mirror of
https://git.openldap.org/openldap/openldap.git
synced 2024-12-21 03:10:25 +08:00
2414 lines
99 KiB
Plaintext
2414 lines
99 KiB
Plaintext
|
||
|
||
Internet-Draft Editor: R. Harrison
|
||
Intended Category: Draft Standard Novell, Inc.
|
||
Document: draft-ietf-ldapbis-authmeth-05.txt March 2003
|
||
Obsoletes: RFC 2829, RFC 2830
|
||
|
||
|
||
LDAP: Authentication Methods
|
||
and
|
||
Connection Level Security Mechanisms
|
||
|
||
Status of this Memo
|
||
|
||
This document is an Internet-Draft and is in full conformance with
|
||
all provisions of Section 10 of RFC2026.
|
||
|
||
This document is intended to be, after appropriate review and
|
||
revision, submitted to the RFC Editor as a Standard Track document.
|
||
Distribution of this memo is unlimited. Technical discussion of
|
||
this document will take place on the IETF LDAP Extension Working
|
||
Group mailing list <ietf-ldapbis@OpenLDAP.org>. Please send
|
||
editorial comments directly to the author
|
||
<roger_harrison@novell.com>.
|
||
|
||
Internet-Drafts are working documents of the Internet Engineering
|
||
Task Force (IETF), its areas, and its working groups. Note that
|
||
other groups may also distribute working documents as Internet-
|
||
Drafts. Internet-Drafts are draft documents valid for a maximum of
|
||
six months and may be updated, replaced, or obsoleted by other
|
||
documents at any time. It is inappropriate to use Internet-Drafts
|
||
as reference material or to cite them other than as "work in
|
||
progress."
|
||
|
||
The list of current Internet-Drafts can be accessed at
|
||
http://www.ietf.org/ietf/1id-abstracts.txt The list of Internet-
|
||
Draft Shadow Directories can be accessed at
|
||
http://www.ietf.org/shadow.html.
|
||
|
||
Abstract
|
||
|
||
This document describes LDAPv3 (Lightweight Directory Access
|
||
Protocol v3) authentication methods and connection level security
|
||
mechanisms that are required of all conforming LDAPv3 server
|
||
implementations and makes recommendations for combinations of these
|
||
mechanisms to be used in various deployment circumstances.
|
||
|
||
Among the mechanisms described are
|
||
|
||
- various forms of authentication including anonymous
|
||
authentication, password-based authentication, and certificate
|
||
based authentication
|
||
- the use of SASL mechanisms with LDAPv3
|
||
- the use of TLS (Transport Layer Security) with LDAPv3
|
||
|
||
|
||
Harrison Expires September 2003 [Page 1]
|
||
|
||
Authentication Methods for LDAPv3
|
||
|
||
- the various authentication and authorization states through
|
||
which a connection to an LDAP server may pass and the actions
|
||
that trigger these state changes.
|
||
|
||
|
||
1. Conventions Used in this Document
|
||
|
||
1.1. Glossary of Terms
|
||
|
||
The following terms are used in this document. To aid the reader,
|
||
these terms are defined here.
|
||
|
||
- "user" represents any application which is an LDAP client using
|
||
the directory to retrieve or store information.
|
||
|
||
- "LDAP association" is used to distinguish the LDAP-level
|
||
connection from any underlying TLS-level connection that may or
|
||
may not exist.
|
||
|
||
1.2. Security Terms and Concepts
|
||
|
||
In general, security terms in this document are used consistently
|
||
with the definitions provided in [RFC2828]. In addition, several
|
||
terms and concepts relating to security, authentication, and
|
||
authorization are presented in Appendix B of this document. While
|
||
the formal definition of these terms and concepts is outside the
|
||
scope of this document, an understanding of them is prerequisite to
|
||
understanding much of the material in this document. Readers who are
|
||
unfamiliar with security-related concepts are encouraged to review
|
||
Appendix B before reading the remainder of this document.
|
||
|
||
1.3. Keywords
|
||
|
||
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
|
||
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
|
||
document are to be interpreted as described in RFC 2119 [RFC2119].
|
||
|
||
2. Introduction
|
||
|
||
This document is an integral part of the LDAP Technical
|
||
Specification [ROADMAP]. This document replaces RFC 2829 and
|
||
portions of RFC 2830. Changes to RFC 2829 are summarized in Appendix
|
||
C and changes to RFC 2830 are summarized in Appendix D.
|
||
|
||
LDAPv3 is a powerful access protocol for directories. It offers
|
||
means of searching, retrieving and manipulating directory content,
|
||
and ways to access a rich set of security functions.
|
||
|
||
It is vital that these security functions be interoperable among all
|
||
LDAP clients and servers on the Internet; therefore there has to be
|
||
a minimum subset of security functions that is common to all
|
||
implementations that claim LDAPv3 conformance.
|
||
|
||
Basic threats to an LDAP directory service include:
|
||
|
||
Harrison Expires September 2003 [Page 2]
|
||
|
||
Authentication Methods for LDAPv3
|
||
|
||
|
||
(1) Unauthorized access to directory data via data-retrieval
|
||
operations,
|
||
|
||
(2) Unauthorized access to reusable client authentication
|
||
information by monitoring others' access,
|
||
|
||
(3) Unauthorized access to directory data by monitoring others'
|
||
access,
|
||
|
||
(4) Unauthorized modification of directory data,
|
||
|
||
(5) Unauthorized modification of configuration information,
|
||
|
||
(6) Unauthorized or excessive use of resources (denial of service),
|
||
and
|
||
|
||
(7) Spoofing of directory: Tricking a client into believing that
|
||
information came from the directory when in fact it did not,
|
||
either by modifying data in transit or misdirecting the client's
|
||
connection.
|
||
|
||
Threats (1), (4), (5) and (6) are due to hostile clients. Threats
|
||
(2), (3) and (7) are due to hostile agents on the path between
|
||
client and server or hostile agents posing as a server.
|
||
|
||
The LDAP protocol suite can be protected with the following security
|
||
mechanisms:
|
||
|
||
(1) Client authentication by means of the SASL [RFC2222] mechanism
|
||
set, possibly backed by the TLS [RFC2246] credentials exchange
|
||
mechanism,
|
||
|
||
(2) Client authorization by means of access control based on the
|
||
requestor's authenticated identity,
|
||
|
||
(3) Data integrity protection by means of the TLS protocol or SASL
|
||
mechanisms that provide data integrity services,
|
||
|
||
(4) Data confidentiality protection against snooping by means of the
|
||
TLS protocol or SASL mechanisms that provide data
|
||
confidentiality services,
|
||
|
||
(5) Server resource usage limitation by means of administrative
|
||
service limits configured on the server, and
|
||
|
||
(6) Server authentication by means of the TLS protocol or SASL
|
||
mechanism.
|
||
|
||
At the moment, imposition of access controls is done by means
|
||
outside the scope of the LDAPv3 protocol.
|
||
|
||
3. Rationale for LDAPv3 Security Mechanisms
|
||
|
||
|
||
|
||
Harrison Expires September 2003 [Page 3]
|
||
|
||
Authentication Methods for LDAPv3
|
||
|
||
It seems clear that allowing any implementation, faced with the
|
||
above requirements, to simply pick and choose among the possible
|
||
alternatives is not a strategy that is likely to lead to
|
||
interoperability. In the absence of mandates, clients will be
|
||
written that do not support any security function supported by the
|
||
server, or worse, they will support only mechanisms like the LDAPv3
|
||
simple bind using clear text passwords that provide inadequate
|
||
security for most circumstances.
|
||
|
||
Given the presence of the Directory, there is a strong desire to see
|
||
mechanisms where identities take the form of an LDAP distinguished
|
||
name [LDAPDN] and authentication data can be stored in the
|
||
directory. This means that this data must be updated outside the
|
||
protocol or only updated in sessions well protected against
|
||
snooping. It is also desirable to allow authentication methods to
|
||
carry authorization identities based on existing--non-LDAP DN--forms
|
||
of user identities for backwards compatibility with non-LDAP-based
|
||
authentication services.
|
||
|
||
The set of security mechanisms provided in LDAPv3 and described in
|
||
this document is intended to meet the security needs for a wide
|
||
range of deployment scenarios and still provide a high degree of
|
||
interoperability among various LDAPv3 implementations and
|
||
deployments. Appendix A contains example deployment scenarios that
|
||
list the mechanisms that might be used to achieve a reasonable level
|
||
of security in various circumstances.
|
||
|
||
4. Bind Operation
|
||
|
||
The Bind operation defined in section 4.2 of [Protocol] allows
|
||
authentication information to be exchanged between the client and
|
||
server.
|
||
|
||
4.1. Unbound Connection Treated as Anonymous ("Implied Anonymous Bind")
|
||
|
||
Unlike LDAP version 2, the client need not send a Bind Request in
|
||
the first PDU of the connection. The client may send any operation
|
||
request prior to binding, and the server MUST treat it as if it had
|
||
been performed after an anonymous bind operation. If the server
|
||
requires that the client bind before browsing or modifying the
|
||
directory, the server MAY reject a request other than binding,
|
||
unbinding or an extended request with the "operationsError" result.
|
||
|
||
|
||
4.2. Simple Authentication
|
||
|
||
The simple authentication option provides minimal authentication
|
||
facilities, with the contents of the authentication field consisting
|
||
only of a cleartext password. Note that the use of cleartext
|
||
passwords is strongly discouraged over open networks when the
|
||
underlying transport service cannot guarantee confidentiality (see
|
||
section 8).
|
||
|
||
4.3. SASL Authentication
|
||
|
||
Harrison Expires September 2003 [Page 4]
|
||
|
||
Authentication Methods for LDAPv3
|
||
|
||
|
||
The sasl authentication option allows for any mechanism defined for
|
||
use with SASL [RFC2222] not specifically prohibited by this document
|
||
(see section 4.3.1).
|
||
|
||
Clients sending a bind request with the sasl choice selected SHOULD
|
||
NOT send a value in the name field. Servers receiving a bind request
|
||
with the sasl choice selected SHALL ignore any value in the name
|
||
field.
|
||
|
||
The mechanism field in SaslCredentials contains the name of the
|
||
mechanism. The credentials field contains the arbitrary data used
|
||
for authentication, inside an OCTET STRING wrapper. Note that unlike
|
||
some Internet application protocols where SASL is used, LDAP is not
|
||
text-based, thus no Base64 transformations are performed on the
|
||
credentials.
|
||
|
||
If any SASL-based integrity or confidentiality services are enabled,
|
||
they take effect following the transmission by the server and
|
||
reception by the client of the final BindResponse with a resultCode
|
||
of success.
|
||
|
||
If a SASL security layer is negotiated, the client MUST discard all
|
||
information about the server fetched prior to the initiation of the
|
||
SASL negotiation. If the client is configured to support multiple
|
||
SASL mechanisms, it SHOULD fetch the supportedSASLmechanisms list
|
||
both before and after the SASL security layer is negotiated. This
|
||
allows the client to detect active attacks that remove supported
|
||
SASL mechanisms from the supportedSASLMechanisms list and allows the
|
||
client to ensure that it is using the best mechanism supported by
|
||
both client and server. (This requirement is a SHOULD to allow for
|
||
environments where the supportedSASLMechanisms list is provided to
|
||
the client through a different trusted source, e.g. as part of a
|
||
digitally signed object.)
|
||
|
||
The client can request that the server use authentication
|
||
information from a lower layer protocol by using the SASL EXTERNAL
|
||
mechanism (see section 5.2.2.).
|
||
|
||
4.3.1. Use of ANONYMOUS and PLAIN SASL Mechanisms
|
||
|
||
As LDAP includes native anonymous and plaintext authentication
|
||
methods, the "ANONYMOUS" and "PLAIN" SASL mechanisms are not used
|
||
with LDAP. If an authorization identity of a form different from a
|
||
DN is requested by the client, a data confidentiality mechanism that
|
||
protects the password in transit should be used.
