-INTERNET-DRAFT Kurt D. Zeilenga
+
+INTERNET-DRAFT Kurt D. Zeilenga
Intended Category: Experimental OpenLDAP Foundation
-Expires in six months 8 February 2004
+Expires in six months 28 October 2005
LDAP Turn Operation
- <draft-zeilenga-ldap-turn-00.txt>
+ <draft-zeilenga-ldap-turn-03.txt>
1. Status of this Memo
- This document is an Internet-Draft and is in full conformance with all
- provisions of Section 10 of RFC2026.
-
This document is intended to be, after appropriate review and
revision, submitted to the RFC Editor for publication as an
Experimental document. Distribution of this memo is unlimited.
Extensions mailing list <ldapext@ietf.org>. Please send editorial
comments directly to the author <Kurt@OpenLDAP.org>.
+ By submitting this Internet-Draft, each author represents that any
+ applicable patent or other IPR claims of which he or she is aware have
+ been or will be disclosed, and any of which he or she becomes aware
+ will be disclosed, in accordance with Section 6 of BCP 79.
+
Internet-Drafts are working documents of the Internet Engineering Task
- Force (IETF), its areas, and its working groups. Note that other
+ Force (IETF), its areas, and its working groups. Note that other
groups may also distribute working documents as Internet-Drafts.
+
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
- time. It is inappropriate to use Internet-Drafts as reference
- material or to cite them other than as ``work in progress.''
+ time. It is inappropriate to use Internet-Drafts as reference material
+ or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
- <http://www.ietf.org/ietf/1id-abstracts.txt>. The list of
- Internet-Draft Shadow Directories can be accessed at
- <http://www.ietf.org/shadow.html>.
+ http://www.ietf.org/1id-abstracts.html
- Copyright (C) The Internet Society (2004). All Rights Reserved.
+ The list of Internet-Draft Shadow Directories can be accessed at
+ http://www.ietf.org/shadow.html
+
+
+ Copyright (C) The Internet Society (2005). All Rights Reserved.
Please see the Full Copyright section near the end of this document
for more information.
Abstract
- This specification describes a Lightweight Directory Access Protocol
- (LDAP) extended operation to reverse (or "turn") the roles of client
- and server for subsequent protocol exchanges in the session.
-
-
Zeilenga LDAP Turn Op [Page 1]
\f
-INTERNET-DRAFT draft-zeilenga-ldap-turn-00 8 February 2004
+INTERNET-DRAFT draft-zeilenga-ldap-turn-03 28 October 2005
+
+
+ This specification describes a Lightweight Directory Access Protocol
+ (LDAP) extended operation to reverse (or "turn") the roles of client
+ and server for subsequent protocol exchanges in the session, or to
+ enable each peer to act as both client and server with respect to the
+ other.
1. Background and Intent of Use
- The Lightweight Directory Access Protocol (LDAP) [RFC3377] is a client
- / server protocol which typically operates over reliable octet stream
- transports such as the Transport Control Protocol (TCP). Generally,
- the client initiates the stream by connecting to the server's listener
- at some well-known address.
+ The Lightweight Directory Access Protocol (LDAP) [Roadmap][Protocol]
+ is a client-server protocol which typically operates over reliable
+ octet-stream transports such as the Transport Control Protocol (TCP).
+ Generally, the client initiates the stream by connecting to the
+ server's listener at some well-known address.
There are cases where it is desirable for the server to initiate the
stream. While it certainly is possible to write a technical
specification detailing how to implement server-initiated LDAP
- sessions, this would requiring designing new authentication and other
- security features to support server-initiated LDAP sessions.
+ sessions, this would require the design of new authentication and
+ other security mechanisms to support server-initiated LDAP sessions.
- This document instead introduces an operation, the Turn operation,
- which may be used to reverse the client / server roles of the
- protocol peers. This allows the initiating protocol peer to be server
- (after reversal).
+ Instead, this document introduces an operation, the Turn operation,
+ which may be used to reverse the client-servers roles of the protocol
+ peers. This allows the initiating protocol peer to become server
+ (after the reversal).
As an additional feature, the Turn operation may be used to allow both
peers to act in both roles. This is useful where both peers are
- directory servers which desire to issue, as LDAP clients, operations
- against the other. This may be useful in replicated environments.
+ directory servers that desire to request, as LDAP clients, operations
+ be performed by the other. This may be useful in replicated and/or
+ distributed environments.
- This operation is intended to used between protocol peers which have
- established a mutual agreement, by means outside of the protocol,
- which requires reversal of client / server roles or both peers to act
- both as client and server.
