

INTERNET-DRAFT                                               Rob Weltman 
Intended Category: Standards Track         Netscape Communications Corp. 
                                                              May 2002 
    
                   LDAP Proxied Authorization Control 
                   draft-weltman-ldapv3-proxy-11.txt 
 
 
Status of this Memo 
 
   This document is an Internet-Draft and is in full conformance with 
   all provisions of Section 10 of RFC2026. 
    
   Internet-Drafts are working documents of the Internet Task Force 
   (IETF), its areas, and its working groups.  Note that other groups 
   may also distribute working documents as Internet-Drafts. 
    
   Internet-Drafts are draft documents valid for a maximum of six months 
   and may be updated, replaced, or obsoleted by other documents at any 
   time.  It is inappropriate to use Internet Drafts as reference 
   material or to cite them other than as "work in progress." 
    
   The list of current Internet-Drafts can be accessed at 
   http://www.ietf.org/ietf/1id-abstracts.txt 
    
   The list of Internet-Draft Shadow Directories can be accessed at 
   http://www.ietf.org/shadow.html. 
    
    
Abstract 
    
   This document defines the Lightweight Directory Access Protocol 
   (LDAP) Proxied Authorization Control. The Proxied Authorization 
   Control allows a client to request that an operation be processed 
   under a provided authorization identity [AUTH] instead of as the 
   current authorization identity associated with the connection. 
    
    
1. Introduction 
    
   This document defines support for proxied authorization using the 
   Control mechanism. LDAP [LDAPV3] supports the use of SASL [SASL] for 
   authentication and for supplying an authorization identity distinct 
   from the authentication identity, where the authorization identity 
   applies to the whole LDAP session. The proposed Proxied Authorization 
   Control provides a mechanism for specifying an authorization identity 
   on a per operation basis, benefiting clients that need to efficiently 
   perform operations on behalf of multiple users. 
    
   The key words "MUST", "MUST NOT", "SHOULD", "SHOULD NOT", "MAY", and 
   "MAY NOT" used in this document  are  to be interpreted as described 
   in [KEYWORDS]. 
    
    
  
Expires November 2002                                         [Page 1] 

PROXIED AUTHORIZATION CONTROL                                 May 2002 
 
 
2. Publishing support for the Proxied Authorization Control 
    
   Support for the Proxied Authorization Control is indicated by the 
   presence of the OID "2.16.840.1.113730.3.4.18" in the 
   supportedControl attribute of a server's root DSE. 
    
    
3. Proxied Authorization Control 
    
   A single Proxied Authorization Control may be included in any search, 
   compare, modify, add, delete, modDN or extended operation request 
   message (with the exception of any extension that causes a change in 
   authentication, authorization, or data confidentiality [RFC 2828], 
   such as startTLS) as part of the controls field of the LDAPMessage, 
   as defined in [LDAPV3]. 
    
   The controlType of the proxied authorization control is 
   "2.16.840.1.113730.3.4.18". 
    
   The criticality MUST be present and MUST be TRUE. This requirement 
   protects clients from submitting a request that is executed with an 
   unintended authorization identity. 
    
   The controlValue is either an LDAPString [LDAPv3] containing an 
   authzId as defined in section 9 of [AUTH] to use as the authorization 
   identity for the request, or an empty value if the anonymous identity 
   is to be used. 
    
   The mechanism for determining proxy access rights is specific to the 
   server's access control policy. 
    
   If the requested authorization identity is recognized by the server, 
   and the client is authorized to adopt the requested authorization 
   identity, the request will be executed as if submitted by the proxied 
   authorization identity, otherwise the result code TBD is returned. 
   [Note to the IESG/IANA/RFC Editor: the value TBD is to be replaced 
   with an IANA assigned LDAP Result Code (see draft-ietf-ldapbis-iana-
   xx.txt, Section 3.5)] 
    
    
4. Implementation Considerations 
    
   The interaction of proxied authorization access control and normal 
   access control is illustrated here for the case of search requests. 
   During evaluation of a search request, an entry which would have been 
   returned for the search if submitted by the proxied authorization 
   identity directly may not be returned if the server finds that the 
   requester does not have the right to assume the requested identity 
   for searching the entry, even if the entry is within the scope of a 
   search request under a base DN which does imply such rights. This 
   means that fewer results, or no results, may be returned compared to 
   the case where the proxied authorization identity issued the request 
   directly. An example of such a case may be a system with fine-grained 
  
Expires November 2002                                         [Page 2] 

PROXIED AUTHORIZATION CONTROL                                 May 2002 
 
 
   access control, where the proxy right requester has proxy rights at 
   the top of a search tree, but not at or below a point or points 
   within the tree. 
    
    
5. Security Considerations 
    
   The Proxied Authorization Control method is subject to general LDAP 
   security considerations [LDAPV3] [AUTH] [LDAPTLS]. The control may be 
   passed over a secure as well as over an insecure channel. 
    
   The control allows for an additional authorization identity to be 
   passed. In some deployments, these identities may contain 
   confidential information which require privacy protection. 
    
   Note that the server is responsible for determining if a proxied 
   authorization request is to be honored. "Anonymous" users SHOULD NOT 
   be allowed to assume the identity of others. 
    
    
6. Copyright 
    
   Copyright (C) The Internet Society (date). All Rights Reserved. 
    
