mirror of
https://github.com/samba-team/samba.git
synced 2024-12-23 17:34:34 +03:00
3faab3e6dd
(This used to be commit d3f8b813b3
)
508 lines
18 KiB
Plaintext
508 lines
18 KiB
Plaintext
|
||
|
||
|
||
|
||
|
||
|
||
Network Working Group K. Zeilenga
|
||
Request for Comments: 4531 OpenLDAP Foundation
|
||
Category: Experimental June 2006
|
||
|
||
|
||
Lightweight Directory Access Protocol (LDAP)
|
||
Turn Operation
|
||
|
||
|
||
Status of This Memo
|
||
|
||
This memo defines an Experimental Protocol for the Internet
|
||
community. It does not specify an Internet standard of any kind.
|
||
Discussion and suggestions for improvement are requested.
|
||
Distribution of this memo is unlimited.
|
||
|
||
Copyright Notice
|
||
|
||
Copyright (C) The Internet Society (2006).
|
||
|
||
Abstract
|
||
|
||
This specification describes a Lightweight Directory Access Protocol
|
||
(LDAP) extended operation to reverse (or "turn") the roles of client
|
||
and server for subsequent protocol exchanges in the session, or to
|
||
enable each peer to act as both client and server with respect to the
|
||
other.
|
||
|
||
Table of Contents
|
||
|
||
1. Background and Intent of Use ....................................2
|
||
1.1. Terminology ................................................2
|
||
2. Turn Operation ..................................................2
|
||
2.1. Turn Request ...............................................3
|
||
2.2. Turn Response ..............................................3
|
||
3. Authentication ..................................................3
|
||
3.1. Use with TLS and Simple Authentication .....................4
|
||
3.2. Use with TLS and SASL EXTERNAL .............................4
|
||
3.3. Use of Mutual Authentication and SASL EXTERNAL .............4
|
||
4. TLS and SASL Security Layers ....................................5
|
||
5. Security Considerations .........................................6
|
||
6. IANA Considerations .............................................6
|
||
6.1. Object Identifier ..........................................6
|
||
6.2. LDAP Protocol Mechanism ....................................7
|
||
7. References ......................................................7
|
||
7.1. Normative References .......................................7
|
||
7.2. Informative References .....................................8
|
||
|
||
|
||
|
||
|
||
Zeilenga Experimental [Page 1]
|
||
|
||
RFC 4531 LDAP Turn Operation June 2006
|
||
|
||
|
||
1. Background and Intent of Use
|
||
|
||
The Lightweight Directory Access Protocol (LDAP) [RFC4510][RFC4511]
|
||
is a client-server protocol that typically operates over reliable
|
||
octet-stream transports, such as the Transport Control Protocol
|
||
(TCP). Generally, the client initiates the stream by connecting to
|
||
the server's listener at some well-known address.
|
||
|
||
There are cases where it is desirable for the server to initiate the
|
||
stream. Although it certainly is possible to write a technical
|
||
specification detailing how to implement server-initiated LDAP
|
||
sessions, this would require the design of new authentication and
|
||
other security mechanisms to support server-initiated LDAP sessions.
|
||
|
||
Instead, this document introduces an operation, the Turn operation,
|
||
which may be used to reverse the client-server roles of the protocol
|
||
peers. This allows the initiating protocol peer to become the server
|
||
(after the reversal).
|
||
|
||
As an additional feature, the Turn operation may be used to allow
|
||
both peers to act in both roles. This is useful where both peers are
|
||
directory servers that desire to request, as LDAP clients, that
|
||
operations be performed by the other. This may be useful in
|
||
replicated and/or distributed environments.
|
||
|
||
This operation is intended to be used between protocol peers that
|
||
have established a mutual agreement, by means outside of the
|
||
protocol, that requires reversal of client-server roles, or allows
|
||
both peers to act both as client and server.
