mirror of
https://git.openldap.org/openldap/openldap.git
synced 2024-12-27 03:20:22 +08:00
396 lines
14 KiB
Plaintext
396 lines
14 KiB
Plaintext
|
||
|
||
|
||
|
||
|
||
|
||
INTERNET-DRAFT Kurt D. Zeilenga
|
||
Intended Category: Standard Track OpenLDAP Foundation
|
||
Expires in six months 1 November 2002
|
||
|
||
|
||
|
||
LDAP "Who am I?" Operation
|
||
<draft-zeilenga-ldap-authzid-08.txt>
|
||
|
||
|
||
Status of this Memo
|
||
|
||
This document is an Internet-Draft and is in full conformance with all
|
||
provisions of Section 10 of RFC2026.
|
||
|
||
This document is intended to be, after appropriate review and
|
||
revision, submitted to the RFC Editor as a Standard Track document.
|
||
Distribution of this memo is unlimited. Technical discussion of this
|
||
document will take place on the IETF LDAP Extension Working Group
|
||
mailing list <ldapext@ietf.org>. Please send editorial comments
|
||
directly to the author <Kurt@OpenLDAP.org>.
|
||
|
||
Internet-Drafts are working documents of the Internet Engineering Task
|
||
Force (IETF), its areas, and its working groups. Note that other
|
||
groups may also distribute working documents as Internet-Drafts.
|
||
Internet-Drafts are draft documents valid for a maximum of six months
|
||
and may be updated, replaced, or obsoleted by other documents at any
|
||
time. It is inappropriate to use Internet-Drafts as reference
|
||
material or to cite them other than as ``work in progress.''
|
||
|
||
The list of current Internet-Drafts can be accessed at
|
||
<http://www.ietf.org/ietf/1id-abstracts.txt>. The list of
|
||
Internet-Draft Shadow Directories can be accessed at
|
||
<http://www.ietf.org/shadow.html>.
|
||
|
||
Copyright 2002, The Internet Society. All Rights Reserved.
|
||
|
||
Please see the Copyright section near the end of this document for
|
||
more information.
|
||
|
||
|
||
Abstract
|
||
|
||
This specification provides a mechanism for Lightweight Directory
|
||
Access Protocol (LDAP) clients to obtain the authorization identity
|
||
which the server has associated with the user or application entity.
|
||
This mechanism is specified as an LDAP extended operation called the
|
||
LDAP "Who am I?" operation.
|
||
|
||
|
||
|
||
Zeilenga LDAP "Who am I?" [Page 1]
|
||
|
||
INTERNET-DRAFT draft-zeilenga-ldap-authzid-08 1 November 2002
|
||
|
||
|
||
Conventions
|
||
|
||
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
|
||
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
|
||
document are to be interpreted as described in BCP 14 [RFC2119].
|
||
|
||
|
||
1. Background and Intent of Use
|
||
|
||
This specification describes a Lightweight Directory Access Protocol
|
||
(LDAP) [RFC3377] operation which clients can use to obtain the primary
|
||
authorization identity in its primary form which the server has
|
||
associated with the user or application entity. The operation is
|
||
called the "Who am I?" operation.
|
||
|
||
This specification is intended to replace the existing [AUTHCTL]
|
||
mechanism which uses Bind request and response controls to request and
|
||
return the authorization identity. Bind controls are not protected by
|
||
the security layers established by the Bind operation which they are
|
||
transferred as part of. While it is possible to establish security
|
||
layers using Start TLS [RFC2830] prior to the Bind operation, it is
|
||
often desirable to use security layers established by the Bind
|
||
operation. An extended operation sent after a Bind operation is
|
||
protected by the security layers established by the Bind operation.
|
||
|
||
There are other cases where it is desirable to request the
|
||
authorization identity which the server associated with the client
|
||
separately from the Bind operation. For example, the "Who am I?"
