Network Working Group M. Wahl Internet-Draft Informed Control Inc. Intended status: Standards Track February 25, 2007 Expires: August 29, 2007 LDAP Session Tracking Control draft-wahl-ldap-session-02 Status of this Memo By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. This Internet-Draft will expire on August 29, 2007. Copyright Notice Copyright (C) The IETF Trust (2007). Wahl Expires August 29, 2007 [Page 1] Internet-Draft LDAP Session Tracking Control February 2007 Abstract Many network devices, application servers, and middleware components of a enterprise software infrastructure generate some form of session tracking identifiers, which are useful when analyzing activity and accounting logs to group activity relating to a particular session. This document discusses how Lightweight Directory Access Protocol version 3 (LDAP) clients can include session tracking identifiers with their LDAP requests. This information is provided through controls in the requests the clients send to LDAP servers. The LDAP server receiving these controls can include the session tracking identifiers in the log messages it writes, enabling LDAP requests in the LDAP server's logs to be correlated with activity in logs of other components in the infrastructure. The control also enables session tracking information to be generated by LDAP servers and returned to clients and other servers. Three formats of session tracking identifiers are defined in this document. Wahl Expires August 29, 2007 [Page 2] Internet-Draft LDAP Session Tracking Control February 2007 1. Introduction The majority of directory server implementations produce access logs detailing each request they receive. These logs can be read using log parsing tools or specialized log viewer applications. Typically it will be possible, for each request logged by a directory server, to determine the bind DN (or possibly another form of authentication identity) of the client which sent the request to the server, and many servers also log the IP address of the client that sent the request. In the original OSI architecture, it was envisaged that users might interact with a directory service through specialized applications, known as Directory User Agents, which were the clients of the Directory Access Protocol. Similarly, in early Internet directory deployments, a majority of LDAP clients were desktop applications, that used the LDAP protocol to search an enterprise directory for address book/contact information. Today, the majority of LDAP clients are embedded within middleware and server applications. Legacy address book protocols might be gatewayed into LDAP, or a server might consult an LDAP server in order to check a user's password or obtain their preferences. While the LDAP requests might result from a user's activity somewhere on the network, it is rare for the user to be 'driving' the LDAP client, and in most cases the user performing the activity is unaware that LDAP requests are being generated on their behalf. However, this information is important to directory system administrators and auditors. They may wish to determine who is making use of the directory service, or track the source of unusual requests. When a directory server administrator reviews a log file produced by a directory server that has been accessed only by clients that are themselves middleware, where the end user does not interact with the middleware directly, only through other kinds of servers (e.g. application servers or remote access servers), it will be difficult to correlate between the directory server's log and the logs of the servers which made use of this directory to determine why the LDAP requests were made and who were responsible for causing them. Reasons for this include: o Directory servers are capable of performing many hundreds of requests per second or more, and even with time synchronization between the systems on which the directory server and middleware are deployed, times of requests might not be logged accurately Wahl Expires August 29, 2007 [Page 3] Internet-Draft LDAP Session Tracking Control February 2007 enough to be able to correlate based on time: the server's logs might be only to 1-second resolution. o A single function on a middleware server, such as "authenticate a user", may result in multiple LDAP requests being generated in order to perform that request. o Many high performance middleware servers implement connection pooling, managing a set of persistent connections to each directory server and multiplexing operations across the connections. Each connection will have the same source IP address and bind DN. If a particular activity causes multiple LDAP requests to be generated, each LDAP request might be sent on a different connection. Also, as LDAP is an asynchronous protocol, middleware servers may have more than one request in progress on each connection, asynchronously sending requests to the directory server on each connection and processing the responses in whatever order they are received. This document defines a new control for use in LDAPv3 [1] operation requests. This control contains session tracking information that can be used to correlate log information present in the directory server's log with the logs of other middleware servers. The words "MUST", "SHOULD" and "MAY" are used as defined in RFC 2119 [2]. Please send comments to the author at mark.wahl@informed-control.com. 1.1. Example for session tracking A typical enterprise deployment with an