7 Internet Engineering Task Force (IETF) K. Zeilenga
8 Request for Comments: 6171 Isode Limited
9 Category: Standards Track March 2011
13 The Lightweight Directory Access Protocol (LDAP) Don't Use Copy Control
17 This document defines the Lightweight Directory Access Protocol
18 (LDAP) Don't Use Copy control extension, which allows a client to
19 specify that copied information should not be used in providing
20 service. This control is based upon the X.511 dontUseCopy service
25 This is an Internet Standards Track document.
27 This document is a product of the Internet Engineering Task Force
28 (IETF). It represents the consensus of the IETF community. It has
29 received public review and has been approved for publication by the
30 Internet Engineering Steering Group (IESG). Further information on
31 Internet Standards is available in Section 2 of RFC 5741.
33 Information about the current status of this document, any errata,
34 and how to provide feedback on it may be obtained at
35 http://www.rfc-editor.org/info/rfc6171.
39 Copyright (c) 2011 IETF Trust and the persons identified as the
40 document authors. All rights reserved.
42 This document is subject to BCP 78 and the IETF Trust's Legal
43 Provisions Relating to IETF Documents
44 (http://trustee.ietf.org/license-info) in effect on the date of
45 publication of this document. Please review these documents
46 carefully, as they describe your rights and restrictions with respect
47 to this document. Code Components extracted from this document must
48 include Simplified BSD License text as described in Section 4.e of
49 the Trust Legal Provisions and are provided without warranty as
50 described in the Simplified BSD License.
58 Zeilenga Standards Track [Page 1]
60 RFC 6171 LDAP Don't Use Copy Control March 2011
63 This document may contain material from IETF Documents or IETF
64 Contributions published or made publicly available before November
65 10, 2008. The person(s) controlling the copyright in some of this
66 material may not have granted the IETF Trust the right to allow
67 modifications of such material outside the IETF Standards Process.
68 Without obtaining an adequate license from the person(s) controlling
69 the copyright in such materials, this document may not be modified
70 outside the IETF Standards Process, and derivative works of it may
71 not be created outside the IETF Standards Process, except to format
72 it for publication as an RFC or to translate it into languages other
75 1. Background and Intended Usage
77 This document defines the Lightweight Directory Access Protocol
78 (LDAP) [RFC4510] Don't Use Copy control extension. The control may
79 be attached to request messages to indicate that copied (replicated
80 or cached) information [X.500] is not be used in providing service.
81 This control is based upon the X.511 [X.511] dontUseCopy service
84 The Don't Use Copy control is intended to be used where the client
85 requires the service be provided using original (master) information
86 [X.500]. In absence of this control, the server is free to make use
87 of copied (i.e., non-authoritative) information in providing the
90 For instance, a client might desire to have an authoritative answer
91 to a question of whether or not a particular user is a member of a
92 group. To ask this question of a server, the client might issue a
93 compare request [RFC4511], with the Don't Use Copy control, where the
94 entry parameter is the Distinguished Name (DN) of the group, the
95 ava.attributeDesc is 'member', and the ava.assertionValue is the DN
96 of the user in question. If the server has access to the original
97 (master) information directly or through chaining, it performs the
98 operation against the original (master) information and returns
99 compareTrue or compareFalse (or an error). If the server does not
100 have access to the original information, the server is obligated to
101 either return a referral or an error.
103 It is not intended that this control be used generally (e.g., for all
104 LDAP interrogation operations) but only as required to ensure proper
105 directory application behavior. In general, directory applications
106 ought to designed to use copied information well.
114 Zeilenga Standards Track [Page 2]
116 RFC 6171 LDAP Don't Use Copy Control March 2011
121 DSA stands for Directory System Agent (or server).
122 DSE stands for DSA-Specific Entry.
124 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
125 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
126 document are to be interpreted as described in RFC 2119 [RFC2119].
128 3. The Don't Use Copy Control
130 The Don't Use Copy control is an LDAP Control [RFC4511] whose
131 controlType is 1.3.6.1.1.22 and controlValue is absent. The
132 criticality MUST be TRUE. There is no corresponding response
135 The control is appropriate for LDAP interrogation operations,
136 including Compare and Search operations [RFC4511]. It is
137 inappropriate for all other operations, including Abandon, Bind,
138 Delete, Modify, ModifyDN, StartTLS, and Unbind operations [RFC4511].
140 When the control is attached to an LDAP request, the requested
141 operation MUST NOT be performed on copied information. That is, the
142 requested operation MUST be performed on original information.