|
||
|
||
4.3.2. Use of EXTERNAL SASL Mechanism
|
||
|
||
The "EXTERNAL" SASL mechanism can be used to request the LDAP server
|
||
make use of security credentials exchanged by a lower layer. If a
|
||
TLS session has not been established between the client and server
|
||
prior to making the SASL EXTERNAL Bind request and there is no other
|
||
external source of authentication credentials (e.g. IP-level
|
||
|
||
Harrison Expires September 2003 [Page 5]
|
||
|
||
Authentication Methods for LDAPv3
|
||
|
||
security [RFC2401]), or if during the process of establishing the
|
||
TLS session, the server did not request the client's authentication
|
||
credentials, the SASL EXTERNAL bind MUST fail with a resultCode of
|
||
inappropriateAuthentication. Any client authentication and
|
||
authorization state of the LDAP association is lost, so the LDAP
|
||
association is in an anonymous state after the failure (see
|
||
[Protocol] section 4.2.1).
|
||
|
||
4.3.3. Other SASL Mechanisms
|
||
|
||
Other SASL mechanisms may be used with LDAP, but their usage is not
|
||
considered in this document.
|
||
|
||
4.4. SASL Authorization Identity
|
||
|
||
The authorization identity is carried as part of the SaslCredentials
|
||
credentials field in the Bind request and response.
|
||
|
||
When the "EXTERNAL" SASL mechanism is being negotiated, if the
|
||
credentials field is present, it contains an authorization identity
|
||
of the authzId form described below.
|
||
|
||
Other mechanisms define the location of the authorization identity
|
||
in the credentials field.
|
||
|
||
4.4.1. Authorization Identity Syntax
|
||
|
||
The authorization identity is a string in the UTF-8 character set,
|
||
corresponding to the following ABNF grammar [RFC2234]:
|
||
|
||
; Specific predefined authorization (authz) id schemes are
|
||
; defined below -- new schemes may be defined in the future.
|
||
|
||
authzId = dnAuthzId / uAuthzId
|
||
|
||
DNCOLON = %x64 %x6e %x3a ; "dn:"
|
||
UCOLON = %x75 %x3a ; "u:"
|
||
|
||
; distinguished-name-based authz id.
|
||
dnAuthzId = DNCOLON dn
|
||
dn = utf8string ; with syntax defined in [LDAPDN] section 3.
|
||
|
||
|
||
; unspecified authorization id, UTF-8 encoded.
|
||
uAuthzId = UCOLON userid
|
||
userid = utf8string ; syntax unspecified
|
||
|
||
The dnAuthzId choice allows client applications to assert
|
||
authorization identities in the form of a distinguished name. The
|
||
decision to allow or disallow an authentication identity to have
|
||
access to the requested authorization identity is a matter of local
|
||
policy ([SASL] section 4.2). For this reason there is no requirement
|
||
that the asserted dn be that of an entry in directory.
|
||
|
||
|
||
Harrison Expires September 2003 [Page 6]
|
||
|
||
Authentication Methods for LDAPv3
|
||
|
||
The uAuthzId choice allows for compatibility with client
|
||
applications that wish to assert an authorization identity to a
|
||
local directory but do not have that identity in distinguished name
|
||
form. The format of utf8string is defined as only a sequence of UTF-
|
||
8 encoded ISO 10646 characters, and further interpretation is
|
||
subject to prior agreement between the client and server.
|
||
|
||
For example, the userid could identify a user of a specific
|
||
directory service, or be a login name or the local-part of an RFC
|
||
822 email address. In general, a uAuthzId MUST NOT be assumed to be
|
||
globally unique.
|
||
|
||
Additional authorization identity schemes MAY be defined in future
|
||
versions of this document.
|
||
|
||
4.5. SASL Service Name for LDAP
|
||
|
||
For use with SASL [RFC2222], a protocol must specify a service name
|
||
to be used with various SASL mechanisms, such as GSSAPI. For LDAP,
|
||
the service name is "ldap", which has been registered with the IANA
|
||
as a GSSAPI service name.
|
||
|
||
4.6. SASL Integrity and Privacy Protections
|
||
|
||
Any negotiated SASL integrity and privacy protections SHALL start on
|
||
the first octet of the first LDAP PDU following successful
|
||
completion of the SASL bind operation. If lower level security layer
|
||
is negotiated, such as TLS, any SASL security services SHALL be
|
||
layered on top of such security layers regardless of the order of
|
||
their negotiation.
|
||
|
||
5. Start TLS Operation
|
||
|
||
The Start Transport Layer Security (StartTLS) operation defined in
|
||
section 4.13 of [Protocol] provides the ability to establish
|
||
Transport Layer Security [RFC2246] on an LDAP association.
|
||
|
||
5.1. Sequencing of the Start TLS Operation
|
||
|
||
This section describes the overall procedures clients and servers
|
||
must follow for TLS establishment. These procedures take into
|
||
consideration various aspects of the overall security of the LDAP
|
||
association including discovery of resultant security level and
|
||
assertion of the client's authorization identity.
|
||
|
||
Note that the precise effects, on a client's authorization identity,
|
||
of establishing TLS on an LDAP association are described in detail
|
||
in section 5.5.
|
||
|
||
5.1.1. Requesting to Start TLS on an LDAP Association
|
||
|
||
The client MAY send the Start TLS extended request at any time after
|
||
establishing an LDAP association, except that in the following cases
|
||
the client MUST NOT send a Start TLS extended request:
|
||
|
||
Harrison Expires September 2003 [Page 7]
|
||
|
||
Authentication Methods for LDAPv3
|
||
|
||
|
||
- if TLS is currently established on the connection, or
|
||
- during a multi-stage SASL negotiation, or
|
||
- if there are any LDAP operations outstanding on the
|
||
connection.
|
||
|
||
The result of violating any of these requirements is a resultCode of
|
||
operationsError, as described above in [Protocol] section 14.3.2.2.
|
||
|
||
In particular, there is no requirement that the client have or have
|
||
not already performed a Bind operation before sending a Start TLS
|
||
operation request. The client may have already performed a Bind
|
||
operation when it sends a Start TLS request, or the client might
|
||
have not yet bound.
|
||
|
||
If the client did not establish a TLS connection before sending any
|
||
other requests, and the server requires the client to establish a
|
||
TLS connection before performing a particular request, the server
|
||
MUST reject that request by sending a resultCode of
|
||
confidentialityRequired or strongAuthRequired. In response, the
|
||
client MAY send a Start TLS extended request, or it MAY choose to
|
||
close the connection.
|
||
|
||
5.1.2. Starting TLS
|
||
|
||
The server will return an extended response with the resultCode of
|
||
success if it is willing and able to negotiate TLS. It will return
|
||
other resultCodes (documented in [Protocol] section 4.13.2.2) if it
|
||
is unable to do so.
|
||
|
||
In the successful case, the client (which has ceased to transfer
|
||
LDAP requests on the connection) MUST either begin a TLS negotiation
|
||
or close the connection. The client will send PDUs in the TLS Record
|
||
Protocol directly over the underlying transport connection to the
|
||
server to initiate TLS negotiation [RFC2246].
|
||
|
||
5.1.3. TLS Version Negotiation
|
||
|
||
Negotiating the version of TLS or SSL to be used is a part of the
|
||
TLS Handshake Protocol, as documented in [RFC2246]. Please refer to
|
||
that document for details.
|
||
|
||
5.1.4. Discovery of Resultant Security Level
|
||
|
||
After a TLS connection is established on an LDAP association, both
|
||
parties MUST individually decide whether or not to continue based on
|
||
the privacy level achieved. Ascertaining the TLS connection's
|
||
privacy level is implementation dependent, and accomplished by
|
||
communicating with one's respective local TLS implementation.
|
||
|
||
If the client or server decides that the level of authentication or
|
||
privacy is not high enough for it to continue, it SHOULD gracefully
|
||
close the TLS connection immediately after the TLS negotiation has
|
||
completed (see [Protocol] section 4.13.3.1 and section 5.2.3 below).
|
||
|
||
Harrison Expires September 2003 [Page 8]
|
||
|
||
Authentication Methods for LDAPv3
|
||
|
||
If the client decides to continue, it MAY attempt to Start TLS
|
||
again, it MAY send an unbind request, or it MAY send any other LDAP
|
||
request.
|
||
|
||
5.1.5. Assertion of Client's Authorization Identity
|
||
|
||
The client MAY, upon receipt of a Start TLS response indicating
|
||
success, assert that a specific authorization identity be utilized
|
||
in determining the client's authorization status. The client
|
||
accomplishes this via an LDAP Bind request specifying a SASL
|
||
mechanism of "EXTERNAL" [RFC2222] (see section 5.5.1.2 below).
|
||
|
||
5.1.6. Server Identity Check
|
||
|
||
The client MUST check its understanding of the server's hostname
|
||
against the server's identity as presented in the server's
|
||
Certificate message, in order to prevent man-in-the-middle attacks.
|
||
|
||
Matching is performed according to these rules:
|
||
|
||
- The client MUST use the server hostname it used to open the LDAP
|
||
connection as the value to compare against the server name as
|
||
expressed in the server's certificate. The client MUST NOT use
|
||
the any other derived form of name including the server's
|
||
canonical DNS name.
|
||
|
||
- If a subjectAltName extension of type dNSName is present in the
|
||
certificate, it SHOULD be used as the source of the server's
|
||
identity.
|
||
|
||
- Matching is case-insensitive.
|
||
|
||
- The "*" wildcard character is allowed. If present, it applies
|
||
only to the left-most name component.
|
||
|
||
For example, *.bar.com would match a.bar.com and b.bar.com, but it
|
||
would not match a.x.bar.com nor would it match bar.com. If more
|
||
than one identity of a given type is present in the certificate
|
||
(e.g. more than one dNSName name), a match in any one of the set is
|
||
considered acceptable.
|
||
|
||
If the hostname does not match the dNSName-based identity in the
|
||
certificate per the above check, user-oriented clients SHOULD either
|
||
notify the user (clients MAY give the user the opportunity to
|
||
continue with the connection in any case) or terminate the
|
||
connection and indicate that the server's identity is suspect.
|
||
Automated clients SHOULD close the connection, returning and/or
|
||
logging an error indicating that the server's identity is suspect.
|
||
|
||
Beyond the server identity checks described in this section, clients
|
||
SHOULD be prepared to do further checking to ensure that the server
|
||
is authorized to provide the service it is observed to provide. The
|
||
client MAY need to make use of local policy information.
|
||
|
||
|
||
Harrison Expires September 2003 [Page 9]
|
||
|
||
Authentication Methods for LDAPv3
|
||
|
||
5.1.7. Refresh of Server Capabilities Information
|
||
|
||
Upon TLS session establishment, the client MUST discard all
|
||
information about the server fetched prior to the initiation of the
|
||
TLS negotiation and MUST refresh any cached server capabilities
|
||
information (e.g. from the server's root DSE; see section 3.4 of
|
||
[Protocol]). This is necessary to protect against active-
|
||
intermediary attacks that may have altered any server capabilities
|
||
information retrieved prior to TLS establishment.
|
||
|
||
The server MAY advertise different capabilities after TLS
|
||
establishment. In particular, the value of supportedSASLMechanisms
|
||
MAY be different after TLS has been negotiated (specifically, the
|
||
EXTERNAL mechanism or the proposed PLAIN mechanism are likely to
|
||
only be listed after a TLS negotiation has been performed).
|
||
|
||
5.2. Effects of TLS on a Client's Authorization Identity
|
||
|
||
This section describes the effects on a client's authorization
|
||
identity brought about by establishing TLS on an LDAP association.
|
||
The default effects are described first, and next the facilities for
|
||
client assertion of authorization identity are discussed including
|
||
error conditions. Finally, the effects of closing the TLS connection
|
||
are described.
|
||
|
||
Authorization identities and related concepts are described in
|
||
Appendix B.
|
||
|
||
5.2.1. Default Effects
|
||
|
||
Upon establishment of the TLS session onto the LDAP association, any
|
||
previously established authentication and authorization identities
|
||
MUST remain in force, including anonymous state. This holds even in
|
||
the case where the server requests client authentication via TLS --
|
||
e.g. requests the client to supply its certificate during TLS
|
||
negotiation (see [RFC2246]).
|
||
|
||
5.2.2. Client Assertion of Authorization Identity
|
||
|
||
A client MAY either implicitly request that its LDAP authorization
|
||
identity be derived from its authenticated TLS credentials or it MAY
|
||
explicitly provide an authorization identity and assert that it be
|
||
used in combination with its authenticated TLS credentials. The
|
||
former is known as an implicit assertion, and the latter as an
|
||
explicit assertion.
