idnits 2.17.1 draft-weltman-ldapv3-proxy-08.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** Looks like you're using RFC 2026 boilerplate. This must be updated to follow RFC 3978/3979, as updated by RFC 4748. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- ** The document seems to lack a 1id_guidelines paragraph about Internet-Drafts being working documents -- however, there's a paragraph with a matching beginning. Boilerplate error? ** The document seems to lack a 1id_guidelines paragraph about 6 months document validity -- however, there's a paragraph with a matching beginning. Boilerplate error? Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack an IANA Considerations section. (See Section 2.2 of https://www.ietf.org/id-info/checklist for how to handle the case when there are no actions for IANA.) ** The abstract seems to contain references ([AUTH]), which it shouldn't. Please replace those with straight textual mentions of the documents in question. ** The document seems to lack a both a reference to RFC 2119 and the recommended RFC 2119 boilerplate, even if it appears to use RFC 2119 keywords. RFC 2119 keyword, line 69: '... The criticality MUST be included and ...' RFC 2119 keyword, line 79: '...uest is denied, the server MUST return...' Miscellaneous warnings: ---------------------------------------------------------------------------- == Line 49 has weird spacing: '...ocument are...' == Line 126 has weird spacing: '...for the purpo...' -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (November 2001) is 8198 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Missing reference section? 'AUTH' on line 151 looks like a reference -- Missing reference section? 'LDAPV3' on line 144 looks like a reference -- Missing reference section? 'KEYWORDS' on line 147 looks like a reference -- Missing reference section? 'LDAPv3' on line 71 looks like a reference Summary: 6 errors (**), 0 flaws (~~), 2 warnings (==), 6 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 INTERNET-DRAFT Rob Weltman 3 Intended Category: Standards Track Netscape Communications Corp. 4 November 2001 6 LDAP Proxied Authorization Control 7 draft-weltman-ldapv3-proxy-08.txt 9 Status of this Memo 11 This document is an Internet-Draft and is in full conformance with 12 all provisions of Section 10 of RFC2026. 14 Internet-Drafts are working documents of the Internet Task Force 15 (IETF), its areas, and its working groups. Note that other groups 16 may also distribute working documents as Internet-Drafts. 18 Internet-Drafts are draft documents valid for a maximum of six months 19 and may be updated, replaced, or obsoleted by other documents at any 20 time. It is inappropriate to use Internet Drafts as reference 21 material or to cite them other than as "work in progress." 23 The list of current Internet-Drafts can be accessed at 24 http://www.ietf.org/ietf/1id-abstracts.txt 26 The list of Internet-Draft Shadow Directories can be accessed at 27 http://www.ietf.org/shadow.html. 29 Abstract 31 This document defines support for the Proxied Authorization Control. 32 Controls are an LDAP protocol version 3 extension, to allow passing 33 arbitrary control information along with a standard request to a 34 server, and to receive arbitrary information back with a standard 35 result. The Proxied Authorization Control allows a client to request 36 that an operation be processed under a provided authorization 37 identity [AUTH] instead of as the current authorization identity 38 associated with the connection. 40 1. Introduction 42 Version 3 of the LDAP protocol provides a means of supplying 43 arbitrary additional information along with a request to an LDAP 44 server, and receiving arbitrary additional response information. The 45 Control protocol extension is described in [LDAPV3], section 4.1.12. 46 This document defines support for proxied authorization using the 47 Control mechanism. 49 The key words "MUST", "SHOULD", and "MAY" used in this document are 50 to be interpreted as described in [KEYWORDS]. 52 PROXIED AUTHORIZATION CONTROL November 2001 54 2. Publishing support for the Proxied Authorization Control 56 Support for the Proxied Authorization Control is indicated by the 57 presence of the OID "2.16.840.1.113730.3.4.18" in the 58 supportedControl attribute of a server's root DSE. 60 3. Proxied Authorization Control 62 This control may be included in any search, compare, modify, add, 63 delete, modDN or extended operation request message as part of the 64 controls field of the LDAPMessage, as defined in [LDAPV3]. 66 The controlType of the proxied authorization control is 67 "2.16.840.1.113730.3.4.18". 69 The criticality MUST be included and MUST be TRUE. 71 The control value is an LDAPString [LDAPv3] containing an authzId as 72 defined in section 9 of [AUTH]. This is the authorization identity to 73 use for the request. 75 4. Permission to execute as proxy 77 An LDAP server supporting the Proxied Authorization Control may 78 choose to honor or not honor a particular request. If the control is 79 supported but a particular request is denied, the server MUST return 80 the error code insufficientAccessRights. 