1 2 3 4Network Working Group M. Wahl 5Internet-Draft Informed Control Inc. 6Intended status: Standards Track May 9, 2007 7Expires: November 10, 2007 8 9 10 LDAP Session Tracking Control 11 draft-wahl-ldap-session-03 12 13Status of this Memo 14 15 By submitting this Internet-Draft, each author represents that any 16 applicable patent or other IPR claims of which he or she is aware 17 have been or will be disclosed, and any of which he or she becomes 18 aware will be disclosed, in accordance with Section 6 of BCP 79. 19 20 Internet-Drafts are working documents of the Internet Engineering 21 Task Force (IETF), its areas, and its working groups. Note that 22 other groups may also distribute working documents as Internet- 23 Drafts. 24 25 Internet-Drafts are draft documents valid for a maximum of six months 26 and may be updated, replaced, or obsoleted by other documents at any 27 time. It is inappropriate to use Internet-Drafts as reference 28 material or to cite them other than as "work in progress." 29 30 The list of current Internet-Drafts can be accessed at 31 http://www.ietf.org/ietf/1id-abstracts.txt. 32 33 The list of Internet-Draft Shadow Directories can be accessed at 34 http://www.ietf.org/shadow.html. 35 36 This Internet-Draft will expire on November 10, 2007. 37 38Copyright Notice 39 40 Copyright (C) The IETF Trust (2007). 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55Wahl Expires November 10, 2007 [Page 1] 56 57Internet-Draft LDAP Session Tracking Control May 2007 58 59 60Abstract 61 62 Many network devices, application servers, and middleware components 63 of a enterprise software infrastructure generate some form of session 64 tracking identifiers, which are useful when analyzing activity and 65 accounting logs to group activity relating to a particular session. 66 This document discusses how Lightweight Directory Access Protocol 67 version 3 (LDAP) clients can include session tracking identifiers 68 with their LDAP requests. This information is provided through 69 controls in the requests the clients send to LDAP servers. The LDAP 70 server receiving these controls can include the session tracking 71 identifiers in the log messages it writes, enabling LDAP requests in 72 the LDAP server's logs to be correlated with activity in logs of 73 other components in the infrastructure. The control also enables 74 session tracking information to be generated by LDAP servers and 75 returned to clients and other servers. Three formats of session 76 tracking identifiers are defined in this document. 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111Wahl Expires November 10, 2007 [Page 2] 112 113Internet-Draft LDAP Session Tracking Control May 2007 114 115 1161. Introduction 117 118 The majority of directory server implementations produce access logs 119 detailing each request they receive. These logs can be read using 120 log parsing tools or specialized log viewer applications. Typically 121 it will be possible, for each request logged by a directory server, 122 to determine the bind DN (or possibly another form of authentication 123 identity) of the client which sent the request to the server, and 124 many servers also log the IP address of the client that sent the 125 request. 126 127 In the original OSI architecture, it was envisaged that users might 128 interact with a directory service through specialized applications, 129 known as Directory User Agents, which were the clients of the 130 Directory Access Protocol. Similarly, in early Internet directory 131 deployments, a majority of LDAP clients were desktop applications, 132 that used the LDAP protocol to search an enterprise directory for 133 address book/contact information. 134 135 Today, the majority of LDAP clients are embedded within middleware 136 and server applications. Legacy address book protocols might be 137 gatewayed into LDAP, or a server might consult an LDAP server in 138 order to check a user's password or obtain their preferences. While 139 the LDAP requests might result from a user's activity somewhere on 140 the network, it is rare for the user to be 'driving' the LDAP client, 141 and in most cases the user performing the activity is unaware that 142 LDAP requests are being generated on their behalf. 143 144 However, this information is important to directory system 145 administrators and auditors. They may wish to determine who is 146 making use of the directory service, or track the source of unusual 147 requests. 