mirror of
https://git.openldap.org/openldap/openldap.git
synced 2025-01-12 10:54:48 +08:00
508 lines
18 KiB
Plaintext
508 lines
18 KiB
Plaintext
|
||
|
||
|
||
|
||
|
||
|
||
INTERNET-DRAFT Kurt D. Zeilenga
|
||
Intended Category: Experimental OpenLDAP Foundation
|
||
Expires in six months 28 October 2005
|
||
|
||
|
||
|
||
LDAP Turn Operation
|
||
<draft-zeilenga-ldap-turn-03.txt>
|
||
|
||
|
||
1. Status of this Memo
|
||
|
||
This document is intended to be, after appropriate review and
|
||
revision, submitted to the RFC Editor for publication as an
|
||
Experimental document. Distribution of this memo is unlimited.
|
||
Technical discussion of this document will take place on the IETF LDAP
|
||
Extensions mailing list <ldapext@ietf.org>. Please send editorial
|
||
comments directly to the author <Kurt@OpenLDAP.org>.
|
||
|
||
By submitting this Internet-Draft, each author represents that any
|
||
applicable patent or other IPR claims of which he or she is aware have
|
||
been or will be disclosed, and any of which he or she becomes aware
|
||
will be disclosed, in accordance with Section 6 of BCP 79.
|
||
|
||
Internet-Drafts are working documents of the Internet Engineering Task
|
||
Force (IETF), its areas, and its working groups. Note that other
|
||
groups may also distribute working documents as Internet-Drafts.
|
||
|
||
Internet-Drafts are draft documents valid for a maximum of six months
|
||
and may be updated, replaced, or obsoleted by other documents at any
|
||
time. It is inappropriate to use Internet-Drafts as reference material
|
||
or to cite them other than as "work in progress."
|
||
|
||
The list of current Internet-Drafts can be accessed at
|
||
http://www.ietf.org/1id-abstracts.html
|
||
|
||
The list of Internet-Draft Shadow Directories can be accessed at
|
||
http://www.ietf.org/shadow.html
|
||
|
||
|
||
Copyright (C) The Internet Society (2005). All Rights Reserved.
|
||
|
||
Please see the Full Copyright section near the end of this document
|
||
for more information.
|
||
|
||
|
||
Abstract
|
||
|
||
|
||
|
||
|
||
Zeilenga LDAP Turn Op [Page 1]
|
||
|
||
INTERNET-DRAFT draft-zeilenga-ldap-turn-03 28 October 2005
|
||
|
||
|
||
This specification describes a Lightweight Directory Access Protocol
|
||
(LDAP) extended operation to reverse (or "turn") the roles of client
|
||
and server for subsequent protocol exchanges in the session, or to
|
||
enable each peer to act as both client and server with respect to the
|
||
other.
|
||
|
||
|
||
1. Background and Intent of Use
|
||
|
||
The Lightweight Directory Access Protocol (LDAP) [Roadmap][Protocol]
|
||
is a client-server protocol which typically operates over reliable
|
||
octet-stream transports such as the Transport Control Protocol (TCP).
|
||
Generally, the client initiates the stream by connecting to the
|
||
server's listener at some well-known address.
|
||
|
||
There are cases where it is desirable for the server to initiate the
|
||
stream. While it certainly is possible to write a technical
|
||
specification detailing how to implement server-initiated LDAP
|
||
sessions, this would require the design of new authentication and
|
||
other security mechanisms to support server-initiated LDAP sessions.
|
||
|
||
Instead, this document introduces an operation, the Turn operation,
|
||
which may be used to reverse the client-servers roles of the protocol
|
||
peers. This allows the initiating protocol peer to become server
|
||
(after the reversal).
|
||
|
||
As an additional feature, the Turn operation may be used to allow both
|
||
peers to act in both roles. This is useful where both peers are
|
||
directory servers that desire to request, as LDAP clients, operations
|
||
be performed by the other. This may be useful in replicated and/or
|
||
distributed environments.
|
||
|
||
This operation is intended to be used between protocol peers which
|
||
have established a mutual agreement, by means outside of the protocol,
|
||
which requires reversal of client-server roles, or allows both peers
|
||
to act both as client and server.
