Network Working Group K. Zeilenga Request for Comments: 4531 OpenLDAP Foundation Category: Experimental June 2006 Lightweight Directory Access Protocol (LDAP) Turn Operation Status of This Memo This memo defines an Experimental Protocol for the Internet community. It does not specify an Internet standard of any kind. Discussion and suggestions for improvement are requested. Distribution of this memo is unlimited. Copyright Notice Copyright (C) The Internet Society (2006). Abstract This specification describes a Lightweight Directory Access Protocol (LDAP) extended operation to reverse (or "turn") the roles of client and server for subsequent protocol exchanges in the session, or to enable each peer to act as both client and server with respect to the other. Table of Contents 1. Background and Intent of Use ....................................2 1.1. Terminology ................................................2 2. Turn Operation ..................................................2 2.1. Turn Request ...............................................3 2.2. Turn Response ..............................................3 3. Authentication ..................................................3 3.1. Use with TLS and Simple Authentication .....................4 3.2. Use with TLS and SASL EXTERNAL .............................4 3.3. Use of Mutual Authentication and SASL EXTERNAL .............4 4. TLS and SASL Security Layers ....................................5 5. Security Considerations .........................................6 6. IANA Considerations .............................................6 6.1. Object Identifier ..........................................6 6.2. LDAP Protocol Mechanism ....................................7 7. References ......................................................7 7.1. Normative References .......................................7 7.2. Informative References .....................................8 Zeilenga Experimental [Page 1] RFC 4531 LDAP Turn Operation June 2006 1. Background and Intent of Use The Lightweight Directory Access Protocol (LDAP) [RFC4510][RFC4511] is a client-server protocol that typically operates over reliable octet-stream transports, such as the Transport Control Protocol (TCP). Generally, the client initiates the stream by connecting to the server's listener at some well-known address. There are cases where it is desirable for the server to initiate the stream. Although it certainly is possible to write a technical specification detailing how to implement server-initiated LDAP sessions, this would require the design of new authentication and other security mechanisms to support server-initiated LDAP sessions. Instead, this document introduces an operation, the Turn operation, which may be used to reverse the client-server roles of the protocol peers. This allows the initiating protocol peer to become the server (after the reversal). As an additional feature, the Turn operation may be used to allow both peers to act in both roles. This is useful where both peers are directory servers that desire to request, as LDAP clients, that operations be performed by the other. This may be useful in replicated and/or distributed environments. This operation is intended to be used between protocol peers that have established a mutual agreement, by means outside of the protocol, that requires reversal of client-server roles, or allows both peers to act both as client and server. 1.1. Terminology Protocol elements are described using ASN.1 [X.680] with implicit tags. The term "BER-encoded" means the element is to be encoded using the Basic Encoding Rules [X.690] under the restrictions detailed in Section 5.1 of [RFC4511]. 2. Turn Operation The Turn operation is defined as an LDAP-Extended Operation [Protocol, Section 4.12] identified by the 1.3.6.1.1.19 OID. The function of the Turn Operation is to request that the client-server roles be reversed, or, optionally, to request that both protocol peers be able to act both as client and server in respect to the other. Zeilenga Experimental [Page 2] RFC 4531 LDAP Turn Operation June 2006 2.1. Turn Request The Turn request is an ExtendedRequest where the requestName field contains the 1.3.6.1.1.19 OID and the requestValue field is a BER- encoded turnValue: turnValue ::= SEQUENCE { mutual BOOLEAN DEFAULT FALSE, identifier LDAPString } A TRUE mutual field value indicates a request to allow both peers to act both as client and server. A FALSE mutual field value indicates a request to reserve the client and server roles. The value of the identifier field is a locally defined policy identifier (typically associated with a mutual agreement for which this turn is be executed as part of). 2.2. Turn Response A Turn response is an ExtendedResponse where the responseName and responseValue fields are absent. A resultCode of success is returned if and only if the responder is willing and able to turn the session as requested. Otherwise, a different resultCode is returned. 