7 INTERNET-DRAFT Kurt D. Zeilenga
8 Intended Category: Experimental OpenLDAP Foundation
9 Expires in six months 28 October 2005
14 <draft-zeilenga-ldap-turn-03.txt>
17 1. Status of this Memo
19 This document is intended to be, after appropriate review and
20 revision, submitted to the RFC Editor for publication as an
21 Experimental document. Distribution of this memo is unlimited.
22 Technical discussion of this document will take place on the IETF LDAP
23 Extensions mailing list <ldapext@ietf.org>. Please send editorial
24 comments directly to the author <Kurt@OpenLDAP.org>.
26 By submitting this Internet-Draft, each author represents that any
27 applicable patent or other IPR claims of which he or she is aware have
28 been or will be disclosed, and any of which he or she becomes aware
29 will be disclosed, in accordance with Section 6 of BCP 79.
31 Internet-Drafts are working documents of the Internet Engineering Task
32 Force (IETF), its areas, and its working groups. Note that other
33 groups may also distribute working documents as Internet-Drafts.
35 Internet-Drafts are draft documents valid for a maximum of six months
36 and may be updated, replaced, or obsoleted by other documents at any
37 time. It is inappropriate to use Internet-Drafts as reference material
38 or to cite them other than as "work in progress."
40 The list of current Internet-Drafts can be accessed at
41 http://www.ietf.org/1id-abstracts.html
43 The list of Internet-Draft Shadow Directories can be accessed at
44 http://www.ietf.org/shadow.html
47 Copyright (C) The Internet Society (2005). All Rights Reserved.
49 Please see the Full Copyright section near the end of this document
58 Zeilenga LDAP Turn Op [Page 1]
60 INTERNET-DRAFT draft-zeilenga-ldap-turn-03 28 October 2005
63 This specification describes a Lightweight Directory Access Protocol
64 (LDAP) extended operation to reverse (or "turn") the roles of client
65 and server for subsequent protocol exchanges in the session, or to
66 enable each peer to act as both client and server with respect to the
70 1. Background and Intent of Use
72 The Lightweight Directory Access Protocol (LDAP) [Roadmap][Protocol]
73 is a client-server protocol which typically operates over reliable
74 octet-stream transports such as the Transport Control Protocol (TCP).
75 Generally, the client initiates the stream by connecting to the
76 server's listener at some well-known address.
78 There are cases where it is desirable for the server to initiate the
79 stream. While it certainly is possible to write a technical
80 specification detailing how to implement server-initiated LDAP
81 sessions, this would require the design of new authentication and
82 other security mechanisms to support server-initiated LDAP sessions.
84 Instead, this document introduces an operation, the Turn operation,
85 which may be used to reverse the client-servers roles of the protocol
86 peers. This allows the initiating protocol peer to become server
89 As an additional feature, the Turn operation may be used to allow both
90 peers to act in both roles. This is useful where both peers are
91 directory servers that desire to request, as LDAP clients, operations
92 be performed by the other. This may be useful in replicated and/or
93 distributed environments.
95 This operation is intended to be used between protocol peers which
96 have established a mutual agreement, by means outside of the protocol,
97 which requires reversal of client-server roles, or allows both peers
98 to act both as client and server.
103 Protocol elements are described using ASN.1 [X.680] with implicit
104 tags. The term "BER-encoded" means the element is to be encoded using
105 the Basic Encoding Rules [X.690] under the restrictions detailed in
106 Section 5.2 of [Protocol].
114 Zeilenga LDAP Turn Op [Page 2]
116 INTERNET-DRAFT draft-zeilenga-ldap-turn-03 28 October 2005
119 The Turn operation is defined as a LDAP Extended Operation [Protocol,
120 Section 4.12] identified by the IANA-ASSIGNED-OID. The function of
121 the Turn Operation is to request that the client-server roles be
122 reversed, or, optionally to request that both protocol peers to be
123 able to act both as client and server in respect to the other.
