4 Network Working Group M. Wahl
5 Internet-Draft Informed Control Inc.
6 Intended status: Standards Track May 9, 2007
7 Expires: November 10, 2007
10 LDAP Session Tracking Control
11 draft-wahl-ldap-session-03
15 By submitting this Internet-Draft, each author represents that any
16 applicable patent or other IPR claims of which he or she is aware
17 have been or will be disclosed, and any of which he or she becomes
18 aware will be disclosed, in accordance with Section 6 of BCP 79.
20 Internet-Drafts are working documents of the Internet Engineering
21 Task Force (IETF), its areas, and its working groups. Note that
22 other groups may also distribute working documents as Internet-
25 Internet-Drafts are draft documents valid for a maximum of six months
26 and may be updated, replaced, or obsoleted by other documents at any
27 time. It is inappropriate to use Internet-Drafts as reference
28 material or to cite them other than as "work in progress."
30 The list of current Internet-Drafts can be accessed at
31 http://www.ietf.org/ietf/1id-abstracts.txt.
33 The list of Internet-Draft Shadow Directories can be accessed at
34 http://www.ietf.org/shadow.html.
36 This Internet-Draft will expire on November 10, 2007.
40 Copyright (C) The IETF Trust (2007).
55 Wahl Expires November 10, 2007 [Page 1]
57 Internet-Draft LDAP Session Tracking Control May 2007
62 Many network devices, application servers, and middleware components
63 of a enterprise software infrastructure generate some form of session
64 tracking identifiers, which are useful when analyzing activity and
65 accounting logs to group activity relating to a particular session.
66 This document discusses how Lightweight Directory Access Protocol
67 version 3 (LDAP) clients can include session tracking identifiers
68 with their LDAP requests. This information is provided through
69 controls in the requests the clients send to LDAP servers. The LDAP
70 server receiving these controls can include the session tracking
71 identifiers in the log messages it writes, enabling LDAP requests in
72 the LDAP server's logs to be correlated with activity in logs of
73 other components in the infrastructure. The control also enables
74 session tracking information to be generated by LDAP servers and
75 returned to clients and other servers. Three formats of session
76 tracking identifiers are defined in this document.
111 Wahl Expires November 10, 2007 [Page 2]
113 Internet-Draft LDAP Session Tracking Control May 2007
118 The majority of directory server implementations produce access logs
119 detailing each request they receive. These logs can be read using
120 log parsing tools or specialized log viewer applications. Typically
121 it will be possible, for each request logged by a directory server,
122 to determine the bind DN (or possibly another form of authentication
123 identity) of the client which sent the request to the server, and
124 many servers also log the IP address of the client that sent the
127 In the original OSI architecture, it was envisaged that users might
128 interact with a directory service through specialized applications,
129 known as Directory User Agents, which were the clients of the
130 Directory Access Protocol. Similarly, in early Internet directory
131 deployments, a majority of LDAP clients were desktop applications,
132 that used the LDAP protocol to search an enterprise directory for
133 address book/contact information.
135 Today, the majority of LDAP clients are embedded within middleware
136 and server applications. Legacy address book protocols might be
137 gatewayed into LDAP, or a server might consult an LDAP server in
138 order to check a user's password or obtain their preferences. While
139 the LDAP requests might result from a user's activity somewhere on
140 the network, it is rare for the user to be 'driving' the LDAP client,
141 and in most cases the user performing the activity is unaware that
142 LDAP requests are being generated on their behalf.
144 However, this information is important to directory system
145 administrators and auditors. They may wish to determine who is
146 making use of the directory service, or track the source of unusual
149 When a directory server administrator reviews a log file produced by
150 a directory server that has been accessed only by clients that are
151 themselves middleware, where the end user does not interact with the
152 middleware directly, only through other kinds of servers (e.g.
153 application servers or remote access servers), it will be difficult
154 to correlate between the directory server's log and the logs of the
155 servers which made use of this directory to determine why the LDAP
156 requests were made and who were responsible for causing them.
