rfc4531.txt

samba最新软件

                  +----------------------+ < data
                  |      SASL layer      |
                  +----------------------+ > SASL-protected data
                  +----------------------+ < data
                  |       TLS layer      |
      Application +----------------------+ > TLS-protected data
      ------------+----------------------+ < data
        Transport | transport connection |
                  +----------------------+

   This extension does not alter this relationship, nor does it remove
   the general restriction against multiple TLS layers, nor does it
   remove the general restriction against multiple SASL layers.

   As specified in [RFC4511], the StartTLS operation is used to initiate
   negotiation of a TLS layer.  If a TLS is already installed, the
   StartTLS operation must fail.  Upon establishment of the TLS layer,
   regardless of which peer issued the request to start TLS, the peer
   that initiated the LDAP session (the original client) performs the
   "server identity check", as described in Section 3.1.5 of [RFC4513],
   treating itself as the "client" and its peer as the "server".

   As specified in [RFC4422], a newly negotiated SASL security layer
   replaces the installed SASL security layer.  Though the client/server



Zeilenga                      Experimental                      [Page 5]

RFC 4531                  LDAP Turn Operation                  June 2006


   roles in LDAP, and hence SASL, may be reversed in subsequent
   exchanges, only one SASL security layer may be installed at any
   instance.

5.  Security Considerations

   Implementors should be aware that the reversing of client/server
   roles and/or allowing both peers to act as client and server likely
   introduces security considerations not foreseen by the authors of
   this document.  In particular, the security implications of the
   design choices made in the authentication and data security models
   for this extension (discussed in Sections 3 and 4, respectively) are
   not fully studied.  It is hoped that experimentation with this
   extension will lead to better understanding of the security
   implications of these models and other aspects of this extension, and
   that appropriate considerations will be documented in a future
   document.  The following security considerations are apparent at this
   time.

   Implementors should take special care to process LDAP, SASL, TLS, and
   other events in the appropriate roles for the peers.  Note that while
   the Turn reverses the client/server roles with LDAP, and in SASL
   authentication exchanges, it does not reverse the roles within the
   TLS layer or the transport connection.

   The responding server (the original server) should restrict use of
   this operation to authorized clients.  Client knowledge of a valid
   identifier should not be the sole factor in determining authorization
   to turn.

   Where the peers except to establish TLS, TLS should be started prior
   to the Turn and any request to authenticate via the Bind operation.

   LDAP security considerations [RFC4511][RFC4513] generally apply to
   this extension.

6.  IANA Considerations

   The following values [RFC4520] have been registered by the IANA.

6.1.  Object Identifier

   The IANA has assigned an LDAP Object Identifier to identify the LDAP
   Turn Operation, as defined in this document.







Zeilenga                      Experimental                      [Page 6]

RFC 4531                  LDAP Turn Operation                  June 2006


       Subject: Request for LDAP Object Identifier Registration
       Person & email address to contact for further information:
            Kurt Zeilenga <kurt@OpenLDAP.org>
       Specification: RFC 4531
       Author/Change Controller: Author
       Comments:
            Identifies the LDAP Turn Operation

6.2.  LDAP Protocol Mechanism

   The IANA has registered the LDAP Protocol Mechanism described in this
   document.

       Subject: Request for LDAP Protocol Mechanism Registration
       Object Identifier: 1.3.6.1.1.19
       Description: LDAP Turn Operation
       Person & email address to contact for further information:
            Kurt Zeilenga <kurt@openldap.org>
       Usage: Extended Operation
       Specification: RFC 4531
       Author/Change Controller: Author
       Comments: none

7.  References

7.1.  Normative References

   [RFC4346]     Dierks, T. and, E. Rescorla, "The Transport Layer
                 Security (TLS) Protocol Version 1.1", RFC 4346, April
                 2006.

   [RFC4422]     Melnikov, A., Ed. and K. Zeilenga, Ed., "Simple
                 Authentication and Security Layer (SASL)", RFC 4422,
                 June 2006.

   [RFC4510]     Zeilenga, K., Ed., "Lightweight Directory Access
                 Protocol (LDAP): Technical Specification Road Map", RFC
                 4510, June 2006.

   [RFC4511]     Sermersheim, J., Ed., "Lightweight Directory Access
                 Protocol (LDAP): The Protocol", RFC 4511, June 2006.

   [RFC4513]     Harrison, R., Ed., "Lightweight Directory Access
                 Protocol (LDAP): Authentication Methods and Security
                 Mechanisms", RFC 4513, June 2006.






Zeilenga                      Experimental                      [Page 7]

RFC 4531                  LDAP Turn Operation                  June 2006


   [X.680]       International Telecommunication Union -
                 Telecommunication Standardization Sector, "Abstract
                 Syntax Notation One (ASN.1) - Specification of Basic
                 Notation", X.680(2002) (also ISO/IEC 8824-1:2002).

   [X.690]       International Telecommunication Union -
                 Telecommunication Standardization Sector,
                 "Specification of ASN.1 encoding rules: Basic Encoding
                 Rules (BER), Canonical Encoding Rules (CER), and
                 Distinguished Encoding Rules (DER)", X.690(2002) (also
                 ISO/IEC 8825-1:2002).

7.2.  Informative References

   [RFC4520]     Zeilenga, K., "Internet Assigned Numbers Authority
                 (IANA) Considerations for the Lightweight Directory
                 Access Protocol (LDAP)", BCP 64, RFC 4520, June 2006.

   [SASL-K5]     Melnikov, A., Ed., "The Kerberos V5 ("GSSAPI") SASL
                 Mechanism", Work in Progress, May 2006.

Author's Address

   Kurt D. Zeilenga
   OpenLDAP Foundation

   EMail: Kurt@OpenLDAP.org
























Zeilenga                      Experimental                      [Page 8]

RFC 4531                  LDAP Turn Operation                  June 2006


Full Copyright Statement

   Copyright (C) The Internet Society (2006).

   This document is subject to the rights, licenses and restrictions
   contained in BCP 78, and except as set forth therein, the authors
   retain all their rights.

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Intellectual Property

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.

Acknowledgement

   Funding for the RFC Editor function is provided by the IETF
   Administrative Support Activity (IASA).







Zeilenga                      Experimental                      [Page 9]