draft-weltman-ldapv3-proxy-xx.txt [plain text]
INTERNET-DRAFT Rob Weltman
Intended Category: Standards Track Netscape Communications Corp.
April 2003
LDAP Proxied Authorization Control
draft-weltman-ldapv3-proxy-12.txt
Status of this Memo
This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC2026.
Internet-Drafts are working documents of the Internet Task Force
(IETF), its areas, and its working groups. Note that other groups
may also distribute working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
Abstract
This document defines the Lightweight Directory Access Protocol
(LDAP) Proxy Authorization Control. The Proxy Authorization Control
allows a client to request that an operation be processed under a
provided authorization identity instead of as the current
authorization identity associated with the connection.
1. Introduction
Proxy authorization allows a client to request that an operation be
processed under a provided authorization identity instead of as the
current authorization identity associated with the connection. This
document defines support for proxy authorization using the Control
mechanism [RFC 2251]. The Lightweight Directory Access Protocol
[LDAPV3] supports the use of the Simple Authentication and Security
Layer [SASL] for authentication and for supplying an authorization
identity distinct from the authentication identity, where the
authorization identity applies to the whole LDAP session. The Proxy
Authorization Control provides a mechanism for specifying an
authorization identity on a per operation basis, benefiting clients
that need to efficiently perform operations on behalf of multiple
users.
Expires October 2003 [Page 1]
�
PROXIED AUTHORIZATION CONTROL April 2003
The key words "MUST", "MUST NOT", "SHOULD", "SHOULD NOT", and "MAY"
used in this document are to be interpreted as described in
[KEYWORDS].
2. Publishing support for the Proxy Authorization Control
Support for the Proxy Authorization Control is indicated by the
presence of the Object Identifier (OID) "2.16.840.1.113730.3.4.18" in
the supportedControl attribute [RFC 2252] of a server's root DSE.
3. Proxy Authorization Control
A single Proxy Authorization Control may be included in any search,
compare, modify, add, delete, modify DN or extended operation request
message with the exception of any extension that causes a change in
authentication, authorization, or data confidentiality [RFC 2829],
such as Start TLS [LDAPTLS] as part of the controls field of the
LDAPMessage, as defined in [RFC 2251].
The controlType of the proxy authorization control is
"2.16.840.1.113730.3.4.18".
The criticality MUST be present and MUST be TRUE. This requirement
protects clients from submitting a request that is executed with an
unintended authorization identity.
The controlValue SHALL be present and contain either an authzId
[AUTH] representing the authorization identity for the request or
empty if an anonymous association is to be used.
The mechanism for determining proxy access rights is specific to the
server's proxy authorization policy.
If the requested authorization identity is recognized by the server,
and the client is authorized to adopt the requested authorization
identity, the request will be executed as if submitted by the proxy
authorization identity, otherwise the result code TBD is returned.
[Note to the IESG/IANA/RFC Editor: the value TBD is to be replaced
with an IANA assigned LDAP Result Code (see RFC 3383 section 3.6]
4. Implementation Considerations
One possible interaction of proxy authorization and normal access
control is illustrated here for the case of search requests. During
evaluation of a search request, an entry which would have been
returned for the search if submitted by the proxy authorization
identity directly may not be returned if the server finds that the
requester does not have the right to assume the requested identity
for searching the entry, even if the entry is within the scope of a
search request under a base DN which does imply such rights. This
Expires October 2003 [Page 2]
�
PROXIED AUTHORIZATION CONTROL April 2003
means that fewer results, or no results, may be returned compared to
the case where the proxy authorization identity issued the request
directly. An example of such a case may be a system with fine-grained
access control, where the proxy right requester has proxy rights at
the top of a search tree, but not at or below a point or points
within the tree.
5. Security Considerations
The Proxy Authorization Control method is subject to general LDAP
security considerations [RFC 2251] [AUTH] [LDAPTLS]. The control may
be passed over a secure as well as over an insecure channel.
The control allows for an additional authorization identity to be
passed. In some deployments, these identities may contain
confidential information which require privacy protection.
Note that the server is responsible for determining if a proxy
authorization request is to be honored. "Anonymous" users SHOULD NOT
be allowed to assume the identity of others.
6. IANA Considerations
The OID "2.16.840.1.113730.3.4.18" is reserved for the Proxy
Authorization Control. It is to be registered as an LDAP Protocol
Mechanism [RFC 3383].
A result code for the case where the server does not execute a
request using the proxy authorization identity is to be assigned by
the IANA.
7. Copyright
Copyright (C) The Internet Society (date). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
The limited permissions granted above are perpetual and will not be
Expires October 2003 [Page 3]
�
PROXIED AUTHORIZATION CONTROL April 2003
revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
8. Normative References
[KEYWORDS] Bradner, Scott, "Key Words for use in RFCs to Indicate
Requirement Levels", draft-bradner-key-words-03.txt, January,
1997.
[LDAPV3] Hodges, J. and R. Morgan, "Lightweight Directory Access
Protocol (v3): Technical Specification", RFC 3377, September
2002.
[SASL] J. Myers, "Simple Authentication and Security Layer (SASL)",
RFC 2222, October 1997
[AUTH] M. Wahl, H. Alvestrand, J. Hodges, R. Morgan, "Authentication
Methods for LDAP", RFC 2829, May 2000
[LDAPTLS] J. Hodges, R. Morgan, M. Wahl, "Lightweight Directory
Access Protocol (v3): Extension for Transport Layer Security",
RFC 2830, May 2000
[RFC 2251] M. Wahl, T. Howes, S. Kille, "Lightweight Directory Access
Protocol (v3)", RFC 2251, December 1997.
[RFC 2252] M. Wahl, A. Coulbeck, T. Howes, S. Kille, "Lightweight
Directory Access Protocol (v3): Attribute Syntax Definitions",
RFC 2252, December 1997
[RFC 2829] M. Wahl, H. Alvestrand, J. Hodges, R. Morgan,
"Authentication Methods for LDAP", RFC 2829, May 2000
[RFC 3383] K. Zeilenga, "Internet Assigned Numbers Authority (IANA)
Considerations for the Lightweight Directory Access Protocol
(LDAP)", RFC 3383, September 2002
9. Author's Address
Rob Weltman
Netscape Communications Corp.
360 W. Caribbean Drive
Sunnyvale, CA 94089
USA
Expires October 2003 [Page 4]
�
PROXIED AUTHORIZATION CONTROL April 2003
+1 650 937-3194
rweltman@netscape.com
10. Acknowledgements
Mark Smith of Netscape Communications Corp., Mark Wahl of Sun
Microsystems, Inc, Kurt Zeilenga of OpenLDAP Foundation, Jim
Sermersheim of Novell, and Steven Legg of Adacel have contributed
with reviews of this document.
Expires October 2003 [Page 5]