158 Reasons for this include:
160 o Directory servers are capable of performing many hundreds of
161 requests per second or more, and even with time synchronization
162 between the systems on which the directory server and middleware
163 are deployed, times of requests might not be logged accurately
167 Wahl Expires November 10, 2007 [Page 3]
169 Internet-Draft LDAP Session Tracking Control May 2007
172 enough to be able to correlate based on time: the server's logs
173 might be only to 1-second resolution.
175 o A single function on a middleware server, such as "authenticate a
176 user", may result in multiple LDAP requests being generated in
177 order to perform that request.
179 o Many high performance middleware servers implement connection
180 pooling, managing a set of persistent connections to each
181 directory server and multiplexing operations across the
182 connections. Each connection will have the same source IP address
183 and bind DN. If a particular activity causes multiple LDAP
184 requests to be generated, each LDAP request might be sent on a
185 different connection. Also, as LDAP is an asynchronous protocol,
186 middleware servers may have more than one request in progress on
187 each connection, asynchronously sending requests to the directory
188 server on each connection and processing the responses in whatever
189 order they are received.
191 This document defines a new control for use in LDAPv3 [1] operation
192 requests. This control contains session tracking information that
193 can be used to correlate log information present in the directory
194 server's log with the logs of other middleware servers.
196 The words "MUST", "SHOULD" and "MAY" are used as defined in RFC 2119
199 1.1. Motivation for session tracking
201 A typical enterprise deployment with an application indirectly
202 relying upon the directory might resemble:
205 +------+ +--------+ +----------+ +--------+
206 | User | | Appli- | | Auth./ | LDAP | LDAP |
207 | +-----+ cation +-------+ Identity +------+ Server |
208 | | | Server | | Provider | | |
209 | A | | B | | C | | D |
210 +------+ +--------+ +----------+ +--------+
213 In this diagram, a user (A) makes some request of an application
214 server (B). The application server might rely on an integrated or
215 external authentication provider in order to check the user's
216 authentication credentials, or might use an identity provider to
217 obtain profile information about the user. This request might be
218 made through an API or a protocol other than LDAP, e.g. RADIUS,
219 Kerberos, SMB, etc. The authentication/identity provider (C) would
223 Wahl Expires November 10, 2007 [Page 4]
225 Internet-Draft LDAP Session Tracking Control May 2007
228 generate one or more LDAP requests and send them to an LDAP server
231 The LDAP server has the following information already available to it
232 through the LDAP protocol: the IP address and authentication
233 credentials of the authentication/identity provider (C). If the
234 provider has included the Proxy Authorization Control [11], then the
235 LDAP server might also receive the Distinguished Name or
236 authorization identity of either the user (A) or the application
237 server (B), depending on how the authentication/identity provider (C)
238 uses the directory. In order to obtain this distinguished name
239 however, the authentication/identity provider (C) might need to
240 perform one or more LDAP search or bind requests. If there is no
241 entry in the directory corresponding to the identity of the user (A)
242 or the application server (B), then there is no way in the base LDAP
243 specification or the Proxy Authorization Control for the
244 authentication/identity provider (C) to describe the user (A) or the
245 application server (B) to the LDAP server (D).
247 If either the application server (B) or the authentication/identity
248 provider (C) have generated a session identifier for tracking the
249 interactions of the user (A) for a particular session, then it is
250 useful to include this information with the requests made to the
251 directory server, so that this session identifier will show up in the
252 directory server's logs. That is the purpose of the control defined
279 Wahl Expires November 10, 2007 [Page 5]
281 Internet-Draft LDAP Session Tracking Control May 2007
284 2. Control definition
286 There is currently no standard way of describing a session: there are
287 many different formats for a session identifier, and each application
288 that tracks sessions typically has its own semantics for what a
289 session means. Thus, a control is defined using an extensible model,
290 in order to incorporate many different application's concepts and
291 formats of a session tracking identifier.
293 The value of the session identifier control encapsulates the
294 following four pieces of information: sessionSourceIp,
295 sessionSourceName, formatOID and sessionTrackingIdentifier.