   This document and translations of it may be copied and furnished to 
   others, and derivative works that comment on or otherwise explain it 
   or assist in its implementation may be prepared, copied, published 
   and distributed, in whole or in part, without restriction of any 
   kind, provided that the above copyright notice and this paragraph are 
   included on all such copies and derivative works.  However, this 
   document itself may not be modified in any way, such as by removing 
   the copyright notice or references to the Internet Society or other 
   Internet organizations, except as needed for the  purpose of 
   developing Internet standards in which case the procedures for 
   copyrights defined in the Internet Standards process must be 
   followed, or as required to translate it into languages other than 
   English. 
    
   The limited permissions granted above are perpetual and will not be 
   revoked by the Internet Society or its successors or assigns. 
    
   This document and the information contained herein is provided on an 
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING 
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING 
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION 
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF 
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 
    
    
7. References 
    
   [LDAPV3] M. Wahl, T. Howes, S. Kille, "Lightweight Directory Access 
        Protocol (v3)", RFC 2251, December 1997. 
  
Expires November 2002                                         [Page 3] 

PROXIED AUTHORIZATION CONTROL                                 May 2002 
 
 
    
   [KEYWORDS] Bradner, Scott, "Key Words for use in RFCs to Indicate 
        Requirement Levels", draft-bradner-key-words-03.txt, January, 
        1997. 
    
    [SASL] J. Myers, "Simple Authentication and Security Layer (SASL)", 
        RFC 2222, October 1997 
    
   [AUTH] M. Wahl, H. Alvestrand, J. Hodges, R. Morgan, "Authentication 
        Methods for LDAP", RFC 2829, May 2000  
    
   [LDAPTLS] J. Hodges, R. Morgan, M. Wahl, "Lightweight Directory 
        Access Protocol (v3): Extension for Transport Layer Security", 
        RFC 2830, May 2000 
    
   [RFC 2828] R. Shirey, "Internet Security Glossary", RFC 2828, May 
        2000 
    
8. Author's Address 
    
   Rob Weltman 
   Netscape Communications Corp. 
   466 Ellis Street 
   Mountain View, CA 94043 
   USA 
   +1 650 937-3194 
   rweltman@netscape.com 
    
    
9. Acknowledgements 
    
   Mark Smith of Netscape Communications Corp., Mark Wahl of Sun 
   Microsystems, Inc, Kurt Zeilenga of OpenLDAP Foundation, Jim 
   Sermersheim of Novell, and Steven Legg of Adacel have contributed 
   with reviews of this draft. 
    
    
10. Revision History 

10.1 Changes from draft-weltman-ldapv3-proxy-10.txt 
 
   Clarified the interaction of proxy access rights and normal access 
   control evaluation. 
    

10.2 Changes from draft-weltman-ldapv3-proxy-09.txt 
 
   Removed description of Control mechanism from Abstract. 
    
   Added description of how this is different from SASL authz to the 
   Introduction. 

  
Expires November 2002                                         [Page 4] 

PROXIED AUTHORIZATION CONTROL                                 May 2002 
 
 
   Reworded description of the value of the control (no semantic 
   changes). 
   Added new result code TBD for failure to acquire proxy rights. 
    
   Added references to RFCs 2829 and 2830 in Security section. 
    

10.3 Changes from draft-weltman-ldapv3-proxy-08.txt 
 
   Proxied Authorization Control 
    
   Clarifications:  the control may not be submitted with a startTLS 
   request; an empty controlValue implies the anonymous identity; only 
   one control may be included with a request. 
    
   Permission to execute as proxy 
    
   Replaced "proxy identity" with "proxied authorization identity". 
    
    
   Security Considerations 
    
   Added statement that anonymous users should not be allowed to assume 
   the identity of others. 
    

10.4 Changes from draft-weltman-ldapv3-proxy-07.txt 
 
   Proxied Authorization Control 
    
   Clarification:  the content of the control is an LDAPString. 
    

10.5 Changes from draft-weltman-ldapv3-proxy-06.txt 
 
   None 
    















  
Expires November 2002                                         [Page 5] 

PROXIED AUTHORIZATION CONTROL                                 May 2002 
 
 
10.6 Changes from draft-weltman-ldapv3-proxy-05.txt 
    
   The control also applies to add and extended operations. 
    
   The control value is an authorization ID, not necessarily a DN. 
    
   Confidentiality concerns are mentioned. 
    

10.7 Changes from draft-weltman-ldapv3-proxy-04.txt 
    
   The control does not apply to bind, unbind, or abandon operations. 
    
   The proxy DN is represented as a string in the control, rather than 
   embedded in a sequence. 
    
   Support for the control is published in the supportedControl 
   attribute of the root DSE, not in supportedExtensions. 
    
   The security section mentions confidentiality issues with exposing an 
   additional identity. 
    

10.8 Changes from draft-weltman-ldapv3-proxy-03.txt 
    
   None 
    
    

10.9 Changes from draft-weltman-ldapv3-proxy-02.txt 
    
   The Control is now called Proxied Authorization Control, rather than 
   Proxied Authentication Control, to reflect that no authentication 
   occurs as a consequence of processing the Control. 
    
   Rather than containing an LDAPDN as the Control value, the Control 
   contains a Sequence (which contains an LDAPDN). This is to provide 
   for future extensions. 














  
Expires November 2002                                         [Page 6] 
