Lightweight Directory Access Protocol (LDAP): Authentication Methods and Security Mechanisms
RFC 4513
| Field | Value |
|---|---|
| Document type | RFC - Proposed Standard (June 2006; No errata) |
| Author | Roger Harrison |
| Last updated | 2018-12-20 |
| Stream | IETF |
| Formats | plain text, html, pdf, htmlized, bibtex |
| WG state | (None) |
| Document shepherd | No shepherd assigned |
| IESG state | RFC 4513 (Proposed Standard) |
| Action Holders | (None) |
| Consensus Boilerplate | Unknown |
| Telechat date | (None) |
| Responsible AD | Ted Hardie |
| Send notices to | (None) |
Network Working Group                                    R. Harrison, Ed.
Request for Comments: 4513                                  Novell, Inc.
Obsoletes: 2251, 2829, 2830                                    June 2006
Category: Standards Track

Lightweight Directory Access Protocol (LDAP): Authentication Methods and Security Mechanisms

Status of This Memo

This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.

Copyright Notice

Copyright (C) The Internet Society (2006).

Abstract

This document describes authentication methods and security mechanisms of the Lightweight Directory Access Protocol (LDAP). This document details establishment of Transport Layer Security (TLS) using the StartTLS operation. This document details the simple Bind authentication method including anonymous, unauthenticated, and name/password mechanisms and the Simple Authentication and Security Layer (SASL) Bind authentication method including the EXTERNAL mechanism. This document discusses various authentication and authorization states through which a session to an LDAP server may pass and the actions that trigger these state changes. This document, together with other documents in the LDAP Technical Specification (see Section 1 of the specification's road map), obsoletes RFC 2251, RFC 2829, and RFC 2830.

Harrison                    Standards Track                     [Page 1]

RFC 4513                LDAP Authentication Methods            June 2006

Table of Contents

   1. Introduction ....................................................4
      1.1. Relationship to Other Documents ............................6
      1.2. Conventions ................................................6
   2. Implementation Requirements .....................................7
   3. StartTLS Operation ..............................................8
      3.1. TLS Establishment Procedures ...............................8
           3.1.1. StartTLS Request Sequencing .........................8
           3.1.2. Client Certificate ..................................9
           3.1.3. Server Identity Check ...............................9
                  3.1.3.1. Comparison of DNS Names ...................10
                  3.1.3.2. Comparison of IP Addresses ................11
                  3.1.3.3. Comparison of Other subjectName Types .....11
           3.1.4. Discovery of Resultant Security Level ..............11
           3.1.5. Refresh of Server Capabilities Information .........11
      3.2. Effect of TLS on Authorization State ......................12
      3.3. TLS Ciphersuites ..........................................12
   4. Authorization State ............................................13
   5. Bind Operation .................................................14
      5.1. Simple Authentication Method ..............................14
           5.1.1. Anonymous Authentication Mechanism of Simple Bind ..14
           5.1.2. Unauthenticated Authentication Mechanism of
                  Simple Bind ........................................14
           5.1.3. Name/Password Authentication Mechanism of
                  Simple Bind ........................................15
      5.2. SASL Authentication Method ................................16
           5.2.1. SASL Protocol Profile ..............................16
                  5.2.1.1. SASL Service Name for LDAP ................16
                  5.2.1.2. SASL Authentication Initiation and
                           Protocol Exchange .........................16
                  5.2.1.3. Optional Fields ...........................17
                  5.2.1.4. Octet Where Negotiated Security Layers
                           Take Effect ...............................18
                  5.2.1.5. Determination of Supported SASL
                           Mechanisms ................................18
                  5.2.1.6. Rules for Using SASL Layers ...............19
                  5.2.1.7. Support for Multiple Authentications ......19
                  5.2.1.8. SASL Authorization Identities .............19
           5.2.2. SASL Semantics within LDAP .........................20
           5.2.3. SASL EXTERNAL Authentication Mechanism .............20
                  5.2.3.1. Implicit Assertion ........................21
                  5.2.3.2. Explicit Assertion ........................21
   6. Security Considerations ........................................21
      6.1. General LDAP Security Considerations ......................21
      6.2. StartTLS Security Considerations ..........................22
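The abstract names three simple Bind mechanisms (anonymous, unauthenticated, name/password) that differ only in whether the name and password fields are empty. The following added example, which is not code from the RFC or from any LDAP implementation, classifies a simple Bind request by that rule and applies an assumed server-side policy: unauthenticated binds are rejected, and name/password binds are accepted only once TLS (for instance via StartTLS) protects the session. The `BindPolicy` defaults and the handling of an empty name with a non-empty password are assumptions, not text from the RFC.

```python
"""Classify LDAP simple Bind requests (RFC 4513 section 5.1) and apply a
server-side acceptance policy.  Added illustration; policy values are
assumed, not mandated by the RFC."""
from dataclasses import dataclass
from typing import Optional, Tuple

ANONYMOUS = "anonymous"
UNAUTHENTICATED = "unauthenticated"
NAME_PASSWORD = "name/password"
MALFORMED = "malformed"


def classify_simple_bind(name: str, password: bytes) -> str:
    """Empty name and empty password: anonymous mechanism.
    Non-empty name with empty password: unauthenticated mechanism.
    Non-empty name and non-empty password: name/password mechanism.
    Empty name with a non-empty password fits none of the three and is
    treated as malformed here (an assumption for this example)."""
    if not name and not password:
        return ANONYMOUS
    if name and not password:
        return UNAUTHENTICATED
    if name and password:
        return NAME_PASSWORD
    return MALFORMED


@dataclass(frozen=True)
class BindPolicy:
    # Assumed defaults for a hardened deployment.
    allow_anonymous: bool = True
    allow_unauthenticated: bool = False   # empty password must not grant access
    require_tls_for_password: bool = True  # no cleartext passwords on the wire


def evaluate_simple_bind(name: str, password: bytes, tls_established: bool,
                         policy: Optional[BindPolicy] = None) -> Tuple[bool, str, str]:
    """Return (accepted, mechanism, reason) for a simple Bind request."""
    policy = policy or BindPolicy()
    mech = classify_simple_bind(name, password)
    if mech == MALFORMED:
        return False, mech, "empty name with non-empty password"
    if mech == ANONYMOUS and not policy.allow_anonymous:
        return False, mech, "anonymous bind disabled by policy"
    if mech == UNAUTHENTICATED and not policy.allow_unauthenticated:
        return False, mech, "unauthenticated bind rejected (empty password)"
    if mech == NAME_PASSWORD and policy.require_tls_for_password and not tls_established:
        return False, mech, "name/password bind requires TLS (e.g. after StartTLS)"
    return True, mech, "accepted"
```

The unauthenticated case matters because an application that only checks for a successful Bind result would otherwise accept any known DN with an empty password as proof of identity.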