297 The sessionSourceIp field is a US-ASCII string encoding of an IPv4 or
298 IPv6 [3] address of the component of the system which has generated a
299 session tracking identifier. The purpose of this field is to enable
300 the directory server administrator, even if they do not have a log
301 parser that understands a particular session tracking identifier
302 format, to at least be able to identify the server that manages the
303 session. Note that there is no guarantee of IP-level connectivity
304 between the directory server and the system which generated the
305 tracking identifier, and if Network Address Translation is being
306 used, the IP address in this field might be from a private use
309 The sessionSourceName field is a UTF-8 [4] encoded ISO 10646 [5] text
310 string. This field describes the component of the system which has
311 generated a session tracking identifier. The format of this field is
312 determined by the formatOID (discussed below); examples of contents
313 of a sessionSourceName field might be a hostname, a distinguished
314 name, or a web service address. This contents of this field is not
315 intended to identify an end user; instead it identifies the server
316 using a name other than the server's IP address.
318 The formatOID is a US-ASCII encoded dotted decimal representation of
319 an OBJECT IDENTIFIER. The OBJECT IDENTIFIER indicates the scheme
320 that is used to generate the sessionSourceName and
321 sessionTrackingIdentifier fields. As there is currently no standard
322 scheme for session information, it is expected that there will be
323 many different formats carried within this control. The OBJECT
324 IDENTIFIERs for three formats are presented in this document.
326 The sessionTrackingIdentifier field is a UTF-8 encoded ISO 10646
327 string. The session identifier SHOULD be limited to whitespace and
328 printable characters; non-printing and control characters SHOULD NOT
329 be used, and byte sequences that are not legal UTF-8 MUST NOT be
330 used. The syntax of the session identifier and its semantics (e.g.,
331 how values are compared for equality) are governed by the formatOID.
335 Wahl Expires November 10, 2007 [Page 6]
337 Internet-Draft LDAP Session Tracking Control May 2007
340 For example, the session identifier might be a simple string encoding
341 of a decimal counter, a username, a timestamp, a fragment of XML, or
342 it might be something else, depending on the format.
344 2.1. Formal definition
346 This document defines a single LDAP control.
348 The controlType is 1.3.6.1.4.1.21008.108.63.1, the criticality MUST
349 be either FALSE or absent, and the controlValue MUST be present. The
350 controlValue OCTET STRING is always present and contains the bytes of
351 the BER [6] encoding of a value of the ASN.1 data type
352 SessionIdentifierControlValue, defined as follows:
354 LDAP-Session-Identifier-Control
355 DEFINITIONS IMPLICIT TAGS ::=
358 LDAPString ::= OCTET STRING -- UTF-8 encoded
359 LDAPOID ::= OCTET STRING -- Constrained to numericoid
361 SessionIdentifierControlValue ::= SEQUENCE {
362 sessionSourceIp LDAPString,
363 sessionSourceName LDAPString,
365 sessionTrackingIdentifier LDAPString
370 The sessionSourceIp element SHOULD NOT be longer than 42 characters
371 (the length necessary for a string representation of an IPv6
372 address), and MUST NOT be longer than 128 characters. Each character
373 will be encoded into a single byte. If the IP address of the system
374 which generated the session tracking identifier is not known, the
375 sessionSourceIp element SHOULD be of zero length.
377 The sessionSourceName element SHOULD NOT be longer than 1024
378 characters, and MUST NOT be longer than 65536 bytes. Note that in
379 the UTF-8 encoding a character MAY be encoded into more than one
380 byte. If no other addressing information about that system is known
381 or relevant to the format, the sessionSourceName element SHOULD be of
384 The formatOID element MUST contain only the US-ASCII encodings of the
385 ISO 10646 characters FULL STOP and DIGIT ZERO through DIGIT NINE
386 (0x2E, 0x30-0x39). The formatOID element MUST NOT be of zero length,
387 and SHOULD NOT be longer than 1024 characters.
