HTTP/1.1 200 OK Date: Tue, 09 Apr 2002 12:08:15 GMT Server: Apache/1.3.20 (Unix) Last-Modified: Fri, 14 Aug 1998 13:05:00 GMT ETag: "3ddbf8-1c15-35d435fc" Accept-Ranges: bytes Content-Length: 7189 Connection: close Content-Type: text/plain Network Working Group Rob Weltman INTERNET-DRAFT Netscape Communications Corp. Tim Howes Netscape Communications Corp. July 14, 1998 LDAP Proxied Authentication Control draft-weltman-ldapv3-proxy-01.txt Status of this Memo This document is an Internet Draft. Internet Drafts are working documents of the Internet Engineering Task Force (IETF), its Areas, and its Working Groups. Note that other groups may also distribute working documents as Internet Drafts. Internet Drafts are draft documents valid for a maximum of six months. Internet Drafts may be updated, replaced, or obsoleted by other documents at any time. It is not appropriate to use Internet Drafts as reference material or to cite them other than as a "working draft" or "work in progress". To learn the current status of any Internet-Draft, please check the 1id-abstracts.txt listing contained in the Internet-Drafts Shadow Directories on ftp.ietf.org, nic.nordu.net, ftp.isi.edu, or munnari.oz.au. Copyright (C) The Internet Society (1997). All Rights Reserved. Please see the Copyright section near the end of this document for more information. Abstract This document defines support for the Proxied Authentication Control. Controls are an LDAP protocol version 3 extension, to allow passing arbitrary control information along with a standard request to a server, and to receive arbitrary information back with a standard result. The Proxied Authentication Control allows a connection with sufficient privileges to assume the identity of another entry for the duration of an LDAP request. 1. Introduction Version 3 of the LDAP protocol provides a means of supplying arbitrary additional information along with a request to an LDAP server, and receiving arbitrary additional response information. The Control protocol extension is described in [1], section 4.1.12. This document defines support for proxied authentication using the Control mechanism. Expires 1/99 [Page 1] PROXIED AUTHENTICATION CONTROL July, 1998 The key words "MUST", "SHOULD", and "MAY" used in this document are to be interpreted as described in [2]. 2. Publishing support for the Proxied Authentication Control Support for the virtual list view extended operation is indicated by the presence of the OID "2.16.840.1.113730.3.4.12" in the supportedExtensions attribute of a server's root DSE. 3. Proxied Authentication Control This control may be included in any search, modify, delete, or modrdn request message as part of the controls field of the LDAPMessage, as defined in [1]. proxyAuthControl ::= SEQUENCE { controlType 2.16.840.1.113730.3.4.12, criticality BOOLEAN DEFAULT FALSE, controlValue proxyAuthValue } The criticality SHOULD be included and SHOULD be TRUE. If it is not TRUE, and the requester is not authorized to use proxied authentication within the target Directory tree, the requesterĘs own authentication will be used to execute the request. The controlValue is an OCTET STRING, whose value is the BER encoding of a value of the following: proxyAuthValue ::= LDAPDN 4. Permission to execute as proxy An LDAP server supporting the proxied authentication control may choose to honor or not honor a particular request. If the control is supported but a particular request is denied, the server MUST return the error code insufficientAccessRights. A typical implementation will evaluate if the requester has proxy access rights at the base DN of the request. If the requester has proxy access rights, and if the proxy DN corresponds to a valid entry in the directory managed by the server, the request will be honored. If the request is honored, it will be executed as if submitted by the proxy identity. 5. Security Considerations The proxied authentication control method is subject to standard LDAP security considerations. The control may be passed over a secure as Expires 1/99 [Page 2 PROXIED AUTHENTICATION CONTROL July, 1998 well as over an insecure channel. No additional confidential information is passed in the control. Note that the server is responsible for determining if a proxied authentication request is to be honored. 6. Copyright Copyright (C) The Internet Society (date). All Rights Reserved. This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English. The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns. This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 7. Bibliography [1] M. Wahl, T. Howes, S. Kille, "Lightweight Directory Access Protocol (v3)", Internet Draft draft-ietf-asid-ldapv3-protocol- 06.txt, July 1997. [2] Bradner, Scott, "Key Words for use in RFCs to Indicate Requirement Levels", draft-bradner-key-words-03.txt, January, 1997. Expires 1/99 [Page 3 PROXIED AUTHENTICATION CONTROL July, 1998 8. AuthorĘs Addresses Rob Weltman Netscape Communications Corp. 501 E. Middlefield Rd. Mountain View, CA 94043 USA +1 650 937-3301 rweltman@netscape.com Tim Howes Netscape Communications Corp. 501 E. Middlefield Rd. Mountain View, CA 94043 USA +1 650 937-3419 howes@netscape.com Expires 1/99 [Page 4