draft-ietf-ldapbis-authmeth-10.txt   draft-ietf-ldapbis-authmeth-11.txt 
INTERNET-DRAFT Editor: R. Harrison INTERNET-DRAFT Editor: R. Harrison
draft-ietf-ldapbis-authmeth-10.txt Novell, Inc. draft-ietf-ldapbis-authmeth-11.txt Novell, Inc.
Obsoletes: 2829, 2830 10 February 2003 Obsoletes: 2829, 2830 July, 2004
Intended Category: Draft Standard Intended Category: Draft Standard
LDAP: Authentication Methods LDAP: Authentication Methods
and and
Connection Level Security Mechanisms Connection Level Security Mechanisms
Status of this Memo Status of this Memo
This document is an Internet-Draft and is in full conformance with This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC2026. all provisions of Section 10 of RFC2026.
skipping to change at page 1, line 41 skipping to change at page 1, line 40
as reference material or to cite them other than as "work in as reference material or to cite them other than as "work in
progress." progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt The list of Internet- http://www.ietf.org/ietf/1id-abstracts.txt The list of Internet-
Draft Shadow Directories can be accessed at Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
Copyright Notice Copyright Notice
Copyright (C) The Internet Society (2003). All Rights Reserved. Copyright (C) The Internet Society (2004). All Rights Reserved.
Abstract Abstract
This document describes authentication methods and connection level This document describes authentication methods and connection level
security mechanisms of the Lightweight Directory Access Protocol security mechanisms of the Lightweight Directory Access Protocol
(LDAP). (LDAP).
This document also details establishment of TLS (Transport Layer This document details establishment of TLS (Transport Layer
Security) using the Start TLS operation. Security) using the Start TLS operation.
This document also details the simple Bind authentication method This document details the simple Bind authentication method
including anonymous, unauthenticated, and plain-text password including anonymous, unauthenticated, and plain-text password
methods and the SASL (Simple Authentication and Security Layer) Bind methods and the SASL (Simple Authentication and Security Layer) Bind
authentication method including the use of DIGEST-MD5 and EXTERNAL authentication method including the use of DIGEST-MD5 and EXTERNAL
mechanisms. mechanisms.
This document describes various authentication and authorization This document discusses various authentication and authorization
states through which a connection to an LDAP server may pass and the states through which a connection to an LDAP server may pass and the
actions that trigger these state changes. actions that trigger these state changes.
Table of Contents Table of Contents
1. Introduction................................................3 1. Introduction.....................................................3
1.1. Relationship to Other Documents...........................5 1.1. Relationship to Other Documents................................5
2. Conventions Used in this Document...........................5 1.2. Conventions Used in this Document..............................5
2.1. Glossary of Terms.........................................5 1.2.1. Glossary of Terms............................................5
2.2. Security Terms and Concepts...............................5 1.2.2. Security Terms and Concepts..................................6
2.3. Keywords..................................................6 1.2.3. Keywords.....................................................6
3. Start TLS Operation.........................................6 2. Implementation Requirements......................................6
3.1. Sequencing of the Start TLS Operation ....................6 3. Start TLS Operation..............................................7
3.1.1. Start TLS Request.......................................6 3.1. Sequencing of the Start TLS Operation..........................7
3.1.2. Start TLS Response......................................7 3.1.1. Start TLS Request ...........................................7
3.1.3. TLS Version Negotiation.................................7 3.1.2. Start TLS Response...........................................8
3.1.4. Discovery of Resultant Security Level...................7 3.1.3. TLS Version Negotiation......................................8
3.1.5. Server Identity Check...................................7 3.1.4. Client Certificate...........................................8
3.1.6. Refresh of Server Capabilities Information..............8 3.1.5. Discovery of Resultant Security Level........................8
3.2. Effects of TLS on a Client's Authorization Identity.......8 3.1.6. Server Identity Check........................................8
3.2.1. TLS Connection Establishment Effects....................9 3.1.7. Refresh of Server Capabilities Information...................9
3.2.2. Client Assertion of Authorization Identity..............9 3.2. Effects of TLS on a Client's Authorization Identity............9
3.2.3. TLS Connection Closure Effects..........................9 3.2.1. TLS Connection Establishment Effects........................10
4. Bind Operation..............................................9 3.2.2. Client Assertion of Authorization Identity..................10
4.1. Simple Authentication.....................................9 3.2.3. TLS Connection Closure Effects..............................10
4.2. SASL Authentication.......................................9 4. LDAP Associations...............................................10
5. Anonymous LDAP Association on Unbound Connections......... 10 4.1. Anonymous LDAP Association on Unbound Connections.............10
6. Anonymous Authentication ................................. 10 4.2 Anonymous LDAP Association After Failed Bind...................10
7. Simple Authentication..................................... 10 4.3. Invalidated Associations......................................11
8. SASL Authentication Profile............................... 11 5. Bind Operation .................................................11
8.1. SASL Service Name for LDAP.............................. 11 5.1. Simple Authentication Choice..................................11
8.2. SASL Authentication Initiation and Protocol Exchange.... 11 5.2. SASL Authentication Choice....................................11
8.3. Octet Where Negotiated Security Mechanisms Take Effect.. 12 6. Anonymous Authentication Mechanism of Simple Bind...............12
8.4. Determination of Supported SASL Mechanisms.............. 12 7. Unauthenticated Authentication Mechanism of Simple Bind.........12
8.5. Rules for Using SASL Security Layers.................... 13 8. Simple Authentication Mechanism of Simple Bind .................12
9. SASL EXTERNAL Mechanism................................... 13 9. SASL Protocol Profile...........................................13
9.1. Implicit Assertion...................................... 13 9.1. SASL Service Name for LDAP....................................13
9.2. Explicit Assertion...................................... 14 9.2. SASL Authentication Initiation and Protocol Exchange..........13
9.3. SASL Authorization Identity............................. 14 9.3. Octet Where Negotiated Security Mechanisms Take Effect........14
9.4 Authorization Identity Syntax............................ 14 9.4. Determination of Supported SASL Mechanisms....................15
10. SASL DIGEST-MD5 Mechanism................................ 15 9.5. Rules for Using SASL Security Layers..........................15
11. General Requirements for Password-based Authentication .. 15 9.6 Support for Multiple Authentications...........................15
12. Invalidated Associations................................. 16 10. SASL EXTERNAL Mechanism........................................15
13. TLS Ciphersuites......................................... 16 10.1. Implicit Assertion...........................................16
13.1. TLS Ciphersuites Recommendations....................... 17 10.2. Explicit Assertion...........................................16
14. Security Considerations ................................. 18 10.3. SASL Authorization Identity..................................16
14.1. Start TLS Security Considerations...................... 18 10.4. SASL Authorization Identity Syntax...........................16
15. IANA Considerations...................................... 19 11. SASL DIGEST-MD5 Mechanism......................................17
Acknowledgements............................................. 19 12. General Requirements for Password Handling.....................18
Normative References......................................... 19 13. TLS Ciphersuites...............................................18
Informative References....................................... 21 13.1. TLS Ciphersuites Recommendations.............................19
Author's Address............................................. 21 14. Security Considerations........................................20
Appendix A. LDAP Association State Transition Tables......... 21 14.1. Start TLS Security Considerations............................20
A.1. LDAP Association States................................. 21 15. IANA Considerations............................................21
A.2. Actions that Affect LDAP Association State.............. 22 Acknowledgments....................................................21
A.3. Decisions Used in Making LDAP Association State Changes. 22 Normative References...............................................22
A.4. LDAP Association State Transition Table................. 22 Informative References.............................................23
Appendix B. Example Deployment Scenarios..................... 23 Author's Address...................................................23
Appendix C. Authentication and Authorization Concepts........ 24 Appendix A. LDAP Association State Transition Tables...............23
C.1. Access Control Policy................................... 24 A.1. LDAP Association States.......................................23
C.2. Access Control Factors ................................. 24 A.2. Actions that Affect LDAP Association State....................24
C.3. Authentication, Credentials, Identity .................. 25 A.3. Decisions Used in Making LDAP Association State Changes.......24
C.4. Authorization Identity ................................. 25 A.4. LDAP Association State Transition Table.......................24
Appendix D. RFC 2829 Change History ......................... 25 Appendix B. Example Deployment Scenarios...........................25
Appendix E. RFC 2830 Change History ......................... 29 Appendix C. Authentication and Authorization Concepts..............26
Appendix F. RFC 2251 Change History ......................... 30 C.1. Access Control Policy.........................................26
Appendix G. Change History to Combined Document.............. 30 C.2. Access Control Factors........................................26
Appendix H. Issues to be Resolved............................ 41 C.3. Authentication, Credentials, Identity.........................26
C.4. Authorization Identity........................................27
Appendix D. RFC 2829 Change History................................27
Appendix E. RFC 2830 Change History................................31
Appendix F. RFC 2251 Change History................................32
Appendix G. Change History to Combined Document....................32
Appendix H. Issues to be Resolved..................................43
Intellectual Property Rights.......................................57
1. Introduction 1. Introduction
The Lightweight Directory Access Protocol (LDAP) [Protocol] is a The Lightweight Directory Access Protocol (LDAP) [Roadmap] is a
powerful access protocol for directories. It offers means of powerful protocol for accessing directories. It offers means of
searching, retrieving and manipulating directory content, and ways searching, retrieving and manipulating directory content, and ways
to access a rich set of security functions. to access a rich set of security functions.
It is vital that these security functions be interoperable among all It is vital that these security functions be interoperable among all
LDAP clients and servers on the Internet; therefore there has to be LDAP clients and servers on the Internet; therefore there has to be
a minimum subset of security functions that is common to all a minimum subset of security functions that is common to all
implementations that claim LDAP conformance. implementations that claim LDAP conformance.
Basic threats to an LDAP directory service include: Basic threats to an LDAP directory service include:
skipping to change at page 4, line 4 skipping to change at page 4, line 15
(1) Unauthorized access to directory data via data-retrieval (1) Unauthorized access to directory data via data-retrieval
operations, operations,
(2) Unauthorized access to directory data by monitoring others' (2) Unauthorized access to directory data by monitoring others'
access, access,
(3) Unauthorized access to reusable client authentication (3) Unauthorized access to reusable client authentication
information by monitoring others' access, information by monitoring others' access,
(4) Unauthorized modification of directory data, (4) Unauthorized modification of directory data,
(5) Unauthorized modification of configuration information, (5) Unauthorized modification of configuration information,
(6) Denial of Service: Use of resources (commonly in excess) in a (6) Denial of Service: Use of resources (commonly in excess) in a
manner intended to deny service to others. and manner intended to deny service to others,
(7) Spoofing: Tricking a user or client into believing that (7) Spoofing: Tricking a user or client into believing that
information came from the directory when in fact it did not, information came from the directory when in fact it did not,
either by modifying data in transit or misdirecting the client's either by modifying data in transit or misdirecting the client's
connection. Tricking a user or client into sending privileged connection. Tricking a user or client into sending privileged
information to a hostile entity that appears to be the directory information to a hostile entity that appears to be the directory
server but is not. Tricking a directory server into believing server but is not. Tricking a directory server into believing
that information came from a particular client when in fact it that information came from a particular client when in fact it
came from a hostile entity. came from a hostile entity, and
(8) Hijacking of prototocol sessions. (8) Hijacking: An attacker seizes control of an established protocol
session.
Threats (1), (4), (5), (6), (7) are (8) are active attacks. Threats
(2) and (3) are passive attacks.
Threats (1), (4), (5) and (6) are due to hostile clients. Threats Threats (1), (4), (5) and (6) are due to hostile clients. Threats
(2), (3) and (7) are due to hostile agents on the path between (2), (3), (7) and (8) are due to hostile agents on the path between
client and server or hostile agents posing as a server, e.g. IP client and server or hostile agents posing as a server, e.g. IP
spoofing. spoofing.
