From 3faab3e6dd2c804ae81a910275339f6ce8237e77 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Sat, 22 Jul 2006 19:26:52 +0000 Subject: r17189: Add the new LDAP rfc series (This used to be commit d3f8b813b33d1338e62f099017a1d4a32745e7a2) --- source4/ldap_server/devdocs/rfc4513.txt | 1907 +++++++++++++++++++++++++++++++ 1 file changed, 1907 insertions(+) create mode 100644 source4/ldap_server/devdocs/rfc4513.txt (limited to 'source4/ldap_server/devdocs/rfc4513.txt') diff --git a/source4/ldap_server/devdocs/rfc4513.txt b/source4/ldap_server/devdocs/rfc4513.txt new file mode 100644 index 0000000000..7e6e7eb4bd --- /dev/null +++ b/source4/ldap_server/devdocs/rfc4513.txt @@ -0,0 +1,1907 @@ + + + + + + +Network Working Group R. Harrison, Ed. +Request for Comments: 4513 Novell, Inc. +Obsoletes: 2251, 2829, 2830 June 2006 +Category: Standards Track + + + Lightweight Directory Access Protocol (LDAP): + Authentication Methods and Security Mechanisms + +Status of This Memo + + This document specifies an Internet standards track protocol for the + Internet community, and requests discussion and suggestions for + improvements. Please refer to the current edition of the "Internet + Official Protocol Standards" (STD 1) for the standardization state + and status of this protocol. Distribution of this memo is unlimited. + +Copyright Notice + + Copyright (C) The Internet Society (2006). + +Abstract + + This document describes authentication methods and security + mechanisms of the Lightweight Directory Access Protocol (LDAP). This + document details establishment of Transport Layer Security (TLS) + using the StartTLS operation. + + This document details the simple Bind authentication method including + anonymous, unauthenticated, and name/password mechanisms and the + Simple Authentication and Security Layer (SASL) Bind authentication + method including the EXTERNAL mechanism. + + This document discusses various authentication and authorization + states through which a session to an LDAP server may pass and the + actions that trigger these state changes. + + This document, together with other documents in the LDAP Technical + Specification (see Section 1 of the specification's road map), + obsoletes RFC 2251, RFC 2829, and RFC 2830. + + + + + + + + + + + +Harrison Standards Track [Page 1] + +RFC 4513 LDAP Authentication Methods June 2006 + + +Table of Contents + + 1. Introduction ....................................................4 + 1.1. Relationship to Other Documents ............................6 + 1.2. Conventions ................................................6 + 2. Implementation Requirements .....................................7 + 3. StartTLS Operation ..............................................8 + 3.1. TLS Establishment Procedures ..............................8 + 3.1.1. StartTLS Request Sequencing .........................8 + 3.1.2. Client Certificate ..................................9 + 3.1.3. Server Identity Check ...............................9 + 3.1.3.1. Comparison of DNS Names ...................10 + 3.1.3.2. Comparison of IP Addresses ................11 + 3.1.3.3. Comparison of Other subjectName Types .....11 + 3.1.4. Discovery of Resultant Security Level ..............11 + 3.1.5. Refresh of Server Capabilities Information .........11 + 3.2. Effect of TLS on Authorization State .....................12 + 3.3. TLS Ciphersuites ..........................................12 + 4. Authorization State ............................................13 + 5. Bind Operation .................................................14 + 5.1. Simple Authentication Method ..............................14 + 5.1.1. Anonymous Authentication Mechanism of Simple Bind ..14 + 5.1.2. Unauthenticated Authentication Mechanism of + Simple Bind ........................................14 + 5.1.3. Name/Password Authentication Mechanism of + Simple Bind ........................................15 + 5.2. SASL Authentication Method ................................16 + 5.2.1. SASL Protocol Profile ..............................16 + 5.2.1.1. SASL Service Name for LDAP ................16 + 5.2.1.2. SASL Authentication Initiation and + Protocol Exchange .........................16 + 5.2.1.3. Optional Fields ...........................17 + 5.2.1.4. Octet Where Negotiated Security + Layers Take Effect ........................18 + 5.2.1.5. Determination of Supported SASL + Mechanisms ................................18 + 5.2.1.6. Rules for Using SASL Layers ...............19 + 5.2.1.7. Support for Multiple Authentications ......19 + 5.2.1.8. SASL Authorization Identities .............19 + 5.2.2. SASL Semantics within LDAP .........................20 + 5.2.3. SASL EXTERNAL Authentication Mechanism .............20 + 5.2.3.1. Implicit Assertion ........................21 + 5.2.3.2. Explicit Assertion ........................21 + 6. Security Considerations ........................................21 + 6.1. General LDAP Security Considerations ......................21 + 6.2. StartTLS Security Considerations ..........................22 + 6.3. Bind Operation Security Considerations ....................23 + 6.3.1. Unauthenticated Mechanism Security Considerations ..23 + + + +Harrison Standards Track [Page 2] + +RFC 4513 LDAP Authentication Methods June 2006 + + + 6.3.2. Name/Password Mechanism Security Considerations ....23 + 6.3.3. Password-Related Security Considerations ...........23 + 6.3.4. Hashed Password Security Considerations ............24 + 6.4. SASL Security Considerations ..............................24 + 6.5. Related Security Considerations ...........................25 + 7. IANA Considerations ............................................25 + 8. Acknowledgements ...............................................25 + 9. Normative References ...........................................26 + 10. Informative References ........................................27 + Appendix A. Authentication and Authorization Concepts .............28 + A.1. Access Control Policy .....................................28 + A.2. Access Control Factors ....................................28 + A.3. Authentication, Credentials, Identity .....................28 + A.4. Authorization Identity ....................................29 + Appendix B. Summary of Changes ....................................29 + B.1. Changes Made to RFC 2251 ..................................30 + B.1.1. Section 4.2.1 ("Sequencing of the Bind Request") ...30 + B.1.2. Section 4.2.2 ("Authentication and Other Security + Services") .........................................30 + B.2. Changes Made to RFC 2829 ..................................30 + B.2.1. Section 4 ("Required security mechanisms") .........30 + B.2.2. Section 5.1 ("Anonymous authentication + procedure") ........................................31 + B.2.3. Section 6 ("Password-based authentication") ........31 + B.2.4. Section 6.1 ("Digest authentication") ..............31 + B.2.5. Section 6.2 ("'simple' authentication choice under + TLS encryption") ...................................31 + B.2.6. Section 6.3 ("Other authentication choices with + TLS") ..............................................31 + B.2.7. Section 7.1 ("Certificate-based authentication + with TLS") .........................................31 + B.2.8. Section 8 ("Other mechanisms") .....................32 + B.2.9. Section 9 ("Authorization Identity") ...............32 + B.2.10. Section 10 ("TLS Ciphersuites") ...................32 + B.3. Changes Made to RFC 2830 ..................................32 + B.3.1. Section 3.6 ("Server Identity Check") ..............32 + B.3.2. Section 3.7 ("Refresh of Server Capabilities + Information") ......................................33 + B.3.3. Section 5 ("Effects of TLS on a Client's + Authorization Identity") ...........................33 + B.3.4. Section 5.2 ("TLS Connection Closure Effects") .....33 + + + + + + + + + + +Harrison Standards Track [Page 3] + +RFC 4513 LDAP Authentication Methods June 2006 + + +1. Introduction + + The Lightweight Directory Access Protocol (LDAP) [RFC4510] is a + powerful protocol for accessing directories. It offers means of + searching, retrieving, and manipulating directory content and ways to + access a rich set of security functions. + + It is vital that these security functions be interoperable among all + LDAP clients and servers on the Internet; therefore there has to be a + minimum subset of security functions that is common to all + implementations that claim LDAP conformance. + + Basic threats to an LDAP directory service include (but are not + limited to): + + (1) Unauthorized access to directory data via data-retrieval + operations. + + (2) Unauthorized access to directory data by monitoring access of + others. + + (3) Unauthorized access to reusable client authentication information + by monitoring access of others. + + (4) Unauthorized modification of directory data. + + (5) Unauthorized modification of configuration information. + + (6) Denial of Service: Use of resources (commonly in excess) in a + manner intended to deny service to others. + + (7) Spoofing: Tricking a user or client into believing that + information came from the directory when in fact it did not, + either by modifying data in transit or misdirecting the client's + transport connection. Tricking a user or client into sending + privileged information to a hostile entity that appears to be the + directory server but is not. Tricking a directory server into + believing that information came from a particular