|
||
|
||
1.1. Terminology
|
||
|
||
Protocol elements are described using ASN.1 [X.680] with implicit
|
||
tags. The term "BER-encoded" means the element is to be encoded
|
||
using the Basic Encoding Rules [X.690] under the restrictions
|
||
detailed in Section 5.1 of [RFC4511].
|
||
|
||
2. Turn Operation
|
||
|
||
The Turn operation is defined as an LDAP-Extended Operation
|
||
[Protocol, Section 4.12] identified by the 1.3.6.1.1.19 OID. The
|
||
function of the Turn Operation is to request that the client-server
|
||
roles be reversed, or, optionally, to request that both protocol
|
||
peers be able to act both as client and server in respect to the
|
||
other.
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Zeilenga Experimental [Page 2]
|
||
|
||
RFC 4531 LDAP Turn Operation June 2006
|
||
|
||
|
||
2.1. Turn Request
|
||
|
||
The Turn request is an ExtendedRequest where the requestName field
|
||
contains the 1.3.6.1.1.19 OID and the requestValue field is a BER-
|
||
encoded turnValue:
|
||
|
||
turnValue ::= SEQUENCE {
|
||
mutual BOOLEAN DEFAULT FALSE,
|
||
identifier LDAPString
|
||
}
|
||
|
||
A TRUE mutual field value indicates a request to allow both peers to
|
||
act both as client and server. A FALSE mutual field value indicates
|
||
a request to reserve the client and server roles.
|
||
|
||
The value of the identifier field is a locally defined policy
|
||
identifier (typically associated with a mutual agreement for which
|
||
this turn is be executed as part of).
|
||
|
||
2.2. Turn Response
|
||
|
||
A Turn response is an ExtendedResponse where the responseName and
|
||
responseValue fields are absent. A resultCode of success is returned
|
||
if and only if the responder is willing and able to turn the session
|
||
as requested. Otherwise, a different resultCode is returned.
|
||
|
||
3. Authentication
|
||
|
||
This extension's authentication model assumes separate authentication
|
||
of the peers in each of their roles. A separate Bind exchange is
|
||
expected between the peers in their new roles to establish identities
|
||
in these roles.
|
||
|
||
Upon completion of the Turn, the responding peer in its new client
|
||
role has an anonymous association at the initiating peer in its new
|
||
server role. If the turn was mutual, the authentication association
|
||
of the initiating peer in its pre-existing client role is left intact
|
||
at the responding peer in its pre-existing server role. If the turn
|
||
was not mutual, this association is void.
|
||
|
||
The responding peer may establish its identity in its client role by
|
||
requesting and successfully completing a Bind operation.
|
||
|
||
The remainder of this section discusses some authentication
|
||
scenarios. In the protocol exchange illustrations, A refers to the
|
||
initiating peer (the original client) and B refers to the responding
|
||
peer (the original server).
|
||
|
||
|
||
|
||
|
||
Zeilenga Experimental [Page 3]
|
||
|
||
RFC 4531 LDAP Turn Operation June 2006
|
||
|
||
|
||
3.1. Use with TLS and Simple Authentication
|
||
|
||
A->B: StartTLS Request
|
||
B->A: StartTLS(success) Response
|
||
A->B: Bind(Simple(cn=B,dc=example,dc=net,B's secret)) Request
|
||
B->A: Bind(success) Response
|
||
A->B: Turn(TRUE,"XXYYZ") Request
|
||
B->A: Turn(success) Response
|
||
B->A: Bind(Simple(cn=A,dc=example,dc=net,A's secret)) Request
|
||
A->B: Bind(success) Response
|
||
|
||
In this scenario, TLS (Transport Layer Security) [RFC4346] is started
|
||
and the initiating peer (the original client) establishes its
|
||
identity with the responding peer prior to the Turn using the
|
||
DN/password mechanism of the Simple method of the Bind operation.