LDAP offers the following security mechanisms: LDAP offers the following security mechanisms:
(1) Authentication by means of the Bind operation. The Bind (1) Authentication by means of the Bind operation. The Bind
operation provides a simple method which supports anonymous, operation provides a simple method which supports anonymous,
unauthenticated, and authenticated with password mechanisms, and unauthenticated, and authenticated with password mechanisms, and
the Secure Authentication and Security Layer (SASL) method which the Secure Authentication and Security Layer (SASL) method which
supports a wide variety of authentication mechanisms and which supports a wide variety of authentication mechanisms,
may be extended to support additional methods of authentication.
(2) Client authorization by means of access control based on the (2) Mechanisms to support vendor-specific access control facilities
requestor's authenticated identity, (LDAP does not offer a standard access control facility)
(3) Data integrity protection by means of TLS or SASL mechanisms (3) Data integrity protection by means of TLS or SASL mechanisms
with security layers that provide data integrity services, with security layers that provide data integrity protection,
(4) Data confidentiality protection against snooping by means of the
TLS protocol or SASL mechanisms that provide data
confidentiality services,
(4) Data confidentiality protection by means of the TLS protocol or
SASL mechanisms that provide data confidentiality protection,
(5) Server resource usage limitation by means of administrative (5) Server resource usage limitation by means of administrative
service limits configured on the server, and limits configured on the server, and
(6) Server authentication by means of the TLS protocol or SASL (6) Server authentication by means of the TLS protocol or SASL
mechanism. mechanism.
LDAP may also be protected by means outside the LDAP protocol, e.g.
with IP-level security [RFC2401].
At the moment, imposition of access controls is done by means At the moment, imposition of access controls is done by means
outside the scope of LDAP. outside the scope of LDAP.
It seems clear that allowing any implementation, faced with the It seems clear that allowing implementations, faced with the above
above requirements, to simply pick and choose among the possible requirements, to simply pick and choose among the possible
alternatives is not a strategy that is likely to lead to alternatives is not a strategy that is likely to lead to
interoperability. In the absence of mandates, clients will be interoperability. In the absence of mandates, clients will be
written that do not support any security function supported by the written that do not support any security function supported by the
server, or worse, they will support only clear text passwords that server, or worse, they will support only clear text passwords that
provide inadequate security for most circumstances. provide inadequate security for most circumstances.
Given the presence of the Directory, there is a strong desire to see It is desirable to allow clients to authenticate using a variety of
mechanisms where identities take the form of an LDAP distinguished mechanisms including mechanisms where identities are represented as
name [LDAPDN] and authentication data can be stored in the distinguished names [X.501] [Models] in string form [LDAPDN] or are
directory. This means that this data must be updated outside the used in different systems (e.g. user name in string form). Because
protocol or only updated in sessions well protected against these authentication mechanisms transmit credentials in plain text
snooping. It is also desirable to allow authentication methods to form and other authentication mechanisms do not provide data
carry identities not represented as LDAP DNs that are familiar to security services, it is desirable to ensure secure interopability
the user or that are used in other systems. by indentifying a mandatory-to-implement mechanism for establishing
transport-layer security services.
The set of security mechanisms provided in LDAP and described in The set of security mechanisms provided in LDAP and described in
this document is intended to meet the security needs for a wide this document is intended to meet the security needs for a wide
range of deployment scenarios and still provide a high degree of range of deployment scenarios and still provide a high degree of
interoperability among various LDAP implementations and deployments. interoperability among various LDAP implementations and deployments.
Appendix B contains example deployment scenarios that list the Appendix B contains example deployment scenarios that list the
mechanisms that might be used to achieve a reasonable level of mechanisms that might be used to achieve a reasonable level of
security in various circumstances. security in various circumstances.
1.1. Relationship to Other Documents 1.1. Relationship to Other Documents
This document is an integral part of the LDAP Technical This document is an integral part of the LDAP Technical
Specification [Roadmap]. Specification [Roadmap].
This document obsoletes RFC 2829. This document obsoletes RFC 2829.
Sections 2 and 4 of RFC 2830 are obsoleted by [Protocol]. The Sections 2 and 4 of RFC 2830 are obsoleted by [Protocol]. The
remainder of RFC 2830 is obsoleted by this document. remainder of RFC 2830 is obsoleted by this document.
2. Conventions Used in this Document 1.2. Conventions Used in this Document
2.1. Glossary of Terms 1.2.1. Glossary of Terms
The following terms are used in this document. To aid the reader, The following terms are used in this document. To aid the reader,
these terms are defined here. these terms are defined here.
- "user" represents any human or application entity which is - "user" represents any human or application entity which is
accessing the directory using a directory client. A directory accessing the directory using a directory client. A directory
client (or client) is also known as a directory user agent client (or client) is also known as a directory user agent (DUA).
(DUA).
- "connection" and "LDAP connection" both refer to the underlying - "connection" and "LDAP connection" both refer to the underlying
transport protocol connection between two protocol peers. transport protocol connection between two protocol peers.
- "TLS connection" refers to a TLS-protected [TLS] LDAP - "TLS connection" refers to a TLS-protected [TLS] LDAP
connection. connection.
- "association" and "LDAP association" both refer to the - "association" and "LDAP association" both refer to the
association of the LDAP connection and its current association of the LDAP connection and its current
authentication and authorization state. authentication and authorization state.
2.2. Security Terms and Concepts 1.2.2. Security Terms and Concepts
In general, security terms in this document are used consistently In general, security terms in this document are used consistently
with the definitions provided in [Glossary]. In addition, several with the definitions provided in [RFC2828]. In addition, several
terms and concepts relating to security, authentication, and terms and concepts relating to security, authentication, and
authorization are presented in Appendix C of this document. While authorization are presented in Appendix C of this document. While
the formal definition of these terms and concepts is outside the the formal definition of these terms and concepts is outside the
scope of this document, an understanding of them is prerequisite to scope of this document, an understanding of them is prerequisite to
understanding much of the material in this document. Readers who are understanding much of the material in this document. Readers who are
unfamiliar with security-related concepts are encouraged to review unfamiliar with security-related concepts are encouraged to review
Appendix C before reading the remainder of this document. Appendix C before reading the remainder of this document.
2.3. Keywords 1.2.3. Keywords
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [Keyword]. document are to be interpreted as described in RFC 2119 [RFC2119].
2. Implementation Requirements
LDAP server implementations MUST support the anonymous
authentication mechanism of simple bind (as discussed in Section 6).
LDAP implementations that support any authentication mechanism other
than the anonymous authentication mechanism of simple bind MUST
support the DIGEST-MD5 [DIGEST-MD5] mechanism of SASL bind (as
detailed in section 11). DIGEST-MD5 is a reasonably strong
authentication mechanism that provides (mandatory-to-implement) data
security (data integrity and data confidentiality) services.
LDAP impementations SHOULD support the simple (DN and password)
authentication mechanism of simple bind (as detailed in section 8).
Implementations that support this mechanism MUST be capable of
protecting it by establishment of TLS (as discussed in section 3) or
other suitable suitable data confidentiality and data integrity
protection (e.g. IPSec).
Implementations MAY support additional mechanisms of the simple and
SASL bind choices. Some of these mechanisms are discussed below.
LDAP server implementations SHOULD support client assertion of
authorization identity via the SASL EXTERNAL mechanism (sections
3.2.2 and 9).
3. Start TLS Operation 3. Start TLS Operation
The Start Transport Layer Security (Start TLS) operation defined in The Start Transport Layer Security (Start TLS) operation defined in
section 4.13 of [Protocol] provides the ability to establish [TLS] section 4.14 of [Protocol] provides the ability to establish TLS
on an LDAP connection. [TLS] on an LDAP connection.
3.1. Sequencing of the Start TLS Operation 3.1. Sequencing of the Start TLS Operation
This section describes the overall procedures clients and servers This section describes the overall procedures clients and servers
must follow for TLS establishment. These procedures take into must follow for TLS establishment. These procedures take into
consideration various aspects of the overall security of the LDAP consideration various aspects of the overall security of the LDAP
association including discovery of resultant security level and association including discovery of resultant security level and
assertion of the client's authorization identity. assertion of the client's authorization identity.
Note that the precise effects, on a client's authorization identity, Note that the precise effects, on a client's authorization identity,
skipping to change at page 6, line 46 skipping to change at page 7, line 38
section 3.2. section 3.2.
3.1.1. Start TLS Request 3.1.1. Start TLS Request
A client may send the Start TLS extended request at any time after A client may send the Start TLS extended request at any time after
establishing an LDAP connection, except: establishing an LDAP connection, except:
- when TLS is currently established on the connection, - when TLS is currently established on the connection,
- when a multi-stage SASL negotiation is in progress on the - when a multi-stage SASL negotiation is in progress on the
connection, or connection, or
- when there are outstanding LDAP operations on the connection. - when it has not yet received responses for all operation
requests previously issued on the connection.
The result of violating any of these requirements is a resultCode of As described in [Protocol] Section 4.14.2.2, a (detected) violation
operationsError, as described in [Protocol] section 4.13.2.2. Client of any of these requirements results in a return of the
implementers should note that it is possible to receive a resultCode operationsError resultCode.
of success for a Start TLS operation that is sent on a connection
with outstanding LDAP operations if the server has sufficient time
to process them prior to its receiving the Start TLS request.
Implementors of clients should ensure that they do not inadvertently
depend upon this race condition.
There is no requirement that the client have or have not already Client implementers should ensure that they strictly follow these
performed a Bind operation (section 4) before sending a Start TLS operation sequencing requirements to prevent interoperability
operation request. issues. Operational experience has shown that violating these
requirements causes interoperability issues because there are race
conditions that prevent servers from detecting some violations of
these requirements due to server hardware speed, network latencies,
etc.
If the client did not establish a TLS connection before sending some There is no general requirement that the client have or have not
other request, and the server requires the client to establish a TLS already performed a Bind operation (section 4) before sending a
connection before performing that request, the server MUST reject Start TLS operation request.
that request by sending a resultCode of confidentialityRequired or
strongAuthRequired.
An LDAP server which requests that clients provide their certificate If the client did not establish a TLS connection before sending a
during TLS negotiation MAY use a local security policy to determine request and the server requires the client to establish a TLS
whether to successfully complete TLS negotiation if the client did connection before performing that request, the server MUST reject
not present a certificate which could be validated. that request by sending a resultCode of confidentialityRequired.
3.1.2. Start TLS Response 3.1.2. Start TLS Response
The server will return an extended response with the resultCode of The server will return an extended response with the resultCode of
success if it is willing and able to negotiate TLS. It will return success if it is willing and able to negotiate TLS. It will return
other resultCode values (documented in [Protocol] section 4.13.2.2) resultCode other than success (documented in [Protocol] section
if it is unwilling or unable to do so. 4.13.2.2) if it is unwilling or unable to do so.
In the successful case, the client (which has ceased to transfer In the successful case, the client (which has ceased to transfer
LDAP requests on the connection) MUST either begin a TLS negotiation LDAP requests on the connection) MUST either begin a TLS negotiation
or close the connection. The client will send PDUs in the TLS Record or close the connection. The client will send PDUs in the TLS Record
Protocol directly over the underlying transport connection to the Protocol directly over the underlying transport connection to the
server to initiate [TLS] negotiation. server to initiate [TLS] negotiation.
3.1.3. TLS Version Negotiation 3.1.3. TLS Version Negotiation
Negotiating the version of TLS to be used is a part of the TLS Negotiating the version of TLS to be used is a part of the TLS
Handshake Protocol [TLS]. Please refer to that document for details. Handshake Protocol [TLS]. Please refer to that document for details.
3.1.4. Discovery of Resultant Security Level 3.1.4. Client Certificate
In an LDAP server requests a client to provide its certificate
during TLS negotiation and the client does not present a suitablle
certifcate (e.g. one that can be validated), the server MAY use a
local security policy to determine whether to successfully complete
TLS negotiation.