|
||
|
||
5.2.2.1. Implicit Assertion
|
||
|
||
An implicit authorization identity assertion is accomplished after
|
||
TLS establishment by invoking a Bind request of the SASL form using
|
||
the "EXTERNAL" mechanism name [RFC2222] [Protocol] that SHALL NOT
|
||
include the optional credentials octet string (found within the
|
||
SaslCredentials sequence in the Bind Request). The server will
|
||
derive the client's authorization identity from the authentication
|
||
|
||
Harrison Expires September 2003 [Page 10]
|
||
|
||
Authentication Methods for LDAPv3
|
||
|
||
identity supplied in the client's TLS credentials (typically a
|
||
public key certificate) according to local policy. The underlying
|
||
mechanics of how this is accomplished are implementation specific.
|
||
|
||
5.2.2.2. Explicit Assertion
|
||
|
||
An explicit authorization identity assertion is accomplished after
|
||
TLS establishment by invoking a Bind request of the SASL form using
|
||
the "EXTERNAL" mechanism name [RFC2222] [Protocol] that SHALL
|
||
include the credentials octet string. This string MUST be
|
||
constructed as documented in section 4.4.1.
|
||
|
||
5.2.2.3. Error Conditions
|
||
|
||
For either form of assertion, the server MUST verify that the
|
||
client's authentication identity as supplied in its TLS credentials
|
||
is permitted to be mapped to the asserted authorization identity.
|
||
The server MUST reject the Bind operation with an invalidCredentials
|
||
resultCode in the Bind response if the client is not so authorized.
|
||
|
||
Additionally, with either form of assertion, if a TLS session has
|
||
not been established between the client and server prior to making
|
||
the SASL EXTERNAL Bind request and there is no other external source
|
||
of authentication credentials (e.g. IP-level security [RFC2401]), or
|
||
if during the process of establishing the TLS session, the server
|
||
did not request the client's authentication credentials, the SASL
|
||
EXTERNAL bind MUST fail with a result code of
|
||
inappropriateAuthentication.
|
||
|
||
After the above Bind operation failures, any client authentication
|
||
and authorization state of the LDAP association is lost (see
|
||
[Protocol] section 4.2.1), so the LDAP association is in an
|
||
anonymous state after the failure. The TLS session state is
|
||
unaffected, though a server MAY end the TLS session, via a TLS
|
||
close_notify message, based on the Bind failure (as it MAY at any
|
||
time).
|
||
|
||
5.2.3. TLS Connection Closure Effects
|
||
|
||
Closure of the TLS session MUST cause the LDAP association to move
|
||
to an anonymous authentication and authorization state regardless of
|
||
the state established over TLS and regardless of the authentication
|
||
and authorization state prior to TLS session establishment.
|
||
|
||
6. LDAP Association State Transition Tables
|
||
|
||
To comprehensively diagram the various authentication and TLS states
|
||
through which an LDAP association may pass, this section provides a
|
||
state transition table to represent a state diagram for the various
|
||
states through which an LDAP association may pass during the course
|
||
of its existence and the actions that cause these changes in state.
|
||
|
||
6.1. LDAP Association States
|
||
|
||
|
||
Harrison Expires September 2003 [Page 11]
|
||
|
||
Authentication Methods for LDAPv3
|
||
|
||
The following table lists the valid LDAP association states and
|
||
provides a description of each state. The ID for each state is used
|
||
in the state transition table in section 6.4.
|
||
|
||
ID State Description
|
||
-- --------------------------------------------------------------
|
||
S1 no Auth ID
|
||
no AuthZ ID
|
||
[TLS: no Creds, OFF]
|
||
S2 no Auth ID
|
||
no AuthZ ID
|
||
[TLS: no Creds, ON]
|
||
S3 no Auth ID
|
||
no AuthZ ID
|
||
[TLS: Creds Auth ID "I", ON]
|
||
S4 Auth ID = Xn
|
||
AuthZ ID= Y
|
||
[TLS: no Creds, OFF]
|
||
S5 Auth ID = Xn
|
||
AuthZ ID= Yn
|
||
[TLS: no Creds, ON]
|
||
S6 Auth ID = Xn
|
||
AuthZ ID= Yn
|
||
[TLS: Creds Auth ID "I", ON]
|
||
S7 Auth ID = I
|
||
AuthZ ID= J
|
||
[TLS: Creds Auth ID "I", ON]
|
||
S8 Auth ID = I
|
||
AuthZ ID= K
|
||
[TLS: Creds Auth ID "I", ON]
|
||
|
||
6.2. Actions that Affect LDAP Association State
|
||
|
||
The following table lists the actions that can affect the state of
|
||
an LDAP association. The ID for each action is used in the state
|
||
transition table in section 6.4.
|
||
|
||
ID Action
|
||
-- ------------------------------------------------
|
||
A1 Client binds anonymously
|
||
A2 Inappropriate authentication: client attempts an anonymous
|
||
bind or a bind without supplying credentials to a server that
|
||
requires the client to provide some form of credentials.
|
||
A3 Client Start TLS request
|
||
Server: client auth NOT required
|
||
A4 Client: Start TLS request
|
||
Server: client creds requested
|
||
Client: [TLS creds: Auth ID "I"]
|
||
A5 Client or Server: send TLS closure alert ([Protocol] section
|
||
X)
|
||
A6 Client: Bind w/simple password or SASL mechanism (e.g. DIGEST-
|
||
MD5 password, Kerberos, etc. -<2D> except EXTERNAL [Auth ID "X"
|
||
|
||
Harrison Expires September 2003 [Page 12]
|
||
|
||
Authentication Methods for LDAPv3
|
||
|
||
maps to AuthZ ID "Y"]
|
||
A7 Client Binds SASL EXTERNAL with credentials: AuthZ ID "J"
|
||
[Explicit Assertion (section 5.2.1.2.2)]
|
||
A8 Client Bind SASL EXTERNAL without credentials [Implicit
|
||
Assertion (section 5.2 .1.2.1)]
|
||
|
||
6.3. Decisions Used in Making LDAP Association State Changes
|
||
|
||
Certain changes in the state of an LDAP association are only allowed
|
||
if the server can affirmatively answer a question. These questions
|
||
are applied as part of the criteria for allowing or disallowing a
|
||
state change in the state transition table in section 6.4.
|
||
|
||
ID Decision Question
|
||
-- --------------------------------------------------------------
|
||
D1 Can TLS Credentials Auth ID "I" be mapped to AuthZ ID "J"?
|
||
D2 Can a valid AuthZ ID "K" be derived from TLS Credentials Auth
|
||
ID "I"?
|
||
|
||
6.4. LDAP Association State Transition Table
|
||
|
||
The LDAP Association table below lists the valid states for an LDAP
|
||
association and the actions that could affect them. For any given
|
||
row in the table, the Current State column gives the state of an
|
||
LDAP association, the Action column gives an action that could
|
||
affect the state of an LDAP assocation, and the Next State column
|
||
gives the resulting state of an LDAP association after the action
|
||
occurs.
|
||
|
||
The initial state for the state machine described in this table is
|
||
S1.
|
||
|
||
Current Next
|
||
State Action State Comment
|
||
------- ------------- ----- -----------------------------------
|
||
S1 A1 S1
|
||
S1 A2 S1 Error: Inappropriate authentication
|
||
S1 A3 S2
|
||
S1 A4 S3
|
||
S1 A6 S4
|
||
S1 A7 ? identity could be provided by
|
||
another underlying mechanism such
|
||
as IPSec.
|
||
S1 A8 ? identity could be provided by
|
||
another underlying mechanism such
|
||
as IPSec.
|
||
S2 A1 S2
|
||
S2 A2 S2 Error: Inappropriate authentication
|
||
S2 A5 S1
|
||
S2 A6 S5
|
||
S2 A7 ? identity could be provided by
|
||
another underlying mechanism such
|
||
as IPSec.
|
||
|
||
Harrison Expires September 2003 [Page 13]
|
||
|
||
Authentication Methods for LDAPv3
|
||
|
||
S2 A8 ? identity could be provided by
|
||
another underlying mechanism such
|
||
as IPSec.
|
||
S3 A1 S3
|
||
S3 A2 S3 Error: Inappropriate authentication
|
||
S3 A5 S1
|
||
S3 A6 S6
|
||
S3 A7 and D1=NO S3 Error: InvalidCredentials
|
||
S3 A7 and D1=YES S7
|
||
S3 A8 and D2=NO S3 Error: InvalidCredentials
|
||
S3 A8 and D2=YES S8
|
||
S4 A1 S1
|
||
S4 A2 S4 Error: Inappropriate Authentication
|
||
S4 A3 S5
|
||
S4 A4 S6
|
||
S4 A5 S1
|
||
S4 A6 S4
|
||
S4 A7 ? identity could be provided by
|
||
another underlying mechanism such
|
||
as IPSec.
|
||
S4 A8 ? identity could be provided by
|
||
another underlying mechanism such
|
||
as IPSec.
|
||
S5 A1 S2
|
||
S5 A2 S5 Error: Inappropriate Authentication
|
||
S5 A5 S1
|
||
S5 A6 S5
|
||
S5 A7 ? identity could be provided by
|
||
another underlying mechanism such
|
||
as IPSec.
|
||
S5 A8 ? identity could be provided by
|
||
another underlying mechanism such
|
||
as IPSec.
|
||
S6 A1 S3
|
||
S6 A2 S6 Error: Inappropriate Authentication
|
||
S6 A5 S1
|
||
S6 A6 S6
|
||
S6 A7 and D1=NO S6 Error: InvalidCredentials
|
||
S6 A7 and D1=YES S7
|
||
S6 A8 and D2=NO S6 Error: InvalidCredentials
|
||
S6 A8 and D2=YES S8
|
||
S7 A1 S3
|
||
S7 A2 S7 Error: Inappropriate Authentication
|
||
S7 A5 S1
|
||
S7 A6 S6
|
||
S7 A7 S7
|
||
S7 A8 and D2=NO S3 Error: InvalidCredentials
|
||
S7 A8 and D2=YES S8
|
||
S8 A1 S3
|
||
S8 A2 S8 Error: Inappropriate Authentication
|
||
S8 A5 S1
|
||
S8 A6 S6
|
||
|
||
Harrison Expires September 2003 [Page 14]
|
||
|
||
Authentication Methods for LDAPv3
|
||
|
||
S8 A7 and D1=NO S6 Error: InvalidCredentials
|
||
S8 A7 and D1=YES S7
|
||
S8 A8 S8
|
||
|
||
|
||
7. Anonymous Authentication
|
||
|
||
Directory operations that modify entries or access protected
|
||
attributes or entries generally require client authentication.
|
||
Clients that do not intend to perform any of these operations
|
||
typically use anonymous authentication. Servers SHOULD NOT allow
|
||
clients with anonymous authentication to modify directory entries or
|
||
access sensitive information in directory entries.
|
||
|
||
LDAP implementations MUST support anonymous authentication, as
|
||
defined in section 7.1.
|
||
|
||
LDAP implementations MAY support anonymous authentication with TLS,
|
||
as defined in section 7.2.
|
||
|
||
While there MAY be access control restrictions to prevent access to
|
||
directory entries, an LDAP server SHOULD allow an anonymously-bound
|
||
client to retrieve the supportedSASLMechanisms attribute of the root
|
||
DSE.
|
||
|
||
An LDAP server MAY use other information about the client provided
|
||
by the lower layers or external means to grant or deny access even
|
||
to anonymously authenticated clients.
|
||
|
||
7.1. Anonymous Authentication Procedure
|
||
|
||
An LDAPv3 client that has not successfully completed a bind
|
||
operation on a connection is anonymously authenticated. See section
|
||
4.3.3.
|
||
|
||
An LDAP client MAY also choose to explicitly bind anonymously. A
|
||
client that wishes to do so MUST choose the simple authentication
|
||
option in the Bind Request (see section 4.1) and set the password to
|
||
be of zero length. (This is often done by LDAPv2 clients.) Typically
|
||
the name is also of zero length.
