Network Working Group Rob Weltman
INTERNET-DRAFT Netscape Communications Corp.
Tim Howes
Netscape Communications Corp.
July 14, 1998
LDAP Proxied Authentication Control
draft-weltman-ldapv3-proxy-01.txt
Status of this Memo
This document is an Internet Draft. Internet Drafts are working
documents of the Internet Engineering Task Force (IETF), its Areas,
and its Working Groups. Note that other groups may also distribute
working documents as Internet Drafts.
Internet Drafts are draft documents valid for a maximum of six
months. Internet Drafts may be updated, replaced, or obsoleted by
other documents at any time. It is not appropriate to use Internet
Drafts as reference material or to cite them other than as a "working
draft" or "work in progress".
To learn the current status of any Internet-Draft, please check the
1id-abstracts.txt listing contained in the Internet-Drafts Shadow
Directories on ftp.ietf.org, nic.nordu.net, ftp.isi.edu, or
munnari.oz.au.
Copyright (C) The Internet Society (1997). All Rights Reserved.
Please see the Copyright section near the end of this document for
more information.
Abstract
This document defines support for the Proxied Authentication Control.
Controls are an LDAP protocol version 3 extension, to allow passing
arbitrary control information along with a standard request to a
server, and to receive arbitrary information back with a standard
result. The Proxied Authentication Control allows a connection with
sufficient privileges to assume the identity of another entry for the
duration of an LDAP request.
1. Introduction
Version 3 of the LDAP protocol provides a means of supplying
arbitrary additional information along with a request to an LDAP
server, and receiving arbitrary additional response information. The
Control protocol extension is described in [1], section 4.1.12. This
document defines support for proxied authentication using the Control
mechanism.
Expires 1/99 [Page 1]
PROXIED AUTHENTICATION CONTROL July, 1998
The key words "MUST", "SHOULD", and "MAY" used in this document are
to be interpreted as described in [2].
2. Publishing support for the Proxied Authentication Control
Support for the virtual list view extended operation is indicated by
the presence of the OID "2.16.840.1.113730.3.4.12" in the
supportedExtensions attribute of a server's root DSE.
3. Proxied Authentication Control
This control may be included in any search, modify, delete, or modrdn
request message as part of the controls field of the LDAPMessage,
as defined in [1].
proxyAuthControl ::= SEQUENCE {
controlType 2.16.840.1.113730.3.4.12,
criticality BOOLEAN DEFAULT FALSE,
controlValue proxyAuthValue
}
The criticality SHOULD be included and SHOULD be TRUE. If it is not
TRUE, and the requester is not authorized to use proxied
authentication within the target Directory tree, the requesterÆs own
authentication will be used to execute the request. The controlValue
is an OCTET STRING, whose value is the BER encoding of a value of the
following:
proxyAuthValue ::= LDAPDN
4. Permission to execute as proxy
An LDAP server supporting the proxied authentication control may
choose to honor or not honor a particular request. If the control is
supported but a particular request is denied, the server MUST return
the error code insufficientAccessRights. A typical implementation
will evaluate if the requester has proxy access rights at the base DN
of the request. If the requester has proxy access rights, and if the
proxy DN corresponds to a valid entry in the directory managed by the
server, the request will be honored. If the request is honored, it
will be executed as if submitted by the proxy identity.
5. Security Considerations
The proxied authentication control method is subject to standard LDAP
security considerations. The control may be passed over a secure as
Expires 1/99 [Page 2
PROXIED AUTHENTICATION CONTROL July, 1998
well as over an insecure channel. No additional confidential
information is passed in the control.
Note that the server is responsible for determining if a proxied
authentication request is to be honored.
6. Copyright
Copyright (C) The Internet Society (date). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
7. Bibliography
[1] M. Wahl, T. Howes, S. Kille, "Lightweight Directory Access
Protocol (v3)", Internet Draft draft-ietf-asid-ldapv3-protocol-
06.txt, July 1997.
[2] Bradner, Scott, "Key Words for use in RFCs to Indicate
Requirement Levels", draft-bradner-key-words-03.txt, January,
1997.
Expires 1/99 [Page 3
PROXIED AUTHENTICATION CONTROL July, 1998
8. AuthorÆs Addresses
Rob Weltman
Netscape Communications Corp.
501 E. Middlefield Rd.
Mountain View, CA 94043
USA
+1 650 937-3301
rweltman@netscape.com
Tim Howes
Netscape Communications Corp.
501 E. Middlefield Rd.
Mountain View, CA 94043
USA
+1 650 937-3419
howes@netscape.com
Expires 1/99 [Page 4
