mirror of
https://git.openldap.org/openldap/openldap.git
synced 2024-12-27 03:20:22 +08:00
341 lines
12 KiB
Plaintext
341 lines
12 KiB
Plaintext
|
||
|
||
|
||
|
||
|
||
INTERNET-DRAFT Kurt D. Zeilenga
|
||
Intended Category: Standard Track OpenLDAP Foundation
|
||
Expires in six months 18 July 2004
|
||
|
||
|
||
The LDAP Assertion Control
|
||
<draft-zeilenga-ldap-assert-03.txt>
|
||
|
||
|
||
Status of this Memo
|
||
|
||
This document is intended to be, after appropriate review and
|
||
revision, submitted to the IESG for consideration as a Standard Track
|
||
document. Distribution of this memo is unlimited. Technical
|
||
discussion of this document will take place on the IETF LDAP
|
||
Extensions mailing list <ldapext@ietf.org>. Please send editorial
|
||
comments directly to the author <Kurt@OpenLDAP.org>.
|
||
|
||
By submitting this Internet-Draft, I accept the provisions of Section
|
||
4 of RFC 3667. By submitting this Internet-Draft, I certify that any
|
||
applicable patent or other IPR claims of which I am aware have been
|
||
disclosed, or will be disclosed, and any of which I become aware will
|
||
be disclosed, in accordance with RFC 3668.
|
||
|
||
Internet-Drafts are working documents of the Internet Engineering Task
|
||
Force (IETF), its areas, and its working groups. Note that other
|
||
groups may also distribute working documents as Internet-Drafts.
|
||
|
||
Internet-Drafts are draft documents valid for a maximum of six months
|
||
and may be updated, replaced, or obsoleted by other documents at any
|
||
time. It is inappropriate to use Internet-Drafts as reference material
|
||
or to cite them other than as "work in progress."
|
||
|
||
The list of current Internet-Drafts can be accessed at
|
||
<http://www.ietf.org/ietf/1id-abstracts.txt>. The list of
|
||
Internet-Draft Shadow Directories can be accessed at
|
||
<http://www.ietf.org/shadow.html>.
|
||
|
||
Copyright (C) The Internet Society (2004). All Rights Reserved.
|
||
|
||
Please see the Full Copyright section near the end of this document
|
||
for more information.
|
||
|
||
|
||
Abstract
|
||
|
||
This document defines the Lightweight Directory Access Protocol (LDAP)
|
||
Assertion Control which allows a client to specify that a directory
|
||
|
||
|
||
|
||
Zeilenga LDAP Assertion Control [Page 1]
|
||
|
||
INTERNET-DRAFT draft-zeilenga-ldap-assert-03 18 July 2004
|
||
|
||
|
||
operation should only be processed if an assertion applied to the
|
||
target entry of the operation is true. It can be used to construct
|
||
"test and set" and "test and clear" and other conditional operations.
|
||
|
||
|
||
1. Overview
|
||
|
||
This document defines the Lightweight Directory Access Protocol (LDAP)
|
||
[RFC3377] assertion control. The assertion control allows the client
|
||
to specify a condition which must be true for the operation to be
|
||
processed normally. Otherwise the operation fails.
|
||
|
||
The control can be used with the Modify operation [RFC2251] to perform
|
||
atomic "test and set" and "test and clear" operations as the asserted
|
||
condition is evaluated as an integral part the operation. The control
|
||
may be attached to other update operations to support conditional
|
||
addition, deletion, and renaming of objects.
|
||
|
||
The control may also be used with the search operation. Here the
|
||
assertion is applied to the base object of the search before searching
|
||
for objects matching the search scope and filter.
|
||
|
||
The control may also be used with the compare operation. Here it
|
||
extends the compare operation to allow a more complex assertion.
|
||
|
||
|
||
2. Terminology
|
||
|
||
Protocol elements are described using ASN.1 [X.680] with implicit
|
||
tags. The term "BER-encoded" means the element is to be encoded using
|
||
the Basic Encoding Rules [X.690] under the restrictions detailed in
|
||
Section 5.1 of [RFC2251].
|
||
|
||
DSA stands for Directory System Agent (or server).
|
||
DSE stands for DSA-specific Entry.
|
||
|
||
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
|
||
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
|
||
document are to be interpreted as described in BCP 14 [RFC2119].
