Lightweight Directory Access Protocol (LDAP) Turn Operation
RFC 4531

Document Type RFC - Experimental (June 2006; No errata)
Was draft-zeilenga-ldap-turn (individual in app area)
Last updated 2013-03-02
Stream IETF
Stream WG state (None)
Consensus Unknown
Document shepherd No shepherd assigned
IESG IESG state RFC 4531 (Experimental)
Responsible AD Ted Hardie
Send notices to kurt@openLDAP.org
Network Working Group                                        K. Zeilenga
Request for Comments: 4531                           OpenLDAP Foundation
Category: Experimental                                         June 2006

              Lightweight Directory Access Protocol (LDAP)
                             Turn Operation

Status of This Memo

   This memo defines an Experimental Protocol for the Internet
   community.  It does not specify an Internet standard of any kind.
   Discussion and suggestions for improvement are requested.
   Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2006).

Abstract

   This specification describes a Lightweight Directory Access Protocol
   (LDAP) extended operation to reverse (or "turn") the roles of client
   and server for subsequent protocol exchanges in the session, or to
   enable each peer to act as both client and server with respect to the
   other.

Table of Contents

   1. Background and Intent of Use ....................................2
      1.1. Terminology ................................................2
   2. Turn Operation ..................................................2
      2.1. Turn Request ...............................................3
      2.2. Turn Response ..............................................3
   3. Authentication ..................................................3
      3.1. Use with TLS and Simple Authentication .....................4
      3.2. Use with TLS and SASL EXTERNAL .............................4
      3.3. Use of Mutual Authentication and SASL EXTERNAL .............4
   4. TLS and SASL Security Layers ....................................5
   5. Security Considerations .........................................6
   6. IANA Considerations .............................................6
      6.1. Object Identifier ..........................................6
      6.2. LDAP Protocol Mechanism ....................................7
   7. References ......................................................7
      7.1. Normative References .......................................7
      7.2. Informative References .....................................8

Zeilenga                      Experimental                      [Page 1]
RFC 4531                  LDAP Turn Operation                  June 2006

1.  Background and Intent of Use

   The Lightweight Directory Access Protocol (LDAP) [RFC4510][RFC4511]
   is a client-server protocol that typically operates over reliable
   octet-stream transports, such as the Transport Control Protocol
   (TCP).  Generally, the client initiates the stream by connecting to
   the server's listener at some well-known address.

   There are cases where it is desirable for the server to initiate the
   stream.  Although it certainly is possible to write a technical
   specification detailing how to implement server-initiated LDAP
   sessions, this would require the design of new authentication and
   other security mechanisms to support server-initiated LDAP sessions.

   Instead, this document introduces an operation, the Turn operation,
   which may be used to reverse the client-server roles of the protocol
   peers.  This allows the initiating protocol peer to become the server
   (after the reversal).

   As an additional feature, the Turn operation may be used to allow
   both peers to act in both roles.  This is useful where both peers are
   directory servers that desire to request, as LDAP clients, that
   operations be performed by the other.  This may be useful in
   replicated and/or distributed environments.

   This operation is intended to be used between protocol peers that
   have established a mutual agreement, by means outside of the
   protocol, that requires reversal of client-server roles, or allows
   both peers to act both as client and server.

1.1.  Terminology

   Protocol elements are described using ASN.1 [X.680] with implicit
   tags.  The term "BER-encoded" means the element is to be encoded
   using the Basic Encoding Rules [X.690] under the restrictions
   detailed in Section 5.1 of [RFC4511].

2.  Turn Operation

   The Turn operation is defined as an LDAP-Extended Operation
   [Protocol, Section 4.12] identified by the 1.3.6.1.1.19 OID.  The
   function of the Turn Operation is to request that the client-server
   roles be reversed, or, optionally, to request that both protocol
   peers be able to act both as client and server in respect to the
   other.


2.1.  Turn Request