Internet Engineering Task Force (IETF)                       K. Zeilenga
Request for Comments: 6171                                 Isode Limited
Category: Standards Track                                     March 2011
ISSN: 2070-1721


    The Lightweight Directory Access Protocol (LDAP) Don't Use Copy Control

Abstract

   This document defines the Lightweight Directory Access Protocol
   (LDAP) Don't Use Copy control extension, which allows a client to
   specify that copied information should not be used in providing
   service.  This control is based upon the X.511 dontUseCopy service
   control option.

Status of This Memo

   This is an Internet Standards Track document.

   This document is a product of the Internet Engineering Task Force
   (IETF).  It represents the consensus of the IETF community.  It has
   received public review and has been approved for publication by the
   Internet Engineering Steering Group (IESG).  Further information on
   Internet Standards is available in Section 2 of RFC 5741.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   http://www.rfc-editor.org/info/rfc6171.

Copyright Notice

   Copyright (c) 2011 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

   This document may contain material from IETF Documents or IETF
   Contributions published or made publicly available before November
   10, 2008.  The person(s) controlling the copyright in some of this
   material may not have granted the IETF Trust the right to allow
   modifications of such material outside the IETF Standards Process.
   Without obtaining an adequate license from the person(s) controlling
   the copyright in such materials, this document may not be modified
   outside the IETF Standards Process, and derivative works of it may
   not be created outside the IETF Standards Process, except to format
   it for publication as an RFC or to translate it into languages other
   than English.

Zeilenga                     Standards Track                    [Page 1]

1.  Background and Intended Usage

   This document defines the Lightweight Directory Access Protocol
   (LDAP) [RFC4510] Don't Use Copy control extension.  The control may
   be attached to request messages to indicate that copied (replicated
   or cached) information [X.500] is not to be used in providing
   service.  This control is based upon the X.511 [X.511] dontUseCopy
   service control option.

   The Don't Use Copy control is intended to be used where the client
   requires the service be provided using original (master) information
   [X.500].  In the absence of this control, the server is free to make
   use of copied (i.e., non-authoritative) information in providing the
   requested service.

   For instance, a client might desire to have an authoritative answer
   to a question of whether or not a particular user is a member of a
   group.  To ask this question of a server, the client might issue a
   compare request [RFC4511], with the Don't Use Copy control, where the
   entry parameter is the Distinguished Name (DN) of the group, the
   ava.attributeDesc is 'member', and the ava.assertionValue is the DN
   of the user in question.  If the server has access to the original
   (master) information directly or through chaining, it performs the
   operation against the original (master) information and returns
   compareTrue or compareFalse (or an error).  If the server does not
   have access to the original information, the server is obligated to
   either return a referral or an error.

   It is not intended that this control be used generally (e.g., for all
   LDAP interrogation operations) but only as required to ensure proper
   directory application behavior.  In general, directory applications
   ought to be designed to use copied information well.

2.  Terminology

   DSA stands for Directory System Agent (or server).
   DSE stands for DSA-Specific Entry.

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

3.  The Don't Use Copy Control

   The Don't Use Copy control is an LDAP Control [RFC4511] whose
   controlType is 1.3.6.1.1.22 and controlValue is absent.  The
   criticality MUST be TRUE.  There is no corresponding response
   control.

   The control is appropriate for LDAP interrogation operations,
   including Compare and Search operations [RFC4511].  It is
   inappropriate for all other operations, including Abandon, Bind,
   Delete, Modify, ModifyDN, StartTLS, and Unbind operations [RFC4511].

   When the control is attached to an LDAP request, the requested
   operation MUST NOT be performed on copied information.  That is, the
   requested operation MUST be performed on original information.

   If original (master) information for the target or base object of the
   operation is not available (either locally or through chaining), the
   server MUST either return a referral directing the client to a server
   believed to be better able to service the request or return an
   appropriate result code (e.g., unwillingToPerform).

   It is noted that a referral, if returned, is not necessarily to the
   server holding the original (master) information.  It is also noted
   that an authoritative answer to the question might not be available
   to the client for any number of reasons.

   Where the client chases a referral to a server (as referenced by an
   LDAP URL) in the server response in order to obtain an authoritative
   response, the client MUST provide the dontUseCopy control with the
   interrogation request it makes to the referred-to server.  While LDAP
   allows return of other kinds of URIs, the syntax and semantics of
   other kinds of URIs are left to future specifications.  The
   particulars of how to act upon other kinds of URIs are also left to
   future specifications.

   Servers implementing this technical specification SHOULD publish the
   object identifier 1.3.6.1.1.22 as a value of the 'supportedControl'
   attribute [RFC4512] in their root DSE.  A server MAY choose to
   advertise this extension only when the client is authorized to use
   it.

4.  Security Considerations

   This control is intended to be provided where providing service using
   copied information might lead to unexpected application behavior.
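   The following Python example is added here and is not part of RFC 6171
   or any LDAP implementation.  It BER-encodes and decodes the control as
   Section 3 specifies it (controlType 1.3.6.1.1.22, criticality TRUE, no
   controlValue) and models a server's decision rules for a request that
   carries it, including the chaining restriction suggested above as a
   denial-of-service mitigation.  The result strings are illustrative; the
   "protocolError" outcome for a malformed control is an assumption, and
   "unavailableCriticalExtension" is the RFC 4511 rule for a critical
   control the server will not honour on that operation.

```python
# Added example, not part of RFC 6171: encode/decode the Don't Use Copy
# control and model a server's handling of it (Sections 3 and 4).
DONT_USE_COPY_OID = "1.3.6.1.1.22"
INTERROGATION_OPS = {"compareRequest", "searchRequest"}


def encode_dont_use_copy_control():
    """Control ::= SEQUENCE { controlType LDAPOID, criticality TRUE }, no value."""
    oid = DONT_USE_COPY_OID.encode("ascii")
    content = b"\x04" + bytes([len(oid)]) + oid + b"\x01\x01\xff"
    return b"\x30" + bytes([len(content)]) + content


def decode_control(data):
    """Parse a BER Control (short-form lengths only, enough for this control)
    into (controlType, criticality, controlValue-or-None)."""
    if data[0] != 0x30 or data[1] >= 0x80 or len(data) != 2 + data[1]:
        raise ValueError("not a short-form SEQUENCE")
    body, pos, fields = data[2:], 0, []
    while pos < len(body):
        tag, ln = body[pos], body[pos + 1]
        fields.append((tag, body[pos + 2:pos + 2 + ln]))
        pos += 2 + ln
    if not fields or fields[0][0] != 0x04:
        raise ValueError("controlType missing")
    oid = fields[0][1].decode("ascii")
    critical = any(t == 0x01 and v != b"\x00" for t, v in fields[1:])
    values = [v for t, v in fields[1:] if t == 0x04]
    return oid, critical, (values[0] if values else None)


def handle_request(op, controls, has_master, can_chain,
                   client_may_chain=True, referral_url=None):
    """Decide how the server services `op` given decoded controls.
    has_master: original information held locally; can_chain: the server
    could chain to it; client_may_chain: the Section 4 mitigation, i.e.
    chaining is allowed only for an authorized group of authenticated clients."""
    ctl = [c for c in controls if c[0] == DONT_USE_COPY_OID]
    if not ctl:
        return "performed (copied information permitted)"
    _, critical, value = ctl[0]
    if not critical or value is not None:
        return "protocolError"  # violates Section 3 (assumed result code)
    if op not in INTERROGATION_OPS:
        return "unavailableCriticalExtension"  # RFC 4511 critical-control rule
    if has_master or (can_chain and client_may_chain):
        return "performed (original information)"
    if referral_url:
        return "referral " + referral_url  # client must resend the control
    return "unwillingToPerform"
```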
   Use of the Don't Use Copy control may permit an attacker to perform
   or amplify a denial-of-service attack by causing additional server
   resources to be employed, such as when the server chooses to chain
   the request instead of returning a referral.  Servers capable of such
   chaining can mitigate this threat by limiting chaining to a
   particular group of authenticated entities.

   LDAP is frequently used for storage and distribution of security-
   sensitive information, including access control and security policy
   information.  Failure to use the Don't Use Copy control may thus
   permit an attacker to gain unauthorized access by allowing reliance
   on stale data.

5.  IANA Considerations

5.1.  Object Identifier

   IANA has assigned an LDAP Object Identifier [RFC4520] to identify the
   LDAP Don't Use Copy Control defined in this document.

      Subject: Request for LDAP Object Identifier Registration
      Person & email address to contact for further information:
           Kurt Zeilenga <Kurt.Zeilenga@Isode.COM>
      Specification: RFC 6171
      Author/Change Controller: IESG
      Comments:
           Identifies the LDAP Don't Use Copy Control

5.2.  LDAP Protocol Mechanism

   IANA has registered this protocol mechanism [RFC4520] as follows.

      Subject: Request for LDAP Protocol Mechanism Registration
      Object Identifier: 1.3.6.1.1.22
      Description: Don't Use Copy Control
      Person & email address to contact for further information:
           Kurt Zeilenga <Kurt.Zeilenga@Isode.COM>
      Usage: Control
      Specification: RFC 6171
      Author/Change Controller: IESG
      Comments: none

6.  Acknowledgements

   The author thanks Ben Campbell, Phillip Hallam-Baker, and Ted Hardie
   for providing review and specific suggestions.

7.  References

7.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC4510]  Zeilenga, K., Ed., "Lightweight Directory Access Protocol
              (LDAP): Technical Specification Road Map", RFC 4510,
              June 2006.

   [RFC4511]  Sermersheim, J., Ed., "Lightweight Directory Access
              Protocol (LDAP): The Protocol", RFC 4511, June 2006.

   [RFC4512]  Zeilenga, K., Ed., "Lightweight Directory Access Protocol
              (LDAP): Directory Information Models", RFC 4512,
              June 2006.

7.2.  Informative References

   [X.500]    International Telecommunication Union - Telecommunication
              Standardization Sector, "The Directory -- Overview of
              concepts, models and services", X.500(1993) (also ISO/IEC
              9594-1:1994).

   [X.511]    International Telecommunication Union - Telecommunication
              Standardization Sector, "The Directory: Abstract Service
              Definition", X.511(1993) (also ISO/IEC 9594-3:1993).

   [RFC4520]  Zeilenga, K., "Internet Assigned Numbers Authority (IANA)
              Considerations for the Lightweight Directory Access
              Protocol (LDAP)", BCP 64, RFC 4520, June 2006.

Author's Address

   Kurt D. Zeilenga
   Isode Limited

   EMail: Kurt.Zeilenga@Isode.COM