mirror of
https://git.openldap.org/openldap/openldap.git
synced 2024-12-21 03:10:25 +08:00
407 lines
16 KiB
Plaintext
407 lines
16 KiB
Plaintext
|
||
Internet Draft J. Sermersheim
|
||
Personal Submission R. Harrison
|
||
Intended Category: Standard Track Novell, Inc
|
||
Document: draft-sermersheim-ldap-chaining-02.txt Feb 2004
|
||
|
||
|
||
|
||
LDAP Control to Specify Chaining Behavior
|
||
|
||
|
||
Status of this Memo
|
||
|
||
This document is an Internet-Draft and is in full conformance with
|
||
all provisions of Section 10 of RFC2026.
|
||
|
||
Internet-Drafts are working documents of the Internet Engineering
|
||
Task Force (IETF), its areas, and its working groups. Note that other
|
||
groups may also distribute working documents as Internet-Drafts.
|
||
Internet-Drafts are draft documents valid for a maximum of six months
|
||
and may be updated, replaced, or obsoleted by other documents at any
|
||
time. It is inappropriate to use Internet-Drafts as reference
|
||
material or to cite them other than as "work in progress."
|
||
|
||
The list of current Internet-Drafts can be accessed at
|
||
http://www.ietf.org/ietf/1id-abstracts.txt
|
||
|
||
The list of Internet-Draft Shadow Directories can be accessed at
|
||
http://www.ietf.org/shadow.html.
|
||
|
||
Distribution of this memo is unlimited. Technical discussion of this
|
||
document will take place on the IETF LDAP Extensions Working Group
|
||
mailing list <ldapext@ietf.org>. Editorial comments may be sent to
|
||
the author <jimse@novell.com>.
|
||
|
||
|
||
Abstract
|
||
|
||
This document describes a Lightweight Directory Access Protocol
|
||
(LDAP) request control that allows specification of chaining behavior
|
||
for LDAP operations. By using the control with various LDAP
|
||
operations, a directory client (DUA), or directory server (DSA)
|
||
specifies whether or not a DSA or secondary DSA chains operations to
|
||
other DSAs or returns referrals and/or search result references to
|
||
the client.
|
||
|
||
|
||
1. Introduction
|
||
|
||
Many directory servers have the ability through the use of various
|
||
mechanisms to participate in a distributed directory model. A
|
||
distributed directory is one where the DIT is distributed over
|
||
multiple DSAs. One operation completion mechanism used by DSAs in a
|
||
distributed directory is chaining. Chaining is defined in [X.518],
|
||
and is the act of one DSA communicating a directory operation that
|
||
|
||
Sermersheim, Harrison Internet-Draft - Exp. Aug 2004 Page 1
|
||
LDAP Control to Specify Chaining Behavior
|
||
|
||
originated from a DUA to another DSA in a distributed directory.
|
||
Contrast this with the act of passing referrals (4.1.11 of [RFC2251])
|
||
and SearchResultReferences (4.5.2 of [RFC2251]) back to the client.
|
||
Chaining may happen during the name resolution part of an operation
|
||
or during other parts of operations like search which apply to a
|
||
number of entries in a subtree.
|
||
|
||
This document does not attempt to define the distributed directory
|
||
model, nor does it attempt to define the manner in which DSAs chain
|
||
requests. This document defines a request control that the client can
|
||
use to specify whether parts of an operation should or should not be
|
||
chained.
|
||
|
||
|
||
2. Conventions
|
||
|
||
The key words "MUST", "MUST NOT", "SHOULD", "SHOULD NOT", and "MAY"
|
||
used in this document carry the meanings described in [RFC2119].
|
||
|
||
The term chaining may apply to uni-chaining as well as multi-chaining
|
||
(see [X.518]) depending on the capabilities and configuration of the
|
||
DSAs.
|
||
|
||
|
||
3. The Control
|
||
|
||
Support for the control is advertised by the presence of its
|
||
controlType in the supportedControl attribute of a server's root DSE.