client when in + fact it came from a hostile entity. + + (8) Hijacking: An attacker seizes control of an established protocol + session. + + Threats (1), (4), (5), (6), (7), and (8) are active attacks. Threats + (2) and (3) are passive attacks. + + + + + + +Harrison Standards Track [Page 4] + +RFC 4513 LDAP Authentication Methods June 2006 + + + Threats (1), (4), (5), and (6) are due to hostile clients. Threats + (2), (3), (7), and (8) are due to hostile agents on the path between + client and server or hostile agents posing as a server, e.g., IP + spoofing. + + LDAP offers the following security mechanisms: + + (1) Authentication by means of the Bind operation. The Bind + operation provides a simple method that supports anonymous, + unauthenticated, and name/password mechanisms, and the Simple + Authentication and Security Layer (SASL) method, which supports a + wide variety of authentication mechanisms. + + (2) Mechanisms to support vendor-specific access control facilities + (LDAP does not offer a standard access control facility). + + (3) Data integrity service by means of security layers in Transport + Layer Security (TLS) or SASL mechanisms. + + (4) Data confidentiality service by means of security layers in TLS + or SASL mechanisms. + + (5) Server resource usage limitation by means of administrative + limits configured on the server. + + (6) Server authentication by means of the TLS protocol or SASL + mechanisms. + + LDAP may also be protected by means outside the LDAP protocol, e.g., + with IP layer security [RFC4301]. + + Experience has shown that simply allowing implementations to pick and + choose the security mechanisms that will be implemented is not a + strategy that leads to interoperability. In the absence of mandates, + clients will continue to be written that do not support any security + function supported by the server, or worse, they will only support + mechanisms that provide inadequate security for most circumstances. + + It is desirable to allow clients to authenticate using a variety of + mechanisms including mechanisms where identities are represented as + distinguished names [X.501][RFC4512], in string form [RFC4514], or as + used in different systems (e.g., simple user names [RFC4013]). + Because some authentication mechanisms transmit credentials in plain + text form, and/or do not provide data security services and/or are + subject to passive attacks, it is necessary to ensure secure + interoperability by identifying a mandatory-to-implement mechanism + for establishing transport-layer security services. + + + + +Harrison Standards Track [Page 5] + +RFC 4513 LDAP Authentication Methods June 2006 + + + The set of security mechanisms provided in LDAP and described in this + document is intended to meet the security needs for a wide range of + deployment scenarios and still provide a high degree of + interoperability among various LDAP implementations and deployments. + +1.1. Relationship to Other Documents + + This document is an integral part of the LDAP Technical Specification + [RFC4510]. + + This document, together with [RFC4510], [RFC4511], and [RFC4512], + obsoletes RFC 2251 in its entirety. Sections 4.2.1 (portions) and + 4.2.2 of RFC 2251 are obsoleted by this document. Appendix B.1 + summarizes the substantive changes made to RFC 2251 by this document. + + This document obsoletes RFC 2829 in its entirety. Appendix B.2 + summarizes the substantive changes made to RFC 2829 by this document. + + Sections 2 and 4 of RFC 2830 are obsoleted by [RFC4511]. The + remainder of RFC 2830 is obsoleted by this document. Appendix B.3 + summarizes the substantive changes made to RFC 2830 by this document. + +1.2. Conventions + + The key words "MUST", "MUST NOT", "SHALL", "SHOULD", "SHOULD NOT", + "MAY", and "OPTIONAL" in this document are to be interpreted as + described in RFC 2119 [RFC2119]. + + The term "user" represents any human or application entity that is + accessing the directory using a directory client. A directory client + (or client) is also known as a directory user agent (DUA). + + The term "transport connection" refers to the underlying transport + services used to carry the protocol exchange, as well as associations + established by these services. + + The term "TLS layer" refers to TLS services used in providing + security services, as well as associations established by these + services. + + The term "SASL layer" refers to SASL services used in providing + security services, as well as associations established by these + services. + + The term "LDAP message layer" refers to the LDAP Message (PDU) + services used in providing directory services, as well as + associations established by these services. + + + + +Harrison Standards Track [Page 6] + +RFC 4513 LDAP Authentication Methods June 2006 + + + The term "LDAP session" refers to combined services (transport + connection, TLS layer, SASL layer, LDAP message layer) and their + associations. + + In general, security terms in this document are used consistently + with the definitions provided in [RFC2828]. In addition, several + terms and concepts relating to security, authentication, and + authorization are presented in Appendix A of this document. While + the formal definition of these terms and concepts is outside the + scope of this document, an understanding of them is prerequisite to + understanding much of the material in this document. Readers who are + unfamiliar with security-related concepts are encouraged to review + Appendix A before reading the remainder of this document. + +2. Implementation Requirements + + LDAP server implementations MUST support the anonymous authentication + mechanism of the simple Bind method (Section 5.1.1). + + LDAP implementations that support any authentication mechanism other + than the anonymous authentication mechanism of the simple Bind method + MUST support the name/password authentication mechanism of the simple + Bind method (Section 5.1.3) and MUST be capable of protecting this + name/password authentication using TLS as established by the StartTLS + operation (Section 3). + + Implementations SHOULD disallow the use of the name/password + authentication mechanism by default when suitable data security + services are not in place, and they MAY provide other suitable data + security services for use with this authentication mechanism. + + Implementations MAY support additional authentication mechanisms. + Some of these mechanisms are discussed below. + + LDAP server implementations SHOULD support client assertion of + authorization identity via the SASL EXTERNAL mechanism (Section + 5.2.3). + + LDAP server implementations that support no authentication mechanism + other than the anonymous mechanism of the simple bind method SHOULD + support use of TLS as established by the StartTLS operation (Section + 3). (Other servers MUST support TLS per the second paragraph of this + section.) + + + + + + + + +Harrison Standards Track [Page 7] + +RFC 4513 LDAP Authentication Methods June 2006 + + + Implementations supporting TLS MUST support the + TLS_RSA_WITH_3DES_EDE_CBC_SHA ciphersuite and SHOULD support the + TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA ciphersuite. Support for the + latter ciphersuite is recommended to encourage interoperability with + implementations conforming to earlier LDAP StartTLS specifications. + +3. StartTLS Operation + + The Start Transport Layer Security (StartTLS) operation defined in + Section 4.14 of [RFC4511] provides the ability to establish TLS + [RFC4346] in an LDAP session. + + The goals of using the TLS protocol with LDAP are to ensure data + confidentiality and integrity, and to optionally provide for + authentication. TLS expressly provides these capabilities, although + the authentication services of TLS are available to LDAP only in + combination with the SASL EXTERNAL authentication method (see Section + 5.2.3), and then only if the SASL EXTERNAL implementation chooses to + make use of the TLS credentials. + +3.1. TLS Establishment Procedures + + This section describes the overall procedures clients and servers + must follow for TLS establishment. These procedures take into + consideration various aspects of the TLS layer including discovery of + resultant security level and assertion of the client's authorization + identity. + +3.1.1. StartTLS Request Sequencing + + A client may send the StartTLS extended request at any time after + establishing an LDAP session, except: + + - when TLS is currently established on the session, + - when a multi-stage SASL negotiation is in progress on the + session, or + - when there are outstanding responses for operation requests + previously issued on the session. + + As described in [RFC4511], Section 4.14.1, a (detected) violation of + any of these requirements results in a return of the operationsError + resultCode. + + Client implementers should ensure that they strictly follow these + operation sequencing requirements to prevent interoperability issues. + Operational experience has shown that violating these requirements + + + + + +Harrison Standards Track [Page 8] + +RFC 4513 LDAP Authentication Methods June 2006 + + + causes interoperability issues because there are race conditions that + prevent servers from detecting some violations of these requirements + due to factors such as server hardware speed and network latencies. + + There is no general requirement that the client have or have not + already performed a Bind operation (Section 5) before sending a + StartTLS operation request; however, where a client intends to + perform both a Bind operation and a StartTLS operation, it SHOULD + first perform the StartTLS operation so that the Bind request and + response messages are protected by the data security services + established by the StartTLS operation. + +3.1.2. Client Certificate + + If an LDAP server requests or demands that a client provide a user + certificate during TLS negotiation and the client does not present a + suitable user certificate (e.g., one that can be validated), the + server may use a local security policy to determine whether to + successfully complete TLS negotiation. + + If a client that has provided a suitable certificate subsequently + performs a Bind operation using the SASL EXTERNAL authentication + mechanism (Section 5.2.3), information in the certificate may be used + by the server to identify and authenticate the client. + +3.1.3. Server Identity Check + + In order to prevent man-in-the-middle attacks, the client MUST verify + the server's identity (as presented in the server's Certificate + message). In this section, the client's understanding of the + server's identity (typically the identity used to establish the + transport connection) is called the "reference identity". + + The client determines the type (e.g., DNS name or IP address) of the + reference identity and performs a comparison between the reference + identity and each subjectAltName value of the corresponding type + until a match is produced. Once a match is produced, the server's + identity has been verified, and the server identity check is + complete. Different subjectAltName types are matched in different + ways. Sections 3.1.3.1 - 3.1.3.3 explain how to compare values of + various subjectAltName types. + + The client may map the reference identity to a different type prior + to performing a comparison. Mappings may be performed for all + available subjectAltName types to which the reference identity can be + mapped; however, the reference identity should only be mapped to + types for which the mapping is either inherently secure (e.g., + extracting the DNS name from a URI to compare with a subjectAltName + + + +Harrison Standards Track [Page 9] + +RFC 4513 LDAP Authentication Methods June 2006 + + + of type dNSName) or for which the mapping is performed in a secure + manner (e.g., using DNSSEC, or using user- or admin-configured host- + to-address/address-to-host lookup tables). + + The server's identity may also be verified by comparing the reference + identity to the Common Name (CN) [RFC4519] value in the leaf Relative + Distinguished Name (RDN) of the subjectName field of the server's + certificate. This comparison is performed using the rules for + comparison of DNS names in Section 3.1.3.1, below, with the exception + that no wildcard matching is allowed. Although the use of the Common + Name value is existing practice, it is deprecated, and Certification + Authorities are encouraged to provide subjectAltName values instead. + Note that the TLS implementation may represent DNs in certificates + according to X.500 or other conventions. For example, some X.500 + implementations order the RDNs in a DN using a left-to-right (most + significant to least significant) convention instead of LDAP's + right-to-left convention. + + If the server identity check fails, user-oriented clients SHOULD + either notify the user (clients may give the user the opportunity to + continue with the LDAP session in this case) or close the transport + connection and indicate that the server's identity is suspect. + Automated clients SHOULD close the transport connection and then + return or log an error indicating that the server's identity is + suspect or both. + + Beyond the server identity check described in this section, clients + should be prepared to do further checking to ensure that the server + is authorized to provide the service it is requested to provide. The + client may need to make use of local policy information in making + this determination. + +3.1.3.1. Comparison of DNS Names + + If the reference identity is an internationalized domain name, + conforming implementations MUST convert it to the ASCII Compatible + Encoding (ACE) format as specified in Section 4 of RFC 3490 [RFC3490] + before comparison with subjectAltName values of type dNSName. + Specifically, conforming implementations MUST perform the conversion + operation specified in Section 4 of RFC 3490 as follows: + + * in step 1, the domain name SHALL be considered a "stored + string"; + * in step 3, set the flag called "UseSTD3ASCIIRules"; + * in step 4, process each label with the "ToASCII" operation; and + * in step 5, change all label separators to U+002E (full stop). + + + + + +Harrison Standards Track [Page 10] + +RFC 4513 LDAP Authentication Methods June 2006 + + + After performing the "to-ASCII" conversion, the DNS labels and names + MUST be compared for equality according to the rules specified in + Section 3 of RFC3490. + + The '*' (ASCII 42) wildcard character is allowed in subjectAltName + values of type dNSName, and then only as the left-most (least + significant) DNS label in that value. This wildcard matches any + left-most DNS label in the server name. That is, the subject + *.example.com matches the server names a.example.com and + b.example.com, but does not match example.com or a.b.example.com. + +3.1.3.2. Comparison of IP Addresses + + When the reference identity is an IP address, the identity MUST be + converted to the "network byte order" octet string representation + [RFC791][RFC2460]. For IP Version 4, as specified in RFC 791, the + octet string will contain exactly four octets. For IP Version 6, as + specified in RFC 2460, the octet string will contain exactly sixteen + octets. This octet string is then compared against subjectAltName + values of type iPAddress. A match occurs if the reference identity + octet string and value octet strings are identical. + +3.1.3.3. Comparison of Other subjectName Types + + Client implementations MAY support matching against subjectAltName + values of other types as described in other documents. + +3.1.4. Discovery of Resultant Security Level + + After a TLS layer is established in an LDAP session, both parties are + to each independently decide whether or not to continue based on + local policy and the security level achieved. If either party + decides that the security level is inadequate for it to continue, it + SHOULD remove the TLS layer immediately after the TLS (re)negotiation + has completed (see [RFC4511], Section 4.14.3, and Section 3.2 below). + Implementations may reevaluate the security level at any time and, + upon finding it inadequate, should remove the TLS layer. + +3.1.5. Refresh of Server Capabilities Information + + After a TLS layer is established in an LDAP session, the client + SHOULD discard or refresh all information about the server that it + obtained prior to the initiation of the TLS negotiation and that it + did not obtain through secure mechanisms. This protects against + man-in-the-middle attacks that may have altered any server + capabilities information retrieved prior to TLS layer installation. + + + + + +Harrison Standards Track [Page 11] + +RFC 4513 LDAP Authentication Methods June 2006 + + + The server may advertise different capabilities after installing a + TLS layer. In particular, the value of 'supportedSASLMechanisms' may + be different after a TLS layer has been installed (specifically, the + EXTERNAL and PLAIN [PLAIN] mechanisms are likely to be listed only + after a TLS layer has been installed). + +3.2. Effect of TLS on Authorization State + + The establishment, change, and/or closure of TLS may cause the + authorization state to move to a new state. This is discussed + further in Section 4. + +3.3. TLS Ciphersuites + + Several issues should be considered when selecting TLS ciphersuites + that are appropriate for use in a given circumstance. These issues + include the following: + + - The ciphersuite's ability to provide adequate confidentiality + protection for passwords and other data sent over the transport + connection. Client and server implementers should recognize + that some TLS ciphersuites provide no confidentiality + protection, while other ciphersuites that do provide + confidentiality protection may be vulnerable to being cracked + using brute force methods, especially in light of ever- + increasing CPU speeds that reduce the time needed to + successfully mount such attacks. + + - Client and server implementers should carefully consider the + value of the password or data being protected versus the level + of confidentiality protection provided by the ciphersuite to + ensure that the level of protection afforded by the ciphersuite + is appropriate. + + - The ciphersuite's vulnerability (or lack thereof) to man-in-the- + middle attacks. Ciphersuites vulnerable to man-in-the-middle + attacks SHOULD NOT be used to protect passwords or sensitive + data, unless the network configuration is such that the danger + of a man-in-the-middle attack is negligible. + + - After a TLS negotiation (either initial or subsequent) is + completed, both protocol peers should independently verify that + the security services provided by the negotiated ciphersuite are + adequate for the intended use of the LDAP session. If they are + not, the TLS layer should be closed. + + + + + + +Harrison Standards Track [Page 12] + +RFC 4513 LDAP Authentication Methods June 2006 + + +4. Authorization