148 149 When a directory server administrator reviews a log file produced by 150 a directory server that has been accessed only by clients that are 151 themselves middleware, where the end user does not interact with the 152 middleware directly, only through other kinds of servers (e.g. 153 application servers or remote access servers), it will be difficult 154 to correlate between the directory server's log and the logs of the 155 servers which made use of this directory to determine why the LDAP 156 requests were made and who were responsible for causing them. 157 158 Reasons for this include: 159 160 o Directory servers are capable of performing many hundreds of 161 requests per second or more, and even with time synchronization 162 between the systems on which the directory server and middleware 163 are deployed, times of requests might not be logged accurately 164 165 166 167Wahl Expires November 10, 2007 [Page 3] 168 169Internet-Draft LDAP Session Tracking Control May 2007 170 171 172 enough to be able to correlate based on time: the server's logs 173 might be only to 1-second resolution. 174 175 o A single function on a middleware server, such as "authenticate a 176 user", may result in multiple LDAP requests being generated in 177 order to perform that request. 178 179 o Many high performance middleware servers implement connection 180 pooling, managing a set of persistent connections to each 181 directory server and multiplexing operations across the 182 connections. Each connection will have the same source IP address 183 and bind DN. If a particular activity causes multiple LDAP 184 requests to be generated, each LDAP request might be sent on a 185 different connection. Also, as LDAP is an asynchronous protocol, 186 middleware servers may have more than one request in progress on 187 each connection, asynchronously sending requests to the directory 188 server on each connection and processing the responses in whatever 189 order they are received. 190 191 This document defines a new control for use in LDAPv3 [1] operation 192 requests. This control contains session tracking information that 193 can be used to correlate log information present in the directory 194 server's log with the logs of other middleware servers. 195 196 The words "MUST", "SHOULD" and "MAY" are used as defined in RFC 2119 197 [2]. 198 1991.1. Motivation for session tracking 200 201 A typical enterprise deployment with an application indirectly 202 relying upon the directory might resemble: 203 204 205 +------+ +--------+ +----------+ +--------+ 206 | User | | Appli- | | Auth./ | LDAP | LDAP | 207 | +-----+ cation +-------+ Identity +------+ Server | 208 | | | Server | | Provider | | | 209 | A | | B | | C | | D | 210 +------+ +--------+ +----------+ +--------+ 211 212 213 In this diagram, a user (A) makes some request of an application 214 server (B). The application server might rely on an integrated or 215 external authentication provider in order to check the user's 216 authentication credentials, or might use an identity provider to 217 obtain profile information about the user. This request might be 218 made through an API or a protocol other than LDAP, e.g. RADIUS, 219 Kerberos, SMB, etc. The authentication/identity provider (C) would 220 221 222 223Wahl Expires November 10, 2007 [Page 4] 224 225Internet-Draft LDAP Session Tracking Control May 2007 226 227 228 generate one or more LDAP requests and send them to an LDAP server 229 (D). 230 231 The LDAP server has the following information already available to it 232 through the LDAP protocol: the IP address and authentication 233 credentials of the authentication/identity provider (C). If the 234 provider has included the Proxy Authorization Control [11], then the 235 LDAP server might also receive the Distinguished Name or 236 authorization identity of either the user (A) or the application 237 server (B), depending on how the authentication/identity provider (C) 238 uses the directory. In order to obtain this distinguished name 239 however, the authentication/identity provider (C) might need to 240 perform one or more LDAP search or bind requests. If there is no 241 entry in the directory corresponding to the identity of the user (A) 242 or the application server (B), then there is no way in the base LDAP 243 specification or the Proxy Authorization Control for the 244 authentication/identity provider (C) to describe the user (A) or the 245 application server (B) to the LDAP server (D). 246 247 If either the application server (B) or the authentication/identity 248 provider (C) have generated a session identifier for tracking the 249 interactions of the user (A) for a particular session, then it is 250 useful to include this information with the requests made to the 251 directory server, so that this session identifier will show up in the 252 directory server's logs. That is the purpose of the control defined 253 in the next section. 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279Wahl Expires November 10, 2007 [Page 5] 280 281Internet-Draft LDAP Session Tracking Control May 2007 282 283 2842. Control definition 285 286 There is currently no standard way of describing a session: there are 287 many different formats for a session identifier, and each application 288 that tracks sessions typically has its own semantics for what a 289 session means. Thus, a control is defined using an extensible model, 290 in order to incorporate many different application's concepts and 291 formats of a session tracking identifier. 