rfc4531









Network Working Group                                        K. Zeilenga
Request for Comments: 4531                           OpenLDAP Foundation
Category: Experimental                                         June 2006


              Lightweight Directory Access Protocol (LDAP)
                             Turn Operation


Status of This Memo

   This memo defines an Experimental Protocol for the Internet
   community.  It does not specify an Internet standard of any kind.
   Discussion and suggestions for improvement are requested.
   Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2006).

Abstract

   This specification describes a Lightweight Directory Access Protocol
   (LDAP) extended operation to reverse (or "turn") the roles of client
   and server for subsequent protocol exchanges in the session, or to
   enable each peer to act as both client and server with respect to the
   other.

Table of Contents

   1. Background and Intent of Use ....................................2
      1.1. Terminology ................................................2
   2. Turn Operation ..................................................2
      2.1. Turn Request ...............................................3
      2.2. Turn Response ..............................................3
   3. Authentication ..................................................3
      3.1. Use with TLS and Simple Authentication .....................4
      3.2. Use with TLS and SASL EXTERNAL .............................4
      3.3. Use of Mutual Authentication and SASL EXTERNAL .............4
   4. TLS and SASL Security Layers ....................................5
   5. Security Considerations .........................................6
   6. IANA Considerations .............................................6
      6.1. Object Identifier ..........................................6
      6.2. LDAP Protocol Mechanism ....................................7
   7. References ......................................................7
      7.1. Normative References .......................................7
      7.2. Informative References .....................................8




Zeilenga                      Experimental                      [Page 1]

RFC 4531                  LDAP Turn Operation                  June 2006


1.  Background and Intent of Use

   The Lightweight Directory Access Protocol (LDAP) [RFC4510][RFC4511]
   is a client-server protocol that typically operates over reliable
   octet-stream transports, such as the Transport Control Protocol
   (TCP).  Generally, the client initiates the stream by connecting to
   the server's listener at some well-known address.

   There are cases where it is desirable for the server to initiate the
   stream.  Although it certainly is possible to write a technical
   specification detailing how to implement server-initiated LDAP
   sessions, this would require the design of new authentication and
   other security mechanisms to support server-initiated LDAP sessions.

   Instead, this document introduces an operation, the Turn operation,
   which may be used to reverse the client-server roles of the protocol
   peers.  This allows the initiating protocol peer to become the server
   (after the reversal).

   As an additional feature, the Turn operation may be used to allow
   both peers to act in both roles.  This is useful where both peers are
   directory servers that desire to request, as LDAP clients, that
   operations be performed by the other.  This may be useful in
   replicated and/or distributed environments.

   This operation is intended to be used between protocol peers that
   have established a mutual agreement, by means outside of the
   protocol, that requires reversal of client-server roles, or allows
   both peers to act both as client and server.

1.1.  Terminology

   Protocol elements are described using ASN.1 [X.680] with implicit
   tags.  The term "BER-encoded" means the element is to be encoded
   using the Basic Encoding Rules [X.690] under the restrictions
   detailed in Section 5.1 of [RFC4511].

2.  Turn Operation

   The Turn operation is defined as an LDAP-Extended Operation
   [Protocol, Section 4.12] identified by the 1.3.6.1.1.19 OID.  The
   function of the Turn Operation is to request that the client-server
   roles be reversed, or, optionally, to request that both protocol
   peers be able to act both as client and server in respect to the
   other.






Zeilenga                      Experimental                      [Page 2]

RFC 4531                  LDAP Turn Operation                  June 2006


2.1.  Turn Request

   The Turn request is an ExtendedRequest where the requestName field
   contains the 1.3.6.1.1.19 OID and the requestValue field is a BER-
   encoded turnValue:

        turnValue ::= SEQUENCE {
             mutual         BOOLEAN DEFAULT FALSE,
             identifier     LDAPString
        }

   A TRUE mutual field value indicates a request to allow both peers to
   act both as client and server.  A FALSE mutual field value indicates
   a request to reserve the client and server roles.

   The value of the identifier field is a locally defined policy
   identifier (typically associated with a mutual agreement for which
   this turn is be executed as part of).

2.2.  Turn Response

   A Turn response is an ExtendedResponse where the responseName and
   responseValue fields are absent.  A resultCode of success is returned
   if and only if the responder is willing and able to turn the session
   as requested.  Otherwise, a different resultCode is returned.

3.  Authentication

   This extension's authentication model assumes separate authentication
   of the peers in each of their roles.  A separate Bind exchange is
   expected between the peers in their new roles to establish identities
   in these roles.

   Upon completion of the Turn, the responding peer in its new client
   role has an anonymous association at the initiating peer in its new
   server role.  If the turn was mutual, the authentication association
   of the initiating peer in its pre-existing client role is left intact
   at the responding peer in its pre-existing server role.  If the turn
   was not mutual, this association is void.

