From: Kurt Zeilenga Date: Wed, 16 Mar 2011 19:16:14 +0000 (+0000) Subject: rfc6171 (dontUseCopy) X-Git-Tag: MIGRATION_CVS2GIT~16 X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=1c411cc3c6d2342f9de668765e621ea0ba04afdd;p=openldap rfc6171 (dontUseCopy) --- diff --git a/doc/rfc/rfc6171.txt b/doc/rfc/rfc6171.txt new file mode 100644 index 0000000000..d325fb470e --- /dev/null +++ b/doc/rfc/rfc6171.txt @@ -0,0 +1,339 @@ + + + + + + +Internet Engineering Task Force (IETF) K. Zeilenga +Request for Comments: 6171 Isode Limited +Category: Standards Track March 2011 +ISSN: 2070-1721 + + +The Lightweight Directory Access Protocol (LDAP) Don't Use Copy Control + +Abstract + + This document defines the Lightweight Directory Access Protocol + (LDAP) Don't Use Copy control extension, which allows a client to + specify that copied information should not be used in providing + service. This control is based upon the X.511 dontUseCopy service + control option. + +Status of This Memo + + This is an Internet Standards Track document. + + This document is a product of the Internet Engineering Task Force + (IETF). It represents the consensus of the IETF community. It has + received public review and has been approved for publication by the + Internet Engineering Steering Group (IESG). Further information on + Internet Standards is available in Section 2 of RFC 5741. + + Information about the current status of this document, any errata, + and how to provide feedback on it may be obtained at + http://www.rfc-editor.org/info/rfc6171. + +Copyright Notice + + Copyright (c) 2011 IETF Trust and the persons identified as the + document authors. All rights reserved. + + This document is subject to BCP 78 and the IETF Trust's Legal + Provisions Relating to IETF Documents + (http://trustee.ietf.org/license-info) in effect on the date of + publication of this document. Please review these documents + carefully, as they describe your rights and restrictions with respect + to this document. Code Components extracted from this document must + include Simplified BSD License text as described in Section 4.e of + the Trust Legal Provisions and are provided without warranty as + described in the Simplified BSD License. + + + + + + + +Zeilenga Standards Track [Page 1] + +RFC 6171 LDAP Don't Use Copy Control March 2011 + + + This document may contain material from IETF Documents or IETF + Contributions published or made publicly available before November + 10, 2008. The person(s) controlling the copyright in some of this + material may not have granted the IETF Trust the right to allow + modifications of such material outside the IETF Standards Process. + Without obtaining an adequate license from the person(s) controlling + the copyright in such materials, this document may not be modified + outside the IETF Standards Process, and derivative works of it may + not be created outside the IETF Standards Process, except to format + it for publication as an RFC or to translate it into languages other + than English. + +1. Background and Intended Usage + + This document defines the Lightweight Directory Access Protocol + (LDAP) [RFC4510] Don't Use Copy control extension. The control may + be attached to request messages to indicate that copied (replicated + or cached) information [X.500] is not be used in providing service. + This control is based upon the X.511 [X.511] dontUseCopy service + control option. + + The Don't Use Copy control is intended to be used where the client + requires the service be provided using original (master) information + [X.500]. In absence of this control, the server is free to make use + of copied (i.e., non-authoritative) information in providing the + requested service. + + For instance, a client might desire to have an authoritative answer + to a question of whether or not a particular user is a member of a + group. To ask this question of a server, the client might issue a + compare request [RFC4511], with the Don't Use Copy control, where the + entry parameter is the Distinguished Name (DN) of the group, the + ava.attributeDesc is 'member', and the ava.assertionValue is the DN + of the user in question. If the server has access to the original + (master) information directly or through chaining, it performs the + operation against the original (master) information and returns + compareTrue or compareFalse (or an error). If the server does not + have access to the original information, the server is obligated to + either return a referral or an error. + + It is not intended that this control be used generally (e.g., for all + LDAP interrogation operations) but only as required to ensure proper + directory application behavior. In general, directory applications + ought to designed to use copied information well. + + + + + + + +Zeilenga Standards Track [Page 2] + +RFC 6171 LDAP Don't Use Copy Control March 2011 + + +2. Terminology + + DSA stands for Directory System Agent (or server). + DSE stands for DSA-Specific Entry. + + The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", + "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this + document are to be interpreted as described in RFC 2119 [RFC2119]. + +3. The Don't Use Copy Control + + The Don't Use Copy control is an LDAP Control [RFC4511] whose + controlType is 1.3.6.1.1.22 and controlValue is absent. The + criticality MUST be