
|||
|
|
|||
|
This document is subject to BCP 78 and the IETF Trust's Legal
|
|||
|
Provisions Relating to IETF Documents
|
|||
|
(http://trustee.ietf.org/license-info) in effect on the date of
|
|||
|
publication of this document. Please review these documents
|
|||
|
carefully, as they describe your rights and restrictions with respect
|
|||
|
to this document. Code Components extracted from this document must
|
|||
|
include Simplified BSD License text as described in Section 4.e of
|
|||
|
the Trust Legal Provisions and are provided without warranty as
|
|||
|
described in the Simplified BSD License.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Zeilenga Standards Track [Page 1]
|
|||
|
|
|||
|
RFC 6171 LDAP Don't Use Copy Control March 2011
|
|||
|
|
|||
|
|
|||
|
This document may contain material from IETF Documents or IETF
|
|||
|
Contributions published or made publicly available before November
|
|||
|
10, 2008. The person(s) controlling the copyright in some of this
|
|||
|
material may not have granted the IETF Trust the right to allow
|
|||
|
modifications of such material outside the IETF Standards Process.
|
|||
|
Without obtaining an adequate license from the person(s) controlling
|
|||
|
the copyright in such materials, this document may not be modified
|
|||
|
outside the IETF Standards Process, and derivative works of it may
|
|||
|
not be created outside the IETF Standards Process, except to format
|
|||
|
it for publication as an RFC or to translate it into languages other
|
|||
|
than English.
|
|||
|
|
|||
|
1. Background and Intended Usage
|
|||
|
|
|||
|
This document defines the Lightweight Directory Access Protocol
|
|||
|
(LDAP) [RFC4510] Don't Use Copy control extension. The control may
|
|||
|
be attached to request messages to indicate that copied (replicated
|
|||
|
or cached) information [X.500] is not be used in providing service.
|
|||
|
This control is based upon the X.511 [X.511] dontUseCopy service
|
|||
|
control option.
|
|||
|
|
|||
|
The Don't Use Copy control is intended to be used where the client
|
|||
|
requires the service be provided using original (master) information
|
|||
|
[X.500]. In absence of this control, the server is free to make use
|
|||
|
of copied (i.e., non-authoritative) information in providing the
|
|||
|
requested service.
|
|||
|
|
|||
|
For instance, a client might desire to have an authoritative answer
|
|||
|
to a question of whether or not a particular user is a member of a
|
|||
|
group. To ask this question of a server, the client might issue a
|
|||
|
compare request [RFC4511], with the Don't Use Copy control, where the
|
|||
|
entry parameter is the Distinguished Name (DN) of the group, the
|
|||
|
ava.attributeDesc is 'member', and the ava.assertionValue is the DN
|
|||
|
of the user in question. If the server has access to the original
|
|||
|
(master) information directly or through chaining, it performs the
|
|||
|
operation against the original (master) information and returns
|
|||
|
compareTrue or compareFalse (or an error). If the server does not
|
|||
|
have access to the original information, the server is obligated to
|
|||
|
either return a referral or an error.
|
|||
|
|
|||
|
It is not intended that this control be used generally (e.g., for all
|
|||
|
LDAP interrogation operations) but only as required to ensure proper
|
|||
|
directory application behavior. In general, directory applications
|
|||
|
ought to designed to use copied information well.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Zeilenga Standards Track [Page 2]
|
|||
|
|
|||
|
RFC 6171 LDAP Don't Use Copy Control March 2011
|
|||
|
|
|||
|
|
|||
|
2. Terminology
|
|||
|
|
|||
|
DSA stands for Directory System Agent (or server).
|
|||
|
DSE stands for DSA-Specific Entry.
|
|||
|
|
|||
|
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
|
|||
|
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
|
|||
|
document are to be interpreted as described in RFC 2119 [RFC2119].
|
|||
|
|
|||
|
3. The Don't Use Copy Control
|
|||
|
|
|||
|
The Don't Use Copy control is an LDAP Control [RFC4511] whose
|
|||
|
controlType is 1.3.6.1.1.22 and controlValue is absent. The
|
|||
|
criticality MUST be TRUE. There is no corresponding response
|
|||
|
control.
|
|||
|
|
|||
|
The control is appropriate for LDAP interrogation operations,
|
|||
|
including Compare and Search operations [RFC4511]. It is
|
|||
|
inappropriate for all other operations, including Abandon, Bind,
|
|||
|
Delete, Modify, ModifyDN, StartTLS, and Unbind operations [RFC4511].
|
|||
|
|
|||
|
When the control is attached to an LDAP request, the requested
|
|||
|
operation MUST NOT be performed on copied information. That is, the
|
|||
|
requested operation MUST be performed on original information.
|
|||
|
|
|||
|
If original (master) information for the target or base object of the
|
|||
|
operation is not available (either locally or through chaining), the
|
|||
|
server MUST either return a referral directing the client to a server
|
|||
|
believed to be better able to service the request or return an
|
|||
|
appropriate result code (e.g., unwillingToPerform).
|
|||
|
|
|||
|
It is noted that a referral, if returned, is not necessarily to the
|
|||
|
server holding the original (master) information. It is also noted
|
|||
|
that an authoritative answer to the question might not be available
|
|||
|
to the client for any number of reasons.
