mirror of
https://git.openldap.org/openldap/openldap.git
synced 2024-12-15 03:01:09 +08:00
340 lines
11 KiB
Plaintext
340 lines
11 KiB
Plaintext
|
||
|
||
|
||
|
||
|
||
|
||
Internet Engineering Task Force (IETF) K. Zeilenga
|
||
Request for Comments: 6171 Isode Limited
|
||
Category: Standards Track March 2011
|
||
ISSN: 2070-1721
|
||
|
||
|
||
The Lightweight Directory Access Protocol (LDAP) Don't Use Copy Control
|
||
|
||
Abstract
|
||
|
||
This document defines the Lightweight Directory Access Protocol
|
||
(LDAP) Don't Use Copy control extension, which allows a client to
|
||
specify that copied information should not be used in providing
|
||
service. This control is based upon the X.511 dontUseCopy service
|
||
control option.
|
||
|
||
Status of This Memo
|
||
|
||
This is an Internet Standards Track document.
|
||
|
||
This document is a product of the Internet Engineering Task Force
|
||
(IETF). It represents the consensus of the IETF community. It has
|
||
received public review and has been approved for publication by the
|
||
Internet Engineering Steering Group (IESG). Further information on
|
||
Internet Standards is available in Section 2 of RFC 5741.
|
||
|
||
Information about the current status of this document, any errata,
|
||
and how to provide feedback on it may be obtained at
|
||
http://www.rfc-editor.org/info/rfc6171.
|
||
|
||
Copyright Notice
|
||
|
||
Copyright (c) 2011 IETF Trust and the persons identified as the
|
||
document authors. All rights reserved.
|
||
|
||
This document is subject to BCP 78 and the IETF Trust's Legal
|
||
Provisions Relating to IETF Documents
|
||
(http://trustee.ietf.org/license-info) in effect on the date of
|
||
publication of this document. Please review these documents
|
||
carefully, as they describe your rights and restrictions with respect
|
||
to this document. Code Components extracted from this document must
|
||
include Simplified BSD License text as described in Section 4.e of
|
||
the Trust Legal Provisions and are provided without warranty as
|
||
described in the Simplified BSD License.
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Zeilenga Standards Track [Page 1]
|
||
|
||
RFC 6171 LDAP Don't Use Copy Control March 2011
|
||
|
||
|
||
This document may contain material from IETF Documents or IETF
|
||
Contributions published or made publicly available before November
|
||
10, 2008. The person(s) controlling the copyright in some of this
|
||
material may not have granted the IETF Trust the right to allow
|
||
modifications of such material outside the IETF Standards Process.
|
||
Without obtaining an adequate license from the person(s) controlling
|
||
the copyright in such materials, this document may not be modified
|
||
outside the IETF Standards Process, and derivative works of it may
|
||
not be created outside the IETF Standards Process, except to format
|
||
it for publication as an RFC or to translate it into languages other
|
||
than English.
|
||
|
||
1. Background and Intended Usage
|
||
|
||
This document defines the Lightweight Directory Access Protocol
|
||
(LDAP) [RFC4510] Don't Use Copy control extension. The control may
|
||
be attached to request messages to indicate that copied (replicated
|
||
or cached) information [X.500] is not be used in providing service.
|
||
This control is based upon the X.511 [X.511] dontUseCopy service
|
||
control option.
|
||
|
||
The Don't Use Copy control is intended to be used where the client
|
||
requires the service be provided using original (master) information
|
||
[X.500]. In absence of this control, the server is free to make use
|
||
of copied (i.e., non-authoritative) information in providing the
|
||
requested service.
|
||
|
||
For instance, a client might desire to have an authoritative answer
|
||
to a question of whether or not a particular user is a member of a
|
||
group. To ask this question of a server, the client might issue a
|
||
compare request [RFC4511], with the Don't Use Copy control, where the
|
||
entry parameter is the Distinguished Name (DN) of the group, the
|
||
ava.attributeDesc is 'member', and the ava.assertionValue is the DN
|
||
of the user in question. If the server has access to the original
|
||
(master) information directly or through chaining, it performs the
|
||
operation against the original (master) information and returns
|
||
compareTrue or compareFalse (or an error). If the server does not
|
||
have access to the original information, the server is obligated to
|
||
either return a referral or an error.
|
||
|
||
It is not intended that this control be used generally (e.g., for all
|
||
LDAP interrogation operations) but only as required to ensure proper
|
||
directory application behavior. In general, directory applications
|
||
ought to designed to use copied information well.
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Zeilenga Standards Track [Page 2]
|
||
|
||
RFC 6171 LDAP Don't Use Copy Control March 2011
|
||
|
||
|
||
2. Terminology
|
||
|
||
DSA stands for Directory System Agent (or server).
|
||
DSE stands for DSA-Specific Entry.
|
||
|
||
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
|
||
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
|
||
document are to be interpreted as described in RFC 2119 [RFC2119].
|
||
|
||
3. The Don't Use Copy Control
|
||
|
||
The Don't Use Copy control is an LDAP Control [RFC4511] whose
|
||
controlType is 1.3.6.1.1.22 and controlValue is absent. The
|
||
criticality MUST be TRUE. There is no corresponding response
|
||
control.
|
||
|
||
The control is appropriate for LDAP interrogation operations,
|
||
including Compare and Search operations [RFC4511]. It is
|
||
inappropriate for all other operations, including Abandon, Bind,
|
||
Delete, Modify, ModifyDN, StartTLS, and Unbind operations [RFC4511].
|
||
|
||
When the control is attached to an LDAP request, the requested
|
||
operation MUST NOT be performed on copied information. That is, the
|
||
requested operation MUST be performed on original information.