If the client provides a certificate that can be validated,
information in the certificate may be used by the server in
establishing the client's authorization identity by use of the SASL
external mechanism as discussed in Section 9.
3.1.5. Discovery of Resultant Security Level
After a TLS connection is established on an LDAP connection, both After a TLS connection is established on an LDAP connection, both
parties must individually decide whether or not to continue based on parties must individually decide whether or not to continue based on
the security level achieved. Ascertaining the TLS connection's the security level achieved. The procedure for ascertaining the TLS
security level is implementation dependent and accomplished by connection's security level is implementation dependent.
communicating with one's respective local TLS implementation.
If the client or server decides that the level of authentication or If the client or server decides that the security level is not high
security is not high enough for it to continue, it SHOULD gracefully enough for it to continue, it SHOULD gracefully close the TLS
close the TLS connection immediately after the TLS negotiation has connection immediately after the TLS negotiation has completed (see
completed (see [Protocol] section 4.13.3.1 and section 3.2.3 below). [Protocol] section 4.13.3.1 and section 3.2.3 below). The client
If the client decides to continue, it may gracefully close the TLS may then close the connection, attempt to Start TLS again, send an
connection and attempt to Start TLS again, it may send an unbind unbind request, or send any other LDAP request.
request, or it may send any other LDAP request.
3.1.5. Server Identity Check 3.1.6. Server Identity Check
The client MUST check its understanding of the server's hostname The client MUST check its understanding of the server's hostname
against the server's identity as presented in the server's against the server's identity as presented in the server's
Certificate message in order to prevent man-in-the-middle attacks. Certificate message in order to prevent man-in-the-middle attacks.
Matching is performed according to these rules: Matching is performed according to these rules:
- The client MUST use the server provided by the user (or other - The client MUST use the server name provided by the user (or
trusted entity) as the value to compare against the server name other trusted entity) as the value to compare against the server
as expressed in the server's certificate. A hostname derived name as expressed in the server's certificate. A hostname
from the user input is to be considered provided by the user derived from the user input is to be considered provided by the
only if derived in a secure fashion (e.g., DNSSEC). user only if derived in a secure fashion (e.g., DNSSEC).
- If a subjectAltName extension of type dNSName is present in the - If a subjectAltName extension of type dNSName is present in the
certificate, it SHOULD be used as the source of the server's certificate, it SHOULD be used as the source of the server's
identity. identity.
- Matching is case-insensitive. - Matching is case-insensitive.
- The "*" wildcard character is allowed. If present, it applies - The "*" wildcard character is allowed. If present, it applies
only to the left-most name component. only to the left-most name component.
skipping to change at page 8, line 42 skipping to change at page 9, line 42
connection and indicate that the server's identity is suspect. connection and indicate that the server's identity is suspect.
Automated clients SHOULD close the connection, returning and/or Automated clients SHOULD close the connection, returning and/or
logging an error indicating that the server's identity is suspect. logging an error indicating that the server's identity is suspect.
Beyond the server identity checks described in this section, clients Beyond the server identity checks described in this section, clients
SHOULD be prepared to do further checking to ensure that the server SHOULD be prepared to do further checking to ensure that the server
is authorized to provide the service it is observed to provide. The is authorized to provide the service it is observed to provide. The
client may need to make use of local policy information in making client may need to make use of local policy information in making
this determination. this determination.
3.1.6. Refresh of Server Capabilities Information 3.1.7. Refresh of Server Capabilities Information
Upon TLS session establishment, the client SHOULD discard or refresh Upon TLS session establishment, the client SHOULD discard or refresh
all information about the server it obtained prior to the initiation all information about the server it obtained prior to the initiation
of the TLS negotiation and not obtained through secure mechanisms. of the TLS negotiation and not obtained through secure mechanisms.
This protects against active-intermediary attacks that may have This protects against man-in-the-middle attacks that may have
altered any server capabilities information retrieved prior to TLS altered any server capabilities information retrieved prior to TLS
establishment. establishment.
The server may advertise different capabilities after TLS The server may advertise different capabilities after TLS
establishment. In particular, the value of supportedSASLMechanisms establishment. In particular, the value of supportedSASLMechanisms
may be different after TLS has been negotiated (specifically, the may be different after TLS has been negotiated (specifically, the
EXTERNAL and PLAIN [PLAIN] mechanisms are likely to be listed only EXTERNAL and PLAIN [PLAIN] mechanisms are likely to be listed only
after a TLS negotiation has been performed). after a TLS negotiation has been performed).
3.2. Effects of TLS on a Client's Authorization Identity 3.2. Effects of TLS on a Client's Authorization Identity
skipping to change at page 9, line 16 skipping to change at page 10, line 16
The default effects are described first, and next the facilities for The default effects are described first, and next the facilities for
client assertion of authorization identity are discussed including client assertion of authorization identity are discussed including
error conditions. Finally, the effects of closing the TLS connection error conditions. Finally, the effects of closing the TLS connection
are described. are described.
Authorization identities and related concepts are described in Authorization identities and related concepts are described in
Appendix C. Appendix C.
3.2.1. TLS Connection Establishment Effects 3.2.1. TLS Connection Establishment Effects
The decision to keep or invalidate the established authentication The decision to keep or invalidate the established LDAP association
and authorization identities in place after TLS closure is a matter (section 12) after TLS connection establishment is a matter of local
of local server policy. server policy.
3.2.2. Client Assertion of Authorization Identity 3.2.2. Client Assertion of Authorization Identity
After successfully establishing a TLS session, a client may request After successfully establishing a TLS session, a client may request
that its credentials exchanged during the TLS establishment be that its certificate exchanged during the TLS establishment be
utilized to authenticate the LDAP association and thus determine the utilized to determine the authorization identity of the LDAP
client's authorization status. The client accomplishes this via an association. The client accomplishes this via an LDAP Bind request
LDAP Bind request specifying a SASL mechanism of EXTERNAL [SASL] specifying a SASL mechanism of EXTERNAL [SASL] (section 9).
(section 9). LDAP server implementations SHOULD support this
authentication method.
3.2.3. TLS Connection Closure Effects 3.2.3. TLS Connection Closure Effects
The decision to keep or invalidate the established authentication The decision to keep or invalidate the established LDAP association
and authorization identities in place after TLS closure is a matter after TLS closure is a matter of local server policy.
of local server policy.
4. Bind Operation 4. LDAP Associations
The Bind operation defined in section 4.2 of [Protocol] allows Every LDAP connection has an associated authentication and
authentication information to be exchanged between the client and authorization state referred to as the "LDAP association". The Bind
server to establish a new LDAP association. operation defined in section 4.2 of [Protocol] and discussed further
in section 5 below allows authentication information to be exchanged
between the client and server to set the authentication and
authorization state and thus establish a new LDAP association.
4.1. Anonymous LDAP Association on Unbound Connections
Prior to the successful completion of a Bind operation and during
any subsequent authentication exchange, the session has an anonymous
LDAP association. Among other things this implies that the client
need not send a Bind Request in the first PDU of the connection. The
client may send any operation request prior to binding, and the
server MUST treat it as if it had been performed after an anonymous
bind operation (section 6). This authentication state on an LDAP
association is sometimes referred to as an implied anonymous bind.
4.2 Anonymous LDAP Association After Failed Bind
Upon receipt of a Bind request, the LDAP association is moved to an Upon receipt of a Bind request, the LDAP association is moved to an
anonymous state and only upon successful completion of the anonymous state and only upon successful completion of the
authentication exchange (and the Bind operation) is the association authentication exchange (and the Bind operation) is the association
moved to an authenticated state. moved to an authenticated state. Thus, a failed Bind operation
produces an anonymous LDAP association on the session.
4.1. Simple Authentication 4.3. Invalidated Associations
The server may invalidate the LDAP association at any time, e.g. if
the established security association between the client and server
has unexpectedly failed or been compromised. The association
remains invalidated until the next bind request. While the
association is invalidated, the server may reject any operation
request other than Bind, Unbind, and Start TLS by responding with a
resultCode of strongAuthRequired to indicate that the client needs
to bind to reestablish its authentication state before the server
will attempt to perform the requested operation. This behavior is
explained here to help client implementers properly understand and
react to this situation.
5. Bind Operation
The Bind operation ([Protocol] section 4.2) allows authentication
information to be exchanged between the client and server to
establish a new LDAP association.
The Bind request typically specifies the desired authentication
identity. Some Bind mechanisms also allow the client to specify the
authorization identity. If the authorization identity is not
specified, the server derives it from the authentication identity in
an implementation-specific manner.
If the authorization identity is specified the server MUST verify
that the client's authentication identity is permitted to assume
(e.g. proxy for) the asserted authorization identity. The server
MUST reject the Bind operation with an invalidCredentials resultCode
in the Bind response if the client is not so authorized.
5.1. Simple Authentication Choice
The simple authentication choice of the Bind Operation provides The simple authentication choice of the Bind Operation provides
minimal facilities for establishing an anonymous association three authentication mechanisms:
(section 6) or for establishing an LDAP association based upon
credentials consisting of a name (in the form of an LDAP
distinguished name [LDAPDN]) and a password (section 7).
4.2. SASL Authentication 1. an anonymous authentication mechanism (section 6),
The sasl authentication choice of the Bind Operation provides
facilities for authenticating via SASL mechanisms (sections 8-10).
5. Anonymous LDAP Association on Unbound Connections 2. an unauthenticated authentication mechanism (section 7), and
Prior to the successful completion of a Bind operation and during 3. a simple authentication mechanism using credentials consisting
any subsequent authentication exchange, the session has an anonymous of a name (in the form of an LDAP distinguished name [LDAPDN])
LDAP association. Among other things this implies that the client and a password (section X).
need not send a Bind Request in the first PDU of the connection. The
client may send any operation request prior to binding, and the
server MUST treat it as if it had been performed after an anonymous
bind operation. This authentication state on an LDAP association is
sometimes referred to as an implied anonymous bind.
6. Anonymous Authentication 5.2. SASL Authentication Choice
Directory operations that modify entries or access protected The sasl authentication choice of the Bind Operation provides
attributes or entries generally require client authentication. facilities for using any SASL mechanism (sections 9-11) including
Clients that do not intend to perform any of these operations authentication mechanisms and other services (e.g. data security
typically use anonymous authentication. services).
An LDAP client may explicitly establish an anonymous association by 6. Anonymous Authentication Mechanism of Simple Bind
sending a Bind Request with the simple authentication choice
containing a value--construed as the password--of zero length. A An LDAP client may use the anonymous authentication mechanism of the
bind request where both the name and password are of zero length is simple Bind choice to explicitly establish an anonymous LDAP
said to be an anonymous bind. A bind request where the name, a DN, association by sending a Bind request with a name value of zero
is of non-zero length, and the password is of zero length is said to length and with the simple authentication choice containing a
be an unauthenticated bind. Both variations produce an anonymous password value of zero length.
association.
7. Unauthenticated Authentication Mechanism of Simple Bind
An LDAP client may use the unauthenticated authentication mechanism
of the simple Bind choice to establish an anonymous LDAP association
by sending a Bind request with a name value, a distinguished name in
LDAP string form [LDAPDN], of non-zero length, and specifying the
the simple authentication choice containing a password value of zero
length.
Unauthenticated binds can have significant security issues (see Unauthenticated binds can have significant security issues (see
section 14). Servers SHOULD by default reject unauthenticated bind section 14). Servers SHOULD by default reject unauthenticated bind
requests with a resultCode of invalidCredentials, and clients may requests with a resultCode of invalidCredentials, and clients may
need to actively detect situations where they would make an need to actively detect situations where they would unintentionally
unauthenticated bind request. make an unauthenticated bind request.
An LDAP server may use other information about the client provided 8. Simple Authentication Mechanism of Simple Bind
by the lower layers or external means to grant or deny access even
to anonymously authenticated clients.
