rfc4513.txt
Network Working Group                                   R. Harrison, Ed.
Request for Comments: 4513                                  Novell, Inc.
Obsoletes: 2251, 2829, 2830                                    June 2006
Category: Standards Track

             Lightweight Directory Access Protocol (LDAP):
             Authentication Methods and Security Mechanisms

Status of This Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2006).

Abstract

   This document describes authentication methods and security
   mechanisms of the Lightweight Directory Access Protocol (LDAP).  This
   document details establishment of Transport Layer Security (TLS)
   using the StartTLS operation.

   This document details the simple Bind authentication method including
   anonymous, unauthenticated, and name/password mechanisms and the
   Simple Authentication and Security Layer (SASL) Bind authentication
   method including the EXTERNAL mechanism.

   This document discusses various authentication and authorization
   states through which a session to an LDAP server may pass and the
   actions that trigger these state changes.

   This document, together with other documents in the LDAP Technical
   Specification (see Section 1 of the specification's road map),
   obsoletes RFC 2251, RFC 2829, and RFC 2830.

Harrison                    Standards Track                     [Page 1]
RFC 4513              LDAP Authentication Methods              June 2006

Table of Contents

   1. Introduction ....................................................4
      1.1. Relationship to Other Documents ............................6
      1.2. Conventions ................................................6
   2. Implementation Requirements .....................................7
   3. StartTLS Operation ..............................................8
      3.1.  TLS Establishment Procedures ..............................8
           3.1.1. StartTLS Request Sequencing .........................8
           3.1.2. Client Certificate ..................................9
           3.1.3. Server Identity Check ...............................9
                  3.1.3.1. Comparison of DNS Names ...................10
                  3.1.3.2. Comparison of IP Addresses ................11
                  3.1.3.3. Comparison of Other subjectName Types .....11
           3.1.4. Discovery of Resultant Security Level ..............11
           3.1.5. Refresh of Server Capabilities Information .........11
      3.2.  Effect of TLS on Authorization State .....................12
      3.3. TLS Ciphersuites ..........................................12
   4. Authorization State ............................................13
   5. Bind Operation .................................................14
      5.1. Simple Authentication Method ..............................14
           5.1.1. Anonymous Authentication Mechanism of Simple Bind ..14
           5.1.2. Unauthenticated Authentication Mechanism of
                  Simple Bind ........................................14
           5.1.3. Name/Password Authentication Mechanism of
                  Simple Bind ........................................15
      5.2. SASL Authentication Method ................................16
           5.2.1. SASL Protocol Profile ..............................16
                  5.2.1.1. SASL Service Name for LDAP ................16
                  5.2.1.2. SASL Authentication Initiation and
                           Protocol Exchange .........................16
                  5.2.1.3. Optional Fields ...........................17
                  5.2.1.4. Octet Where Negotiated Security
                           Layers Take Effect ........................18
                  5.2.1.5. Determination of Supported SASL
                           Mechanisms ................................18
                  5.2.1.6. Rules for Using SASL Layers ...............19
                  5.2.1.7. Support for Multiple Authentications ......19
                  5.2.1.8. SASL Authorization Identities .............19
           5.2.2. SASL Semantics within LDAP .........................20
           5.2.3. SASL EXTERNAL Authentication Mechanism .............20
                  5.2.3.1. Implicit Assertion ........................21
                  5.2.3.2. Explicit Assertion ........................21
   6. Security Considerations ........................................21
      6.1. General LDAP Security Considerations ......................21
      6.2. StartTLS Security Considerations ..........................22
      6.3. Bind Operation Security Considerations ....................23
           6.3.1. Unauthenticated Mechanism Security Considerations ..23
           6.3.2. Name/Password Mechanism Security Considerations ....23
           6.3.3. Password-Related Security Considerations ...........23
           6.3.4. Hashed Password Security Considerations ............24
      6.4. SASL Security Considerations ..............................24
      6.5. Related Security Considerations ...........................25
   7. IANA Considerations ............................................25
   8. Acknowledgements ...............................................25
   9. Normative References ...........................................26
   10. Informative References ........................................27
   Appendix A. Authentication and Authorization Concepts .............28
      A.1. Access Control Policy .....................................28
      A.2. Access Control Factors ....................................28
      A.3. Authentication, Credentials, Identity .....................28
      A.4. Authorization Identity ....................................29
   Appendix B. Summary of Changes ....................................29
      B.1. Changes Made to RFC 2251 ..................................30
           B.1.1. Section 4.2.1 ("Sequencing of the Bind Request") ...30
           B.1.2. Section 4.2.2 ("Authentication and Other Security
                  Services") .........................................30
      B.2. Changes Made to RFC 2829 ..................................30
           B.2.1. Section 4 ("Required security mechanisms") .........30
           B.2.2. Section 5.1 ("Anonymous authentication
                  procedure") ........................................31
           B.2.3. Section 6 ("Password-based authentication") ........31
           B.2.4. Section 6.1 ("Digest authentication") ..............31
           B.2.5. Section 6.2 ("'simple' authentication choice under
                  TLS encryption") ...................................31
           B.2.6. Section 6.3 ("Other authentication choices with
                  TLS") ..............................................31
           B.2.7. Section 7.1 ("Certificate-based authentication
                  with TLS") .........................................31
           B.2.8. Section 8 ("Other mechanisms") .....................32
           B.2.9. Section 9 ("Authorization Identity") ...............32
           B.2.10. Section 10 ("TLS Ciphersuites") ...................32
      B.3. Changes Made to RFC 2830 ..................................32
           B.3.1. Section 3.6 ("Server Identity Check") ..............32
           B.3.2. Section 3.7 ("Refresh of Server Capabilities
                  Information") ......................................33
           B.3.3. Section 5 ("Effects of TLS on a Client's
                  Authorization Identity") ...........................33
           B.3.4. Section 5.2 ("TLS Connection Closure Effects") .....33