128 The Turn request is an ExtendedRequest with the requestName field
129 containing the IANA-ASSIGNED-OID and a requestValue field is a
130 BER-encoded turnValue:
132 turnValue ::= SEQUENCE {
133 mutual BOOLEAN DEFAULT FALSE,
134 identifier LDAPString
137 A TRUE mutual field value indicates a request to allow both peers to
138 act both as client and server. A FALSE mutual field value indicates a
139 request to reserve the client and server roles.
141 The value of the identifier field is a locally-defined policy
142 identifier (typically associated with a mutual agreement for which
143 this turn is be executed as part of).
148 A Turn response is an ExtendedResponse where the responseName and
149 responseValue fields are absent. A resultCode of success is returned
150 if and only if the responder is willing and able to turn the session
151 as requested. Otherwise, a different resultCode is returned.
156 This extension's authentication model assumes separate authentication
157 of the peers in each of their roles. A separate Bind exchange is
158 expected between the peers in their new roles to establish identities
161 Upon completion of the Turn, the responding peer in its new client
162 role has an anonymous association at the initiating peer in its new
163 server role. If the turn was mutual, the authentication association
164 of the initiating peer in its pre-existing client role is left intact
165 at the responding peer in its pre-existing server role. If the turn
166 was not mutual, this association is void.
170 Zeilenga LDAP Turn Op [Page 3]
172 INTERNET-DRAFT draft-zeilenga-ldap-turn-03 28 October 2005
175 The responding peer may establish its identity in its client role by
176 requesting and successfully completing a Bind operation.
178 The remainder of this section discuss some authentication scenarios.
179 In the protocol exchange illustrations, A refers to the initiating
180 peer (the original client) and B refers to the responding peer (the
183 3.1. Use with TLS and Simple Authentication
185 A->B: StartTLS Request
186 B->A: StartTLS(success) Response
187 A->B: Bind(Simple(cn=B,dc=example,dc=net,B's secret)) Request
188 B->A: Bind(success) Response
189 A->B: Turn(TRUE,"XXYYZ") Request
190 B->A: Turn(success) Response
191 A->B: Bind(Simple(DN/Password)) Request
192 B->A: Bind(Simple(cn=A,dc=example,dc=net,A's secret)) Request
193 A->B: Bind(success) Response
195 In this scenario, TLS (Transport Layer Security) [TLS] is started and
196 the initiating peer (the original client) establishes its identity
197 with the responding peer prior to the Turn using the the DN/password
198 mechanism of the Simple method of the Bind operation. After the turn,
199 the responding peer in its new client role establishes its identity
200 with the initiating peer in its new server role.
203 3.2. Use with TLS and SASL EXTERNAL
205 A->B: StartTLS Request
206 B->A: StartTLS(success) Response
207 A->B: Bind(SASL(EXTERNAL)) Request
208 B->A: Bind(success) Response
209 A->B: Turn(TRUE,"XXYYZ") Request
210 B->A: Turn(success) Response
211 B->A: Bind(SASL(EXTERNAL)) Request
212 A->B: Bind(success) Response
214 In this scenario, TLS is started prior with each peer providing a
215 valid certificate and the initiating peer (the original client)
216 establishes its identity through the use of the EXTERNAL mechanism of
217 the SASL (Simple Authentication and Security Layer) [SASL] method of
218 the Bind operation prior to the Turn. After the turn, the responding
219 peer in its new client role establishes its identity with the
220 initiating peer in its new server role.
226 Zeilenga LDAP Turn Op [Page 4]
228 INTERNET-DRAFT draft-zeilenga-ldap-turn-03 28 October 2005
231 3.3. Use of mutual authentication and SASL EXTERNAL
233 A number of SASL mechanisms, such as GSSAPI [GSSAPI] and DIGEST-MD5
234 [DIGEST-MD5], support mutual authentication. The initiating peer, it
235 its new server role, may use the identity of the responding peer
236 established by a prior authentication exchange, as its source for
237 "external" identity in subsequent EXTERNAL exchange.
239 A->B: Bind(SASL(GSSAPI)) Request
240 <intermediate messages>
241 B->A: Bind(success) Response
242 A->B: Turn(TRUE,"XXYYZ") Request
243 B->A: Turn(success) Response
244 B->A: Bind(SASL(EXTERNAL)) Request
245 A->B: Bind(success) Response
247 In this scenario, a GSSAPI mutual-authentication exchange is completed
248 between the initiating peer (the original client) and the the
249 responding server (the original server) prior to the turn. After the
250 turn, the responding peer in its new client role requests the
251 initiating peer utilize an "external" identity to establish its LDAP
252 authorization identity.
