INTERNET-DRAFT Kurt D. Zeilenga
Intended Category: Experimental OpenLDAP Foundation
Expires: 12 Dec 2000 12 June 2000
OpenLDAP Root Service
An experimental LDAP referral service
<draft-zeilenga-ldap-root-00.txt>
Status of this Memo
This document is an Internet-Draft and is in full conformance with all
provisions of Section 10 of RFC2026.
This document is intended to be, after appropriate review and
revision, submitted to the RFC Editor as a Experimental document.
Distribution of this memo is unlimited. Technical discussion of this
document will take place on the IETF LDAP Extension Working Group
mailing list <ietf-ldapext@netscape.com>. Please send editorial
comments directly to the author <Kurt@OpenLDAP.org>.
Internet-Drafts are working documents of the Internet Engineering Task
Force (IETF), its areas, and its working groups. Note that other
groups may also distribute working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as ``work in progress.''
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt The list of Internet-Draft
Shadow Directories can be accessed at http://www.ietf.org/shadow.html.
Copyright 2000, The Internet Society. All Rights Reserved.
Please see the Copyright section near the end of this document for
more information.
Abstract
The OpenLDAP Project is operating an experimental LDAP [RFC2251]
referral service known as the "OpenLDAP Root Service." The automated
system generates referrals based upon service location information
published in DNS [RFC1034] SRV [RFC2782] resource records. This
document describes this service.
Zeilenga [Page 1]
INTERNET-DRAFT draft-zeilenga-ldap-root-00 12 June 2000
1. Background
LDAP [RFC2251] directories use a hierarchical naming scheme inherited
from X.500 [X500]. Traditionally, X.500 deployments have used a
geo-political naming scheme (e.g. cn=Jane Doe, ou=Engineering,
o=Example, st=CA, c=US). However, registration infrastructure and
location services in many portions of the naming hierarchical are
inadequate or nonexistent.
The construct of a global directory requires a robust registration
infrastructure and location service. Use of Internet domain-based
naming [RFC2247] (e.g. uid=jdoe, dc=eng, dc=example, dc=net) allows
LDAP directory services to leverage the existing DNS [RFC1034]
registration infrastructure and DNS SRV [RFC2782] resource records can
used to locate services.
1.1. The Glue
Most existing LDAP implementations do not support location of
directory services using DNS SRV resource records. However, most
servers support referral generation to "superior" server(s). This
service provides a "root" LDAP service which servers using domain
based naming may use as their superior referral service.
Client may also use the service directly to locate services associated
with an arbitrary Distinguished Name within the domain based
hierarchy.
Notice:
The mechanisms used by service are experimental. The descriptions
provided by this document should not be taken as being definitive.
Definitive mechanisms shall be published in a Standard Track
document(s).
2. Generating Referrals based upon DNS SRV RRs
This service returns referrals generated from DNS SRV resource records
[RFC2782].
2.1. DN to Domain Name Mapping
The service maps a DN [RFC2253] to a fully qualified domain name using
the following algorithm:
domain = null;
Zeilenga [Page 2]
INTERNET-DRAFT draft-zeilenga-ldap-root-00 12 June 2000
foreach RDN left-to-right /* [1] */
{
if not multi-valued RDN and
RDN.type == domainComponent
{
if ( domain == null || domain == "." )
{ // start
domain = "";
}
else
{ // append separator
domain .= ".";
}
if ( RDN.value == "." )
{ // root
domain = ".";
}
else
{ // append domainComponent
domain .= RDN.value;
}
continue;
}
domain = null;
}
Examples:
Distinguished Name Domain
------------------------------ ------------
dc=example,dc=net example.net
uid=jdoe,dc=example,dc=net example.net
dc=. . [2]
dc=example,dc=net,dc=. . [3]
dc=example,dc=.,dc=net net [4]
dc=example.net example.net [5]
cn=Jane Doe,o=example,c=us null
uid=jdoe,dc=example,c=us null
dc=example,o=example,dc=net net
dc=example+o=example,dc=net net
dc=example,o=us+dc=net null
Notes:
1) A later incarnation of this service may use a
right-to-left algorithm.
2) RFC 2247 does not state how one can map the domain
Zeilenga [Page 3]
INTERNET-DRAFT draft-zeilenga-ldap-root-00 12 June 2000
representing the root of the domain tree to a DN. We
suggest the root of the domain tree be mapped to the
DN "dc=." and that this be reversable.
3) RFC 2247 states that domain "example.net" should be
mapped to the DN "dc=example, dc=net", not to
"dc=example,dc=net,dc=.". It is not our intent to
introduce or support an alternative domain to DN mapping.
The algorithm ignores domainComponents to the right
of dc=.
4) RFC 2247 states that domain "example.net" should be
mapped to the DN "dc=example, dc=net", not to
"dc=example,dc=.,dc=net". It is not our intent to
introduce or support an alternative domain to DN mapping.