application indirectly relying upon the directory might resemble: +------+ +--------+ +----------+ +--------+ | User | | Appli- | | Auth./ | LDAP | LDAP | | +-----+ cation +-------+ Identity +------+ Server | | | | Server | | Provider | | | | A | | B | | C | | D | +------+ +--------+ +----------+ +--------+ In this diagram, a user (A) makes some request of an application server (B). The application server might rely on an integrated or external authentication provider in order to check the user's authentication credentials, or might use an identity provider to obtain profile information about the user. This request might be Wahl Expires August 29, 2007 [Page 4] Internet-Draft LDAP Session Tracking Control February 2007 made through an API or a protocol other than LDAP, e.g. RADIUS, Kerberos, SMB, etc. The authentication/identity provider (C) would generate one or more LDAP requests and send them to an LDAP server (D). The LDAP server has the following information already available to it through the LDAP protocol: the IP address and authentication credentials of the authentication/identity provider (C). If the provider has included the Proxy Authorization Control [11], then the LDAP server might also receive the Distinguished Name or authorization identity of either the user (A) or the application server (B), depending on how the authentication/identity provider (C) uses the directory. In order to obtain this distinguished name however, the authentication/identity provider (C) might need to perform one or more LDAP search or bind requests. If there is no entry in the directory corresponding to the identity of the user (A) or the application server (B), then there is no way in the base LDAP specification or the Proxy Authorization Control for the authentication/identity provider (C) to describe the user (A) or the application server (B) to the LDAP server (D). If either the application server (B) or the authentication/identity provider (C) have generated a session identifier for tracking the interactions of the user (A) for a particular session, then it is useful to include this information with the requests made to the directory server, so that this session identifier will show up in the directory server's logs. That is the purpose of the control defined in the next section. Wahl Expires August 29, 2007 [Page 5] Internet-Draft LDAP Session Tracking Control February 2007 2. Control definition There is currently no standard way of describing a session: there are many different formats for a session identifier, and each application that tracks sessions typically has its own semantics for what a session means. Thus, a control is defined using an extensible model, in order to incorporate many different application's concepts and formats of a session tracking identifier. The value of the session identifier control encapsulates the following four pieces of information: sessionSourceIp, sessionSourceName, formatOID and sessionTrackingIdentifier. The sessionSourceIp field is a US-ASCII string encoding of an IPv4 or IPv6 [3] address of the component of the system which has generated a session tracking identifier. The purpose of this field is to enable the directory server administrator, even if they do not have a log parser that understands a particular session tracking identifier format, to at least be able to identify the server that manages the session. Note that there is no guarantee of IP-level connectivity between the directory server and the system which generated the tracking identifier, and if Network Address Translation is being used, the IP address in this field might be from a private use address range. The sessionSourceName field is a UTF-8 [4] encoded ISO 10646 [5] text string. This field describes the component of the system which has generated a session tracking identifier. The format of this field is determined by the formatOID (discussed below); examples of contents of a sessionSourceName field might be a hostname, a distinguished name, or a web service address. This contents of this field is not intended to identify an end user; instead it identifies the server using a name other than the server's IP address. The formatOID is a US-ASCII encoded dotted decimal representation of an OBJECT IDENTIFIER. The OBJECT IDENTIFIER indicates the scheme that is used to generate the sessionSourceName and sessionTrackingIdentifier fields. As there is currently no standard scheme for session information, it is expected that there will be many different formats carried within this control. The OBJECT IDENTIFIERs for three formats are presented in this document. The sessionTrackingIdentifier field is a UTF-8 encoded ISO 10646 string. The session identifier SHOULD be limited to whitespace and printable characters; non-printing and control characters SHOULD NOT be used, and byte sequences that are not legal UTF-8 MUST NOT be used. The syntax of the session identifier and its semantics (e.g., how values are compared for equality) are governed by the formatOID. Wahl Expires August 29, 2007 [Page 6] Internet-Draft LDAP Session Tracking Control February 2007 For example, the session identifier might be a simple string encoding of a decimal counter, a username, a timestamp, a fragment of XML, or it might be something else, depending on the format. 