|
||
|
||
|
||
1.1 Terminology
|
||
|
||
Protocol elements are described using ASN.1 [X.680] with implicit
|
||
tags. The term "BER-encoded" means the element is to be encoded using
|
||
the Basic Encoding Rules [X.690] under the restrictions detailed in
|
||
Section 5.2 of [Protocol].
|
||
|
||
|
||
2. Turn Operation
|
||
|
||
|
||
|
||
|
||
Zeilenga LDAP Turn Op [Page 2]
|
||
|
||
INTERNET-DRAFT draft-zeilenga-ldap-turn-03 28 October 2005
|
||
|
||
|
||
The Turn operation is defined as a LDAP Extended Operation [Protocol,
|
||
Section 4.12] identified by the IANA-ASSIGNED-OID. The function of
|
||
the Turn Operation is to request that the client-server roles be
|
||
reversed, or, optionally to request that both protocol peers to be
|
||
able to act both as client and server in respect to the other.
|
||
|
||
|
||
2.1. Turn Request
|
||
|
||
The Turn request is an ExtendedRequest with the requestName field
|
||
containing the IANA-ASSIGNED-OID and a requestValue field is a
|
||
BER-encoded turnValue:
|
||
|
||
turnValue ::= SEQUENCE {
|
||
mutual BOOLEAN DEFAULT FALSE,
|
||
identifier LDAPString
|
||
}
|
||
|
||
A TRUE mutual field value indicates a request to allow both peers to
|
||
act both as client and server. A FALSE mutual field value indicates a
|
||
request to reserve the client and server roles.
|
||
|
||
The value of the identifier field is a locally-defined policy
|
||
identifier (typically associated with a mutual agreement for which
|
||
this turn is be executed as part of).
|
||
|
||
|
||
2.2. Turn Response
|
||
|
||
A Turn response is an ExtendedResponse where the responseName and
|
||
responseValue fields are absent. A resultCode of success is returned
|
||
if and only if the responder is willing and able to turn the session
|
||
as requested. Otherwise, a different resultCode is returned.
|
||
|
||
|
||
3. Authentication
|
||
|
||
This extension's authentication model assumes separate authentication
|
||
of the peers in each of their roles. A separate Bind exchange is
|
||
expected between the peers in their new roles to establish identities
|
||
in these roles.
|
||
|
||
Upon completion of the Turn, the responding peer in its new client
|
||
role has an anonymous association at the initiating peer in its new
|
||
server role. If the turn was mutual, the authentication association
|
||
of the initiating peer in its pre-existing client role is left intact
|
||
at the responding peer in its pre-existing server role. If the turn
|
||
was not mutual, this association is void.
|
||
|
||
|
||
|
||
Zeilenga LDAP Turn Op [Page 3]
|
||
|
||
INTERNET-DRAFT draft-zeilenga-ldap-turn-03 28 October 2005
|
||
|
||
|
||
The responding peer may establish its identity in its client role by
|
||
requesting and successfully completing a Bind operation.
|
||
|
||
The remainder of this section discuss some authentication scenarios.
|
||
In the protocol exchange illustrations, A refers to the initiating
|
||
peer (the original client) and B refers to the responding peer (the
|
||
original server).
|
||
|
||
3.1. Use with TLS and Simple Authentication
|
||
|
||
A->B: StartTLS Request
|
||
B->A: StartTLS(success) Response
|
||
A->B: Bind(Simple(cn=B,dc=example,dc=net,B's secret)) Request
|
||
B->A: Bind(success) Response
|
||
A->B: Turn(TRUE,"XXYYZ") Request
|
||
B->A: Turn(success) Response
|
||
A->B: Bind(Simple(DN/Password)) Request
|
||
B->A: Bind(Simple(cn=A,dc=example,dc=net,A's secret)) Request
|
||
A->B: Bind(success) Response
|
||
|
||
In this scenario, TLS (Transport Layer Security) [TLS] is started and
|
||
the initiating peer (the original client) establishes its identity
|
||
with the responding peer prior to the Turn using the the DN/password
|
||
mechanism of the Simple method of the Bind operation. After the turn,
|
||
the responding peer in its new client role establishes its identity
|
||
with the initiating peer in its new server role.