391 Wahl Expires November 10, 2007 [Page 7]
393 Internet-Draft LDAP Session Tracking Control May 2007
396 The sessionTrackingIdentifier field MAY be of zero length (although
397 this might not be useful). There is no upper bound on the
398 sessionTrackingIdentifier, but it is suggested that values SHOULD NOT
399 be longer than 65536 characters without prior agreement with the
400 directory server administrator. Note that in the UTF-8 encoding a
401 character MAY be encoded into more than one byte.
405 The control MAY be included in any LDAP operation. The control has
406 order-dependent semantics.
408 A client might place the control on a message with a bindRequest,
409 searchRequest, modifyRequest, addRequest, delRequest, modDNRequest,
410 compareRequest or extendedReq. A client MAY include multiple
411 controls of this type in a single request. This enables the client
412 to incorporate multiple distinct session tracking identifiers with
415 When a network service is proxying or chaining LDAP, in which the
416 service receives an incoming LDAP request from a client and from this
417 generates one or more requests to other LDAP servers, the service
418 SHOULD include any controls of this type that it received from
419 clients in requests it generates, without modification. A service
420 MAY silently remove a control if that control would violate security
421 policy. If the service has its own session state identifier, it
422 SHOULD include the session identifier control it generates in the
423 Controls SEQUENCE after any session identifier controls received by
424 clients. (If there are multiple proxies involved, each will add
425 their own session state to the end of the controls list).
427 A server might place the control on message with a bindResponse,
428 searchResDone, modifyResponse, addResponse, delResponse,
429 modDNResponse, compareResponse, extendedResp or intermediateResponse.
430 The server can include the control in the response regardless of
431 whether the client included a control in the request or not. (The
432 control in a response is unsolicited, and a client which does not
433 recognize the control or a session tracking format can safely ignore
434 the control, as discussed in the following section). A server MAY
435 include multiple controls of this type in a response.
437 2.3. Extensibility considerations
439 The following section of this document defines 3 possible formats,
440 and it is expected that applications MAY define their own formats to
441 represent session tracking identifiers already implemented.
443 An application developer or server developer who wishes to transfer
447 Wahl Expires November 10, 2007 [Page 8]
449 Internet-Draft LDAP Session Tracking Control May 2007
452 their implementation's format for session tracking identifier within
453 an LDAP control MUST choose a new, unique, OBJECT IDENTIFIER to
454 represent this format.
456 The format determines the semantics of the sessionSourceName string,
457 and the sessionTrackingIdentifier string.
459 In general, when an LDAP server that has session tracking logging
460 enabled receives one or more of these controls with a request, the
461 server SHOULD include all fields of all of the controls with the
462 logging information for the request.
464 A LDAP server that supports third-party or extensible log parsing
465 tools SHOULD NOT reject or ignore a control if the formatOID value is
466 not recognized, as it is expected that applications may include
467 session tracking identifiers and want to make this information
468 available to log parsers for correlation purposes, even if the
469 directory server does not need to make any use of this information.
471 However, if the LDAP server does not recognize the control, the
472 control is not properly formatted, or the LDAP client is not
473 authorized to use this control, the LDAP server SHOULD ignore the
474 control and process the request as if the control had not been
477 When an LDAP client receives a response that includes this control,
478 the behavior depends on the client implementation. Clients SHOULD
479 silently ignore controls with formats they do not recognize, and
480 process the response as if the control had not been included.
503 Wahl Expires November 10, 2007 [Page 9]
505 Internet-Draft LDAP Session Tracking Control May 2007
508 3. Session tracking format definitions
510 This section defines three session tracking formats that can be used
511 within the session tracking control: two for RADIUS accounting, and
512 one based on usernames. Other formats can be defined in other
515 3.1. Formats for use with RADIUS accounting
517 This section defines two possible session tracking formats, that can
518 be used in LDAP clients that are part of or used by RADIUS servers
521 With formatOID set to 1.3.6.1.4.1.21008.108.63.1.1 within the control
522 value, the sessionTrackingIdentifier SHOULD contain the value of the
523 Acct-Session-Id RADIUS attribute (type 44), as defined in RFC 2866
524 [8]. (RFC 2866 section 5.5 states that the Acct-Session-Id SHOULD
525 contain UTF-8 encoded ISO 10646 characters.)