TRUE. There is no corresponding response + control. + + The control is appropriate for LDAP interrogation operations, + including Compare and Search operations [RFC4511]. It is + inappropriate for all other operations, including Abandon, Bind, + Delete, Modify, ModifyDN, StartTLS, and Unbind operations [RFC4511]. + + When the control is attached to an LDAP request, the requested + operation MUST NOT be performed on copied information. That is, the + requested operation MUST be performed on original information. + + If original (master) information for the target or base object of the + operation is not available (either locally or through chaining), the + server MUST either return a referral directing the client to a server + believed to be better able to service the request or return an + appropriate result code (e.g., unwillingToPerform). + + It is noted that a referral, if returned, is not necessarily to the + server holding the original (master) information. It is also noted + that an authoritative answer to the question might not be available + to the client for any number of reasons. + + Where the client chases a referral to a server (as referenced by an + LDAP URL) in the server response in order to obtain an authoritative + response, the client MUST provide the dontUseCopy control with the + interrogation request it makes to the referred to server. While LDAP + allows return of other kinds of URIs, the syntax and semantics of + other kinds of URIs are left to future specifications. The + particulars of how to act upon other kinds of URIs are also left to + future specifications. + + + + + + + +Zeilenga Standards Track [Page 3] + +RFC 6171 LDAP Don't Use Copy Control March 2011 + + + Servers implementing this technical specification SHOULD publish the + object identifier 1.3.6.1.1.22 as a value of the 'supportedControl' + attribute [RFC4512] in their root DSE. A server MAY choose to + advertise this extension only when the client is authorized to use + it. + +4. Security Considerations + + This control is intended to be provided where providing service using + copied information might lead to unexpected application behavior. + + Use of the Don't Use Copy control may permit an attacker to perform + or amplify a denial-of-service attack by causing additional server + resources to be employed, such as when the server chooses to chain + the request instead of returning a referral. Servers capable of such + chaining can mitigate this threat by limiting chaining to a + particular group of authenticated entities. + + LDAP is frequently used for storage and distribution of security- + sensitive information, including access control and security policy + information. Failure to use the Don't Use Copy control may thus + permit an attacker to gain unauthorized access by allowing reliance + on stale data. + +5. IANA Considerations + +5.1. Object Identifier + + IANA has assigned an LDAP Object Identifier [RFC4520] to identify the + LDAP Don't Use Copy Control defined in this document. + + Subject: Request for LDAP Object Identifier Registration + Person & email address to contact for further information: + Kurt Zeilenga + Specification: RFC 6171 + Author/Change Controller: IESG + Comments: + Identifies the LDAP Don't Use Copy Control + + + + + + + + + + + + + +Zeilenga Standards Track [Page 4] + +RFC 6171 LDAP Don't Use Copy Control March 2011 + + +5.2. LDAP Protocol Mechanism + + IANA has registered this protocol mechanism [RFC4520] as follows. + + Subject: Request for LDAP Protocol Mechanism Registration + Object Identifier: 1.3.6.1.1.22 + Description: Don't Use Copy Control + Person & email address to contact for further information: + Kurt Zeilenga + Usage: Control + Specification: RFC 6171 + Author/Change Controller: IESG + Comments: none + +6. Acknowledgements + + The author thanks Ben Campbell, Phillip Hallam-Baker, and Ted Hardie + for providing review and specific suggestions. + +7. References + +7.1. Normative References + + [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate + Requirement Levels", BCP 14, RFC 2119, March 1997. + + [RFC4510] Zeilenga, K., Ed., "Lightweight Directory Access Protocol + (LDAP): Technical Specification Road Map", RFC 4510, June + 2006. + + [RFC4511] Sermersheim, J., Ed., "Lightweight Directory Access + Protocol (LDAP): The Protocol", RFC 4511, June 2006. + + [RFC4512] Zeilenga, K., Ed., "Lightweight Directory Access Protocol + (LDAP): Directory Information Models", RFC 4512, June + 2006. + +7.2. Informative References + + [X.500] International Telecommunication Union - Telecommunication + Standardization Sector, "The Directory -- Overview of + concepts, models and services," X.500(1993) (also ISO/IEC + 9594-1:1994). + + [X.511] International Telecommunication Union - Telecommunication + Standardization Sector, "The Directory: Abstract Service + Definition", X.511(1993) (also ISO/IEC 9594-3:1993). + + + + +Zeilenga Standards Track [Page 5] + +RFC 6171 LDAP Don't Use Copy Control March 2011 + + + [RFC4520] Zeilenga, K., "Internet Assigned Numbers Authority (IANA) + Considerations for the Lightweight Directory Access + Protocol (LDAP)", BCP 64, RFC 4520, June 2006. + +Author's Address + + Kurt D. Zeilenga + Isode Limited + + EMail: Kurt.Zeilenga@Isode.COM + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Zeilenga Standards Track [Page 6] +