|
||
|
||
|
||
3.2. Use with TLS and SASL EXTERNAL
|
||
|
||
A->B: StartTLS Request
|
||
B->A: StartTLS(success) Response
|
||
A->B: Bind(SASL(EXTERNAL)) Request
|
||
B->A: Bind(success) Response
|
||
A->B: Turn(TRUE,"XXYYZ") Request
|
||
B->A: Turn(success) Response
|
||
B->A: Bind(SASL(EXTERNAL)) Request
|
||
A->B: Bind(success) Response
|
||
|
||
In this scenario, TLS is started prior with each peer providing a
|
||
valid certificate and the initiating peer (the original client)
|
||
establishes its identity through the use of the EXTERNAL mechanism of
|
||
the SASL (Simple Authentication and Security Layer) [SASL] method of
|
||
the Bind operation prior to the Turn. After the turn, the responding
|
||
peer in its new client role establishes its identity with the
|
||
initiating peer in its new server role.
|
||
|
||
|
||
|
||
|
||
|
||
Zeilenga LDAP Turn Op [Page 4]
|
||
|
||
INTERNET-DRAFT draft-zeilenga-ldap-turn-03 28 October 2005
|
||
|
||
|
||
3.3. Use of mutual authentication and SASL EXTERNAL
|
||
|
||
A number of SASL mechanisms, such as GSSAPI [GSSAPI] and DIGEST-MD5
|
||
[DIGEST-MD5], support mutual authentication. The initiating peer, it
|
||
its new server role, may use the identity of the responding peer
|
||
established by a prior authentication exchange, as its source for
|
||
"external" identity in subsequent EXTERNAL exchange.
|
||
|
||
A->B: Bind(SASL(GSSAPI)) Request
|
||
<intermediate messages>
|
||
B->A: Bind(success) Response
|
||
A->B: Turn(TRUE,"XXYYZ") Request
|
||
B->A: Turn(success) Response
|
||
B->A: Bind(SASL(EXTERNAL)) Request
|
||
A->B: Bind(success) Response
|
||
|
||
In this scenario, a GSSAPI mutual-authentication exchange is completed
|
||
between the initiating peer (the original client) and the the
|
||
responding server (the original server) prior to the turn. After the
|
||
turn, the responding peer in its new client role requests the
|
||
initiating peer utilize an "external" identity to establish its LDAP
|
||
authorization identity.
|
||
|
||
|
||
4. TLS and SASL security layers
|
||
|
||
As described in [Protocol], LDAP supports both Transport Layer
|
||
Security (TLS) [TLS] and Simple Authentication and Security Layer
|
||
(SASL) [SASL] security frameworks. The following table illustrates
|
||
the relationship between the LDAP message layer, SASL layer, TLS
|
||
layer, and transport connection within an LDAP session.
|
||
|
||
+----------------------+
|
||
| LDAP message layer |
|
||
+----------------------+ > LDAP PDUs
|
||
+----------------------+ < data
|
||
| SASL layer |
|
||
+----------------------+ > SASL-protected data
|
||
+----------------------+ < data
|
||
| TLS layer |
|
||
Application +----------------------+ > TLS-protected data
|
||
------------+----------------------+ < data
|
||
Transport | transport connection |
|
||
+----------------------+
|
||
|
||
This extension does not alter this relationship, nor does it remove
|
||
the general restriction against multiple TLS layers, nor does it
|
||
remove the general restriction against multiple SASL layers.
|
||
|
||
|
||
|
||
Zeilenga LDAP Turn Op [Page 5]
|
||
|
||
INTERNET-DRAFT draft-zeilenga-ldap-turn-03 28 October 2005
|
||
|
||
|
||
As specified in [Protocol], the StartTLS operation is used to initiate
|
||
negotiation of a TLS layer. If a TLS is already installed, the
|
||
StartTLS operation must fail. Upon establishment of the TLS layer,
|
||
regardless of which peer issued the request to start TLS, the peer
|
||
which initiated the LDAP session (the original client) performs the
|
||
"server identity check" as described in Section 3.1.5 of [AuthMeth]
|
||
treating itself as the "client" and its peer as the "server".