|
||
operation can be augmented with a Proxied Authorization Control
|
||
[PROXYCTL] to determine the authorization identity which the server
|
||
associates with the identity asserted in the Proxied Authorization
|
||
Control. The "Who am I?" operation can also be used prior to the Bind
|
||
operation.
|
||
|
||
Servers often associate multiple authorization identities with the
|
||
client and each authorization identity may be represented by multiple
|
||
authzId [RFC2829] strings. This operation requests and returns the
|
||
authzId the server considers to be primary. In the specification, the
|
||
term "the authorization identity" and "the authzId" are generally to
|
||
be read as "the primary authorization identity" and the "the primary
|
||
authzId", respectively.
|
||
|
||
|
||
2. The "Who am I?" Operation
|
||
|
||
The "Who am I?" operation is defined as an LDAP Extended Operation
|
||
[RFC2251, Section 4.12] identified by the whoamiOID Object Identifier
|
||
(OID). This section details the syntax of the operation's whoami
|
||
|
||
|
||
|
||
Zeilenga LDAP "Who am I?" [Page 2]
|
||
|
||
INTERNET-DRAFT draft-zeilenga-ldap-authzid-08 1 November 2002
|
||
|
||
|
||
request and response messages.
|
||
|
||
whoamiOID ::= "1.3.6.1.4.1.4203.1.11.3"
|
||
|
||
|
||
2.1. The whoami Request
|
||
|
||
The whoami request is an ExtendedRequest with the requestName field
|
||
containing the whoamiOID OID and an absent requestValue field. For
|
||
example, a whoami request could be encoded as the sequence of octets
|
||
(in hex):
|
||
|
||
30 1e 02 01 02 77 19 80 17 31 2e 33 2e 36 2e 31
|
||
2e 34 2e 31 2e 34 32 30 33 2e 31 2e 31 31 2e 33
|
||
|
||
|
||
2.2. The whoami Response
|
||
|
||
The whoami response is an ExtendedResponse where the responseName
|
||
field is absent and the response field, if present, is empty or an
|
||
authzId [RFC2829]. For example, a whoami response returning the
|
||
authzId "u:kurt@OPENLDAP.ORG" (in response to the example request)
|
||
would be encoded as the sequence of octets (in hex):
|
||
|
||
30 21 02 01 02 78 1c 0a 01 00 04 00 04 00 8b 13
|
||
75 3a 6b 75 72 74 40 4f 50 45 4e 4c 44 41 50 2e
|
||
4f 52 47
|
||
|
||
|
||
3. Operational Semantics
|
||
|
||
The "Who am I?" operation provides a mechanism, a whoami Request, for
|
||
the client to request that the server returns the authorization
|
||
identity it currently associates with the client and provides a
|
||
mechanism, a whoami Response, for the server to respond to that
|
||
request.
|
||
|
||
If the server is willing and able to provide the authorization
|
||
identity it associates with the client, the server SHALL return a
|
||
whoami Response with a success resultCode. If the server is treating
|
||
the client as an anonymous entity, the response field is present but
|
||
empty. Otherwise the server provides the authzId [RFC2829]
|
||
representing the authorization identity it currently associates with
|
||
the client in the response field.
|
||
|
||
If the server is unwilling or unable to provide the authorization
|
||
identity it associates with the client, the server SHALL return a
|
||
whoami Response with an appropriate non-success resultCode (such as
|
||
|
||
|
||
|
||
Zeilenga LDAP "Who am I?" [Page 3]
|
||
|
||
INTERNET-DRAFT draft-zeilenga-ldap-authzid-08 1 November 2002
|
||
|
||
|
||
operationsError, protocolError, confidentialityRequired,
|
||
insufficientAccessRights, busy, unavailable, unwillingToPerform, or
|
||
other) and an absent response field.
