LDAPv3 Security Parameters

Document Type Expired Internet-Draft (individual)
Author Vesna Hassler 
Last updated 1998-03-05
Stream (None)
Intended RFC status (None)
Expired & archived
Stream state (No stream defined)
Consensus boilerplate Unknown
RFC Editor Note (None)
IESG state Expired
Telechat date
Responsible AD (None)
Send notices to (None)

This Internet-Draft is no longer active. A copy of the expired Internet-Draft can be found at


Two security services that are required in many applications but have not yet been addressed satisfactorily by LDAPv3 [ldapv3] are integrity and non-repudiation. According to the latest LDAPv3 security draft [ldapv3-auth], integrity can be achieved only within a secure association. Non-repudiation, by which we mean digital signing of operations, is mentioned in [ldapv3] as an example of the use of the LDAPv3 extended operation mechanism. A disadvantage of this approach is that it would be necessary to define a new Extended Request/Response pair for each basic operation that should be signed. This document defines an LDAP control called LDAPSecurityParameters for transferring security parameters with LDAP operations. With this control it is possible to append a digital signature to LDAP operations and in this way provide message authenticity, message integrity, non-repudiation of message origin and message freshness.


Vesna Hassler (hassler@infosys.tuwien.ac.at)

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)