|
||
|
||
If original (master) information for the target or base object of the
|
||
operation is not available (either locally or through chaining), the
|
||
server MUST either return a referral directing the client to a server
|
||
believed to be better able to service the request or return an
|
||
appropriate result code (e.g., unwillingToPerform).
|
||
|
||
It is noted that a referral, if returned, is not necessarily to the
|
||
server holding the original (master) information. It is also noted
|
||
that an authoritative answer to the question might not be available
|
||
to the client for any number of reasons.
|
||
|
||
Where the client chases a referral to a server (as referenced by an
|
||
LDAP URL) in the server response in order to obtain an authoritative
|
||
response, the client MUST provide the dontUseCopy control with the
|
||
interrogation request it makes to the referred to server. While LDAP
|
||
allows return of other kinds of URIs, the syntax and semantics of
|
||
other kinds of URIs are left to future specifications. The
|
||
particulars of how to act upon other kinds of URIs are also left to
|
||
future specifications.
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Zeilenga Standards Track [Page 3]
|
||
|
||
RFC 6171 LDAP Don't Use Copy Control March 2011
|
||
|
||
|
||
Servers implementing this technical specification SHOULD publish the
|
||
object identifier 1.3.6.1.1.22 as a value of the 'supportedControl'
|
||
attribute [RFC4512] in their root DSE. A server MAY choose to
|
||
advertise this extension only when the client is authorized to use
|
||
it.
|
||
|
||
4. Security Considerations
|
||
|
||
This control is intended to be provided where providing service using
|
||
copied information might lead to unexpected application behavior.
|
||
|
||
Use of the Don't Use Copy control may permit an attacker to perform
|
||
or amplify a denial-of-service attack by causing additional server
|
||
resources to be employed, such as when the server chooses to chain
|
||
the request instead of returning a referral. Servers capable of such
|
||
chaining can mitigate this threat by limiting chaining to a
|
||
particular group of authenticated entities.
|
||
|
||
LDAP is frequently used for storage and distribution of security-
|
||
sensitive information, including access control and security policy
|
||
information. Failure to use the Don't Use Copy control may thus
|
||
permit an attacker to gain unauthorized access by allowing reliance
|
||
on stale data.
|
||
|
||
5. IANA Considerations
|
||
|
||
5.1. Object Identifier
|
||
|
||
IANA has assigned an LDAP Object Identifier [RFC4520] to identify the
|
||
LDAP Don't Use Copy Control defined in this document.
|
||
|
||
Subject: Request for LDAP Object Identifier Registration
|
||
Person & email address to contact for further information:
|
||
Kurt Zeilenga <Kurt.Zeilenga@Isode.COM>
|
||
Specification: RFC 6171
|
||
Author/Change Controller: IESG
|
||
Comments:
|
||
Identifies the LDAP Don't Use Copy Control
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Zeilenga Standards Track [Page 4]
|
||
|
||
RFC 6171 LDAP Don't Use Copy Control March 2011
|
||
|
||
|
||
5.2. LDAP Protocol Mechanism
|
||
|
||
IANA has registered this protocol mechanism [RFC4520] as follows.
|
||
|
||
Subject: Request for LDAP Protocol Mechanism Registration
|
||
Object Identifier: 1.3.6.1.1.22
|
||
Description: Don't Use Copy Control
|
||
Person & email address to contact for further information:
|
||
Kurt Zeilenga <Kurt.Zeilenga@Isode.COM>
|
||
Usage: Control
|
||
Specification: RFC 6171
|
||
Author/Change Controller: IESG
|
||
Comments: none
|
||
|
||
6. Acknowledgements
|
||
|
||
The author thanks Ben Campbell, Phillip Hallam-Baker, and Ted Hardie
|
||
for providing review and specific suggestions.
|
||
|
||
7. References
|
||
|
||
7.1. Normative References
|
||
|
||
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
|
||
Requirement Levels", BCP 14, RFC 2119, March 1997.
|
||
|
||
[RFC4510] Zeilenga, K., Ed., "Lightweight Directory Access Protocol
|
||
(LDAP): Technical Specification Road Map", RFC 4510, June
|
||
2006.
|
||
|
||
[RFC4511] Sermersheim, J., Ed., "Lightweight Directory Access
|
||
Protocol (LDAP): The Protocol", RFC 4511, June 2006.
|
||
|
||
[RFC4512] Zeilenga, K., Ed., "Lightweight Directory Access Protocol
|
||
(LDAP): Directory Information Models", RFC 4512, June
|
||
2006.
|
||
|
||
7.2. Informative References
|
||
|
||
[X.500] International Telecommunication Union - Telecommunication
|
||
Standardization Sector, "The Directory -- Overview of
|
||
concepts, models and services," X.500(1993) (also ISO/IEC
|
||
9594-1:1994).
|
||
|
||
[X.511] International Telecommunication Union - Telecommunication
|
||
Standardization Sector, "The Directory: Abstract Service
|
||
Definition", X.511(1993) (also ISO/IEC 9594-3:1993).
|
||
|
||
|
||
|
||
|
||
Zeilenga Standards Track [Page 5]
|
||
|
||
RFC 6171 LDAP Don't Use Copy Control March 2011
|
||
|
||
|
||
[RFC4520] Zeilenga, K., "Internet Assigned Numbers Authority (IANA)
|
||
Considerations for the Lightweight Directory Access
|
||
Protocol (LDAP)", BCP 64, RFC 4520, June 2006.
|
||
|
||
Author's Address
|
||
|
||
Kurt D. Zeilenga
|
||
Isode Limited
|
||
|
||
EMail: Kurt.Zeilenga@Isode.COM
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Zeilenga Standards Track [Page 6]
|
||
|