LDAP implementations MUST support anonymous authentication. An LDAP client may use the simple authentication mechanism of the
simple Bind choice to establish an authenticated LDAP association by
sending a Bind request with a name value, a distinguished name in
LDAP string form [LDAPDN], and specifying the simple authentication
choice containing an OCTET STRING password value of non-zero length.
7. Simple Authentication Servers that map the DN sent in the bind request to a directory
entry with an associated set of one or more passwords, will compare
the presented password to the set of passwords associated with that
entry. The presented password is considered valid if it matches any
member of this set.
An LDAP client may establish an LDAP association by sending a Bind If the DN is not valid, or the password is not valid for the DN, or
Request with a name value consisting of an LDAP distinguished name the server otherwise considers the credentials to be invalid, the
[LDAPDN] and specifying the simple authentication choice with a server is to return the invalidCredentials result code. The server
password value. is only to return success result code when the credentials are valid
and the server is willing to provide service to the entity these
credentials identify.
DSAs that map the DN sent in the bind request to a directory entry Server behavior is undefined for Bind requests with a zero-length
with an associated set of one or more passwords will compare the name value and specifying the simple authentication choice with a
presented password to the set of passwords associated with that value of non-zero length.
entry. If the presented password matches any member of that set,
then the server will respond with a success resultCode, otherwise
the server will respond with an invalidCredentials resultCode.
The simple authentication choice is not suitable for authentication The simple authentication mechanism of simple bind is not suitable
in environments where there is no network or transport layer for authentication in environments where there is no network or
confidentiality. LDAP implementations SHOULD support authentication transport layer confidentiality. LDAP implementations MUST be
with the "simple" authentication choice when the connection is capable of protecting it by establishment of TLS (as discussed in
protected against eavesdropping using TLS, as defined in section 4. section 3) or other suitable data confidentiality and data integrity
LDAP implementations SHOULD NOT support authentication with the protection(e.g. IPSec). LDAP implementations
"simple" authentication choice unless the data on the connection is SHOULD support authentication with the "simple" authentication
protected using TLS or other data confidentiality and data integrity choice when the connection is protected against eavesdropping using
protection. TLS, as defined in section 4. LDAP implementations SHOULD NOT
support authentication with the "simple" authentication choice
unless the data on the connection is protected using TLS or other
data confidentiality and data integrity protection.
8. SASL Authentication Profile 9. SASL Protocol Profile
LDAP allows authentication via any SASL mechanism [SASL]. As LDAP LDAP allows authentication via any SASL mechanism [SASL]. As LDAP
includes native anonymous and plaintext authentication methods, the includes native anonymous and simple (plain text) authentication
ANONYMOUS [ANONYMOUS] and PLAIN [PLAIN] SASL mechanisms are methods, the ANONYMOUS [ANONYMOUS] and PLAIN [PLAIN] SASL mechanisms
typically not used with LDAP. are typically not used with LDAP.
Each protocol that utilizes SASL services is required to supply Each protocol that utilizes SASL services is required to supply
certain information profiling the way they are exposed through the certain information profiling the way they are exposed through the
protocol ([SASL] section 5). This section explains how each of these protocol ([SASL] section 5). This section explains how each of these
profiling requirements are met by LDAP. profiling requirements are met by LDAP.
8.1. SASL Service Name for LDAP 9.1. SASL Service Name for LDAP
The SASL service name for LDAP is "ldap", which has been registered The SASL service name for LDAP is "ldap", which has been registered
with the IANA as a GSSAPI service name. with the IANA as a GSSAPI service name.
8.2. SASL Authentication Initiation and Protocol Exchange 9.2. SASL Authentication Initiation and Protocol Exchange
SASL authentication is initiated via an LDAP bind request SASL authentication is initiated via an LDAP bind request
([Protocol] section 4.2) with the following parameters: ([Protocol] section 4.2) with the following parameters:
- The version is 3. - The version is 3.
- The AuthenticationChoice is sasl. - The AuthenticationChoice is sasl.
- The mechanism element of the SaslCredentials sequence contains - The mechanism element of the SaslCredentials sequence contains
the value of the desired SASL mechanism. the value of the desired SASL mechanism.
- The optional credentials field of the SaslCredentials sequence - The optional credentials field of the SaslCredentials sequence
may be used to provide an initial client response for may be used to provide an initial client response for
skipping to change at page 12, line 5 skipping to change at page 14, line 5
series of server challenges and client responses, the contents of series of server challenges and client responses, the contents of
which are specific to and defined by the SASL mechanism. Thus for which are specific to and defined by the SASL mechanism. Thus for
some SASL authentication mechanisms, it may be necessary for the some SASL authentication mechanisms, it may be necessary for the
client to respond to one or more server challenges by invoking the client to respond to one or more server challenges by invoking the
BindRequest multiple times. A challenge is indicated by the server BindRequest multiple times. A challenge is indicated by the server
sending a BindResponse with the resultCode set to sending a BindResponse with the resultCode set to
saslBindInProgress. This indicates that the server requires the saslBindInProgress. This indicates that the server requires the
client to send a new bind request with the same sasl mechanism to client to send a new bind request with the same sasl mechanism to
continue the authentication process. continue the authentication process.
To the encapsulating protocol, these challenges and responses are To the LDAP protocol, these challenges and responses are opaque
opaque binary tokens of arbitrary length. LDAP servers use the binary tokens of arbitrary length. LDAP servers use the
serverSaslCreds field, an OCTET STRING, in a bind response message serverSaslCreds field, an OCTET STRING, in a bind response message
to transmit each challenge. LDAP clients use the credentials field, to transmit each challenge. LDAP clients use the credentials field,
an OCTET STRING, in the SaslCredentials sequence of a bind request an OCTET STRING, in the SaslCredentials sequence of a bind request
message to transmit each response. Note that unlike some Internet message to transmit each response. Note that unlike some Internet
protocols where SASL is used, LDAP is not text-based, thus no Base64 protocols where SASL is used, LDAP is not text-based, thus no Base64
transformations are performed on these challenge and response transformations are performed on these challenge and response
values. values.
Clients sending a bind request with the sasl choice selected SHOULD Clients sending a bind request with the sasl choice selected SHOULD
NOT send a value in the name field. Servers receiving a bind request send an zero-length value in the name field. Servers receiving a
with the sasl choice selected SHALL ignore any value in the name bind request with the sasl choice selected SHALL ignore any value in
field. the name field.
A client may abort a SASL bind negotiation by sending a BindRequest A client may abort a SASL bind negotiation by sending a BindRequest
with a different value in the mechanism field of SaslCredentials, or with a different value in the mechanism field of SaslCredentials, or
an AuthenticationChoice other than sasl. an AuthenticationChoice other than sasl.
If the client sends a BindRequest with the sasl mechanism field as If the client sends a BindRequest with the sasl mechanism field as
an empty string, the server MUST return a BindResponse with an empty string, the server MUST return a BindResponse with
authMethodNotSupported as the resultCode. This will allow clients to authMethodNotSupported as the resultCode. This will allow clients to
abort a negotiation if it wishes to try again with the same SASL abort a negotiation if it wishes to try again with the same SASL
mechanism. mechanism.
The server indicates completion of the SASL challenge-response The server indicates completion of the SASL challenge-response
exchange by responding with a bind response in which the resultCode exchange by responding with a bind response in which the resultCode
is either success, or an error indication. is either success, or an error indication.
The serverSaslCreds field in the bind response can be used to The serverSaslCreds field in the bind response can be used to
include an optional challenge with a success notification for include an optional challenge with a success notification for
mechanisms which are defined to have the server send additional data mechanisms which are defined to have the server send additional data
along with the indication of successful completion. along with the indication of successful completion.
8.3. Octet Where Negotiated Security Mechanisms Take Effect [[TODO: Some implementations send back a serverSaslCreds field with
zero length rather than just omitting it as part of the final bind
response. Some clients expect this present/zero-length behavior.
Need to provide clarification at this point of the document on what
behavior is expected and what servers and clients should do to
promote interoperability when unexpected behavior occurs. This issue
is being taken up with the SASL WG. Likely outcome: both approaches
will be declared equivalent, servers will be advised to send back
present, zero-length field, clients will be advised to accept
either.]]
9.3. Octet Where Negotiated Security Mechanisms Take Effect
SASL security layers take effect following the transmission by the SASL security layers take effect following the transmission by the
server and reception by the client of the final successful server and reception by the client of the final successful
BindResponse in the exchange. BindResponse in the exchange.
Once a SASL security layer providing integrity or confidentiality Once a SASL security layer providing integrity or confidentiality
services takes effect, the layer remains in effect until a new layer services takes effect, the layer remains in effect until a new layer
is installed (i.e. at the first octet following the final is installed (i.e. at the first octet following the final
BindResponse of the bind operation that caused the new layer to take BindResponse of the bind operation that caused the new layer to take
effect). effect). Thus, an established SASL security layer is not affected
by a failed or non-SASL Bind.
8.4. Determination of Supported SASL Mechanisms 9.4. Determination of Supported SASL Mechanisms
Clients may determine the SASL mechanisms a server supports by Clients may determine the SASL mechanisms a server supports by
reading the 'supportedSASLMechanisms ' attribute from the root DSE reading the supportedSASLMechanisms attribute from the root DSE
(DSA-Specific Entry) ([Models] section 5.1). The values of this (DSA-Specific Entry) ([Models] section 5.1). The values of this
attribute, if any, list the mechanisms the server supports in the attribute, if any, list the mechanisms the server supports in the
current LDAP session state. current LDAP session state. LDAP servers SHOULD allow an
anonymously-bound client to retrieve the supportedSASLMechanisms
attribute of the root DSE.
LDAP servers SHOULD allow an anonymously-bound client to retrieve Because SASL mechanisms provide critical security functions, clients
the supportedSASLMechanisms attribute of the root DSE. and servers should be configurable to specify what mechanisms are
acceptable and allow only those mechanisms to be used. Both clients
and servers must confirm that the negotiated security level meets
their requirements before proceeding to use the connection.
8.5. Rules for Using SASL Security Layers 9.5. Rules for Using SASL Security Layers
If a SASL security layer is negotiated, the client SHOULD discard If a SASL security layer is negotiated, the client SHOULD discard
information about the server it obtained prior to the initiation of information about the server it obtained prior to the initiation of
the SASL negotiation and not obtained through secure mechanisms. the SASL negotiation and not obtained through secure mechanisms.
If a lower level security layer (such as TLS) is negotiated, any If a lower level security layer (such as TLS) is negotiated, any
SASL security services SHALL be layered on top of such security SASL security services SHALL be layered on top of such security
layers regardless of the order of their negotiation. In all other layers regardless of the order of their negotiation. In all other
respects, SASL security services and other security layers act respects, SASL security services and other security layers act
independently, e.g. if both TLS and SASL security service are in independently, e.g. if both TLS and SASL security service are in
effect removing the SASL security service does not affect the effect then removing the SASL security service does not affect the
continuing service of TLS and vice versa. continuing service of TLS and vice versa.
Because SASL mechanisms provide critical security functions, clients 9.6 Support for Multiple Authentications
and servers should allow the user to specify what mechanisms are
acceptable and allow only those mechanisms to be used.
9. SASL EXTERNAL Mechanism LDAP supports multiple SASL authentications as defined in [SASL]
section 6.3.
10. SASL EXTERNAL Mechanism
A client can use the EXTERNAL SASL [SASL] mechanism to request the A client can use the EXTERNAL SASL [SASL] mechanism to request the
LDAP server to make use of security credentials exchanged by a lower LDAP server to authenticate and establish a resulting authorization
security layer (such as by TLS authentication or IP-level security identity using security credentials exchanged by a lower security
[SecArch]). layer (such as by TLS authentication or IP-level security
[RFC2401]).
