INTERNET-DRAFT Rob Weltman Intended Category: Standards Track Netscape Communications Corp. May 2002 LDAP Proxied Authorization Control draft-weltman-ldapv3-proxy-11.txt Status of this Memo This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC2026. Internet-Drafts are working documents of the Internet Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. Abstract This document defines the Lightweight Directory Access Protocol (LDAP) Proxied Authorization Control. The Proxied Authorization Control allows a client to request that an operation be processed under a provided authorization identity [AUTH] instead of as the current authorization identity associated with the connection. 1. Introduction This document defines support for proxied authorization using the Control mechanism. LDAP [LDAPV3] supports the use of SASL [SASL] for authentication and for supplying an authorization identity distinct from the authentication identity, where the authorization identity applies to the whole LDAP session. The proposed Proxied Authorization Control provides a mechanism for specifying an authorization identity on a per operation basis, benefiting clients that need to efficiently perform operations on behalf of multiple users. The key words "MUST", "MUST NOT", "SHOULD", "SHOULD NOT", "MAY", and "MAY NOT" used in this document are to be interpreted as described in [KEYWORDS]. Expires November 2002 [Page 1] PROXIED AUTHORIZATION CONTROL May 2002 2. Publishing support for the Proxied Authorization Control Support for the Proxied Authorization Control is indicated by the presence of the OID "2.16.840.1.113730.3.4.18" in the supportedControl attribute of a server's root DSE. 3. Proxied Authorization Control A single Proxied Authorization Control may be included in any search, compare, modify, add, delete, modDN or extended operation request message (with the exception of any extension that causes a change in authentication, authorization, or data confidentiality [RFC 2828], such as startTLS) as part of the controls field of the LDAPMessage, as defined in [LDAPV3]. The controlType of the proxied authorization control is "2.16.840.1.113730.3.4.18". The criticality MUST be present and MUST be TRUE. This requirement protects clients from submitting a request that is executed with an unintended authorization identity. The controlValue is either an LDAPString [LDAPv3] containing an authzId as defined in section 9 of [AUTH] to use as the authorization identity for the request, or an empty value if the anonymous identity is to be used. The mechanism for determining proxy access rights is specific to the server's access control policy. If the requested authorization identity is recognized by the server, and the client is authorized to adopt the requested authorization identity, the request will be executed as if submitted by the proxied authorization identity, otherwise the result code TBD is returned. [Note to the IESG/IANA/RFC Editor: the value TBD is to be replaced with an IANA assigned LDAP Result Code (see draft-ietf-ldapbis-iana- xx.txt, Section 3.5)] 4. Implementation Considerations The interaction of proxied authorization access control and normal access control is illustrated here for the case of search requests. During evaluation of a search request, an entry which would have been returned for the search if submitted by the proxied authorization identity directly may not be returned if the server finds that the requester does not have the right to assume the requested identity for searching the entry, even if the entry is within the scope of a search request under a base DN which does imply such rights. This means that fewer results, or no results, may be returned compared to the case where the proxied authorization identity issued the request directly. An example of such a case may be a system with fine-grained Expires November 2002 [Page 2] PROXIED AUTHORIZATION CONTROL May 2002 access control, where the proxy right requester has proxy rights at the top of a search tree, but not at or below a point or points within the tree. 5. Security Considerations The Proxied Authorization Control method is subject to general LDAP security considerations [LDAPV3] [AUTH] [LDAPTLS]. The control may be passed over a secure as well as over an insecure channel. The control allows for an additional authorization identity to be passed. In some deployments, these identities may contain confidential information which require privacy protection. Note that the server is responsible for determining if a proxied authorization request is to be honored. "Anonymous" users SHOULD NOT be allowed to assume the identity of others. 6. Copyright Copyright (C) The Internet Society (date). All Rights Reserved. This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English. The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns. This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 7. References [LDAPV3] M. Wahl, T. Howes, S. Kille, "Lightweight Directory Access Protocol (v3)", RFC 2251, December 1997. Expires November 2002 [Page 3] PROXIED AUTHORIZATION CONTROL May 2002 [KEYWORDS] Bradner, Scott, "Key Words for use in RFCs to Indicate Requirement Levels", draft-bradner-key-words-03.txt, January, 1997. [SASL] J. Myers, "Simple Authentication and Security Layer (SASL)", RFC 2222, October 1997 [AUTH] M. Wahl, H. Alvestrand, J. Hodges, R. Morgan, "Authentication Methods for LDAP", RFC 2829, May 2000 [LDAPTLS] J. Hodges, R. Morgan, M. Wahl, "Lightweight Directory Access Protocol (v3): Extension for Transport Layer Security", RFC 2830, May 2000 [RFC 2828] R. Shirey, "Internet Security Glossary", RFC 2828, May 2000 8. Author's Address Rob Weltman Netscape Communications Corp. 466 Ellis Street Mountain View, CA 94043 USA +1 650 937-3194 rweltman@netscape.com 9. Acknowledgements Mark Smith of Netscape Communications Corp., Mark Wahl of Sun Microsystems, Inc, Kurt Zeilenga of OpenLDAP Foundation, Jim Sermersheim of Novell, and Steven Legg of Adacel have contributed with reviews of this draft. 10. Revision History 10.1 Changes from draft-weltman-ldapv3-proxy-10.txt Clarified the interaction of proxy access rights and normal access control evaluation. 10.2 Changes from draft-weltman-ldapv3-proxy-09.txt Removed description of Control mechanism from Abstract. Added description of how this is different from SASL authz to the Introduction. Expires November 2002 [Page 4] PROXIED AUTHORIZATION CONTROL May 2002 Reworded description of the value of the control (no semantic changes). Added new result code TBD for failure to acquire proxy rights. Added references to RFCs 2829 and 2830 in Security section. 10.3 Changes from draft-weltman-ldapv3-proxy-08.txt Proxied Authorization Control Clarifications: the control may not be submitted with a startTLS request; an empty controlValue implies the anonymous identity; only one control may be included with a request. Permission to execute as proxy Replaced "proxy identity" with "proxied authorization identity". Security Considerations Added statement that anonymous users should not be allowed to assume the identity of others. 10.4 Changes from draft-weltman-ldapv3-proxy-07.txt Proxied Authorization Control Clarification: the content of the control is an LDAPString. 10.5 Changes from draft-weltman-ldapv3-proxy-06.txt None Expires November 2002 [Page 5] PROXIED AUTHORIZATION CONTROL May 2002 10.6 Changes from draft-weltman-ldapv3-proxy-05.txt The control also applies to add and extended operations. The control value is an authorization ID, not necessarily a DN. Confidentiality concerns are mentioned. 10.7 Changes from draft-weltman-ldapv3-proxy-04.txt The control does not apply to bind, unbind, or abandon operations. The proxy DN is represented as a string in the control, rather than embedded in a sequence. Support for the control is published in the supportedControl attribute of the root DSE, not in supportedExtensions. The security section mentions confidentiality issues with exposing an additional identity. 10.8 Changes from draft-weltman-ldapv3-proxy-03.txt None 10.9 Changes from draft-weltman-ldapv3-proxy-02.txt The Control is now called Proxied Authorization Control, rather than Proxied Authentication Control, to reflect that no authentication occurs as a consequence of processing the Control. Rather than containing an LDAPDN as the Control value, the Control contains a Sequence (which contains an LDAPDN). This is to provide for future extensions. Expires November 2002 [Page 6]