mirror of
https://git.openldap.org/openldap/openldap.git
synced 2024-12-21 03:10:25 +08:00
396 lines
14 KiB
Plaintext
396 lines
14 KiB
Plaintext
|
||
|
||
|
||
|
||
|
||
|
||
Network Working Group K. Zeilenga
|
||
Request for Comments: 4532 OpenLDAP Foundation
|
||
Category: Standards Track June 2006
|
||
|
||
|
||
Lightweight Directory Access Protocol (LDAP)
|
||
"Who am I?" Operation
|
||
|
||
Status of This Memo
|
||
|
||
This document specifies an Internet standards track protocol for the
|
||
Internet community, and requests discussion and suggestions for
|
||
improvements. Please refer to the current edition of the "Internet
|
||
Official Protocol Standards" (STD 1) for the standardization state
|
||
and status of this protocol. Distribution of this memo is unlimited.
|
||
|
||
Copyright Notice
|
||
|
||
Copyright (C) The Internet Society (2006).
|
||
|
||
Abstract
|
||
|
||
This specification provides a mechanism for Lightweight Directory
|
||
Access Protocol (LDAP) clients to obtain the authorization identity
|
||
the server has associated with the user or application entity. This
|
||
mechanism is specified as an LDAP extended operation called the LDAP
|
||
"Who am I?" operation.
|
||
|
||
1. Background and Intent of Use
|
||
|
||
This specification describes a Lightweight Directory Access Protocol
|
||
(LDAP) [RFC4510] operation that clients can use to obtain the primary
|
||
authorization identity, in its primary form, that the server has
|
||
associated with the user or application entity. The operation is
|
||
called the "Who am I?" operation.
|
||
|
||
This specification is intended to replace the existing Authorization
|
||
Identity Controls [RFC3829] mechanism, which uses Bind request and
|
||
response controls to request and return the authorization identity.
|
||
Bind controls are not protected by security layers established by the
|
||
Bind operation that includes them. While it is possible to establish
|
||
security layers using StartTLS [RFC4511][RFC4513] prior to the Bind
|
||
operation, it is often desirable to use security layers established
|
||
by the Bind operation. An extended operation sent after a Bind
|
||
operation is protected by the security layers established by the Bind
|
||
operation.
|
||
|
||
|
||
|
||
|
||
|
||
Zeilenga Standards Track [Page 1]
|
||
|
||
RFC 4532 LDAP "Who am I?" Operation June 2006
|
||
|
||
|
||
There are other cases where it is desirable to request the
|
||
authorization identity that the server associated with the client
|
||
separately from the Bind operation. For example, the "Who am I?"
|
||
operation can be augmented with a Proxied Authorization Control
|
||
[RFC4370] to determine the authorization identity that the server
|
||
associates with the identity asserted in the Proxied Authorization
|
||
Control. The "Who am I?" operation can also be used prior to the
|
||
Bind operation.
|
||
|
||
Servers often associate multiple authorization identities with the
|
||
client, and each authorization identity may be represented by
|
||
multiple authzId [RFC4513] strings. This operation requests and
|
||
returns the authzId that the server considers primary. In the
|
||
specification, the term "the authorization identity" and "the
|
||
authzId" are generally to be read as "the primary authorization
|
||
identity" and the "the primary authzId", respectively.
|
||
|
||
1.1. Conventions Used in This Document
|
||
|
||
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
|
||
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
|
||
document are to be interpreted as described in BCP 14 [RFC2119].
|
||
|
||
2. The "Who am I?" Operation
|
||
|
||
The "Who am I?" operation is defined as an LDAP Extended Operation
|
||
[RFC4511] identified by the whoamiOID Object Identifier (OID). This
|
||
section details the syntax of the operation's whoami request and
|
||
response messages.
|
||
|
||
whoamiOID ::= "1.3.6.1.4.1.4203.1.11.3"
|
||
|
||
2.1. The whoami Request
|
||
|
||
The whoami request is an ExtendedRequest with a requestName field
|
||
containing the whoamiOID OID and an absent requestValue field. For
|
||
example, a whoami request could be encoded as the sequence of octets
|
||
(in hex):
|
||
|
||
30 1e 02 01 02 77 19 80 17 31 2e 33 2e 36 2e 31
|
||
2e 34 2e 31 2e 34 32 30 33 2e 31 2e 31 31 2e 33
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Zeilenga Standards Track [Page 2]
|
||
|
||
RFC 4532 LDAP "Who am I?" Operation June 2006
|
||
|
||
|
||
2.2. The whoami Response
|
||
|
||
The whoami response is an ExtendedResponse where the responseName
|
||
field is absent and the response field, if present, is empty or an
|
||
authzId [RFC4513]. For example, a whoami response returning the
|
||
authzId "u:xxyyz@EXAMPLE.NET" (in response to the example request)
|
||
would be encoded as the sequence of octets (in hex):
|
||
|
||
30 21 02 01 02 78 1c 0a 01 00 04 00 04 00 8b 13
|
||
75 3a 78 78 79 79 7a 40 45 58 41 4d 50 4c 45 2e
|
||
4e 45 54
|
||
|
||
3. Operational Semantics
|
||
|
||
The "Who am I?" operation provides a mechanism, a whoami Request, for
|
||
the client to request that the server return the authorization
|
||
identity it currently associates with the client. It also provides a
|
||
mechanism, a whoami Response, for the server to respond to that
|
||
request.