527 With formatOID set to 1.3.6.1.4.1.21008.108.63.1.2 within the control
528 value, the sessionTrackingIdentifier SHOULD contain the value of the
529 Acct-Multi-Session-Id RADIUS attribute (type 50), as defined in RFC
530 2866 [8]. (RFC 2866 section 5.11 states that the
531 Acct-Multi-Session-Id SHOULD contain UTF-8 encoded ISO 10646
534 In both of these two formats, the value of the sessionSourceIp field
535 SHOULD contain either a string encoding value of the IPv4 address
536 from the NAS-IP-Address RADIUS attribute (type 4), or a string
537 encoding of the IPv6 address from the value of the NAS-IPv6-Address
538 RADIUS attribute (type 95) as defined in RFC 3162 [9]. The value of
539 the sessionSourceName field SHOULD contain a string encoding the
540 value of the NAS-Identifier RADIUS attribute (type 32), if present,
541 or be of zero length if the NAS-Identifier RADIUS attribute was not
542 provided or was not in a recognized format.
544 3.2. Format for username accounting
546 This section defines another possible session tracking format that
547 can be used in LDAP clients that are part of applications which
548 identify users with simple string usernames.
550 With formatOID set to 1.3.6.1.4.1.21008.108.63.1.3 within the control
551 value, the sessionTrackingIdentifier SHOULD contain a username that
552 has already been authenticated by the application that is generating
553 the session. This format SHOULD NOT be used for purported names,
554 where the application has not verified that the username is valid.
559 Wahl Expires November 10, 2007 [Page 10]
561 Internet-Draft LDAP Session Tracking Control May 2007
564 The sessionSourceName field SHOULD contain the hostname where that
565 application is running, or be of zero length if the hostname is not
568 The username SHOULD be a SASL authorization identity string, as
569 described in section 3.4.1 of RFC 4422 [10]. It is expected that
570 these usernames are not globally unique, but are only unique within
571 the context of a particular application or particular enterprise. A
572 username need not be a distinguished name, and an implementation
573 receiving a control in this format MUST NOT assume that the contents
574 of the sessionTrackingIdentifier can be parsed as a distinguished
577 A control with this format differs from the Proxied Authorization
578 Control as defined in RFC 4370 [11], as the presence of this session
579 identifier control on a request SHOULD NOT influence the directory
580 server's access control decision of whether or how to perform that
583 Note that this format does not provide any information to
584 differentiate between multiple sessions or periods of interaction by
585 the same user. It is primarily intended for deployments which merely
586 need to be able to tie each directory operation to they identity of
587 the user whose activities caused the operation request to be
588 generated, even if the user might not even be represented in the
589 directory where the operations are being performed.
593 For example, if an application server "app.example.com" with IPv4
594 address "192.0.2.1" had authenticated an user with name "bloggs", and
595 then sent a search request to the LDAP directory in order to obtain
596 some public information on service configuration intending to provide
597 it to that user, the application might include a session identifier
598 control. The SessionIdentifierControlValue would have the following
599 ASN.1 value prior to encoding:
603 "192.0.2.1", -- sessionSourceIp
604 "app.example.com", -- sessionSourceName
605 "1.3.6.1.4.1.21008.108.63.1.3", -- formatOID
606 "bloggs" -- sessionTrackingIdentifier
615 Wahl Expires November 10, 2007 [Page 11]
617 Internet-Draft LDAP Session Tracking Control May 2007
620 The session identifier control would be sent with controlType
621 1.3.6.1.4.1.21008.108.63.1, criticality FALSE, and the controlValue
622 the BER encoding of the SessionIdentifierControlValue. The control
623 included with the LDAP request would resemble:
627 "1.3.6.1.4.1.21008.108.63.1", -- controlType
628 FALSE, -- criticality
629 '304204093139322e302e322e31040f6170702e6578616d706c652e636f6d
630 041c312e332e362e312e342e312e32313030382e3130382e36332e312e33
631 0406626c6f676773'H -- controlValue
671 Wahl Expires November 10, 2007 [Page 12]
673 Internet-Draft LDAP Session Tracking Control May 2007
676 4. Security Considerations
678 The session identifier controls used in this document are not
679 intended as a security control or proxy authentication mechanism, and
680 SHOULD NOT be used within a directory server to influence the
681 operation processing behavior.
