7 INTERNET-DRAFT Kurt D. Zeilenga
8 Intended Category: Standard Track OpenLDAP Foundation
9 Expires in six months 17 May 2002
13 LDAP "Who am I?" Operation
14 <draft-zeilenga-ldap-authzid-06.txt>
19 This document is an Internet-Draft and is in full conformance with all
20 provisions of Section 10 of RFC2026.
22 This document is intended to be, after appropriate review and
23 revision, submitted to the RFC Editor as a Standard Track document.
24 Distribution of this memo is unlimited. Technical discussion of this
25 document will take place on the IETF LDAP Extension Working Group
26 mailing list <ietf-ldapext@netscape.com>. Please send editorial
27 comments directly to the author <Kurt@OpenLDAP.org>.
29 Internet-Drafts are working documents of the Internet Engineering Task
30 Force (IETF), its areas, and its working groups. Note that other
31 groups may also distribute working documents as Internet-Drafts.
32 Internet-Drafts are draft documents valid for a maximum of six months
33 and may be updated, replaced, or obsoleted by other documents at any
34 time. It is inappropriate to use Internet-Drafts as reference
35 material or to cite them other than as ``work in progress.''
37 The list of current Internet-Drafts can be accessed at
38 <http://www.ietf.org/ietf/1id-abstracts.txt>. The list of
39 Internet-Draft Shadow Directories can be accessed at
40 <http://www.ietf.org/shadow.html>.
42 Copyright 2002, The Internet Society. All Rights Reserved.
44 Please see the Copyright section near the end of this document for
50 This specification provides a mechanism for Lightweight Directory
51 Access Protocol (LDAP) clients to obtain the authorization identity
52 which the server has associated with the user or application entity.
53 This mechanism is specified as an LDAP extended operation called the
54 LDAP "Who am I?" operation.
58 Zeilenga LDAP "Who am I?" [Page 1]
60 INTERNET-DRAFT draft-zeilenga-ldap-authzid-06 17 May 2002
65 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
66 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
67 document are to be interpreted as described in BCP 14 [RFC2119].
70 1. Background and Intent of Use
72 This specification describes a Lightweight Directory Access Protocol
73 (LDAP) [RFC2251] extended operation which clients can use to obtain
74 the primary authorization identity in its primary form which the
75 server has associated with the user or application entity.
77 Servers often associate multiple authorization identities with the
78 client and each authorization identity may be represented by multiple
79 authzId [RFC2829] strings. This operation requests and returns the
80 authzId the server considers to be primary. In the specification, the
81 term "the authorization identity" and "the authzid" are to generally
82 read as "the primary authorization identity" and the "the primary
83 authzid", respectively.
85 This specification is intended to replace the existing [AUTHCTL]
86 mechanism which uses Bind request and response controls to request and
87 return the authorization identity. Bind controls are not protected by
88 the security layers established by the Bind operation which they are
89 transferred as part of. While it is possible to establish security
90 layers prior to the Bind operation, it is often desirable to only use
91 security layers established by the Bind operation. An extended
92 operation sent after a Bind operation is protected by the security
93 layers established by the Bind operation.
95 There are other cases where it is desirable to request the
96 authorization identity which the server associated with the client
97 separately from the Bind operation. For example, the "Who am I?"
98 operation can be augmented with a Proxied Authorization Control
99 [PROXYCTL] to determine the authorization identity which the server
100 associates with the identity asserted in the Proxied Authorization
101 Control. The "Who am I?" operation can also be used prior to the Bind
104 The LDAP "Who am I?" operation is named after the UNIX whoami(1)
105 command. The whoami(1) command displays the effective user id.
108 2. The "Who am I?" Operation
110 The "Who am I?" operation is defined as an LDAP Extended Operation
114 Zeilenga LDAP "Who am I?" [Page 2]
116 INTERNET-DRAFT draft-zeilenga-ldap-authzid-06 17 May 2002
119 [RFC2251, Section 4.12] identified by the whoamiOID Object Identifier
120 (OID). This section details the syntax of the operation's whoami
121 request and response messages.
123 whoamiOID ::= "1.3.6.1.4.1.4203.1.11.3"
126 2.1. The whoami Request
128 The whoami request is an ExtendedRequest with the requestName field
129 containing the whoamiOID OID and an absent requestValue field. For
130 example, a whoami request could be encoded as the sequence of octets
134 2.2. The whoami Response
136 The whoami response is an ExtendedResponse where the responseName
137 field is absent and, if present, the response field is empty or an
138 authzId [RFC2829]. For example, a whoami response returning the
139 authzid "u:kurt@OPENLDAP.ORG" (in response to the example request)
140 would be encoded as the sequence of octets (in hex):
144 3. Operational Semantics
146 The function of the "Who am I?" operation is to request that the
147 server returns the authorization identity it currently associates with
148 the client. The client requests this authorization identity by
149 issuing a whoami Request. The server responds to this request with a
152 If the server is willing and able to provide the authorization
153 identity it associates with the client, the server SHALL return a
154 whoami Response with a success resultCode. If the server is treating
155 the client as an anonymous entity, the response field is empty.
156 Otherwise the server is to provide the authzId [RFC2829] representing
157 the authorization identity it currently associates with the client in
160 If the server is unwilling or unable to provide the authorization
161 identity it associates with the client, the server SHALL return a
162 whoami Response with an appropriate non-success resultCode (such as
163 operationsError, protocolError, confidentialityRequired,
164 insufficientAccessRights, busy, unavailable, unwillingToPerform, or
165 other) and an absent response field.