+ This operation is intended to be used between protocol peers which
+ have established a mutual agreement, by means outside of the protocol,
+ which requires reversal of client-server roles, or allows both peers
+ to act both as client and server.
1.1 Terminology
Protocol elements are described using ASN.1 [X.680] with implicit
tags. The term "BER-encoded" means the element is to be encoded using
the Basic Encoding Rules [X.690] under the restrictions detailed in
- Section 5.1 of [RFC2251].
-
- The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
- "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
- document are to be interpreted as described in BCP 14 [RFC2119].
+ Section 5.2 of [Protocol].
2. Turn Operation
- The Turn operation is defined as a LDAP Extended Operation [RFC2251,
- Section 4.12] identified by the IANA-ASSIGNED-OID. The function of
- the Turn Operation is to request that the client / server roles be
- reversed, or, optionally to request that both protocol peers to be
Zeilenga LDAP Turn Op [Page 2]
\f
-INTERNET-DRAFT draft-zeilenga-ldap-turn-00 8 February 2004
+INTERNET-DRAFT draft-zeilenga-ldap-turn-03 28 October 2005
- able to act both as client and server.
+ The Turn operation is defined as a LDAP Extended Operation [Protocol,
+ Section 4.12] identified by the IANA-ASSIGNED-OID. The function of
+ the Turn Operation is to request that the client-server roles be
+ reversed, or, optionally to request that both protocol peers to be
+ able to act both as client and server in respect to the other.
2.1. Turn Request
turnValue ::= SEQUENCE {
mutual BOOLEAN DEFAULT FALSE,
- identifier LDAPString,
+ identifier LDAPString
}
- A TRUE value of the mutual field indicates a request to allow both
- peers to act both as client and server while a FALSE value indicates a
+ A TRUE mutual field value indicates a request to allow both peers to
+ act both as client and server. A FALSE mutual field value indicates a
request to reserve the client and server roles.
The value of the identifier field is a locally-defined policy
- identifier (typicallly associated with a mutual agreement for which
- this turn is be executed as part of). This policy identifier is
- called the turn indicator.
+ identifier (typically associated with a mutual agreement for which
+ this turn is be executed as part of).
2.2. Turn Response
A Turn response is an ExtendedResponse where the responseName and
- response fields are absent. A resultCode of success is returned if
- and only if the responder is willing and able to turn the session as
- requested. Otherwise, a different resultCode is returned.
+ responseValue fields are absent. A resultCode of success is returned
+ if and only if the responder is willing and able to turn the session
+ as requested. Otherwise, a different resultCode is returned.
-3. Security Considerations
+3. Authentication
- It is generally recommended that before issuing the Turn operation the
- protocol peers:
+ This extension's authentication model assumes separate authentication
+ of the peers in each of their roles. A separate Bind exchange is
+ expected between the peers in their new roles to establish identities
+ in these roles.
- - establish each other identities through appropriate authentication
- mechanism,
- - establish appropriate data integrity, data confidentiality, and
- other protections,
- - establish an LDAP association between the initiating peer and the
- responding peer.
+ Upon completion of the Turn, the responding peer in its new client
+ role has an anonymous association at the initiating peer in its new
+ server role. If the turn was mutual, the authentication association
+ of the initiating peer in its pre-existing client role is left intact
+ at the responding peer in its pre-existing server role. If the turn
+ was not mutual, this association is void.
- And upon successful completion of turn:
- - establish an LDAP association in reverse.
- That is, for peer A connecting to peer B listening and where TLS and
+Zeilenga LDAP Turn Op [Page 3]
+\f
+INTERNET-DRAFT draft-zeilenga-ldap-turn-03 28 October 2005
-Zeilenga LDAP Turn Op [Page 3]
+ The responding peer may establish its identity in its client role by
+ requesting and successfully completing a Bind operation.
+
+ The remainder of this section discuss some authentication scenarios.
+ In the protocol exchange illustrations, A refers to the initiating
+ peer (the original client) and B refers to the responding peer (the
+ original server).
