3 INTERNET-DRAFT Rob Weltman
4 Intended Category: Standards Track Netscape Communications Corp.
7 LDAP Proxied Authorization Control
8 draft-weltman-ldapv3-proxy-12.txt
13 This document is an Internet-Draft and is in full conformance with
14 all provisions of Section 10 of RFC2026.
16 Internet-Drafts are working documents of the Internet Task Force
17 (IETF), its areas, and its working groups. Note that other groups
18 may also distribute working documents as Internet-Drafts.
20 Internet-Drafts are draft documents valid for a maximum of six months
21 and may be updated, replaced, or obsoleted by other documents at any
22 time. It is inappropriate to use Internet Drafts as reference
23 material or to cite them other than as "work in progress."
25 The list of current Internet-Drafts can be accessed at
26 http://www.ietf.org/ietf/1id-abstracts.txt
28 The list of Internet-Draft Shadow Directories can be accessed at
29 http://www.ietf.org/shadow.html.
34 This document defines the Lightweight Directory Access Protocol
35 (LDAP) Proxy Authorization Control. The Proxy Authorization Control
36 allows a client to request that an operation be processed under a
37 provided authorization identity instead of as the current
38 authorization identity associated with the connection.
43 Proxy authorization allows a client to request that an operation be
44 processed under a provided authorization identity instead of as the
45 current authorization identity associated with the connection. This
46 document defines support for proxy authorization using the Control
47 mechanism [RFC 2251]. The Lightweight Directory Access Protocol
48 [LDAPV3] supports the use of the Simple Authentication and Security
49 Layer [SASL] for authentication and for supplying an authorization
50 identity distinct from the authentication identity, where the
51 authorization identity applies to the whole LDAP session. The Proxy
52 Authorization Control provides a mechanism for specifying an
53 authorization identity on a per operation basis, benefiting clients
54 that need to efficiently perform operations on behalf of multiple
58 Expires October 2003 [Page 1]
60 PROXIED AUTHORIZATION CONTROL April 2003
63 The key words "MUST", "MUST NOT", "SHOULD", "SHOULD NOT", and "MAY"
64 used in this document are to be interpreted as described in
68 2. Publishing support for the Proxy Authorization Control
70 Support for the Proxy Authorization Control is indicated by the
71 presence of the Object Identifier (OID) "2.16.840.1.113730.3.4.18" in
72 the supportedControl attribute [RFC 2252] of a server's root DSE.
75 3. Proxy Authorization Control
77 A single Proxy Authorization Control may be included in any search,
78 compare, modify, add, delete, modify DN or extended operation request
79 message with the exception of any extension that causes a change in
80 authentication, authorization, or data confidentiality [RFC 2829],
81 such as Start TLS [LDAPTLS] as part of the controls field of the
82 LDAPMessage, as defined in [RFC 2251].
84 The controlType of the proxy authorization control is
85 "2.16.840.1.113730.3.4.18".
87 The criticality MUST be present and MUST be TRUE. This requirement
88 protects clients from submitting a request that is executed with an
89 unintended authorization identity.
91 The controlValue SHALL be present and contain either an authzId
92 [AUTH] representing the authorization identity for the request or
93 empty if an anonymous association is to be used.
95 The mechanism for determining proxy access rights is specific to the
96 server's proxy authorization policy.
98 If the requested authorization identity is recognized by the server,
99 and the client is authorized to adopt the requested authorization
100 identity, the request will be executed as if submitted by the proxy
101 authorization identity, otherwise the result code TBD is returned.
102 [Note to the IESG/IANA/RFC Editor: the value TBD is to be replaced
103 with an IANA assigned LDAP Result Code (see RFC 3383 section 3.6]
106 4. Implementation Considerations
108 One possible interaction of proxy authorization and normal access
109 control is illustrated here for the case of search requests. During
110 evaluation of a search request, an entry which would have been
111 returned for the search if submitted by the proxy authorization
112 identity directly may not be returned if the server finds that the
113 requester does not have the right to assume the requested identity
114 for searching the entry, even if the entry is within the scope of a
115 search request under a base DN which does imply such rights. This
117 Expires October 2003 [Page 2]
119 PROXIED AUTHORIZATION CONTROL April 2003
122 means that fewer results, or no results, may be returned compared to
123 the case where the proxy authorization identity issued the request
124 directly. An example of such a case may be a system with fine-grained
125 access control, where the proxy right requester has proxy rights at
126 the top of a search tree, but not at or below a point or points
130 5. Security Considerations
132 The Proxy Authorization Control method is subject to general LDAP
133 security considerations [RFC 2251] [AUTH] [LDAPTLS]. The control may
134 be passed over a secure as well as over an insecure channel.