|
||
|
||
|
||
3. The Assertion Control
|
||
|
||
The assertion control is an LDAP Control [RFC2251] whose controlType
|
||
is IANA-ASSIGNED-OID and controlValue is a BER-encoded Filter
|
||
[RFC2251, Section 4.5.1]. The criticality may be TRUE or FALSE.
|
||
There is no corresponding response control.
|
||
|
||
|
||
|
||
|
||
Zeilenga LDAP Assertion Control [Page 2]
|
||
|
||
INTERNET-DRAFT draft-zeilenga-ldap-assert-03 18 July 2004
|
||
|
||
|
||
The control is appropriate for both LDAP interrogation and update
|
||
operations [RFC2251] including Add, Compare, Delete, Modify, ModifyDN
|
||
(rename), and Search. It is inappropriate for Abandon, Bind nor
|
||
Unbind operations. It is also inappropriate for the Start TLS
|
||
[RFC2830] operation.
|
||
|
||
When the control is attached to an LDAP request, the processing of the
|
||
request is conditional on the evaluation of the Filter as applied
|
||
against the target of the operation. If the Filter evaluates to TRUE,
|
||
then the request is processed normally. If the Filter evaluates to
|
||
FALSE or Undefined, then assertionFailed (IANA-ASSIGNED-CODE)
|
||
resultCode is returned and no further processing is performed.
|
||
|
||
For Add, Compare, and ModifyDN the target is indicated by the entry
|
||
field in the request. For Modify, the target is indicated by the
|
||
object field. For Delete, the target is indicated by the DelRequest
|
||
type. For the Compare operation and all update operations, the
|
||
evaluation of the assertion MUST be performed as an integral part of
|
||
the operation. That is, the evaluation of the assertion and the
|
||
normal processing of the operation SHALL be done as one atomic action.
|
||
|
||
For search operation, the target is indicated by the baseObject field
|
||
and the evaluation is done after "finding" but before "searching"
|
||
[RFC2251]. Hence, no entries or continuations references are returned
|
||
if the assertion fails.
|
||
|
||
Servers implementing this technical specification SHOULD publish the
|
||
object identifier IANA-ASSIGNED-OID as a value of the
|
||
'supportedControl' attribute [RFC2252] in their root DSE. A server
|
||
MAY choose to advertise this extension only when the client is
|
||
authorized to use it.
|
||
|
||
Other documents may specify how this control applies to other LDAP
|
||
operations. In doing so, they must state how the target entry is
|
||
determined.
|
||
|
||
|
||
4. Security Considerations
|
||
|
||
The filter may, like other components of the request, contain
|
||
sensitive information. When so, this information should be
|
||
appropriately protected.
|
||
|
||
As with any general assertion mechanism, the mechanism can be used to
|
||
determine directory content. Hence, this mechanism SHOULD be subject
|
||
to appropriate access controls.
|
||
|
||
Some assertions may be very complex, requiring significant time and
|
||
|
||
|
||
|
||
Zeilenga LDAP Assertion Control [Page 3]
|
||
|
||
INTERNET-DRAFT draft-zeilenga-ldap-assert-03 18 July 2004
|
||
|
||
|
||
resources to evaluate. Hence, this mechanism SHOULD be subject to
|
||
appropriate administrative controls.
|
||
|
||
All security considerations for the base operations [RFC2251] to which
|
||
this control is attached to apply, as do general LDAP security
|
||
considerations [RFC3377].
|
||
|
||
|
||
5. IANA Considerations
|
||
|
||
5.1. Object Identifier
|
||
|
||
It is requested that IANA assign upon Standards Action an LDAP Object
|
||
Identifier [RFC3383] to identify the LDAP Assertion Control defined in
|
||
this document.
|
||
|
||
Subject: Request for LDAP Object Identifier Registration
|
||
Person & email address to contact for further information:
|
||
Kurt Zeilenga <kurt@OpenLDAP.org>
|
||
Specification: RFC XXXX
|
||
Author/Change Controller: IESG
|
||
Comments:
|
||
Identifies the LDAP Assertion Control
|
||
|
||
5.2 LDAP Protocol Mechanism
|
||
|
||
Registration of this protocol mechanism [RFC3383] is requested.