|
||
|
||
As described in [RFC2251] and [RFC2829], an LDAP session has an
|
||
"anonymous" association until the client has been successfully
|
||
authenticated using the Bind operation. Clients MUST NOT invoke the
|
||
"Who Am I?" operation while any Bind operation is in progress,
|
||
including between two Bind requests made as part of a multi-stage Bind
|
||
operation.
|
||
|
||
|
||
4. Extending the "Who am I?" operation with controls
|
||
|
||
Future specifications may extend the "Who am I?" operation using the
|
||
control mechanism [RFC2251]. When extended by controls, the "Who am
|
||
I?" operation requests and returns the authorization identity the
|
||
server associates with the client in a particular context indicated by
|
||
the controls.
|
||
|
||
|
||
4.1. Proxied Authorization Control
|
||
|
||
The Proxied Authorization Control [PROXYCTL] is used by clients to
|
||
request that the operation it is attached to operates under the
|
||
authorization of an assumed identity. The client provides the
|
||
identity to assume in the Proxied Authorization request control. If
|
||
the client is authorized to assume the requested identity, the server
|
||
executes the operation as if the requested identity had issued the
|
||
operation.
|
||
|
||
As servers often map the asserted authzId to another identity
|
||
[RFC2829], it is desirable to request the server provide the authzId
|
||
it associates with the assumed identity.
|
||
|
||
When a Proxied Authorization Control is be attached to the "Who Am I?"
|
||
operation, the operation requests the return of the authzId the server
|
||
associates with the identity asserted in the Proxied Authorization
|
||
Control. The TBD result code is used to indicate that the server does
|
||
not allow the client to assume the asserted identity. [[Note to RFC
|
||
Editor: TBD is to be replaced with the name/code assigned by IANA for
|
||
[PROXYCTL] use.]]
|
||
|
||
|
||
5. Security Considerations
|
||
|
||
Identities associated with users may be sensitive information. When
|
||
so, security layers [RFC2829][RFC2830] should be established to
|
||
|
||
|
||
|
||
Zeilenga LDAP "Who am I?" [Page 4]
|
||
|
||
INTERNET-DRAFT draft-zeilenga-ldap-authzid-08 1 November 2002
|
||
|
||
|
||
protect this information. This mechanism is specifically designed to
|
||
allow security layers established by a Bind operation to protect the
|
||
integrity and/or confidentiality of the authorization identity.
|
||
|
||
Servers may place access control or other restrictions upon the use of
|
||
this operation.
|
||
|
||
As with any other extended operations, general LDAP security
|
||
considerations [RFC3377] apply.
|
||
|
||
|
||
6. IANA Considerations
|
||
|
||
This OID 1.3.6.1.4.1.4203.1.11.3 to identify the LDAP "Who Am I?
|
||
extended operation. This OID was assigned [ASSIGN] by OpenLDAP
|
||
Foundation, under its IANA-assigned private enterprise allocation
|
||
[PRIVATE], for use in this specification.
|
||
|
||
Registration of this protocol mechansism is requested [RFC3383].
|
||
|
||
Subject: Request for LDAP Protocol Mechansism Registration
|
||
|
||
Object Identifier: 1.3.6.1.4.1.4203.1.11.3
|
||
|
||
Description: Who am I?
|
||
|
||
Person & email address to contact for further information:
|
||
Kurt Zeilenga <kurt@openldap.org>
|
||
|
||
Usage: Extended Operation
|
||
|
||
Specification: RFCxxxx
|
||
|
||
Author/Change Controller: IESG
|
||
|
||
Comments: none
|
||
|
||
|
||
7. Acknowledgment
|
||
|
||
This document borrows from prior work in this area including
|
||
"Authentication Response Control" [AUTHCTL] by Rob Weltman, Mark Smith
|
||
and Mark Wahl.
|
||
|
||
The LDAP "Who am I?" operation takes it name from the UNIX whoami(1)
|
||
command. The whoami(1) command displays the effective user id.