3. Authentication This extension's authentication model assumes separate authentication of the peers in each of their roles. A separate Bind exchange is expected between the peers in their new roles to establish identities in these roles. Upon completion of the Turn, the responding peer in its new client role has an anonymous association at the initiating peer in its new server role. If the turn was mutual, the authentication association of the initiating peer in its pre-existing client role is left intact at the responding peer in its pre-existing server role. If the turn was not mutual, this association is void. The responding peer may establish its identity in its client role by requesting and successfully completing a Bind operation. The remainder of this section discusses some authentication scenarios. In the protocol exchange illustrations, A refers to the initiating peer (the original client) and B refers to the responding peer (the original server). Zeilenga Experimental [Page 3] RFC 4531 LDAP Turn Operation June 2006 3.1. Use with TLS and Simple Authentication A->B: StartTLS Request B->A: StartTLS(success) Response A->B: Bind(Simple(cn=B,dc=example,dc=net,B's secret)) Request B->A: Bind(success) Response A->B: Turn(TRUE,"XXYYZ") Request B->A: Turn(success) Response B->A: Bind(Simple(cn=A,dc=example,dc=net,A's secret)) Request A->B: Bind(success) Response In this scenario, TLS (Transport Layer Security) [RFC4346] is started and the initiating peer (the original client) establishes its identity with the responding peer prior to the Turn using the DN/password mechanism of the Simple method of the Bind operation. After the turn, the responding peer, in its new client role, establishes its identity with the initiating peer in its new server role. 3.2. Use with TLS and SASL EXTERNAL A->B: StartTLS Request B->A: StartTLS(success) Response A->B: Bind(SASL(EXTERNAL)) Request B->A: Bind(success) Response A->B: Turn(TRUE,"XXYYZ") Request B->A: Turn(success) Response B->A: Bind(SASL(EXTERNAL)) Request A->B: Bind(success) Response In this scenario, TLS is started (with each peer providing a valid certificate), and the initiating peer (the original client) establishes its identity through the use of the EXTERNAL mechanism of the SASL (Simple Authentication and Security Layer) [RFC4422] method of the Bind operation prior to the Turn. After the turn, the responding peer, in its new client role, establishes its identity with the initiating peer in its new server role. 3.3. Use of Mutual Authentication and SASL EXTERNAL A number of SASL mechanisms, such as GSSAPI [SASL-K5], support mutual authentication. The initiating peer, in its new server role, may use the identity of the responding peer, established by a prior authentication exchange, as its source for "external" identity in subsequent EXTERNAL exchange. A->B: Bind(SASL(GSSAPI)) Request Zeilenga Experimental [Page 4] RFC 4531 LDAP Turn Operation June 2006 B->A: Bind(success) Response A->B: Turn(TRUE,"XXYYZ") Request B->A: Turn(success) Response B->A: Bind(SASL(EXTERNAL)) Request A->B: Bind(success) Response In this scenario, a GSSAPI mutual-authentication exchange is completed between the initiating peer (the original client) and the responding server (the original server) prior to the turn. After the turn, the responding peer, in its new client role, requests that the initiating peer utilize an "external" identity to establish its LDAP authorization identity. 4. TLS and SASL Security Layers As described in [RFC4511], LDAP supports both Transport Layer Security (TLS) [RFC4346] and Simple Authentication and Security Layer (SASL) [RFC4422] security frameworks. The following table illustrates the relationship between the LDAP message layer, SASL layer, TLS layer, and transport connection within an LDAP session. +----------------------+ | LDAP message layer | +----------------------+ > LDAP PDUs +----------------------+ < data | SASL layer | +----------------------+ > SASL-protected data +----------------------+ < data | TLS layer | Application +----------------------+ > TLS-protected data ------------+----------------------+ < data Transport | transport connection | +----------------------+ This extension does not alter this relationship, nor does it remove the general restriction against multiple TLS layers, nor does it remove the general restriction against multiple SASL layers. As specified in [RFC4511], the StartTLS operation is used to initiate negotiation of a TLS layer. If a TLS is already installed, the StartTLS operation must fail. Upon establishment of the TLS layer, regardless of which peer issued the request to start TLS, the peer that initiated the LDAP session (the original client) performs the "server identity check", as described in Section 3.1.5 of [RFC4513], treating itself as the "client" and its peer as the "server". As specified in [RFC4422], a newly negotiated SASL security layer replaces the installed SASL security layer. Though the client/server Zeilenga Experimental [Page 5] RFC 4531 LDAP Turn Operation June 2006 roles in LDAP, and hence SASL, may be reversed in subsequent exchanges, only one SASL security layer may be installed at any instance. 