3 INTERNET-DRAFT Rob Weltman
4 Intended Category: Standards Track Netscape Communications Corp.
7 LDAP Proxied Authorization Control
8 draft-weltman-ldapv3-proxy-11.txt
13 This document is an Internet-Draft and is in full conformance with
14 all provisions of Section 10 of RFC2026.
16 Internet-Drafts are working documents of the Internet Task Force
17 (IETF), its areas, and its working groups. Note that other groups
18 may also distribute working documents as Internet-Drafts.
20 Internet-Drafts are draft documents valid for a maximum of six months
21 and may be updated, replaced, or obsoleted by other documents at any
22 time. It is inappropriate to use Internet Drafts as reference
23 material or to cite them other than as "work in progress."
25 The list of current Internet-Drafts can be accessed at
26 http://www.ietf.org/ietf/1id-abstracts.txt
28 The list of Internet-Draft Shadow Directories can be accessed at
29 http://www.ietf.org/shadow.html.
34 This document defines the Lightweight Directory Access Protocol
35 (LDAP) Proxied Authorization Control. The Proxied Authorization
36 Control allows a client to request that an operation be processed
37 under a provided authorization identity [AUTH] instead of as the
38 current authorization identity associated with the connection.
43 This document defines support for proxied authorization using the
44 Control mechanism. LDAP [LDAPV3] supports the use of SASL [SASL] for
45 authentication and for supplying an authorization identity distinct
46 from the authentication identity, where the authorization identity
47 applies to the whole LDAP session. The proposed Proxied Authorization
48 Control provides a mechanism for specifying an authorization identity
49 on a per operation basis, benefiting clients that need to efficiently
50 perform operations on behalf of multiple users.
52 The key words "MUST", "MUST NOT", "SHOULD", "SHOULD NOT", "MAY", and
53 "MAY NOT" used in this document are to be interpreted as described
58 Expires November 2002 [Page 1]
60 PROXIED AUTHORIZATION CONTROL May 2002
63 2. Publishing support for the Proxied Authorization Control
65 Support for the Proxied Authorization Control is indicated by the
66 presence of the OID "2.16.840.1.113730.3.4.18" in the
67 supportedControl attribute of a server's root DSE.
70 3. Proxied Authorization Control
72 A single Proxied Authorization Control may be included in any search,
73 compare, modify, add, delete, modDN or extended operation request
74 message (with the exception of any extension that causes a change in
75 authentication, authorization, or data confidentiality [RFC 2828],
76 such as startTLS) as part of the controls field of the LDAPMessage,
77 as defined in [LDAPV3].
79 The controlType of the proxied authorization control is
80 "2.16.840.1.113730.3.4.18".
82 The criticality MUST be present and MUST be TRUE. This requirement
83 protects clients from submitting a request that is executed with an
84 unintended authorization identity.
86 The controlValue is either an LDAPString [LDAPv3] containing an
87 authzId as defined in section 9 of [AUTH] to use as the authorization
88 identity for the request, or an empty value if the anonymous identity
91 The mechanism for determining proxy access rights is specific to the
92 server's access control policy.
94 If the requested authorization identity is recognized by the server,
95 and the client is authorized to adopt the requested authorization
96 identity, the request will be executed as if submitted by the proxied
97 authorization identity, otherwise the result code TBD is returned.
98 [Note to the IESG/IANA/RFC Editor: the value TBD is to be replaced
99 with an IANA assigned LDAP Result Code (see draft-ietf-ldapbis-iana-
100 xx.txt, Section 3.5)]
103 4. Implementation Considerations
105 The interaction of proxied authorization access control and normal
106 access control is illustrated here for the case of search requests.
107 During evaluation of a search request, an entry which would have been
108 returned for the search if submitted by the proxied authorization
109 identity directly may not be returned if the server finds that the
110 requester does not have the right to assume the requested identity
111 for searching the entry, even if the entry is within the scope of a
112 search request under a base DN which does imply such rights. This
113 means that fewer results, or no results, may be returned compared to
114 the case where the proxied authorization identity issued the request
115 directly. An example of such a case may be a system with fine-grained
117 Expires November 2002 [Page 2]
119 PROXIED AUTHORIZATION CONTROL May 2002
122 access control, where the proxy right requester has proxy rights at
123 the top of a search tree, but not at or below a point or points
127 5. Security Considerations
129 The Proxied Authorization Control method is subject to general LDAP
130 security considerations [LDAPV3] [AUTH] [LDAPTLS]. The control may be
131 passed over a secure as well as over an insecure channel.
133 The control allows for an additional authorization identity to be
134 passed. In some deployments, these identities may contain
135 confidential information which require privacy protection.
137 Note that the server is responsible for determining if a proxied
138 authorization request is to be honored. "Anonymous" users SHOULD NOT
139 be allowed to assume the identity of others.