If the client's authentication credentials have not been established The resulting authentication identity of the LDAP association is
at a lower security layer, the SASL EXTERNAL bind MUST fail with a derived from the security credentials in an implementation-specific
resultCode of inappropriateAuthentication. Any client manner. If the client's authentication credentials have not been
authentication and authorization state of the LDAP association is established at a lower security layer, the SASL EXTERNAL bind MUST
lost, so the LDAP association is in an anonymous state after the fail with a resultCode of inappropriateAuthentication. Although
failure (see [Protocol] section 4.2.1). In such a situation, the this situation has the effect of leaving the LDAP association in an
state of any established security layer is unaffected. anonymous state (section 5), the state of any established security
layer is unaffected.
A client may either implicitly request that its LDAP authorization A client may either implicitly request that its LDAP authorization
identity be derived from a lower layer or it may explicitly provide identity be derived from its authentication credentials exchanged at
an authorization identity and assert that it be used in combination a lower security layer or it may explicitly provide an authorization
with its authenticated TLS credentials. The former is known as an identity and assert that it be used in combination with those
implicit assertion, and the latter as an explicit assertion. authentication credentials. The former is known as an implicit
assertion, and the latter as an explicit assertion.
9.1. Implicit Assertion 10.1. Implicit Assertion
An implicit authorization identity assertion is performed by An implicit authorization identity assertion is performed by
invoking a Bind request of the SASL form using the EXTERNAL invoking a Bind request of the SASL form using the EXTERNAL
mechanism name that does not include the optional credentials octet mechanism name that does not include the optional credentials octet
string (found within the SaslCredentials sequence in the Bind string (found within the SaslCredentials sequence in the Bind
Request). The server will derive the client's authorization identity Request). The server will derive the client's authorization identity
from the authentication identity supplied by the security layer from the authentication identity supplied by the security layer
(e.g., a public key certificate used during TLS establishment) (e.g., a public key certificate used during TLS establishment)
according to local policy. The underlying mechanics of how this is according to local policy. The underlying mechanics of how this is
accomplished are implementation specific. accomplished are implementation specific.
9.2. Explicit Assertion 10.2. Explicit Assertion
An explicit authorization identity assertion is performed by An explicit authorization identity assertion is performed by
invoking a Bind request of the SASL form using the EXTERNAL invoking a Bind request of the SASL form using the EXTERNAL
mechanism name that includes the credentials octet string. This mechanism name that includes the credentials octet string. This
string MUST be constructed as documented in section 3.4.1. string MUST be constructed as documented in section 3.4.1.
The server MUST verify that the client's authentication identity as 10.3. SASL Authorization Identity
supplied in its TLS credentials is permitted to be mapped to the
asserted authorization identity. The server MUST reject the Bind
operation with an invalidCredentials resultCode in the Bind response
if the client is not so authorized.
9.3. SASL Authorization Identity
When the EXTERNAL SASL mechanism is being negotiated, if the When the EXTERNAL SASL mechanism is being negotiated, if the
SaslCredentials credentials field is present, it contains an SaslCredentials credentials field is present, it contains an
authorization identity. Other mechanisms define the location of the authorization identity. Other mechanisms define the location of the
authorization identity in the credentials field. In either case, the authorization identity in the credentials field. In either case, the
authorization identity is represented in the authzId form described authorization identity is represented in the authzId form described
below. below.
9.4 Authorization Identity Syntax 10.4. SASL Authorization Identity Syntax
The authorization identity is a string of [UTF-8] encoded [Unicode] The authorization identity is a string of UTF-8 [RFC3629] encoded
characters corresponding to the following [ABNF] grammar: [Unicode] characters corresponding to the following ABNF [RFC2234]
grammar:
authzId = dnAuthzId / uAuthzId authzId = dnAuthzId / uAuthzId
DNCOLON = %x64 %x6e %x3a ; "dn:" DNCOLON = %x64 %x6e %x3a ; "dn:"
UCOLON = %x75 %x3a ; "u:" UCOLON = %x75 %x3a ; "u:"
; distinguished-name-based authz id. ; distinguished-name-based authz id.
dnAuthzId = DNCOLON distinguishedName dnAuthzId = DNCOLON distinguishedName
; unspecified authorization id, UTF-8 encoded. ; unspecified authorization id, UTF-8 encoded.
uAuthzId = UCOLON userid uAuthzId = UCOLON userid
userid = *UTF8 ; syntax unspecified userid = *UTF8 ; syntax unspecified
where the <distinguishedName> production is defined in section 3 of where the <distinguishedName> production is defined in section 3 of
[LDAPDN] and <UTF8> production is defined in section 1.3 of [LDAPDN] and <UTF8> production is defined in section 1.3 of [Models].
[Models].
In order to support additional specific authorization identity In order to support additional specific authorization identity
forms, future updates to this specification may add new choices forms, future updates to this specification may add new choices
supporting other forms may be added to the authzId production. supporting other forms of the authzId production.
The dnAuthzId choice allows clients to assert authorization The dnAuthzId choice is used to assert authorization identities in
identities in the form of a distinguished name to be matched in the form of a distinguished name to be matched in accordance with
accordance with the distinguishedNameMatch matching rule [Syntaxes]. the distinguishedNameMatch matching rule [Syntaxes]. The decision to
The decision to allow or disallow an authentication identity to have allow or disallow an authentication identity to have access to the
access to the requested authorization identity is a matter of local requested authorization identity is a matter of local policy ([SASL]
policy ([SASL] section 4.2). For this reason there is no requirement section 4.2). For this reason there is no requirement that the
that the asserted dn be that of an entry in directory. asserted dn be that of an entry in the directory.
The uAuthzId choice allows for compatibility with clients that wish The uAuthzId choice allows for compatibility with clients that wish
to assert an authorization identity to a local directory but do not to assert an authorization identity to a directory but do not have
have that identity in distinguished name form. The value contained that identity in distinguished name form. The value contained within
within a uAuthzId MUST be prepared using [SASLPrep] before being a uAuthzId MUST be prepared using [SASLPrep] before being compared
compared octet-wise. The format of userid is defined as only a octet-wise. The format of userid is defined as only a sequence of
sequence of [UTF-8] encoded [Unicode] characters, and further UTF-8 [RFC3629] encoded [Unicode] characters, and further
interpretation is subject to prior agreement between the client and interpretation is subject to prior agreement between the client and
server. server.
For example, the userid could identify a user of a specific For example, the userid could identify a user of a specific
directory service or be a login name or the local-part of an RFC 822 directory service or be a login name or the local-part of an RFC 822
email address. A uAuthzId SHOULD NOT be assumed to be globally email address. A uAuthzId SHOULD NOT be assumed to be globally
unique. unique.
10. SASL DIGEST-MD5 Mechanism 11. SASL DIGEST-MD5 Mechanism
LDAP servers that implement any authentication method or mechanism LDAP servers that implement any authentication method or mechanism
other than simple anonymous bind MUST implement the SASL other than simple anonymous bind MUST implement the SASL
DIGEST-MD5 mechanism [DIGEST-MD5]. This provides client DIGEST-MD5 mechanism [DIGEST-MD5]. This provides client
authentication with protection against passive eavesdropping attacks authentication with protection against passive eavesdropping attacks
but does not provide protection against active intermediary attacks. but does not provide protection against man-in-the-middle attacks.
DIGEST-MD5 also provides data integrity and data confidentiality DIGEST-MD5 also provides data integrity and data confidentiality
capabilities. capabilities.
Support for subsequent authentication ([DIGEST-MD5] section 2.2) is Support for subsequent authentication ([DIGEST-MD5] section 2.2) is
OPTIONAL in clients and servers. OPTIONAL in clients and servers.
Implementers must take care to ensure that they maintain the Implementers must take care to ensure that they maintain the
semantics of the DIGEST-MD5 specification even when handling data semantics of the DIGEST-MD5 specification even when handling data
that has different semantics in the LDAP protocol. that has different semantics in the LDAP protocol.
For example, the SASL DIGEST-MD5 authentication mechanism utilizes For example, the SASL DIGEST-MD5 authentication mechanism utilizes
skipping to change at page 15, line 52 skipping to change at page 18, line 12
and realm values that look like LDAP DNs in form, e.g. <cn=bob, and realm values that look like LDAP DNs in form, e.g. <cn=bob,
dc=example,dc=com>, are syntactically allowed, however DIGEST-MD5 dc=example,dc=com>, are syntactically allowed, however DIGEST-MD5
treats them as simple strings for comparison purposes. To illustrate treats them as simple strings for comparison purposes. To illustrate
further, the two DNs <cn=Bob,dc=example,dc=com> (upper case "B") and further, the two DNs <cn=Bob,dc=example,dc=com> (upper case "B") and
<cn=bob,dc=example,dc=com> (lower case "b") are equivalent when <cn=bob,dc=example,dc=com> (lower case "b") are equivalent when
being compared semantically as LDAP DNs because the cn attribute is being compared semantically as LDAP DNs because the cn attribute is
defined to be case insensitive, however the two values are not defined to be case insensitive, however the two values are not
equivalent if they represent username values in DIGEST-MD5 because equivalent if they represent username values in DIGEST-MD5 because
[SASLPrep] semantics are used by DIGEST-MD5. [SASLPrep] semantics are used by DIGEST-MD5.
11. General Requirements for Password-based Authentication 12. General Requirements for Password Handling
The transmission of passwords in the clear--typically for The transmission of passwords in the clear--typically for
authentication or modification--poses a significant security risk. authentication or modification--poses a significant security risk.
This risk can be avoided by using SASL authentication [SASL] This risk can be avoided by using SASL authentication [SASL]
mechanisms that do not transmit passwords in the clear or by mechanisms that do not transmit passwords in the clear or by
negotiating transport or session layer confidentiality services negotiating transport or session layer confidentiality services
before transmitting password values. before transmitting password values.
To mitigate the security risks associated with the use of passwords, To mitigate the security risks associated with the use of passwords,
a server implementation MUST implement a configuration that at the a server implementation that supports any password-based
authentication mechanism MUST implement a configuration that at the
time of authentication or password modification, requires: time of authentication or password modification, requires:
1) A Start TLS encryption layer has been successfully negotiated. 1) A Start TLS encryption layer has been successfully negotiated.
OR OR
2) Some other confidentiality mechanism that protects the password 2) Some other confidentiality mechanism that protects the password
value from snooping has been provided. value from snooping has been provided.
OR OR
3) The server returns a resultCode of confidentialityRequired for 3) The server returns a resultCode of confidentialityRequired for
the operation (i.e. simple bind with password value, SASL bind the operation (i.e. simple bind with password value, SASL bind
transmitting a password value in the clear, add or modify transmitting a password value in the clear, add or modify
including a userPassword value, etc.), even if the password including a userPassword value, etc.), even if the password
value is correct. value is correct.
12. Invalidated Associations
The server may, at any time, invalidate the association, e.g. if the
established security association between the client and server has
unexpectedly failed or been compromised. The association remains
invalidated until the next successful bind request. While the
association is invalidated, the server may reject any operation
request other than Bind, Unbind, and Start TLS by responding with a
resultCode of strongAuthRequired to indicate that the client needs
to bind to reestablish its authentication state before performing
the requested operation.