   The responding peer may establish its identity in its client role by
   requesting and successfully completing a Bind operation.

   The remainder of this section discusses some authentication
   scenarios.  In the protocol exchange illustrations, A refers to the
   initiating peer (the original client) and B refers to the responding
   peer (the original server).




Zeilenga                      Experimental                      [Page 3]

RFC 4531                  LDAP Turn Operation                  June 2006


3.1.  Use with TLS and Simple Authentication

       A->B: StartTLS Request
       B->A: StartTLS(success) Response
       A->B: Bind(Simple(cn=B,dc=example,dc=net,B's secret)) Request
       B->A: Bind(success) Response
       A->B: Turn(TRUE,"XXYYZ") Request
       B->A: Turn(success) Response
       B->A: Bind(Simple(cn=A,dc=example,dc=net,A's secret)) Request
       A->B: Bind(success) Response

   In this scenario, TLS (Transport Layer Security) [RFC4346] is started
   and the initiating peer (the original client) establishes its
   identity with the responding peer prior to the Turn using the
   DN/password mechanism of the Simple method of the Bind operation.
   After the turn, the responding peer, in its new client role,
   establishes its identity with the initiating peer in its new server
   role.

3.2.  Use with TLS and SASL EXTERNAL

       A->B: StartTLS Request
       B->A: StartTLS(success) Response
       A->B: Bind(SASL(EXTERNAL)) Request
       B->A: Bind(success) Response
       A->B: Turn(TRUE,"XXYYZ") Request
       B->A: Turn(success) Response
       B->A: Bind(SASL(EXTERNAL)) Request
       A->B: Bind(success) Response

   In this scenario, TLS is started (with each peer providing a valid
   certificate), and the initiating peer (the original client)
   establishes its identity through the use of the EXTERNAL mechanism of
   the SASL (Simple Authentication and Security Layer) [RFC4422] method
   of the Bind operation prior to the Turn.  After the turn, the
   responding peer, in its new client role, establishes its identity
   with the initiating peer in its new server role.

3.3.  Use of Mutual Authentication and SASL EXTERNAL

   A number of SASL mechanisms, such as GSSAPI [SASL-K5], support mutual
   authentication.  The initiating peer, in its new server role, may use
   the identity of the responding peer, established by a prior
   authentication exchange, as its source for "external" identity in
   subsequent EXTERNAL exchange.

       A->B: Bind(SASL(GSSAPI)) Request
       <intermediate messages>



Zeilenga                      Experimental                      [Page 4]

RFC 4531                  LDAP Turn Operation                  June 2006


       B->A: Bind(success) Response
       A->B: Turn(TRUE,"XXYYZ") Request
       B->A: Turn(success) Response
       B->A: Bind(SASL(EXTERNAL)) Request
       A->B: Bind(success) Response

   In this scenario, a GSSAPI mutual-authentication exchange is
   completed between the initiating peer (the original client) and the
   responding server (the original server) prior to the turn.  After the
   turn, the responding peer, in its new client role, requests that the
   initiating peer utilize an "external" identity to establish its LDAP
   authorization identity.

4.  TLS and SASL Security Layers

   As described in [RFC4511], LDAP supports both Transport Layer
   Security (TLS) [RFC4346] and Simple Authentication and Security Layer
   (SASL) [RFC4422] security frameworks.  The following table
   illustrates the relationship between the LDAP message layer, SASL
   layer, TLS layer, and transport connection within an LDAP session.

                  +----------------------+
                  |  LDAP message layer  |
                  +----------------------+ > LDAP PDUs
                  +----------------------+ < data
                  |      SASL layer      |
                  +----------------------+ > SASL-protected data
                  +----------------------+ < data
                  |       TLS layer      |
      Application +----------------------+ > TLS-protected data
      ------------+----------------------+ < data
        Transport | transport connection |
                  +----------------------+

   This extension does not alter this relationship, nor does it remove
   the general restriction against multiple TLS layers, nor does it
   remove the general restriction against multiple SASL layers.

   As specified in [RFC4511], the StartTLS operation is used to initiate
   negotiation of a TLS layer.  If a TLS is already installed, the
   StartTLS operation must fail.  Upon establishment of the TLS layer,
   regardless of which peer issued the request to start TLS, the peer
   that initiated the LDAP session (the original client) performs the
   "server identity check", as described in Section 3.1.5 of [RFC4513],
   treating itself as the "client" and its peer as the "server".

   As specified in [RFC4422], a newly negotiated SASL security layer
   replaces the installed SASL security layer.  Though the client/server



Zeilenga                      Experimental                      [Page 5]

RFC 4531                  LDAP Turn Operation                  June 2006


   roles in LDAP, and hence SASL, may be reversed in subsequent
   exchanges, only one SASL security layer may be installed at any
   instance.

