Lightweight Directory Access Protocol (LDAP): Authentication Methods and Security Mechanisms
RFC 4513

• Document
• IESG evaluation record
• IESG writeups
• Email expansions
• History

• Versions
• 19

Document	Type		RFC - Proposed Standard (June 2006; No errata) Obsoletes RFC 2251, RFC 2829, RFC 2830 Was draft-ietf-ldapbis-authmeth (ldapbis WG)
	Last updated		2015-10-14
	Stream		IETF
	Formats		plain text pdf html bibtex
Stream	WG state		(None)
	Document shepherd		No shepherd assigned
IESG	IESG state		RFC 4513 (Proposed Standard)
	Consensus Boilerplate		Unknown
	Telechat date
	Responsible AD		Ted Hardie
	Send notices to		(None)

Network Working Group                                   R. Harrison, Ed.
Request for Comments: 4513                                  Novell, Inc.
Obsoletes: 2251, 2829, 2830                                    June 2006
Category: Standards Track

             Lightweight Directory Access Protocol (LDAP):
             Authentication Methods and Security Mechanisms

Status of This Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2006).

Abstract

   This document describes authentication methods and security
   mechanisms of the Lightweight Directory Access Protocol (LDAP).  This
   document details establishment of Transport Layer Security (TLS)
   using the StartTLS operation.

   This document details the simple Bind authentication method including
   anonymous, unauthenticated, and name/password mechanisms and the
   Simple Authentication and Security Layer (SASL) Bind authentication
   method including the EXTERNAL mechanism.

   This document discusses various authentication and authorization
   states through which a session to an LDAP server may pass and the
   actions that trigger these state changes.

   This document, together with other documents in the LDAP Technical
   Specification (see Section 1 of the specification's road map),
   obsoletes RFC 2251, RFC 2829, and RFC 2830.

Harrison                    Standards Track                     [Page 1]
RFC 4513              LDAP Authentication Methods              June 2006

Table of Contents

   1. Introduction ....................................................4
      1.1. Relationship to Other Documents ............................6
      1.2. Conventions ................................................6
   2. Implementation Requirements .....................................7
   3. StartTLS Operation ..............................................8
      3.1.  TLS Establishment Procedures ..............................8
           3.1.1. StartTLS Request Sequencing .........................8
           3.1.2. Client Certificate ..................................9
           3.1.3. Server Identity Check ...............................9
                  3.1.3.1. Comparison of DNS Names ...................10
                  3.1.3.2. Comparison of IP Addresses ................11
                  3.1.3.3. Comparison of Other subjectName Types .....11
           3.1.4. Discovery of Resultant Security Level ..............11
           3.1.5. Refresh of Server Capabilities Information .........11
      3.2.  Effect of TLS on Authorization State .....................12
      3.3. TLS Ciphersuites ..........................................12
   4. Authorization State ............................................13
   5. Bind Operation .................................................14
      5.1. Simple Authentication Method ..............................14
           5.1.1. Anonymous Authentication Mechanism of Simple Bind ..14
           5.1.2. Unauthenticated Authentication Mechanism of
                  Simple Bind ........................................14
           5.1.3. Name/Password Authentication Mechanism of
                  Simple Bind ........................................15
      5.2. SASL Authentication Method ................................16
           5.2.1. SASL Protocol Profile ..............................16
                  5.2.1.1. SASL Service Name for LDAP ................16
                  5.2.1.2. SASL Authentication Initiation and
                           Protocol Exchange .........................16
                  5.2.1.3. Optional Fields ...........................17
                  5.2.1.4. Octet Where Negotiated Security
                           Layers Take Effect ........................18
                  5.2.1.5. Determination of Supported SASL
                           Mechanisms ................................18
                  5.2.1.6. Rules for Using SASL Layers ...............19
                  5.2.1.7. Support for Multiple Authentications ......19
                  5.2.1.8. SASL Authorization Identities .............19
           5.2.2. SASL Semantics within LDAP .........................20
           5.2.3. SASL EXTERNAL Authentication Mechanism .............20
                  5.2.3.1. Implicit Assertion ........................21
                  5.2.3.2. Explicit Assertion ........................21
   6. Security Considerations ........................................21

Show full document text