13. TLS Ciphersuites 13. TLS Ciphersuites
A client or server that supports TLS MUST support A client or server implementation that supports TLS MUST support
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA. Servers SHOULD NOT support TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA. Servers SHOULD NOT support weaker
weaker ciphersuites unless other data integrity and ciphersuites unless other data integrity and confidentiality
confidentiality protection (such as a SASL security layer) is protection (such as a SASL security layer) is in place.
in place
Several issues should be considered when selecting TLS ciphersuites Several issues should be considered when selecting TLS ciphersuites
that are appropriate for use in a given circumstance. These issues that are appropriate for use in a given circumstance. These issues
include the following: include the following:
- The ciphersuite's ability to provide adequate confidentiality - The ciphersuite's ability to provide adequate confidentiality
protection for passwords and other data sent over the LDAP protection for passwords and other data sent over the LDAP
connection. Client and server implementers should recognize that connection. Client and server implementers should recognize that
some TLS ciphersuites provide no confidentiality protection some TLS ciphersuites provide no confidentiality protection
while other ciphersuites that do provide confidentiality while other ciphersuites that do provide confidentiality
skipping to change at page 18, line 30 skipping to change at page 20, line 30
Operational experience shows that clients can (and frequently do) Operational experience shows that clients can (and frequently do)
misuse unauthenticated bind (see section 5.1). For example, a misuse unauthenticated bind (see section 5.1). For example, a
client program might make a decision to grant access to non- client program might make a decision to grant access to non-
directory information on the basis of completing a successful bind directory information on the basis of completing a successful bind
operation. Some LDAP server implementations will return a success operation. Some LDAP server implementations will return a success
response to an unauthenticated bind thus leaving the client with the response to an unauthenticated bind thus leaving the client with the
impression that the server has successfully authenticated the impression that the server has successfully authenticated the
identity represented by the user name, when in effect, an anonymous identity represented by the user name, when in effect, an anonymous
LDAP association has been created. Clients that use the results from LDAP association has been created. Clients that use the results from
a simple bind operation to make authorization decisions should a simple bind operation to make authorization decisions should
actively detect unauthenticated bind requests (via the empty actively detect unauthenticated bind requests (by verifying that the
password value) and react appropriately. supplied password is not empty) and react appropriately.
Access control SHOULD always be applied when reading sensitive Access control SHOULD always be applied when reading sensitive
information or updating directory information. information or updating directory information.
A connection on which the client has not established connection A connection on which the client has not established connection
integrity and privacy services (e.g via Start TLS, IPSec or a integrity and privacy services (e.g via Start TLS, IPSec or a
suitable SASL mechanism) is subject to man-in-the-middle attacks to suitable SASL mechanism) is subject to man-in-the-middle attacks to
view and modify information in transit. view and modify information in transit.
LDAP itself provides no security or protection from accessing or
updating the directory by other means than through the LDAP
protocol, e.g. from inspection by database administrators.
Client and server implementors SHOULD take measures to protect
credentials and other confidential data by using data protection
services as discussed in this document.
Additional security considerations relating to the various
authentication methods and mechanisms discussed in this document
apply and can be found in [DIGEST-MD5], [SASL], [SASLPrep],
[StringPrep], [TLS] and [RFC3629].
14.1. Start TLS Security Considerations 14.1. Start TLS Security Considerations
The goals of using the TLS protocol with LDAP are to ensure The goals of using the TLS [TLS] protocol with LDAP are to ensure
connection confidentiality and integrity, and to optionally provide connection confidentiality and integrity, and to optionally provide
for authentication. [TLS] expressly provides these capabilities. for authentication. TLS expressly provides these capabilities
(although the authentication services of TLS are available to LDAP
only in combination with the SASL EXTERNAL authentication method,
and then only if the SASL EXTERNAL implementation chooses to make
use of the TLS credentials).
All security gained via use of the Start TLS operation is gained by All security gained via use of the Start TLS operation is gained by
the use of TLS itself. The Start TLS operation, on its own, does not the use of TLS itself. The Start TLS operation, on its own, does not
provide any additional security. provide any additional security.
Once established, TLS only provides for and ensures confidentiality
and integrity of the operations and data in transit over the LDAP
connection--and only if the implementations on the client and server
support and negotiate it. The use of TLS does not provide or ensure
for confidentiality and/or non-repudiation of the data housed by an
LDAP-based directory server. Nor does it secure the data from
inspection by the server administrators.
The level of security provided though the use of TLS depends The level of security provided though the use of TLS depends
directly on both the quality of the TLS implementation used and the directly on both the quality of the TLS implementation used and the
style of usage of that implementation. Additionally, an active- style of usage of that implementation. Additionally, an man-in-the-
intermediary attacker can remove the Start TLS extended operation middle attacker can remove the Start TLS extended operation from the
from the supported attribute of the root DSE. Therefore, both supportedExtension attribute of the root DSE. Both parties SHOULD
parties SHOULD independently ascertain and consent to the security independently ascertain and consent to the security level achieved
level achieved once TLS is established and before beginning use of once TLS is established and before beginning use of the TLS
the TLS connection. For example, the security level of the TLS connection. For example, the security level of the TLS connection
connection might have been negotiated down to plaintext. might have been negotiated down to plaintext.
Clients SHOULD either warn the user when the security level achieved Clients SHOULD either warn the user when the security level achieved
does not provide data confidentiality and/or integrity protection, does not provide data confidentiality and/or integrity protection,
or be configurable to refuse to proceed without an acceptable level or be configurable to refuse to proceed without an acceptable level
of security. of security.
Client and server implementors SHOULD take measures to ensure proper
protection of credentials and other confidential data where such
measures are not otherwise provided by the TLS implementation.
Server implementors SHOULD allow for server administrators to elect Server implementors SHOULD allow for server administrators to elect
whether and when connection confidentiality and/or integrity is whether and when connection confidentiality and/or integrity is
required, as well as elect whether and when client authentication required, as well as elect whether and when client authentication
via TLS is required. via TLS is required.
Additional security considerations relating to the EXTERNAL Implementers should be aware of and understand TLS security
mechanism to negotiate TLS can be found in [SASL] and [TLS]. considerations as discussed in the TLS specification [TLS].
15. IANA Considerations 15. IANA Considerations
The following IANA considerations apply to this document: The following IANA considerations apply to this document:
Please update the GSSAPI service name registry to point to [Roadmap] Please update the GSSAPI service name registry to point to [Roadmap]
and this document. and this document.
[To be completed] [To be completed]
Acknowledgements Acknowledgments
This document combines information originally contained in RFC 2829 This document combines information originally contained in RFC 2829
and RFC 2830. The editor acknowledges the work of Harald Tveit and RFC 2830. The editor acknowledges the work of Harald Tveit
Alvestrand, Jeff Hodges, Tim Howes, Steve Kille, RL "Bob" Morgan , Alvestrand, Jeff Hodges, Tim Howes, Steve Kille, RL "Bob" Morgan ,
and Mark Wahl, each of whom authored one or more of these documents. and Mark Wahl, each of whom authored one or more of these documents.
This document is based upon input of the IETF LDAP Revision working This document is based upon input of the IETF LDAP Revision working
group. The contributions and suggestions made by its members in group. The contributions and suggestions made by its members in
shaping the contents and technical accuracy of this document is shaping the contents and technical accuracy of this document is
greatly appreciated. greatly appreciated.
Normative References Normative References
[ABNF] Crocker, D., Ed. and P. Overell, "Augmented BNF for
[[Note to the RFC Editor: please replace the citation tags used in
referencing Internet-Drafts with tags of the form RFCnnnn.]]
[RFC2234] Crocker, D., Ed. and P. Overell, "Augmented BNF for
Syntax Specifications: ABNF", RFC 2234, November 1997. Syntax Specifications: ABNF", RFC 2234, November 1997.
[DIGEST-MD5] Leach, P. C. Newman, and A. Melnikov, "Using Digest [DIGEST-MD5] Leach, P. C. Newman, and A. Melnikov, "Using Digest
Authentication as a SASL Mechanism", draft-ietf-sasl- Authentication as a SASL Mechanism", draft-ietf-sasl-
rfc2831bis-xx.txt, a work in progress. rfc2831bis-xx.txt, a work in progress.
[Keyword] Bradner, S., "Key Words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key Words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[LDAPDN] Zeilenga, Kurt D. (editor), "LDAP: String [LDAPDN] Zeilenga, Kurt D. (editor), "LDAP: String
Representation of Distinguished Names", draft-ietf- Representation of Distinguished Names", draft-ietf-
ldapbis-dn-xx.txt, a work in progress. ldapbis-dn-xx.txt, a work in progress.
[Models] Zeilenga, Kurt D. (editor), "LDAP: Directory [Models] Zeilenga, Kurt D. (editor), "LDAP: Directory
Information Models", draft-ietf-ldapbis-models-xx.txt, Information Models", draft-ietf-ldapbis-models-xx.txt,
a work in progress. a work in progress.
skipping to change at page 20, line 47 skipping to change at page 22, line 55
Internationalized Strings ('stringprep')", draft- Internationalized Strings ('stringprep')", draft-
hoffman-rfc3454bis-xx.txt, a work in progress. hoffman-rfc3454bis-xx.txt, a work in progress.
[Syntaxes] Legg, S. (editor), "LDAP: Syntaxes and Matching Rules", [Syntaxes] Legg, S. (editor), "LDAP: Syntaxes and Matching Rules",
draft-ietf-ldapbis-syntaxes-xx.txt, a work in progress. draft-ietf-ldapbis-syntaxes-xx.txt, a work in progress.
[TLS] Dierks, T. and C. Allen. "The TLS Protocol Version [TLS] Dierks, T. and C. Allen. "The TLS Protocol Version
1.1", draft-ietf-tls-rfc2246-bis-xx.txt, a work in 1.1", draft-ietf-tls-rfc2246-bis-xx.txt, a work in
progress. progress.
[UTF-8] Yergeau, F., "UTF-8, a transformation format of ISO [RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO
10646", RFC 3629, STD 63, November 2003. 10646", RFC 3629, STD 63, November 2003.
[Unicode] The Unicode Consortium, "The Unicode Standard, Version [Unicode] The Unicode Consortium, "The Unicode Standard, Version
3.2.0" is defined by "The Unicode Standard, Version 3.2.0" is defined by "The Unicode Standard, Version
3.0" (Reading, MA, Addison-Wesley, 2000. ISBN 0-201- 3.0" (Reading, MA, Addison-Wesley, 2000. ISBN 0-201-
61633-5), as amended by the "Unicode Standard Annex 61633-5), as amended by the "Unicode Standard Annex
#27: Unicode 3.1" #27: Unicode 3.1"
(http://www.unicode.org/reports/tr27/) and by the (http://www.unicode.org/reports/tr27/) and by the
"Unicode Standard Annex #28: Unicode 3.2" "Unicode Standard Annex #28: Unicode 3.2"
(http://www.unicode.org/reports/tr28/). (http://www.unicode.org/reports/tr28/).
Informative References Informative References
[ANONYMOUS] Zeilenga, K.,"Anonymous SASL Mechanism", draft- [ANONYMOUS] Zeilenga, K.,"Anonymous SASL Mechanism", draft-
zeilenga-sasl-anon-xx.txt, a work in progress. zeilenga-sasl-anon-xx.txt, a work in progress.
[Glossary] Shirey, R., "Internet Security Glossary", RFC 2828, May [RFC2828] Shirey, R., "Internet Security Glossary", RFC 2828, May
2000. 2000.
[PLAIN] Zeilenga, K.,"Plain SASL Mechanism", draft-zeilenga- [PLAIN] Zeilenga, K.,"Plain SASL Mechanism", draft-zeilenga-
sasl-plain-xx.txt, a work in progress. sasl-plain-xx.txt, a work in progress.
[SecArch] Kent, S. and R. Atkinson, "Security Architecture for [RFC2401] Kent, S. and R. Atkinson, "Security Architecture for
the Internet Protocol", RFC 2401, November 1998. the Internet Protocol", RFC 2401, November 1998.
Author's Address Author's Address
Roger Harrison Roger Harrison
Novell, Inc. Novell, Inc.
