rfc4531.txt

samba最新软件

Network Working Group                                        K. Zeilenga
Request for Comments: 4531                           OpenLDAP Foundation
Category: Experimental                                         June 2006


              Lightweight Directory Access Protocol (LDAP)
                             Turn Operation


Status of This Memo

   This memo defines an Experimental Protocol for the Internet
   community.  It does not specify an Internet standard of any kind.
   Discussion and suggestions for improvement are requested.
   Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2006).

Abstract

   This specification describes a Lightweight Directory Access Protocol
   (LDAP) extended operation to reverse (or "turn") the roles of client
   and server for subsequent protocol exchanges in the session, or to
   enable each peer to act as both client and server with respect to the
   other.

Table of Contents

   1. Background and Intent of Use ....................................2
      1.1. Terminology ................................................2
   2. Turn Operation ..................................................2
      2.1. Turn Request ...............................................3
      2.2. Turn Response ..............................................3
   3. Authentication ..................................................3
      3.1. Use with TLS and Simple Authentication .....................4
      3.2. Use with TLS and SASL EXTERNAL .............................4
      3.3. Use of Mutual Authentication and SASL EXTERNAL .............4
   4. TLS and SASL Security Layers ....................................5
   5. Security Considerations .........................................6
   6. IANA Considerations .............................................6
      6.1. Object Identifier ..........................................6
      6.2. LDAP Protocol Mechanism ....................................7
   7. References ......................................................7
      7.1. Normative References .......................................7
      7.2. Informative References .....................................8




Zeilenga                      Experimental                      [Page 1]

RFC 4531                  LDAP Turn Operation                  June 2006


1.  Background and Intent of Use

   The Lightweight Directory Access Protocol (LDAP) [RFC4510][RFC4511]
   is a client-server protocol that typically operates over reliable
   octet-stream transports, such as the Transport Control Protocol
   (TCP).  Generally, the client initiates the stream by connecting to
   the server's listener at some well-known address.

   There are cases where it is desirable for the server to initiate the
   stream.  Although it certainly is possible to write a technical
   specification detailing how to implement server-initiated LDAP
   sessions, this would require the design of new authentication and
   other security mechanisms to support server-initiated LDAP sessions.

   Instead, this document introduces an operation, the Turn operation,
   which may be used to reverse the client-server roles of the protocol
   peers.  This allows the initiating protocol peer to become the server
   (after the reversal).

   As an additional feature, the Turn operation may be used to allow
   both peers to act in both roles.  This is useful where both peers are
   directory servers that desire to request, as LDAP clients, that
   operations be performed by the other.  This may be useful in
   replicated and/or distributed environments.

   This operation is intended to be used between protocol peers that
   have established a mutual agreement, by means outside of the
   protocol, that requires reversal of client-server roles, or allows
   both peers to act both as client and server.

1.1.  Terminology

   Protocol elements are described using ASN.1 [X.680] with implicit
   tags.  The term "BER-encoded" means the element is to be encoded
   using the Basic Encoding Rules [X.690] under the restrictions
   detailed in Section 5.1 of [RFC4511].

2.  Turn Operation

   The Turn operation is defined as an LDAP-Extended Operation
   [Protocol, Section 4.12] identified by the 1.3.6.1.1.19 OID.  The
   function of the Turn Operation is to request that the client-server
   roles be reversed, or, optionally, to request that both protocol
   peers be able to act both as client and server in respect to the
   other.






Zeilenga                      Experimental                      [Page 2]

RFC 4531                  LDAP Turn Operation                  June 2006


2.1.  Turn Request

   The Turn request is an ExtendedRequest where the requestName field
   contains the 1.3.6.1.1.19 OID and the requestValue field is a BER-
   encoded turnValue:

        turnValue ::= SEQUENCE {
             mutual         BOOLEAN DEFAULT FALSE,
             identifier     LDAPString
        }

   A TRUE mutual field value indicates a request to allow both peers to
   act both as client and server.  A FALSE mutual field value indicates
   a request to reserve the client and server roles.

   The value of the identifier field is a locally defined policy
   identifier (typically associated with a mutual agreement for which
   this turn is be executed as part of).