144 Copyright (C) The Internet Society (date). All Rights Reserved.
146 This document and translations of it may be copied and furnished to
147 others, and derivative works that comment on or otherwise explain it
148 or assist in its implementation may be prepared, copied, published
149 and distributed, in whole or in part, without restriction of any
150 kind, provided that the above copyright notice and this paragraph are
151 included on all such copies and derivative works. However, this
152 document itself may not be modified in any way, such as by removing
153 the copyright notice or references to the Internet Society or other
154 Internet organizations, except as needed for the purpose of
155 developing Internet standards in which case the procedures for
156 copyrights defined in the Internet Standards process must be
157 followed, or as required to translate it into languages other than
160 The limited permissions granted above are perpetual and will not be
161 revoked by the Internet Society or its successors or assigns.
163 This document and the information contained herein is provided on an
164 "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
165 TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
166 BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
167 HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
168 MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
173 [LDAPV3] M. Wahl, T. Howes, S. Kille, "Lightweight Directory Access
174 Protocol (v3)", RFC 2251, December 1997.
176 Expires November 2002 [Page 3]
178 PROXIED AUTHORIZATION CONTROL May 2002
182 [KEYWORDS] Bradner, Scott, "Key Words for use in RFCs to Indicate
183 Requirement Levels", draft-bradner-key-words-03.txt, January,
186 [SASL] J. Myers, "Simple Authentication and Security Layer (SASL)",
187 RFC 2222, October 1997
189 [AUTH] M. Wahl, H. Alvestrand, J. Hodges, R. Morgan, "Authentication
190 Methods for LDAP", RFC 2829, May 2000
192 [LDAPTLS] J. Hodges, R. Morgan, M. Wahl, "Lightweight Directory
193 Access Protocol (v3): Extension for Transport Layer Security",
196 [RFC 2828] R. Shirey, "Internet Security Glossary", RFC 2828, May
202 Netscape Communications Corp.
204 Mountain View, CA 94043
207 rweltman@netscape.com
212 Mark Smith of Netscape Communications Corp., Mark Wahl of Sun
213 Microsystems, Inc, Kurt Zeilenga of OpenLDAP Foundation, Jim
214 Sermersheim of Novell, and Steven Legg of Adacel have contributed
215 with reviews of this draft.
220 10.1 Changes from draft-weltman-ldapv3-proxy-10.txt
222 Clarified the interaction of proxy access rights and normal access
226 10.2 Changes from draft-weltman-ldapv3-proxy-09.txt
228 Removed description of Control mechanism from Abstract.
230 Added description of how this is different from SASL authz to the
234 Expires November 2002 [Page 4]
236 PROXIED AUTHORIZATION CONTROL May 2002
239 Reworded description of the value of the control (no semantic
241 Added new result code TBD for failure to acquire proxy rights.
243 Added references to RFCs 2829 and 2830 in Security section.
246 10.3 Changes from draft-weltman-ldapv3-proxy-08.txt
248 Proxied Authorization Control
250 Clarifications: the control may not be submitted with a startTLS
251 request; an empty controlValue implies the anonymous identity; only
252 one control may be included with a request.
254 Permission to execute as proxy
256 Replaced "proxy identity" with "proxied authorization identity".
259 Security Considerations
261 Added statement that anonymous users should not be allowed to assume
262 the identity of others.
265 10.4 Changes from draft-weltman-ldapv3-proxy-07.txt
267 Proxied Authorization Control
269 Clarification: the content of the control is an LDAPString.
272 10.5 Changes from draft-weltman-ldapv3-proxy-06.txt
292 Expires November 2002 [Page 5]
294 PROXIED AUTHORIZATION CONTROL May 2002
297 10.6 Changes from draft-weltman-ldapv3-proxy-05.txt
299 The control also applies to add and extended operations.
301 The control value is an authorization ID, not necessarily a DN.
303 Confidentiality concerns are mentioned.
306 10.7 Changes from draft-weltman-ldapv3-proxy-04.txt
308 The control does not apply to bind, unbind, or abandon operations.
310 The proxy DN is represented as a string in the control, rather than
311 embedded in a sequence.
313 Support for the control is published in the supportedControl
314 attribute of the root DSE, not in supportedExtensions.
316 The security section mentions confidentiality issues with exposing an
320 10.8 Changes from draft-weltman-ldapv3-proxy-03.txt
326 10.9 Changes from draft-weltman-ldapv3-proxy-02.txt
328 The Control is now called Proxied Authorization Control, rather than
329 Proxied Authentication Control, to reflect that no authentication
330 occurs as a consequence of processing the Control.
332 Rather than containing an LDAPDN as the Control value, the Control
333 contains a Sequence (which contains an LDAPDN). This is to provide
334 for future extensions.
350 Expires November 2002 [Page 6]