2 INTERNET-DRAFT Editor: R. Harrison
3 draft-ietf-ldapbis-authmeth-19.txt Novell, Inc.
4 Obsoletes: 2251, 2829, 2830 February 2006
5 Intended Category: Standards Track
13 LDAP: Authentication Methods
19 By submitting this Internet-Draft, each author represents that any
20 applicable patent or other IPR claims of which he or she is aware
21 have been or will be disclosed, and any of which he or she becomes
22 aware will be disclosed, in accordance with Section 6 of BCP 79.
24 This document is intended to be, after appropriate review and
25 revision, submitted to the RFC Editor as a Standard Track document.
26 Distribution of this memo is unlimited. Technical discussion of
27 this document will take place on the IETF LDAP Revision Working
28 Group mailing list <ietf-ldapbis@OpenLDAP.org>. Please send
29 editorial comments directly to the author
30 <roger_harrison@novell.com>.
32 Internet-Drafts are working documents of the Internet Engineering
33 Task Force (IETF), its areas, and its working groups. Note that
34 other groups may also distribute working documents as Internet-
37 Internet-Drafts are draft documents valid for a maximum of six
38 months and may be updated, replaced, or obsoleted by other documents
39 at any time. It is inappropriate to use Internet-Drafts as
40 reference material or to cite them other than as "work in progress."
42 The list of current Internet-Drafts can be accessed at
43 http://www.ietf.org/ietf/1id-abstracts.html
45 The list of Internet-Draft Shadow Directories can be accessed at
46 http://www.ietf.org/shadow.html.
50 This document describes authentication methods and security
51 mechanisms of the Lightweight Directory Access Protocol (LDAP).
55 Harrison Expires August 2006 [Page 1]
57 Internet-Draft LDAP Authentication Methods February 2006
59 This document details establishment of Transport Layer Security
60 (TLS) using the StartTLS operation.
62 This document details the simple Bind authentication method
63 including anonymous, unauthenticated, and name/password mechanisms
64 and the Simple Authentication and Security Layer (SASL) Bind
65 authentication method including the EXTERNAL mechanism.
67 This document discusses various authentication and authorization
68 states through which a session to an LDAP server may pass and the
69 actions that trigger these state changes.
71 This document, together with other documents in the LDAP Technical
72 Specification (see section 1 of [Roadmap]), obsoletes RFC 2251, RFC
77 1. Introduction.....................................................3
78 1.1. Relationship to Other Documents................................5
79 1.2. Conventions....................................................6
80 2. Implementation Requirements......................................7
81 3. StartTLS Operation...............................................7
82 3.1. TLS Establishment Procedures...................................7
83 3.1.1. StartTLS Request Sequencing..................................8
84 3.1.2. Client Certificate...........................................8
85 3.1.3. Server Identity Check........................................8
86 3.1.3.1. Comparison of DNS Names...................................10
87 3.1.3.2. Comparison of IP Addresses................................10
88 3.1.3.3. Comparison of other subjectName types.....................10
89 3.1.4. Discovery of Resultant Security Level.......................10
90 3.1.5. Refresh of Server Capabilities Information..................11
91 3.2. Effect of TLS on Authorization State..........................11
92 3.3. TLS Ciphersuites..............................................11
93 4. Authorization State.............................................12
94 5. Bind Operation..................................................13
95 5.1. Simple Authentication Method..................................13
96 5.1.1. Anonymous Authentication Mechanism of Simple Bind...........13
97 5.1.2. Unauthenticated Authentication Mechanism of Simple Bind.....13
98 5.1.3. Name/Password Authentication Mechanism of Simple Bind.......14
99 5.2. SASL Authentication Method....................................15
100 5.2.1. SASL Protocol Profile.......................................15
101 5.2.1.1. SASL Service Name for LDAP................................15
102 5.2.1.2. SASL Authentication Initiation and Protocol Exchange......15
103 5.2.1.3. Optional Fields...........................................16
104 5.2.1.4. Octet Where Negotiated Security Layers Take Effect........17
105 5.2.1.5. Determination of Supported SASL Mechanisms................17
106 5.2.1.6. Rules for Using SASL Layers...............................17
107 5.2.1.7. Support for Multiple Authentications......................18
108 5.2.1.8. SASL Authorization Identities.............................18
109 5.2.2. SASL Semantics Within LDAP..................................19
111 Harrison Expires August 2006 [Page 2]
113 Internet-Draft LDAP Authentication Methods February 2006
115 5.2.3. SASL EXTERNAL Authentication Mechanism......................19
116 5.2.3.1. Implicit Assertion........................................19
117 5.2.3.2. Explicit Assertion........................................20
118 6. Security Considerations.........................................20
119 6.1. General LDAP Security Considerations..........................20
120 6.2. StartTLS Security Considerations..............................21
121 6.3. Bind Operation Security Considerations........................21
122 6.3.1. Unauthenticated Mechanism Security Considerations...........21
123 6.3.2. Name/Password Mechanism Security Considerations.............22
124 6.3.3. Password-related Security Considerations....................22
125 6.3.4. Hashed Password Security Considerations.....................23
126 6.4.SASL Security Considerations...................................23
127 6.5. Related Security Considerations...............................23
128 7. IANA Considerations.............................................24
129 8. Acknowledgments.................................................24
130 9. Normative References............................................24
131 10. Informative References.........................................25
132 Author's Address...................................................26
133 Appendix A. Authentication and Authorization Concepts..............26
134 A.1. Access Control Policy.........................................26
135 A.2. Access Control Factors........................................26
136 A.3. Authentication, Credentials, Identity.........................27
137 A.4. Authorization Identity........................................27
138 Appendix B. Summary of Changes.....................................27
139 B.1. Changes Made to RFC 2251......................................28
140 B.1.1. Section 4.2.1 (Sequencing of the Bind Request)..............28
141 B.1.2. Section 4.2.2 (Authentication and Other Security Services)..28
142 B.2. Changes Made to RFC 2829......................................28
143 B.2.1. Section 4 (Required security mechanisms)....................29
144 B.2.2. Section 5.1 (Anonymous authentication procedure)............29
145 B.2.3. Section 6 (Password-based authentication)...................29
146 B.2.4. Section 6.1 (Digest authentication).........................29
147 B.2.5. Section 6.2 ("simple" authentication choice with TLS).......29
148 B.2.6. Section 6.3 (Other authentication choices with TLS).........29
149 B.2.7. Section 7.1 (Certificate-based authentication with TLS).....30
150 B.2.8. Section 8 (Other mechanisms)................................30
151 B.2.9. Section 9 (Authorization identity)..........................30
152 B.2.10. Section 10 (TLS Ciphersuites)..............................30
153 B.3. Changes Made to RFC 2830: ....................................30
154 B.3.1. Section 3.6 (Server Identity Check).........................30
155 B.3.2. Section 3.7 (Refresh of Server Capabilities Information)....31
156 B.3.3. Section 5.2 (Effects of TLS on Authorization Identity)......31
157 B.3.4. Section 5.1.1 (TLS Closure Effects).........................31
158 Appendix C. Changes for draft-ldapbis-authmeth-19..................31
159 Intellectual Property Rights.......................................32
160 Full Copyright Statement...........................................33
166 Harrison Expires August 2006 [Page 3]
168 Internet-Draft LDAP Authentication Methods February 2006
170 The Lightweight Directory Access Protocol (LDAP) [Roadmap] is a
171 powerful protocol for accessing directories. It offers means of
172 searching, retrieving and manipulating directory content and ways to
173 access a rich set of security functions.
175 It is vital that these security functions be interoperable among all
176 LDAP clients and servers on the Internet; therefore there has to be
177 a minimum subset of security functions that is common to all
178 implementations that claim LDAP conformance.
180 Basic threats to an LDAP directory service include (but are not
183 (1) Unauthorized access to directory data via data-retrieval
186 (2) Unauthorized access to directory data by monitoring access of
189 (3) Unauthorized access to reusable client authentication
190 information by monitoring access of others.
192 (4) Unauthorized modification of directory data.
194 (5) Unauthorized modification of configuration information.
196 (6) Denial of Service: Use of resources (commonly in excess) in a
197 manner intended to deny service to others.
199 (7) Spoofing: Tricking a user or client into believing that
200 information came from the directory when in fact it did not,
201 either by modifying data in transit or misdirecting the client's
202 transport connection. Tricking a user or client into sending
203 privileged information to a hostile entity that appears to be
204 the directory server but is not. Tricking a directory server
205 into believing that information came from a particular client
206 when in fact it came from a hostile entity.