|
||
|
||
7.2. Anonymous Authentication and TLS
|
||
|
||
An LDAP client MAY use the Start TLS operation (section 5) to
|
||
negotiate the use of TLS security [RFC2246]. If the client has not
|
||
bound beforehand, then until the client uses the EXTERNAL SASL
|
||
mechanism to negotiate the recognition of the client's certificate,
|
||
the client is anonymously authenticated.
|
||
|
||
Recommendations on TLS ciphersuites are given in section 10.
|
||
|
||
An LDAP server which requests that clients provide their certificate
|
||
during TLS negotiation MAY use a local security policy to determine
|
||
|
||
|
||
Harrison Expires September 2003 [Page 15]
|
||
|
||
Authentication Methods for LDAPv3
|
||
|
||
whether to successfully complete TLS negotiation if the client did
|
||
not present a certificate which could be validated.
|
||
|
||
8. Password-based Authentication
|
||
|
||
This section discusses various options for performing password-based
|
||
authentication to LDAPv3 compliant servers and the environments
|
||
suitable for their use.
|
||
|
||
8.1. Simple Authentication
|
||
|
||
The LDAP "simple" authentication choice is not suitable for
|
||
authentication in environments where there is no network or
|
||
transport layer confidentiality. LDAP implementations SHOULD support
|
||
authentication with the "simple" authentication choice when the
|
||
connection is protected against eavesdropping using TLS, as defined
|
||
in section 5. LDAP implementations SHOULD NOT support authentication
|
||
with the "simple" authentication choice unless the data on the
|
||
connection is protected using TLS or other data confidentiality and
|
||
data integrity protection.
|
||
|
||
8.2. Digest Authentication
|
||
|
||
LDAP servers that implement any password-based authentication method
|
||
MUST support authentication with a password using the DIGEST-MD5
|
||
SASL mechanism for password protection.
|
||
|
||
An LDAP client MAY determine whether the server supports this
|
||
mechanism by performing a search request on the root DSE, requesting
|
||
the supportedSASLMechanisms attribute, and checking whether the
|
||
string "DIGEST-MD5" is present as a value of this attribute.
|
||
|
||
In the first stage of authentication, when the client is performing
|
||
an "initial authentication" as defined in section 2.1 of [RFC2831],
|
||
the client sends a bind request in which the version number is 3,
|
||
the authentication choice is sasl, the sasl mechanism name is
|
||
"DIGEST-MD5", and the credentials are absent. The client then waits
|
||
for a response from the server to this request.
|
||
|
||
The server will respond with a bind response in which the resultCode
|
||
is saslBindInProgress, and the serverSaslCreds field is present. The
|
||
contents of this field is a string defined by "digest-challenge" in
|
||
section 2.1.1 of [RFC2831]. The server SHOULD include a realm
|
||
indication and MUST indicate support for UTF-8.
|
||
|
||
The client will send a bind request with a distinct message id, in
|
||
which the version number is 3, the authentication choice is sasl,
|
||
the sasl mechanism name is "DIGEST-MD5", and the credentials contain
|
||
the string defined by "digest-response" in section 2.1.2 of
|
||
[RFC2831]. The serv-type is "ldap".
|
||
|
||
The server will respond with a bind response in which the resultCode
|
||
is either success, or an error indication. If the authentication is
|
||
successful and the server does not support subsequent
|
||
|
||
Harrison Expires September 2003 [Page 16]
|
||
|
||
Authentication Methods for LDAPv3
|
||
|
||
authentication, then the credentials field is absent. If the
|
||
authentication is successful and the server supports subsequent
|
||
authentication, then the credentials field contains the string
|
||
defined by "response-auth" in section 2.1.3 of [RFC2831]. Support
|
||
for subsequent authentication is OPTIONAL in clients and servers.
|
||
|
||
8.3. "simple" authentication choice under TLS encryption
|
||
|
||
Following the negotiation of an appropriate TLS ciphersuite
|
||
providing connection confidentiality [RFC2246], a client MAY
|
||
authenticate to a directory that supports the simple authentication
|
||
choice by performing a simple bind operation.
|
||
|
||
The client will use the Start TLS operation [Protocol] to negotiate
|
||
the use of TLS security [RFC2246] on the connection to the LDAP
|
||
server. The client need not have bound to the directory beforehand.
|
||
|
||
For this authentication procedure to be successful, the client and
|
||
server MUST negotiate a ciphersuite which contains a bulk encryption
|
||
algorithm of appropriate strength. Recommendations on cipher suites
|
||
are given in section 10.
|
||
|
||
Following the successful completion of TLS negotiation, the client
|
||
MUST send an LDAP bind request with the version number of 3, the
|
||
name field containing a DN, and the "simple" authentication choice,
|
||
containing a password.
|
||
|
||
8.3.1. "simple" Authentication Choice
|
||
|
||
DSAs that map the DN sent in the bind request to a directory entry
|
||
with an associated set of one or more passwords will compare the
|
||
presented password to the set of passwords associated with that
|
||
entry. If there is a match, then the server will respond with
|
||
resultCode success, otherwise the server will respond with
|
||
resultCode invalidCredentials.
|
||
|
||
8.4. Other authentication choices with TLS
|
||
|
||
It is also possible, following the negotiation of TLS, to perform a
|
||
SASL authentication that does not involve the exchange of plaintext
|
||
reusable passwords. In this case the client and server need not
|
||
negotiate a ciphersuite that provides confidentiality if the only
|
||
service required is data integrity.
|
||
|
||
9. Certificate-based authentication
|
||
|
||
LDAP server implementations SHOULD support authentication via a
|
||
client certificate in TLS, as defined in section 5.2.2.
|
||
|
||
9.1. Certificate-based authentication with TLS
|
||
|
||
A user who has a public/private key pair in which the public key has
|
||
been signed by a Certification Authority may use this key pair to
|
||
authenticate to the directory server if the user's certificate is
|
||
|
||
Harrison Expires September 2003 [Page 17]
|
||
|
||
Authentication Methods for LDAPv3
|
||
|
||
requested by the server. The user's certificate subject field SHOULD
|
||
be the name of the user's directory entry, and the Certification
|
||
Authority that issued the user's certificate must be sufficiently
|
||
trusted by the directory server in order for the server to process
|
||
the certificate. The means by which servers validate certificate
|
||
paths is outside the scope of this document.
|
||
|
||
A server MAY support mappings for certificates in which the subject
|
||
field name is different from the name of the user's directory entry.
|
||
A server which supports mappings of names MUST be capable of being
|
||
configured to support certificates for which no mapping is required.
|
||
|
||
The client will use the Start TLS operation [Protocol] to negotiate
|
||
the use of TLS security [RFC2246] on the connection to the LDAP
|
||
server. The client need not have bound to the directory beforehand.
|
||
|
||
In the TLS negotiation, the server MUST request a certificate. The
|
||
client will provide its certificate to the server, and the server
|
||
MUST perform a private key-based encryption, proving it has the
|
||
private key associated with the certificate.
|
||
|
||
In deployments that require protection of sensitive data in transit,
|
||
the client and server MUST negotiate a ciphersuite that contains a
|
||
bulk encryption algorithm of appropriate strength. Recommendations
|
||
of cipher suites are given in section 10.
|
||
|
||
The server MUST verify that the client's certificate is valid. The
|
||
server will normally check that the certificate is issued by a known
|
||
certification authority (CA), and that none of the certificates on
|
||
the client's certificate chain are invalid or revoked. There are
|
||
several procedures by which the server can perform these checks.
|
||
|
||
Following the successful completion of TLS negotiation, the client
|
||
will send an LDAP bind request with the SASL "EXTERNAL" mechanism.
|
||
|
||
10. TLS Ciphersuites
|
||
|
||
The following ciphersuites defined in [RFC2246] MUST NOT be used for
|
||
confidentiality protection of passwords or data:
|
||
|
||
TLS_NULL_WITH_NULL_NULL
|
||
TLS_RSA_WITH_NULL_MD5
|
||
TLS_RSA_WITH_NULL_SHA
|
||
|
||
The following ciphersuites defined in [RFC2246] can be cracked
|
||
easily (less than a day of CPU time on a standard CPU in 2000).
|
||
These ciphersuites are NOT RECOMMENDED for use in confidentiality
|
||
protection of passwords or data. Client and server implementers
|
||
SHOULD carefully consider the value of the password or data being
|
||
protected before using these ciphersuites:
|
||
|
||
TLS_RSA_EXPORT_WITH_RC4_40_MD5
|
||
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
|
||
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
|
||
|
||
Harrison Expires September 2003 [Page 18]
|
||
|
||
Authentication Methods for LDAPv3
|
||
|
||
TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA
|
||
TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA
|
||
TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
|
||
TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
|
||
TLS_DH_anon_EXPORT_WITH_RC4_40_MD5
|
||
TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA
|
||
|
||
The following ciphersuites are vulnerable to man-in-the-middle
|
||
attacks, and SHOULD NOT be used to protect passwords or sensitive
|
||
data, unless the network configuration is such that the danger of a
|
||
man-in-the-middle attack is tolerable:
|
||
|
||
TLS_DH_anon_EXPORT_WITH_RC4_40_MD5
|
||
TLS_DH_anon_WITH_RC4_128_MD5
|
||
TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA
|
||
TLS_DH_anon_WITH_DES_CBC_SHA
|
||
TLS_DH_anon_WITH_3DES_EDE_CBC_SHA
|
||
|
||
A client or server that supports TLS MUST support
|
||
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA and MAY support other ciphersuites
|
||
offering equivalent or better protection.
|
||
|
||
11. Security Considerations
|
||
|
||
Security issues are discussed throughout this memo; the
|
||
(unsurprising) conclusion is that mandatory security is important
|
||
and that session confidentiality protection is required when
|
||
snooping is a problem.
|
||
|
||
Servers are encouraged to prevent modifications by anonymous users.
|
||
Servers may also wish to minimize denial of service attacks by
|
||
timing out idle connections, and returning the unwillingToPerform
|
||
result code rather than performing computationally expensive
|
||
operations requested by unauthorized clients.
|
||
|
||
Operational experience shows that clients can misuse unauthenticated
|
||
access (simple bind with name but no password). For this reason,
|
||
servers SHOULD by default reject authentication requests that have a
|
||
DN with an empty password with an error of invalidCredentials.
|
||
|
||
Access control SHOULD be applied when reading sensitive information
|
||
or updating directory information.
|
||
|
||
A connection on which the client has not performed the Start TLS
|
||
operation or negotiated a suitable SASL mechanism for connection
|
||
integrity and encryption services is subject to man-in-the-middle
|
||
attacks to view and modify information in transit.
|
||
|
||
11.1. Start TLS Security Considerations
|
||
|
||
The goals of using the TLS protocol with LDAP are to ensure
|
||
connection confidentiality and integrity, and to optionally provide
|
||
for authentication. TLS expressly provides these capabilities, as
|
||
described in [RFC2246].
|
||
|
||
Harrison Expires September 2003 [Page 19]
|
||
|
||
Authentication Methods for LDAPv3
|
||
|
||
|
||
All security gained via use of the Start TLS operation is gained by
|
||
the use of TLS itself. The Start TLS operation, on its own, does not
|
||
provide any additional security.
|
||
|
||
Once established, TLS only provides for and ensures confidentiality
|
||
and integrity of the operations and data in transit over the LDAP
|
||
association--and only if the implementations on the client and
|
||
server support and negotiate it. The use of TLS does not provide or
|
||
ensure for confidentiality and/or non-repudiation of the data housed
|
||
by an LDAP-based directory server. Nor does it secure the data from
|
||
inspection by the server administrators.
|
||
|
||
The level of security provided though the use of TLS depends
|
||
directly on both the quality of the TLS implementation used and the
|
||
style of usage of that implementation. Additionally, an active-
|
||
intermediary attacker can remove the Start TLS extended operation
|
||
from the supportedExtension attribute of the root DSE. Therefore,
|
||
both parties SHOULD independently ascertain and consent to the
|
||
security level achieved once TLS is established and before beginning
|
||
use of the TLS connection. For example, the security level of the
|
||
TLS connection might have been negotiated down to plaintext.
|
||
|
||
Clients SHOULD either warn the user when the security level achieved
|
||
does not provide confidentiality and/or integrity protection, or be
|
||
configurable to refuse to proceed without an acceptable level of
|
||
security.
