rfc6171 (dontUseCopy)

2024-11-27 02:22:00 +08:00 · 2011-03-16 19:16:14 +00:00 · 2011-03-16 19:16:14 +00:00 · 1c411cc3c6
commit 1c411cc3c6
parent 54387a1b38
1 changed files with 339 additions and 0 deletions
--- a/doc/rfc/rfc6171.txt
+++ b/doc/rfc/rfc6171.txt
@ -0,0 +1,339 @@
+
+
+
+
+
+
+Internet Engineering Task Force (IETF)                       K. Zeilenga
+Request for Comments: 6171                                 Isode Limited
+Category: Standards Track                                     March 2011
+ISSN: 2070-1721
+
+
+The Lightweight Directory Access Protocol (LDAP) Don't Use Copy Control
+
+Abstract
+
+   This document defines the Lightweight Directory Access Protocol
+   (LDAP) Don't Use Copy control extension, which allows a client to
+   specify that copied information should not be used in providing
+   service.  This control is based upon the X.511 dontUseCopy service
+   control option.
+
+Status of This Memo
+
+   This is an Internet Standards Track document.
+
+   This document is a product of the Internet Engineering Task Force
+   (IETF).  It represents the consensus of the IETF community.  It has
+   received public review and has been approved for publication by the
+   Internet Engineering Steering Group (IESG).  Further information on
+   Internet Standards is available in Section 2 of RFC 5741.
+
+   Information about the current status of this document, any errata,
+   and how to provide feedback on it may be obtained at
+   http://www.rfc-editor.org/info/rfc6171.
+
+Copyright Notice
+
+   Copyright (c) 2011 IETF Trust and the persons identified as the
+   document authors.  All rights reserved.
+
+   This document is subject to BCP 78 and the IETF Trust's Legal
+   Provisions Relating to IETF Documents
+   (http://trustee.ietf.org/license-info) in effect on the date of
+   publication of this document.  Please review these documents
+   carefully, as they describe your rights and restrictions with respect
+   to this document.  Code Components extracted from this document must
+   include Simplified BSD License text as described in Section 4.e of
+   the Trust Legal Provisions and are provided without warranty as
+   described in the Simplified BSD License.
+
+
+
+
+
+
+
+Zeilenga                     Standards Track                    [Page 1]
+
+RFC 6171               LDAP Don't Use Copy Control            March 2011
+
+
+   This document may contain material from IETF Documents or IETF
+   Contributions published or made publicly available before November
+   10, 2008.  The person(s) controlling the copyright in some of this
+   material may not have granted the IETF Trust the right to allow
+   modifications of such material outside the IETF Standards Process.
+   Without obtaining an adequate license from the person(s) controlling
+   the copyright in such materials, this document may not be modified
+   outside the IETF Standards Process, and derivative works of it may
+   not be created outside the IETF Standards Process, except to format
+   it for publication as an RFC or to translate it into languages other
+   than English.
+
+1.  Background and Intended Usage
+
+   This document defines the Lightweight Directory Access Protocol
+   (LDAP) [RFC4510] Don't Use Copy control extension.  The control may
+   be attached to request messages to indicate that copied (replicated
+   or cached) information [X.500] is not be used in providing service.
+   This control is based upon the X.511 [X.511] dontUseCopy service
+   control option.
+
+   The Don't Use Copy control is intended to be used where the client
+   requires the service be provided using original (master) information
+   [X.500].  In absence of this control, the server is free to make use
+   of copied (i.e., non-authoritative) information in providing the
+   requested service.
+
+   For instance, a client might desire to have an authoritative answer
+   to a question of whether or not a particular user is a member of a
+   group.  To ask this question of a server, the client might issue a
+   compare request [RFC4511], with the Don't Use Copy control, where the
+   entry parameter is the Distinguished Name (DN) of the group, the
+   ava.attributeDesc is 'member', and the ava.assertionValue is the DN
+   of the user in question.  If the server has access to the original
+   (master) information directly or through chaining, it performs the
+   operation against the original (master) information and returns
+   compareTrue or compareFalse (or an error).  If the server does not
+   have access to the original information, the server is obligated to
+   either return a referral or an error.
+
+   It is not intended that this control be used generally (e.g., for all
+   LDAP interrogation operations) but only as required to ensure proper
+   directory application behavior.  In general, directory applications
+   ought to designed to use copied information well.
+
+
+
+
+
+
+
+Zeilenga                     Standards Track                    [Page 2]
+
+RFC 6171               LDAP Don't Use Copy Control            March 2011
+
+
+2.  Terminology
+
+   DSA stands for Directory System Agent (or server).
+   DSE stands for DSA-Specific Entry.
+
+   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+   document are to be interpreted as described in RFC 2119 [RFC2119].
+
+3.  The Don't Use Copy Control
+
+   The Don't Use Copy control is an LDAP Control [RFC4511] whose
+   controlType is 1.3.6.1.1.22 and controlValue is absent.  The
+   criticality MUST be TRUE.  There is no corresponding response
+   control.
+
+   The control is appropriate for LDAP interrogation operations,
+   including Compare and Search operations [RFC4511].  It is
+   inappropriate for all other operations, including Abandon, Bind,
+   Delete, Modify, ModifyDN, StartTLS, and Unbind operations [RFC4511].