208 (8) Hijacking: An attacker seizes control of an established protocol
211 Threats (1), (4), (5), (6), (7) are (8) are active attacks. Threats
212 (2) and (3) are passive attacks.
214 Threats (1), (4), (5) and (6) are due to hostile clients. Threats
215 (2), (3), (7) and (8) are due to hostile agents on the path between
216 client and server or hostile agents posing as a server, e.g., IP
219 LDAP offers the following security mechanisms:
225 Harrison Expires August 2006 [Page 4]
227 Internet-Draft LDAP Authentication Methods February 2006
229 (1) Authentication by means of the Bind operation. The Bind
230 operation provides a simple method which supports anonymous,
231 unauthenticated, and name/password mechanisms, and the Simple
232 Authentication and Security Layer (SASL) method which supports a
233 wide variety of authentication mechanisms.
235 (2) Mechanisms to support vendor-specific access control facilities
236 (LDAP does not offer a standard access control facility).
238 (3) Data integrity service by means of security layers in Transport
239 Layer Security (TLS) or SASL mechanisms.
241 (4) Data confidentiality service by means of security layers in TLS
244 (5) Server resource usage limitation by means of administrative
245 limits configured on the server.
247 (6) Server authentication by means of the TLS protocol or SASL
250 LDAP may also be protected by means outside the LDAP protocol, e.g.,
251 with IP-level security [RFC4301].
253 Experience has shown that simply allowing implementations to pick
254 and choose the security mechanisms that will be implemented is not a
255 strategy that leads to interoperability. In the absence of
256 mandates, clients will continue to be written that do not support
257 any security function supported by the server, or worse, they will
258 only support mechanisms that provide inadequate security for most
261 It is desirable to allow clients to authenticate using a variety of
262 mechanisms including mechanisms where identities are represented as
263 distinguished names [X.501][Models] in string form [LDAPDN] or as
264 used in different systems (e.g., simple user names [RFC4013]).
265 Because some authentication mechanisms transmit credentials in plain
266 text form, and/or do not provide data security services and/or are
267 subject to passive attacks, it is necessary to ensure secure
268 interoperability by identifying a mandatory-to-implement mechanism
269 for establishing transport-layer security services.
271 The set of security mechanisms provided in LDAP and described in
272 this document is intended to meet the security needs for a wide
273 range of deployment scenarios and still provide a high degree of
274 interoperability among various LDAP implementations and deployments.
276 1.1. Relationship to Other Documents
278 This document is an integral part of the LDAP Technical
279 Specification [Roadmap].
284 Harrison Expires August 2006 [Page 5]
286 Internet-Draft LDAP Authentication Methods February 2006
288 This document, together with [Roadmap], [Protocol], and [Models],
289 obsoletes RFC 2251 in its entirety. Sections 4.2.1 (portions), and
290 4.2.2 of RFC 2251 are obsoleted by this document. Appendix B.1
291 summarizes the substantive changes made to RFC 2251 by this document.
293 This document obsoletes RFC 2829 in its entirety. Appendix B.2
294 summarizes the substantive changes made to RFC 2829 by this document.
296 Sections 2 and 4 of RFC 2830 are obsoleted by [Protocol]. The
297 remainder of RFC 2830 is obsoleted by this document. Appendix B.3
298 summarizes the substantive changes made to RFC 2830 by this document.
303 The key words "MUST", "MUST NOT", "SHALL", "SHOULD", "SHOULD NOT",
304 "MAY", and "OPTIONAL" in this document are to be interpreted as
305 described in RFC 2119 [RFC2119].
307 The term "user" represents any human or application entity which is
308 accessing the directory using a directory client. A directory
309 client (or client) is also known as a directory user agent (DUA).
311 The term "transport connection" refers to the underlying transport
312 services used to carry the protocol exchange, as well as
313 associations established by these services.
315 The term "TLS layer" refers to TLS services used in providing
316 security services, as well as associations established by these
319 The term "SASL layer" refers to SASL services used in providing
320 security services, as well as associations established by these
323 The term "LDAP message layer" refers to the LDAP Message (PDU)
324 services used in providing directory services, as well as
325 associations established by these services.
327 The term "LDAP session" refers to combined services (transport
328 connection, TLS layer, SASL layer, LDAP message layer) and their
331 In general, security terms in this document are used consistently
332 with the definitions provided in [RFC2828]. In addition, several
333 terms and concepts relating to security, authentication, and
334 authorization are presented in Appendix A of this document. While
335 the formal definition of these terms and concepts is outside the
336 scope of this document, an understanding of them is prerequisite to
337 understanding much of the material in this document. Readers who
338 are unfamiliar with security-related concepts are encouraged to
339 review Appendix A before reading the remainder of this document.
343 Harrison Expires August 2006 [Page 6]
345 Internet-Draft LDAP Authentication Methods February 2006
347 2. Implementation Requirements
349 LDAP server implementations MUST support the anonymous
350 authentication mechanism of the simple Bind method (section 5.1.1).
352 LDAP implementations that support any authentication mechanism other
353 than the anonymous authentication mechanism of the simple Bind
354 method MUST support the name/password authentication mechanism of
355 the simple Bind method (section 5.1.3) and MUST be capable of
356 protecting this name/password authentication using TLS as
357 established by the StartTLS operation (section 3).
359 Implementations SHOULD disallow the use of the name/password
360 authentication mechanism by default when suitable data security
361 services are not in place, and MAY provide other suitable data
362 security services for use with this authentication mechanism.
364 Implementations MAY support additional authentication mechanisms.
365 Some of these mechanisms are discussed below.
367 LDAP server implementations SHOULD support client assertion of
368 authorization identity via the SASL EXTERNAL mechanism (section
371 LDAP server implementations that support no authentication mechanism
372 other than the anonymous mechanism of the simple bind method SHOULD
373 support use of TLS as established by the the StartTLS operation
374 (section 3). (Other servers MUST support TLS per the second
375 paragraph of this section.)
377 Implementations supporting TLS MUST support the
378 TLS_RSA_WITH_3DES_EDE_CBC_SHA ciphersuite and SHOULD support the
379 TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA ciphersuite. Support for the
380 latter ciphersuite is recommended to encourage interoperability with
381 implementations conforming to earlier LDAP StartTLS specifications.
384 3. StartTLS Operation
386 The Start Transport Layer Security (StartTLS) operation defined in
387 section 4.14 of [Protocol] provides the ability to establish TLS
388 [TLS] in an LDAP session.
390 The goals of using the TLS [TLS] protocol with LDAP are to ensure
391 data confidentiality and integrity, and to optionally provide for
392 authentication. TLS expressly provides these capabilities, although
393 the authentication services of TLS are available to LDAP only in
394 combination with the SASL EXTERNAL authentication method (see
395 section 5.2.3), and then only if the SASL EXTERNAL implementation
396 chooses to make use of the TLS credentials.
399 3.1. TLS Establishment Procedures
402 Harrison Expires August 2006 [Page 7]
404 Internet-Draft LDAP Authentication Methods February 2006
406 This section describes the overall procedures clients and servers
407 must follow for TLS establishment. These procedures take into
408 consideration various aspects of the TLS layer including discovery
409 of resultant security level and assertion of the client's
410 authorization identity.
413 3.1.1. StartTLS Request Sequencing
415 A client may send the StartTLS extended request at any time after
416 establishing an LDAP session, except:
418 - when TLS is currently established on the session,
419 - when a multi-stage SASL negotiation is in progress on the
421 - when there are outstanding responses for operation requests
422 previously issued on the session.
424 As described in [Protocol] Section 4.14.1, a (detected) violation of
425 any of these requirements results in a return of the operationsError
428 Client implementers should ensure that they strictly follow these
429 operation sequencing requirements to prevent interoperability
430 issues. Operational experience has shown that violating these
431 requirements causes interoperability issues because there are race
432 conditions that prevent servers from detecting some violations of
433 these requirements due to factors such as server hardware speed and
436 There is no general requirement that the client have or have not
437 already performed a Bind operation (section 5) before sending a
438 StartTLS operation request, however where a client intends to
439 perform both a Bind operation and a StartTLS operation, it SHOULD
440 first perform the StartTLS operation so that the Bind request and
441 response messages are protected by the data security services
442 established by the StartTLS operation.
445 3.1.2. Client Certificate
447 If an LDAP server requests or demands that a client provide a user
448 certificate during TLS negotiation and the client does not present a
449 suitable user certificate (e.g., one that can be validated), the
450 server may use a local security policy to determine whether to
451 successfully complete TLS negotiation.
453 If a client that has provided a suitable certificate subsequently
454 performs a Bind operation using the SASL EXTERNAL authentication
455 mechanism (section 5.2.3), information in the certificate may be
456 used by the server to identify and authenticate the client.