|
||
|
||
This control MAY be included in any LDAP request operation except
|
||
abandon, unbind, and StartTLS as part of the controls field of the
|
||
LDAPMessage, as defined in Section 4.1.12 of [RFC2251]:
|
||
|
||
The controlType is set to <IANA-ASSIGNED-OID.1>. The criticality MAY
|
||
be set to either TRUE or FALSE. The controlValue is an OCTET STRING,
|
||
whose value is the following ChainingBehavior type, BER encoded
|
||
following the rules in Section 5.1 of [RFC2251]:
|
||
|
||
ChainingBehavior ::= SEQUENCE {
|
||
resolveBehavior Behavior OPTIONAL,
|
||
continuationBehavior Behavior OPTIONAL }
|
||
|
||
Behavior :: = ENUMERATED {
|
||
chainingPreferred (0),
|
||
chainingRequired (1),
|
||
referralsPreferred (2),
|
||
referralsRequired (3) }
|
||
|
||
resolveBehavior instructs the DSA what to do when a referral is
|
||
encountered during the local name resolution part of an operation. If
|
||
this field is not specified, other policy dictates the DSA's
|
||
behavior.
|
||
|
||
|
||
|
||
Sermersheim, Harrison Internet-Draft - Exp. Aug 2004 Page 2
|
||
LDAP Control to Specify Chaining Behavior
|
||
|
||
continuationBehavior instructs the DSA what to do when a referral is
|
||
encountered after the name resolution part of an operation has
|
||
completed. This scenario occurs during search operations, and may
|
||
occur during yet to be defined future operations. If this field is
|
||
not specified, other policy dictates the DSA's behavior.
|
||
|
||
Behavior specifies whether the DSA should chain the operation or
|
||
return referrals when a target object is held by a remote service.
|
||
|
||
chainingPreferred indicates that the preference is that
|
||
chaining, rather than referrals, be used to provide the service.
|
||
When this value is set, the server attempts to chain the request
|
||
but if it can't it returns referrals.
|
||
|
||
chainingRequired indicates that chaining is to be used rather
|
||
than referrals to service the request. When this value is set,
|
||
the server MUST NOT return referrals. It either chains the
|
||
request or fails.
|
||
|
||
referralsPreferred indicates that the client wishes to receive
|
||
referrals rather than allow the server to chain the operation.
|
||
When this value is set, the server return referrals and search
|
||
references when possible, but may chain the operation otherwise.
|
||
|
||
referralsRequired indicates that chaining is prohibited. When
|
||
this value is set, the server MUST NOT chain the request to
|
||
other DSAs. Instead it returns referrals as necessary, or fails.
|
||
|
||
The following list assigns meanings to some of the result codes that
|
||
may occur due to this control being present:
|
||
|
||
- chainingRequired (IANA-ASSIGNED-1) Unable to process without
|
||
chaining.
|
||
- cannotChain (IANA-ASSIGNED-2) Unable to chain the request.
|
||
|
||
|
||
4. Notes to Implementors
|
||
|
||
<todo: add some>
|
||
|
||
|
||
4.1 Unbind and Abandon
|
||
|
||
Clients MUST NOT include the ChainingBehavior control with an Abandon
|
||
operation or an Unbind operation. Servers MUST ignore any chaining
|
||
control on the abandon and unbind requests. Servers that chain
|
||
operation are responsible to keep track of where an operation was
|
||
chained to for the purposes of unbind and abandon.
|
||
|
||
|
||
4.2 StartTLS
|
||
|
||
This operation cannot be chained because the TLS handshake protocol
|
||
does not allow man-in-the-middle attacks.
|
||
|
||
Sermersheim, Harrison Internet-Draft - Exp. Aug 2004 Page 3
|
||
LDAP Control to Specify Chaining Behavior
|
||
|
||
|
||
|
||
5. Relationship with other Extensions
|
||
|
||
This control MAY be used with other controls or with extended
|
||
operations. When it is used with other controls or with extended
|
||
operations not listed here, server behavior is undefined unless
|
||
otherwise specified.