|
||
|
||
Client and server implementors SHOULD take measures to ensure proper
|
||
protection of credentials and other confidential data where such
|
||
measures are not otherwise provided by the TLS implementation.
|
||
|
||
Server implementors SHOULD allow for server administrators to elect
|
||
whether and when connection confidentiality and/or integrity is
|
||
required, as well as elect whether and when client authentication
|
||
via TLS is required.
|
||
|
||
Additional security considerations relating to the EXTERNAL
|
||
mechanism to negotiate TLS can be found in [RFC2222] and [RFC2246].
|
||
|
||
|
||
12. Acknowledgements
|
||
|
||
This document combines information originally contained in RFC 2829
|
||
and RFC 2830. The author acknowledges the work of Harald Tveit
|
||
Alvestrand, Jeff Hodges, Tim Howes, Steve Kille, RL "Bob" Morgan ,
|
||
and Mark Wahl, each of whom authored one or more of these documents.
|
||
RFC 2829 and RFC 2830 were products of the IETF LDAPEXT Working
|
||
Group. RFC 2251 was a product of the ASID Working Group.
|
||
|
||
This document is based upon input of the IETF LDAP Revision working
|
||
group. The contributions of its members is greatly appreciated.
|
||
|
||
13. Normative References
|
||
|
||
Harrison Expires September 2003 [Page 20]
|
||
|
||
Authentication Methods for LDAPv3
|
||
|
||
|
||
[RFC2119] Bradner, S., "Key Words for use in RFCs to Indicate
|
||
Requirement Levels", BCP 14, RFC 2119, March 1997.
|
||
|
||
[RFC2222] Myers, J., "Simple Authentication and Security Layer
|
||
(SASL)", draft-myers-saslrev-xx.txt, a work in progress.
|
||
|
||
[RFC2234] Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax
|
||
Specifications: ABNF", RFC 2234, November 1997.
|
||
|
||
[RFC2246] Dierks, T. and C. Allen. "The TLS Protocol Version 1.0",
|
||
RFC 2246, January 1999.
|
||
|
||
[RFC2831] Leach, P. and C. Newman, "Using Digest Authentication as
|
||
a SASL Mechanism", RFC 2831, May 2000.
|
||
|
||
[LDAPDN] Zeilenga, Kurt D. (editor), "LDAP: String Representation of
|
||
Distinguished Names", draft-ietf-ldapbis-dn-xx.txt, a work in
|
||
progress.
|
||
|
||
[Protocol] Sermersheim, J., "LDAP: The Protocol", draft-ietf-
|
||
ldapbis-protocol-xx.txt, a work in progress.
|
||
|
||
[ROADMAP] K. Zeilenga, "LDAP: Technical Specification Road Map",
|
||
draft-ietf-ldapbis-roadmap-xx.txt, a work in progress.
|
||
|
||
14. Informative References
|
||
|
||
[RFC2828] Shirey, R., "Internet Security Glossary", RFC 2828, May
|
||
2000.
|
||
|
||
[RFC2401] Kent, S. and R. Atkinson, "Security Architecture for the
|
||
Internet Protocol", RFC 2401, November 1998.
|
||
|
||
|
||
15. Author's Address
|
||
|
||
Roger Harrison
|
||
Novell, Inc.
|
||
1800 S. Novell Place
|
||
Provo, UT 84606
|
||
+1 801 861 2642
|
||
roger_harrison@novell.com
|
||
|
||
16. Full Copyright Statement
|
||
|
||
Copyright (C) The Internet Society (2000). All Rights Reserved.
|
||
|
||
This document and translations of it may be copied and furnished to
|
||
others, and derivative works that comment on or otherwise explain it
|
||
or assist in its implementation may be prepared, copied, published
|
||
and distributed, in whole or in part, without restriction of any
|
||
kind, provided that the above copyright notice and this paragraph
|
||
are included on all such copies and derivative works. However, this
|
||
|
||
Harrison Expires September 2003 [Page 21]
|
||
|
||
Authentication Methods for LDAPv3
|
||
|
||
document itself may not be modified in any way, such as by removing
|
||
the copyright notice or references to the Internet Society or other
|
||
Internet organizations, except as needed for the purpose of
|
||
developing Internet standards in which case the procedures for
|
||
copyrights defined in the Internet Standards process must be
|
||
followed, or as required to translate it into languages other than
|
||
English.
|
||
|
||
The limited permissions granted above are perpetual and will not be
|
||
revoked by the Internet Society or its successors or assigns.
|
||
|
||
This document and the information contained herein is provided on an
|
||
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
|
||
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
|
||
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
|
||
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
|
||
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
|
||
|
||
Appendix A. Example Deployment Scenarios
|
||
|
||
The following scenarios are typical for LDAP directories on the
|
||
Internet, and have different security requirements. (In the
|
||
following discussion, "sensitive data" refers to information whose
|
||
disclosure, alteration, destruction, or loss would adversely affect
|
||
the interests or business of its owner or user. Also note that there
|
||
may be data that is protected but not sensitive.) This is not
|
||
intended to be a comprehensive list; other scenarios are possible,
|
||
especially on physically protected networks.
|
||
|
||
(1) A read-only directory, containing no sensitive data, accessible
|
||
to "anyone", and TCP connection hijacking or IP spoofing is not
|
||
a problem. Anonymous authentication, described in section 7, is
|
||
suitable for this type of deployment, and requires no additional
|
||
security functions except administrative service limits.
|
||
|
||
(2) A read-only directory containing no sensitive data; read access
|
||
is granted based on identity. TCP connection hijacking is not
|
||
currently a problem. This scenario requires data confidentiality
|
||
for sensitive authentication information AND data integrity for
|
||
all authentication information.
|
||
|
||
(3) A read-only directory containing no sensitive data; and the
|
||
client needs to ensure the identity of the directory server and
|
||
that the directory data is not modified while being returned
|
||
from the server. A data origin authentication service AND data
|
||
integrity service are required.
|
||
|
||
(4) A read-write directory, containing no sensitive data; read
|
||
access is available to "anyone", update access to properly
|
||
authorized persons. TCP connection hijacking is not currently a
|
||
problem. This scenario requires data confidentiality for
|
||
sensitive authentication information AND data integrity for all
|
||
authentication information.
|
||
|
||
|
||
Harrison Expires September 2003 [Page 22]
|
||
|
||
Authentication Methods for LDAPv3
|
||
|
||
(5) A directory containing sensitive data. This scenario requires
|
||
data confidentiality protection AND secure authentication.
|
||
|
||
Appendix B. Authentication and Authorization: Definitions and Concepts
|
||
|
||
This appendix defines basic terms, concepts, and interrelationships
|
||
regarding authentication, authorization, credentials, and identity.
|
||
These concepts are used in describing how various security
|
||
approaches are utilized in client authentication and authorization.
|
||
|
||
B.1. Access Control Policy
|
||
|
||
An access control policy is a set of rules defining the protection
|
||
of resources, generally in terms of the capabilities of persons or
|
||
other entities accessing those resources. A common expression of an
|
||
access control policy is an access control list. Security objects
|
||
and mechanisms, such as those described here, enable the expression
|
||
of access control policies and their enforcement. Access control
|
||
policies are typically expressed in terms of access control
|
||
attributes as described below.
|
||
|
||
B.2. Access Control Factors
|
||
|
||
A request, when it is being processed by a server, may be associated
|
||
with a wide variety of security-related factors (section 4.2 of
|
||
[Protocol]). The server uses these factors to determine whether and
|
||
how to process the request. These are called access control factors
|
||
(ACFs). They might include source IP address, encryption strength,
|
||
the type of operation being requested, time of day, etc. Some
|
||
factors may be specific to the request itself, others may be
|
||
associated with the connection via which the request is transmitted,
|
||
others (e.g. time of day) may be "environmental".
|
||
|
||
Access control policies are expressed in terms of access control
|
||
factors. E.g., a request having ACFs i,j,k can perform operation Y
|
||
on resource Z. The set of ACFs that a server makes available for
|
||
such expressions is implementation-specific.
|
||
|
||
B.3. Authentication, Credentials, Identity
|
||
|
||
Authentication credentials are the evidence supplied by one party to
|
||
another, asserting the identity of the supplying party (e.g. a user)
|
||
who is attempting to establish an association with the other party
|
||
(typically a server). Authentication is the process of generating,
|
||
transmitting, and verifying these credentials and thus the identity
|
||
they assert. An authentication identity is the name presented in a
|
||
credential.
|
||
|
||
There are many forms of authentication credentials -- the form used
|
||
depends upon the particular authentication mechanism negotiated by
|
||
the parties. For example: X.509 certificates, Kerberos tickets,
|
||
simple identity and password pairs. Note that an authentication
|
||
mechanism may constrain the form of authentication identities used
|
||
with it.
|
||
|
||
Harrison Expires September 2003 [Page 23]
|
||
|
||
Authentication Methods for LDAPv3
|
||
|
||
|
||
B.4. Authorization Identity
|
||
|
||
An authorization identity is one kind of access control factor. It
|
||
is the name of the user or other entity that requests that
|
||
operations be performed. Access control policies are often expressed
|
||
in terms of authorization identities; e.g., entity X can perform
|
||
operation Y on resource Z.
|
||
|
||
The authorization identity bound to an association is often exactly
|
||
the same as the authentication identity presented by the client, but
|
||
it may be different. SASL allows clients to specify an authorization
|
||
identity distinct from the authentication identity asserted by the
|
||
client's credentials. This permits agents such as proxy servers to
|
||
authenticate using their own credentials, yet request the access
|
||
privileges of the identity for which they are proxying [RFC2222].
|
||
Also, the form of authentication identity supplied by a service like
|
||
TLS may not correspond to the authorization identities used to
|
||
express a server's access control policy, requiring a server-
|
||
specific mapping to be done. The method by which a server composes
|
||
and validates an authorization identity from the authentication
|
||
credentials supplied by a client is implementation-specific.
|
||
|
||
Appendix C. RFC 2829 Change History
|
||
|
||
This appendix lists the changes made to the text of RFC 2829 in
|
||
preparing this document.
|
||
|
||
C.0. General Editorial Changes
|
||
Version -00
|
||
|
||
- Changed other instances of the term LDAP to LDAPv3 where v3 of
|
||
the protocol is implied. Also made all references to LDAPv3 use
|
||
the same wording.
|
||
|
||
- Miscellaneous grammatical changes to improve readability.
|
||
|
||
- Made capitalization in section headings consistent.
|
||
|
||
Version -01
|
||
|
||
- Changed title to reflect inclusion of material from RFC 2830 and
|
||
2251.
|
||
|
||
C.1. Changes to Section 1
|
||
|
||
Version -01
|
||
|
||
- Moved conventions used in document to a separate section.
|
||
|
||
C.2. Changes to Section 2
|
||
|
||
Version -01
|
||
|
||
|
||
Harrison Expires September 2003 [Page 24]
|
||
|
||
Authentication Methods for LDAPv3
|
||
|
||
- Moved section to an appendix.
|
||
|
||
C.3. Changes to Section 3
|
||
|
||
Version -01
|
||
|
||
- Moved section to an appendix.
|
||
|
||
C.4 Changes to Section 4
|
||
|
||
Version -00
|
||
|
||
- Changed "Distinguished Name" to "LDAP distinguished name".
|
||
|
||
C.5. Changes to Section 5
|
||
|
||
Version -00
|
||
|
||
- Added the following sentence: "Servers SHOULD NOT allow clients
|
||
with anonymous authentication to modify directory entries or
|
||
access sensitive information in directory entries."
|
||
|
||
C.5.1. Changes to Section 5.1
|
||
|
||
Version -00
|
||
|
||
- Replaced the text describing the procedure for performing an
|
||
anonymous bind (protocol) with a reference to section 4.2 of RFC
|
||
2251 (the protocol spec).
|
||
|
||
Version -01
|
||
|
||
- Brought text describing procedure for performing an anonymous
|
||
bind from section 4.2 of RFC 2251 bis. This text will be
|
||
removed from the draft standard version of that document.
|
||
|
||
C.6. Changes to Section 6.
|
||
|
||
Version -00
|
||
|
||
Reorganized text in section 6.1 as follows:
|
||
|
||
1. Added a new section (6.1) titled "Simple Authentication" and
|
||
moved one of two introductory paragraphs for section 6 into
|
||
section 6.1. Added sentences to the paragraph indicating:
|
||
|
||
a. simple authentication is not suitable for environments where
|
||
confidentiality is not available.
