idnits 2.17.1 draft-weltman-ldapv3-proxy-07.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** Looks like you're using RFC 2026 boilerplate. This must be updated to follow RFC 3978/3979, as updated by RFC 4748. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- ** The document seems to lack a 1id_guidelines paragraph about Internet-Drafts being working documents -- however, there's a paragraph with a matching beginning. Boilerplate error? ** The document seems to lack a 1id_guidelines paragraph about 6 months document validity -- however, there's a paragraph with a matching beginning. Boilerplate error? Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack an IANA Considerations section. (See Section 2.2 of https://www.ietf.org/id-info/checklist for how to handle the case when there are no actions for IANA.) ** The abstract seems to contain references ([AUTH]), which it shouldn't. Please replace those with straight textual mentions of the documents in question. ** The document seems to lack a both a reference to RFC 2119 and the recommended RFC 2119 boilerplate, even if it appears to use RFC 2119 keywords. RFC 2119 keyword, line 69: '... The criticality MUST be included and ...' RFC 2119 keyword, line 78: '...uest is denied, the server MUST return...' Miscellaneous warnings: ---------------------------------------------------------------------------- == Line 49 has weird spacing: '...ocument are...' == Line 125 has weird spacing: '...for the purpo...' -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (October 2001) is 8229 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Missing reference section? 'AUTH' on line 150 looks like a reference -- Missing reference section? 'LDAPV3' on line 143 looks like a reference -- Missing reference section? 'KEYWORDS' on line 146 looks like a reference Summary: 6 errors (**), 0 flaws (~~), 2 warnings (==), 5 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group Rob Weltman 3 INTERNET-DRAFT Netscape Communications Corp. 4 Intended Category: Standards Track October 2001 6 LDAP Proxied Authorization Control 7 draft-weltman-ldapv3-proxy-07.txt 9 Status of this Memo 11 This document is an Internet-Draft and is in full conformance with 12 all provisions of Section 10 of RFC2026. 14 Internet-Drafts are working documents of the Internet Task Force 15 (IETF), its areas, and its working groups. Note that other groups 16 may also distribute working documents as Internet-Drafts. 18 Internet-Drafts are draft documents valid for a maximum of six months 19 and may be updated, replaced, or obsoleted by other documents at any 20 time. It is inappropriate to use Internet Drafts as reference 21 material or to cite them other than as "work in progress." 23 The list of current Internet-Drafts can be accessed at 24 http://www.ietf.org/ietf/1id-abstracts.txt 26 The list of Internet-Draft Shadow Directories can be accessed at 27 http://www.ietf.org/shadow.html. 29 Abstract 31 This document defines support for the Proxied Authorization Control. 32 Controls are an LDAP protocol version 3 extension, to allow passing 33 arbitrary control information along with a standard request to a 34 server, and to receive arbitrary information back with a standard 35 result. The Proxied Authorization Control allows a client to request 36 that an operation be processed under a provided authorization 37 identity [AUTH] instead of as the current authorization identity 38 associated with the connection. 40 1. Introduction 42 Version 3 of the LDAP protocol provides a means of supplying 43 arbitrary additional information along with a request to an LDAP 44 server, and receiving arbitrary additional response information. The 45 Control protocol extension is described in [LDAPV3], section 4.1.12. 46 This document defines support for proxied authorization using the 47 Control mechanism. 49 The key words "MUST", "SHOULD", and "MAY" used in this document are 50 to be interpreted as described in [KEYWORDS]. 52 PROXIED AUTHORIZATION CONTROL October 2001 54 2. Publishing support for the Proxied Authorization Control 56 Support for the Proxied Authorization Control is indicated by the 57 presence of the OID "2.16.840.1.113730.3.4.18" in the 58 supportedControl attribute of a server's root DSE. 60 3. Proxied Authorization Control 62 This control may be included in any search, compare, modify, add, 63 delete, modDN or extended operation request message as part of the 64 controls field of the LDAPMessage, as defined in [LDAPV3]. 66 The controlType of the proxied authorization control is 67 "2.16.840.1.113730.3.4.18". 69 The criticality MUST be included and MUST be TRUE. 71 The control value is the BER encoded authorization identity to use 72 for the request. 74 4. Permission to execute as proxy 76 An LDAP server supporting the Proxied Authorization Control may 77 choose to honor or not honor a particular request. If the control is 78 supported but a particular request is denied, the server MUST return 79 the error code insufficientAccessRights. 