Skip to main content

Lightweight Directory Access Protocol (LDAP) Proxied Authorization Control
RFC 4370

Revision differences

Document history

Date Rev. By Action
2015-10-14
13 (System) Notify list changed from  to (None)
2012-08-22
13 (System) post-migration administrative database adjustment to the Abstain position for Steven Bellovin
2012-08-22
13 (System) post-migration administrative database adjustment to the No Objection position for Russ Housley
2006-02-14
13 Amy Vezza State Changes to RFC Published from RFC Ed Queue by Amy Vezza
2006-02-14
13 Amy Vezza [Note]: 'RFC 4370' added by Amy Vezza
2006-02-10
13 (System) RFC published
2005-11-05
13 Amy Vezza State Changes to RFC Ed Queue from Approved-announcement sent by Amy Vezza
2005-10-31
13 Amy Vezza IESG state changed to Approved-announcement sent
2005-10-31
13 Amy Vezza IESG has approved the document
2005-10-31
13 Amy Vezza Closed "Approve" ballot
2005-10-31
13 Ted Hardie State Changes to Approved-announcement to be sent from IESG Evaluation::AD Followup by Ted Hardie
2005-10-21
13 Russ Housley [Ballot Position Update] Position for Russ Housley has been changed to No Objection from Discuss by Russ Housley
2005-09-14
13 Russ Housley
[Ballot discuss]
This document says:
  >
  > The criticality MUST be present and MUST be TRUE. This requirement
  > protects clients from …
[Ballot discuss]
This document says:
  >
  > The criticality MUST be present and MUST be TRUE. This requirement
  > protects clients from submitting a request that is executed with an
  > unintended authorization identity.
  >
  > Clients MUST include the criticality flag and MUST set it to TRUE.
  > Servers MUST reject any request containing a Proxy Authorization
  > Control without a criticality flag or with the flag set to FALSE with
  > a protocolError error.  These requirements protect clients from
  > submitting a request that is executed with an unintended
  > authorization identity.
  >
  I think the author intended to delete the first paragraph when the
  second one was added to resolve the concerns raised bu Ned Freed.
2005-06-09
13 (System) Sub state has been changed to AD Follow up from New Id Needed
2005-06-09
13 (System) New version available: draft-weltman-ldapv3-proxy-13.txt
2004-11-11
13 Ted Hardie [Note]: 'Kurt to follow up with auth and get revised text; he will join as co-author by Jan 1. 2005' added by Ted Hardie
2004-11-11
13 Ted Hardie
[Note]: 'Kurt to follow up with auth and get revised text; he will join as co-author by Jan 1. 2005 if no revision seen by …
[Note]: 'Kurt to follow up with auth and get revised text; he will join as co-author by Jan 1. 2005 if no revision seen by them.' added by Ted Hardie
2004-11-11
13 Ted Hardie [Note]: 'Kurt to follow up with auth and get revised text; he will join as co-author by Jan 1. 2005' added by Ted Hardie
2004-03-19
13 Amy Vezza State Changes to IESG Evaluation::Revised ID Needed from IESG Evaluation - Defer by Amy Vezza
2004-03-18
13 Steven Bellovin [Ballot Position Update] Position for Steve Bellovin has been changed to Abstain from Discuss by Steve Bellovin
2004-03-18
13 Steven Bellovin
[Ballot comment]
I'm very confused by this document -- what, precisely, does it define?
Is its whole purpose the definition of the OID?  Proxies done …
[Ballot comment]
I'm very confused by this document -- what, precisely, does it define?
Is its whole purpose the definition of the OID?  Proxies done properly
are typically bound to the principal to whom some access right is being
delegated, and often contain a set of restrictions as well.  This seems
to give carte blanche to anyone who has the magic string to do anything
at all.
2004-03-18
13 Bill Fenner [Ballot Position Update] New position, No Objection, has been recorded for Bill Fenner by Bill Fenner
2004-03-18
13 Margaret Cullen [Ballot Position Update] New position, No Objection, has been recorded for Margaret Wasserman by Margaret Wasserman
2004-03-18
13 Bert Wijnen [Ballot Position Update] Position for Bert Wijnen has been changed to No Objection from Undefined by Bert Wijnen
2004-03-18
13 Bert Wijnen
[Ballot comment]
Mmmm.. I see reference:

  [KEYWORDS] Bradner, Scott, "Key Words for use in RFCs to Indicate
        Requirement Levels", draft-bradner-key-words-03.txt …
[Ballot comment]
Mmmm.. I see reference:

  [KEYWORDS] Bradner, Scott, "Key Words for use in RFCs to Indicate
        Requirement Levels", draft-bradner-key-words-03.txt, January,
        1997.