459 3.1.3. Server Identity Check
461 Harrison Expires August 2006 [Page 8]
463 Internet-Draft LDAP Authentication Methods February 2006
466 In order to prevent man-in-the-middle attacks the client MUST verify
467 the server's identity (as presented in the server's Certificate
468 message). In this section, the client's understanding of the
469 server's identity (typically the identity used to establish the
470 transport connection) is called the "reference identity".
472 The client determines the type (e.g., DNS name or IP address) of the
473 reference identity and performs a comparison between the reference
474 identity and each subjectAltName value of the corresponding type
475 until a match is produced. Once a match is produced, the server's
476 identity has been verified and the server identity check is
477 complete. Different subjectAltName types are matched in different
478 ways. Sections 3.1.3.1 - 3.1.3.3 explain how to compare values of
479 various subjectAltName types.
481 The client may map the reference identity to a different type prior
482 to performing a comparison. Mappings may be performed for all
483 available subjectAltName types to which the reference identity can
484 be mapped, however the reference identity should only be mapped to
485 types for which the mapping is either inherently secure (e.g.,
486 extracting the DNS name from a URI to compare with a subjectAltName
487 of type dNSName) or for which the mapping is performed in a secure
488 manner (e.g., using DNSSec, or using user- (or admin-) configured
489 host-to-address/address-to-host lookup tables).
491 The server's identity may also be verified by comparing the
492 reference identity to the Common Name (CN) [Schema] value in the
493 leaf RDN of the subjectName field of the server's certificate. This
494 comparison is performed using the rules for comparison of DNS names
495 in section 3.1.3.1 below, with the exception that no wildcard
496 matching is allowed. Although the use of the Common Name value is
497 existing practice, it is deprecated and Certification Authorities
498 are encouraged to provide subjectAltName values instead. Note that
499 the TLS implementation may represent DNs in certificates according
500 to X.500 or other conventions. For example, some X.500
501 implementations order the RDNs in a DN using a left-to-right (most
502 significant to least significant) convention instead of LDAP's
503 right-to-left convention.
505 If the server identity check fails, user-oriented clients SHOULD
506 either notify the user (clients may give the user the opportunity to
507 continue with the LDAP session in this case) or close the transport
508 connection and indicate that the server's identity is suspect.
509 Automated clients SHOULD close the transport connection and then
510 return or log an error indicating that the server's identity is
513 Beyond the server identity check described in this section, clients
514 should be prepared to do further checking to ensure that the server
515 is authorized to provide the service it is requested to provide.
516 The client may need to make use of local policy information in
517 making this determination.
520 Harrison Expires August 2006 [Page 9]
522 Internet-Draft LDAP Authentication Methods February 2006
525 3.1.3.1. Comparison of DNS Names
527 If the reference identity is an internationalized domain name,
528 conforming implementations MUST convert it to the ASCII Compatible
529 Encoding (ACE) format as specified in section 4 of RFC 3490
530 [RFC3490] before comparison with subjectAltName values of type
531 dNSName. Specifically, conforming implementations MUST perform the
532 conversion operation specified in section 4 of RFC 3490 as follows:
534 * in step 1, the domain name SHALL be considered a "stored
536 * in step 3, set the flag called "UseSTD3ASCIIRules";
537 * in step 4, process each label with the "ToASCII"
539 * in step 5, change all label separators to U+002E (full
542 After performing the "to-ASCII" conversion, the DNS labels and names
543 MUST be compared for equality according to the rules specified in
544 section 3 of RFC3490.
546 The '*' (ASCII 42) wildcard character is allowed in subjectAltName
547 values of type dNSName and then only as the left-most (least
548 significant) DNS label in that value. This wildcard matches any
549 left-most DNS label in the server name. That is, the subject
550 *.example.com matches the server names a.example.com and
551 b.example.com but does not match example.com or a.b.example.com.
554 3.1.3.2. Comparison of IP Addresses
556 When the reference identity is an IP address, the identity MUST be
557 converted to the "network byte order" octet string representation
558 [RFC791][RFC2460]. For IP Version 4, as specified in RFC 791, the
559 octet string will contain exactly four octets. For IP Version 6, as
560 specified in RFC 2460, the octet string will contain exactly sixteen
561 octets. This octet string is then compared against subjectAltName
562 values of type iPAddress. A match occurs if the reference identity
563 octet string and value octet strings are identical.
566 3.1.3.3. Comparison of other subjectName types
568 Client implementations MAY support matching against subjectAltName
569 values of other types as described in other documents.
572 3.1.4. Discovery of Resultant Security Level
579 Harrison Expires August 2006 [Page 10]
581 Internet-Draft LDAP Authentication Methods February 2006
583 After a TLS layer is established in an LDAP session, both parties
584 are to each independently decide whether or not to continue based on
585 local policy and the security level achieved. If either party
586 decides that the security level is inadequate for it to continue, it
587 SHOULD remove the TLS layer immediately after the TLS
588 (re)negotiation has completed (see [Protocol] section 4.14.3 and
589 section 3.2 below). Implementations may reevaluate the security
590 level at any time and, upon finding it inadequate, should remove the
594 3.1.5. Refresh of Server Capabilities Information
596 After a TLS layer is established in an LDAP session, the client
597 SHOULD discard or refresh all information about the server it
598 obtained prior to the initiation of the TLS negotiation and not
599 obtained through secure mechanisms. This protects against man-in-
600 the-middle attacks that may have altered any server capabilities
601 information retrieved prior to TLS layer installation.
603 The server may advertise different capabilities after installing a
604 TLS layer. In particular, the value of 'supportedSASLMechanisms'
605 may be different after a TLS layer has been installed (specifically,
606 the EXTERNAL and PLAIN [PLAIN] mechanisms are likely to be listed
607 only after a TLS layer has been installed).
610 3.2. Effect of TLS on Authorization State
612 The establishment, change, and/or closure of TLS may cause the
613 authorization state to move to a new state. This is discussed
614 further in Section 4.
617 3.3. TLS Ciphersuites
619 Several issues should be considered when selecting TLS ciphersuites
620 that are appropriate for use in a given circumstance. These issues
621 include the following:
623 - The ciphersuite's ability to provide adequate confidentiality
624 protection for passwords and other data sent over the transport
625 connection. Client and server implementers should recognize
626 that some TLS ciphersuites provide no confidentiality protection
627 while other ciphersuites that do provide confidentiality
628 protection may be vulnerable to being cracked using brute force
629 methods, especially in light of ever-increasing CPU speeds that
630 reduce the time needed to successfully mount such attacks.
632 - Client and server implementers should carefully consider the
633 value of the password or data being protected versus the level
634 of confidentiality protection provided by the ciphersuite to
635 ensure that the level of protection afforded by the ciphersuite
638 Harrison Expires August 2006 [Page 11]
640 Internet-Draft LDAP Authentication Methods February 2006
643 - The ciphersuite's vulnerability (or lack thereof) to man-in-the-
644 middle attacks. Ciphersuites vulnerable to man-in-the-middle
645 attacks SHOULD NOT be used to protect passwords or sensitive
646 data, unless the network configuration is such that the danger
647 of a man-in-the-middle attack is negligible.
649 - After a TLS negotiation (either initial or subsequent) is
650 completed, both protocol peers should independently verify that
651 the security services provided by the negotiated ciphersuite are
652 adequate for the intended use of the LDAP session. If not, the
653 TLS layer should be closed.
656 4. Authorization State
658 Every LDAP session has an associated authorization state. This
659 state is comprised of numerous factors such as what (if any)
660 authorization state has been established, how it was established,
661 and what security services are in place. Some factors may be
662 determined and/or affected by protocol events (e.g., Bind, StartTLS,
663 or TLS closure), and some factors may be determined by external
664 events (e.g., time of day or server load).
666 While it is often convenient to view authorization state in
667 simplistic terms (as we often do in this technical specification)
668 such as "an anonymous state", it is noted that authorization systems
669 in LDAP implementations commonly involve many factors which
670 interrelate in complex manners.
672 Authorization in LDAP is a local matter. One of the key factors in
673 making authorization decisions is authorization identity. The Bind
674 operation defined in section 4.2 of [Protocol] and discussed further
675 in section 5 below allows information to be exchanged between the
676 client and server to establish an authorization identity for the
677 LDAP session. The Bind operation may also be used to move the LDAP
678 session to an anonymous authorization state (see section 5.1.1).