2.1. Formal definition This document defines a single LDAP control. The controlType is 1.3.6.1.4.1.21008.108.63.1, the criticality MUST be either FALSE or absent, and the controlValue MUST be present. The controlValue OCTET STRING is always present and contains the bytes of the BER [6] encoding of a value of the ASN.1 data type SessionIdentifierControlValue, defined as follows: LDAP-Session-Identifier-Control DEFINITIONS IMPLICIT TAGS ::= BEGIN SessionIdentifierControlValue ::= SEQUENCE { sessionSourceIp LDAPString, sessionSourceName LDAPString, formatOID LDAPOID, sessionTrackingIdentifier LDAPString } END The sessionSourceIp element SHOULD NOT be longer than 42 characters (necessary for a string representation of an IPv6 address), and MUST NOT be longer than 128 characters. Each character will be encoded into a single byte. If the IP address of the system which generated the session tracking identifier is not known, the sessionSourceIp element SHOULD be of zero length. The sessionSourceName element SHOULD NOT be longer than 1024 characters, and MUST NOT be longer than 65536 characters. Note that in the UTF-8 encoding a character MAY be encoded into more than one byte. If no other addressing information about that system is known or relevant to the format, the sessionSourceName element SHOULD be of zero length. The formatOID element MUST contain only the US-ASCII encodings of the ISO 10646 characters FULL STOP and DIGIT ZERO through DIGIT NINE (0x2E, 0x30-0x39). The formatOID element MUST NOT be of zero length, and SHOULD NOT be longer than 1024 characters. The sessionTrackingIdentifier field MAY be of zero length (although Wahl Expires August 29, 2007 [Page 7] Internet-Draft LDAP Session Tracking Control February 2007 this might not be useful). There is no upper bound on the sessionTrackingIdentifier, but it is suggested that values SHOULD NOT be longer than 65536 characters without prior agreement with the directory server administrator. Note that in the UTF-8 encoding a character MAY be encoded into more than one byte. 2.2. Use in LDAP The control MAY be included in any LDAP operation. The control has order-dependent semantics. A client might place the control on a message with a bindRequest, searchRequest, modifyRequest, addRequest, delRequest, modDNRequest, compareRequest or extendedReq. A client MAY include multiple controls of this type in a single request. This enables the client to incorporate multiple distinct session tracking identifiers with different formats. When a network service is proxying or chaining LDAP, in which the service receives an incoming LDAP request from a client and from this generates one or more requests to other LDAP servers, the service SHOULD include any controls of this type that it received from clients in requests it generates, without modification. A service MAY silently remove controls if the control would violate security policy. If the service has its own session state identifier, it SHOULD include the session identifier control it generates in the Controls SEQUENCE after any session identifier controls received by clients. (If there are multiple proxies involved, each will add their own session state to the end of the controls list). A server might place the control on message with a bindResponse, searchResDone, modifyResponse, addResponse, delResponse, modDNResponse, compareResponse, extendedResp or intermediateResponse. The server can include the control in the response regardless of whether the client included a control in the request or not. (The control in a response is unsolicited, and a client which does not recognize the control or a session tracking format can safely ignore the control, as discussed in the following section). A server MAY include multiple controls of this type in a response. 2.3. Extensibility considerations The following section of this document defines 3 possible formats, and it is expected that applications MAY define their own formats to represent session tracking identifiers already implemented. An application developer or server developer who wishes to transfer their implementation's format for session tracking identifier within Wahl Expires August 29, 2007 [Page 8] Internet-Draft LDAP Session Tracking Control February 2007 an LDAP control MUST choose a new, unique, OBJECT IDENTIFIER to represent this format. The format determines the semantics of the sessionSourceName string, and the sessionTrackingIdentifier string. In general, when an LDAP server that has session tracking logging enabled receives one or more of these controls with a request, the server SHOULD include all fields of all of the controls with the logging information for the request. A LDAP server that supports third-party or extensible log parsing tools SHOULD NOT reject or ignore a control if the formatOID value is not recognized, as it is expected that applications may include session tracking identifiers and want to make this information available to log parsers for correlation purposes, even if the directory server does not need to make any use of this information. However, if the LDAP server does not recognize the control, the control is not properly formatted, or the LDAP client is not authorized to use this control, the LDAP server SHOULD ignore the control and process the request as if the control had not been included. When an LDAP client receives a response that includes this control, the behavior depends on the client implementation. Clients SHOULD silently ignore controls with formats they do not recognize, and process the response as if the control had not been included. Wahl Expires August 29, 2007 [Page 9] Internet-Draft LDAP Session Tracking Control February 2007 3. Session tracking format definitions This section defines three session tracking formats that can be used within the session tracking control: two for RADIUS accounting, and one based on usernames. 