draft-ietf-svrloc-ldap-scheme-00.txt   draft-ietf-svrloc-ldap-scheme-01.txt 
Service Location Working Group Jonathan Wood Service Location Working Group Jonathan Wood
INTERNET DRAFT Roberto Tam INTERNET DRAFT Roberto Tam
Sun Microsystems, Inc. Sun Microsystems, Inc.
22 December 1998 21 February 1998
The LDAP Service Type The LDAP Service Type
draft-ietf-svrloc-ldap-scheme-00.txt draft-ieft-svrloc-ldap-scheme-01.txt
Status of This Memo Status of This Memo
This document is a submission by the Service Location Working Group This document is a submission by the Service Location Working Group
of the Internet Engineering Task Force (IETF). Comments should be of the Internet Engineering Task Force (IETF). Comments should be
submitted to the srvloc@srvloc.org mailing list. submitted to the srvloc@srvloc.org mailing list.
This document is an Internet-Draft. Internet-Drafts are working Distribution of this memo is unlimited.
This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC2026. Internet-Drafts are working
documents of the Internet Engineering Task Force (IETF), its areas, documents of the Internet Engineering Task Force (IETF), its areas,
and its working groups. Note that other groups may also distribute and its working groups. Note that other groups may also distribute
working documents as Internet-Drafts. working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at and may be updated, replaced, or obsoleted by other documents at
any time. It is inappropriate to use Internet- Drafts as reference any time. It is inappropriate to use Internet- Drafts as reference
material or to cite them other than as ``work in progress.'' material or to cite them other than as ``work in progress.''
To view the entire list of current Internet-Drafts, please check The list of current Internet-Drafts can be accessed at
the ``1id-abstracts.txt'' listing contained in the Internet-Drafts http://www.ietf.org/ietf/1id-abstracts.txt
Shadow Directories on ftp.is.co.za (Africa), ftp.nordu.net (Northern
Europe), ftp.nis.garr.it (Southern Europe), munnari.oz.au (Pacific
Rim), ftp.ietf.org (US East Coast), or ftp.isi.edu (US West Coast).
Distribution of this memo is unlimited. The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
Abstract Abstract
This document describes the LDAP service type. This service type This document describes the LDAP service type. This service type
defines the service: URL and attributes necessary for discovering defines the service: URL and attributes necessary for discovering
LDAP servers. LDAP servers.
1. Introduction 1. Introduction
This document describes a template providing a service: URL and This document describes a template providing a service: URL and
skipping to change at page 2, line 4 skipping to change at page 2, line 5
1. Introduction 1. Introduction
This document describes a template providing a service: URL and This document describes a template providing a service: URL and
attributes useful for dynamically discovering LDAP servers; this type attributes useful for dynamically discovering LDAP servers; this type
can be used with SLP [1]. Service templates and service: schemes are can be used with SLP [1]. Service templates and service: schemes are
defined in [2]. defined in [2].
LDAP (Lightweight Directory Access Protocol) [3] directories are LDAP (Lightweight Directory Access Protocol) [3] directories are
now being used as repositories for UNIX-style system information. now being used as repositories for UNIX-style system information.
As such, LDAP service is suitable to be included in the naming- As such, LDAP service is suitable to be included in the naming-
directory class. This type is intended to be used as a concrete directory class. This type is intended to be used as a concrete
portion of the abstract naming-directory type defined in [4]. The portion of the abstract naming-directory type defined in [4]. The
LDAP type includes all attributes from the naming-directory abstract LDAP type includes all attributes from the naming-directory abstract
type, and defines three new attributes, two pertaining to LDAP type, and defines new attributes pertaining to security and access
security, one to access protocols. protocols.
For usage examples, refer to [4]. For usage examples for non-LDAP specific scenarios, refer to [4].
2. The LDAP Service Type 2. Differentiating Servers by Authentication Mechanisms
Possible means of authenticating LDAP transactions are defined
in [5]. In order to agree on a particular authentication mechanism,
a client and server might need to go through a number of iterations
and levels of negotiation. Currently there are three levels of
mechanisms: The first level consists of the basic mechanisms,
anonymous, simple, and TLS. The second layer consists of the SASL
negotiation layer [6]. The third layer consists of GSSAPI [7]
mechanisms, and possible the GSS-SPNEGO negotiation sequence [8].
Thus it is possible that a client wishing to use the Kerberos V5
GSSAPI mechanism may need to negotiate its way through SASL and
GSS-SPNEGO before coming to an agreement with the server.
Since LDAP clients are already aware of what mechanisms they have
been configured to use when connecting to an LDAP server, the
attributes in this template have been designed to allow clients to
optimize both their search for servers and the following negotiation
sequence for authentication mechanisms. Clients may specify as
little or as much of their desired negotiation path. For example,
all of the following SLP [1] search filters are valid:
(security=sasl)
(&(security=sasl)(|(sasl-mechs=cram-md5)(sasl-mechs=external)))
(&(security=sasl)(sasl-mechs=GSSAPI)(gss-mechs=1.3.5.1.5.2))
The more fully a client specifies the negotiation path, the greater
the likelihood that the client will discover a server which
supports the same mechanisms as the client. If a server does not
support the required mechanisms, clients will need to move on to
other discovered servers, and repeat the negotiation process. This
can be a costly process. Additionally, clients should be able to
optimize the resulting negotiation, bypassing mechanisms which are
not acceptable to one of the parties.