144 If original (master) information for the target or base object of the
145 operation is not available (either locally or through chaining), the
146 server MUST either return a referral directing the client to a server
147 believed to be better able to service the request or return an
148 appropriate result code (e.g., unwillingToPerform).
150 It is noted that a referral, if returned, is not necessarily to the
151 server holding the original (master) information. It is also noted
152 that an authoritative answer to the question might not be available
153 to the client for any number of reasons.
155 Where the client chases a referral to a server (as referenced by an
156 LDAP URL) in the server response in order to obtain an authoritative
157 response, the client MUST provide the dontUseCopy control with the
158 interrogation request it makes to the referred to server. While LDAP
159 allows return of other kinds of URIs, the syntax and semantics of
160 other kinds of URIs are left to future specifications. The
161 particulars of how to act upon other kinds of URIs are also left to
162 future specifications.
170 Zeilenga Standards Track [Page 3]
172 RFC 6171 LDAP Don't Use Copy Control March 2011
175 Servers implementing this technical specification SHOULD publish the
176 object identifier 1.3.6.1.1.22 as a value of the 'supportedControl'
177 attribute [RFC4512] in their root DSE. A server MAY choose to
178 advertise this extension only when the client is authorized to use
181 4. Security Considerations
183 This control is intended to be provided where providing service using
184 copied information might lead to unexpected application behavior.
186 Use of the Don't Use Copy control may permit an attacker to perform
187 or amplify a denial-of-service attack by causing additional server
188 resources to be employed, such as when the server chooses to chain
189 the request instead of returning a referral. Servers capable of such
190 chaining can mitigate this threat by limiting chaining to a
191 particular group of authenticated entities.
193 LDAP is frequently used for storage and distribution of security-
194 sensitive information, including access control and security policy
195 information. Failure to use the Don't Use Copy control may thus
196 permit an attacker to gain unauthorized access by allowing reliance
199 5. IANA Considerations
201 5.1. Object Identifier
203 IANA has assigned an LDAP Object Identifier [RFC4520] to identify the
204 LDAP Don't Use Copy Control defined in this document.
206 Subject: Request for LDAP Object Identifier Registration
207 Person & email address to contact for further information:
208 Kurt Zeilenga <Kurt.Zeilenga@Isode.COM>
209 Specification: RFC 6171
210 Author/Change Controller: IESG
212 Identifies the LDAP Don't Use Copy Control
226 Zeilenga Standards Track [Page 4]
228 RFC 6171 LDAP Don't Use Copy Control March 2011
231 5.2. LDAP Protocol Mechanism
233 IANA has registered this protocol mechanism [RFC4520] as follows.
235 Subject: Request for LDAP Protocol Mechanism Registration
236 Object Identifier: 1.3.6.1.1.22
237 Description: Don't Use Copy Control
238 Person & email address to contact for further information:
239 Kurt Zeilenga <Kurt.Zeilenga@Isode.COM>
241 Specification: RFC 6171
242 Author/Change Controller: IESG
247 The author thanks Ben Campbell, Phillip Hallam-Baker, and Ted Hardie
248 for providing review and specific suggestions.
252 7.1. Normative References
254 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
255 Requirement Levels", BCP 14, RFC 2119, March 1997.
257 [RFC4510] Zeilenga, K., Ed., "Lightweight Directory Access Protocol
258 (LDAP): Technical Specification Road Map", RFC 4510, June
261 [RFC4511] Sermersheim, J., Ed., "Lightweight Directory Access
262 Protocol (LDAP): The Protocol", RFC 4511, June 2006.
264 [RFC4512] Zeilenga, K., Ed., "Lightweight Directory Access Protocol
265 (LDAP): Directory Information Models", RFC 4512, June
268 7.2. Informative References
270 [X.500] International Telecommunication Union - Telecommunication
271 Standardization Sector, "The Directory -- Overview of
272 concepts, models and services," X.500(1993) (also ISO/IEC
275 [X.511] International Telecommunication Union - Telecommunication
276 Standardization Sector, "The Directory: Abstract Service
277 Definition", X.511(1993) (also ISO/IEC 9594-3:1993).
282 Zeilenga Standards Track [Page 5]
284 RFC 6171 LDAP Don't Use Copy Control March 2011
287 [RFC4520] Zeilenga, K., "Internet Assigned Numbers Authority (IANA)
288 Considerations for the Lightweight Directory Access
289 Protocol (LDAP)", BCP 64, RFC 4520, June 2006.
296 EMail: Kurt.Zeilenga@Isode.COM
338 Zeilenga Standards Track [Page 6]
projects / openldap / blob