680 Upon initial establishment of the LDAP session, the session has an
681 anonymous authorization identity. Among other things this implies
682 that the client need not send a BindRequest in the first PDU of the
683 LDAP message layer. The client may send any operation request prior
684 to performing a Bind operation, and the server MUST treat it as if
685 it had been performed after an anonymous Bind operation (section
688 Upon receipt of a Bind request, the server immediately moves the
689 session to an anonymous authorization state. If the Bind request is
690 successful, the session is moved to the requested authentication
691 state with its associated authorization state. Otherwise, the
692 session remains in an anonymous state.
697 Harrison Expires August 2006 [Page 12]
699 Internet-Draft LDAP Authentication Methods February 2006
701 It is noted that other events both internal and external to LDAP may
702 result in the authentication and authorization states being moved to
703 an anonymous one. For instance, the establishment, change or
704 closure of data security services may result in a move to an
705 anonymous state, or the user's credential information (e.g.,
706 certificate) may have expired. The former is an example of an event
707 internal to LDAP whereas the latter is an example of an event
713 The Bind operation ([Protocol] section 4.2) allows authentication
714 information to be exchanged between the client and server to
715 establish a new authorization state.
717 The Bind request typically specifies the desired authentication
718 identity. Some Bind mechanisms also allow the client to specify the
719 authorization identity. If the authorization identity is not
720 specified, the server derives it from the authentication identity in
721 an implementation-specific manner.
723 If the authorization identity is specified, the server MUST verify
724 that the client's authentication identity is permitted to assume
725 (e.g., proxy for) the asserted authorization identity. The server
726 MUST reject the Bind operation with an invalidCredentials resultCode
727 in the Bind response if the client is not so authorized.
730 5.1. Simple Authentication Method
732 The simple authentication method of the Bind Operation provides
733 three authentication mechanisms:
735 - An anonymous authentication mechanism (section 5.1.1).
737 - An unauthenticated authentication mechanism (section 5.1.2).
739 - A name/password authentication mechanism using credentials
740 consisting of a name (in the form of an LDAP distinguished name
741 [LDAPDN]) and a password (section 5.1.3).
744 5.1.1. Anonymous Authentication Mechanism of Simple Bind
746 An LDAP client may use the anonymous authentication mechanism of the
747 simple Bind method to explicitly establish an anonymous
748 authorization state by sending a Bind request with a name value of
749 zero length and specifying the simple authentication choice
750 containing a password value of zero length.
753 5.1.2. Unauthenticated Authentication Mechanism of Simple Bind
756 Harrison Expires August 2006 [Page 13]
758 Internet-Draft LDAP Authentication Methods February 2006
760 An LDAP client may use the unauthenticated authentication mechanism
761 of the simple Bind method to establish an anonymous authorization
762 state by sending a Bind request with a name value (a distinguished
763 name in LDAP string form [LDAPDN] of non-zero length) and specifying
764 the simple authentication choice containing a password value of zero
767 The distinguished name value provided by the client is intended to
768 be used for trace (e.g., logging) purposes only. The value is not
769 to be authenticated or otherwise validated (including verification
770 that the DN refers to an existing directory object). The value is
771 not to be used (directly or indirectly) for authorization purposes.
773 Unauthenticated Bind operations can have significant security issues
774 (see section 6.3.1). In particular, users intending to perform
775 Name/Password Authentication may inadvertently provide an empty
776 password and thus cause poorly implemented clients to request
777 Unauthenticated access. Clients SHOULD be implemented to require
778 user selection of the Unauthenticated Authentication Mechanism by
779 means other than user input of an empty password. Clients SHOULD
780 disallow an empty password input to a Name/Password Authentication
781 user interface. Additionally, Servers SHOULD by default fail
782 Unauthenticated Bind requests with a resultCode of
786 5.1.3. Name/Password Authentication Mechanism of Simple Bind
788 An LDAP client may use the name/password authentication mechanism of
789 the simple Bind method to establish an authenticated authorization
790 state by sending a Bind request with a name value (a distinguished
791 name in LDAP string form [LDAPDN] of non-zero length) and specifying
792 the simple authentication choice containing an OCTET STRING password
793 value of non-zero length.
795 Servers that map the DN sent in the Bind request to a directory
796 entry with an associated set of one or more passwords used with this
797 mechanism will compare the presented password to that set of
798 passwords. The presented password is considered valid if it matches
799 any member of this set.
801 A resultCode of invalidDNSyntax indicates that the DN sent in the
802 name value is syntactically invalid. A resultCode of
803 invalidCredentials indicates that the DN is syntactically correct
804 but not valid for purposes of authentication, or the password is not
805 valid for the DN or the server otherwise considers the credentials
806 to be invalid. A resultCode of success indicates that the
807 credentials are valid and the server is willing to provide service
808 to the entity these credentials identify.
810 Server behavior is undefined for Bind requests specifying the
811 name/password authentication mechanism with a zero-length name value
812 and a password value of non-zero length.
815 Harrison Expires August 2006 [Page 14]
817 Internet-Draft LDAP Authentication Methods February 2006
819 The name/password authentication mechanism of the simple Bind method
820 is not suitable for authentication in environments without
821 confidentiality protection.
824 5.2. SASL Authentication Method
826 The sasl authentication method of the Bind Operation provides
827 facilities for using any SASL mechanism including authentication
828 mechanisms and other services (e.g., data security services).
831 5.2.1. SASL Protocol Profile
833 LDAP allows authentication via any SASL mechanism [SASL]. As LDAP
834 includes native anonymous and name/password (plain text)
835 authentication methods, the ANONYMOUS [ANONYMOUS] and PLAIN [PLAIN]
836 SASL mechanisms are typically not used with LDAP.
838 Each protocol that utilizes SASL services is required to supply
839 certain information profiling the way they are exposed through the
840 protocol ([SASL] section 4). This section explains how each of
841 these profiling requirements are met by LDAP.
844 5.2.1.1. SASL Service Name for LDAP
846 The SASL service name for LDAP is "ldap", which has been registered
847 with the IANA as a SASL service name.
850 5.2.1.2. SASL Authentication Initiation and Protocol Exchange
852 SASL authentication is initiated via a BindRequest message
853 ([Protocol] section 4.2) with the following parameters:
856 - The AuthenticationChoice is sasl.
857 - The mechanism element of the SaslCredentials sequence contains
858 the value of the desired SASL mechanism.
859 - The optional credentials field of the SaslCredentials sequence
860 MAY be used to provide an initial client response for
861 mechanisms that are defined to have the client send data first
862 (see [SASL] sections 3 and 5 ).
874 Harrison Expires August 2006 [Page 15]
876 Internet-Draft LDAP Authentication Methods February 2006
878 In general, a SASL authentication protocol exchange consists of a
879 series of server challenges and client responses, the contents of
880 which are specific to and defined by the SASL mechanism. Thus for
881 some SASL authentication mechanisms, it may be necessary for the
882 client to respond to one or more server challenges by sending
883 BindRequest messages multiple times. A challenge is indicated by
884 the server sending a BindResponse message with the resultCode set to
885 saslBindInProgress. This indicates that the server requires the
886 client to send a new BindRequest message with the same SASL
887 mechanism to continue the authentication process.
889 To the LDAP message layer, these challenges and responses are opaque
890 binary tokens of arbitrary length. LDAP servers use the
891 serverSaslCreds field (an OCTET STRING) in a BindResponse message to
892 transmit each challenge. LDAP clients use the credentials field
893 (an OCTET STRING) in the SaslCredentials sequence of a BindRequest
894 message to transmit each response. Note that unlike some Internet
895 protocols where SASL is used, LDAP is not text based and does not
896 Base64-transform these challenge and response values.
898 Clients sending a BindRequest message with the sasl choice selected
899 SHOULD send a zero-length value in the name field. Servers
900 receiving a BindRequest message with the sasl choice selected SHALL
901 ignore any value in the name field.
903 A client may abort a SASL Bind negotiation by sending a BindRequest
904 message with a different value in the mechanism field of
905 SaslCredentials or with an AuthenticationChoice other than sasl.
907 If the client sends a BindRequest with the sasl mechanism field as
908 an empty string, the server MUST return a BindResponse with a
909 resultCode of authMethodNotSupported. This will allow the client to
910 abort a negotiation if it wishes to try again with the same SASL
913 The server indicates completion of the SASL challenge-response
914 exchange by responding with a BindResponse in which the resultCode
915 value is not saslBindInProgress.
917 The serverSaslCreds field in the BindResponse can be used to include
918 an optional challenge with a success notification for mechanisms
919 which are defined to have the server send additional data along with
920 the indication of successful completion.