|
||
|
||
|
||
|
||
|
||
|
||
Zeilenga LDAP "Who am I?" [Page 5]
|
||
|
||
INTERNET-DRAFT draft-zeilenga-ldap-authzid-08 1 November 2002
|
||
|
||
|
||
8. Author's Address
|
||
|
||
Kurt D. Zeilenga
|
||
OpenLDAP Foundation
|
||
<Kurt@OpenLDAP.org>
|
||
|
||
|
||
9. Normative References
|
||
|
||
[RFC2119] S. Bradner, "Key words for use in RFCs to Indicate
|
||
Requirement Levels", BCP 14 (also RFC 2119), March 1997.
|
||
|
||
[RFC2251] M. Wahl, T. Howes, S. Kille, "Lightweight Directory Access
|
||
Protocol (v3)", RFC 2251, December 1997.
|
||
|
||
[RFC2829] M. Wahl, H. Alvestrand, J. Hodges, RL "Bob" Morgan,
|
||
"Authentication Methods for LDAP", RFC 2829, June 2000.
|
||
|
||
[RFC2830] J. Hodges, R. Morgan, and M. Wahl, "Lightweight Directory
|
||
Access Protocol (v3): Extension for Transport Layer
|
||
Security", RFC 2830, May 2000.
|
||
|
||
[RFC3377] J. Hodges, R. Morgan, "Lightweight Directory Access
|
||
Protocol (v3): Technical Specification", RFC 3377,
|
||
September 2002.
|
||
|
||
[PROXYCTL] R. Weltman, "LDAP Proxied Authentication Control", draft-
|
||
weltman-ldapv3-proxy-xx.txt (a work in progress).
|
||
|
||
|
||
10. Informative References
|
||
|
||
[RFC3383] K. Zeilenga, "IANA Considerations for LDAP", BCP 64 (also
|
||
RFC 3383), September 2002.
|
||
|
||
[ASSIGN] OpenLDAP Foundation, "OpenLDAP OID Delegations",
|
||
http://www.openldap.org/foundation/oid-delegate.txt.
|
||
|
||
[AUTHCTL] R. Weltman, M. Smith, M. Wahl, "LDAP Authentication
|
||
Response Control", draft-weltman-ldapv3-auth-response-
|
||
xx.txt (a work in progress).
|
||
|
||
[PRIVATE] IANA, "Private Enterprise Numbers",
|
||
http://www.iana.org/assignments/enterprise-numbers.
|
||
|
||
|
||
Copyright 2002, The Internet Society. All Rights Reserved.
|
||
|
||
|
||
|
||
|
||
Zeilenga LDAP "Who am I?" [Page 6]
|
||
|
||
INTERNET-DRAFT draft-zeilenga-ldap-authzid-08 1 November 2002
|
||
|
||
|
||
This document and translations of it may be copied and furnished to
|
||
others, and derivative works that comment on or otherwise explain it
|
||
or assist in its implementation may be prepared, copied, published and
|
||
distributed, in whole or in part, without restriction of any kind,
|
||
provided that the above copyright notice and this paragraph are
|
||
included on all such copies and derivative works. However, this
|
||
document itself may not be modified in any way, such as by removing
|
||
the copyright notice or references to the Internet Society or other
|
||
Internet organizations, except as needed for the purpose of
|
||
developing Internet standards in which case the procedures for
|
||
copyrights defined in the Internet Standards process must be followed,
|
||
or as required to translate it into languages other than English.
|
||
|
||
The limited permissions granted above are perpetual and will not be
|
||
revoked by the Internet Society or its successors or assigns.
|
||
|
||
This document and the information contained herein is provided on an
|
||
"AS IS" basis and THE AUTHORS, THE INTERNET SOCIETY, AND THE INTERNET
|
||
ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED,
|
||
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
|
||
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
|
||
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Zeilenga LDAP "Who am I?" [Page 7]
|
||
|