I guess that should just be RFC2119 !!
2004-03-18
13 Bert Wijnen [Ballot Position Update] New position, Undefined, has been recorded for Bert Wijnen by Bert Wijnen
2004-03-18
13 Jon Peterson [Ballot Position Update] New position, No Objection, has been recorded for Jon Peterson by Jon Peterson
2004-03-17
13 Allison Mankin
[Ballot comment]
My no-objection is based on a lack of time to review the preceding work on LDAP
authentication and authorization that seems to be …
[Ballot comment]
My no-objection is based on a lack of time to review the preceding work on LDAP
authentication and authorization that seems to be presumed here.  It would be a
good idea if there some delineation of these dependencies, even if brief.  (I'm
not requiring a change, must making the comment).
2004-03-17
13 Allison Mankin [Ballot Position Update] New position, No Objection, has been recorded for Allison Mankin by Allison Mankin
2004-03-17
13 David Kessens [Ballot Position Update] New position, No Objection, has been recorded for David Kessens by David Kessens
2004-03-17
13 Harald Alvestrand
[Ballot comment]
Spencer Dawkins, Gen-ART reviewer, has made some editorial comments.
To save space on the evaluation form, I've recorded these in the tracker log. …
[Ballot comment]
Spencer Dawkins, Gen-ART reviewer, has made some editorial comments.
To save space on the evaluation form, I've recorded these in the tracker log.
They are also at
2004-03-17
13 Scott Hollenbeck [Ballot Position Update] New position, No Objection, has been recorded for Scott Hollenbeck by Scott Hollenbeck
2004-03-13
13 Harald Alvestrand
Comments from Spencer Dawkins, Gen-ART reviewer

3. Proxy Authorization Control

  A single Proxy Authorization Control may be included in any search, compare, modify, add, …
Comments from Spencer Dawkins, Gen-ART reviewer

3. Proxy Authorization Control

  A single Proxy Authorization Control may be included in any search, compare, modify, add, delete, modify DN or extended operation request message with the exception of any extension that causes a change in  authentication, authorization, or data confidentiality [RFC 2829], such as Start TLS [LDAPTLS] as part of the controls field of the LDAPMessage, as defined in [RFC 2251].

Spencer: I know it's an editorial nit, but "as part of" completes a phrase that left off SIX COMMAS earlier. Suggest alternative text as

"A single Proxy Authorization Control may be included in any search, compare, modify, add, delete, modify DN or extended operation request message as part of the controls field of the LDAPMessage, as defined
in [RFC 2251], with the exception of any extension that causes a change in authentication, authorization, or data confidentiality [RFC 2829], such as Start TLS [LDAPTLS]."
...

  The controlValue SHALL be present and contain either an authzId [AUTH] representing the authorization identity for the request or

Spencer: "or SHALL be empty..."

  empty if an anonymous association is to be used.

Spencer: "anonymous authorization identity"?
...

  If the requested authorization identity is recognized by the server, and the client is authorized to adopt the requested authorization identity, the request will be executed as if submitted by the proxy authorization identity, otherwise the result code TBD is returned.

Spencer: I'm new to the world of IANA LDAP result codes, but wouldn't you expect to see a proposed name for this result code in this document?
Also in IANA Considerations section later on...

  [Note to the IESG/IANA/RFC Editor: the value TBD is to be replaced with an IANA assigned LDAP Result Code (see RFC 3383 section 3.6]
...

5. Security Considerations
...

  Note that the server is responsible for determining if a proxy authorization request is to be honored. "Anonymous" users SHOULD NOT be allowed to assume the identity of others.

Spencer: It seems like this restriction should appear a lot earlier in the specification - it's an implementation consideration, not ("just")
a security consideration...
...