923 5.2.1.3. Optional Fields
925 As discussed above, LDAP provides an optional field for carrying an
926 initial response in the message initiating the SASL exchange and
927 provides an optional field for carrying additional data in the
928 message indicating outcome of the authentication exchange. As the
929 mechanism-specific content in these fields may be zero-length, SASL
930 requires protocol specifications to detail how an empty field is
931 distinguished from an absent field.
933 Harrison Expires August 2006 [Page 16]
935 Internet-Draft LDAP Authentication Methods February 2006
938 Zero-length initial response data is distinguished from no initial
939 response data in the initiating message, a BindRequest PDU, by the
940 presence of the SaslCredentials.credentials OCTET STRING (of length
941 zero) in that PDU. If the client does not intend to send an
942 initial response with the BindRequest initiating the SASL exchange,
943 it MUST omit the SaslCredentials.credentials OCTET STRING (rather
944 than including an zero-length OCTET STRING).
946 Zero-length additional data is distinguished from no additional
947 response data in the outcome message, a BindResponse PDU, by the
948 presence of the serverSaslCreds OCTET STRING (of length zero) in
949 that PDU. If a server does not intend to send additional data in
950 the BindResponse message indicating outcome of the exchange, the
951 server SHALL omit the serverSaslCreds OCTET STRING (rather than
952 including a zero-length OCTET STRING).
955 5.2.1.4. Octet Where Negotiated Security Layers Take Effect
957 SASL layers take effect following the transmission by the server and
958 reception by the client of the final BindResponse in the SASL
959 exchange with a resultCode of success.
961 Once a SASL layer providing data integrity or confidentiality
962 services takes effect, the layer remains in effect until a new layer
963 is installed (i.e. at the first octet following the final
964 BindResponse of the Bind operation that caused the new layer to take
965 effect). Thus, an established SASL layer is not affected by a
966 failed or non-SASL Bind.
969 5.2.1.5. Determination of Supported SASL Mechanisms
971 Clients may determine the SASL mechanisms a server supports by
972 reading the 'supportedSASLMechanisms' attribute from the root DSE
973 (DSA-Specific Entry) ([Models] section 5.1). The values of this
974 attribute, if any, list the mechanisms the server supports in the
975 current LDAP session state. LDAP servers SHOULD allow all clients--
976 even those with an anonymous authorization--to retrieve the
977 'supportedSASLMechanisms' attribute of the root DSE both before and
978 after the SASL authentication exchange. The purpose of the latter
979 is to allow the client to detect possible downgrade attacks (see
980 section 6.4 and [SASL] section 6.1.2).
982 Because SASL mechanisms provide critical security functions, clients
983 and servers should be configurable to specify what mechanisms are
984 acceptable and allow only those mechanisms to be used. Both clients
985 and servers must confirm that the negotiated security level meets
986 their requirements before proceeding to use the session.
989 5.2.1.6. Rules for Using SASL Layers
992 Harrison Expires August 2006 [Page 17]
994 Internet-Draft LDAP Authentication Methods February 2006
996 Upon installing a SASL layer, the client SHOULD discard or refresh
997 all information about the server it obtained prior to the initiation
998 of the SASL negotiation and not obtained through secure mechanisms.
1000 If a lower level security layer (such as TLS) is installed, any SASL
1001 layer SHALL be layered on top of such security layers regardless of
1002 the order of their negotiation. In all other respects, the SASL
1003 layer and other security layers act independently, e.g., if both a
1004 TLS layer and a SASL layer are in effect then removing the TLS layer
1005 does not affect the continuing service of the SASL layer.
1008 5.2.1.7. Support for Multiple Authentications
1010 LDAP supports multiple SASL authentications as defined in [SASL]
1014 5.2.1.8. SASL Authorization Identities
1016 Some SASL mechanisms allow clients to request a desired
1017 authorization identity for the LDAP session ([SASL] section 3.4.
1018 The decision to allow or disallow the current authentication
1019 identity to have access to the requested authorization identity is a
1020 matter of local policy. The authorization identity is a string of
1021 UTF-8 [RFC3629] encoded [Unicode] characters corresponding to the
1022 following ABNF [RFC2234bis] grammar:
1024 authzId = dnAuthzId / uAuthzId
1026 ; distinguished-name-based authz id
1027 dnAuthzId = "dn:" distinguishedName
1029 ; unspecified authorization id, UTF-8 encoded
1030 uAuthzId = "u:" userid
1031 userid = *UTF8 ; syntax unspecified
1033 where the distinguishedName rule is defined in section 3 of [LDAPDN]
1034 and the UTF8 rule is defined in section 1.4 of [Models].
1036 The dnAuthzId choice is used to assert authorization identities in
1037 the form of a distinguished name to be matched in accordance with
1038 the distinguishedNameMatch matching rule [Syntaxes]. There is no
1039 requirement that the asserted distinguishedName value be that of an
1040 entry in the directory.
1051 Harrison Expires August 2006 [Page 18]
1053 Internet-Draft LDAP Authentication Methods February 2006
1055 The uAuthzId choice allows clients to assert an authorization
1056 identity that is not in distinguished name form. The format of
1057 userid is defined only as a sequence of UTF-8 [RFC3629] encoded
1058 [Unicode] characters, and any further interpretation is a local
1059 matter. For example, the userid could identify a user of a specific
1060 directory service, be a login name or be an email address. A
1061 uAuthzId SHOULD NOT be assumed to be globally unique. To compare
1062 uAuthzID values, each uAuthzID value MUST be prepared as a "query"
1063 string using [RFC4013] and then the two values are compared octet-
1066 The above grammar is extensible. The authzId production may be
1067 extended to support additional forms of identities. Each form is
1068 distinguished by its unique prefix (see section 3.12 of [LDAPIANA]
1069 for registration requirements).
1072 5.2.2. SASL Semantics Within LDAP
1074 Implementers must take care to maintain the semantics of SASL
1075 specifications when handling data that has different semantics in
1078 For example, the SASL DIGEST-MD5 authentication mechanism [RFC2829]
1079 utilizes an authentication identity and a realm which are
1080 syntactically simple strings and semantically simple username and
1081 realm values ([DIGEST-MD5] section 2.1). These values are not LDAP
1082 DNs, and there is no requirement that they be represented or treated
1086 5.2.3. SASL EXTERNAL Authentication Mechanism
1088 A client can use the SASL EXTERNAL [SASL] mechanism to request the
1089 LDAP server to authenticate and establish a resulting authorization
1090 identity using security credentials exchanged by a lower security
1091 layer (such as by TLS authentication). If the client's
1092 authentication credentials have not been established at a lower
1093 security layer, the SASL EXTERNAL Bind MUST fail with a resultCode
1094 of inappropriateAuthentication. Although this situation has the
1095 effect of leaving the LDAP session in an anonymous state (section
1096 4), the state of any installed security layer is unaffected.
1098 A client may either request that its authorization identity be
1099 automatically derived from its authentication credentials exchanged
1100 at a lower security layer or it may explicitly provide a desired
1101 authorization identity. The former is known as an implicit
1102 assertion, and the latter as an explicit assertion.
1105 5.2.3.1. Implicit Assertion
1110 Harrison Expires August 2006 [Page 19]
1112 Internet-Draft LDAP Authentication Methods February 2006
1114 An implicit authorization identity assertion is performed by
1115 invoking a Bind request of the SASL form using the EXTERNAL
1116 mechanism name that does not include the optional credentials field
1117 (found within the SaslCredentials sequence in the BindRequest). The
1118 server will derive the client's authorization identity from the
1119 authentication identity supplied by a security layer (e.g., a public
1120 key certificate used during TLS layer installation) according to
1121 local policy. The underlying mechanics of how this is accomplished
1122 are implementation specific.
1125 5.2.3.2. Explicit Assertion
1127 An explicit authorization identity assertion is performed by
1128 invoking a Bind request of the SASL form using the EXTERNAL
1129 mechanism name that includes the credentials field (found within the
1130 SaslCredentials sequence in the BindRequest). The value of the
1131 credentials field (an OCTET STRING) is the asserted authorization
1132 identity and MUST be constructed as documented in section 5.2.1.8.
1135 6. Security Considerations
1137 Security issues are discussed throughout this document. The
1138 unsurprising conclusion is that security is an integral and
1139 necessary part of LDAP. This section discusses a number of LDAP-
1140 related security considerations.
1143 6.1. General LDAP Security Considerations
1145 LDAP itself provides no security or protection from accessing or
1146 updating the directory by other means than through the LDAP
1147 protocol, e.g., from inspection of server database files by database
1150 Sensitive data may be carried in almost any LDAP message and its
1151 disclosure may be subject to privacy laws or other legal regulation
1152 in many countries. Implementers should take appropriate measures to
1153 protect sensitive data from disclosure to unauthorized entities.