+
+3.1. Use with TLS and Simple Authentication
+
+ A->B: StartTLS Request
+ B->A: StartTLS(success) Response
+ A->B: Bind(Simple(cn=B,dc=example,dc=net,B's secret)) Request
+ B->A: Bind(success) Response
+ A->B: Turn(TRUE,"XXYYZ") Request
+ B->A: Turn(success) Response
+ A->B: Bind(Simple(DN/Password)) Request
+ B->A: Bind(Simple(cn=A,dc=example,dc=net,A's secret)) Request
+ A->B: Bind(success) Response
+
+ In this scenario, TLS (Transport Layer Security) [TLS] is started and
+ the initiating peer (the original client) establishes its identity
+ with the responding peer prior to the Turn using the the DN/password
+ mechanism of the Simple method of the Bind operation. After the turn,
+ the responding peer in its new client role establishes its identity
+ with the initiating peer in its new server role.
+
+
+3.2. Use with TLS and SASL EXTERNAL
+
+ A->B: StartTLS Request
+ B->A: StartTLS(success) Response
+ A->B: Bind(SASL(EXTERNAL)) Request
+ B->A: Bind(success) Response
+ A->B: Turn(TRUE,"XXYYZ") Request
+ B->A: Turn(success) Response
+ B->A: Bind(SASL(EXTERNAL)) Request
+ A->B: Bind(success) Response
+
+ In this scenario, TLS is started prior with each peer providing a
+ valid certificate and the initiating peer (the original client)
+ establishes its identity through the use of the EXTERNAL mechanism of
+ the SASL (Simple Authentication and Security Layer) [SASL] method of
+ the Bind operation prior to the Turn. After the turn, the responding
+ peer in its new client role establishes its identity with the
+ initiating peer in its new server role.
+
+
+
+
+
+Zeilenga LDAP Turn Op [Page 4]
\f
-INTERNET-DRAFT draft-zeilenga-ldap-turn-00 8 February 2004
+INTERNET-DRAFT draft-zeilenga-ldap-turn-03 28 October 2005
+
+
+3.3. Use of mutual authentication and SASL EXTERNAL
+
+ A number of SASL mechanisms, such as GSSAPI [GSSAPI] and DIGEST-MD5
+ [DIGEST-MD5], support mutual authentication. The initiating peer, it
+ its new server role, may use the identity of the responding peer
+ established by a prior authentication exchange, as its source for
+ "external" identity in subsequent EXTERNAL exchange.
+
+ A->B: Bind(SASL(GSSAPI)) Request
+ <intermediate messages>
+ B->A: Bind(success) Response
+ A->B: Turn(TRUE,"XXYYZ") Request
+ B->A: Turn(success) Response
+ B->A: Bind(SASL(EXTERNAL)) Request
+ A->B: Bind(success) Response
+
+ In this scenario, a GSSAPI mutual-authentication exchange is completed
+ between the initiating peer (the original client) and the the
+ responding server (the original server) prior to the turn. After the
+ turn, the responding peer in its new client role requests the
+ initiating peer utilize an "external" identity to establish its LDAP
+ authorization identity.
+
+
+4. TLS and SASL security layers
+
+ As described in [Protocol], LDAP supports both Transport Layer
+ Security (TLS) [TLS] and Simple Authentication and Security Layer
+ (SASL) [SASL] security frameworks. The following table illustrates
+ the relationship between the LDAP message layer, SASL layer, TLS
+ layer, and transport connection within an LDAP session.
+
+ +----------------------+
+ | LDAP message layer |
+ +----------------------+ > LDAP PDUs
+ +----------------------+ < data
+ | SASL layer |
+ +----------------------+ > SASL-protected data
+ +----------------------+ < data
+ | TLS layer |
+ Application +----------------------+ > TLS-protected data
+ ------------+----------------------+ < data
+ Transport | transport connection |
+ +----------------------+
+
+ This extension does not alter this relationship, nor does it remove
+ the general restriction against multiple TLS layers, nor does it
+ remove the general restriction against multiple SASL layers.
+
+
+
+Zeilenga LDAP Turn Op [Page 5]
+\f
+INTERNET-DRAFT draft-zeilenga-ldap-turn-03 28 October 2005
+
+
+ As specified in [Protocol], the StartTLS operation is used to initiate
+ negotiation of a TLS layer. If a TLS is already installed, the
+ StartTLS operation must fail. Upon establishment of the TLS layer,
+ regardless of which peer issued the request to start TLS, the peer
+ which initiated the LDAP session (the original client) performs the
+ "server identity check" as described in Section 3.1.5 of [AuthMeth]
+ treating itself as the "client" and its peer as the "server".
+
+ As specified in [SASL], newly negotiated SASL security layer replace
+ the installed SASL security layer. Though the client/server roles in
+ LDAP, and hence SASL, may be reversed in subsequent exchanges, only
+ one SASL security layer may be installed at any instance.