|
||
|
||
|
||
5.1 Relationship with ManageDsaIT
|
||
|
||
When this control is used along with the ManageDsaIT control, the
|
||
resolveBehavior value is evaluated. If resolveBehavior is such that
|
||
chaining is allowed, the DSA is allowed to chain the operation as
|
||
necessary until the last RDN is found.
|
||
|
||
For example: DSA1 holds the naming context <dc=net> and a subordinate
|
||
reference to <dc=example,dc=net>, DSA2 holds the naming context
|
||
<dc=example,dc=net> and a subordinate reference to
|
||
<dc=hostc,dc=example,dc=net>.
|
||
|
||
A modify operation accompanied by the ManageDsaIT control alone is
|
||
sent to DSA1. The base object of the modify operation is set to
|
||
<dc=hostc,dc=example,dc=net>. Since DSA1 does not hold the
|
||
<dc=hostc,dc=example,dc=net> IT DSE, a referral is returned for
|
||
<dc=example,dc=net>.
|
||
|
||
Next, the same modify operation is accompanied by both the
|
||
ManageDsaIT and the ChainingBehavior control where the
|
||
ChainingBehavior.resolveBehavior is set to chainingPreferred. In this
|
||
case, DSA1 chains to DSA2 when it encounters <dc=example,dc=net> and
|
||
DSA2 continues the operation. Since DSA2 holds the IT DSE
|
||
<dc=hostc,dc=example,dc=net>, the resolve portion completes, and the
|
||
rest of the operation proceeds.
|
||
|
||
|
||
6. Security Considerations
|
||
|
||
Because this control directs a DSA to chain requests to other DSAs,
|
||
it may be used in a denial of service attack. Implementers should be
|
||
cognizant of this possibility.
|
||
|
||
This control may be used to allow access to hosts and portions of the
|
||
DIT not normally available to clients. Servers supporting this
|
||
control should provide sufficient policy to prevent unwanted
|
||
occurrences of this.
|
||
|
||
|
||
7. IANA Considerations
|
||
|
||
Registration of the following values is requested [RFC3383].
|
||
|
||
|
||
|
||
Sermersheim, Harrison Internet-Draft - Exp. Aug 2004 Page 4
|
||
LDAP Control to Specify Chaining Behavior
|
||
|
||
7.1. Object Identifiers
|
||
|
||
It is requested that IANA register upon Standards Action an LDAP
|
||
Object Identifier in identifying the protocol elements defined in
|
||
this technical specification. The following registration template is
|
||
suggested:
|
||
|
||
Subject: Request for LDAP OID Registration
|
||
Person & email address to contact for further information:
|
||
Jim Sermersheim
|
||
jimse@novell.com
|
||
Specification: RFCXXXX
|
||
Author/Change Controller: IESG
|
||
Comments:
|
||
One delegation will be made under the assigned OID:
|
||
|
||
IANA-ASSIGNED-OID.1 Chaining Behavior Request Control
|
||
|
||
|
||
7.2. LDAP Protocol Mechanism
|
||
|
||
It is requested that IANA register upon Standards Action the LDAP
|
||
protocol mechanism described in this document. The following
|
||
registration template is suggested:
|
||
|
||
Subject: Request for LDAP Protocol Mechanism Registration
|
||
Object Identifier: IANA-ASSIGNED-OID.1
|
||
Description: Chaining Behavior Request Control
|
||
Person & email address to contact for further information:
|
||
Jim Sermersheim
|
||
jimse@novell.com
|
||
Usage: Control
|
||
Specification: RFCXXXX
|
||
Author/Change Controller: IESG
|
||
Comments: none
|
||
|
||
|
||
7.3. LDAP Result Codes
|
||
|
||
It is requested that IANA register upon Standards Action the LDAP
|
||
result codes:
|
||
|
||
chainingRequired (IANA-ASSIGNED-1)
|
||
cannotChain (IANA-ASSIGNED-2)
|
||
|
||
The following registration template is suggested:
|
||
|
||
Subject: LDAP Result Code Registration
|
||
Person & email address to contact for further information:
|
||
Jim Sermersheim
|
||
jimse@novell.com
|
||
Result Code Name: chainingRequired
|
||
Result Code Name: cannotChain
|
||
Specification: RFCXXXX
|
||
|
||
Sermersheim, Harrison Internet-Draft - Exp. Aug 2004 Page 5
|
||
LDAP Control to Specify Chaining Behavior
|
||
|
||
Author/Change Controller: IESG
|
||
Comments: request consecutive result codes be assigned
|
||
|
||
|
||
8. Normative References
|
||
|
||
[X.518]
|
||
ITU-T Rec. X.511, "The Directory: Abstract Service Definition", 1993.