1155 A session on which the client has not established data integrity and
1156 privacy services (e.g., via StartTLS, IPsec or a suitable SASL
1157 mechanism) is subject to man-in-the-middle attacks to view and
1158 modify information in transit. Client and server implementers
1159 SHOULD take measures to protect sensitive data in the LDAP session
1160 from these attacks by using data protection services as discussed in
1161 this document. Clients and servers should provide the ability to be
1162 configured to require these protections. A resultCode of
1163 confidentialityRequired indicates that the server requires
1164 establishment of (stronger) data confidentiality protection in order
1165 to perform the requested operation.
1169 Harrison Expires August 2006 [Page 20]
1171 Internet-Draft LDAP Authentication Methods February 2006
1173 Access control should always be applied when reading sensitive
1174 information or updating directory information.
1176 Various security factors, including authentication and authorization
1177 information and data security services may change during the course
1178 of the LDAP session, or even during the performance of a particular
1179 operation. Implementations should be robust in the handling of
1180 changing security factors.
1183 6.2. StartTLS Security Considerations
1185 All security gained via use of the StartTLS operation is gained by
1186 the use of TLS itself. The StartTLS operation, on its own, does not
1187 provide any additional security.
1189 The level of security provided through the use of TLS depends
1190 directly on both the quality of the TLS implementation used and the
1191 style of usage of that implementation. Additionally, a man-in-the-
1192 middle attacker can remove the StartTLS extended operation from the
1193 'supportedExtension' attribute of the root DSE. Both parties SHOULD
1194 independently ascertain and consent to the security level achieved
1195 once TLS is established and before beginning use of the TLS-
1196 protected session. For example, the security level of the TLS layer
1197 might have been negotiated down to plaintext.
1199 Clients MUST either warn the user when the security level achieved
1200 does not provide an acceptable level of data confidentiality and/or
1201 data integrity protection, or be configurable to refuse to proceed
1202 without an acceptable level of security.
1204 As stated in section 3.1.2, a server may use a local security policy
1205 to determine whether to successfully complete TLS negotiation.
1206 Information in the user's certificate that is originated or verified
1207 by the certification authority should be used by the policy
1208 administrator when configuring the identification and authorization
1211 Server implementers SHOULD allow server administrators to elect
1212 whether and when data confidentiality and integrity are required, as
1213 well as elect whether authentication of the client during the TLS
1214 handshake is required.
1216 Implementers should be aware of and understand TLS security
1217 considerations as discussed in the TLS specification [TLS].
1220 6.3. Bind Operation Security Considerations
1222 This section discusses several security considerations relevant to
1223 LDAP authentication via the Bind operation.
1226 6.3.1. Unauthenticated Mechanism Security Considerations
1228 Harrison Expires August 2006 [Page 21]
1230 Internet-Draft LDAP Authentication Methods February 2006
1233 Operational experience shows that clients can (and frequently do)
1234 misuse the unauthenticated authentication mechanism of the simple
1235 Bind method (see section 5.1.2). For example, a client program
1236 might make a decision to grant access to non-directory information
1237 on the basis of successfully completing a Bind operation. LDAP
1238 server implementations may return a success response to an
1239 unauthenticated Bind request. This may erroneously leave the client
1240 with the impression that the server has successfully authenticated
1241 the identity represented by the distinguished name when in reality,
1242 an anonymous authorization state has been established. Clients that
1243 use the results from a simple Bind operation to make authorization
1244 decisions should actively detect unauthenticated Bind requests (by
1245 verifying that the supplied password is not empty) and react
1249 6.3.2. Name/Password Mechanism Security Considerations
1251 The name/password authentication mechanism of the simple Bind method
1252 discloses the password to the server, which is an inherent security
1253 risk. There are other mechanisms such as SASL DIGEST-MD5 [RFC2829]
1254 that do not disclose the password to the server.
1257 6.3.3. Password-related Security Considerations
1259 LDAP allows multi-valued password attributes. In systems where
1260 entries are expected to have one and only one password,
1261 administrative controls should be provided to enforce this behavior.
1263 The use of clear text passwords and other unprotected authentication
1264 credentials is strongly discouraged over open networks when the
1265 underlying transport service cannot guarantee confidentiality. LDAP
1266 implementations SHOULD NOT by default support authentication methods
1267 using clear text passwords and other unprotected authentication
1268 credentials unless the data on the session is protected using TLS or
1269 other data confidentiality and data integrity protection.
1271 The transmission of passwords in the clear--typically for
1272 authentication or modification--poses a significant security risk.
1273 This risk can be avoided by using SASL authentication [SASL]
1274 mechanisms that do not transmit passwords in the clear or by
1275 negotiating transport or session layer data confidentiality services
1276 before transmitting password values.
1278 To mitigate the security risks associated with the transfer of
1279 passwords, a server implementation that supports any password-based
1280 authentication mechanism that transmits passwords in the clear MUST
1281 support a policy mechanism that at the time of authentication or
1282 password modification, requires:
1284 A TLS layer has been successfully installed.
1287 Harrison Expires August 2006 [Page 22]
1289 Internet-Draft LDAP Authentication Methods February 2006
1293 Some other data confidentiality mechanism that protects the
1294 password value from eavesdropping has been provided.
1298 The server returns a resultCode of confidentialityRequired for
1299 the operation (i.e. name/password Bind with password value,
1300 SASL Bind transmitting a password value in the clear, add or
1301 modify including a userPassword value, etc.), even if the
1302 password value is correct.
1304 Server implementations may also want to provide policy mechanisms to
1305 invalidate or otherwise protect accounts in situations where a
1306 server detects that a password for an account has been transmitted
1310 6.3.4. Hashed Password Security Considerations
1312 Some authentication mechanisms (e.g., DIGEST-MD5) transmit a hash of
1313 the password value that may be vulnerable to offline dictionary
1314 attacks. Implementers should take care to protect such hashed
1315 password values during transmission using TLS or other
1316 confidentiality mechanisms.
1319 6.4.SASL Security Considerations
1321 Until data integrity service is installed on an LDAP session, an
1322 attacker can modify the transmitted values of the
1323 'supportedSASLMechanisms' attribute response and thus downgrade the
1324 list of available SASL mechanisms to include only the least secure
1325 mechanism. To detect this type of attack, the client may retrieve
1326 the SASL mechanisms the server makes available both before and after
1327 data integrity service is installed on an LDAP session. If the
1328 client finds that the integrity-protected list (the list obtained
1329 after data integrity service was installed) contains a stronger
1330 mechanism than those in the previously obtained list, the client
1331 should assume the previously obtained list was modified by an
1332 attacker. In this circumstance it is recommended that the client
1333 close the underlying transport connection and then reconnect to
1334 reestablish the session.
1337 6.5. Related Security Considerations
1339 Additional security considerations relating to the various
1340 authentication methods and mechanisms discussed in this document
1341 apply and can be found in [SASL], [RFC4013], [StringPrep] and
1346 Harrison Expires August 2006 [Page 23]
1348 Internet-Draft LDAP Authentication Methods February 2006
1350 7. IANA Considerations
1352 It is requested that the IANA update the LDAP Protocol Mechanism
1353 registry to indicate that this document and [Protocol] provide the
1354 definitive technical specification for the StartTLS
1355 (1.3.6.1.4.1.1466.20037) extended operation.
1360 This document combines information originally contained in RFC 2251,
1361 RFC 2829 and RFC 2830 which are products of the LDAP Extensions
1362 (LDAPEXT) Working Group.
1364 This document is a product of the IETF LDAP Revision (LDAPBIS)
1368 9. Normative References
1370 [[Note to the RFC Editor: please replace the citation tags used in
1371 referencing Internet-Drafts with tags of the form RFCnnnn.]]
1373 [LDAPDN] Zeilenga, Kurt D. (editor), "LDAP: String
1374 Representation of Distinguished Names", draft-ietf-
1375 ldapbis-dn-xx.txt, a work in progress.
1377 [LDAPIANA] Zeilenga, K., "IANA Considerations for LDAP", draft-
1378 ietf-ldapbis-bcp64-xx.txt, (a work in progress).
1380 [Matching] Hoffman, Paul and Steve Hanna, "Matching Text Strings
1381 in PKIX Certificates", draft-hoffman-pkix-stringmatch-
1382 xx.txt, a work in progress.
1384 [Models] Zeilenga, Kurt D. (editor), "LDAP: Directory
1385 Information Models", draft-ietf-ldapbis-models-xx.txt,
1388 [Protocol] Sermersheim, J., "LDAP: The Protocol", draft-ietf-
1389 ldapbis-protocol-xx.txt, a work in progress.