|
||
|
||
As specified in [SASL], newly negotiated SASL security layer replace
|
||
the installed SASL security layer. Though the client/server roles in
|
||
LDAP, and hence SASL, may be reversed in subsequent exchanges, only
|
||
one SASL security layer may be installed at any instance.
|
||
|
||
|
||
5. Security Considerations
|
||
|
||
Implementors should be aware that the reversing of client/server roles
|
||
and/or allowing both peers to act as client and server likely
|
||
introduces security considerations not foreseen by the authors of this
|
||
document. In particular, the security implications of the design
|
||
choices made in the authentication and data security models for this
|
||
extension (discussed in sections 3 and 4, respectively) are not fully
|
||
studied. It is hoped that experimentation with this extension will
|
||
lead to better understanding of the security implications of these
|
||
models and other aspects of this extension, and that appropriate
|
||
considerations will be documented in a future document. The following
|
||
security considerations are apparent at this time.
|
||
|
||
Implementors should take special care to process LDAP, SASL, TLS, and
|
||
other events the appropriate roles for the peers. It is noted that
|
||
while the Turn reverses the client/server roles with LDAP, and in SASL
|
||
authentication exchanges, it does not reverse the roles within the TLS
|
||
layer or the transport connection.
|
||
|
||
The responding server (the original server) should restrict use of
|
||
this operation to authorized clients. Client knowledge of a valid
|
||
identifier should not be the sole factor in determining authorization
|
||
to turn.
|
||
|
||
Where the peers except to establish TLS, TLS should be started prior
|
||
to the Turn and any request to authenticate via the Bind operation.
|
||
|
||
LDAP security considerations [Protocol][AuthMeth] generally apply to
|
||
this extension.
|
||
|
||
|
||
6. IANA Considerations
|
||
|
||
|
||
|
||
|
||
Zeilenga LDAP Turn Op [Page 6]
|
||
|
||
INTERNET-DRAFT draft-zeilenga-ldap-turn-03 28 October 2005
|
||
|
||
|
||
Registration of the following values [BCP64bis] is requested.
|
||
|
||
|
||
6.1. Object Identifier
|
||
|
||
It is requested that IANA assign an LDAP Object Identifier to identify
|
||
the LDAP Turn Operation as defined in this document.
|
||
|
||
Subject: Request for LDAP Object Identifier Registration
|
||
Person & email address to contact for further information:
|
||
Kurt Zeilenga <kurt@OpenLDAP.org>
|
||
Specification: RFC XXXX
|
||
Author/Change Controller: Author
|
||
Comments:
|
||
Identifies the LDAP Turn Operation
|
||
|
||
|
||
6.2. LDAP Protocol Mechanism
|
||
|
||
It is requested that IANA register the LDAP Protocol Mechanism
|
||
described in this document.
|
||
|
||
Subject: Request for LDAP Protocol Mechanism Registration
|
||
Object Identifier: IANA-ASSIGNED-OID
|
||
Description: LDAP Turn Operation
|
||
Person & email address to contact for further information:
|
||
Kurt Zeilenga <kurt@openldap.org>
|
||
Usage: Extended Operation
|
||
Specification: RFC XXXX
|
||
Author/Change Controller: Author
|
||
Comments: none
|
||
|
||
|
||
7. Author's Address
|
||
|
||
Kurt D. Zeilenga
|
||
OpenLDAP Foundation
|
||
|
||
Email: Kurt@OpenLDAP.org
|
||
|
||
|
||
8. References
|
||
|
||
[[Note to the RFC Editor: please replace the citation tags used in
|
||
referencing Internet-Drafts with tags of the form RFCnnnn where
|
||
possible.]]
|
||
|
||
|
||
|
||
|
||
|
||
Zeilenga LDAP Turn Op [Page 7]
|
||
|
||
INTERNET-DRAFT draft-zeilenga-ldap-turn-03 28 October 2005
|
||
|
||
|
||
8.1. Normative References
|
||
|
||
[Roadmap] Zeilenga, K. (editor), "LDAP: Technical Specification
|
||
Road Map", draft-ietf-ldapbis-roadmap-xx.txt, a work in
|
||
progress.