|
||
|
||
b. LDAP implementations SHOULD NOT support simple
|
||
authentication unless confidentiality and data integrity
|
||
mechanisms are in force.
|
||
|
||
|
||
|
||
Harrison Expires September 2003 [Page 25]
|
||
|
||
Authentication Methods for LDAPv3
|
||
|
||
2. Moved first paragraph of section 6 (beginning with "LDAP
|
||
implementations MUST support authentication with a password<72>")
|
||
to section on Digest Authentication (Now section 6.2).
|
||
|
||
C.6.1. Changes to Section 6.1.
|
||
|
||
Version -00 Renamed section to 6.2
|
||
|
||
- Added sentence from original section 6 indicating that the
|
||
DIGEST-MD5 SASL mechanism is required for all conforming LDAPv3
|
||
implementations
|
||
|
||
C.6.2. Changes to Section 6.2
|
||
|
||
Version -00
|
||
|
||
- Renamed section to 6.3
|
||
|
||
- Reworded first paragraph to remove reference to user and the
|
||
userPassword password attribute Made the first paragraph more
|
||
general by simply saying that if a directory supports simple
|
||
authentication that the simple bind operation MAY performed
|
||
following negotiation of a TLS ciphersuite that supports
|
||
confidentiality.
|
||
|
||
- Replaced "the name of the user's entry" with "a DN" since not
|
||
all bind operations are performed on behalf of a "user."
|
||
|
||
- Added Section 6.3.1 heading just prior to paragraph 5.
|
||
|
||
- Paragraph 5: replaced "The server" with "DSAs that map the DN
|
||
sent in the bind request to a directory entry with a
|
||
userPassword attribute."
|
||
|
||
C.6.3. Changes to section 6.3.
|
||
|
||
Version -00
|
||
|
||
- Renamed to section 6.4.
|
||
|
||
C.7. Changes to section 7.
|
||
|
||
none
|
||
|
||
C.7.1. Changes to section 7.1.
|
||
|
||
Version -00
|
||
|
||
- Clarified the entity issuing a certificate by moving the phrase
|
||
"to have issued the certificate" immediately after
|
||
"Certification Authority."
|
||
|
||
C.8. Changes to section 8.
|
||
|
||
|
||
Harrison Expires September 2003 [Page 26]
|
||
|
||
Authentication Methods for LDAPv3
|
||
|
||
Version -00
|
||
|
||
- Removed the first paragraph because simple authentication is
|
||
covered explicitly in section 6.
|
||
|
||
- Added section 8.1. heading just prior to second paragraph.
|
||
|
||
- Added section 8.2. heading just prior to third paragraph.
|
||
|
||
- Added section 8.3. heading just prior to fourth paragraph.
|
||
|
||
Version -01
|
||
|
||
- Moved entire section 8 of RFC 2829 into section 3.4 (Using SASL
|
||
for Other Security Services) to bring material on SASL
|
||
mechanisms together into one location.
|
||
|
||
C.9. Changes to section 9.
|
||
|
||
Version -00
|
||
|
||
- Paragraph 2: changed "EXTERNAL mechanism" to "EXTERNAL SASL
|
||
mechanism."
|
||
|
||
- Added section 9.1. heading.
|
||
|
||
- Modified a comment in the ABNF from "unspecified userid" to
|
||
"unspecified authz id".
|
||
|
||
- Deleted sentence, "A utf8string is defined to be the UTF-8
|
||
encoding of one or more ISO 10646 characters," because it is
|
||
redundant.
|
||
|
||
- Added section 9.1.1. heading.
|
||
|
||
- Added section 9.1.2. heading.
|
||
|
||
Version -01
|
||
|
||
- Moved entire section 9 to become section 3.5 so that it would be
|
||
with other SASL material.
|
||
|
||
C.10. Changes to Section 10.
|
||
|
||
Version -00
|
||
|
||
- Updated reference to cracking from a week of CPU time in 1997 to
|
||
be a day of CPU time in 2000.
|
||
|
||
- Added text: "These ciphersuites are NOT RECOMMENDED for use...
|
||
and server implementers SHOULD" to sentence just prior the
|
||
second list of ciphersuites.
|
||
|
||
|
||
|
||
Harrison Expires September 2003 [Page 27]
|
||
|
||
Authentication Methods for LDAPv3
|
||
|
||
- Added text: "and MAY support other ciphersuites offering
|
||
equivalent or better protection," to the last paragraph of the
|
||
section.
|
||
|
||
C.11. Changes to Section 11.
|
||
|
||
Version -01
|
||
|
||
- Moved to section 3.6 to be with other SASL material.
|
||
|
||
C.12. Changes to Section 12.
|
||
|
||
Version -00
|
||
|
||
- Inserted new section 12 that specifies when SASL protections
|
||
begin following SASL negotiation, etc. The original section 12
|
||
is renumbered to become section 13.
|
||
|
||
Version -01
|
||
|
||
- Moved to section 3.7 to be with other SASL material.
|
||
|
||
C.13. Changes to Section 13 (original section 12).
|
||
|
||
None
|
||
|
||
Appendix D. RFC 2830 Change History
|
||
|
||
This appendix lists the changes made to the text of RFC 2830 in
|
||
preparing this document.
|
||
|
||
D.0. General Editorial Changes
|
||
|
||
- Material showing the PDUs for the Start TLS response was broken
|
||
out into a new section.
|
||
|
||
- The wording of the definition of the Start TLS request and Start
|
||
TLS response was changed to make them parallel. NO changes were
|
||
made to the ASN.1 definition or the associated values of the
|
||
parameters.
|
||
|
||
- A separate section heading for graceful TLS closure was added
|
||
for parallelism with section on abrupt TLS closure.
|
||
|
||
Appendix E. RFC 2251 Change History
|
||
|
||
This appendix lists the changes made to the text of RFC 2251 in
|
||
preparing this document.
|
||
|
||
E.0. General Editorial Changes
|
||
|
||
- All material from section 4.2 of RFC 2251 was moved into this
|
||
document.
|
||
|
||
|
||
Harrison Expires September 2003 [Page 28]
|
||
|
||
Authentication Methods for LDAPv3
|
||
|
||
- A new section was created for the Bind Request
|
||
|
||
- Section 4.2.1 of RFC 2251 (Sequencing Bind Request) was moved
|
||
after the section on the Bind Response for parallelism with the
|
||
presentation of the Start TLS operations. The section was also
|
||
subdivided to explicitly call out the various effects being
|
||
described within it.
|
||
|
||
- All SASL profile information from RFC 2829 was brought within
|
||
the discussion of the Bind operation (primarily sections 4.4 -
|
||
4.7).
|
||
|
||
Appendix F. Change History to Combined Document
|
||
|
||
F.1. Changes for draft-ldap-bis-authmeth-02
|
||
|
||
General
|
||
|
||
- Added references to other LDAP standard documents, to sections
|
||
within the document, and fixed broken references.
|
||
|
||
- General editorial changes<65>punctuation, spelling, formatting,
|
||
etc.
|
||
|
||
Section 1.
|
||
|
||
- Added glossary of terms and added sub-section headings
|
||
|
||
Section 2.
|
||
|
||
- Clarified security mechanisms 3, 4, & 5 and brought language in
|
||
line with IETF security glossary.
|
||
|
||
Section 3.
|
||
|
||
- Brought language in requirement (3) in line with security
|
||
glossary.
|
||
|
||
- Clarified that information fetched prior to initiation of TLS
|
||
negotiation must be discarded
|
||
|
||
-Clarified that information fetched prior to initiation of SASL
|
||
negotiation must be discarded
|
||
|
||
- Rewrote paragraph on SASL negotiation requirements to clarify
|
||
intent
|
||
|
||
Section 4.4.
|
||
|
||
- Added stipulation that sasl choice allows for any SASL mechanism
|
||
not prohibited by this document. (Resolved conflict between this
|
||
statement and one that prohibited use of ANONYMOUS and PLAIN
|
||
SASL mechanisms.)
|
||
|
||
|
||
Harrison Expires September 2003 [Page 29]
|
||
|
||
Authentication Methods for LDAPv3
|
||
|
||
Section 5.3.6
|
||
|
||
- Added a.x.bar.com to wildcard matching example on hostname
|
||
check.
|
||
|
||
Section 6
|
||
|
||
- Added LDAP Association State Transition Tables to show the
|
||
various states through which an LDAP association may pass along
|
||
with the actions and decisions required to traverse from state
|
||
to state.
|
||
|
||
Appendix A
|
||
|
||
- Brought security terminology in line with IETF security glossary
|
||
throughout the appendix.
|
||
|
||
F.2. Changes for draft-ldap-bis-authmeth-03
|
||
|
||
General
|
||
|
||
- Added introductory notes and changed title of document and
|
||
references to conform to WG chair suggestions for the overall
|
||
technical specification.
|
||
|
||
- Several issues--G.13, G.14, G.16, G.17--were resolved without
|
||
requiring changes to the document.
|
||
|
||
Section 3
|
||
|
||
- Removed reference to /etc/passwd file and associated text.
|
||
|
||
Section 4
|
||
|
||
- Removed sections 4.1, 4.2 and parts of section 4.3. This
|
||
information was being duplicated in the protocol specification
|
||
and will now reside there permanently.
|
||
Section 4.2
|
||
|
||
- changed words, "not recommended" to "strongly discouraged"
|
||
|
||
Section 4.3
|
||
|
||
- Based on ldapbis WG discussion at IETF52 two sentences were
|
||
added indicating that clients SHOULD NOT send a DN value when
|
||
binding with the sasl choice and servers SHALL ignore any value
|
||
received in this circumstance.
|
||
-
|
||
|
||
Section 8.3.1
|
||
|
||
- Generalized the language of this section to not refer to any
|
||
specific password attribute or to refer to the directory entry
|
||
as a "user" entry.
|
||
|
||
Harrison Expires September 2003 [Page 30]
|
||
|
||
Authentication Methods for LDAPv3
|
||
|
||
|
||
Section 11
|
||
|
||
- Added security consideration regarding misuse of unauthenticated
|
||
access.
|
||
|
||
- Added security consideration requiring access control to be
|
||
applied only to authenticated users and recommending it be
|
||
applied when reading sensitive information or updating directory
|
||
information.
|
||
|
||
|
||
F.3. Changes for draft-ldap-bis-authmeth-04
|
||
|
||
General
|
||
|
||
- Changed references to use [RFCnnnn] format wherever possible.
|
||
(References to works in progress still use [name] format.)
|
||
- Various edits to correct typos and bring field names, etc. in
|
||
line with specification in [Protocol] draft.
|
||
|
||
- Several issues--G.13, G.14, G.16, G.17--were resolved without
|
||
requiring changes to the document.
|
||
|
||
Section 4.4.1.
|
||
|
||
- Changed ABNF grammar to use productions that are like those in
|
||
the model draft.
|
||
|
||
Section 5
|
||
|
||
- Removed sections 5.1, 5.2, and 5.4 that will be added to
|
||
[Protocol]. Renumbered sections to accommodate this change.
|
||
-
|
||
|
||
Section 6
|
||
|
||
- Reviewed LDAP Association State table for completeness and
|
||
accuracy. Renumbered actions A3, A4, and A5 to be A5, A3, and A4
|
||
respectively. Re-ordered several lines in the table to ensure
|
||
that actions are in ascending order (makes analyzing the table
|
||
much more logical). Added action A2 to several states where it
|
||
was missing and valid. Added actions A7 and A8 placeholders to
|
||
states S1, S2, S4 and S5 pending resolution of issue G.28.
|
||
|
||
Section 11
|
||
|
||
- Modified security consideration (originally added in -03)
|
||
requiring access control to be applied only to authenticated
|
||
users. This seems nonsensical because anonymous users may have
|
||
access control applied to limit permissible actions.
|
||
-
|
||
Section 13
|
||
|
||
|
||
Harrison Expires September 2003 [Page 31]
|
||
|
||
Authentication Methods for LDAPv3
|
||
|
||
- Verified all normative references and moved informative
|
||
references to a new section 14.