3.1. Formats for use with RADIUS accounting This section defines two possible session tracking formats, that can be used in LDAP clients that are part of or used by RADIUS servers [7]. With formatOID set to 1.3.6.1.4.1.21008.108.63.1.1 within the control value, the sessionTrackingIdentifier SHOULD contain the value of the Acct-Session-Id RADIUS attribute (type 44), as defined in RFC 2866 [8]. (RFC 2866 section 5.5 states that the Acct-Session-Id SHOULD contain UTF-8 encoded 10646 characters.) With formatOID set to 1.3.6.1.4.1.21008.108.63.1.2 within the control value, the sessionTrackingIdentifier SHOULD contain the value of the Acct-Multi-Session-Id RADIUS attribute (type 50), as defined in RFC 2866 [8]. (RFC 2866 section 5.11 states that the Acct-Multi-Session-Id SHOULD contain UTF-8 encoded 10646 characters.) In both of these two formats, the value of the sessionSourceIp field SHOULD contain either a string encoding value of the IPv4 address from the NAS-IP-Address RADIUS attribute (type 4), or a string encoding of the IPv6 address from the value of the NAS-IPv6-Address RADIUS attribute (type 95) as defined in RFC 3162 [9]. The value of the sessionSourceName field SHOULD contain a string encoding the value of the NAS-Identifier RADIUS attribute (type 32), if present, or be of zero length if the NAS-Identifier RADIUS attribute was not provided or was not in a recognized format. 3.2. Format for username accounting This section defines another possible session tracking format that can be used in LDAP clients that are part of applications which identify users with simple string usernames. With formatOID set to 1.3.6.1.4.1.21008.108.63.1.3 within the control value, the sessionTrackingIdentifier SHOULD contain a username that has already been authenticated by the application that is generating the session. This format SHOULD NOT be used for purported names, where the application has not verified that the username is valid. The sessionSourceName field SHOULD contain the hostname where that application is running, or be of zero length if the hostname is not Wahl Expires August 29, 2007 [Page 10] Internet-Draft LDAP Session Tracking Control February 2007 known. The username SHOULD be a SASL authorization identity string, as described in section 3.4.1 of RFC 4422 [10]. It is expected that these usernames are not globally unique, but are only unique within the context of a particular application or particular enterprise. A username need not be a distinguished name, and an implementation receiving a control in this format MUST NOT assume that the contents of the sessionTrackingIdentifier can be parsed as a distinguished name. A control with this format differs from the Proxied Authorization Control as defined in RFC 4370 [11], as the presence of this session identifier control on a request SHOULD NOT influence the directory server's access control decision of whether or how to perform that request. Note that this format does not provide any information to differentiate between multiple sessions or periods of interaction by the same user. It is primarily intended for deployments which merely need to be able to tie each directory operation to they identity of the user whose activities caused the operation request to be generated, even if the user might not even be represented in the directory where the operations are being performed. For example, if an application server "app.example.com" with IPv4 address "192.0.2.1" had authenticated an user with name "bloggs", and then sent a search request to the LDAP directory in order to obtain some public information on service configuration intending to provide it to that user, the application might include a session identifier control, with controlType 1.3.6.1.4.1.21008.108.63.1, criticality FALSE, and the controlValue the BER encoding of the following ASN.1 value: { -- SEQUENCE "192.0.2.1", -- sessionSourceIp "app.example.com", -- sessionSourceName "1.3.6.1.4.1.21008.108.63.1.3", -- formatOID "bloggs" -- sessionTrackingIdentifier } Wahl Expires August 29, 2007 [Page 11] Internet-Draft LDAP Session Tracking Control February 2007 4. Security Considerations The session identifier controls used in this document are not intended as a security control or proxy authentication mechanism, and SHOULD NOT be used within a directory server to influence the operation processing behavior. Malicious clients might attempt to provide false or misleading information in directory server logs through the use of this control. LDAP servers SHOULD implement access checks which limit whether session identifier information provided by a client is logged. LDAP servers which implement this control SHOULD permit the administrator of the directory server to configure that this control is ignored unless the request containing the control was received from a client that authenticated. LDAP servers which implement this control SHOULD permit the administrator of the directory server to configure that this control is ignored unless the client is authorized to use this or related controls, such as the Proxied Authorization Control [11]. Session identifier information from clients which do not meet the server's access check requirement SHOULD be silently discarded. In some formats, session