8. Normative References

  [KEYWORDS] Bradner, Scott, "Key Words for use in RFCs to Indicate Requirement Levels", draft-bradner-key-words-03.txt, January, 1997.

Spencer: Scott says this wins the plaid bunny award for most outdated reference in an ID this year - should be "RFC 2119", right?
2004-03-13
13 Harald Alvestrand [Ballot comment]
Spencer Dawkins, Gen-ART reviewer, has made some editorial comments.
To save space on the evaluation form, I've recorded these in the tracker log.
2004-03-13
13 Harald Alvestrand [Ballot Position Update] New position, No Objection, has been recorded for Harald Alvestrand by Harald Alvestrand
2004-02-20
13 (System) Removed from agenda for telechat - 2004-02-19
2004-02-18
13 Harald Alvestrand State Changes to IESG Evaluation - Defer from IESG Evaluation by Harald Alvestrand
2004-02-18
13 Steven Bellovin
[Ballot discuss]
I'm very confused by this document -- what, precisely, does it define? 
Is its whole purpose the definition of the OID?  Proxies done …
[Ballot discuss]
I'm very confused by this document -- what, precisely, does it define? 
Is its whole purpose the definition of the OID?  Proxies done properly
are typically bound to the principal to whom some access right is being
delegated, and often contain a set of restrictions as well.  This seems
to give carte blanche to anyone who has the magic string to do anything
at all.  The security considerations section doesn't even mandate that
this magic string be kept confidential -- and its more powerful than
plaintext passwords, which we bar.
2004-02-18
13 Steven Bellovin [Ballot Position Update] New position, Discuss, has been recorded for Steve Bellovin by Steve Bellovin
2004-02-18
13 Alex Zinin [Ballot Position Update] New position, No Objection, has been recorded for Alex Zinin by Alex Zinin
2004-02-17
13 Russ Housley
[Ballot discuss]
This document says:
  >
  > The criticality MUST be present and MUST be TRUE. This requirement
  > protects clients from …
[Ballot discuss]
This document says:
  >
  > The criticality MUST be present and MUST be TRUE. This requirement
  > protects clients from submitting a request that is executed with an
  > unintended authorization identity.
  >
  I agree with all of the comments made by Ned Freed.  Specifying
  the behavior of both the client and the server is very important.
  Ned suggests the following:
  >
  > Clients MUST include the criticality flag and MUST set it to TRUE.
  > Servers MUST reject any request containing a Proxy Authorization
  > Control without a criticality flag or with the flag set to FALSE
  > with a {?} error.  These requirements protects clients from
  > submitting a request that is executed with an unintended
  > authorization identity.
2004-02-17
13 Russ Housley
[Ballot comment]
No one is happy with the current situation regarding access control
  in LDAP.  Leaving the determination of proxy access rights as an …
[Ballot comment]
No one is happy with the current situation regarding access control
  in LDAP.  Leaving the determination of proxy access rights as an
  implementation detail is not going to improve the situation, and it
  will probably make it worse.  However, I have no guidance to offer.
2004-02-17
13 Russ Housley [Ballot Position Update] New position, Discuss, has been recorded for Russ Housley by Russ Housley
2004-02-12
13 Ned Freed
[Ballot discuss]
This document says:

  The criticality MUST be present and MUST be TRUE. This requirement
  protects clients from submitting a request that …
[Ballot discuss]
This document says:

  The criticality MUST be present and MUST be TRUE. This requirement
  protects clients from submitting a request that is executed with an
  unintended authorization identity.
   
Client requirements like this only protect clients that follow the rules.
A server requirement, on the other hand, protects against broken clients.
Given the likihood of security violations and screwy behavior if this
isn't enforced, I suggest changing this to read something like this:

  Clients MUST include the criticality flag and MUST set it to TRUE.
  Servers MUST reject any request containing a Proxy Authorization
  Control without a criticality flag or with the flag set to FALSE
  with a  error. These requirements protects clients from
  submitting a request that is executed with an unintended
  authorization identity.

I'm not wild about leaving the determination of proxy access rights
as an implementation detail, but given the situation surrounding
access control in LDAP in general I suppose we can do no better
at this time.

