INTERNET-DRAFT                                        Kurt D. Zeilenga
Intended Category: Experimental                    OpenLDAP Foundation
Expires: 13 May 2002                                  13 November 2001

                          LDAPv3 Proxy Group

Status of Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026.

   This document is intended to be, after appropriate review and
   revision, submitted to the RFC Editor as an Experimental document.
   Distribution of this memo is unlimited. Technical discussion of this
   document will take place on the IETF LDAP Extension Working Group
   mailing list . Please send editorial comments directly to the
   author .

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups. Note that other
   groups may also distribute working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as ``work in progress.''

   The list of current Internet-Drafts can be accessed at . The list of
   Internet-Draft Shadow Directories can be accessed at .

   Copyright 2001, The Internet Society. All Rights Reserved.

   Please see the Copyright section near the end of this document for
   more information.

Abstract

   This document details a proxy authorization mechanism for LDAPv3
   [RFC2251] which allows an authenticated client to concurrently issue
   operations on behalf of multiple entities. The mechanism utilizes the
   LDAPv3 Grouping of Related Operations [GROUPING] framework.

Zeilenga                 LDAP Proxy Group                      [Page 1]

INTERNET-DRAFT     draft-zeilenga-ldap-proxy-grp-00     13 November 2001

1. Background and Intended Use

   LDAP supports a means for a client to request authorization as an
   identity different from that of the authenticated user as part of a
   SASL [RFC2222] Bind operation [RFC2829].
   This authorization, if accepted by the server, applies to all
   operations which are issued by the client until another Bind request
   is issued. However, it is often desirable for a client to
   concurrently issue operations on behalf of multiple entities.

   This document provides a mechanism to allow clients to group
   [GROUPING] related operations by the authorization identity under
   which the client wishes them to be processed. The createGrouping
   operation is used to assert an authorization identity. The resulting
   group cookie is then used to identify operations which are to be
   processed under this authorization. The endGrouping operation is used
   to inform the server that the group is no longer needed.

   This document is a ''work in progress.'' This specification will
   likely be significantly enhanced before it is progressed.

   The key words "SHALL", "SHALL NOT", "MUST", "MUST NOT", "SHOULD",
   "SHOULD NOT", "MAY" and "MAY NOT" used in this document are to be
   interpreted as described in BCP 14 [RFC2119].

2. Specification of a Proxy Group

   Servers implementing this specification SHOULD publish the
   proxyGroupingType as a value of the supportedGroupingTypes attribute
   contained within the Root DSE.

      proxyGroupingType ::= 1.1.1   ;; fictitious

   A client wishing to perform operations as authorized by an identity
   other than its authentication identity issues a createGroupingRequest
   with a createGroupType of proxyGroupingType and a createGroupValue
   containing the authzId [RFC2829] representing the identity it would
   like to assume. A server which is willing and able to allow the
   client to assume this identity SHALL return a createGroupingResponse
   with a success result code, a createGroupCookie, and no
   createGroupValue. Otherwise the server SHALL return a non-success
   result code, no createGroupCookie, and no createGroupValue.

   The client MAY then attach a GroupingControl to subsequent operations
   to indicate that they are to be processed under the assumed
   authorization identity.
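   The createGrouping / GroupingControl / endGrouping lifecycle of this
   section, together with the server-side checks the Security
   Considerations call for (no proxying for anonymously bound clients,
   no proxy grouping without adequate protections, one proxy
   authorization policy), modelled as an added example that is not part
   of this draft or of any LDAP implementation. The LDAP wire encoding
   is omitted; Session, ProxyGroupServer, the policy table, the cookie
   length and the binding of a cookie to the connection that created it
   are assumptions of the example, while the result codes are the
   standard LDAPv3 ones.

```python
import secrets
from dataclasses import dataclass

PROXY_GROUPING_TYPE = "1.1.1"   # fictitious OID used by the draft
# LDAPv3 result codes [RFC2251] returned below; any non-success code satisfies the draft
SUCCESS, STRONGER_AUTH_REQUIRED, CONFIDENTIALITY_REQUIRED = 0, 8, 13
INSUFFICIENT_ACCESS_RIGHTS, UNWILLING_TO_PERFORM = 50, 53

@dataclass
class Session:
    """One client connection (assumed model): bound identity and negotiated security layers."""
    authn_id: "str | None"        # None models an anonymous bind
    integrity: bool = False       # e.g. TLS [RFC2830] or a SASL security layer [RFC2222]
    confidentiality: bool = False

class ProxyGroupServer:
    def __init__(self, policy):
        self.policy = policy      # authn_id -> set of authzIds it may assume (constructed)
        self.groups = {}          # createGroupCookie -> (owning Session, assumed authzId)

    def create_grouping(self, session, group_type, group_value):
        """createGroupingRequest; returns (resultCode, createGroupCookie or None)."""
        if group_type != PROXY_GROUPING_TYPE:
            return UNWILLING_TO_PERFORM, None
        if session.authn_id is None:                        # 4.1: never for anonymous clients
            return STRONGER_AUTH_REQUIRED, None
        if not (session.integrity and session.confidentiality):   # 4, 4.2-4.4: protections
            return CONFIDENTIALITY_REQUIRED, None
        if group_value not in self.policy.get(session.authn_id, ()):   # 4.1: one proxy policy
            return INSUFFICIENT_ACCESS_RIGHTS, None
        cookie = secrets.token_bytes(16)                    # unguessable group cookie
        self.groups[cookie] = (session, group_value)
        return SUCCESS, cookie

    def perform(self, session, operation, cookie=None):
        """Run operation(authz_id); a GroupingControl carrying cookie selects the assumed identity."""
        if cookie is None:
            return SUCCESS, operation(session.authn_id)
        entry = self.groups.get(cookie)
        if entry is None or entry[0] is not session:       # unknown, revoked, or another connection's
            return UNWILLING_TO_PERFORM, None
        return SUCCESS, operation(entry[1])

    def end_grouping_notice(self, cookie):
        self.groups.pop(cookie, None)   # server-initiated endGroupingNotice: cookie is now void

    def end_grouping(self, session, cookie):
        """endGroupingRequest: dissociate the cookie from the authzId; client drops it regardless."""
        if self.groups.get(cookie, (None,))[0] is not session:
            return UNWILLING_TO_PERFORM
        del self.groups[cookie]
        return SUCCESS
```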
   The server then performs the operation under the assumed identity.

   If the server becomes unwilling or unable to allow the client to
   continue issuing operations under the assumed authorization identity,
   the server SHOULD issue an endGroupingNotice. Any future use of the
   cookie by the client SHALL result in a response containing a
   non-success result code. Upon receipt of an endGroupingNotice, the
   client SHOULD discontinue all use of the grouping cookie. The client
   SHOULD NOT issue an endGroupingRequest for the grouping cookie as the
   grouping is null and void.

   If the client no longer wishes to issue operations under the assumed
   identity, it SHOULD issue an endGroupingRequest where the groupCookie
   is the group cookie associated with the assumed authorization
   identity and no endGroupValue is provided. Upon receipt of this
   request, the server SHALL dissociate the group cookie from the
   authorization identity and return an appropriate result code.
   Regardless of the result code, the client SHALL refrain from further
   use of the groupCookie.

4. Security Considerations

   Because proxies often have access to a great deal of information,
   they are frequent targets of attack. The client SHALL establish
   adequate protections. The server SHALL disallow creation of a proxy
   grouping when inadequate protections are in place.

4.1. Permission to assume an identity

   It is the sole responsibility of the LDAP server to determine whether
   or not it will allow an authenticated client to assume the identity
   of another entity. In general, server implementations have one proxy
   authorization policy which applies to this mechanism, SASL proxy
   authorization [RFC2222][RFC2829], and other proxy authorization
   mechanisms. Servers SHALL NOT allow an anonymously bound client to
   assume the identity of any user.

4.2. Confidentiality of Identity Information

   This mechanism allows for additional identity information to be
   transferred. This information may contain sensitive information and
   SHOULD be protected using data confidentiality services
   [RFC2829][RFC2830].

4.3. Data Confidentiality

   If the client's authentication identity or any authorization identity
   it may assume has access to sensitive information, the client SHOULD
   be protected using data confidentiality services [RFC2829][RFC2830].

4.4. Hijacking of the Proxying Session

   To protect against man-in-the-middle and hijacking attacks, these
   mechanisms SHALL only be used when integrity protections are in
   place.

5. Acknowledgments

   This document borrows from prior work in this area including the
   "LDAP Proxied Authorization Control" [PROXYCTL] by Rob Weltman.

6. Additional Information

   The author may be contacted as follows:

      Kurt D. Zeilenga
      OpenLDAP Foundation

References

   [RFC2119]  S. Bradner, "Key Words for use in RFCs to Indicate
              Requirement Levels", Harvard University, BCP 14 (also
              RFC 2119), March 1997.

   [RFC2222]  J. Myers, "Simple Authentication and Security Layer
              (SASL)", RFC 2222, October 1997.

   [RFC2251]  M. Wahl, S. Kille, T. Howes, "Lightweight Directory Access
              Protocol (v3)", RFC 2251, December 1997.

   [RFC2829]  M. Wahl, H. Alvestrand, J. Hodges, RL "Bob" Morgan,
              "Authentication Methods for LDAP", RFC 2829, June 2000.

   [RFC2830]  J. Hodges, R. Morgan, and M. Wahl, "Lightweight Directory
              Access Protocol (v3): Extension for Transport Layer
              Security", RFC 2830, May 2000.

   [GROUPING] K. Zeilenga, "LDAPv3: Grouping of Related Operations",
              draft-zeilenga-ldap-grouping-xx.txt, a work in progress.

   [AUTHZID]  K. Zeilenga, "LDAP AuthzId Operation",
              draft-zeilenga-ldap-authzid-xx.txt, a work in progress.

   [PROXYCTL] R. Weltman, "LDAP Proxied Authorization Control",
              draft-weltman-ldapv3-proxy-xx.txt, a work in progress.

Copyright 2001, The Internet Society. All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph are
   included on all such copies and derivative works. However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assigns.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE AUTHORS, THE INTERNET SOCIETY, AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED,
   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.