State + + Every LDAP session has an associated authorization state. This state + is comprised of numerous factors such as what (if any) authentication + state has been established, how it was established, and what security + services are in place. Some factors may be determined and/or + affected by protocol events (e.g., Bind, StartTLS, or TLS closure), + and some factors may be determined by external events (e.g., time of + day or server load). + + While it is often convenient to view authorization state in + simplistic terms (as we often do in this technical specification) + such as "an anonymous state", it is noted that authorization systems + in LDAP implementations commonly involve many factors that + interrelate in complex manners. + + Authorization in LDAP is a local matter. One of the key factors in + making authorization decisions is authorization identity. The Bind + operation (defined in Section 4.2 of [RFC4511] and discussed further + in Section 5 below) allows information to be exchanged between the + client and server to establish an authorization identity for the LDAP + session. The Bind operation may also be used to move the LDAP + session to an anonymous authorization state (see Section 5.1.1). + + Upon initial establishment of the LDAP session, the session has an + anonymous authorization identity. Among other things this implies + that the client need not send a BindRequest in the first PDU of the + LDAP message layer. The client may send any operation request prior + to performing a Bind operation, and the server MUST treat it as if it + had been performed after an anonymous Bind operation (Section 5.1.1). + + Upon receipt of a Bind request, the server immediately moves the + session to an anonymous authorization state. If the Bind request is + successful, the session is moved to the requested authentication + state with its associated authorization state. Otherwise, the + session remains in an anonymous state. + + It is noted that other events both internal and external to LDAP may + result in the authentication and authorization states being moved to + an anonymous one. For instance, the establishment, change, or + closure of data security services may result in a move to an + anonymous state, or the user's credential information (e.g., + certificate) may have expired. The former is an example of an event + internal to LDAP, whereas the latter is an example of an event + external to LDAP. + + + + + + +Harrison Standards Track [Page 13] + +RFC 4513 LDAP Authentication Methods June 2006 + + +5. Bind Operation + + The Bind operation ([RFC4511], Section 4.2) allows authentication + information to be exchanged between the client and server to + establish a new authorization state. + + The Bind request typically specifies the desired authentication + identity. Some Bind mechanisms also allow the client to specify the + authorization identity. If the authorization identity is not + specified, the server derives it from the authentication identity in + an implementation-specific manner. + + If the authorization identity is specified, the server MUST verify + that the client's authentication identity is permitted to assume + (e.g., proxy for) the asserted authorization identity. The server + MUST reject the Bind operation with an invalidCredentials resultCode + in the Bind response if the client is not so authorized. + +5.1. Simple Authentication Method + + The simple authentication method of the Bind Operation provides three + authentication mechanisms: + + - An anonymous authentication mechanism (Section 5.1.1). + + - An unauthenticated authentication mechanism (Section 5.1.2). + + - A name/password authentication mechanism using credentials + consisting of a name (in the form of an LDAP distinguished name + [RFC4514]) and a password (Section 5.1.3). + +5.1.1. Anonymous Authentication Mechanism of Simple Bind + + An LDAP client may use the anonymous authentication mechanism of the + simple Bind method to explicitly establish an anonymous authorization + state by sending a Bind request with a name value of zero length and + specifying the simple authentication choice containing a password + value of zero length. + +5.1.2. Unauthenticated Authentication Mechanism of Simple Bind + + An LDAP client may use the unauthenticated authentication mechanism + of the simple Bind method to establish an anonymous authorization + state by sending a Bind request with a name value (a distinguished + name in LDAP string form [RFC4514] of non-zero length) and specifying + the simple authentication choice containing a password value of zero + length. + + + + +Harrison Standards Track [Page 14] + +RFC 4513 LDAP Authentication Methods June 2006 + + + The distinguished name value provided by the client is intended to be + used for trace (e.g., logging) purposes only. The value is not to be + authenticated or otherwise validated (including verification that the + DN refers to an existing directory object). The value is not to be + used (directly or indirectly) for authorization purposes. + + Unauthenticated Bind operations can have significant security issues + (see Section 6.3.1). In particular, users intending to perform + Name/Password Authentication may inadvertently provide an empty + password and thus cause poorly implemented clients to request + Unauthenticated access. Clients SHOULD be implemented to require + user selection of the Unauthenticated Authentication Mechanism by + means other than user input of an empty password. Clients SHOULD + disallow an empty password input to a Name/Password Authentication + user interface. Additionally, Servers SHOULD by default fail + Unauthenticated Bind requests with a resultCode of + unwillingToPerform. + +5.1.3. Name/Password Authentication Mechanism of Simple Bind + + An LDAP client may use the name/password authentication mechanism of + the simple Bind method to establish an authenticated authorization + state by sending a Bind request with a name value (a distinguished + name in LDAP string form [RFC4514] of non-zero length) and specifying + the simple authentication choice containing an OCTET STRING password + value of non-zero length. + + Servers that map the DN sent in the Bind request to a directory entry + with an associated set of one or more passwords used with this + mechanism will compare the presented password to that set of + passwords. The presented password is considered valid if it matches + any member of this set. + + A resultCode of invalidDNSyntax indicates that the DN sent in the + name value is syntactically invalid. A resultCode of + invalidCredentials indicates that the DN is syntactically correct but + not valid for purposes of authentication, that the password is not + valid for the DN, or that the server otherwise considers the + credentials invalid. A resultCode of success indicates that the + credentials are valid and that the server is willing to provide + service to the entity these credentials identify. + + Server behavior is undefined for Bind requests specifying the + name/password authentication mechanism with a zero-length name value + and a password value of non-zero length. + + + + + + +Harrison Standards Track [Page 15] + +RFC 4513 LDAP Authentication Methods June 2006 + + + The name/password authentication mechanism of the simple Bind method + is not suitable for authentication in environments without + confidentiality protection. + +5.2. SASL Authentication Method + + The sasl authentication method of the Bind Operation provides + facilities for using any SASL mechanism including authentication + mechanisms and other services (e.g., data security services). + +5.2.1. SASL Protocol Profile + + LDAP allows authentication via any SASL mechanism [RFC4422]. As LDAP + includes native anonymous and name/password (plain text) + authentication methods, the ANONYMOUS [RFC4505] and PLAIN [PLAIN] + SASL mechanisms are typically not used with LDAP. + + Each protocol that utilizes SASL services is required to supply + certain information profiling the way they are exposed through the + protocol ([RFC4422], Section 4). This section explains how each of + these profiling requirements is met by LDAP. + +5.2.1.1. SASL Service Name for LDAP + + The SASL service name for LDAP is "ldap", which has been registered + with the IANA as a SASL service name. + +5.2.1.2. SASL Authentication Initiation and Protocol Exchange + + SASL authentication is initiated via a BindRequest message + ([RFC4511], Section 4.2) with the following parameters: + + - The version is 3. + - The AuthenticationChoice is sasl. + - The mechanism element of the SaslCredentials sequence contains + the value of the desired SASL mechanism. + - The optional credentials field of the SaslCredentials sequence + MAY be used to provide an initial client response for mechanisms + that are defined to have the client send data first (see + [RFC4422], Sections 3 and 5). + + In general, a SASL authentication protocol exchange consists of a + series of server challenges and client responses, the contents of + which are specific to and defined by the SASL mechanism. Thus, for + some SASL authentication mechanisms, it may be necessary for the + client to respond to one or more server challenges by sending + BindRequest messages multiple times. A challenge is indicated by the + server sending a BindResponse message with the resultCode set to + + + +Harrison Standards Track [Page 16] + +RFC 4513 LDAP Authentication Methods June 2006 + + + saslBindInProgress. This indicates