|
||
|
||
Servers indicate their support for this extended operation by
|
||
providing a whoamiOID object identifier as a value of the
|
||
'supportedExtension' attribute type in their root DSE. The server
|
||
SHOULD advertise this extension only when the client is willing and
|
||
able to perform this operation.
|
||
|
||
If the server is willing and able to provide the authorization
|
||
identity it associates with the client, the server SHALL return a
|
||
whoami Response with a success resultCode. If the server is treating
|
||
the client as an anonymous entity, the response field is present but
|
||
empty. Otherwise, the server provides the authzId [RFC4513]
|
||
representing the authorization identity it currently associates with
|
||
the client in the response field.
|
||
|
||
If the server is unwilling or unable to provide the authorization
|
||
identity it associates with the client, the server SHALL return a
|
||
whoami Response with an appropriate non-success resultCode (such as
|
||
operationsError, protocolError, confidentialityRequired,
|
||
insufficientAccessRights, busy, unavailable, unwillingToPerform, or
|
||
other) and an absent response field.
|
||
|
||
As described in [RFC4511] and [RFC4513], an LDAP session has an
|
||
"anonymous" association until the client has been successfully
|
||
authenticated using the Bind operation. Clients MUST NOT invoke the
|
||
"Who am I?" operation while any Bind operation is in progress,
|
||
including between two Bind requests made as part of a multi-stage
|
||
|
||
|
||
|
||
|
||
|
||
Zeilenga Standards Track [Page 3]
|
||
|
||
RFC 4532 LDAP "Who am I?" Operation June 2006
|
||
|
||
|
||
Bind operation. Where a whoami Request is received in violation of
|
||
this absolute prohibition, the server should return a whoami Response
|
||
with an operationsError resultCode.
|
||
|
||
4. Extending the "Who am I?" Operation with Controls
|
||
|
||
Future specifications may extend the "Who am I?" operation using the
|
||
control mechanism [RFC4511]. When extended by controls, the "Who am
|
||
I?" operation requests and returns the authorization identity the
|
||
server associates with the client in a particular context indicated
|
||
by the controls.
|
||
|
||
4.1. Proxied Authorization Control
|
||
|
||
The Proxied Authorization Control [RFC4370] is used by clients to
|
||
request that the operation it is attached to operate under the
|
||
authorization of an assumed identity. The client provides the
|
||
identity to assume in the Proxied Authorization request control. If
|
||
the client is authorized to assume the requested identity, the server
|
||
executes the operation as if the requested identity had issued the
|
||
operation.
|
||
|
||
As servers often map the asserted authzId to another identity
|
||
[RFC4513], it is desirable to request that the server provide the
|
||
authzId it associates with the assumed identity.
|
||
|
||
When a Proxied Authorization Control is be attached to the "Who am
|
||
I?" operation, the operation requests the return of the authzId the
|
||
server associates with the identity asserted in the Proxied
|
||
Authorization Control. The authorizationDenied (123) result code is
|
||
used to indicate that the server does not allow the client to assume
|
||
the asserted identity.
|
||
|
||
5. Security Considerations
|
||
|
||
Identities associated with users may be sensitive information. When
|
||
they are, security layers [RFC4511][RFC4513] should be established to
|
||
protect this information. This mechanism is specifically designed to
|
||
allow security layers established by a Bind operation to protect the
|
||
integrity and/or confidentiality of the authorization identity.
|
||
|
||
Servers may place access control or other restrictions upon the use
|
||
of this operation. As stated in Section 3, the server SHOULD
|
||
advertise this extension when it is willing and able to perform the
|
||
operation.
|
||
|
||
As with any other extended operations, general LDAP security
|
||
considerations [RFC4510] apply.
|
||
|
||
|
||
|
||
Zeilenga Standards Track [Page 4]
|
||
|
||
RFC 4532 LDAP "Who am I?" Operation June 2006
|
||
|
||
|
||
6. IANA Considerations
|
||
|
||
The OID 1.3.6.1.4.1.4203.1.11.3 is used to identify the LDAP "Who am
|
||
I?" extended operation. This OID was assigned [ASSIGN] by the
|
||
OpenLDAP Foundation, under its IANA-assigned private enterprise
|
||
allocation [PRIVATE], for use in this specification.
|
||
|
||
Registration of this protocol mechanism [RFC4520] has been completed
|
||
by the IANA.