|
||
|
||
Subject: Request for LDAP Protocol Mechanism Registration
|
||
Object Identifier: IANA-ASSIGNED-OID
|
||
Description: Assertion Control
|
||
Person & email address to contact for further information:
|
||
Kurt Zeilenga <kurt@openldap.org>
|
||
Usage: Control
|
||
Specification: RFC XXXX
|
||
Author/Change Controller: IESG
|
||
Comments: none
|
||
|
||
|
||
5.3 LDAP Result Code
|
||
|
||
Assignment of an LDAP Result Code [RFC3383] called 'assertionFailed'
|
||
is requested.
|
||
|
||
Subject: LDAP Result Code Registration
|
||
Person & email address to contact for further information:
|
||
Kurt Zeilenga <kurt@OpenLDAP.org>
|
||
Result Code Name: assertionFailed
|
||
|
||
|
||
|
||
Zeilenga LDAP Assertion Control [Page 4]
|
||
|
||
INTERNET-DRAFT draft-zeilenga-ldap-assert-03 18 July 2004
|
||
|
||
|
||
Specification: RFC XXXX
|
||
Author/Change Controller: IESG
|
||
Comments: none
|
||
|
||
|
||
6. Acknowledgments
|
||
|
||
The assertion control concept is attributed to Morteza Ansari.
|
||
|
||
|
||
7. Author's Address
|
||
|
||
Kurt D. Zeilenga
|
||
OpenLDAP Foundation
|
||
|
||
Email: Kurt@OpenLDAP.org
|
||
|
||
|
||
8. Normative References
|
||
|
||
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
|
||
Requirement Levels", BCP 14 (also RFC 2119), March 1997.
|
||
|
||
[RFC2251] Wahl, M., T. Howes and S. Kille, "Lightweight Directory
|
||
Access Protocol (v3)", RFC 2251, December 1997.
|
||
|
||
[RFC2252] Wahl, M., A. Coulbeck, T. Howes, and S. Kille,
|
||
"Lightweight Directory Access Protocol (v3): Attribute
|
||
Syntax Definitions", RFC 2252, December 1997.
|
||
|
||
[RFC3377] Hodges, J. and R. Morgan, "Lightweight Directory Access
|
||
Protocol (v3): Technical Specification", RFC 3377,
|
||
September 2002.
|
||
|
||
|
||
9. Informative References
|
||
|
||
[RFC3383] Zeilenga, K., "IANA Considerations for LDAP", BCP 64
|
||
(also RFC 3383), September 2002.
|
||
|
||
|
||
|
||
Intellectual Property Rights
|
||
|
||
The IETF takes no position regarding the validity or scope of any
|
||
Intellectual Property Rights or other rights that might be claimed to
|
||
pertain to the implementation or use of the technology described in
|
||
this document or the extent to which any license under such rights
|
||
|
||
|
||
|
||
Zeilenga LDAP Assertion Control [Page 5]
|
||
|
||
INTERNET-DRAFT draft-zeilenga-ldap-assert-03 18 July 2004
|
||
|
||
|
||
might or might not be available; nor does it represent that it has
|
||
made any independent effort to identify any such rights. Information
|
||
on the procedures with respect to rights in RFC documents can be found
|
||
in BCP 78 and BCP 79.
|
||
|
||
Copies of IPR disclosures made to the IETF Secretariat and any
|
||
assurances of licenses to be made available, or the result of an
|
||
attempt made to obtain a general license or permission for the use of
|
||
such proprietary rights by implementers or users of this specification
|
||
can be obtained from the IETF on-line IPR repository at
|
||
http://www.ietf.org/ipr.
|
||
|
||
The IETF invites any interested party to bring to its attention any
|
||
copyrights, patents or patent applications, or other proprietary
|
||
rights that may cover technology that may be required to implement
|
||
this standard. Please address the information to the IETF at
|
||
ietf-ipr@ietf.org.
|
||
|
||
|
||
|
||
Full Copyright
|
||
|
||
Copyright (C) The Internet Society (2004). This document is subject
|
||
to the rights, licenses and restrictions contained in BCP 78, and
|
||
except as set forth therein, the authors retain all their rights.
|
||
|
||
This document and the information contained herein are provided on an
|
||
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
|
||
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
|
||
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
|
||
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
|
||
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
|
||
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Zeilenga LDAP Assertion Control [Page 6]
|
||
|
||
|
||
|