81 A typical implementation will evaluate if the requester has proxy 82 access rights at the base DN of the request. If the requester has 83 proxy access rights, and if the authorization identity is recognized 84 by the server, the request will be honored. If the request is 85 honored, it will be executed as if submitted by the proxy identity. 87 During evaluation of a search request, an entry which would have been 88 returned for the search if submitted by the proxy identity directly 89 may not be returned if the server finds that the requester does not 90 have proxy rights to the entry, even if the entry is within the scope 91 of a search request under a base DN which does imply such rights. 92 This means that fewer results, or no results, may be returned 93 compared to the case where the proxy identity issued the request 94 directly. An example of such a case may be a system with fine-grained 95 access control, where the proxy right requester has proxy rights at 96 the top of a search tree, but not at or below a point or points 97 within the tree. 99 5. Security Considerations 100 PROXIED AUTHORIZATION CONTROL October 2001 102 The Proxied Authorization Control method is subject to standard LDAP 103 security considerations. The control may be passed over a secure as 104 well as over an insecure channel. 106 The control allows for an additional authorization identity to be 107 passed. In some deployments, these identities may contain 108 confidential information which require privacy protection. 110 Note that the server is responsible for determining if a proxied 111 authorization request is to be honored. 113 6. Copyright 115 Copyright (C) The Internet Society (date). All Rights Reserved. 117 This document and translations of it may be copied and furnished to 118 others, and derivative works that comment on or otherwise explain it 119 or assist in its implementation may be prepared, copied, published 120 and distributed, in whole or in part, without restriction of any 121 kind, provided that the above copyright notice and this paragraph are 122 included on all such copies and derivative works. However, this 123 document itself may not be modified in any way, such as by removing 124 the copyright notice or references to the Internet Society or other 125 Internet organizations, except as needed for the purpose of 126 developing Internet standards in which case the procedures for 127 copyrights defined in the Internet Standards process must be 128 followed, or as required to translate it into languages other than 129 English. 131 The limited permissions granted above are perpetual and will not be 132 revoked by the Internet Society or its successors or assigns. 134 This document and the information contained herein is provided on an 135 "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING 136 TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING 137 BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION 138 HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF 139 MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 141 7. Bibliography 143 [LDAPV3] M. Wahl, T. Howes, S. Kille, "Lightweight Directory Access 144 Protocol (v3)", RFC 2251, December 1997. 146 [KEYWORDS] Bradner, Scott, "Key Words for use in RFCs to Indicate 147 Requirement Levels", draft-bradner-key-words-03.txt, January, 148 1997. 150 [AUTH] M. Wahl, H. Alvestrand, J. Hodges, R. Morgan, "Authentication 151 Methods for LDAP", RFC 2829, May 2000 153 PROXIED AUTHORIZATION CONTROL October 2001 155 8. Author's Address 157 Rob Weltman 158 Netscape Communications Corp. 159 466 Ellis Street 160 Mountain View, CA 94043 161 USA 162 +1 650 937-3194 163 rweltman@netscape.com 165 9. Acknowledgements 167 Mark Smith of Netscape Communications Corp., Mark Wahl of Sun 168 Microsystems, Inc, and Kurt Zeilenga of OpenLDAP Foundation have 169 contributed with reviews of this draft. 171 10. Changes from draft-weltman-ldapv3-proxy-05.txt 173 The control also applies to add and extended operations. 175 The control value is an authorization ID, not necessarily a DN. 177 Confidentiality concerns are mentioned. 179 11. Changes from draft-weltman-ldapv3-proxy-04.txt 181 The control does not apply to bind, unbind, or abandon operations. 183 The proxy DN is represented as a string in the control, rather than 184 embedded in a sequence. 186 Support for the control is published in the supportedControl 187 attribute of the root DSE, not in supportedExtensions. 189 The security section mentions confidentiality issues with exposing an 190 additional identity. 192 12. Changes from draft-weltman-ldapv3-proxy-03.txt 194 None 196 13. Changes from draft-weltman-ldapv3-proxy-02.txt 198 13.1 Renamed Control 199 PROXIED AUTHORIZATION CONTROL October 2001 201 The Control is now called Proxied Authorization Control, rather than 202 Proxied Authentication Control, to reflect that no authentication 203 occurs as a consequence of processing the Control. 205 13.2 Control envelope 207 Rather than containing an LDAPDN as the Control value, the Control 208 contains a Sequence (which contains an LDAPDN). This is to provide 209 for future extensions.