that the server requires the + client to send a new BindRequest message with the same SASL mechanism + to continue the authentication process. + + To the LDAP message layer, these challenges and responses are opaque + binary tokens of arbitrary length. LDAP servers use the + serverSaslCreds field (an OCTET STRING) in a BindResponse message to + transmit each challenge. LDAP clients use the credentials field (an + OCTET STRING) in the SaslCredentials sequence of a BindRequest + message to transmit each response. Note that unlike some Internet + protocols where SASL is used, LDAP is not text based and does not + Base64-transform these challenge and response values. + + Clients sending a BindRequest message with the sasl choice selected + SHOULD send a zero-length value in the name field. Servers receiving + a BindRequest message with the sasl choice selected SHALL ignore any + value in the name field. + + A client may abort a SASL Bind negotiation by sending a BindRequest + message with a different value in the mechanism field of + SaslCredentials or with an AuthenticationChoice other than sasl. + + If the client sends a BindRequest with the sasl mechanism field as an + empty string, the server MUST return a BindResponse with a resultCode + of authMethodNotSupported. This will allow the client to abort a + negotiation if it wishes to try again with the same SASL mechanism. + + The server indicates completion of the SASL challenge-response + exchange by responding with a BindResponse in which the resultCode + value is not saslBindInProgress. + + The serverSaslCreds field in the BindResponse can be used to include + an optional challenge with a success notification for mechanisms that + are defined to have the server send additional data along with the + indication of successful completion. + +5.2.1.3. Optional Fields + + As discussed above, LDAP provides an optional field for carrying an + initial response in the message initiating the SASL exchange and + provides an optional field for carrying additional data in the + message indicating the outcome of the authentication exchange. As + the mechanism-specific content in these fields may be zero length, + SASL requires protocol specifications to detail how an empty field is + distinguished from an absent field. + + + + + + +Harrison Standards Track [Page 17] + +RFC 4513 LDAP Authentication Methods June 2006 + + + Zero-length initial response data is distinguished from no initial + response data in the initiating message, a BindRequest PDU, by the + presence of the SaslCredentials.credentials OCTET STRING (of length + zero) in that PDU. If the client does not intend to send an initial + response with the BindRequest initiating the SASL exchange, it MUST + omit the SaslCredentials.credentials OCTET STRING (rather than + include an zero-length OCTET STRING). + + Zero-length additional data is distinguished from no additional + response data in the outcome message, a BindResponse PDU, by the + presence of the serverSaslCreds OCTET STRING (of length zero) in that + PDU. If a server does not intend to send additional data in the + BindResponse message indicating outcome of the exchange, the server + SHALL omit the serverSaslCreds OCTET STRING (rather than including a + zero-length OCTET STRING). + +5.2.1.4. Octet Where Negotiated Security Layers Take Effect + + SASL layers take effect following the transmission by the server and + reception by the client of the final BindResponse in the SASL + exchange with a resultCode of success. + + Once a SASL layer providing data integrity or confidentiality + services takes effect, the layer remains in effect until a new layer + is installed (i.e., at the first octet following the final + BindResponse of the Bind operation that caused the new layer to take + effect). Thus, an established SASL layer is not affected by a failed + or non-SASL Bind. + +5.2.1.5. Determination of Supported SASL Mechanisms + + Clients may determine the SASL mechanisms a server supports by + reading the 'supportedSASLMechanisms' attribute from the root DSE + (DSA-Specific Entry) ([RFC4512], Section 5.1). The values of this + attribute, if any, list the mechanisms the server supports in the + current LDAP session state. LDAP servers SHOULD allow all clients -- + even those with an anonymous authorization -- to retrieve the + 'supportedSASLMechanisms' attribute of the root DSE both before and + after the SASL authentication exchange. The purpose of the latter is + to allow the client to detect possible downgrade attacks (see Section + 6.4 and [RFC4422], Section 6.1.2). + + Because SASL mechanisms provide critical security functions, clients + and servers should be configurable to specify what mechanisms are + acceptable and allow only those mechanisms to be used. Both clients + and servers must confirm that the negotiated security level meets + their requirements before proceeding to use the session. + + + + +Harrison Standards Track [Page 18] + +RFC 4513 LDAP Authentication Methods June 2006 + + +5.2.1.6. Rules for Using SASL Layers + + Upon installing a SASL layer, the client SHOULD discard or refresh + all information about the server that it obtained prior to the + initiation of the SASL negotiation and that it did not obtain through + secure mechanisms. + + If a lower-level security layer (such as TLS) is installed, any SASL + layer SHALL be layered on top of such security layers regardless of + the order of their negotiation. In all other respects, the SASL + layer and other security layers act independently, e.g., if both a + TLS layer and a SASL layer are in effect, then removing the TLS layer + does not affect the continuing service of the SASL layer. + +5.2.1.7. Support for Multiple Authentications + + LDAP supports multiple SASL authentications as defined in [RFC4422], + Section 4. + +5.2.1.8. SASL Authorization Identities + + Some SASL mechanisms allow clients to request a desired authorization + identity for the LDAP session ([RFC4422], Section 3.4). The decision + to allow or disallow the current authentication identity to have + access to the requested authorization identity is a matter of local + policy. The authorization identity is a string of UTF-8 [RFC3629] + encoded [Unicode] characters corresponding to the following Augmented + Backus-Naur Form (ABNF) [RFC4234] grammar: + + authzId = dnAuthzId / uAuthzId + + ; distinguished-name-based authz id + dnAuthzId = "dn:" distinguishedName + + ; unspecified authorization id, UTF-8 encoded + uAuthzId = "u:" userid + userid = *UTF8 ; syntax unspecified + + where the distinguishedName rule is defined in Section 3 of [RFC4514] + and the UTF8 rule is defined in Section 1.4 of [RFC4512]. + + The dnAuthzId choice is used to assert authorization identities in + the form of a distinguished name to be matched in accordance with the + distinguishedNameMatch matching rule ([RFC4517], Section 4.2.15). + There is no requirement that the asserted distinguishedName value be + that of an entry in the directory. + + + + + +Harrison Standards Track [Page 19] + +RFC 4513 LDAP Authentication Methods June 2006 + + + The uAuthzId choice allows clients to assert an authorization + identity that is not in distinguished name form. The format of + userid is defined only as a sequence of UTF-8 [RFC3629] encoded + [Unicode] characters, and any further interpretation is a local + matter. For example, the userid could identify a user of a specific + directory service, be a login name, or be an email address. A + uAuthzId SHOULD NOT be assumed to be globally unique. To compare + uAuthzId values, each uAuthzId value MUST be prepared as a "query" + string ([RFC3454], Section 7) using the SASLprep [RFC4013] algorithm, + and then the two values are compared octet-wise. + + The above grammar is extensible. The authzId production may be + extended to support additional forms of identities. Each form is + distinguished by its unique prefix (see Section 3.12 of [RFC4520] for + registration requirements). + +5.2.2. SASL Semantics within LDAP + + Implementers must take care to maintain the semantics of SASL + specifications when handling data that has different semantics in the + LDAP protocol. + + For example, the SASL DIGEST-MD5 authentication mechanism + [DIGEST-MD5] utilizes an authentication identity and a realm that are + syntactically simple strings and semantically simple username + [RFC4013] and realm values. These values are not LDAP DNs, and there + is no requirement that they be represented or treated as such. + +5.2.3. SASL EXTERNAL Authentication Mechanism + + A client can use the SASL EXTERNAL ([RFC4422], Appendix A) mechanism + to request the LDAP server to authenticate and establish a resulting + authorization identity using security credentials exchanged by a + lower security layer (such as by TLS authentication). If the + client's authentication credentials have not been established at a + lower security layer, the SASL EXTERNAL Bind MUST fail with a + resultCode of inappropriateAuthentication. Although this situation + has the effect of leaving the LDAP session in an anonymous state + (Section 4), the state of any installed security layer is unaffected. + + A client may either request that its authorization identity be + automatically derived from its authentication credentials exchanged + at a lower security layer, or it may explicitly provide a desired + authorization identity. The former is known as an implicit + assertion, and the latter as an explicit assertion. + + + + + + +Harrison