Network Working Group                                        A. Melnikov
Internet Draft                                             Isode Limited
Document: draft-melnikov-ldap-krb-authzid-00.txt                May 2004
Expires in six months


       Additional authorization identity syntax for Kerberos-aware
                              Directories


Status of this Memo

   This document is an Internet Draft and is in full conformance with
   all provisions of Section 10 of RFC 2026.

   Internet Drafts are working documents of the Internet Engineering
   Task Force (IETF), its Areas, and its Working Groups. Note that
   other groups may also distribute working documents as Internet
   Drafts.

   Internet Drafts are draft documents valid for a maximum of six
   months. Internet Drafts may be updated, replaced, or obsoleted by
   other documents at any time. It is not appropriate to use Internet
   Drafts as reference material or to cite them other than as ``work
   in progress''.

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   A revised version of this draft document will be submitted to the
   RFC editor as a Draft Standard for the Internet Community.
   Discussion and suggestions for improvement are requested.
   Distribution of this draft is unlimited.


A. Melnikov                                                    [Page i]

Internet DRAFT                    SASL                      16 May 2004


Abstract

   This document defines a new LDAP authorization identity syntax for
   Kerberos-aware Directories.

1. Conventions used in this document

   The key words "MUST", "MUST NOT", "SHOULD", "SHOULD NOT", and "MAY"
   in this document are to be interpreted as defined in "Key words for
   use in RFCs to Indicate Requirement Levels" [KEYWORDS].

2. Authorization Identity Syntax for Kerberos

   This document defines a new LDAP [LDAP] authorization identity
   syntax for Directories that support Kerberos V5 [KERBEROS]. For
   example, an LDAP server that implements the SASL GSSAPI mechanism
   [SASL-GSSAPI] may also support the new syntax defined below.
   The following syntax specification uses the augmented Backus-Naur
   Form (BNF) notation as specified in [ABNF]. Non-terminals referenced
   but not defined below are as defined by [LDAP-AUTHMECH], [KERBEROS]
   and [UTF-8].

   authzId =/ krbAuthzId

   KRBCOLON = %x6B %x72 %x62 %x3a     ; "krb:"

   krbAuthzId = KRBCOLON krbPrincipal
       ; kerberos-principal-name-based authorization id.

   krbRealmDelimiter = %x40           ; '@'
   krbComponentDelimiter = %x2F       ; '/'

   krbPrincipal = krbNameComponents [krbRealmDelimiter krbRealm]

   krbNameComponents = krbNameComponent
                       *(krbComponentDelimiter krbNameComponent)

   krbNameComponent = KerberosString  ; *UTF8
       ; This corresponds to an individual "name-string" of
       ; "PrincipalName" as defined in [KERBEROS].
       ;
       ; '/', '\' and '@' characters must be escaped by
       ; prefixing with \, i.e. "\@"

   krbRealm = KerberosString          ; *UTF8
       ; This corresponds to "Realm" as defined in [KERBEROS].
       ; The syntax is constrained as described in section 6
       ; of [KERBEROS].
       ;
       ; '/', '\' and '@' characters must be escaped by
       ; prefixing with \, i.e. "\@"

   The krbAuthzId choice allows a client to assert an authorization
   identity of a Kerberos principal when the client doesn't know a
   corresponding distinguished name for the asserted identity.

   A krbAuthzId is prefixed with the unique prefix "krb:", which is
   followed by a Kerberos principal (krbPrincipal). krbPrincipal
   consists of one or more components (components of "name-string"
   [KERBEROS]) that form a principal name, followed by an optional
   Kerberos realm (krbRealm).

   <>

   Before constructing a krbPrincipal, each principal name component
   and the realm MUST be prepared using the "SASLPrep" profile
   [SASLPrep] of the "stringprep" algorithm [RFC3454].

   <>

   All the krbNameComponent elements are delimited by the '/'
   character. The principal name components are separated from the
   realm by the '@' character.
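   As an added example (not code from this draft), the following Python
   parses and re-serialises krbAuthzId values according to the ABNF
   above, including the '\' escapes for '/', '\' and '@'. It assumes the
   caller has already applied SASLprep (the Python standard library has
   no SASLprep), and its rejection of escapes other than those three
   characters and of empty components or an empty realm are this
   example's own strictness choices, not requirements stated by the
   draft.

```python
# Added example (not code from the draft): parse and build "krb:" authzIds per
# the Section 2 ABNF. SASLprep of each component and the realm, which the draft
# requires, is assumed to be done by the caller and is not performed here.
import re
from typing import List, Optional, Tuple

PREFIX = "krb:"
ESCAPABLE = {"/", "\\", "@"}                   # the characters the draft escapes with '\'
_TOKEN = re.compile(r"\\.|[^\\]", re.DOTALL)   # one escape pair or one plain char


def parse_krb_authzid(authzid: str) -> Tuple[List[str], Optional[str]]:
    """Return (name components, realm or None); raise ValueError on bad input.
    Rejected: missing prefix, dangling '\\', escape of a char outside ESCAPABLE,
    unescaped '/' or '@' inside the realm, and (this example's defensive choice,
    the ABNF itself is *UTF8) an empty component or an empty realm."""
    if not authzid.startswith(PREFIX):
        raise ValueError("authzId does not start with 'krb:'")
    body = authzid[len(PREFIX):]
    tokens = _TOKEN.findall(body)
    if "".join(tokens) != body:          # a trailing lone backslash never tokenizes
        raise ValueError("dangling backslash")
    components, current, in_realm = [], [], False
    for tok in tokens:
        if len(tok) == 2:                          # "\x": escaped character
            if tok[1] not in ESCAPABLE:
                raise ValueError("undefined escape %r" % tok)
            current.append(tok[1])
        elif tok in "/@" and in_realm:             # realm may not hold bare delimiters
            raise ValueError("unescaped %r inside realm" % tok)
        elif tok in "/@":                          # '/' ends a component, '@' starts realm
            components.append("".join(current))
            current = []
            in_realm = tok == "@"
        else:
            current.append(tok)
    realm: Optional[str] = "".join(current) if in_realm else None
    if not in_realm:
        components.append("".join(current))
    if "" in components or realm == "":
        raise ValueError("empty name component or realm")
    return components, realm


def _escape(s: str) -> str:
    return "".join("\\" + c if c in ESCAPABLE else c for c in s)


def format_krb_authzid(components: List[str], realm: Optional[str]) -> str:
    """Inverse of parse_krb_authzid: re-escape and join with '/' and '@'."""
    out = PREFIX + "/".join(_escape(c) for c in components)
    return out if realm is None else out + "@" + _escape(realm)
```

   A server mapping krbPrincipal to a DN should parse first and only then
   build the DN from the unescaped components, so an escaped '@' or '/'
   in a component can never be mistaken for a realm or component boundary.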
   Because of the special meaning of '/' and '@' as delimiters, they
   are not allowed to appear unescaped inside a krbNameComponent (see
   Section 6.2 of [KERBEROS] for an example) or a krbRealm. The '\'
   character is used as the escape character. The '\' itself has to
   be escaped.

   Note that it is typical for Kerberos/GSSAPI implementations to use
   <>

   <>

   Note that the name-type element of PrincipalName [KERBEROS] is not
   used in krbPrincipal.

   This document doesn't mandate how an LDAP server performs the
   internal mapping of a krbPrincipal to the corresponding
   distinguished name. For example, an implementation may choose to
   do an algorithmic mapping ("user1@EXAMPLE.COM" ==>
   "cn=user1, dc=EXAMPLE, dc=COM"), or perform a search-based mapping.
   The client may use the LDAP "Who am I?" Extended Operation
   [WHO-AM-I] to discover the resulting distinguished name.

3. Security considerations

   <>

4. References

4.1. Normative References

   [KEYWORDS]      Bradner, S., "Key words for use in RFCs to Indicate
                   Requirement Levels", RFC 2119, March 1997.

   [KERBEROS]      Neuman, C., Yu, T., Hartman, S. and K. Raeburn, "The
                   Kerberos Network Authentication Service (V5)", work
                   in progress,
                   draft-ietf-krb-wg-kerberos-clarifications-xx.txt.

   [LDAP-AUTHMECH] Harrison, R. (Editor), "LDAP: Authentication Methods
                   and Connection Level Security Mechanisms", work in
                   progress, draft-ietf-ldapbis-authmeth-xx.txt.

   [ABNF]          Crocker, D., Ed. and P. Overell, "Augmented BNF for
                   Syntax Specifications: ABNF", RFC 2234, November
                   1997.

   [UTF-8]         Yergeau, F., "UTF-8, a transformation format of ISO
                   10646", RFC 3629, STD 63, November 2003.

   [RFC3454]       Hoffman, P. and M. Blanchet, "Preparation of
                   Internationalized Strings ("stringprep")", RFC 3454,
                   December 2002.

   [SASLPrep]      Zeilenga, K., "SASLprep: Stringprep profile for user
                   names and passwords", work in progress,
                   draft-ietf-sasl-saslprep-XX.txt.

4.2. Informative References

   [SASL-GSSAPI]   Melnikov, A., "SASL GSSAPI mechanisms",
                   draft-ietf-sasl-gssapi, work in progress.

   [WHO-AM-I]      Zeilenga, K., "LDAP "Who am I?" Operation",
                   draft-zeilenga-ldap-authzid-xx.txt, work in
                   progress.

5. Author's Address

   Alexey Melnikov
   Isode Limited
   5 Castle Business Village
   36 Station Road
   Hampton, Middlesex TW12 2BX, United Kingdom

   Email: Alexey.Melnikov@isode.com
   URI:   http://www.melnikov.ca/

6. Acknowledgments

   Thanks to Chris Ridd for providing useful feedback and suggestions.

7. Full Copyright Statement

   Copyright (C) The Internet Society (2004). All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph
   are included on all such copies and derivative works. However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assigns.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Acknowledgement

   Funding for the RFC Editor function is currently provided by the
   Internet Society.

8. Intellectual Property

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed
   to pertain to the implementation or use of the technology described
   in this document or the extent to which any license under such
   rights might or might not be available; nor does it represent that
   it has made any independent effort to identify any such rights.
   Information on the procedures with respect to rights in RFC
   documents can be found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use
   of such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository
   at http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard. Please address the information to the IETF at
   ietf-ipr@ietf.org.


Status of this Memo .......................................... i
Abstract ..................................................... 2
1. Conventions used in this document ......................... 2
2. Authorization Identity Syntax for Kerberos ................ 2
3. Security considerations ................................... 4
4. References ................................................ 4
4.1. Normative References .................................... 4
4.2. Informative References .................................. 5
5. Author's Address .......................................... 5
6. Acknowledgments ........................................... 5
7. Full Copyright Statement .................................. 5
8. Intellectual Property ..................................... 6