683 Malicious clients might attempt to provide false or misleading
684 information in directory server logs through the use of this control.
685 LDAP servers SHOULD implement access checks which limit whether
686 session identifier information provided by a client is logged. LDAP
687 servers which implement this control SHOULD permit the administrator
688 of the directory server to configure that this control is ignored
689 unless the request containing the control was received from a client
690 that been authenticated. LDAP servers which implement this control
691 SHOULD permit the administrator of the directory server to configure
692 that this control is ignored unless the client is authorized to use
693 this or related controls, such as the Proxied Authorization Control
694 [11]. Session identifier information from clients which do not meet
695 the server's access check requirement SHOULD be silently discarded.
697 In some formats, session tracking identifiers may contain personal-
698 identifiable information, such as usernames or client IP addresses.
699 Unless data link, network or transport level encryption is being
700 used, this information might be visible to attackers monitoring the
701 network segments across which this information is being transmitted.
702 Implementations of LDAP clients which include this control in
703 requests sent to directory servers SHOULD support the use of
704 underlying security services that establish connection
705 confidentiality before the control is sent, such as a SASL mechanism
706 that negotiates a security layer, or the Start TLS operation.
708 Correlation of activities across multiple servers can enable
709 administrators and monitoring tools to construct a more accurate
710 picture of user behavior. In particular, this tracking control could
711 be used to determine the set of applications and services with which
712 a particular user has had interactions. Thus, this control would not
713 be appropriate to deployments intending to anonymize directory
714 requests. Session formats containing personal identifiable
715 information SHOULD NOT be used between systems in different
716 organizations where there is no existing agreement between those
717 organizations on privacy protection.
719 A value of the session tracking control might contain internal IP
720 addresses, hostnames and other identifiers that reveal the structure
721 of an enterprise network. A network service that generates its own
722 sessions SHOULD NOT send a session tracking control to a directory
723 server that is under different administration or in a different
727 Wahl Expires November 10, 2007 [Page 13]
729 Internet-Draft LDAP Session Tracking Control May 2007
732 security enclave from itself. A network service that is an LDAP
733 client and also either receives requests over another protocol that
734 contains session tracking identifiers or is proxying incoming LDAP
735 requests SHOULD NOT forward received session tracking identifiers to
736 a directory server that is under different administration or in a
737 different security enclave from itself. A packet inspecting firewall
738 that permits outgoing LDAP requests from an enterprise network SHOULD
739 silently remove any session tracking controls from requests that are
740 being sent to directory servers outside of the enterprise network for
741 which there is not a preexisting policy configured to allow the
742 session tracking control to be sent to that directory server.
783 Wahl Expires November 10, 2007 [Page 14]
785 Internet-Draft LDAP Session Tracking Control May 2007
788 5. IANA Considerations
790 This control will be registered as follows:
792 Subject: Request for LDAP Protocol Mechanism Registration
794 Object Identifier: 1.3.6.1.4.1.21008.108.63.1
796 Description: Session Tracking Identifier
798 Person & email address to contact for further information:
799 Mark Wahl <Mark.Wahl@informed-control.com>
803 Specification: (I-D) RFC XXXX
805 Author/Change Controller: Mark Wahl
808 The OBJECT IDENTIFIER for particular session identifier formats
809 defined for other applications need not be registered with IANA.
