Lightweight Directory Access Protocol (LDAP) Authorization Identity Request and Response Controls
RFC 3829

 
Document Type RFC - Informational (July 2004; Errata)
Was draft-weltman-ldapv3-auth-response (individual in app area)
Last updated 2013-03-02
Stream IETF
Formats plain text pdf html
Stream WG state (None)
Consensus Unknown
Document shepherd No shepherd assigned
IESG IESG state RFC 3829 (Informational)
Telechat date
Responsible AD Ted Hardie
Send notices to <mcs@netscape.com>, <Mark.Wahl@sun.com>, <rweltman@netscape.com>
Network Working Group                                         R. Weltman
Request for Comments: 3829                                America Online
Category: Informational                                         M. Smith
                                                     Pearl Crescent, LLC
                                                                 M. Wahl
                                                               July 2004

             Lightweight Directory Access Protocol (LDAP)
         Authorization Identity Request and Response Controls

Status of this Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this
   memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2004).

Abstract

   This document extends the Lightweight Directory Access Protocol
   (LDAP) bind operation with a mechanism for requesting and returning
   the authorization identity it establishes.  Specifically, this
   document defines the Authorization Identity Request and Response
   controls for use with the Bind operation.

1.  Introduction

   This document defines support for the Authorization Identity Request
   Control and the Authorization Identity Response Control for
   requesting and returning the authorization established in a bind
   operation.  The Authorization Identity Request Control may be
   submitted by a client in a bind request if authenticating with
   version 3 of the Lightweight Directory Access Protocol (LDAP)
   protocol [LDAPv3].  In the LDAP server's bind response, it may then
   include an Authorization Identity Response Control.  The response
   control contains the identity assumed by the client.  This is useful
   when there is a mapping step or other indirection during the bind, so
   that the client can be told what LDAP identity was granted.  Client
   authentication with certificates is the primary situation where this
   applies.  Also, some Simple Authentication and Security Layer [SASL]
   authentication mechanisms may not involve the client explicitly
   providing a DN, or may result in an authorization identity which is
   different from the authentication identity provided by the client
   [AUTH].

Weltman, et al.              Informational                      [Page 1]
RFC 3829          Authorization Identity Bind Control          July 2004

   The key words "MUST", "MUST NOT", "SHOULD", "SHOULD NOT", and "MAY"
   used in this document are to be interpreted as described in
   [RFCKeyWords].

2.  Publishing support for the Authorization Identity Request Control
    and the Authorization Identity Response Control

   Support for the Authorization Identity Request Control and the
   Authorization Identity Response Control is indicated by the presence
   of the Object Identifiers (OIDs) 2.16.840.1.113730.3.4.16 and
   2.16.840.1.113730.3.4.15, respectively, in the supportedControl
   attribute [LDAPATTRS] of a server's root DSA-specific Entry (DSE).

3.  Authorization Identity Request Control

   This control MAY be included in any bind request which specifies
   protocol version 3, as part of the controls field of the LDAPMessage
   as defined in [LDAPPROT].  In a multi-step bind operation, the client
   MUST provide the control with each bind request.

   The controlType is "2.16.840.1.113730.3.4.16" and the controlValue is
   absent.

4.  Authorization Identity Response Control

   This control MAY be included in any final bind response where the
   first bind request of the bind operation included an Authorization
   Identity Request Control as part of the controls field of the
   LDAPMessage as defined in [LDAPPROT].

   The controlType is "2.16.840.1.113730.3.4.15".  If the bind request
   succeeded and resulted in an identity (not anonymous), the
   controlValue contains the authorization identity (authzId), as
   defined in [AUTH] section 9, granted to the requestor.  If the bind
   request resulted in an anonymous association, the controlValue field
   is a string of zero length.  If the bind request resulted in more
   than one authzId, the primary authzId is returned in the controlValue
   field.

   The control is only included in a bind response if the resultCode for
   the bind operation is success.

   If the server requires confidentiality protections to be in place
   prior to use of this control (see Security Considerations), the
   server reports failure to have adequate confidentiality protections
   in place by returning the confidentialityRequired result code.

Weltman, et al.              Informational                      [Page 2]
RFC 3829          Authorization Identity Bind Control          July 2004
Show full document text