|
||
After the turn, the responding peer, in its new client role,
|
||
establishes its identity with the initiating peer in its new server
|
||
role.
|
||
|
||
3.2. Use with TLS and SASL EXTERNAL
|
||
|
||
A->B: StartTLS Request
|
||
B->A: StartTLS(success) Response
|
||
A->B: Bind(SASL(EXTERNAL)) Request
|
||
B->A: Bind(success) Response
|
||
A->B: Turn(TRUE,"XXYYZ") Request
|
||
B->A: Turn(success) Response
|
||
B->A: Bind(SASL(EXTERNAL)) Request
|
||
A->B: Bind(success) Response
|
||
|
||
In this scenario, TLS is started (with each peer providing a valid
|
||
certificate), and the initiating peer (the original client)
|
||
establishes its identity through the use of the EXTERNAL mechanism of
|
||
the SASL (Simple Authentication and Security Layer) [RFC4422] method
|
||
of the Bind operation prior to the Turn. After the turn, the
|
||
responding peer, in its new client role, establishes its identity
|
||
with the initiating peer in its new server role.
|
||
|
||
3.3. Use of Mutual Authentication and SASL EXTERNAL
|
||
|
||
A number of SASL mechanisms, such as GSSAPI [SASL-K5], support mutual
|
||
authentication. The initiating peer, in its new server role, may use
|
||
the identity of the responding peer, established by a prior
|
||
authentication exchange, as its source for "external" identity in
|
||
subsequent EXTERNAL exchange.
|
||
|
||
A->B: Bind(SASL(GSSAPI)) Request
|
||
<intermediate messages>
|
||
|
||
|
||
|
||
Zeilenga Experimental [Page 4]
|
||
|
||
RFC 4531 LDAP Turn Operation June 2006
|
||
|
||
|
||
B->A: Bind(success) Response
|
||
A->B: Turn(TRUE,"XXYYZ") Request
|
||
B->A: Turn(success) Response
|
||
B->A: Bind(SASL(EXTERNAL)) Request
|
||
A->B: Bind(success) Response
|
||
|
||
In this scenario, a GSSAPI mutual-authentication exchange is
|
||
completed between the initiating peer (the original client) and the
|
||
responding server (the original server) prior to the turn. After the
|
||
turn, the responding peer, in its new client role, requests that the
|
||
initiating peer utilize an "external" identity to establish its LDAP
|
||
authorization identity.
|
||
|
||
4. TLS and SASL Security Layers
|
||
|
||
As described in [RFC4511], LDAP supports both Transport Layer
|
||
Security (TLS) [RFC4346] and Simple Authentication and Security Layer
|
||
(SASL) [RFC4422] security frameworks. The following table
|
||
illustrates the relationship between the LDAP message layer, SASL
|
||
layer, TLS layer, and transport connection within an LDAP session.
|
||
|
||
+----------------------+
|
||
| LDAP message layer |
|
||
+----------------------+ > LDAP PDUs
|
||
+----------------------+ < data
|
||
| SASL layer |
|
||
+----------------------+ > SASL-protected data
|
||
+----------------------+ < data
|
||
| TLS layer |
|
||
Application +----------------------+ > TLS-protected data
|
||
------------+----------------------+ < data
|
||
Transport | transport connection |
|
||
+----------------------+
|
||
|
||
This extension does not alter this relationship, nor does it remove
|
||
the general restriction against multiple TLS layers, nor does it
|
||
remove the general restriction against multiple SASL layers.
|
||
|
||
As specified in [RFC4511], the StartTLS operation is used to initiate
|
||
negotiation of a TLS layer. If a TLS is already installed, the
|
||
StartTLS operation must fail. Upon establishment of the TLS layer,
|
||
regardless of which peer issued the request to start TLS, the peer
|
||
that initiated the LDAP session (the original client) performs the
|
||
"server identity check", as described in Section 3.1.5 of [RFC4513],
|
||
treating itself as the "client" and its peer as the "server".