255 4. TLS and SASL security layers
257 As described in [Protocol], LDAP supports both Transport Layer
258 Security (TLS) [TLS] and Simple Authentication and Security Layer
259 (SASL) [SASL] security frameworks. The following table illustrates
260 the relationship between the LDAP message layer, SASL layer, TLS
261 layer, and transport connection within an LDAP session.
263 +----------------------+
264 | LDAP message layer |
265 +----------------------+ > LDAP PDUs
266 +----------------------+ < data
268 +----------------------+ > SASL-protected data
269 +----------------------+ < data
271 Application +----------------------+ > TLS-protected data
272 ------------+----------------------+ < data
273 Transport | transport connection |
274 +----------------------+
276 This extension does not alter this relationship, nor does it remove
277 the general restriction against multiple TLS layers, nor does it
278 remove the general restriction against multiple SASL layers.
282 Zeilenga LDAP Turn Op [Page 5]
284 INTERNET-DRAFT draft-zeilenga-ldap-turn-03 28 October 2005
287 As specified in [Protocol], the StartTLS operation is used to initiate
288 negotiation of a TLS layer. If a TLS is already installed, the
289 StartTLS operation must fail. Upon establishment of the TLS layer,
290 regardless of which peer issued the request to start TLS, the peer
291 which initiated the LDAP session (the original client) performs the
292 "server identity check" as described in Section 3.1.5 of [AuthMeth]
293 treating itself as the "client" and its peer as the "server".
295 As specified in [SASL], newly negotiated SASL security layer replace
296 the installed SASL security layer. Though the client/server roles in
297 LDAP, and hence SASL, may be reversed in subsequent exchanges, only
298 one SASL security layer may be installed at any instance.
301 5. Security Considerations
303 Implementors should be aware that the reversing of client/server roles
304 and/or allowing both peers to act as client and server likely
305 introduces security considerations not foreseen by the authors of this
306 document. In particular, the security implications of the design
307 choices made in the authentication and data security models for this
308 extension (discussed in sections 3 and 4, respectively) are not fully
309 studied. It is hoped that experimentation with this extension will
310 lead to better understanding of the security implications of these
311 models and other aspects of this extension, and that appropriate
312 considerations will be documented in a future document. The following
313 security considerations are apparent at this time.
315 Implementors should take special care to process LDAP, SASL, TLS, and
316 other events the appropriate roles for the peers. It is noted that
317 while the Turn reverses the client/server roles with LDAP, and in SASL
318 authentication exchanges, it does not reverse the roles within the TLS
319 layer or the transport connection.
321 The responding server (the original server) should restrict use of
322 this operation to authorized clients. Client knowledge of a valid
323 identifier should not be the sole factor in determining authorization
326 Where the peers except to establish TLS, TLS should be started prior
327 to the Turn and any request to authenticate via the Bind operation.
329 LDAP security considerations [Protocol][AuthMeth] generally apply to
333 6. IANA Considerations
338 Zeilenga LDAP Turn Op [Page 6]
340 INTERNET-DRAFT draft-zeilenga-ldap-turn-03 28 October 2005
343 Registration of the following values [BCP64bis] is requested.
346 6.1. Object Identifier
348 It is requested that IANA assign an LDAP Object Identifier to identify
349 the LDAP Turn Operation as defined in this document.
351 Subject: Request for LDAP Object Identifier Registration
352 Person & email address to contact for further information:
353 Kurt Zeilenga <kurt@OpenLDAP.org>
354 Specification: RFC XXXX
355 Author/Change Controller: Author
357 Identifies the LDAP Turn Operation
360 6.2. LDAP Protocol Mechanism
362 It is requested that IANA register the LDAP Protocol Mechanism
363 described in this document.