82 A typical implementation will evaluate if the requester has proxy 83 access rights at the base DN of the request. If the requester has 84 proxy access rights, and if the authorization identity is recognized 85 by the server, the request will be honored. If the request is 86 honored, it will be executed as if submitted by the proxy identity. 88 During evaluation of a search request, an entry which would have been 89 returned for the search if submitted by the proxy identity directly 90 may not be returned if the server finds that the requester does not 91 have proxy rights to the entry, even if the entry is within the scope 92 of a search request under a base DN which does imply such rights. 93 This means that fewer results, or no results, may be returned 94 compared to the case where the proxy identity issued the request 95 directly. An example of such a case may be a system with fine-grained 96 access control, where the proxy right requester has proxy rights at 97 the top of a search tree, but not at or below a point or points 98 within the tree. 100 5. Security Considerations 101 PROXIED AUTHORIZATION CONTROL November 2001 103 The Proxied Authorization Control method is subject to standard LDAP 104 security considerations. The control may be passed over a secure as 105 well as over an insecure channel. 107 The control allows for an additional authorization identity to be 108 passed. In some deployments, these identities may contain 109 confidential information which require privacy protection. 111 Note that the server is responsible for determining if a proxied 112 authorization request is to be honored. 114 6. Copyright 116 Copyright (C) The Internet Society (date). All Rights Reserved. 118 This document and translations of it may be copied and furnished to 119 others, and derivative works that comment on or otherwise explain it 120 or assist in its implementation may be prepared, copied, published 121 and distributed, in whole or in part, without restriction of any 122 kind, provided that the above copyright notice and this paragraph are 123 included on all such copies and derivative works. However, this 124 document itself may not be modified in any way, such as by removing 125 the copyright notice or references to the Internet Society or other 126 Internet organizations, except as needed for the purpose of 127 developing Internet standards in which case the procedures for 128 copyrights defined in the Internet Standards process must be 129 followed, or as required to translate it into languages other than 130 English. 132 The limited permissions granted above are perpetual and will not be 133 revoked by the Internet Society or its successors or assigns. 135 This document and the information contained herein is provided on an 136 "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING 137 TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING 138 BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION 139 HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF 140 MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 142 7. Bibliography 144 [LDAPV3] M. Wahl, T. Howes, S. Kille, "Lightweight Directory Access 145 Protocol (v3)", RFC 2251, December 1997. 147 [KEYWORDS] Bradner, Scott, "Key Words for use in RFCs to Indicate 148 Requirement Levels", draft-bradner-key-words-03.txt, January, 149 1997. 151 [AUTH] M. Wahl, H. Alvestrand, J. Hodges, R. Morgan, "Authentication 152 Methods for LDAP", RFC 2829, May 2000 154 PROXIED AUTHORIZATION CONTROL November 2001 156 8. Author's Address 158 Rob Weltman 159 Netscape Communications Corp. 160 466 Ellis Street 161 Mountain View, CA 94043 162 USA 163 +1 650 937-3194 164 rweltman@netscape.com 166 9. Acknowledgements 168 Mark Smith of Netscape Communications Corp., Mark Wahl of Sun 169 Microsystems, Inc, and Kurt Zeilenga of OpenLDAP Foundation have 170 contributed with reviews of this draft. 172 10. Changes from draft-weltman-ldapv3-proxy-07.txt 174 Proxied Authorization Control 176 Clarification: the content of the control is an LDAPString. 178 11. Changes from draft-weltman-ldapv3-proxy-06.txt 180 None 182 PROXIED AUTHORIZATION CONTROL November 2001 184 12. Changes from draft-weltman-ldapv3-proxy-05.txt 186 The control also applies to add and extended operations. 188 The control value is an authorization ID, not necessarily a DN. 190 Confidentiality concerns are mentioned. 192 13. Changes from draft-weltman-ldapv3-proxy-04.txt 194 The control does not apply to bind, unbind, or abandon operations. 196 The proxy DN is represented as a string in the control, rather than 197 embedded in a sequence. 199 Support for the control is published in the supportedControl 200 attribute of the root DSE, not in supportedExtensions. 202 The security section mentions confidentiality issues with exposing an 203 additional identity. 205 14. Changes from draft-weltman-ldapv3-proxy-03.txt 207 None 209 15. Changes from draft-weltman-ldapv3-proxy-02.txt 211 15.1 Renamed Control 213 The Control is now called Proxied Authorization Control, rather than 214 Proxied Authentication Control, to reflect that no authentication 215 occurs as a consequence of processing the Control. 217 15.2 Control envelope 219 Rather than containing an LDAPDN as the Control value, the Control 220 contains a Sequence (which contains an LDAPDN). This is to provide 221 for future extensions.