Lightweight Directory Access Protocol (LDAP) Proxied Authorization Control
RFC 4370

Document Type RFC - Proposed Standard (February 2006; No errata)
Was draft-weltman-ldapv3-proxy (individual in app area)
Last updated 2013-03-02
Stream IETF
Formats plain text pdf html
Stream WG state (None)
Consensus Unknown
Document shepherd No shepherd assigned
IESG IESG state RFC 4370 (Proposed Standard)
Telechat date
Responsible AD Ted Hardie
Send notices to <rweltman@netscape.com>
Network Working Group                                         R. Weltman
Request for Comments: 4370                                  Yahoo!, Inc.
Category: Standards Track                                  February 2006

             Lightweight Directory Access Protocol (LDAP)
                     Proxied Authorization Control

Status of This Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2006).

Abstract

   This document defines the Lightweight Directory Access Protocol
   (LDAP) Proxy Authorization Control.  The Proxy Authorization Control
   allows a client to request that an operation be processed under a
   provided authorization identity instead of under the current
   authorization identity associated with the connection.

1.  Introduction

   Proxy authorization allows a client to request that an operation be
   processed under a provided authorization identity instead of under
   the current authorization identity associated with the connection.
   This document defines support for proxy authorization using the
   Control mechanism [RFC2251].  The Lightweight Directory Access
   Protocol [LDAPV3] supports the use of the Simple Authentication and
   Security Layer [SASL] for authentication and for supplying an
   authorization identity distinct from the authentication identity,
   where the authorization identity applies to the whole LDAP session.
   The Proxy Authorization Control provides a mechanism for specifying
   an authorization identity on a per-operation basis, benefiting
   clients that need to perform operations efficiently on behalf of
   multiple users.

   The key words "MUST", "MUST NOT", "SHOULD", "SHOULD NOT", and "MAY"
   used in this document are to be interpreted as described in
   [KEYWORDS].

Weltman                     Standards Track                     [Page 1]
RFC 4370           LDAP Proxied Authorization Control      February 2006

2.  Publishing Support for the Proxy Authorization Control

   Support for the Proxy Authorization Control is indicated by the
   presence of the Object Identifier (OID) "2.16.840.1.113730.3.4.18" in
   the supportedControl attribute [RFC2252] of a server's root
   DSA-specific Entry (DSE).

3.  Proxy Authorization Control

   A single Proxy Authorization Control may be included in any search,
   compare, modify, add, delete, or modify Distinguished Name (DN) or
   extended operation request message.  The exception is any extension
   that causes a change in authentication, authorization, or data
   confidentiality [RFC2829], such as Start TLS [LDAPTLS] as part of the
   controls field of the LDAPMessage, as defined in [RFC2251].

   The controlType of the proxy authorization control is
   "2.16.840.1.113730.3.4.18".

   The criticality MUST be present and MUST be TRUE.  This requirement
   protects clients from submitting a request that is executed with an
   unintended authorization identity.

   Clients MUST include the criticality flag and MUST set it to TRUE.
   Servers MUST reject any request containing a Proxy Authorization
   Control without a criticality flag or with the flag set to FALSE with
   a protocolError error.  These requirements protect clients from
   submitting a request that is executed with an unintended
   authorization identity.

   The controlValue SHALL be present and SHALL either contain an authzId
   [AUTH] representing the authorization identity for the request or be
   empty if an anonymous association is to be used.

   The mechanism for determining proxy access rights is specific to the
   server's proxy authorization policy.

   If the requested authorization identity is recognized by the server,
   and the client is authorized to adopt the requested authorization
   identity, the request will be executed as if submitted by the proxy
   authorization identity; otherwise, the result code 123 is returned.

4.  Implementation Considerations

   One possible interaction of proxy authorization and normal access
   control is illustrated here.  During evaluation of a search request,
   an entry that would have been returned for the search (if submitted
   by the proxy authorization identity directly) may not be returned if

Weltman                     Standards Track                     [Page 2]
RFC 4370           LDAP Proxied Authorization Control      February 2006
Show full document text