The algorithm ignores domainComponents to the right
of dc=. and dc=. if further domainComponents are found
to the left.
5) RFC 2247 states that value of an DC attribute type is
a domain component. It should not contain multiple
domain components. A later incarnation of this service
may map this domain to null or be coded to return
invalid domain.
If the domain is null or ".", the service aborts further processing
and returns noSuchObject. Later incarnation of this service may place
abort processing if the resulting domain is a top-level domain.
2.2. Locating LDAP services
The root service locates services associated with a given fully
qualified domain name by querying the Domain Name System for LDAP SRV
resource records. For the domain example.net, the service would do a
issue a SRV query for the domain _ldap._tcp.example.net. A successful
query will return one or more resource records of form:
_ldap._tcp.example.net. IN SRV 0 0 389 ldap.example.net.
If no LDAP SRV resource records are returned or any DNS error occurs,
the service processing and returns noSuchObject. Later incarnations
of this service will better handle transient errors.
2.3. Constructing an LDAP Referrals
For each DNS SRV resource record returned for the domain, a LDAP URI
Zeilenga [Page 4]
INTERNET-DRAFT draft-zeilenga-ldap-root-00 12 June 2000
[RFC2255] is constructed. For the above resource record, the URI
would be:
ldap://ldap.example.net:389/
These URIs are then returned in the referral. The URI are currently
returned in resolver order. That is, the server itself does not make
use of priority or weight information in the SRV resource records. A
later incarnation of this service may.
3. Protocol Operations
This section describes how the service performs basic LDAP operations.
The service supports operations extended through certain controls as
described in a later section.
3.1. Basic Operations
Basic (add,compare,delete,modify,rename,search) operations return a
referral result if the target (or base) DN can be mapped to a set of
LDAP URIs as described above. Otherwise a noSuchObject response or
other appropriate response is returned.
3.2. Bind Operation
The service accepts "anonymous" bind specifying version 2 or version 3
of the protocol. All other bind requests will return a non-successful
resultCode. In particular, clients which submit clear text
credentials. will be sent an unwillingToPerform resultCode with a
cautionary text regarding providing passwords to strangers.
3.3. Unbind Operations
Upon receipt of an unbind request, the server abandons all outstanding
requests made by client and disconnects.
3.4. Abandon Operations
Upon receipt of an abandon request, the server abandons all
outstanding requests made by client.
3.5. Extended Operations
Zeilenga [Page 5]
INTERNET-DRAFT draft-zeilenga-ldap-root-00 12 June 2000
The service currently does recognize any extended operation. Later
incarnations of the service may support StartTLS and other operations.
4. Controls
The service supports the ManageDSAit control. Unsupported control are
serviced per RFC 2251.
4.1. ManageDSAit Control
The server recognizes and honors the ManageDSAit control [NAMEREF]
provided with operations.
If DNS location information is available for the base DN itself, the
service will return unwillingToPerform for non-search operations. For
search operations, a entry will be returned if within scope and entry
matches provided filter:
c: searchRequest {
base="dc=example,dc=net"
scope=base
filter=(objectclass=*)
ManageDSAit
}
s: searchEntry {
dn: dc=example, dc=net
objectclass: referral
objectclass: extensibleObject
dc: example
ref: ldap://ldap.example.net:389/
associatedDomain: example.net
}
s: searchResult {
success
}
If DNS location information is available for the DC portion of a
subordinate entry, the service will return noSuchObject with the
matchedDN set to the DC portion of the base for search and update
operations.
c: searchRequest {
base="cn=subordinate,dc=example,dc=net"
scope=base
filter=(objectclass=*)
ManageDSAit
Zeilenga [Page 6]
INTERNET-DRAFT draft-zeilenga-ldap-root-00 12 June 2000
}
s: searchResult {
noSuchObject
matchedDN="dc=example,dc=net"
}
7. Using the Service
Servers may be configured to refer superior requests to
<ldap://root.openldap.org:389>. This is commonly done via a
configuration directive such as:
default ldap://root.openldap.org:389
Though clients may use the service directly, this is not encouraged.
Clients should use a local service and only use this service when
chasing a referral to the service.
The service support LDAPv3 and LDAPv2+ [LDAPv2+] clients.
6. Lessons Learned
6.1. Scaling / Reliability
This service currently runs on a single host. This host and
associated network resources are not yet exhausted. We expect it will
be. We believe we can easily scale to meet the demand through common
distributed load balancing technics. The service can also easily be
duplicated locally.
6.2. Protocol interoperability
This service has able avoided known interoperability issues in support
variants of LDAP.
6.2.1. LDAPv3
Though the server does not fully implement LDAPv3 [RFC2251], it
implements all portions required to provide the service.