1391 [RFC791] Information Sciences Institute, "INTERNET PROTOCOL
1392 DARPA INTERNET PROGRAM PROTOCOL SPECIFICATION", RFC
1393 791, September 1981.
1395 [RFC2119] Bradner, S., "Key Words for use in RFCs to Indicate
1396 Requirement Levels", BCP 14, RFC 2119, March 1997.
1398 [RFC2234bis] Crocker, D., Ed. and P. Overell, "Augmented BNF for
1399 Syntax Specifications: ABNF", draft-crocker-abnf-
1400 rfc2234bis-xx, a work in progress.
1402 [RFC2460] Deering, S., R. Hinden, "Internet Protocol, Version 6
1403 (IPv6)", RFC 2460, December 1998.
1405 Harrison Expires August 2006 [Page 24]
1407 Internet-Draft LDAP Authentication Methods February 2006
1410 [RFC3490] Falstrom, P., P. Hoffman, and A. Costello,
1411 "Internationalizing Domain Names In Applications
1412 (IDNA)", RFC 3490, March 2003.
1414 [RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO
1415 10646", RFC 3629, STD 63, November 2003.
1417 [RFC4013] Zeilenga, K., "SASLprep: Stringprep Profile for User
1418 Names and Passwords", RFC 4013, February 2005.
1420 [Roadmap] K. Zeilenga, "LDAP: Technical Specification Road Map",
1421 draft-ietf-ldapbis-roadmap-xx.txt, a work in progress.
1423 [SASL] Melnikov, A. (editor), "Simple Authentication and
1424 Security Layer (SASL)", draft-ietf-sasl-rfc2222bis-
1425 xx.txt, a work in progress.
1427 [Schema] Dally, K. (editor), "LDAP: User Schema", draft-ietf-
1428 ldapbis-user-schema-xx.txt, a work in progress.
1430 [StringPrep] M. Blanchet, "Preparation of Internationalized Strings
1431 ('stringprep')", draft-hoffman-rfc3454bis-xx.txt, a
1434 [Syntaxes] Legg, S. (editor), "LDAP: Syntaxes and Matching Rules",
1435 draft-ietf-ldapbis-syntaxes-xx.txt, a work in progress.
1437 [TLS] Dierks, T. and C. Allen. "The TLS Protocol Version
1438 1.1", draft-ietf-tls-rfc2246-bis-xx.txt, a work in
1441 [Unicode] The Unicode Consortium, "The Unicode Standard, Version
1442 3.2.0" is defined by "The Unicode Standard, Version
1443 3.0" (Reading, MA, Addison-Wesley, 2000. ISBN 0-201-
1444 61633-5), as amended by the "Unicode Standard Annex
1446 (http://www.unicode.org/reports/tr27/) and by the
1447 "Unicode Standard Annex #28: Unicode 3.2"
1448 (http://www.unicode.org/reports/tr28/).
1451 10. Informative References
1453 [[Note to the RFC Editor: please replace the citation tags used in
1454 referencing Internet-Drafts with tags of the form RFCnnnn.]]
1456 [ANONYMOUS] Zeilenga, K., "Anonymous SASL Mechanism", draft-
1457 zeilenga-sasl-anon-xx.txt, a work in progress.
1459 [DIGEST-MD5] Leach, P. C. Newman, and A. Melnikov, "Using Digest
1460 Authentication as a SASL Mechanism", draft-ietf-sasl-
1461 rfc2831bis-xx.txt, a work in progress.
1464 Harrison Expires August 2006 [Page 25]
1466 Internet-Draft LDAP Authentication Methods February 2006
1468 [PLAIN] Zeilenga, K.,"Plain SASL Mechanism", draft-zeilenga-
1469 sasl-plain-xx.txt, a work in progress.
1471 [RFC2828] Shirey, R., "Internet Security Glossary", RFC 2828, May
1474 [RFC2829] Wahl, M. et al, "Authentication Methods for LDAP", RFC
1477 [RFC4301] Kent, S. and K. Seo, "Security Architecture for the
1478 Internet Protocol", RFC 4301, December 2005.
1484 1800 S. Novell Place
1488 roger_harrison@novell.com
1491 Appendix A. Authentication and Authorization Concepts
1493 This appendix is non-normative.
1495 This appendix defines basic terms, concepts, and interrelationships
1496 regarding authentication, authorization, credentials, and identity.
1497 These concepts are used in describing how various security
1498 approaches are utilized in client authentication and authorization.
1501 A.1. Access Control Policy
1503 An access control policy is a set of rules defining the protection
1504 of resources, generally in terms of the capabilities of persons or
1505 other entities accessing those resources. Security objects and
1506 mechanisms, such as those described here, enable the expression of
1507 access control policies and their enforcement.
1510 A.2. Access Control Factors
1512 A request, when it is being processed by a server, may be associated
1513 with a wide variety of security-related factors ([Protocol] section
1514 4.2). The server uses these factors to determine whether and how to
1515 process the request. These are called access control factors
1516 (ACFs). They might include source IP address, encryption strength,
1517 the type of operation being requested, time of day, etc.. Some
1518 factors may be specific to the request itself, others may be
1519 associated with the transport connection via which the request is
1520 transmitted, others (e.g., time of day) may be "environmental".
1523 Harrison Expires August 2006 [Page 26]
1525 Internet-Draft LDAP Authentication Methods February 2006
1527 Access control policies are expressed in terms of access control
1528 factors. For example, "a request having ACFs i,j,k can perform
1529 operation Y on resource Z." The set of ACFs that a server makes
1530 available for such expressions is implementation-specific.
1532 A.3. Authentication, Credentials, Identity
1534 Authentication credentials are the evidence supplied by one party to
1535 another, asserting the identity of the supplying party (e.g., a
1536 user) who is attempting to establish a new authorization state with
1537 the other party (typically a server). Authentication is the process
1538 of generating, transmitting, and verifying these credentials and
1539 thus the identity they assert. An authentication identity is the
1540 name presented in a credential.
1542 There are many forms of authentication credentials. The form used
1543 depends upon the particular authentication mechanism negotiated by
1544 the parties. X.509 certificates, Kerberos tickets, and simple
1545 identity and password pairs are all examples of authentication
1546 credential forms. Note that an authentication mechanism may
1547 constrain the form of authentication identities used with it.
1550 A.4. Authorization Identity
1552 An authorization identity is one kind of access control factor. It
1553 is the name of the user or other entity that requests that
1554 operations be performed. Access control policies are often
1555 expressed in terms of authorization identities; for example, "entity
1556 X can perform operation Y on resource Z."
1558 The authorization identity of an LDAP session is often semantically
1559 the same as the authentication identity presented by the client, but
1560 it may be different. SASL allows clients to specify an
1561 authorization identity distinct from the authentication identity
1562 asserted by the client's credentials. This permits agents such as
1563 proxy servers to authenticate using their own credentials, yet
1564 request the access privileges of the identity for which they are
1565 proxying [SASL]. Also, the form of authentication identity supplied
1566 by a service like TLS may not correspond to the authorization
1567 identities used to express a server's access control policy,
1568 requiring a server-specific mapping to be done. The method by which
1569 a server composes and validates an authorization identity from the
1570 authentication credentials supplied by a client is implementation
1574 Appendix B. Summary of Changes
1576 This appendix is non-normative.
1582 Harrison Expires August 2006 [Page 27]
1584 Internet-Draft LDAP Authentication Methods February 2006
1586 This appendix summarizes substantive changes made to RFC 2251, RFC
1587 2829 and RFC 2830. In addition to the specific changes detailed
1588 below, the reader of this document should be aware that numerous
1589 general editorial changes have been made to the original content
1590 from the source documents. These changes include the following:
1592 - The material originally found in RFC 2251 sections 4.2.1 and
1593 4.2.2, RFC 2829 (all sections except sections 2 and 4) and RFC
1594 2830 was combined into a single document
1596 - The combined material was substantially reorganized and edited
1597 to group related subjects, improve the document flow and clarify
1600 - Changes were made throughout the text to align with definitions
1601 of LDAP protocol layers and IETF security terminology.
1603 - Substantial updates and additions were made to security
1604 considerations from both documents based on current operational
1608 B.1. Changes Made to RFC 2251
1610 This section summarizes the substantive changes made to sections
1611 4.2.1 and 4.2.2 of RFC 2251 by this document. Additional
1612 substantive changes to section 4.2.1 of RFC 2251 are also documented
1616 B.1.1. Section 4.2.1 (Sequencing of the Bind Request)
1618 - Paragraph 1: Removed the sentence, "If at any stage the client
1619 wishes to abort the bind process it MAY unbind and then drop the
1620 underlying connection." The Unbind operation still permits this
1621 behavior, but it is not documented explicitly.