2.2.  Turn Response

   A Turn response is an ExtendedResponse where the responseName and
   responseValue fields are absent.  A resultCode of success is returned
   if and only if the responder is willing and able to turn the session
   as requested.  Otherwise, a different resultCode is returned.

3.  Authentication

   This extension's authentication model assumes separate authentication
   of the peers in each of their roles.  A separate Bind exchange is
   expected between the peers in their new roles to establish identities
   in these roles.

   Upon completion of the Turn, the responding peer in its new client
   role has an anonymous association at the initiating peer in its new
   server role.  If the turn was mutual, the authentication association
   of the initiating peer in its pre-existing client role is left intact
   at the responding peer in its pre-existing server role.  If the turn
   was not mutual, this association is void.

   The responding peer may establish its identity in its client role by
   requesting and successfully completing a Bind operation.

   The remainder of this section discusses some authentication
   scenarios.  In the protocol exchange illustrations, A refers to the
   initiating peer (the original client) and B refers to the responding
   peer (the original server).




Zeilenga                      Experimental                      [Page 3]

RFC 4531                  LDAP Turn Operation                  June 2006


3.1.  Use with TLS and Simple Authentication

       A->B: StartTLS Request
       B->A: StartTLS(success) Response
       A->B: Bind(Simple(cn=B,dc=example,dc=net,B's secret)) Request
       B->A: Bind(success) Response
       A->B: Turn(TRUE,"XXYYZ") Request
       B->A: Turn(success) Response
       B->A: Bind(Simple(cn=A,dc=example,dc=net,A's secret)) Request
       A->B: Bind(success) Response

   In this scenario, TLS (Transport Layer Security) [RFC4346] is started
   and the initiating peer (the original client) establishes its
   identity with the responding peer prior to the Turn using the
   DN/password mechanism of the Simple method of the Bind operation.
   After the turn, the responding peer, in its new client role,
   establishes its identity with the initiating peer in its new server
   role.

3.2.  Use with TLS and SASL EXTERNAL

       A->B: StartTLS Request
       B->A: StartTLS(success) Response
       A->B: Bind(SASL(EXTERNAL)) Request
       B->A: Bind(success) Response
       A->B: Turn(TRUE,"XXYYZ") Request
       B->A: Turn(success) Response
       B->A: Bind(SASL(EXTERNAL)) Request
       A->B: Bind(success) Response

   In this scenario, TLS is started (with each peer providing a valid
   certificate), and the initiating peer (the original client)
   establishes its identity through the use of the EXTERNAL mechanism of
   the SASL (Simple Authentication and Security Layer) [RFC4422] method
   of the Bind operation prior to the Turn.  After the turn, the
   responding peer, in its new client role, establishes its identity
   with the initiating peer in its new server role.

3.3.  Use of Mutual Authentication and SASL EXTERNAL

   A number of SASL mechanisms, such as GSSAPI [SASL-K5], support mutual
   authentication.  The initiating peer, in its new server role, may use
   the identity of the responding peer, established by a prior
   authentication exchange, as its source for "external" identity in
   subsequent EXTERNAL exchange.

       A->B: Bind(SASL(GSSAPI)) Request
       <intermediate messages>



Zeilenga                      Experimental                      [Page 4]

RFC 4531                  LDAP Turn Operation                  June 2006


       B->A: Bind(success) Response
       A->B: Turn(TRUE,"XXYYZ") Request
       B->A: Turn(success) Response
       B->A: Bind(SASL(EXTERNAL)) Request
       A->B: Bind(success) Response

   In this scenario, a GSSAPI mutual-authentication exchange is
   completed between the initiating peer (the original client) and the
   responding server (the original server) prior to the turn.  After the
   turn, the responding peer, in its new client role, requests that the
   initiating peer utilize an "external" identity to establish its LDAP
   authorization identity.

4.  TLS and SASL Security Layers

   As described in [RFC4511], LDAP supports both Transport Layer
   Security (TLS) [RFC4346] and Simple Authentication and Security Layer
   (SASL) [RFC4422] security frameworks.  The following table
   illustrates the relationship between the LDAP message layer, SASL
   layer, TLS layer, and transport connection within an LDAP session.

                  +----------------------+
                  |  LDAP message layer  |
                  +----------------------+ > LDAP PDUs