|
||
|
||
F.4. Changes for draft-ldap-bis-authmeth-05
|
||
|
||
General
|
||
|
||
- General editory changes to fix punctuation, spelling, line
|
||
length issues, etc.
|
||
- Verified and updated intra- and inter-document references
|
||
throughout.
|
||
- Document-wide review for proper usage of RFC 2119 keywords with
|
||
several changes to correct improper usage.
|
||
|
||
Abstract
|
||
- Updated to match current contents of documents. This was needed
|
||
due to movement of material on Bind and Start TLS operations to
|
||
[Protocol] in this revision.
|
||
|
||
Section 3.
|
||
|
||
- Renamed section to "Rationale for LDAPv3 Security Mechanisms"
|
||
and removed text that did not support this theme. Part of the
|
||
motivation for this change was to remove the implication of the
|
||
previous section title, "Required Security Mechanisms", and
|
||
other text found in the section that everything in the section
|
||
was a requirement
|
||
|
||
- Information from several removed paragraphs that describe
|
||
deployment scenarios will be added Appendix A in the next
|
||
revision of the draft.
|
||
|
||
|
||
- Paragraph beginning, " If TLS is negotiated, the client MUST
|
||
discard all information..." was moved to section 5.1.7 and
|
||
integrated with related material there.
|
||
|
||
- Paragraph beginning, "If a SASL security layer is negotiated..."
|
||
was moved to section 4.2
|
||
|
||
Section 4.l.
|
||
|
||
- Changed wording of first paragraph to clarify meaning.
|
||
|
||
Section 4.2.
|
||
- Added paragraph from section 3 of -04 beginning, "If a SASL
|
||
security layer is negotiated..."
|
||
|
||
Section 4.3.3.
|
||
- Renamed to "Other SASL Mechanisms" and completely rewrote the
|
||
section (one sentence) to generalize the treatment of SASL
|
||
mechanisms not explicitly mentioned in this document.
|
||
|
||
Section 4.4.1.
|
||
|
||
Harrison Expires September 2003 [Page 32]
|
||
|
||
Authentication Methods for LDAPv3
|
||
|
||
|
||
- Added paragraph beginning, "The dnAuthzID choice allows client
|
||
applications..." to clarify whether DN form authorization
|
||
identities have to also have a corresponding directory entry.
|
||
This change was based on editor's perception of WG consensus.
|
||
|
||
- Made minor clarifying edits in the paragraph beginning, "The
|
||
uAuthzID choice allows for compatibility..."
|
||
|
||
Section 5.1.1.
|
||
|
||
- Made minor clarifying edits in the last paragraph of the
|
||
section.
|
||
|
||
Section 5.1.7.
|
||
|
||
- Wording from section 3 paragraph beginning " If TLS is
|
||
negotiated, the client MUST discard all information..." was
|
||
moved to this section and integrated with existing text.
|
||
|
||
Section 5.2.
|
||
|
||
- Changed usage of "TLS connection" to "TLS session" throughout.
|
||
|
||
- Removed empty section 5.2.1 and renumbered sections it had
|
||
previously contained.
|
||
|
||
Section 8.
|
||
|
||
- Added introductory paragraph at beginning of section.
|
||
|
||
Section 8.1.
|
||
|
||
- Changed term "data privacy" to "data confidentiality" to be
|
||
consistent with usage in rest of document.
|
||
|
||
Section 8.2.
|
||
|
||
- Changed first paragraph to require implementations that
|
||
implement *password-based* authentication to implement and
|
||
support DIGEST-MD5 SASL authentication.
|
||
|
||
Section 11.
|
||
|
||
- First paragraph: changed "session encryption" to "session
|
||
confidentiality protection" to be consistent with usage in rest
|
||
of document.
|
||
|
||
Appendix A.
|
||
|
||
- Began changes to incorporate information on deployment scenarios
|
||
removed from section 3.
|
||
|
||
|
||
|
||
Harrison Expires September 2003 [Page 33]
|
||
|
||
Authentication Methods for LDAPv3
|
||
|
||
Appendix G. Issues to be Resolved
|
||
|
||
This appendix lists open questions and issues that need to be
|
||
resolved before work on this document is deemed complete.
|
||
|
||
G.1.
|
||
|
||
Section 1 lists 6 security mechanisms that can be used by LDAP
|
||
servers. I'm not sure what mechanism 5, "Resource limitation by
|
||
means of administrative limits on service controls" means.
|
||
|
||
Status: resolved. Changed wording to "administrative service limits"
|
||
to clarify meaning.
|
||
|
||
G.2.
|
||
|
||
Section 2 paragraph 1 defines the term, "sensitive." Do we want to
|
||
bring this term and other security-related terms in alignment with
|
||
usage with the IETF security glossary (RFC 2828)?
|
||
|
||
Status: resolved. WG input at IETF 51 was that we should do this, so
|
||
the appropriate changes have been made.
|
||
|
||
G.3.
|
||
|
||
Section 2, deployment scenario 2: What is meant by the term "secure
|
||
authentication function?"
|
||
|
||
Status: resolved. Based on the idea that a "secure authentication
|
||
function" could be provided by TLS, I changed the wording to require
|
||
data confidentiality for sensitive authentication information and
|
||
data integrity for all authentication information.
|
||
|
||
G.4.
|
||
|
||
Section 3, deployment scenario 3: What is meant by the phrase,
|
||
"directory data is authenticated by the server?"
|
||
|
||
Status: resolved. I interpreted this to mean the ability to ensure
|
||
the identity of the directory server and the integrity of the data
|
||
sent from that server to the client, and explictly stated such.
|
||
|
||
G.5.
|
||
|
||
Section 4 paragraph 3: What is meant by the phrase, "this means that
|
||
either this data is useless for faking authentication (like the Unix
|
||
"/etc/passwd" file format used to be)?"
|
||
|
||
Status: resolved. Discussion at IETF 52 along with discussions with
|
||
the original authors of this material have convinced us that this
|
||
reference is simply too arcane to be left in place. In -03 the text
|
||
has been modified to focus on the need to either update password
|
||
information in a protected fashion outside of the protocol or to
|
||
|
||
|
||
Harrison Expires September 2003 [Page 34]
|
||
|
||
Authentication Methods for LDAPv3
|
||
|
||
update it in session well protected against snooping, and the
|
||
reference to /etc/passwd has been removed.
|
||
|
||
G.6.
|
||
|
||
Section 4 paragraph 7 begins: "For a directory needing session
|
||
protection..." Is this referring to data confidentiality or data
|
||
integrity or both?
|
||
|
||
Status: resolved. Changed wording to say, "For a directory needing
|
||
data security (both data integrity and data confidentiality)..."
|
||
|
||
G.7.
|
||
|
||
Section 4 paragraph 8 indicates that "information about the server
|
||
fetched fetched prior to the TLS negotiation" must be discarded. Do
|
||
we want to explicitly state that this applies to information fetched
|
||
prior to the *completion* of the TLS negotiation or is this going
|
||
too far?
|
||
|
||
Status: resolved. Based on comments in the IETF 51 LDAPBIS WG
|
||
meeting, this has been changed to explicitly state, "fetched prior
|
||
to the initiation of the TLS negotiation..."
|
||
|
||
G.8.
|
||
|
||
Section 4 paragraph 9 indicates that clients SHOULD check the
|
||
supportedSASLMechanisms list both before and after a SASL security
|
||
layer is negotiated to ensure that they are using the best available
|
||
security mechanism supported mutually by the client and server. A
|
||
note at the end of the paragraph indicates that this is a SHOULD
|
||
since there are environments where the client might get a list of
|
||
supported SASL mechanisms from a different trusted source.
|
||
|
||
I wonder if the intent of this could be restated more plainly using
|
||
one of these two approaches (I've paraphrased for the sake of
|
||
brevity):
|
||
|
||
Approach 1: Clients SHOULD check the supportedSASLMechanisms
|
||
list both before and after SASL negotiation or clients SHOULD
|
||
use a different trusted source to determine available supported
|
||
SASL mechanisms.
|
||
|
||
Approach 2: Clients MUST check the supportedSASLMechanisms list
|
||
both before and after SASL negotiation UNLESS they use a
|
||
different trusted source to determine available supported SASL
|
||
mechanisms.
|
||
|
||
Status: resolved. WG input at IETF 51 was that Approach 1 was
|
||
probably best. I ended up keeping the basic structure similar to the
|
||
original to meet this intent.
|
||
|
||
G.9.
|
||
|
||
|
||
Harrison Expires September 2003 [Page 35]
|
||
|
||
Authentication Methods for LDAPv3
|
||
|
||
Section 6.3.1 states: "DSAs that map the DN sent in the bind request
|
||
to a directory entry with a userPassword attribute will... compare
|
||
[each value in the named user's entry]... with the presented
|
||
password." This implies that this applies only to user entries with
|
||
userPassword attributes. What about other types of entries that
|
||
might allow passwords and might store in the password information in
|
||
other attributes? Do we want to make this text more general?
|
||
|
||
Status: resolved in -03 draft by generalizing section 8.3.1 to not
|
||
refer to any specific password attribute and by removing the term
|
||
"user" in referring to the directory entry specified by the DN in
|
||
the bind request.
|
||
|
||
G.10 userPassword and simple bind
|
||
|
||
We need to be sure that we don't require userPassword to be the only
|
||
attribute used for authenticating via simple bind. (See 2251 sec 4.2
|
||
and authmeth 6.3.1. Work with Jim Sermersheim on resolution to this.
|
||
On publication state something like: "This is the specific
|
||
implementation of what we discussed in our general reorg
|
||
conversation on the list." (Source: Kurt Zeilenga)
|
||
|
||
Status: resolved in -03 draft by generalizing section 8.3.1 to not
|
||
refer to any specific password attribute and by removing the term
|
||
"user" in referring to the directory entry specified by the DN in
|
||
the bind request.
|
||
|
||
G.11. Meaning of LDAP Association
|
||
|
||
The original RFC 2830 uses the term "LDAP association" in describing
|
||
a connection between an LDAP client and server regardless of the
|
||
state of TLS on that connection. This term needs to be defined or
|
||
possibly changed.
|
||
|
||
Status: resolved. at IETF 51 Bob Morgan indicated that the term
|
||
"LDAP association" was intended to distinguish the LDAP-level
|
||
connection from the TLS-level connection. This still needs to be
|
||
clarified somewhere in the draft. Added "LDAP association" to a
|
||
glossary in section 1.
|
||
|
||
G.12. Is DIGEST-MD5 mandatory for all implementations?
|
||
|
||
Reading 2829bis I think DIGEST-MD5 is mandatory ONLY IF your server
|
||
supports password based authentication...but the following makes it
|
||
sound mandatory to provide BOTH password authentication AND DIGEST-
|
||
MD5:
|
||
|
||
"6.2. Digest authentication
|
||
|
||
LDAP implementations MUST support authentication with a password
|
||
using the DIGEST-MD5 SASL mechanism for password protection, as
|
||
defined in section 6.1."
|
||
|
||
The thing is for acl it would be nice (though not critical) to be
|
||
|
||
Harrison Expires September 2003 [Page 36]
|
||
|
||
Authentication Methods for LDAPv3
|
||
|
||
able to default the required authentication level for a subject to a
|
||
single "fairly secure" mechanism--if there is no such mandatory
|
||
authentication scheme then you cannot do that. (Source: Rob Byrne)
|
||
|
||
Status: resolved. -00 version of the draft added a sentence at the
|
||
beginning of section 8.2 stating that LDAP server implementations
|
||
must support this method.
|
||
|
||
G.13. Ordering of authentication levels requested
|
||
|
||
Again on the subject of authentication level, is it possible to
|
||
define an ordering on authentication levels which defines their
|
||
relative "strengths" ? This would be useful in acl as you could say
|
||
things like"a given aci grants access to a given subject at this
|
||
authentication level AND ABOVE". David Chadwick raised this before
|
||
in the context of denying access to a subject at a given
|
||
authentication level, in which case he wanted to express "deny
|
||
access to this subject at this authentication level AND TO ALL
|
||
IDENTITIES AUTHENTICATED BELOW THAT LEVEL". (Source: Rob Byrne)
|
||
|
||
Status: out of scope. This is outside the scope of this document and
|
||
will not be addressed.
