[Docs] [txt|pdf] [Tracker] [Email] [Diff1] [Diff2] [Nits]

Versions: 00 01 02 03 04 05 06 07 08 09 10 11 12 13 RFC 4370

Network Working Group                                        Rob Weltman
INTERNET-DRAFT                             Netscape Communications Corp.
                                                               Tim Howes
                                           Netscape Communications Corp.
                                                        October 24, 1998


                  LDAP Proxied Authentication Control
                   draft-weltman-ldapv3-proxy-02.txt


Status of this Memo

   This document is an Internet Draft.  Internet Drafts are working
   documents of the Internet Engineering Task Force (IETF), its Areas,
   and its Working Groups.  Note that other groups may also distribute
   working documents as Internet Drafts.

   Internet Drafts are draft documents valid for a maximum of six
   months.  Internet Drafts may be updated, replaced, or obsoleted by
   other documents at any time.  It is not appropriate to use Internet
   Drafts as reference material or to cite them other than as a "working
   draft" or "work in progress".

   To learn the current status of any Internet-Draft, please check the
   1id-abstracts.txt listing contained in the Internet-Drafts Shadow
   Directories ftp.ietf.org (US East Coast), nic.nordu.net (Europe),
   ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific Rim).

   Copyright (C) The Internet Society (1997). All Rights Reserved.

   Please see the Copyright section near the end of this document for
   more information.


Abstract

   This document defines support for the Proxied Authentication Control.
   Controls are an LDAP protocol version 3 extension, to allow passing
   arbitrary control information along with a standard request to a
   server, and to receive arbitrary information back with a standard
   result. The Proxied Authentication Control allows a connection with
   sufficient privileges to assume the identity of another entry for the
   duration of an LDAP request.


1. Introduction

   Version 3 of the LDAP protocol provides a means of supplying
   arbitrary additional information along with a request to an LDAP
   server, and receiving arbitrary additional response information. The
   Control protocol extension is described in [1], section 4.1.12. This
   document defines support for proxied authentication using the Control
   mechanism.

Expires 4/99                                                  [Page 1]

PROXIED AUTHENTICATION CONTROL                           October, 1998



   The key words "MUST", "SHOULD", and "MAY" used in this document  are
   to be interpreted as described in [2].


2. Publishing support for the Proxied Authentication Control

   Support for the proxied authentication control is indicated by the
   presence of the OID "2.16.840.1.113730.3.4.12" in the
   supportedExtensions attribute of a server's root DSE.


3. Proxied Authentication Control


   This control may be included in any search, modify, delete, or modrdn
   request message as  part of the controls  field  of the  LDAPMessage,
   as defined in [1].

   proxyAuthControl ::= SEQUENCE {
           controlType     2.16.840.1.113730.3.4.12,
           criticality     BOOLEAN DEFAULT FALSE,
           controlValue    proxyAuthValue
   }

   The criticality SHOULD be included and SHOULD be TRUE. If it is not
   TRUE, and the requester is not authorized to use proxied
   authentication within the target Directory tree, the requesterÂ’s own
   authentication will be used to execute the request. The controlValue
   is an OCTET STRING, whose value is the BER encoding of a value of the
   following:

   proxyAuthValue ::= LDAPDN


4. Permission to execute as proxy

   An LDAP server supporting the proxied authentication control may
   choose to honor or not honor a particular request. If the control is
   supported but a particular request is denied, the server MUST return
   the error code insufficientAccessRights. A typical implementation
   will evaluate if the requester has proxy access rights at the base DN
   of the request. If the requester has proxy access rights, and if the
   proxy DN corresponds to a valid entry in the directory managed by the
   server, the request will be honored. If the request is honored, it
   will be executed as if submitted by the proxy identity.


5. Security Considerations

   The proxied authentication control method is subject to standard LDAP
   security considerations. The control may be passed over a secure as


Expires 4/99                                                   [Page 2

PROXIED AUTHENTICATION CONTROL                           October, 1998


   well as over an insecure channel. No additional confidential
   information is passed in the control.

   Note that the server is responsible for determining if a proxied
   authentication request is to be honored.


6. Copyright

   Copyright (C) The Internet Society (date). All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph are
   included on all such copies and derivative works.  However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the  purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assigns.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.


7. Bibliography

   [1]  M. Wahl, T. Howes, S. Kille, "Lightweight Directory Access
        Protocol (v3)", Internet Draft draft-ietf-asid-ldapv3-protocol-
        06.txt, July 1997.

   [2]  Bradner, Scott, "Key Words for use in RFCs to Indicate
        Requirement Levels", draft-bradner-key-words-03.txt, January,
        1997.









Expires 4/99                                                   [Page 3

PROXIED AUTHENTICATION CONTROL                           October, 1998


8. AuthorÂ’s Addresses

   Rob Weltman
   Netscape Communications Corp.
   501 E. Middlefield Rd.
   Mountain View, CA 94043
   USA
   +1 650 937-3301
   rweltman@netscape.com

   Tim Howes
   Netscape Communications Corp.
   501 E. Middlefield Rd.
   Mountain View, CA 94043
   USA
   +1 650 937-3419
   howes@netscape.com





































Expires 4/99                                                   [Page 4


Html markup produced by rfcmarkup 1.129b, available from https://tools.ietf.org/tools/rfcmarkup/