365 Subject: Request for LDAP Protocol Mechanism Registration
366 Object Identifier: IANA-ASSIGNED-OID
367 Description: LDAP Turn Operation
368 Person & email address to contact for further information:
369 Kurt Zeilenga <kurt@openldap.org>
370 Usage: Extended Operation
371 Specification: RFC XXXX
372 Author/Change Controller: Author
381 Email: Kurt@OpenLDAP.org
386 [[Note to the RFC Editor: please replace the citation tags used in
387 referencing Internet-Drafts with tags of the form RFCnnnn where
394 Zeilenga LDAP Turn Op [Page 7]
396 INTERNET-DRAFT draft-zeilenga-ldap-turn-03 28 October 2005
399 8.1. Normative References
401 [Roadmap] Zeilenga, K. (editor), "LDAP: Technical Specification
402 Road Map", draft-ietf-ldapbis-roadmap-xx.txt, a work in
405 [Protocol] Sermersheim, J. (editor), "LDAP: The Protocol",
406 draft-ietf-ldapbis-protocol-xx.txt, a work in progress.
408 [AuthMeth] Harrison, R. (editor), "LDAP: Authentication Methods and
409 Connection Level Security Mechanisms",
410 draft-ietf-ldapbis-authmeth-xx.txt, a work in progress.
412 [SASL] Melnikov, A. (Editor), "Simple Authentication and
413 Security Layer (SASL)",
414 draft-ietf-sasl-rfc2222bis-xx.txt, a work in progress.
416 [TLS] Dierks, T. and, E. Rescorla, "The TLS Protocol Version
417 1.1", draft-ietf-tls-rfc2246-bis-xx.txt, a work in
420 [X.680] International Telecommunication Union -
421 Telecommunication Standardization Sector, "Abstract
422 Syntax Notation One (ASN.1) - Specification of Basic
423 Notation", X.680(2002) (also ISO/IEC 8824-1:2002).
425 [X.690] International Telecommunication Union -
426 Telecommunication Standardization Sector, "Specification
427 of ASN.1 encoding rules: Basic Encoding Rules (BER),
428 Canonical Encoding Rules (CER), and Distinguished
429 Encoding Rules (DER)", X.690(2002) (also ISO/IEC
433 8.2. Informative References
435 [BCP64bis] Zeilenga, K., "IANA Considerations for LDAP",
436 draft-ietf-ldapbis-bcp64-xx.txt, a work in progress.
438 [GSSAPI] Linn, J., "Generic Security Service
439 Application Program Interface, Version 2, Update 1", RFC
442 [DIGEST-MD5] Leach, P., C. Newman, and A. Melnikov, "Using Digest
443 Authentication as a SASL Mechanism",
444 draft-ietf-sasl-rfc2831bis-xx.txt, a work in progress.
450 Zeilenga LDAP Turn Op [Page 8]
452 INTERNET-DRAFT draft-zeilenga-ldap-turn-03 28 October 2005
455 Intellectual Property Rights
457 The IETF takes no position regarding the validity or scope of any
458 Intellectual Property Rights or other rights that might be claimed to
459 pertain to the implementation or use of the technology described in
460 this document or the extent to which any license under such rights
461 might or might not be available; nor does it represent that it has
462 made any independent effort to identify any such rights. Information
463 on the procedures with respect to rights in RFC documents can be found
464 in BCP 78 and BCP 79.
466 Copies of IPR disclosures made to the IETF Secretariat and any
467 assurances of licenses to be made available, or the result of an
468 attempt made to obtain a general license or permission for the use of
469 such proprietary rights by implementers or users of this specification
470 can be obtained from the IETF on-line IPR repository at
471 http://www.ietf.org/ipr.
473 The IETF invites any interested party to bring to its attention any
474 copyrights, patents or patent applications, or other proprietary
475 rights that may cover technology that may be required to implement
476 this standard. Please address the information to the IETF at
483 Copyright (C) The Internet Society (2005).
485 This document is subject to the rights, licenses and restrictions
486 contained in BCP 78, and except as set forth therein, the authors
487 retain all their rights.
489 This document and the information contained herein are provided on an
490 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
491 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
492 ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
493 INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
494 INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
495 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
506 Zeilenga LDAP Turn Op [Page 9]