5.  Security Considerations

   Implementors should be aware that the reversing of client/server
   roles and/or allowing both peers to act as client and server likely
   introduces security considerations not foreseen by the authors of
   this document.  In particular, the security implications of the
   design choices made in the authentication and data security models
   for this extension (discussed in Sections 3 and 4, respectively) are
   not fully studied.  It is hoped that experimentation with this
   extension will lead to better understanding of the security
   implications of these models and other aspects of this extension, and
   that appropriate considerations will be documented in a future
   document.  The following security considerations are apparent at this
   time.

   Implementors should take special care to process LDAP, SASL, TLS, and
   other events in the appropriate roles for the peers.  Note that while
   the Turn reverses the client/server roles with LDAP, and in SASL
   authentication exchanges, it does not reverse the roles within the
   TLS layer or the transport connection.

   The responding server (the original server) should restrict use of
   this operation to authorized clients.  Client knowledge of a valid
   identifier should not be the sole factor in determining authorization
   to turn.

   Where the peers except to establish TLS, TLS should be started prior
   to the Turn and any request to authenticate via the Bind operation.

   LDAP security considerations [RFC4511][RFC4513] generally apply to
   this extension.

6.  IANA Considerations

   The following values [RFC4520] have been registered by the IANA.

6.1.  Object Identifier

   The IANA has assigned an LDAP Object Identifier to identify the LDAP
   Turn Operation, as defined in this document.







Zeilenga                      Experimental                      [Page 6]

RFC 4531                  LDAP Turn Operation                  June 2006


       Subject: Request for LDAP Object Identifier Registration
       Person & email address to contact for further information:
            Kurt Zeilenga <kurt@OpenLDAP.org>
       Specification: RFC 4531
       Author/Change Controller: Author
       Comments:
            Identifies the LDAP Turn Operation

6.2.  LDAP Protocol Mechanism

   The IANA has registered the LDAP Protocol Mechanism described in this
   document.

       Subject: Request for LDAP Protocol Mechanism Registration
       Object Identifier: 1.3.6.1.1.19
       Description: LDAP Turn Operation
       Person & email address to contact for further information:
            Kurt Zeilenga <kurt@openldap.org>
       Usage: Extended Operation
       Specification: RFC 4531
       Author/Change Controller: Author
       Comments: none

7.  References

7.1.  Normative References

   [RFC4346]     Dierks, T. and, E. Rescorla, "The Transport Layer
                 Security (TLS) Protocol Version 1.1", RFC 4346, April
                 2006.

   [RFC4422]     Melnikov, A., Ed. and K. Zeilenga, Ed., "Simple
                 Authentication and Security Layer (SASL)", RFC 4422,
                 June 2006.

   [RFC4510]     Zeilenga, K., Ed., "Lightweight Directory Access
                 Protocol (LDAP): Technical Specification Road Map", RFC
                 4510, June 2006.

   [RFC4511]     Sermersheim, J., Ed., "Lightweight Directory Access
                 Protocol (LDAP): The Protocol", RFC 4511, June 2006.

   [RFC4513]     Harrison, R., Ed., "Lightweight Directory Access
                 Protocol (LDAP): Authentication Methods and Security
                 Mechanisms", RFC 4513, June 2006.






Zeilenga                      Experimental                      [Page 7]

RFC 4531                  LDAP Turn Operation                  June 2006


   [X.680]       International Telecommunication Union -
                 Telecommunication Standardization Sector, "Abstract
                 Syntax Notation One (ASN.1) - Specification of Basic
                 Notation", X.680(2002) (also ISO/IEC 8824-1:2002).

   [X.690]       International Telecommunication Union -
                 Telecommunication Standardization Sector,
                 "Specification of ASN.1 encoding rules: Basic Encoding
                 Rules (BER), Canonical Encoding Rules (CER), and
                 Distinguished Encoding Rules (DER)", X.690(2002) (also
                 ISO/IEC 8825-1:2002).

7.2.  Informative References

   [RFC4520]     Zeilenga, K., "Internet Assigned Numbers Authority
                 (IANA) Considerations for the Lightweight Directory
                 Access Protocol (LDAP)", BCP 64, RFC 4520, June 2006.

   [SASL-K5]     Melnikov, A., Ed., "The Kerberos V5 ("GSSAPI") SASL
                 Mechanism", Work in Progress, May 2006.

Author's Address

   Kurt D. Zeilenga
   OpenLDAP Foundation

   EMail: Kurt@OpenLDAP.org
























Zeilenga                      Experimental                      [Page 8]

RFC 4531                  LDAP Turn Operation                  June 2006


Full Copyright Statement

   Copyright (C) The Internet Society (2006).

   This document is subject to the rights, licenses and restrictions
   contained in BCP 78, and except as set forth therein, the authors
   retain all their rights.

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Intellectual Property

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.

Acknowledgement

   Funding for the RFC Editor function is provided by the IETF
   Administrative Support Activity (IASA).







Zeilenga                      Experimental                      [Page 9]



ERRATA