170 Zeilenga LDAP "Who am I?" [Page 3]
172 INTERNET-DRAFT draft-zeilenga-ldap-authzid-06 17 May 2002
175 As described in [RFC2251] and [RFC2829], an LDAP session has an
176 "anonymous" association until the client has been successfully
177 authenticated using the Bind operation. Clients MUST NOT invoke the
178 "Who Am I?" operation while any Bind operation is in progress,
179 including between two Bind requests made as part of a multi-stage Bind
183 4. Extending the "Who am I?" operation with controls
185 Future specifications may extend the "Who am I?" operation using the
186 control mechanism. When extended by controls, the "Who am I?"
187 operation requests and returns the authorization identity the server
188 associates with the client in a particular context indicated by the
192 4.1. Proxied Authorization Control
194 The Proxied Authorization Control [PROXYCTL] is used by clients to
195 request that the operation it is attached to operates under the
196 authorization of an assumed identity. The client provides the
197 identity to assume in the Proxied Authorization request control. If
198 the client is authorized to assume the requested identity, the server
199 executes the operation as if the requested identity had issued the
202 As servers often map the asserted authzId to another identity
203 [RFC2829], it is desirable to request the server provide the authzId
204 it associates with the assumed identity.
206 When a Proxied Authorization Control is be attached to the "Who Am I?"
207 operation, the operation requests the return of the authzid the server
208 associates with the identity asserted in the Proxied Authorization
209 Control. The TBD result code is used to indicate that the server does
210 not allow the client to assume the asserted identity. [[Note to RFC
211 Editor: TBD is to be replaced with the name/code assigned by IANA for
215 5. Security Considerations
217 Identities associated with users may be sensitive information. When
218 so, security layers [RFC2829][RFC2830] should be established to
219 protect this information. This mechanism is specifically designed to
220 allow security layers established by a Bind operation to protect the
221 integrity and/or confidentiality of the authorization identity.
226 Zeilenga LDAP "Who am I?" [Page 4]
228 INTERNET-DRAFT draft-zeilenga-ldap-authzid-06 17 May 2002
231 Servers may place access control or other restrictions upon the use of
234 As with any other extended operations, general LDAP considerations
235 apply. These are detailed in [RFC2251], [RFC2829], and [RFC2830].
238 6. IANA Considerations
240 No IANA assignments are requested.
242 This document uses the OID 1.3.6.1.4.1.4203.1.11.3 to identify the
243 LDAP "Who Am I? extended operation. This OID was assigned [ASSIGN] by
244 OpenLDAP Foundation under its IANA assigned private enterprise
245 allocation [PRIVATE] for use in this specification.
250 This document borrows from prior work in this area including
251 "Authentication Response Control" [AUTHCTL] by Rob Weltman, Mark Smith
262 9. Normative References
264 [RFC2119] S. Bradner, "Key words for use in RFCs to Indicate
265 Requirement Levels", BCP 14 (also RFC 2119), March 1997.
267 [RFC2251] M. Wahl, T. Howes, S. Kille, "Lightweight Directory Access
268 Protocol (v3)", RFC 2251, December 1997.
270 [RFC2829] M. Wahl, H. Alvestrand, J. Hodges, RL "Bob" Morgan,
271 "Authentication Methods for LDAP", RFC 2829, June 2000.
273 [RFC2830] J. Hodges, R. Morgan, and M. Wahl, "Lightweight Directory
274 Access Protocol (v3): Extension for Transport Layer
275 Security", RFC 2830, May 2000.
277 [PROXYCTL] R. Weltman, "LDAP Proxied Authentication Control", draft-
278 weltman-ldapv3-proxy-xx.txt (a work in progress).
282 Zeilenga LDAP "Who am I?" [Page 5]
284 INTERNET-DRAFT draft-zeilenga-ldap-authzid-06 17 May 2002
287 10. Informative References
289 [ASSIGN] OpenLDAP Foundation, "OpenLDAP OID Delegations",
290 http://www.openldap.org/foundation/oid-delegate.txt.
292 [AUTHCTL] R. Weltman, M. Smith, M. Wahl, "LDAP Authentication
293 Response Control", draft-weltman-ldapv3-auth-response-
294 xx.txt (a work in progress).
296 [PRIVATE] IANA, "Private Enterprise Numbers",
297 http://www.iana.org/assignments/enterprise-numbers.
300 Copyright 2002, The Internet Society. All Rights Reserved.
302 This document and translations of it may be copied and furnished to
303 others, and derivative works that comment on or otherwise explain it
304 or assist in its implementation may be prepared, copied, published and
305 distributed, in whole or in part, without restriction of any kind,
306 provided that the above copyright notice and this paragraph are
307 included on all such copies and derivative works. However, this
308 document itself may not be modified in any way, such as by removing
309 the copyright notice or references to the Internet Society or other
310 Internet organizations, except as needed for the purpose of
311 developing Internet standards in which case the procedures for
312 copyrights defined in the Internet Standards process must be followed,
313 or as required to translate it into languages other than English.
315 The limited permissions granted above are perpetual and will not be
316 revoked by the Internet Society or its successors or assigns.
318 This document and the information contained herein is provided on an
319 "AS IS" basis and THE AUTHORS, THE INTERNET SOCIETY, AND THE INTERNET
320 ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED,
321 INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
322 INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
323 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
338 Zeilenga LDAP "Who am I?" [Page 6]