Standards Track [Page 20] + +RFC 4513 LDAP Authentication Methods June 2006 + + +5.2.3.1. Implicit Assertion + + An implicit authorization identity assertion is performed by invoking + a Bind request of the SASL form using the EXTERNAL mechanism name + that does not include the optional credentials field (found within + the SaslCredentials sequence in the BindRequest). The server will + derive the client's authorization identity from the authentication + identity supplied by a security layer (e.g., a public key certificate + used during TLS layer installation) according to local policy. The + underlying mechanics of how this is accomplished are implementation + specific. + +5.2.3.2. Explicit Assertion + + An explicit authorization identity assertion is performed by invoking + a Bind request of the SASL form using the EXTERNAL mechanism name + that includes the credentials field (found within the SaslCredentials + sequence in the BindRequest). The value of the credentials field (an + OCTET STRING) is the asserted authorization identity and MUST be + constructed as documented in Section 5.2.1.8. + +6. Security Considerations + + Security issues are discussed throughout this document. The + unsurprising conclusion is that security is an integral and necessary + part of LDAP. This section discusses a number of LDAP-related + security considerations. + +6.1. General LDAP Security Considerations + + LDAP itself provides no security or protection from accessing or + updating the directory by means other than through the LDAP protocol, + e.g., from inspection of server database files by database + administrators. + + Sensitive data may be carried in almost any LDAP message, and its + disclosure may be subject to privacy laws or other legal regulation + in many countries. Implementers should take appropriate measures to + protect sensitive data from disclosure to unauthorized entities. + + A session on which the client has not established data integrity and + privacy services (e.g., via StartTLS, IPsec, or a suitable SASL + mechanism) is subject to man-in-the-middle attacks to view and modify + information in transit. Client and server implementers SHOULD take + measures to protect sensitive data in the LDAP session from these + attacks by using data protection services as discussed in this + document. Clients and servers should provide the ability to be + configured to require these protections. A resultCode of + + + +Harrison Standards Track [Page 21] + +RFC 4513 LDAP Authentication Methods June 2006 + + + confidentialityRequired indicates that the server requires + establishment of (stronger) data confidentiality protection in order + to perform the requested operation. + + Access control should always be applied when reading sensitive + information or updating directory information. + + Various security factors, including authentication and authorization + information and data security services may change during the course + of the LDAP session, or even during the performance of a particular + operation. Implementations should be robust in the handling of + changing security factors. + +6.2. StartTLS Security Considerations + + All security gained via use of the StartTLS operation is gained by + the use of TLS itself. The StartTLS operation, on its own, does not + provide any additional security. + + The level of security provided through the use of TLS depends + directly on both the quality of the TLS implementation used and the + style of usage of that implementation. Additionally, a man-in-the- + middle attacker can remove the StartTLS extended operation from the + 'supportedExtension' attribute of the root DSE. Both parties SHOULD + independently ascertain and consent to the security level achieved + once TLS is established and before beginning use of the TLS- + protected session. For example, the security level of the TLS layer + might have been negotiated down to plaintext. + + Clients MUST either warn the user when the security level achieved + does not provide an acceptable level of data confidentiality and/or + data integrity protection, or be configurable to refuse to proceed + without an acceptable level of security. + + As stated in Section 3.1.2, a server may use a local security policy + to determine whether to successfully complete TLS negotiation. + Information in the user's certificate that is originated or verified + by the certification authority should be used by the policy + administrator when configuring the identification and authorization + policy. + + Server implementers SHOULD allow server administrators to elect + whether and when data confidentiality and integrity are required, as + well as elect whether authentication of the client during the TLS + handshake is required. + + Implementers should be aware of and understand TLS security + considerations as discussed in the TLS specification [RFC4346]. + + + +Harrison Standards Track [Page 22] + +RFC 4513 LDAP Authentication Methods June 2006 + + +6.3. Bind Operation Security Considerations + + This section discusses several security considerations relevant to + LDAP authentication via the Bind operation. + +6.3.1. Unauthenticated Mechanism Security Considerations + + Operational experience shows that clients can (and frequently do) + misuse the unauthenticated authentication mechanism of the simple + Bind method (see Section 5.1.2). For example, a client program might + make a decision to grant access to non-directory information on the + basis of successfully completing a Bind operation. LDAP server + implementations may return a success response to an unauthenticated + Bind request. This may erroneously leave the client with the + impression that the server has successfully authenticated the + identity represented by the distinguished name when in reality, an + anonymous authorization state has been established. Clients that use + the results from a simple Bind operation to make authorization + decisions should actively detect unauthenticated Bind requests (by + verifying that the supplied password is not empty) and react + appropriately. + +6.3.2. Name/Password Mechanism Security Considerations + + The name/password authentication mechanism of the simple Bind method + discloses the password to the server, which is an inherent security + risk. There are other mechanisms, such as SASL DIGEST-MD5 + [DIGEST-MD5], that do not disclose the password to the server. + +6.3.3. Password-Related Security Considerations + + LDAP allows multi-valued password attributes. In systems where + entries are expected to have one and only one password, + administrative controls should be provided to enforce this behavior. + + The use of clear text passwords and other unprotected authentication + credentials is strongly discouraged over open networks when the + underlying transport service cannot guarantee confidentiality. LDAP + implementations SHOULD NOT by default support authentication methods + using clear text passwords and other unprotected authentication + credentials unless the data on the session is protected using TLS or + other data confidentiality and data integrity protection. + + The transmission of passwords in the clear -- typically for + authentication or modification -- poses a significant security risk. + This risk can be avoided by using SASL authentication [RFC4422] + + + + + +Harrison Standards Track [Page 23] + +RFC 4513 LDAP Authentication Methods June 2006 + + + mechanisms that do not transmit passwords in the clear or by + negotiating transport or session layer data confidentiality services + before transmitting password values. + + To mitigate the security risks associated with the transfer of + passwords, a server implementation that supports any password-based + authentication mechanism that transmits passwords in the clear MUST + support a policy mechanism that at the time of authentication or + password modification, requires that: + + A TLS layer has been successfully installed. + + OR + + Some other data confidentiality mechanism that protects the + password value from eavesdropping has been provided. + + OR + + The server returns a resultCode of confidentialityRequired for + the operation (i.e., name/password Bind with password value, + SASL Bind transmitting a password value in the clear, add or + modify including a userPassword value, etc.), even if the + password value is correct. + + Server implementations may also want to provide policy mechanisms to + invalidate or otherwise protect accounts in situations where a server + detects that a password for an account has been transmitted in the + clear. + +6.3.4. Hashed Password Security Considerations + + Some authentication mechanisms (e.g., DIGEST-MD5) transmit a hash of + the password value that may be vulnerable to offline dictionary + attacks. Implementers should take care to protect such hashed + password values during transmission using TLS or other + confidentiality mechanisms. + +6.4. SASL Security Considerations + + Until data integrity service is installed on an LDAP session, an + attacker can modify the transmitted values of the + 'supportedSASLMechanisms' attribute response and thus downgrade the + list of available SASL mechanisms to include only the least secure + mechanism. To detect this type of attack, the client may retrieve + the SASL mechanisms the server makes available both before and after + data integrity service is installed on an LDAP session. If the + client finds that the integrity-protected list (the list obtained + + + +Harrison Standards Track [Page 24] + +RFC 4513 LDAP Authentication Methods June 2006 + + + after data integrity service was installed) contains a stronger + mechanism than those in the previously obtained list, the client + should assume the previously obtained list was modified by an + attacker. In this circumstance it is recommended that the client + close the underlying transport connection and then reconnect to + reestablish the session. + +6.5. Related Security Considerations + + Additional security considerations relating to the various + authentication methods and mechanisms discussed in this document + apply and can be found in [RFC4422], [RFC4013], [RFC3454], and + [RFC3629]. + +7. IANA Considerations + + The IANA has updated the LDAP Protocol Mechanism registry to indicate + that this document and [RFC4511] provide the definitive technical + specification for the StartTLS (1.3.6.1.4.1.1466.20037) extended + operation. + + The IANA has updated the LDAP LDAPMessage types registry to indicate + that this document and [RFC4511] provide the definitive technical + specification for the bindRequest (0) and bindResponse (1) message + types. + + The IANA has updated the LDAP Bind Authentication Method registry to + indicate that this document and [RFC4511] provide the definitive + technical specification for the simple (0) and sasl (3) bind + authentication methods. + + The IANA has updated the LDAP authzid prefixes registry to indicate + that this document provides the definitive technical specification + for the dnAuthzId (dn:) and uAuthzId (u:) authzid prefixes. + +8. Acknowledgements + + This document combines information originally contained in RFC 2251, + RFC 2829, and RFC 2830. RFC 2251 was a product of the Access, + Searching, and Indexing of Directories (ASID) Working Group. RFC + 2829 and RFC 2830 were products of the LDAP Extensions (LDAPEXT) + Working Group. + + This document is a product of the IETF LDAP Revision (LDAPBIS) + working group. + + + + + + +Harrison Standards Track [Page 25] + +RFC 4513 LDAP Authentication Methods June 2006 + + +9. Normative References + + [RFC791] Postel, J., "Internet Protocol", STD 5, RFC 791, + September 1981. + + [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate + Requirement Levels", BCP 14, RFC 2119, March 1997. + + [RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6 + (IPv6) Specification", RFC 2460, December 1998. + + [RFC3454] Hoffman, P. and M. Blanchet, "Preparation of + Internationalized Strings ("stringprep")", RFC 3454, + December 2002. + + [RFC3490] Faltstrom, P., Hoffman, P., and A. Costello, + "Internationalizing Domain Names in Applications + (IDNA)", RFC 3490, March 2003. + + [RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO + 10646", STD 63, RFC 3629, November 2003. + + [RFC4013] Zeilenga, K., "SASLprep: Stringprep Profile for User + Names and Passwords", RFC 4013, February 2005. + + [RFC4234] Crocker, D. and P. Overell, "Augmented BNF for Syntax + Specifications: ABNF", RFC 4234, October 2005. + + [RFC4346] Dierks, T. and E. Rescorla, "The TLS Protocol Version + 1.1", RFC 4346, March 2006. + + [RFC4422] Melnikov, A., Ed. and K. Zeilenga, Ed., "Simple + Authentication and Security Layer (SASL)", RFC 4422, + June 2006. + + [RFC4510] Zeilenga, K., Ed., "Lightweight Directory Access + Protocol (LDAP): Technical Specification Road Map", RFC + 4510, June 2006. + + [RFC4511] Sermersheim, J., Ed., "Lightweight Directory Access + Protocol (LDAP): The Protocol", RFC 4511, June 2006. + + [RFC4512] Zeilenga, K., "Lightweight Directory Access Protocol + (LDAP): Directory Information Models", RFC 4512, June + 2006. + + + + + + +Harrison Standards Track [Page 26] + +RFC 4513 LDAP Authentication Methods June 2006 + + + [RFC4514] Zeilenga, K., Ed., "Lightweight Directory Access + Protocol (LDAP): String Representation of Distinguished + Names", RFC 4514, June 2006. + + [RFC4517] Legg, S., Ed., "Lightweight Directory Access Protocol + (LDAP): Syntaxes and Matching Rules", RFC 4517, June + 2006. + + [RFC4519] Sciberras, A., Ed., "Lightweight Directory Access + Protocol (LDAP): Schema for User Applications", RFC + 4519, June 2006. + + [RFC4520] Zeilenga, K., "Internet Assigned Numbers Authority + (IANA) Considerations for the Lightweight Directory + Access Protocol (LDAP)", BCP 64, RFC 4520, June 2006. + + [Unicode] The Unicode Consortium, "The Unicode Standard, Version + 3.2.0" is defined by "The Unicode Standard, Version 3.0" + (Reading, MA, Addison-Wesley, 2000. ISBN 0-201-61633- + 5), as amended by the "Unicode Standard Annex #27: + Unicode 3.1" (http://www.unicode.org/reports/tr27/) and + by the "Unicode Standard Annex #28: Unicode 3.2" + (http://www.unicode.org/reports/tr28/). + + [X.501] ITU-T Rec. X.501, "The Directory: Models", 1993. + +10. Informative References + + [DIGEST-MD5] Leach, P., Newman, C., and A. Melnikov, "Using Digest + Authentication as a SASL Mechanism", Work in Progress, + March 2006. + + [PLAIN] Zeilenga, K., "The Plain SASL Mechanism", Work in + Progress, March 2005. + + [RFC2828] Shirey, R., "Internet Security Glossary", FYI 36, RFC + 2828, May 2000. + + [RFC4301] Kent, S. and K. Seo, "Security Architecture for the + Internet Protocol", RFC 4301, December 2005. + + [RFC4505] Zeilenga, K., "The Anonymous SASL Mechanism", RFC 4505, + June 2006. + + + + + + + + +Harrison Standards Track [Page 27] + +RFC 4513 LDAP Authentication Methods June 2006 + + +Appendix A. Authentication and Authorization Concepts + + This appendix is non-normative. + + This appendix defines basic terms, concepts, and interrelationships + regarding authentication, authorization, credentials, and identity. + These concepts are used in describing how various security approaches + are utilized in client authentication and authorization. + +A.1. Access Control Policy + + An access control policy is a set of rules defining the protection of + resources, generally in terms of the capabilities of persons or other + entities accessing those resources. Security objects and mechanisms, + such as those described here, enable the expression of access control + policies and their enforcement. + +A.2. Access Control Factors + + A request, when it is being processed by a server, may be associated + with a wide variety of security-related factors. The server uses + these factors to determine whether and how to process the request. + These are called access control factors (ACFs). They might include + source IP address, encryption strength, the type of operation being + requested, time of day, etc.. Some factors may be specific to the + request itself; others may be associated with the transport + connection via which the request is transmitted; and others (e.g., + time of day) may be "environmental". + + Access control policies are expressed in terms of access control + factors; for example, "a request having ACFs i,j,k can perform + operation Y on resource Z". The set of ACFs that a server makes + available for such expressions is implementation specific. + +A.3. Authentication, Credentials, Identity + + Authentication credentials are the evidence supplied by one party to + another, asserting the identity of the supplying party (e.g., a user) + who is attempting to establish a new authorization state with the + other party (typically a server). Authentication is the process of + generating, transmitting, and verifying these credentials and thus + the identity they assert. An authentication identity is the name + presented in a credential. + + There are many forms of authentication credentials. The form used + depends upon the particular authentication mechanism negotiated by + the parties. X.509 certificates, Kerberos tickets, and simple + identity and password pairs are all examples of authentication + + + +Harrison Standards Track [Page 28] + +RFC 4513 LDAP Authentication Methods June 2006 + + + credential forms. Note that an authentication mechanism may + constrain the form of authentication identities used with it. + +A.4. Authorization Identity + + An authorization identity is one kind of access control factor. It + is the name of the user or other entity that requests that operations + be performed. Access control policies are often expressed in terms + of authorization identities; for example, "entity X can perform + operation Y on resource Z". + + The authorization identity of an LDAP session is often semantically + the same as the authentication identity presented by the client, but + it may be different. SASL allows clients to specify an authorization + identity distinct from the authentication identity asserted by the + client's credentials. This permits agents such as proxy servers to + authenticate using their own credentials, yet request the access + privileges of the identity for which they are proxying [RFC4422]. + Also, the form of authentication identity supplied by a service like + TLS may not correspond to the authorization identities used to + express a server's access control policy, thus requiring a server- + specific mapping to be done. The method by which a server composes + and validates an authorization identity from the authentication + credentials supplied by a client is implementation specific. + +Appendix B. Summary of Changes + + This appendix is non-normative. + + This appendix summarizes substantive changes made to RFC 2251, RFC + 2829 and RFC 2830. In addition to the specific changes detailed + below, the reader of this document should be aware that numerous + general editorial changes have been