839 Wahl Expires November 10, 2007 [Page 15]
841 Internet-Draft LDAP Session Tracking Control May 2007
846 This control was inspired by conversations with Greg Lavender. Neil
847 Wilson provided useful feedback on this document.
895 Wahl Expires November 10, 2007 [Page 16]
897 Internet-Draft LDAP Session Tracking Control May 2007
902 7.1. Normative References
904 [1] Zeilenga, K., "Lightweight Directory Access Protocol (LDAP):
905 Technical Specification Road Map", RFC 4510, June 2006.
907 [2] Bradner, S., "Key words for use in RFCs to Indicate Requirement
908 Levels", RFC 2119, BCP 14, March 1997.
910 [3] Hinden, R., "IP Version 6 Addressing Architecture", RFC 1884,
913 [4] Yergeau, F., "UTF-8, a transformation format of ISO 10646",
914 RFC 3629, November 2003.
916 [5] "Universal Multiple-Octet Coded Character Set (UCS) -
917 Architecture and Basic Multilingual Plane, ISO/IEC 10646-1:
920 [6] "ITU-T Rec. X.690 (07/2002) | ISO/IEC 8825-1:2002, "Information
921 technology - ASN.1 encoding rules: Specification of Basic
922 Encoding Rules (BER), Canonical Encoding Rules (CER) and
923 Distinguished Encoding Rules (DER)", 2002.".
925 [7] Rigney, C., "Remote Authentication Dial In User Service
926 (RADIUS)", RFC 2865, June 2000.
928 [8] Rigney, C., "RADIUS Accounting", RFC 2866, June 2000.
930 [9] Aboba, B., "RADIUS and IPv6", RFC 3162, August 2001.
932 [10] Melnikov, A., "Simple Authentication and Security Layer
933 (SASL)", RFC 4422, June 2006.
935 7.2. Informative References
937 [11] Weltman, R., "Lightweight Directory Access Protocol (LDAP)
938 Proxied Authorization Control", RFC 4370, February 2006.
951 Wahl Expires November 10, 2007 [Page 17]
953 Internet-Draft LDAP Session Tracking Control May 2007
956 Appendix A. Copyright
958 Copyright (C) The IETF Trust (2007). This document is subject to the
959 rights, licenses and restrictions contained in BCP 78, and except as
960 set forth therein, the authors retain all their rights. This
961 document and the information contained herein are provided on an "AS
962 IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR
963 IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
964 ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
965 INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
966 INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
967 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
1007 Wahl Expires November 10, 2007 [Page 18]
1009 Internet-Draft LDAP Session Tracking Control May 2007
1015 Informed Control Inc.
1020 Email: mark.wahl@informed-control.com
1063 Wahl Expires November 10, 2007 [Page 19]
1065 Internet-Draft LDAP Session Tracking Control May 2007
1068 Full Copyright Statement
1070 Copyright (C) The IETF Trust (2007).
1072 This document is subject to the rights, licenses and restrictions
1073 contained in BCP 78, and except as set forth therein, the authors
1074 retain all their rights.
1076 This document and the information contained herein are provided on an
1077 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
1078 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
1079 THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
1080 OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
1081 THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
1082 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
1085 Intellectual Property
1087 The IETF takes no position regarding the validity or scope of any
1088 Intellectual Property Rights or other rights that might be claimed to
1089 pertain to the implementation or use of the technology described in
1090 this document or the extent to which any license under such rights
1091 might or might not be available; nor does it represent that it has
1092 made any independent effort to identify any such rights. Information
1093 on the procedures with respect to rights in RFC documents can be
1094 found in BCP 78 and BCP 79.
1096 Copies of IPR disclosures made to the IETF Secretariat and any
1097 assurances of licenses to be made available, or the result of an
1098 attempt made to obtain a general license or permission for the use of
1099 such proprietary rights by implementers or users of this
1100 specification can be obtained from the IETF on-line IPR repository at
1101 http://www.ietf.org/ipr.
1103 The IETF invites any interested party to bring to its attention any
1104 copyrights, patents or patent applications, or other proprietary
1105 rights that may cover technology that may be required to implement
1106 this standard. Please address the information to the IETF at
1112 Funding for the RFC Editor function is provided by the IETF
1113 Administrative Support Activity (IASA).
1119 Wahl Expires November 10, 2007 [Page 20]
projects / openldap / blob