1800 S. Novell Place 1800 S. Novell Place
Provo, UT 84606 Provo, UT 84606
USA USA
+1 801 861 2642 +1 801 861 2642
skipping to change at page 22, line 6 skipping to change at page 24, line 14
-- -------------------------------------------------------------- -- --------------------------------------------------------------
S1 Anonymous S1 Anonymous
no Authentication ID is associated with the LDAP connection no Authentication ID is associated with the LDAP connection
no Authorization ID is in force no Authorization ID is in force
S2 Authenticated S2 Authenticated
Authentication ID = I Authentication ID = I
Authorization ID = X Authorization ID = X
S3 Authenticated SASL EXTERNAL, implicit authorization ID S3 Authenticated SASL EXTERNAL, implicit authorization ID
Authentication ID = J Authentication ID = J
Authorization ID = Y Authorization ID = Y
S4 Authenticated SASL EXTERNAL, explicit authorization ID S4 Authenticated SASL EXTERNAL, explicit authorization ID Z
Authentication ID = J Authentication ID = J
Authorization ID = Z Authorization ID = Z
A.2. Actions that Affect LDAP Association State A.2. Actions that Affect LDAP Association State
The following table lists the actions that can affect the The following table lists the actions that can affect the
authentication and authorization state of an LDAP association. The authentication and authorization state of an LDAP association. The
ID for each action is used in the state transition table in section ID for each action is used in the state transition table in section
A.4. A.4.
ID Action ID Action
-- -------------------------------------------------------------- -- --------------------------------------------------------------
A1 Client bind request fails A1 Client bind request fails
A2 Client successfully performs anonymous simple bind A2 Client successfully performs anonymous simple bind
A3 Client successfully performs unauthenticated simple bind A3 Client successfully performs unauthenticated simple bind
A4 Client successfully performs simple bind with name and A4 Client successfully performs simple bind with name and password
password OR SASL bind with any mechanism except EXTERNAL using OR SASL bind with any mechanism except EXTERNAL using an
an authentication ID = I that maps to authorization ID X authentication ID = I that maps to authorization ID X
A5 Client Binds SASL EXTERNAL with implicit assertion of A5 Client Binds SASL EXTERNAL with implicit assertion of
authorization ID (section 3.3.6.1)]. The current authorization ID (section 9.1)]. The current authentication ID
authentication ID maps to authorization ID = Y. maps to authorization ID = Y.
A6 Client Binds SASL EXTERNAL with explicit assertion of A6 Client Binds SASL EXTERNAL with explicit assertion of
authorization ID = Z (section 3.3.6.2)] authorization ID = Z (section 9.2)]
A7 Client abandons a bind operation, and server processes the A7 Client Start TLS request fails
abandon A8 Client Start TLS request succeeds
A8 Client abandons a bind operation, and server does not process A9 Client or Server: graceful TLS removal
the abandon
A9 Client Start TLS request fails
A10 Client Start TLS request succeeds
A11 Client or Server: graceful TLS closure ([Protocol] section
4.13.3.1.)
A.3. Decisions Used in Making LDAP Association State Changes A.3. Decisions Used in Making LDAP Association State Changes
Certain changes in the authentication and authorization state of an Certain changes in the authentication and authorization state of an
LDAP association are only allowed if the server can affirmatively LDAP association are only allowed if the server can affirmatively
answer a question. These questions are applied as part of the answer a question. These questions are applied as part of the
criteria for allowing or disallowing a state transition in the state criteria for allowing or disallowing a state transition in the state
transition table in section A.4. transition table in section A.4.
ID Decision Question ID Decision Question
-- -------------------------------------------------------------- -- --------------------------------------------------------------
D1 Are lower-layer credentials available? D1 Are lower-layer credentials available?
D2 Can lower-layer credentials for Auth ID "K" be mapped to D2 Can lower-layer credentials for Auth ID "K" be mapped to
asserted AuthZID "L"? asserted AuthZID "L"?
A.4. LDAP Association State Transition Table A.4. LDAP Association State Transition Table
The LDAP Association table below lists the the actions that could
The LDAP Association table below lists the valid authentication and affect authentication and authorization state of an LDAP association
authorization states for an LDAP association and the actions that and the resulting state of an LDAP association after a given action
could affect them. For any given row in the table, the Current State occurs.
column gives the state of an LDAP association, the Action column
gives an action that could affect the state of an LDAP assocation,
and the Next State column gives the resulting state of an LDAP
association after the action occurs.
S1, the initial state for the state machine described in this table, S1, the initial state for the state machine described in this table,
is the authentication state when an LDAP connection is initially is the authentication state when an LDAP connection is initially
established. established.
Current Next Next
State Action State Comment Action State Comment
------- ------- ----- --------------------------------------- ------- ----- -------------------------------------------------
Any A1 S1 [Protocol] section 4.2.1 A1 S1 Section 4
Any A2 S1 Section 6 A2 S1 Section 6
Any A3 S1 Section 6 A3 S1 Section 7
Any A4 S2 Sections 6.1, 6.2 A4 S2 Sections 8, 9
Any A5, S1 Failed bind, section 3.3.6 A5, S1 Failed bind, section 10.1
D1=no D1=no
Any A5, S3 A5, S3
D1=yes D1=yes
Any A6, S1 failed bind, section 3.3.6 A6, S1 Failed bind, section 10.2
D1=no D1=no
Any A6, S1 failed bind, section 3.3.6.2 A6, S1 Failed bind, section 10.2
D1=yes, D1=yes,
D2=no D2=no
Any A6, S4 A6, S4
D1=yes, D1=yes,
D2=yes D2=yes
Any A7 S1 [Protocol] section 4.2.1. Clients A7 no [Protocol] section 4.14.2.2
cannot detect this state.
Any A8 no [Protocol] section 4.2.1. Clients
change cannot detect this state.
Any A9 no [Protocol] section 4.13.2.2
change change
Any A10 no Section 4.2.1 A8 no [Protocol] section 4.14.2.1
change change
Any A11 S1 Section 4.2.3 A9 S1 [Protocol] section 4.14.3.1
Appendix B. Example Deployment Scenarios Appendix B. Example Deployment Scenarios
The following scenarios are typical for LDAP directories on the The following scenarios are typical for LDAP directories on the
Internet, and have different security requirements. (In the Internet, and have different security requirements. (In the
following discussion, "sensitive data" refers to information whose following discussion, "sensitive data" refers to information whose
disclosure, alteration, destruction, or loss would adversely affect disclosure, alteration, destruction, or loss would adversely affect
the interests or business of its owner or user. Also note that there the interests or business of its owner or user. Also note that there
may be data that is protected but not sensitive.) This is not may be data that is protected but not sensitive.) This is not
intended to be a comprehensive list; other scenarios are possible, intended to be a comprehensive list; other scenarios are possible,
especially on physically protected networks. especially on physically protected networks.
(1) A read-only directory, containing no sensitive data, accessible (1) A read-only directory, containing no sensitive data, accessible
skipping to change at page 31, line 26 skipping to change at page 33, line 19
Section 4.4. Section 4.4.
- Added stipulation that sasl choice allows for any SASL mechanism - Added stipulation that sasl choice allows for any SASL mechanism
not prohibited by this document. (Resolved conflict between this not prohibited by this document. (Resolved conflict between this
statement and one that prohibited use of ANONYMOUS and PLAIN statement and one that prohibited use of ANONYMOUS and PLAIN
SASL mechanisms.) SASL mechanisms.)
Section 5.3.6 Section 5.3.6
- Added a.x.bar.com to wildcard matching example on hostname - Added a.x.bar.com to wildcard matching example on hostname check.
check.
Section 6 Section 6
- Added LDAP Association State Transition Tables to show the - Added LDAP Association State Transition Tables to show the
various states through which an LDAP association may pass along various states through which an LDAP association may pass along
with the actions and decisions required to traverse from state with the actions and decisions required to traverse from state
to state. to state.
Appendix A Appendix A
skipping to change at page 39, line 19 skipping to change at page 41, line 11
- Added an IANA consideration to update GSSAPI service name - Added an IANA consideration to update GSSAPI service name
registry to point to [Roadmap] and [Authmeth] registry to point to [Roadmap] and [Authmeth]
G.8. Changes for draft-ldap-bis-authmeth-09 G.8. Changes for draft-ldap-bis-authmeth-09
General General
- Updated section references within document - Updated section references within document
- Changed reference tags to match other docs in LDAP TS - Changed reference tags to match other docs in LDAP TS
- Used non-quoted names for all SAL mechanisms - Used non-quoted names for all SASL mechanisms
Abstract Abstract
- Inspected keyword usage and removed several improper usages. - Inspected keyword usage and removed several improper usages.
- Removed sentence saying DIGEST-MD5 is LDAP's mandatory-to- - Removed sentence saying DIGEST-MD5 is LDAP's mandatory-to-
implement mechanism. This is covered elsewhere in document. implement mechanism. This is covered elsewhere in document.
- Moved section 5, authentication state table, of -08 draft to - Moved section 5, authentication state table, of -08 draft to
section 8 of -09 and completely rewrote it. section 8 of -09 and completely rewrote it.
Section 1 Section 1
- Reworded sentence beginning, "It is also desireable to allow - Reworded sentence beginning, "It is also desirable to allow
authentication methods to carry identities based on existing¨ authentication methods to carry identities based on existing¨
non-LDAP DN-forms..." non-LDAP DN-forms..."
- Clarified relationship of this document to other documents in - Clarified relationship of this document to other documents in
the LDAP TS. the LDAP TS.
Section 3.3.5 Section 3.3.5
- Removed paragraph beginning,"If the client is configured to - Removed paragraph beginning,"If the client is configured to
support multiple SASL mechanisms..." because the actions support multiple SASL mechanisms..." because the actions
specified in the paragraph do not provide the protections specified in the paragraph do not provide the protections
skipping to change at page 40, line 52 skipping to change at page 42, line 43
Section 10 Section 10
- Updated consideration on use of cleartext passwords to include - Updated consideration on use of cleartext passwords to include
other unprotected authentication credentials other unprotected authentication credentials
- Substantial rework of consideration on misuse of unauthenticated - Substantial rework of consideration on misuse of unauthenticated
bind. bind.
G.9. Changes for draft-ldap-bis-authmeth-10 G.9. Changes for draft-ldap-bis-authmeth-10
- Reorganized content of sections 3-9 to improve document flow and General
reduce redundancy.
- Resolved issue of effect of Start TLS and TLS closure on LDAP
association state.
- Made numerous minor wording changes based on WG feedback.
- Updated list of threats for Section 1.
- Recommendation that servers should not support weaker TLS - Many editorial changes throughout to clarify wording and better
ciphersuites unless other protection is in place. express intent, primarily based on suggestions from WG mail
- Moved authentication state table to appendix and relettered list.
appendices. - More standard naming of authentication mechanisms throughout
document, e.g. "Anonymous Authentication Mechanism of the Simple
Bind Choice".
Section 1
- Editorial changes to add clarity.
- Moved section 2 of authmeth -09 into section 1
Section 2
- New section outlining implementation requirements.
Section 3.1.1
- Editorial clarification on need for following operation
sequencing requirements.
Section 3.1.4
- New section added to describe use of client certificates with
Start TLS. Incorporates material moved from other sections of
authmeth -09.
Section 4
- New section added to discuss LDAP Associations. Related material
was moved from various other sections of authmeth -09 and
incorporated into this new section.
Section 5
- Added several paragraphs regarding transmission and derivation
of authentication and authorization identities using the Bind
operation.
Section 8
- Clarified rules for determining valid credentials and situations
where invalidCredentials result is to be returned.
Section 14
- Added three security considerations based on WG feedback.
Appendix A
- Simplfied state tables by removing two unnecessary actions from
the actions table, and removing the current state column of the
state transition table. Updated references to authmeth and
[Protocol].
Appendix H. Issues to be Resolved Appendix H. Issues to be Resolved
This appendix lists open questions and issues that need to be This appendix lists open questions and issues that need to be
resolved before work on this document is deemed complete. resolved before work on this document is deemed complete.
H.1. H.1.