|
||
|
||
G.14. Document vulnerabilities of various mechanisms
|
||
|
||
While I'm here...in 2829, I think it would be good to have some
|
||
comments or explicit reference to a place where the security
|
||
properties of the particular mandatory authentication schemes are
|
||
outlined. When I say "security properties" I mean stuff like "This
|
||
scheme is vulnerable to such and such attacks, is only safe if the
|
||
key size is > 50, this hash is widely considered the best, etc...".
|
||
I think an LDAP implementor is likely to be interested in that
|
||
information, without having to wade through the security RFCs.
|
||
(Source: Rob Byrne)
|
||
|
||
Status: out of scope. This is outside the scope of this document and
|
||
will not be addressed.
|
||
|
||
G.15. Include a StartTLS state transition table
|
||
|
||
The pictoral representation it is nominally based on is here (URL
|
||
possibly folded):
|
||
|
||
http://www.stanford.edu/~hodges/doc/LDAPAssociationStateDiagram-
|
||
1999-12-14.html
|
||
|
||
(Source: Jeff Hodges)
|
||
|
||
Status: In Process. Table provided in -03. Review of content for
|
||
accuracy in -04. Additional review is needed, plus comments from WG
|
||
members indicate that additional description of each state's meaning
|
||
would be helpful.
|
||
|
||
|
||
|
||
Harrison Expires September 2003 [Page 37]
|
||
|
||
Authentication Methods for LDAPv3
|
||
|
||
G.16. Empty sasl credentials question
|
||
|
||
I spent some more time looking microscopically at ldap-auth-methods
|
||
and ldap-ext-tls drafts. The drafts say that the credential must
|
||
have the form dn:xxx or u:xxx or be absent, and although they don't
|
||
say what to do in the case of an empty octet string I would say that
|
||
we could send protocolError (claim it is a bad PDU).
|
||
|
||
There is still the question of what to do if the credential is 'dn:'
|
||
(or 'u:') followed by the empty string. (Source: ariel@columbia.edu
|
||
via Jeff Hodges)
|
||
|
||
Status: resolved. Kurt Zeilenga indicated during ldapbis WG
|
||
discussion at IETF 52 that SASL AuthzID credentials empty and absent
|
||
are equivalent in the latest SASL ID. This resolves the issue.
|
||
|
||
G.17. Hostname check from MUST to SHOULD?
|
||
|
||
I am uneasy about the hostname check. My experience from PKI with
|
||
HTTP probably is a contributing factor; we have people using the
|
||
short hostname to get to a server which naturally has the FQDN in
|
||
the certificate, no end of problems. I have a certificate on my
|
||
laptop which has the FQDN for the casse when the system is on our
|
||
Columbia network with a fixed IP; when I dial in however, I have
|
||
some horrible dialup name, and using the local https server becomes
|
||
annoying. Issuing a certificate in the name 'localhost' is not a
|
||
solution! Wildcard match does not solve this problem. For these
|
||
reasons I am inclined to argue for 'SHOULD' instead of
|
||
'MUST' in paragraph...
|
||
|
||
Also, The hostname check against the name in the certificate is a
|
||
very weak means of preventing man-in-the-middle attacks; the proper
|
||
solution is not here yet (SecureDNS or some equivalent). Faking out
|
||
DNS is not so hard, and we see this sort of thing in the press on a
|
||
pretty regular basis, where site A hijacks the DNS server for site B
|
||
and gets all their requests. Some mention of this should be made in
|
||
the draft. (Source: ariel@columbia.edu via Jeff Hodges)
|
||
|
||
Status: resolved. Based on discussion at IETF 52 ldapbis WG meeting,
|
||
this text will stand as it is. The check is a MUST, but the behavior
|
||
afterward is a SHOULD. This gives server implementations the room to
|
||
maneuver as needed.
|
||
|
||
G.18. Must SASL DN exist in the directory?
|
||
|
||
If the 'dn:' form of sasl creds is used, is it the intention of the
|
||
draft(ers) that this DN must exist in the directory and the client
|
||
will have the privileges associated with that entry, or can the
|
||
server map the sasl DN to perhaps some other DN in the directory,
|
||
in an implementation-dependent fashion?
|
||
|
||
We already know that if *no* sasl credentials are presented, the DN
|
||
or altname in the client certificate may be mapped to a DN in an
|
||
implementation-dependent fashion, or indeed to something not in the
|
||
|
||
Harrison Expires September 2003 [Page 38]
|
||
|
||
Authentication Methods for LDAPv3
|
||
|
||
directory at all. (Right?) (Source: ariel@columbia.edu via Jeff
|
||
Hodges)
|
||
|
||
Status: resolved. (11/12/02)Based on my research I propose that the
|
||
DN MUST exist in the directory when the DN form of sasl creds is
|
||
used. I have made this proposal to the ldapbis mailing list.
|
||
|
||
(11/21/02) Feedback from mailing list has proposed removing this
|
||
paragraph entirely because (1) explicit assertion of authorization
|
||
identity should only be done when proxying (2) mapping of the
|
||
asserted authorization identity is implementation specific and
|
||
policy driven [SASL] section 4.2, and (3) keeping this paragraph is
|
||
not required for interoperability.
|
||
|
||
G.19. DN used in conjunction with SASL mechanism
|
||
|
||
We need to specify whether the DN field in Bind operation can/cannot
|
||
be used when SASL mechanism is specified. (source: RL Bob)
|
||
|
||
Status: resolved. (-03) Based on ldapbis WG discussion at IETF52 two
|
||
sentences were added to section 4.3 indicating that clients SHOULD
|
||
NOT send a DN value when binding with the sasl choice and servers
|
||
SHALL ignore any value received in this circumstance. During edits
|
||
for -04 version of draft it was noted that [Protocol] section 4.2
|
||
conflicts with this draft. The editor of [Protocol] has been
|
||
notified of the discrepancy, and they have been handled.
|
||
|
||
G.20. Bind states
|
||
|
||
Differences between unauthenticated and anonymous. There are four
|
||
states you can get into. One is completely undefined (this is now
|
||
explicitly called out in [Protocol]). This text needs to be moved
|
||
from [Protocol] to this draft. (source: Jim Sermersheim)
|
||
|
||
Status: Resolved. There are four states: (1) no name, no password
|
||
(anon); (2) name, no password (anon); (3) no name, password
|
||
(invalid); (4) name, password (simple bind). States 1, 2, and 4 are
|
||
called out in [AuthMeth]. State 3 is called out in [Protocol]; this
|
||
seems appropriate based on review of alternatives.
|
||
|
||
G.21. Misuse of unauthenticated access
|
||
|
||
Add a security consideration that operational experience shows that
|
||
clients can misuse unauthenticated access (simple bind with name but
|
||
no password). Servers SHOULD by default reject authentication
|
||
requests that have a DN with an empty password with an error of
|
||
invalidCredentials. (Source: Kurt Zeilenga and Chris Newman (Sun))
|
||
|
||
Status: Resolved. Added to security considerations in <20>03.
|
||
|
||
G.22. Need to move StartTLS protocol information to [Protocol]
|
||
|
||
Status: Resolved. Removed Sections 5.1, 5.2, and 5.4 for -04 and
|
||
they are [Protocol] -11.
|
||
|
||
Harrison Expires September 2003 [Page 39]
|
||
|
||
Authentication Methods for LDAPv3
|
||
|
||
|
||
G.23. Split Normative and Non-normative references into separate
|
||
sections.
|
||
|
||
Status: Resolved. Changes made in -04
|
||
|
||
G.24. What is the authentication state if a Bind operation is
|
||
abandoned?
|
||
|
||
Status: In process. (11/12/02) This text was suggested to be added
|
||
to [Protocol] -11 to cover what happens if a bind operation is
|
||
abandoned:
|
||
|
||
"If a server receives an Abandon request for a Bind operation, the
|
||
server SHOULD leave the connection in the anonymous state. Clients
|
||
that abandon a Bind operation MUST rebind after abandoning the Bind
|
||
request in order to have a known authentication state on the
|
||
connection."
|
||
|
||
(11/21/02) Jim Sermersheim prposed the following wording on the
|
||
ldapbis mail list: "Authentication from earlier binds are
|
||
subsequently ignored. A failed or abandoned Bind Operation has the
|
||
effect of leaving the connection in an anonymous state. Clients MUST
|
||
rebind after abandoning a bind operation in order to determine a
|
||
known authentication state."
|
||
|
||
Once this is resolved in [Protocol] the state table in section 6 of
|
||
[AuthMeth] will need to be updated to reflect the consensus wording.
|
||
|
||
G.25. Difference between checking server hostname and server's
|
||
canonical DNS name in Server Identity Check?
|
||
|
||
Section 5.1.6: I now understand the intent of the check (prevent
|
||
man-in-the-middle attacks). But what is the subtle difference
|
||
between the "server hostname" and the "server's canonical DNS name"?
|
||
(Source: Tim Hahn)
|
||
|
||
Status: In Process. (11/12/02) Sent suggested wording change to this
|
||
paragraph to the ldapbis mail list and also asked for opinion as to
|
||
whether we should discuss the distinction between server DNS
|
||
hostname and server canonical DNS hostname in [AuthMeth].
|
||
|
||
(11/21/02): RL Bob Morgan will provide wording that allows
|
||
derivations of the name that are provided securely.
|
||
|
||
6.26. Server Identity Check using servers located via SRV records
|
||
|
||
Section 5.1.6: What should be done if the server was found using SRV
|
||
records based on the "locate" draft/RFC? (Source: Tim Hahn).
|
||
|
||
Status: Resolved. Section 5 of draft-ietf-ldapext-locate-08
|
||
specifically calls out how the server identity should be performed
|
||
if the server is located using the method defined in that draft.
|
||
|
||
|
||
Harrison Expires September 2003 [Page 40]
|
||
|
||
Authentication Methods for LDAPv3
|
||
|
||
This is the right location for this information, and the coverage
|
||
appears to be adequate.
|
||
|
||
G.27 Inconsistency in effect of TLS closure on LDAP association.
|
||
|
||
Section 5.4.1 of authmeth -03 (section 4.1 of RFC2830) states that
|
||
TLS closure alert will leave the LDAP association intact. Contrast
|
||
this with Section 5.5.2 (section 5.2 of RFC2830) that says that the
|
||
closure of the TLS connection MUST cause the LDAP association to
|
||
move to an anonymous authentication.
|
||
|
||
Status: in process. (11/12/02) This is actually a [Protocol] issue
|
||
because these sections have now been moved to [Protocol] -11. I have
|
||
proposed the following text for Section 5.4.1 of [AuthMeth] -03
|
||
(section 4.13.3.1 of [Protocol]) to resolve this apparent
|
||
discrepancy:
|
||
|
||
"Either the client or server MAY terminate the TLS connection on an
|
||
LDAP association by sending a TLS closure alert. The LDAP
|
||
connection remains open for further communication after TLS closure
|
||
occurs although the authentication state of the LDAP connection is
|
||
affected (see [AuthMeth] section 5.2.2).
|
||
|
||
(11/21/02): resolution to this is expected in [Protocol] -12
|
||
|
||
G.28 Ordering of external sources of authorization identities
|
||
|
||
Section 4.3.2 implies that external sources of authorization
|
||
identities other than TLS are permitted. What is the behavior when
|
||
two external sources of authentication credentials are available
|
||
(e.g. TLS and IPsec are both present (is this possible?)) and a SASL
|
||
EXTERNAL Bind operation is performed?
|
||
|
||
Status: resolved. 11/20/02: Resolved by Section 4.2 of [SASL] which
|
||
states that the decision to allow or disallow the asserted identity
|
||
is based on an implementation defined policy.
|
||
|
||
G.29 Rewrite of Section 10, TLS Ciphersuites
|
||
|
||
This section contains anachronistic references and needs to be
|
||
updated/rewritten in a way that provides useful guidance for future
|
||
readers in a way that will transcend the passage of time.
|
||
|
||
G.30 Update to Appendix A, Example Deployment Scenarios
|
||
|
||
This section needs to be updated to indicate which security
|
||
mechanisms and/or combinations of security mechanisms described
|
||
elsewhere in the document can provide the types of protections
|
||
suggested in this appendix.
|
||
|
||
|
||
|
||
|
||
|
||
Harrison Expires September 2003 [Page 41]
|
||
|