|
||
|
||
[RFC2119]
|
||
Bradner, Scott, "Key Words for use in RFCs to Indicate Requirement
|
||
Levels", Internet Draft, March 1997.
|
||
Available as RFC2119.
|
||
|
||
[RFC2251]
|
||
Wahl, M, S. Kille and T. Howes, "Lightweight Directory Access
|
||
Protocol (v3)", Internet Standard, December, 1997.
|
||
Available as RFC2251.
|
||
|
||
|
||
9. Authors' Addresses
|
||
|
||
Jim Sermersheim
|
||
Novell, Inc.
|
||
1800 South Novell Place
|
||
Provo, Utah 84606, USA
|
||
jimse@novell.com
|
||
+1 801 861-3088
|
||
|
||
Roger Harrison
|
||
Novell, Inc.
|
||
1800 South Novell Place
|
||
Provo, Utah 84606, USA
|
||
rharrison@novell.com
|
||
+1 801 861-2642
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Sermersheim, Harrison Internet-Draft - Exp. Aug 2004 Page 6
|
||
LDAP Control to Specify Chaining Behavior
|
||
|
||
Intellectual Property Rights
|
||
|
||
The IETF takes no position regarding the validity or scope of any
|
||
intellectual property or other rights that might be claimed to
|
||
pertain to the implementation or use of the technology described in
|
||
this document or the extent to which any license under such rights
|
||
might or might not be available; neither does it represent that it
|
||
has made any effort to identify any such rights. Information on the
|
||
IETF's procedures with respect to rights in standards-track and
|
||
standards-related documentation can be found in BCP-11. Copies of
|
||
claims of rights made available for publication and any assurances
|
||
of licenses to be made available, or the result of an attempt made
|
||
to obtain a general license or permission for the use of such
|
||
proprietary rights by implementors or users of this specification
|
||
can be obtained from the IETF Secretariat.
|
||
|
||
The IETF invites any interested party to bring to its attention any
|
||
copyrights, patents or patent applications, or other proprietary
|
||
rights which may cover technology that may be required to practice
|
||
this standard. Please address the information to the IETF Executive
|
||
Director.
|
||
|
||
|
||
Full Copyright Statement
|
||
|
||
Copyright (C) The Internet Society (2004). All Rights Reserved.
|
||
|
||
This document and translations of it may be copied and furnished to
|
||
others, and derivative works that comment on or otherwise explain
|
||
it or assist in its implementation may be prepared, copied,
|
||
published and distributed, in whole or in part, without restriction
|
||
of any kind, provided that the above copyright notice and this
|
||
paragraph are included on all such copies and derivative works.
|
||
However, this document itself may not be modified in any way, such
|
||
as by removing the copyright notice or references to the Internet
|
||
Society or other Internet organizations, except as needed for the
|
||
purpose of developing Internet standards in which case the
|
||
procedures for copyrights defined in the Internet Standards process
|
||
must be followed, or as required to translate it into languages
|
||
other than English.
|
||
|
||
The limited permissions granted above are perpetual and will not be
|
||
revoked by the Internet Society or its successors or assigns.
|
||
|
||
This document and the information contained herein is provided on
|
||
an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET
|
||
ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR
|
||
IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
|
||
THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
|
||
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
|
||
|
||
|
||
|
||
|
||
|
||
Sermersheim, Harrison Internet-Draft - Exp. Aug 2004 Page 7
|
||
|