|
||
|
||
As specified in [RFC4422], a newly negotiated SASL security layer
|
||
replaces the installed SASL security layer. Though the client/server
|
||
|
||
|
||
|
||
Zeilenga Experimental [Page 5]
|
||
|
||
RFC 4531 LDAP Turn Operation June 2006
|
||
|
||
|
||
roles in LDAP, and hence SASL, may be reversed in subsequent
|
||
exchanges, only one SASL security layer may be installed at any
|
||
instance.
|
||
|
||
5. Security Considerations
|
||
|
||
Implementors should be aware that the reversing of client/server
|
||
roles and/or allowing both peers to act as client and server likely
|
||
introduces security considerations not foreseen by the authors of
|
||
this document. In particular, the security implications of the
|
||
design choices made in the authentication and data security models
|
||
for this extension (discussed in Sections 3 and 4, respectively) are
|
||
not fully studied. It is hoped that experimentation with this
|
||
extension will lead to better understanding of the security
|
||
implications of these models and other aspects of this extension, and
|
||
that appropriate considerations will be documented in a future
|
||
document. The following security considerations are apparent at this
|
||
time.
|
||
|
||
Implementors should take special care to process LDAP, SASL, TLS, and
|
||
other events in the appropriate roles for the peers. Note that while
|
||
the Turn reverses the client/server roles with LDAP, and in SASL
|
||
authentication exchanges, it does not reverse the roles within the
|
||
TLS layer or the transport connection.
|
||
|
||
The responding server (the original server) should restrict use of
|
||
this operation to authorized clients. Client knowledge of a valid
|
||
identifier should not be the sole factor in determining authorization
|
||
to turn.
|
||
|
||
Where the peers except to establish TLS, TLS should be started prior
|
||
to the Turn and any request to authenticate via the Bind operation.
|
||
|
||
LDAP security considerations [RFC4511][RFC4513] generally apply to
|
||
this extension.
|
||
|
||
6. IANA Considerations
|
||
|
||
The following values [RFC4520] have been registered by the IANA.
|
||
|
||
6.1. Object Identifier
|
||
|
||
The IANA has assigned an LDAP Object Identifier to identify the LDAP
|
||
Turn Operation, as defined in this document.
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Zeilenga Experimental [Page 6]
|
||
|
||
RFC 4531 LDAP Turn Operation June 2006
|
||
|
||
|
||
Subject: Request for LDAP Object Identifier Registration
|
||
Person & email address to contact for further information:
|
||
Kurt Zeilenga <kurt@OpenLDAP.org>
|
||
Specification: RFC 4531
|
||
Author/Change Controller: Author
|
||
Comments:
|
||
Identifies the LDAP Turn Operation
|
||
|
||
6.2. LDAP Protocol Mechanism
|
||
|
||
The IANA has registered the LDAP Protocol Mechanism described in this
|
||
document.
|
||
|
||
Subject: Request for LDAP Protocol Mechanism Registration
|
||
Object Identifier: 1.3.6.1.1.19
|
||
Description: LDAP Turn Operation
|
||
Person & email address to contact for further information:
|
||
Kurt Zeilenga <kurt@openldap.org>
|
||
Usage: Extended Operation
|
||
Specification: RFC 4531
|
||
Author/Change Controller: Author
|
||
Comments: none
|
||
|
||
7. References
|
||
|
||
7.1. Normative References
|
||
|
||
[RFC4346] Dierks, T. and, E. Rescorla, "The Transport Layer
|
||
Security (TLS) Protocol Version 1.1", RFC 4346, April
|
||
2006.
|
||
|
||
[RFC4422] Melnikov, A., Ed. and K. Zeilenga, Ed., "Simple
|
||
Authentication and Security Layer (SASL)", RFC 4422,
|
||
June 2006.
|
||
|
||
[RFC4510] Zeilenga, K., Ed., "Lightweight Directory Access
|
||
Protocol (LDAP): Technical Specification Road Map", RFC
|
||
4510, June 2006.
|
||
|
||
[RFC4511] Sermersheim, J., Ed., "Lightweight Directory Access
|
||
Protocol (LDAP): The Protocol", RFC 4511, June 2006.
|
||
|
||
[RFC4513] Harrison, R., Ed., "Lightweight Directory Access
|
||
Protocol (LDAP): Authentication Methods and Security
|
||
Mechanisms", RFC 4513, June 2006.