6.2.2. LDAPv2
LDAPv2 [RFC1777] does not support the referral results and hence may
Zeilenga [Page 7]
INTERNET-DRAFT draft-zeilenga-ldap-root-00 12 June 2000
not be referred to this service. Though a LDAPv2 client could
connect, it would treat any referral returned to it as an unknown
error.
6.2.3. LDAPv2+
LDAPv2+ [LDAPv2+] provides a number of extensions to LDAPv2, including
referrals. LDAPv2+, like LDAPv3, does not require a bind operation
before issuing of other operations. As the referral representation
differ between LDAPv2+ and LDAPv3, the service returns LDAPv3
referrals in this case. However, as commonly deployed LDAPv2+ clients
issue bind requests (for compatibility with LDAPv2 servers), this has
not generated any interoperability issues (yet).
7. Security Considerations
This service provides information to "anonymous" clients. This
information is derived from the public directories, namely the Domain
Name System.
The use of authentication would require clients to disclose
information to the service. This would be an unnecessary invasion of
privacy.
The lack of encryption allows eavesdropping upon client requests and
responses. A later incarnation of this service may support encryption
(such as via StartTLS).
Information integrity protection is not provided as the service. The
service is subject to varies forms of DNS spoofing and attacks. LDAP
session or operation integrity would provide false sense of security
concerning the integrity of DNS information. A later incarnation of
this service may support DNSSEC.
The service may be subject to a variety of denial of service attacks.
The service is capable of blocking accessing by a number of factors
(IP address, availability of reverse DNS information, etc.). These
capability have yet to be used and likely be ineffective in preventing
sophisticated attacks. Later incarnations of this service will likely
need more better protection from such attacks.
8. Conclusions
DNS is good glue. By leveraging of the Domain Name System, global
LDAP directories may be built without requiring a protocol specific
Zeilenga [Page 8]
INTERNET-DRAFT draft-zeilenga-ldap-root-00 12 June 2000
registration infrastructures.
In addition, use of DNS service location allows global directories to
be built "ad hoc". That is, anyone with a domain name can
participate. There is no requirement that the superior domain
participate.
9. Additional Information
Additional information about the OpenLDAP Project and the OpenLDAP
Root Service can be found at <http://www.openldap.org/>.
The author can be contacted at <kurt@openldap.org>.
10. Acknowledgments
Internet hosting for this experiment is hosted at the Internet
Software Consortium <http://www.isc.org/>. Computing resources were
provided by Net Boolean Incorporated <http://www.boolean.net/> This
experiment would not have been possible without the contributions of
the volunteers of the open source community.
References
[RFC1034] Mockapetris, P., " Domain Names - Concepts and Facilities,"
STD 13, RFC 1034, November 1987.
[RFC1738] Berners-Lee, T., Masinter, L., and M. McCahill,
"Uniform Resource Locators (URL)", RFC 1738, December 1994.
[RFC1777] Yeong, W., Howes, T., and S. Kille, "Lightweight
Directory Access Protocol", RFC 1777, March 1995.
[RFC2119] Bradner, S., "Key Words for use in RFCs to
Indicate Requirement Levels," RFC 2119, March 1997.
[RFC2247] Kille, S., et. al.,
"Using Domains in LDAP/X.500 Distinguished Names", RFC 2247,
January 1998.
[RFC2251] Wahl, M., Howes, T., and S. Kille,
"Lightweight Directory Access Protocol (v3)",
RFC 2251, December 1997.
[RFC2255] Howes, T., and M. Smith, "The LDAP URL Format",
Zeilenga [Page 9]
INTERNET-DRAFT draft-zeilenga-ldap-root-00 12 June 2000
RFC 2255, December 1997.
[RFC2782]
Gulbrandsen, A., Vixie, P. and L. Esibov,
"A DNS RR for specifying the location of services (DNS SRV)",
RFC 2782, February 2000.
[LOCATE] IETF LDAPext WG, "Discovering LDAP Services with DNS",
draft-ietf-ldapext-locate-xx.txt (work in progress).
[LDAPv2+] University of Michigan LDAP Team,
"Referrals within the LDAPv2 Protocol", August 1996.
[NAMEREF] IETF LDAPext, "Named Referrals in LDAP Directories"
draft-ietf-ldapext-namedref-xx.txt (work in progress)
[X500] ITU-T Rec. X.500, "The Directory: Overview of Concepts,
Models and Service", 1993.
COPYRIGHT NOTICE
Copyright 2000, The Internet Society. All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published and
distributed, in whole or in part, without restriction of any kind,
provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be followed,
or as required to translate it into languages other than English.
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on an
"AS IS" basis and THE AUTHORS, THE INTERNET SOCIETY, AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Zeilenga [Page 10]
INTERNET-DRAFT draft-zeilenga-ldap-root-00 12 June 2000
Zeilenga [Page 11]