Section 1 lists 6 security mechanisms that can be used by LDAP Section 1 lists 6 security mechanisms that can be used by LDAP
servers. I'm not sure what mechanism 5, "Resource limitation by servers. I'm not sure what mechanism 5, "Resource limitation by
skipping to change at page 45, line 4 skipping to change at page 47, line 36
H.15. Include a Start TLS state transition table H.15. Include a Start TLS state transition table
The pictoral representation it is nominally based on is here (URL The pictoral representation it is nominally based on is here (URL
possibly folded): possibly folded):
http://www.stanford.edu/~hodges/doc/LDAPAssociationStateDiagram- http://www.stanford.edu/~hodges/doc/LDAPAssociationStateDiagram-
1999-12-14.html 1999-12-14.html
(Source: Jeff Hodges) (Source: Jeff Hodges)
Status: Resolved. Status: Resolved.
Table provided in -03. Review of content for accuracy in -04. Table provided in -03. Review of content for accuracy in -04.
Additional review is needed, plus comments from WG members indicate Additional review is needed, plus comments from WG members indicate
that additional description of each state's meaning would be that additional description of each state's meaning would be helpful.
helpful.
Did a significant revision of state transition table in -09. Changes Did a significant revision of state transition table in -09. Changes
were based on suggestions from WG and greatly simplified overall were based on suggestions from WG and greatly simplified overall
table. table.
H.16. Empty sasl credentials question H.16. Empty sasl credentials question
I spent some more time looking microscopically at ldap-auth-methods I spent some more time looking microscopically at ldap-auth-methods
and ldap-ext-tls drafts. The drafts say that the credential must and ldap-ext-tls drafts. The drafts say that the credential must
have the form dn:xxx or u:xxx or be absent, and although they don't have the form dn:xxx or u:xxx or be absent, and although they don't
skipping to change at page 45, line 37 skipping to change at page 48, line 14
Status: resolved. Kurt Zeilenga indicated during ldapbis WG Status: resolved. Kurt Zeilenga indicated during ldapbis WG
discussion at IETF 52 that SASL AuthzID credentials empty and absent discussion at IETF 52 that SASL AuthzID credentials empty and absent
are equivalent in the latest SASL ID. This resolves the issue. are equivalent in the latest SASL ID. This resolves the issue.
H.17. Hostname check from MUST to SHOULD? H.17. Hostname check from MUST to SHOULD?
I am uneasy about the hostname check. My experience from PKI with I am uneasy about the hostname check. My experience from PKI with
HTTP probably is a contributing factor; we have people using the HTTP probably is a contributing factor; we have people using the
short hostname to get to a server which naturally has the FQDN in short hostname to get to a server which naturally has the FQDN in
the certificate, no end of problems. I have a certificate on my the certificate, no end of problems. I have a certificate on my
laptop which has the FQDN for the casse when the system is on our laptop which has the FQDN for the case when the system is on our
Columbia network with a fixed IP; when I dial in however, I have Columbia network with a fixed IP; when I dial in however, I have
some horrible dialup name, and using the local https server becomes some horrible dialup name, and using the local https server becomes
annoying. Issuing a certificate in the name 'localhost' is not a annoying. Issuing a certificate in the name 'localhost' is not a
solution! Wildcard match does not solve this problem. For these solution! Wildcard match does not solve this problem. For these
reasons I am inclined to argue for 'SHOULD' instead of reasons I am inclined to argue for 'SHOULD' instead of
'MUST' in paragraph... 'MUST' in paragraph...
Also, The hostname check against the name in the certificate is a Also, The hostname check against the name in the certificate is a
very weak means of preventing man-in-the-middle attacks; the proper very weak means of preventing man-in-the-middle attacks; the proper
solution is not here yet (SecureDNS or some equivalent). Faking out solution is not here yet (SecureDNS or some equivalent). Faking out
skipping to change at page 47, line 22 skipping to change at page 49, line 53
H.22. Need to move Start TLS protocol information to [Protocol] H.22. Need to move Start TLS protocol information to [Protocol]
Status: Resolved. Removed Sections 5.1, 5.2, and 5.4 for -04 and Status: Resolved. Removed Sections 5.1, 5.2, and 5.4 for -04 and
they are [Protocol] -11. they are [Protocol] -11.
H.23. Split Normative and Non-normative references into separate H.23. Split Normative and Non-normative references into separate
sections. sections.
Status: Resolved. Changes made in -04 Status: Resolved. Changes made in -04
H.24. What is the authentication state if a Bind operation is H.24. What is the authentication state if a Bind operation is abandoned?
abandoned?
Status: Resolved. Status: Resolved.
(3/24/03) This following text appears in section 4.2.1 of [Protocol] (3/24/03) This following text appears in section 4.2.1 of [Protocol]
revision -13 to cover what happens if a bind operation is abandoned: revision -13 to cover what happens if a bind operation is abandoned:
A failed or abandoned Bind Operation has the effect of leaving the A failed or abandoned Bind Operation has the effect of leaving the
connection in an anonymous state. To arrive at a known connection in an anonymous state. To arrive at a known
authentication state after abandoning a bind operation, clients may authentication state after abandoning a bind operation, clients may
unbind, rebind, or make use of the BindResponse. unbind, rebind, or make use of the BindResponse.
skipping to change at page 48, line 40 skipping to change at page 51, line 19
this with Section 4.5.2 (section 5.2 of RFC2830) that says that the this with Section 4.5.2 (section 5.2 of RFC2830) that says that the
closure of the TLS connection MUST cause the LDAP association to closure of the TLS connection MUST cause the LDAP association to
move to an anonymous authentication. move to an anonymous authentication.
Status: Resolved. (11/12/02) This is actually a [Protocol] issue Status: Resolved. (11/12/02) This is actually a [Protocol] issue
because these sections have now been moved to [Protocol] -11. I have because these sections have now been moved to [Protocol] -11. I have
proposed the following text for Section 4.4.1 of [AuthMeth] -03 proposed the following text for Section 4.4.1 of [AuthMeth] -03
(section 4.13.3.1 of [Protocol]) to resolve this apparent (section 4.13.3.1 of [Protocol]) to resolve this apparent
discrepancy: discrepancy:
"Either the client or server MAY terminate the TLS connection on an "
Either the client or server MAY terminate the TLS connection on an
LDAP association by sending a TLS closure alert. The LDAP LDAP association by sending a TLS closure alert. The LDAP
connection remains open for further communication after TLS closure connection remains open for further communication after TLS closure
occurs although the authentication state of the LDAP connection is occurs although the authentication state of the LDAP connection is
affected (see [AuthMeth] section 4.2.2). affected (see [AuthMeth] section 4.2.2).
(11/21/02): resolution to this is expected in [Protocol] -12 (11/21/02): resolution to this is expected in [Protocol] -12
(06/28/03): [Protocol]-15 clarifies that a TLS closure alert (06/28/03): [Protocol]-15 clarifies that a TLS closure alert
terminates the TLS connection while leaving the LDAP connection terminates the TLS connection while leaving the LDAP connection
intact. The authentication state table in [AuthMeth] specifies the intact. The authentication state table in [AuthMeth] specifies the
skipping to change at page 53, line 24 skipping to change at page 55, line 55
to be constructed and used in the protocol and MAY further restrict to be constructed and used in the protocol and MAY further restrict
its syntax and protocol-specific semantics." its syntax and protocol-specific semantics."
I don't believe that any such guidance exists within the LDAP TS. I don't believe that any such guidance exists within the LDAP TS.
The most likely place for this to reside is in the authmeth draft. The most likely place for this to reside is in the authmeth draft.
Related email from Alexey Melnikov (8/4/2003 1:08:40 PM): Related email from Alexey Melnikov (8/4/2003 1:08:40 PM):
"The problem I have with the document is that it references realm "The problem I have with the document is that it references realm
without explaining what it is (or at least some examples of valid without explaining what it is (or at least some examples of valid
values). For LDAP, some recommendations should be given. For values). For LDAP, some recommendations should be given. For example:
example:
1). Use a hardcoded string as the realm (one of the implementations 1). Use a hardcoded string as the realm (one of the implementations
I worked on was doing that) I worked on was doing that)
2). Use hostname (realm==host) or domain/cluster name (realm 2). Use hostname (realm==host) or domain/cluster name (realm
includes multiple hosts). includes multiple hosts).
3). Use a node in DIT above user entry, for example for "cn=Barbara 3). Use a node in DIT above user entry, for example for "cn=Barbara
Jensen, ou=Accounting, o=Ace Industry, c=US" Jensen, ou=Accounting, o=Ace Industry, c=US"
and "cn=John Doe, ou=Accounting, o=Ace Industry, c=US" realm can be and "cn=John Doe, ou=Accounting, o=Ace Industry, c=US" realm can be
"ou=Accounting, o=Ace Industry, c=US" "ou=Accounting, o=Ace Industry, c=US"
(or "o=Ace Industry, c=US"); for "cn=Gern Jensen, ou=Product (or "o=Ace Industry, c=US"); for "cn=Gern Jensen, ou=Product
Testing,o=Ace Industry, c=US" realm can be "ou=Product Testing, Testing,o=Ace Industry, c=US" realm can be "ou=Product Testing,
skipping to change at page 54, line 47 skipping to change at page 57, line 23
username for DIGEST-MD5. username for DIGEST-MD5.
Status: Resolved. Status: Resolved.
Based on WG list discussion, Kurt Zeilenga has gaged a lack of WG Based on WG list discussion, Kurt Zeilenga has gaged a lack of WG
consensus that Simple+TLS should be mandatory to implement. No consensus that Simple+TLS should be mandatory to implement. No
further discussion is necessary. further discussion is necessary.
Intellectual Property Rights Intellectual Property Rights
By submitting this Internet-Draft, I accept the provisions of
Section 3 of RFC 3667.
By submitting this Internet-Draft, I certify that any applicable
patent or other IPR claims of which I am aware have been disclosed,
and any of which I become aware will be disclosed, in accordance
with RFC 3668.
The IETF takes no position regarding the validity or scope of any The IETF takes no position regarding the validity or scope of any
intellectual property or other rights that might be claimed to Intellectual Property Rights or other rights that might be claimed
pertain to the implementation or use of the technology described in to pertain to the implementation or use of the technology described
this document or the extent to which any license under such rights in this document or the extent to which any license under such
might or might not be available; neither does it represent that it rights might or might not be available; nor does it represent that
has made any effort to identify any such rights. Information on the it has made any independent effort to identify any such rights.
IETF's procedures with respect to rights in standards-track and Information on the procedures with respect to rights in RFC
standards-related documentation can be found in BCP-11. Copies of documents can be found in BCP 78 and BCP 79.
claims of rights made available for publication and any assurances
of licenses to be made available, or the result of an attempt made Copies of IPR disclosures made to the IETF Secretariat and any
to obtain a general license or permission for the use of such assurances of licenses to be made available, or the result of an
proprietary rights by implementors or users of this specification attempt made to obtain a general license or permission for the use
can be obtained from the IETF Secretariat. of such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository
at http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary copyrights, patents or patent applications, or other proprietary
rights which may cover technology that may be required to practice rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF Executive this standard. Please address the information to the IETF at ietf-
Director. ipr@ietf.org.
Full Copyright
Copyright (C) The Internet Society (2003). All Rights Reserved. Full Copyright Statement
Copyright (C) The Internet Society (2004). This document is subject
to the rights, licenses and restrictions contained in BCP 78, and
except as set forth therein, the authors retain all their rights.
This document and translations of it may be copied and furnished to This document and the information contained herein are provided on
others, and derivative works that comment on or otherwise explain it an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE
or assist in its implementation may be prepared, copied, published REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE
and distributed, in whole or in part, without restriction of any INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR
kind, provided that the above copyright notice and this paragraph IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
are included on all such copies and derivative works. However, this THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
document itself may not be modified in any way, such as by removing WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
 End of changes. 

This html diff was produced by rfcdiff 1.23, available from http://www.levkowetz.com/ietf/tools/rfcdiff/