made to the original content from + the source documents. These changes include the following: + + - The material originally found in RFC 2251 Sections 4.2.1 and 4.2.2, + RFC 2829 (all sections except Sections 2 and 4), and RFC 2830 was + combined into a single document. + + - The combined material was substantially reorganized and edited to + group related subjects, improve the document flow, and clarify + intent. + + - Changes were made throughout the text to align with definitions of + LDAP protocol layers and IETF security terminology. + + + + + + +Harrison Standards Track [Page 29] + +RFC 4513 LDAP Authentication Methods June 2006 + + + - Substantial updates and additions were made to security + considerations from both documents based on current operational + experience. + +B.1. Changes Made to RFC 2251 + + This section summarizes the substantive changes made to Sections + 4.2.1 and 4.2.2 of RFC 2251 by this document. Additional substantive + changes to Section 4.2.1 of RFC 2251 are also documented in + [RFC4511]. + +B.1.1. Section 4.2.1 ("Sequencing of the Bind Request") + + - Paragraph 1: Removed the sentence, "If at any stage the client + wishes to abort the bind process it MAY unbind and then drop the + underlying connection". The Unbind operation still permits this + behavior, but it is not documented explicitly. + + - Clarified that the session is moved to an anonymous state upon + receipt of the BindRequest PDU and that it is only moved to a non- + anonymous state if and when the Bind request is successful. + +B.1.2. Section 4.2.2 ("Authentication and Other Security Services") + + - RFC 2251 states that anonymous authentication MUST be performed + using the simple bind method. This specification defines the + anonymous authentication mechanism of the simple bind method and + requires all conforming implementations to support it. Other + authentication mechanisms producing anonymous authentication and + authorization state may also be implemented and used by conforming + implementations. + +B.2. Changes Made to RFC 2829 + + This section summarizes the substantive changes made to RFC 2829. + +B.2.1. Section 4 ("Required security mechanisms") + + - The name/password authentication mechanism (see Section B.2.5 + below) protected by TLS replaces the SASL DIGEST-MD5 mechanism as + LDAP's mandatory-to-implement password-based authentication + mechanism. Implementations are encouraged to continue supporting + SASL DIGEST-MD5 [DIGEST-MD5]. + + + + + + + + +Harrison Standards Track [Page 30] + +RFC 4513 LDAP Authentication Methods June 2006 + + +B.2.2. Section 5.1 ("Anonymous authentication procedure") + + - Clarified that anonymous authentication involves a name value of + zero length and a password value of zero length. The + unauthenticated authentication mechanism was added to handle simple + Bind requests involving a name value with a non-zero length and a + password value of zero length. + +B.2.3. Section 6 ("Password-based authentication") + + - See Section B.2.1. + +B.2.4. Section 6.1 ("Digest authentication") + + - As the SASL-DIGEST-MD5 mechanism is no longer mandatory to + implement, this section is now historical and was not included in + this document. RFC 2829, Section 6.1, continues to document the + SASL DIGEST-MD5 authentication mechanism. + +B.2.5. Section 6.2 ("'simple' authentication choice under TLS + encryption") + + - Renamed the "simple" authentication mechanism to the name/password + authentication mechanism to better describe it. + + - The use of TLS was generalized to align with definitions of LDAP + protocol layers. TLS establishment is now discussed as an + independent subject and is generalized for use with all + authentication mechanisms and other security layers. + + - Removed the implication that the userPassword attribute is the sole + location for storage of password values to be used in + authentication. There is no longer any implied requirement for how + or where passwords are stored at the server for use in + authentication. + +B.2.6. Section 6.3 ("Other authentication choices with TLS") + + - See Section B.2.5. + +B.2.7. Section 7.1 ("Certificate-based authentication with TLS") + + - See Section B.2.5. + + + + + + + + +Harrison Standards Track [Page 31] + +RFC 4513 LDAP Authentication Methods June 2006 + + +B.2.8. Section 8 ("Other mechanisms") + + - All SASL authentication mechanisms are explicitly allowed within + LDAP. Specifically, this means the SASL ANONYMOUS and SASL PLAIN + mechanisms are no longer precluded from use within LDAP. + +B.2.9. Section 9 ("Authorization Identity") + + - Specified matching rules for dnAuthzId and uAuthzId values. In + particular, the DN value in the dnAuthzId form must be matched + using DN matching rules, and the uAuthzId value MUST be prepared + using SASLprep rules before being compared octet-wise. + + - Clarified that uAuthzId values should not be assumed to be globally + unique. + +B.2.10. Section 10 ("TLS Ciphersuites") + + - TLS ciphersuite recommendations are no longer included in this + specification. Implementations must now support the + TLS_RSA_WITH_3DES_EDE_CBC_SHA ciphersuite and should continue to + support the TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA ciphersuite. + + - Clarified that anonymous authentication involves a name value of + zero length and a password value of zero length. The + unauthenticated authentication mechanism was added to handle simple + Bind requests involving a name value with a non-zero length and a + password value of zero length. + +B.3. Changes Made to RFC 2830 + + This section summarizes the substantive changes made to Sections 3 + and 5 of RFC 2830. Readers should consult [RFC4511] for summaries of + changes to other sections. + +B.3.1. Section 3.6 ("Server Identity Check") + + - Substantially updated the server identity check algorithm to ensure + that it is complete and robust. In particular, the use of all + relevant values in the subjectAltName and the subjectName fields + are covered by the algorithm and matching rules are specified for + each type of value. Mapped (derived) forms of the server identity + may now be used when the mapping is performed in a secure fashion. + + + + + + + + +Harrison Standards Track [Page 32] + +RFC 4513 LDAP Authentication Methods June 2006 + + +B.3.2. Section 3.7 ("Refresh of Server Capabilities Information") + + - Clients are no longer required to always refresh information about + server capabilities following TLS establishment. This is to allow + for situations where this information was obtained through a secure + mechanism. + +B.3.3. Section 5 ("Effects of TLS on a Client's Authorization + Identity") + + - Establishing a TLS layer on an LDAP session may now cause the + authorization state of the LDAP session to change. + +B.3.4. Section 5.2 ("TLS Connection Closure Effects") + + - Closing a TLS layer on an LDAP session changes the authentication + and authorization state of the LDAP session based on local policy. + Specifically, this means that implementations are not required to + change the authentication and authorization states to anonymous + upon TLS closure. + + - Replaced references to RFC 2401 with RFC 4301. + +Author's Address + + Roger Harrison + Novell, Inc. + 1800 S. Novell Place + Provo, UT 84606 + USA + + Phone: +1 801 861 2642 + EMail: roger_harrison@novell.com + + + + + + + + + + + + + + + + + + +Harrison Standards Track [Page 33] + +RFC 4513 LDAP Authentication Methods June 2006 + + +Full Copyright Statement + + Copyright (C) The Internet Society (2006). + + This document is subject to the rights, licenses and restrictions + contained in BCP 78, and except as set forth therein, the authors + retain all their rights. + + This document and the information contained herein are provided on an + "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS + OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET + ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, + INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE + INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED + WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. + +Intellectual Property + + The IETF takes no position regarding the validity or scope of any + Intellectual Property Rights or other rights that might be claimed to + pertain to the implementation or use of the technology described in + this document or the extent to which any license under such rights + might or might not be available; nor does it represent that it has + made any independent effort to identify any such rights. Information + on the procedures with respect to rights in RFC documents can be + found in BCP 78 and BCP 79. + + Copies of IPR disclosures made to the IETF Secretariat and any + assurances of licenses to be made available, or the result of an + attempt made to obtain a general license or permission for the use of + such proprietary rights by implementers or users of this + specification can be obtained from the IETF on-line IPR repository at + http://www.ietf.org/ipr. + + The IETF invites any interested party to bring to its attention any + copyrights, patents or patent applications, or other proprietary + rights that may cover technology that may be required to implement + this standard. Please address the information to the IETF at + ietf-ipr@ietf.org. + +Acknowledgement + + Funding for the RFC Editor function is provided by the IETF + Administrative Support Activity (IASA). + + + + + + + +Harrison Standards Track [Page 34] + -- cgit