136 The control allows for an additional authorization identity to be
137 passed. In some deployments, these identities may contain
138 confidential information which require privacy protection.
140 Note that the server is responsible for determining if a proxy
141 authorization request is to be honored. "Anonymous" users SHOULD NOT
142 be allowed to assume the identity of others.
145 6. IANA Considerations
147 The OID "2.16.840.1.113730.3.4.18" is reserved for the Proxy
148 Authorization Control. It is to be registered as an LDAP Protocol
149 Mechanism [RFC 3383].
151 A result code for the case where the server does not execute a
152 request using the proxy authorization identity is to be assigned by
158 Copyright (C) The Internet Society (date). All Rights Reserved.
160 This document and translations of it may be copied and furnished to
161 others, and derivative works that comment on or otherwise explain it
162 or assist in its implementation may be prepared, copied, published
163 and distributed, in whole or in part, without restriction of any
164 kind, provided that the above copyright notice and this paragraph are
165 included on all such copies and derivative works. However, this
166 document itself may not be modified in any way, such as by removing
167 the copyright notice or references to the Internet Society or other
168 Internet organizations, except as needed for the purpose of
169 developing Internet standards in which case the procedures for
170 copyrights defined in the Internet Standards process must be
171 followed, or as required to translate it into languages other than
174 The limited permissions granted above are perpetual and will not be
176 Expires October 2003 [Page 3]
178 PROXIED AUTHORIZATION CONTROL April 2003
181 revoked by the Internet Society or its successors or assigns.
183 This document and the information contained herein is provided on an
184 "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
185 TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
186 BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
187 HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
188 MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
191 8. Normative References
194 [KEYWORDS] Bradner, Scott, "Key Words for use in RFCs to Indicate
195 Requirement Levels", draft-bradner-key-words-03.txt, January,
198 [LDAPV3] Hodges, J. and R. Morgan, "Lightweight Directory Access
199 Protocol (v3): Technical Specification", RFC 3377, September
202 [SASL] J. Myers, "Simple Authentication and Security Layer (SASL)",
203 RFC 2222, October 1997
205 [AUTH] M. Wahl, H. Alvestrand, J. Hodges, R. Morgan, "Authentication
206 Methods for LDAP", RFC 2829, May 2000
208 [LDAPTLS] J. Hodges, R. Morgan, M. Wahl, "Lightweight Directory
209 Access Protocol (v3): Extension for Transport Layer Security",
212 [RFC 2251] M. Wahl, T. Howes, S. Kille, "Lightweight Directory Access
213 Protocol (v3)", RFC 2251, December 1997.
215 [RFC 2252] M. Wahl, A. Coulbeck, T. Howes, S. Kille, "Lightweight
216 Directory Access Protocol (v3): Attribute Syntax Definitions",
217 RFC 2252, December 1997
219 [RFC 2829] M. Wahl, H. Alvestrand, J. Hodges, R. Morgan,
220 "Authentication Methods for LDAP", RFC 2829, May 2000
222 [RFC 3383] K. Zeilenga, "Internet Assigned Numbers Authority (IANA)
223 Considerations for the Lightweight Directory Access Protocol
224 (LDAP)", RFC 3383, September 2002
229 Netscape Communications Corp.
230 360 W. Caribbean Drive
235 Expires October 2003 [Page 4]
237 PROXIED AUTHORIZATION CONTROL April 2003
241 rweltman@netscape.com
246 Mark Smith of Netscape Communications Corp., Mark Wahl of Sun
247 Microsystems, Inc, Kurt Zeilenga of OpenLDAP Foundation, Jim
248 Sermersheim of Novell, and Steven Legg of Adacel have contributed
249 with reviews of this document.
294 Expires October 2003 [Page 5]