+
+   When the control is attached to an LDAP request, the requested
+   operation MUST NOT be performed on copied information.  That is, the
+   requested operation MUST be performed on original information.
+
+   If original (master) information for the target or base object of the
+   operation is not available (either locally or through chaining), the
+   server MUST either return a referral directing the client to a server
+   believed to be better able to service the request or return an
+   appropriate result code (e.g., unwillingToPerform).
+
+   It is noted that a referral, if returned, is not necessarily to the
+   server holding the original (master) information.  It is also noted
+   that an authoritative answer to the question might not be available
+   to the client for any number of reasons.
+
+   Where the client chases a referral to a server (as referenced by an
+   LDAP URL) in the server response in order to obtain an authoritative
+   response, the client MUST provide the dontUseCopy control with the
+   interrogation request it makes to the referred to server.  While LDAP
+   allows return of other kinds of URIs, the syntax and semantics of
+   other kinds of URIs are left to future specifications.  The
+    particulars of how to act upon other kinds of URIs are also left to
+   future specifications.
+
+
+
+
+
+
+
+Zeilenga                     Standards Track                    [Page 3]
+
+RFC 6171               LDAP Don't Use Copy Control            March 2011
+
+
+   Servers implementing this technical specification SHOULD publish the
+   object identifier 1.3.6.1.1.22 as a value of the 'supportedControl'
+   attribute [RFC4512] in their root DSE.  A server MAY choose to
+   advertise this extension only when the client is authorized to use
+   it.
+
+4.  Security Considerations
+
+   This control is intended to be provided where providing service using
+   copied information might lead to unexpected application behavior.
+
+   Use of the Don't Use Copy control may permit an attacker to perform
+   or amplify a denial-of-service attack by causing additional server
+   resources to be employed, such as when the server chooses to chain
+   the request instead of returning a referral.  Servers capable of such
+   chaining can mitigate this threat by limiting chaining to a
+   particular group of authenticated entities.
+
+   LDAP is frequently used for storage and distribution of security-
+   sensitive information, including access control and security policy
+   information.  Failure to use the Don't Use Copy control may thus
+   permit an attacker to gain unauthorized access by allowing reliance
+   on stale data.
+
+5.  IANA Considerations
+
+5.1.  Object Identifier
+
+   IANA has assigned an LDAP Object Identifier [RFC4520] to identify the
+   LDAP Don't Use Copy Control defined in this document.
+
+      Subject: Request for LDAP Object Identifier Registration
+      Person & email address to contact for further information:
+          Kurt Zeilenga <Kurt.Zeilenga@Isode.COM>
+      Specification: RFC 6171
+      Author/Change Controller: IESG
+      Comments:
+          Identifies the LDAP Don't Use Copy Control
+
+
+
+
+
+
+
+
+
+
+
+
+
+Zeilenga                     Standards Track                    [Page 4]
+
+RFC 6171               LDAP Don't Use Copy Control            March 2011
+
+
+5.2.  LDAP Protocol Mechanism
+
+   IANA has registered this protocol mechanism [RFC4520] as follows.
+
+      Subject: Request for LDAP Protocol Mechanism Registration
+      Object Identifier: 1.3.6.1.1.22
+      Description: Don't Use Copy Control
+      Person & email address to contact for further information:
+          Kurt Zeilenga <Kurt.Zeilenga@Isode.COM>
+      Usage: Control
+      Specification: RFC 6171
+      Author/Change Controller: IESG
+      Comments: none
+
+6.  Acknowledgements
+
+   The author thanks Ben Campbell, Phillip Hallam-Baker, and Ted Hardie
+   for providing review and specific suggestions.
+
+7.  References
+
+7.1.  Normative References
+
+   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
+              Requirement Levels", BCP 14, RFC 2119, March 1997.
+
+   [RFC4510]  Zeilenga, K., Ed., "Lightweight Directory Access Protocol
+              (LDAP): Technical Specification Road Map", RFC 4510, June
+              2006.
+
+   [RFC4511]  Sermersheim, J., Ed., "Lightweight Directory Access
+              Protocol (LDAP): The Protocol", RFC 4511, June 2006.
+
+   [RFC4512]  Zeilenga, K., Ed., "Lightweight Directory Access Protocol
+              (LDAP): Directory Information Models", RFC 4512, June
+              2006.
+
+7.2.  Informative References
+
+   [X.500]    International Telecommunication Union - Telecommunication
+              Standardization Sector, "The Directory -- Overview of
+              concepts, models and services," X.500(1993) (also ISO/IEC
+              9594-1:1994).
+
+   [X.511]    International Telecommunication Union - Telecommunication
+              Standardization Sector, "The Directory: Abstract Service
+              Definition", X.511(1993) (also ISO/IEC 9594-3:1993).
+
+
+
+
+Zeilenga                     Standards Track                    [Page 5]
+
+RFC 6171               LDAP Don't Use Copy Control            March 2011
+
+
+   [RFC4520]  Zeilenga, K., "Internet Assigned Numbers Authority (IANA)
+              Considerations for the Lightweight Directory Access
+              Protocol (LDAP)", BCP 64, RFC 4520, June 2006.
+
+Author's Address
+
+   Kurt D. Zeilenga
+   Isode Limited
+
+   EMail: Kurt.Zeilenga@Isode.COM
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Zeilenga                     Standards Track                    [Page 6]
+