- SASL/EXTERNAL were to be used, the sequence of operations would be:
+5. Security Considerations
- A->B: StartTLS
- A->B: Bind(SASL,EXTERNAL)
- A->B: Turn
- B->A: Bind(SASL,EXTERNAL)
+ Implementors should be aware that the reversing of client/server roles
+ and/or allowing both peers to act as client and server likely
+ introduces security considerations not foreseen by the authors of this
+ document. In particular, the security implications of the design
+ choices made in the authentication and data security models for this
+ extension (discussed in sections 3 and 4, respectively) are not fully
+ studied. It is hoped that experimentation with this extension will
+ lead to better understanding of the security implications of these
+ models and other aspects of this extension, and that appropriate
+ considerations will be documented in a future document. The following
+ security considerations are apparent at this time.
+ Implementors should take special care to process LDAP, SASL, TLS, and
+ other events the appropriate roles for the peers. It is noted that
+ while the Turn reverses the client/server roles with LDAP, and in SASL
+ authentication exchanges, it does not reverse the roles within the TLS
+ layer or the transport connection.
-4. IANA Considerations
+ The responding server (the original server) should restrict use of
+ this operation to authorized clients. Client knowledge of a valid
+ identifier should not be the sole factor in determining authorization
+ to turn.
- Registration of the following values [RFC3383] is requested.
+ Where the peers except to establish TLS, TLS should be started prior
+ to the Turn and any request to authenticate via the Bind operation.
+ LDAP security considerations [Protocol][AuthMeth] generally apply to
+ this extension.
-4.1. Object Identifier
+
+6. IANA Considerations
+
+
+
+
+Zeilenga LDAP Turn Op [Page 6]
+\f
+INTERNET-DRAFT draft-zeilenga-ldap-turn-03 28 October 2005
+
+
+ Registration of the following values [BCP64bis] is requested.
+
+
+6.1. Object Identifier
It is requested that IANA assign an LDAP Object Identifier to identify
the LDAP Turn Operation as defined in this document.
Identifies the LDAP Turn Operation
-4.2. LDAP Protocol Mechanism
+6.2. LDAP Protocol Mechanism
It is requested that IANA register the LDAP Protocol Mechanism
described in this document.
Comments: none
-5. Normative References
+7. Author's Address
- [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
- Requirement Levels", BCP 14 (also RFC 2119), March 1997.
+ Kurt D. Zeilenga
+ OpenLDAP Foundation
+ Email: Kurt@OpenLDAP.org
+8. References
-Zeilenga LDAP Turn Op [Page 4]
+ [[Note to the RFC Editor: please replace the citation tags used in
+ referencing Internet-Drafts with tags of the form RFCnnnn where
+ possible.]]
+
+
+
+
+
+Zeilenga LDAP Turn Op [Page 7]
\f
-INTERNET-DRAFT draft-zeilenga-ldap-turn-00 8 February 2004
+INTERNET-DRAFT draft-zeilenga-ldap-turn-03 28 October 2005
- [RFC2251] Wahl, M., T. Howes and S. Kille, "Lightweight Directory
- Access Protocol (v3)", RFC 2251, December 1997.
+8.1. Normative References
- [RFC3377] Hodges, J. and R. Morgan, "Lightweight Directory Access
- Protocol (v3): Technical Specification", RFC 3377,
- September 2002.
+ [Roadmap] Zeilenga, K. (editor), "LDAP: Technical Specification
+ Road Map", draft-ietf-ldapbis-roadmap-xx.txt, a work in
+ progress.
+
+ [Protocol] Sermersheim, J. (editor), "LDAP: The Protocol",
+ draft-ietf-ldapbis-protocol-xx.txt, a work in progress.
+
+ [AuthMeth] Harrison, R. (editor), "LDAP: Authentication Methods and
+ Connection Level Security Mechanisms",
+ draft-ietf-ldapbis-authmeth-xx.txt, a work in progress.
+
+ [SASL] Melnikov, A. (Editor), "Simple Authentication and
+ Security Layer (SASL)",
+ draft-ietf-sasl-rfc2222bis-xx.txt, a work in progress.
+
+ [TLS] Dierks, T. and, E. Rescorla, "The TLS Protocol Version
+ 1.1", draft-ietf-tls-rfc2246-bis-xx.txt, a work in
+ progress.
[X.680] International Telecommunication Union -
Telecommunication Standardization Sector, "Abstract
Syntax Notation One (ASN.1) - Specification of Basic
- Notation", X.680(1997) (also ISO/IEC 8824-1:1998).