Nit: (date) in copyright field
2004-02-12
13 Ned Freed
[Ballot discuss]
This document says:

  The criticality MUST be present and MUST be TRUE. This requirement
  protects clients from submitting a request that …
[Ballot discuss]
This document says:

  The criticality MUST be present and MUST be TRUE. This requirement
  protects clients from submitting a request that is executed with an
  unintended authorization identity.
   
Client requirements like this only protect clients that follow the rules.
A server requirement, on the other hand, protects against broken clients.
Given the likihood of security violations and screwy behavior if this
isn't enforced, I suggest changing this to read something like this:

  Clients MUST include the criticality flag and MUST set it to TRUE.
  Servers MUST reject any request containing a Proxy Authorization
  Control without a criticality flag or with the flag set to FALSE
  with a  error. These requirements protects clients from
  submitting a request that is executed with an unintended
  authorization identity.

I'm not wild about leaving the determination of proxy access rights
as an implementation detail, but given the situation surrounding
access control in LDAP in general I suppose we can do no better
at this time.

Nit: (date) in copyright field
2004-02-12
13 Ted Hardie State Changes to IESG Evaluation from Waiting for Writeup by Ted Hardie
2004-02-12
13 Ned Freed [Ballot Position Update] New position, Discuss, has been recorded for Ned Freed by Ned Freed
2004-02-12
13 Ted Hardie Placed on agenda for telechat - 2004-02-19 by Ted Hardie
2004-02-12
13 Ted Hardie [Ballot Position Update] New position, Yes, has been recorded for Ted Hardie
2004-02-12
13 Ted Hardie Ballot has been issued by Ted Hardie
2004-02-12
13 Ted Hardie Created "Approve" ballot
2004-01-30
13 Harald Alvestrand State Changes to Waiting for Writeup from In Last Call by Harald Alvestrand
2004-01-30
13 Harald Alvestrand This one seems to have gotten stuck in Last Call state. Last Call was supposed to have ended on 2003-09-09.
2003-08-12
13 Michael Lee Last call sent
2003-08-12
13 Michael Lee State Changes to In Last Call from Publication Requested by Michael Lee
2003-08-11
13 Ted Hardie State Changes to Publication Requested from Last Call Requested by Ted Hardie
2003-08-11
13 Ted Hardie State Changes to Last Call Requested from Expert Review by Ted Hardie
2003-08-11
13 Ted Hardie Last Call was requested by Ted Hardie
2003-08-11
13 (System) Ballot writeup text was added
2003-08-11
13 (System) Last call text was added
2003-08-11
13 (System) Ballot approval text was added
2003-04-23
12 (System) New version available: draft-weltman-ldapv3-proxy-12.txt
2003-04-08
13 Ted Hardie Sent to ldap directorate for review April 8, 2003
2003-04-08
13 Ted Hardie State Changes to Expert Review from Publication Requested by Hardie, Ted
2003-04-08
13 Ted Hardie Intended Status has been changed to Proposed Standard from Request
2003-03-24
13 Ted Hardie Shepherding AD has been changed to Hardie, Ted from Faltstrom, Patrik
2002-05-08
13 Jacqueline Hargest Assigned to has been changed to paf from members
by jhargest
2002-05-03
11 (System) New version available: draft-weltman-ldapv3-proxy-11.txt
2002-04-29
10 (System) New version available: draft-weltman-ldapv3-proxy-10.txt
2001-12-17
09 (System) New version available: draft-weltman-ldapv3-proxy-09.txt
2001-11-12
08 (System) New version available: draft-weltman-ldapv3-proxy-08.txt
2001-10-16
07 (System) New version available: draft-weltman-ldapv3-proxy-07.txt
2000-11-06
06 (System) New version available: draft-weltman-ldapv3-proxy-06.txt
2000-10-16
05 (System) New version available: draft-weltman-ldapv3-proxy-05.txt
2000-02-07
04 (System) New version available: draft-weltman-ldapv3-proxy-04.txt
1999-04-26
03 (System) New version available: draft-weltman-ldapv3-proxy-03.txt
1998-10-26
02 (System) New version available: draft-weltman-ldapv3-proxy-02.txt
1998-08-14
01 (System) New version available: draft-weltman-ldapv3-proxy-01.txt
1998-04-27
00 (System) New version available: draft-weltman-ldapv3-proxy-00.txt