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Zeilenga Experimental [Page 7]
|
||
|
||
RFC 4531 LDAP Turn Operation June 2006
|
||
|
||
|
||
[X.680] International Telecommunication Union -
|
||
Telecommunication Standardization Sector, "Abstract
|
||
Syntax Notation One (ASN.1) - Specification of Basic
|
||
Notation", X.680(2002) (also ISO/IEC 8824-1:2002).
|
||
|
||
[X.690] International Telecommunication Union -
|
||
Telecommunication Standardization Sector,
|
||
"Specification of ASN.1 encoding rules: Basic Encoding
|
||
Rules (BER), Canonical Encoding Rules (CER), and
|
||
Distinguished Encoding Rules (DER)", X.690(2002) (also
|
||
ISO/IEC 8825-1:2002).
|
||
|
||
7.2. Informative References
|
||
|
||
[RFC4520] Zeilenga, K., "Internet Assigned Numbers Authority
|
||
(IANA) Considerations for the Lightweight Directory
|
||
Access Protocol (LDAP)", BCP 64, RFC 4520, June 2006.
|
||
|
||
[SASL-K5] Melnikov, A., Ed., "The Kerberos V5 ("GSSAPI") SASL
|
||
Mechanism", Work in Progress, May 2006.
|
||
|
||
Author's Address
|
||
|
||
Kurt D. Zeilenga
|
||
OpenLDAP Foundation
|
||
|
||
EMail: Kurt@OpenLDAP.org
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Zeilenga Experimental [Page 8]
|
||
|
||
RFC 4531 LDAP Turn Operation June 2006
|
||
|
||
|
||
Full Copyright Statement
|
||
|
||
Copyright (C) The Internet Society (2006).
|
||
|
||
This document is subject to the rights, licenses and restrictions
|
||
contained in BCP 78, and except as set forth therein, the authors
|
||
retain all their rights.
|
||
|
||
This document and the information contained herein are provided on an
|
||
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
|
||
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
|
||
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
|
||
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
|
||
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
|
||
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
|
||
|
||
Intellectual Property
|
||
|
||
The IETF takes no position regarding the validity or scope of any
|
||
Intellectual Property Rights or other rights that might be claimed to
|
||
pertain to the implementation or use of the technology described in
|
||
this document or the extent to which any license under such rights
|
||
might or might not be available; nor does it represent that it has
|
||
made any independent effort to identify any such rights. Information
|
||
on the procedures with respect to rights in RFC documents can be
|
||
found in BCP 78 and BCP 79.
|
||
|
||
Copies of IPR disclosures made to the IETF Secretariat and any
|
||
assurances of licenses to be made available, or the result of an
|
||
attempt made to obtain a general license or permission for the use of
|
||
such proprietary rights by implementers or users of this
|
||
specification can be obtained from the IETF on-line IPR repository at
|
||
http://www.ietf.org/ipr.
|
||
|
||
The IETF invites any interested party to bring to its attention any
|
||
copyrights, patents or patent applications, or other proprietary
|
||
rights that may cover technology that may be required to implement
|
||
this standard. Please address the information to the IETF at
|
||
ietf-ipr@ietf.org.
|
||
|
||
Acknowledgement
|
||
|
||
Funding for the RFC Editor function is provided by the IETF
|
||
Administrative Support Activity (IASA).
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Zeilenga Experimental [Page 9]
|
||
|