The allowable values for the "security" attribute follows those
defined in [5].
The allowable values for the "sasl-mechs" and "gss-mechs"
attributes are meant to be fluid, following the decisions of their
respective working groups.
3. The LDAP Service Type
Names of submitters: Jonathan Wood <jonathan.wood@eng.sun.com> Names of submitters: Jonathan Wood <jonathan.wood@eng.sun.com>
Roberto Tam <roberto.tam@eng.sun.com> Roberto Tam <roberto.tam@eng.sun.com>
Language of service template: en Language of service template: en
Security Considerations: Security Considerations:
This LDAP service type inherits the security considerations from the This LDAP service type inherits the security considerations from the
naming-directory service type [4]. naming-directory service type [4].
Template text: Template text:
-------------------------template begins here----------------------- -------------------------template begins here-----------------------
skipping to change at page 2, line 36 skipping to change at page 3, line 32
template-version=0.0 template-version=0.0
template-description= template-description=
This is a concrete type; the abstract type for this service This is a concrete type; the abstract type for this service
is naming-directory (described in [4]). This type is used is naming-directory (described in [4]). This type is used
by LDAP servers to advertise their services and LDAP clients by LDAP servers to advertise their services and LDAP clients
which wish to discover LDAP servers. which wish to discover LDAP servers.
template-url=syntax= template-url=syntax=
url-path = ldap URL as defined in [5] url-path = ldap URL as defined in [9]
security= string M security= string M
# security mechanisms supported by this server. # Security mechanisms supported by this server. Permitted values
none,simple,TLS,kerb5,sasl # are drawn from draft-ietf-ldapext-authmeth-03 (Authentication
# Methods for LDAP). If SASL is supported, clients may further
# differentiate servers with the sasl-mechs attribute.
anonymous,simple,tls,sasl
sasl-mechs=string M
# SASL mechanisms supported by this server. If the GSSAPI or GSS-SPNEGO
# mechanisms are supported, clients may further differentiate servers
# with the gss-mechs attribute. SASL mechanisms are registered with
# IANA; legal values of this attribute are the mechanism keywords
# registered with IANA. SASL is defined in RFC 2222.
gss-mechs=string M
# GSSAPI mechanisms supported by this server. The mechanisms are
# named by their object identifiers (OIDs). GSSAPI is defined
# in RFC 2078, and GSS-SPNEGO is defined in RFC 2478.
qop= string qop= string
# quality of protection. The refers to how strongly messages are # quality of protection. The refers to how strongly messages are
# protected. There are three possibilities: none, integrity # protected. There are three possibilities: none, integrity
# (meaning that the integrity and endpoints of the message can # (meaning that the integrity and endpoints of the message can
# be guaranteed), and privacy (meaning that the message is # be guaranteed), and privacy (meaning that the message is
# encrypted). # encrypted).
none,integrity,privacy none,integrity,privacy
transport= string transport= string
# the transport used to communicate with this server. Possible # the transport used to communicate with this server. Possible
# values are connection-oriented (cots) and connectionless # values are connection-oriented (cots) and connectionless
# (clts). # (clts).
cots,clts cots,clts
--------------------------template ends here------------------------ --------------------------template ends here------------------------
References: References:
[1] E. Guttman, C. Perkins, J. Veizades, M. Day. Service Location [1] E. Guttman, C. Perkins, J. Veizades, M. Day. Service Location
Protocol. draft-ietf-svrloc-protocol-v2-10.txt, July 1998 (work in Protocol. draft-ietf-svrloc-protocol-v2-12.txt, February 1999
progress). (work in progress)
[2] E. Guttman, C. Perkins, J. Kempf, Service Templates and service: [2] E. Guttman, C. Perkins, J. Kempf, Service Templates and service:
Schemes. draft-ietf-svrloc-service-scheme-12.txt Schemes. draft-ietf-svrloc-service-scheme-14.txt
March, 1998 (work in progress). February 1999 (work in progress)
[3] W. Yeong, T. Howes, S. Kille, Lightweight Directory Access [3] W. Yeong, T. Howes, S. Kille, Lightweight Directory Access
[4] J. Wood, R. Tam, The Naming and Directory Service Abstract Type. [4] J. Wood, R. Tam, The Naming and Directory Service Abstract Type.
draft-ietf-svrloc-naming-directory-00.txt, November 1998 (work in draft-ietf-svrloc-naming-directory-00.txt, November 1998 (work in
progress). progress)
[5] T. Howes, M. Smith, The LDAP URL Format, RFC 2255 December 1997 [5] M. Wahl, H. Alvestrand, J. Hodges, RL Morgan. Authentication
Methods for LDAP, draft-ietf-ldapext-authmeth-03.txt, November
1998 (work in progress)
[6] J. Meyers, Simple Authentication and Security Layer (SASL)
RFC 2222 October 1997
[7] J. Linn, Generic Security Service Application Program Interface,
Version 2, RFC 2078 January 1997
[8] E. Baize, D. Pinkas, The Simple and Protected GSS-API Negotiation
Mechanism, RFC 2478 December 1998
[9] T. Howes, M. Smith, The LDAP URL Format, RFC 2255 December 1997
 End of changes. 15 change blocks. 
22 lines changed or deleted 81 lines changed or added

This html diff was produced by rfcdiff 1.34. The latest version is available from http://tools.ietf.org/tools/rfcdiff/