1623 - Clarified that the session is moved to an anonymous state upon
1624 receipt of the BindRequest PDU and that it is only moved to a
1625 non-anonymous state if and when the Bind request is successful.
1628 B.1.2. Section 4.2.2 (Authentication and Other Security Services)
1630 - RFC 2251 states that anonymous authentication MUST be performed
1631 using the simple bind method. This specification defines the
1632 anonymous authentication mechanism of the simple bind method and
1633 requires all conforming implementations to support it. Other
1634 authentication mechanisms producing anonymous authentication and
1635 authorization state may also be implemented and used by
1636 conforming implementations.
1639 B.2. Changes Made to RFC 2829
1641 Harrison Expires August 2006 [Page 28]
1643 Internet-Draft LDAP Authentication Methods February 2006
1646 This section summarizes the substantive changes made to RFC 2829.
1649 B.2.1. Section 4 (Required security mechanisms)
1651 - The name/password authentication mechanism (see section B.2.5
1652 below) protected by TLS replaces the SASL DIGEST-MD5 mechanism
1653 as LDAP's mandatory-to-implement password-based authentication
1654 mechanism. Implementations are encouraged to continue
1655 supporting SASL DIGEST-MD5 [RFC2829].
1658 B.2.2. Section 5.1 (Anonymous authentication procedure)
1660 - Clarified that anonymous authentication involves a name value of
1661 zero length and a password value of zero length. The
1662 unauthenticated authentication mechanism was added to handle
1663 simple Bind requests involving a name value with a non-zero
1664 length and a password value of zero length.
1667 B.2.3. Section 6 (Password-based authentication)
1669 - See section B.2.1.
1672 B.2.4. Section 6.1 (Digest authentication)
1674 - As the SASL-DIGEST-MD5 mechanism is no longer mandatory to
1675 implement, this section is now historical and was not included
1676 in this document. RFC 2829 section 6.1 continues to document the
1677 SASL DIGEST-MD5 authentication mechanism.
1680 B.2.5. Section 6.2 ("simple" authentication choice with TLS)
1682 - Renamed the "simple" authentication mechanism to the
1683 name/password authentication mechanism to better describe it.
1685 - The use of TLS was generalized to align with definitions of LDAP
1686 protocol layers. TLS establishment is now discussed as an
1687 independent subject and is generalized for use with all
1688 authentication mechanisms and other security layers.
1690 - Removed the implication that the userPassword attribute is the
1691 sole location for storage of password values to be used in
1692 authentication. There is no longer any implied requirement for
1693 how or where passwords are stored at the server for use in
1697 B.2.6. Section 6.3 (Other authentication choices with TLS)
1700 Harrison Expires August 2006 [Page 29]
1702 Internet-Draft LDAP Authentication Methods February 2006
1704 - See section B.2.5.
1707 B.2.7. Section 7.1 (Certificate-based authentication with TLS)
1709 - See section B.2.5.
1712 B.2.8. Section 8 (Other mechanisms)
1714 - All SASL authentication mechanisms are explicitly allowed within
1715 LDAP. Specifically, this means the SASL ANONYMOUS and SASL PLAIN
1716 mechanisms are no longer precluded from use within LDAP.
1719 B.2.9. Section 9 (Authorization identity)
1721 - Specified matching rules for dnAuthzID and uAuthzID values. In
1722 particular, the DN value in the dnAuthzID form must be matched
1723 using DN matching rules and the uAuthzID value MUST be prepared
1724 using SASLprep rules before being compared octet-wise.
1726 - Clarified that uAuthzID values should not be assumed to be
1730 B.2.10. Section 10 (TLS Ciphersuites)
1732 - TLS Ciphersuite recommendations are no longer included in this
1733 specification. Implementations must still support the
1734 TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA ciphersuite.
1736 - Clarified that anonymous authentication involves a name value of
1737 zero length and a password value of zero length. The
1738 unauthenticated authentication mechanism was added to handle
1739 simple Bind requests involving a name value with a non-zero
1740 length and a password value of zero length.
1743 B.3. Changes Made to RFC 2830:
1745 This section summarizes the substantive changes made to sections 3
1746 and 5 of RFC 2830. Readers should consult [Protocol] for summaries
1747 of changes to other sections.
1750 B.3.1. Section 3.6 (Server Identity Check)
1759 Harrison Expires August 2006 [Page 30]
1761 Internet-Draft LDAP Authentication Methods February 2006
1763 - Substantially updated the server identity check algorithm to
1764 ensure that it is complete and robust. In particular, the use
1765 of all relevant values in the subjectAltName and the subjectName
1766 fields are covered by the algorithm and matching rules are
1767 specified for each type of value. Mapped (derived) forms of the
1768 server identity may now be used when the mapping is performed in
1772 B.3.2. Section 3.7 (Refresh of Server Capabilities Information)
1774 - Clients are no longer required to always refresh information
1775 about server capabilities following TLS establishment to allow
1776 for situations where this information was obtained through a
1780 B.3.3. Section 5.2 (Effects of TLS on Authorization Identity)
1782 - Establishing a TLS layer on an LDAP session may now cause the
1783 authorization state of the LDAP session to change.
1786 B.3.4. Section 5.1.1 (TLS Closure Effects)
1788 - Closing a TLS layer on an LDAP session changes the
1789 authentication and authorization state of the LDAP session based
1790 on local policy. Specifically, this means that implementations
1791 are not required to to change the authentication and
1792 authorization states to anonymous upon TLS closure.
1795 Appendix C. Changes for draft-ldapbis-authmeth-19
1797 [[Note to RFC Editor: Please remove this appendix upon publication
1798 of this Internet-Draft as an RFC.]]
1800 This appendix is non-normative.
1802 This appendix summarizes changes made in this revision of the
1807 - This draft has addressed all issues raised for the -18 version.
1809 - Several minor edits for clarity and to remove typos based on
1810 feedback from WG, IETF and IESG reviews.
1813 - Added statement regarding RFCs obsoleted by this document.
1818 Harrison Expires August 2006 [Page 31]
1820 Internet-Draft LDAP Authentication Methods February 2006
1822 - Changed mandatory-to-implement TLS ciphersuite from
1823 TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA to
1824 TLS_RSA_WITH_3DES_EDE_CBC_SHA based on IESG recommendation and
1828 - Clarified that 'supportedSASLMechanisms' should be retrievable
1829 by all clients both before and after SASL negotiation to allow
1830 detection of mechanism downgrade attacks.
1833 - Changed wording to reflect the fact that SASL layers cannot be
1834 uninstalled from the session.
1837 - Removed reference to IPsec as a source of authorization identity.
1840 - When TLS layer does not provide an acceptable level of security
1841 client MUST warn the user or refuse to proceed. (This was
1842 changed from SHOULD based on IESG recommendation and WG
1845 - Added a security consideration regarding the proper usage of
1846 information found in the client certificate.
1849 - Added a new section on SASL security considerations that
1850 discusses SASL mechanism downgrade attacks.
1853 - Replaced references to RFC 2401 with RFC 4301.
1855 Intellectual Property Rights
1857 The IETF takes no position regarding the validity or scope of any
1858 Intellectual Property Rights or other rights that might be claimed
1859 to pertain to the implementation or use of the technology described
1860 in this document or the extent to which any license under such
1861 rights might or might not be available; nor does it represent that
1862 it has made any independent effort to identify any such rights.
1863 Information on the procedures with respect to rights in RFC
1864 documents can be found in BCP 78 and BCP 79.
1866 Copies of IPR disclosures made to the IETF Secretariat and any
1867 assurances of licenses to be made available, or the result of an
1868 attempt made to obtain a general license or permission for the use
1869 of such proprietary rights by implementers or users of this
1870 specification can be obtained from the IETF on-line IPR repository
1871 at http://www.ietf.org/ipr.
1877 Harrison Expires August 2006 [Page 32]
1879 Internet-Draft LDAP Authentication Methods February 2006
1881 The IETF invites any interested party to bring to its attention any
1882 copyrights, patents or patent applications, or other proprietary
1883 rights that may cover technology that may be required to implement
1884 this standard. Please address the information to the IETF at ietf-
1887 Full Copyright Statement
1889 Copyright (C) The Internet Society (2006).
1891 This document is subject to the rights, licenses and restrictions
1892 contained in BCP 78, and except as set forth therein, the authors
1893 retain all their rights.
1895 This document and the information contained herein are provided on
1896 an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE
1897 REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE
1898 INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR
1899 IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
1900 THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
1901 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
1936 Harrison Expires August 2006 [Page 33]