+ Notation", X.680(2002) (also ISO/IEC 8824-1:2002).
[X.690] International Telecommunication Union -
Telecommunication Standardization Sector, "Specification
of ASN.1 encoding rules: Basic Encoding Rules (BER),
Canonical Encoding Rules (CER), and Distinguished
- Encoding Rules (DER)", X.690(1997) (also ISO/IEC
- 8825-1:1998).
+ Encoding Rules (DER)", X.690(2002) (also ISO/IEC
+ 8825-1:2002).
-6. Informative References
+8.2. Informative References
- [RFC3383] Zeilenga, K., "IANA Considerations for LDAP", BCP 64
- (also RFC 3383), September 2002.
+ [BCP64bis] Zeilenga, K., "IANA Considerations for LDAP",
+ draft-ietf-ldapbis-bcp64-xx.txt, a work in progress.
+ [GSSAPI] Linn, J., "Generic Security Service
+ Application Program Interface, Version 2, Update 1", RFC
+ 2743, January 2000.
-7. Author's Address
-
- Kurt D. Zeilenga
- OpenLDAP Foundation
-
- Email: Kurt@OpenLDAP.org
+ [DIGEST-MD5] Leach, P., C. Newman, and A. Melnikov, "Using Digest
+ Authentication as a SASL Mechanism",
+ draft-ietf-sasl-rfc2831bis-xx.txt, a work in progress.
-Intellectual Property Rights
-
- The IETF takes no position regarding the validity or scope of any
- intellectual property or other rights that might be claimed to pertain
- to the implementation or use of the technology described in this
- document or the extent to which any license under such rights might or
- might not be available; neither does it represent that it has made any
- effort to identify any such rights. Information on the IETF's
- procedures with respect to rights in standards-track and
- standards-related documentation can be found in BCP-11. Copies of
- claims of rights made available for publication and any assurances of
- licenses to be made available, or the result of an attempt made to
- obtain a general license or permission for the use of such proprietary
-
-Zeilenga LDAP Turn Op [Page 5]
+Zeilenga LDAP Turn Op [Page 8]
\f
-INTERNET-DRAFT draft-zeilenga-ldap-turn-00 8 February 2004
+INTERNET-DRAFT draft-zeilenga-ldap-turn-03 28 October 2005
+
+Intellectual Property Rights
- rights by implementors or users of this specification can be obtained
- from the IETF Secretariat.
+ The IETF takes no position regarding the validity or scope of any
+ Intellectual Property Rights or other rights that might be claimed to
+ pertain to the implementation or use of the technology described in
+ this document or the extent to which any license under such rights
+ might or might not be available; nor does it represent that it has
+ made any independent effort to identify any such rights. Information
+ on the procedures with respect to rights in RFC documents can be found
+ in BCP 78 and BCP 79.
+
+ Copies of IPR disclosures made to the IETF Secretariat and any
+ assurances of licenses to be made available, or the result of an
+ attempt made to obtain a general license or permission for the use of
+ such proprietary rights by implementers or users of this specification
+ can be obtained from the IETF on-line IPR repository at
+ http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
- rights which may cover technology that may be required to practice
- this standard. Please address the information to the IETF Executive
- Director.
+ rights that may cover technology that may be required to implement
+ this standard. Please address the information to the IETF at
+ ietf-ipr@ietf.org.
Full Copyright
- Copyright (C) The Internet Society (2004). All Rights Reserved.
-
- This document and translations of it may be copied and furnished to
- others, and derivative works that comment on or otherwise explain it
- or assist in its implementation may be prepared, copied, published and
- distributed, in whole or in part, without restriction of any kind,
- provided that the above copyright notice and this paragraph are
- included on all such copies and derivative works. However, this
- document itself may not be modified in any way, such as by removing
- the copyright notice or references to the Internet Society or other
- Internet organizations, except as needed for the purpose of
- developing Internet standards in which case the procedures for
- copyrights defined in the Internet Standards process must be followed,
- or as required to translate it into languages other than English.
+ Copyright (C) The Internet Society (2005).
+ This document is subject to the rights, licenses and restrictions
+ contained in BCP 78, and except as set forth therein, the authors
+ retain all their rights.
+ This document and the information contained herein are provided on an
+ "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
+ OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
+ ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
+ INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
+ INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+ WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-
-
-
-
-
-
-
-
-
-
-Zeilenga LDAP Turn Op [Page 6]
+Zeilenga LDAP Turn Op [Page 9]
\f
-\r