1.  Introduction

   The Lightweight Directory Access Protocol (LDAP) [RFC4510] is a
   powerful protocol for accessing directories.  It offers means of
   searching, retrieving, and manipulating directory content and ways to
   access a rich set of security functions.

   It is vital that these security functions be interoperable among all
   LDAP clients and servers on the Internet; therefore there has to be a
   minimum subset of security functions that is common to all
   implementations that claim LDAP conformance.

   Basic threats to an LDAP directory service include (but are not
   limited to):

   (1) Unauthorized access to directory data via data-retrieval
       operations.

   (2) Unauthorized access to directory data by monitoring access of
       others.

   (3) Unauthorized access to reusable client authentication information
       by monitoring access of others.

   (4) Unauthorized modification of directory data.

   (5) Unauthorized modification of configuration information.

   (6) Denial of Service: Use of resources (commonly in excess) in a
       manner intended to deny service to others.

   (7) Spoofing: Tricking a user or client into believing that
       information came from the directory when in fact it did not,
       either by modifying data in transit or misdirecting the client's
       transport connection.  Tricking a user or client into sending
       privileged information to a hostile entity that appears to be the
       directory server but is not.  Tricking a directory server into
       believing that information came from a particular client when in
       fact it came from a hostile entity.

   (8) Hijacking: An attacker seizes control of an established protocol
       session.

   Threats (1), (4), (5), (6), (7), and (8) are active attacks.  Threats
   (2) and (3) are passive attacks.

   Threats (1), (4), (5), and (6) are due to hostile clients.  Threats
   (2), (3), (7), and (8) are due to hostile agents on the path between
   client and server or hostile agents posing as a server, e.g., IP
   spoofing.

   LDAP offers the following security mechanisms:

   (1) Authentication by means of the Bind operation.  The Bind
       operation provides a simple method that supports anonymous,
       unauthenticated, and name/password mechanisms, and the Simple
       Authentication and Security Layer (SASL) method, which supports a
       wide variety of authentication mechanisms.

   (2) Mechanisms to support vendor-specific access control facilities
       (LDAP does not offer a standard access control facility).

   (3) Data integrity service by means of security layers in Transport
       Layer Security (TLS) or SASL mechanisms.

   (4) Data confidentiality service by means of security layers in TLS
       or SASL mechanisms.

   (5) Server resource usage limitation by means of administrative
       limits configured on the server.

   (6) Server authentication by means of the TLS protocol or SASL
       mechanisms.

   LDAP may also be protected by means outside the LDAP protocol, e.g.,
   with IP layer security [RFC4301].

   Experience has shown that simply allowing implementations to pick and
   choose the security mechanisms that will be implemented is not a
   strategy that leads to interoperability.  In the absence of mandates,
   clients will continue to be written that do not support any security
   function supported by the server, or worse, they will only support
   mechanisms that provide inadequate security for most circumstances.

   It is desirable to allow clients to authenticate using a variety of
   mechanisms including mechanisms where identities are represented as
   distinguished names [X.501][RFC4512], in string form [RFC4514], or as
   used in different systems (e.g., simple user names [RFC4013]).
   Because some authentication mechanisms transmit credentials in plain
   text form, and/or do not provide data security services and/or are
   subject to passive attacks, it is necessary to ensure secure
   interoperability by identifying a mandatory-to-implement mechanism
   for establishing transport-layer security services.

   The set of security mechanisms provided in LDAP and described in this
   document is intended to meet the security needs for a wide range of
   deployment scenarios and still provide a high degree of
   interoperability among various LDAP implementations and deployments.

1.1.  Relationship to Other Documents

   This document is an integral part of the LDAP Technical Specification
   [RFC4510].

   This document, together with [RFC4510], [RFC4511], and [RFC4512],
   obsoletes RFC 2251 in its entirety.  Sections 4.2.1 (portions) and
   4.2.2 of RFC 2251 are obsoleted by this document.  Appendix B.1