|
||
|
||
[Protocol] Sermersheim, J. (editor), "LDAP: The Protocol",
|
||
draft-ietf-ldapbis-protocol-xx.txt, a work in progress.
|
||
|
||
[AuthMeth] Harrison, R. (editor), "LDAP: Authentication Methods and
|
||
Connection Level Security Mechanisms",
|
||
draft-ietf-ldapbis-authmeth-xx.txt, a work in progress.
|
||
|
||
[SASL] Melnikov, A. (Editor), "Simple Authentication and
|
||
Security Layer (SASL)",
|
||
draft-ietf-sasl-rfc2222bis-xx.txt, a work in progress.
|
||
|
||
[TLS] Dierks, T. and, E. Rescorla, "The TLS Protocol Version
|
||
1.1", draft-ietf-tls-rfc2246-bis-xx.txt, a work in
|
||
progress.
|
||
|
||
[X.680] International Telecommunication Union -
|
||
Telecommunication Standardization Sector, "Abstract
|
||
Syntax Notation One (ASN.1) - Specification of Basic
|
||
Notation", X.680(2002) (also ISO/IEC 8824-1:2002).
|
||
|
||
[X.690] International Telecommunication Union -
|
||
Telecommunication Standardization Sector, "Specification
|
||
of ASN.1 encoding rules: Basic Encoding Rules (BER),
|
||
Canonical Encoding Rules (CER), and Distinguished
|
||
Encoding Rules (DER)", X.690(2002) (also ISO/IEC
|
||
8825-1:2002).
|
||
|
||
|
||
8.2. Informative References
|
||
|
||
[BCP64bis] Zeilenga, K., "IANA Considerations for LDAP",
|
||
draft-ietf-ldapbis-bcp64-xx.txt, a work in progress.
|
||
|
||
[GSSAPI] Linn, J., "Generic Security Service
|
||
Application Program Interface, Version 2, Update 1", RFC
|
||
2743, January 2000.
|
||
|
||
[DIGEST-MD5] Leach, P., C. Newman, and A. Melnikov, "Using Digest
|
||
Authentication as a SASL Mechanism",
|
||
draft-ietf-sasl-rfc2831bis-xx.txt, a work in progress.
|
||
|
||
|
||
|
||
|
||
|
||
Zeilenga LDAP Turn Op [Page 8]
|
||
|
||
INTERNET-DRAFT draft-zeilenga-ldap-turn-03 28 October 2005
|
||
|
||
|
||
Intellectual Property Rights
|
||
|
||
The IETF takes no position regarding the validity or scope of any
|
||
Intellectual Property Rights or other rights that might be claimed to
|
||
pertain to the implementation or use of the technology described in
|
||
this document or the extent to which any license under such rights
|
||
might or might not be available; nor does it represent that it has
|
||
made any independent effort to identify any such rights. Information
|
||
on the procedures with respect to rights in RFC documents can be found
|
||
in BCP 78 and BCP 79.
|
||
|
||
Copies of IPR disclosures made to the IETF Secretariat and any
|
||
assurances of licenses to be made available, or the result of an
|
||
attempt made to obtain a general license or permission for the use of
|
||
such proprietary rights by implementers or users of this specification
|
||
can be obtained from the IETF on-line IPR repository at
|
||
http://www.ietf.org/ipr.
|
||
|
||
The IETF invites any interested party to bring to its attention any
|
||
copyrights, patents or patent applications, or other proprietary
|
||
rights that may cover technology that may be required to implement
|
||
this standard. Please address the information to the IETF at
|
||
ietf-ipr@ietf.org.
|
||
|
||
|
||
|
||
Full Copyright
|
||
|
||
Copyright (C) The Internet Society (2005).
|
||
|
||
This document is subject to the rights, licenses and restrictions
|
||
contained in BCP 78, and except as set forth therein, the authors
|
||
retain all their rights.
|
||
|
||
This document and the information contained herein are provided on an
|
||
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
|
||
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
|
||
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
|
||
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
|
||
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
|
||
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Zeilenga LDAP Turn Op [Page 9]
|
||
|