5. Security Considerations Implementors should be aware that the reversing of client/server roles and/or allowing both peers to act as client and server likely introduces security considerations not foreseen by the authors of this document. In particular, the security implications of the design choices made in the authentication and data security models for this extension (discussed in Sections 3 and 4, respectively) are not fully studied. It is hoped that experimentation with this extension will lead to better understanding of the security implications of these models and other aspects of this extension, and that appropriate considerations will be documented in a future document. The following security considerations are apparent at this time. Implementors should take special care to process LDAP, SASL, TLS, and other events in the appropriate roles for the peers. Note that while the Turn reverses the client/server roles with LDAP, and in SASL authentication exchanges, it does not reverse the roles within the TLS layer or the transport connection. The responding server (the original server) should restrict use of this operation to authorized clients. Client knowledge of a valid identifier should not be the sole factor in determining authorization to turn. Where the peers except to establish TLS, TLS should be started prior to the Turn and any request to authenticate via the Bind operation. LDAP security considerations [RFC4511][RFC4513] generally apply to this extension. 6. IANA Considerations The following values [RFC4520] have been registered by the IANA. 6.1. Object Identifier The IANA has assigned an LDAP Object Identifier to identify the LDAP Turn Operation, as defined in this document. Zeilenga Experimental [Page 6] RFC 4531 LDAP Turn Operation June 2006 Subject: Request for LDAP Object Identifier Registration Person & email address to contact for further information: Kurt Zeilenga Specification: RFC 4531 Author/Change Controller: Author Comments: Identifies the LDAP Turn Operation 6.2. LDAP Protocol Mechanism The IANA has registered the LDAP Protocol Mechanism described in this document. Subject: Request for LDAP Protocol Mechanism Registration Object Identifier: 1.3.6.1.1.19 Description: LDAP Turn Operation Person & email address to contact for further information: Kurt Zeilenga Usage: Extended Operation Specification: RFC 4531 Author/Change Controller: Author Comments: none 7. References 7.1. Normative References [RFC4346] Dierks, T. and, E. Rescorla, "The Transport Layer Security (TLS) Protocol Version 1.1", RFC 4346, April 2006. [RFC4422] Melnikov, A., Ed. and K. Zeilenga, Ed., "Simple Authentication and Security Layer (SASL)", RFC 4422, June 2006. [RFC4510] Zeilenga, K., Ed., "Lightweight Directory Access Protocol (LDAP): Technical Specification Road Map", RFC 4510, June 2006. [RFC4511] Sermersheim, J., Ed., "Lightweight Directory Access Protocol (LDAP): The Protocol", RFC 4511, June 2006. [RFC4513] Harrison, R., Ed., "Lightweight Directory Access Protocol (LDAP): Authentication Methods and Security Mechanisms", RFC 4513, June 2006. Zeilenga Experimental [Page 7] RFC 4531 LDAP Turn Operation June 2006 [X.680] International Telecommunication Union - Telecommunication Standardization Sector, "Abstract Syntax Notation One (ASN.1) - Specification of Basic Notation", X.680(2002) (also ISO/IEC 8824-1:2002). [X.690] International Telecommunication Union - Telecommunication Standardization Sector, "Specification of ASN.1 encoding rules: Basic Encoding Rules (BER), Canonical Encoding Rules (CER), and Distinguished Encoding Rules (DER)", X.690(2002) (also ISO/IEC 8825-1:2002). 7.2. Informative References [RFC4520] Zeilenga, K., "Internet Assigned Numbers Authority (IANA) Considerations for the Lightweight Directory Access Protocol (LDAP)", BCP 64, RFC 4520, June 2006. [SASL-K5] Melnikov, A., Ed., "The Kerberos V5 ("GSSAPI") SASL Mechanism", Work in Progress, May 2006. Author's Address Kurt D. Zeilenga OpenLDAP Foundation EMail: Kurt@OpenLDAP.org Zeilenga Experimental [Page 8] RFC 4531 LDAP Turn Operation June 2006 Full Copyright Statement Copyright (C) The Internet Society (2006). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights. This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Intellectual Property The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79. Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org. Acknowledgement Funding for the RFC Editor function is provided by the IETF Administrative Support Activity (IASA). Zeilenga Experimental [Page 9]