|
|||
|
|
|||
|
Where the client chases a referral to a server (as referenced by an
|
|||
|
LDAP URL) in the server response in order to obtain an authoritative
|
|||
|
response, the client MUST provide the dontUseCopy control with the
|
|||
|
interrogation request it makes to the referred to server. While LDAP
|
|||
|
allows return of other kinds of URIs, the syntax and semantics of
|
|||
|
other kinds of URIs are left to future specifications. The
|
|||
|
particulars of how to act upon other kinds of URIs are also left to
|
|||
|
future specifications.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Zeilenga Standards Track [Page 3]
|
|||
|
|
|||
|
RFC 6171 LDAP Don't Use Copy Control March 2011
|
|||
|
|
|||
|
|
|||
|
Servers implementing this technical specification SHOULD publish the
|
|||
|
object identifier 1.3.6.1.1.22 as a value of the 'supportedControl'
|
|||
|
attribute [RFC4512] in their root DSE. A server MAY choose to
|
|||
|
advertise this extension only when the client is authorized to use
|
|||
|
it.
|
|||
|
|
|||
|
4. Security Considerations
|
|||
|
|
|||
|
This control is intended to be provided where providing service using
|
|||
|
copied information might lead to unexpected application behavior.
|
|||
|
|
|||
|
Use of the Don't Use Copy control may permit an attacker to perform
|
|||
|
or amplify a denial-of-service attack by causing additional server
|
|||
|
resources to be employed, such as when the server chooses to chain
|
|||
|
the request instead of returning a referral. Servers capable of such
|
|||
|
chaining can mitigate this threat by limiting chaining to a
|
|||
|
particular group of authenticated entities.
|
|||
|
|
|||
|
LDAP is frequently used for storage and distribution of security-
|
|||
|
sensitive information, including access control and security policy
|
|||
|
information. Failure to use the Don't Use Copy control may thus
|
|||
|
permit an attacker to gain unauthorized access by allowing reliance
|
|||
|
on stale data.
|
|||
|
|
|||
|
5. IANA Considerations
|
|||
|
|
|||
|
5.1. Object Identifier
|
|||
|
|
|||
|
IANA has assigned an LDAP Object Identifier [RFC4520] to identify the
|
|||
|
LDAP Don't Use Copy Control defined in this document.
|
|||
|
|
|||
|
Subject: Request for LDAP Object Identifier Registration
|
|||
|
Person & email address to contact for further information:
|
|||
|
Kurt Zeilenga <Kurt.Zeilenga@Isode.COM>
|
|||
|
Specification: RFC 6171
|
|||
|
Author/Change Controller: IESG
|
|||
|
Comments:
|
|||
|
Identifies the LDAP Don't Use Copy Control
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Zeilenga Standards Track [Page 4]
|
|||
|
|
|||
|
RFC 6171 LDAP Don't Use Copy Control March 2011
|
|||
|
|
|||
|
|
|||
|
5.2. LDAP Protocol Mechanism
|
|||
|
|
|||
|
IANA has registered this protocol mechanism [RFC4520] as follows.
|
|||
|
|
|||
|
Subject: Request for LDAP Protocol Mechanism Registration
|
|||
|
Object Identifier: 1.3.6.1.1.22
|
|||
|
Description: Don't Use Copy Control
|
|||
|
Person & email address to contact for further information:
|
|||
|
Kurt Zeilenga <Kurt.Zeilenga@Isode.COM>
|
|||
|
Usage: Control
|
|||
|
Specification: RFC 6171
|
|||
|
Author/Change Controller: IESG
|
|||
|
Comments: none
|
|||
|
|
|||
|
6. Acknowledgements
|
|||
|
|
|||
|
The author thanks Ben Campbell, Phillip Hallam-Baker, and Ted Hardie
|
|||
|
for providing review and specific suggestions.
|
|||
|
|
|||
|
7. References
|
|||
|
|
|||
|
7.1. Normative References
|
|||
|
|
|||
|
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
|
|||
|
Requirement Levels", BCP 14, RFC 2119, March 1997.
|
|||
|
|
|||
|
[RFC4510] Zeilenga, K., Ed., "Lightweight Directory Access Protocol
|
|||
|
(LDAP): Technical Specification Road Map", RFC 4510, June
|
|||
|
2006.
|
|||
|
|
|||
|
[RFC4511] Sermersheim, J., Ed., "Lightweight Directory Access
|
|||
|
Protocol (LDAP): The Protocol", RFC 4511, June 2006.
|
|||
|
|
|||
|
[RFC4512] Zeilenga, K., Ed., "Lightweight Directory Access Protocol
|
|||
|
(LDAP): Directory Information Models", RFC 4512, June
|
|||
|
2006.
|
|||
|
|
|||
|
7.2. Informative References
|
|||
|
|
|||
|
[X.500] International Telecommunication Union - Telecommunication
|
|||
|
Standardization Sector, "The Directory -- Overview of
|
|||
|
concepts, models and services," X.500(1993) (also ISO/IEC
|
|||
|
9594-1:1994).
|
|||
|
|
|||
|
[X.511] International Telecommunication Union - Telecommunication
|
|||
|
Standardization Sector, "The Directory: Abstract Service
|
|||
|
Definition", X.511(1993) (also ISO/IEC 9594-3:1993).
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Zeilenga Standards Track [Page 5]
|
|||
|
|
|||
|
RFC 6171 LDAP Don't Use Copy Control March 2011
|
|||
|
|
|||
|
|
|||
|
[RFC4520] Zeilenga, K., "Internet Assigned Numbers Authority (IANA)
|
|||
|
Considerations for the Lightweight Directory Access
|
|||
|
Protocol (LDAP)", BCP 64, RFC 4520, June 2006.
|
|||
|
|
|||
|
Author's Address
|
|||
|
|
|||
|
Kurt D. Zeilenga
|
|||
|
Isode Limited
|
|||
|
|
|||
|
EMail: Kurt.Zeilenga@Isode.COM
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Zeilenga Standards Track [Page 6]
|
|||
|
|