tracking identifiers may contain personal- identifiable information, such as usernames or client IP addresses. Unless data link, network or transport level encryption is being used, this information might be visible to attackers monitoring the network segments across which this information is being transmitted. Implementations of LDAP clients which include this control in requests sent to directory servers SHOULD support the use of underlying security services that provide connection confidentiality, such as a SASL mechanism that negotiates a security layer, or the Start TLS operation. Correlation of activities across multiple servers can enable administrators and monitoring tools to construct a more accurate picture of user behavior. In particular, this tracking control could be used to determine the set of applications and services with which a particular user has had interactions. Thus, this control would not be appropriate to deployments intending to anonymize directory requests. Session formats containing personal identifiable information SHOULD NOT be used between systems in different organizations where there is no existing agreement between those organizations on privacy protection. A value of the session tracking control might contain internal IP addresses, hostnames and other identifiers that reveal the structure of an enterprise network. A network service that generates its own sessions SHOULD NOT send a session tracking control to a directory server that is under different administration or in a different Wahl Expires August 29, 2007 [Page 12] Internet-Draft LDAP Session Tracking Control February 2007 security enclave from itself. A network service that is an LDAP client and also either receives requests over another protocol that contains session tracking identifiers or is proxying incoming LDAP requests SHOULD NOT forward received session tracking identifiers to a directory server that is under different administration or in a different security enclave from itself. A packet inspecting firewall that permits outgoing LDAP requests from an enterprise network SHOULD silently remove any session tracking controls from requests that are being sent to directory servers outside of the enterprise network for which there is not a preexisting policy configured to allow the session tracking control to be sent to that directory server. Wahl Expires August 29, 2007 [Page 13] Internet-Draft LDAP Session Tracking Control February 2007 5. IANA Considerations This control will be registered as follows: Subject: Request for LDAP Protocol Mechanism Registration Object Identifier: 1.3.6.1.4.1.21008.108.63.1 Description: Session Tracking Identifier Person & email address to contact for further information: Mark Wahl Usage: Control Specification: (I-D) RFC XXXX Author/Change Controller: Mark Wahl The OBJECT IDENTIFIER for particular session identifier formats defined for other applications need not be registered with IANA. Wahl Expires August 29, 2007 [Page 14] Internet-Draft LDAP Session Tracking Control February 2007 6. Acknowledgments This control was inspired by conversations with Greg Lavender. Neil Wilson provided useful feedback on this document. Wahl Expires August 29, 2007 [Page 15] Internet-Draft LDAP Session Tracking Control February 2007 7. References 7.1. Normative References [1] Zeilenga, K., "Lightweight Directory Access Protocol (LDAP): Technical Specification Road Map", RFC 4510, June 2006. [2] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", RFC 2119, BCP 14, March 1997. [3] Hinden, R., "IP Version 6 Addressing Architecture", RFC 1884, January 1996. [4] Yergeau, F., "UTF-8, a transformation format of ISO 10646", RFC 3629, November 2003. [5] "Universal Multiple-Octet Coded Character Set (UCS) - Architecture and Basic Multilingual Plane, ISO/IEC 10646-1: 1993". [6] "ITU-T Rec. X.690 (07/2002) | ISO/IEC 8825-1:2002, "Information technology - ASN.1 encoding rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER)", 2002.". [7] Rigney, C., "Remote Authentication Dial In User Service (RADIUS)", RFC 2865, June 2000. [8] Rigney, C., "RADIUS Accounting", RFC 2866, June 2000. [9] Aboba, B., "RADIUS and IPv6", RFC 3162, August 2001. [10] Melnikov, A., "Simple Authentication and Security Layer (SASL)", RFC 4422, June 2006. 7.2. Informative References [11] Weltman, R., "Lightweight Directory Access Protocol (LDAP) Proxied Authorization Control", RFC 4370, February 2006. Wahl Expires August 29, 2007 [Page 16] Internet-Draft LDAP Session Tracking Control February 2007 Appendix A. Copyright Copyright (C) The IETF Trust (2007). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights. This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Wahl Expires August 29, 2007 [Page 17] Internet-Draft LDAP Session Tracking Control February 2007 Author's Address Mark Wahl Informed Control Inc. PO Box 90626 Austin, TX 78709 US Email: mark.wahl@informed-control.com Wahl Expires August 29, 2007 [Page 18] Internet-Draft LDAP Session Tracking Control February 2007 Full Copyright Statement Copyright (C) The IETF Trust (2007). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights. This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Intellectual Property The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79. Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org. Acknowledgment Funding for the RFC Editor function is provided by the IETF Administrative Support Activity (IASA). Wahl Expires August 29, 2007 [Page 19]