|
||
|
||
Subject: Request for LDAP Protocol Mechanism Registration
|
||
Object Identifier: 1.3.6.1.4.1.4203.1.11.3
|
||
Description: Who am I?
|
||
Person & email address to contact for further information:
|
||
Kurt Zeilenga <kurt@openldap.org>
|
||
Usage: Extended Operation
|
||
Specification: RFC 4532
|
||
Author/Change Controller: IESG
|
||
Comments: none
|
||
|
||
7. Acknowledgement
|
||
|
||
This document borrows from prior work in this area, including
|
||
"Authentication Response Control" [RFC3829] by Rob Weltman, Mark
|
||
Smith, and Mark Wahl.
|
||
|
||
The LDAP "Who am I?" operation takes it's name from the UNIX
|
||
whoami(1) command. The whoami(1) command displays the effective user
|
||
ID.
|
||
|
||
8. References
|
||
|
||
8.1. Normative References
|
||
|
||
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
|
||
Requirement Levels", BCP 14, RFC 2119, March 1997.
|
||
|
||
[RFC4370] Weltman, R., "Lightweight Directory Access Protocol (LDAP)
|
||
Proxied Authorization Control", RFC 4370, February 2006.
|
||
|
||
[RFC4510] Zeilenga, K., Ed., "Lightweight Directory Access Protocol
|
||
(LDAP): Technical Specification Road Map", RFC 4510, June
|
||
2006.
|
||
|
||
[RFC4511] Sermersheim, J., Ed., "Lightweight Directory Access
|
||
Protocol (LDAP): The Protocol", RFC 4511, June 2006.
|
||
|
||
|
||
|
||
|
||
|
||
Zeilenga Standards Track [Page 5]
|
||
|
||
RFC 4532 LDAP "Who am I?" Operation June 2006
|
||
|
||
|
||
[RFC4513] Harrison, R., Ed., "Lightweight Directory Access Protocol
|
||
(LDAP): Authentication Methods and Security Mechanisms",
|
||
RFC 4513, June 2006.
|
||
|
||
8.2. Informative References
|
||
|
||
[RFC3829] Weltman, R., Smith, M., and M. Wahl, "Lightweight Directory
|
||
Access Protocol (LDAP) Authorization Identity Request and
|
||
Response Controls", RFC 3829, July 2004.
|
||
|
||
[RFC4520] Zeilenga, K., "Internet Assigned Numbers Authority (IANA)
|
||
Considerations for the Lightweight Directory Access
|
||
Protocol (LDAP)", BCP 64, RFC 4520, June 2006.
|
||
|
||
[ASSIGN] OpenLDAP Foundation, "OpenLDAP OID Delegations",
|
||
http://www.openldap.org/foundation/oid-delegate.txt.
|
||
|
||
[PRIVATE] IANA, "Private Enterprise Numbers",
|
||
http://www.iana.org/assignments/enterprise-numbers.
|
||
|
||
Author's Address
|
||
|
||
Kurt D. Zeilenga
|
||
OpenLDAP Foundation
|
||
|
||
EMail: Kurt@OpenLDAP.org
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Zeilenga Standards Track [Page 6]
|
||
|
||
RFC 4532 LDAP "Who am I?" Operation June 2006
|
||
|
||
|
||
Full Copyright Statement
|
||
|
||
Copyright (C) The Internet Society (2006).
|
||
|
||
This document is subject to the rights, licenses and restrictions
|
||
contained in BCP 78, and except as set forth therein, the authors
|
||
retain all their rights.
|
||
|
||
This document and the information contained herein are provided on an
|
||
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
|
||
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
|
||
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
|
||
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
|
||
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
|
||
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
|
||
|
||
Intellectual Property
|
||
|
||
The IETF takes no position regarding the validity or scope of any
|
||
Intellectual Property Rights or other rights that might be claimed to
|
||
pertain to the implementation or use of the technology described in
|
||
this document or the extent to which any license under such rights
|
||
might or might not be available; nor does it represent that it has
|
||
made any independent effort to identify any such rights. Information
|
||
on the procedures with respect to rights in RFC documents can be
|
||
found in BCP 78 and BCP 79.
|
||
|
||
Copies of IPR disclosures made to the IETF Secretariat and any
|
||
assurances of licenses to be made available, or the result of an
|
||
attempt made to obtain a general license or permission for the use of
|
||
such proprietary rights by implementers or users of this
|
||
specification can be obtained from the IETF on-line IPR repository at
|
||
http://www.ietf.org/ipr.
|
||
|
||
The IETF invites any interested party to bring to its attention any
|
||
copyrights, patents or patent applications, or other proprietary
|
||
rights that may cover technology that may be required to implement
|
||
this standard. Please address the information to the IETF at
|
||
ietf-ipr@ietf.org.
|
||
|
||
Acknowledgement
|
||
|
||
Funding for the RFC Editor function is provided by the IETF
|
||
Administrative Support Activity (IASA).
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Zeilenga Standards Track [Page 7]
|
||
|