292 293 The value of the session identifier control encapsulates the 294 following four pieces of information: sessionSourceIp, 295 sessionSourceName, formatOID and sessionTrackingIdentifier. 296 297 The sessionSourceIp field is a US-ASCII string encoding of an IPv4 or 298 IPv6 [3] address of the component of the system which has generated a 299 session tracking identifier. The purpose of this field is to enable 300 the directory server administrator, even if they do not have a log 301 parser that understands a particular session tracking identifier 302 format, to at least be able to identify the server that manages the 303 session. Note that there is no guarantee of IP-level connectivity 304 between the directory server and the system which generated the 305 tracking identifier, and if Network Address Translation is being 306 used, the IP address in this field might be from a private use 307 address range. 308 309 The sessionSourceName field is a UTF-8 [4] encoded ISO 10646 [5] text 310 string. This field describes the component of the system which has 311 generated a session tracking identifier. The format of this field is 312 determined by the formatOID (discussed below); examples of contents 313 of a sessionSourceName field might be a hostname, a distinguished 314 name, or a web service address. This contents of this field is not 315 intended to identify an end user; instead it identifies the server 316 using a name other than the server's IP address. 317 318 The formatOID is a US-ASCII encoded dotted decimal representation of 319 an OBJECT IDENTIFIER. The OBJECT IDENTIFIER indicates the scheme 320 that is used to generate the sessionSourceName and 321 sessionTrackingIdentifier fields. As there is currently no standard 322 scheme for session information, it is expected that there will be 323 many different formats carried within this control. The OBJECT 324 IDENTIFIERs for three formats are presented in this document. 325 326 The sessionTrackingIdentifier field is a UTF-8 encoded ISO 10646 327 string. The session identifier SHOULD be limited to whitespace and 328 printable characters; non-printing and control characters SHOULD NOT 329 be used, and byte sequences that are not legal UTF-8 MUST NOT be 330 used. The syntax of the session identifier and its semantics (e.g., 331 how values are compared for equality) are governed by the formatOID. 332 333 334 335Wahl Expires November 10, 2007 [Page 6] 336 337Internet-Draft LDAP Session Tracking Control May 2007 338 339 340 For example, the session identifier might be a simple string encoding 341 of a decimal counter, a username, a timestamp, a fragment of XML, or 342 it might be something else, depending on the format. 343 3442.1. Formal definition 345 346 This document defines a single LDAP control. 347 348 The controlType is 1.3.6.1.4.1.21008.108.63.1, the criticality MUST 349 be either FALSE or absent, and the controlValue MUST be present. The 350 controlValue OCTET STRING is always present and contains the bytes of 351 the BER [6] encoding of a value of the ASN.1 data type 352 SessionIdentifierControlValue, defined as follows: 353 354 LDAP-Session-Identifier-Control 355 DEFINITIONS IMPLICIT TAGS ::= 356 BEGIN 357 358 LDAPString ::= OCTET STRING -- UTF-8 encoded 359 LDAPOID ::= OCTET STRING -- Constrained to numericoid 360 361 SessionIdentifierControlValue ::= SEQUENCE { 362 sessionSourceIp LDAPString, 363 sessionSourceName LDAPString, 364 formatOID LDAPOID, 365 sessionTrackingIdentifier LDAPString 366 } 367 368 END 369 370 The sessionSourceIp element SHOULD NOT be longer than 42 characters 371 (the length necessary for a string representation of an IPv6 372 address), and MUST NOT be longer than 128 characters. Each character 373 will be encoded into a single byte. If the IP address of the system 374 which generated the session tracking identifier is not known, the 375 sessionSourceIp element SHOULD be of zero length. 376 377 The sessionSourceName element SHOULD NOT be longer than 1024 378 characters, and MUST NOT be longer than 65536 bytes. Note that in 379 the UTF-8 encoding a character MAY be encoded into more than one 380 byte. If no other addressing information about that system is known 381 or relevant to the format, the sessionSourceName element SHOULD be of 382 zero length. 383 384 The formatOID element MUST contain only the US-ASCII encodings of the 385 ISO 10646 characters FULL STOP and DIGIT ZERO through DIGIT NINE 386 (0x2E, 0x30-0x39). The formatOID element MUST NOT be of zero length, 387 and SHOULD NOT be longer than 1024 characters. 388 389 390 391Wahl Expires November 10, 2007 [Page 7] 392 393Internet-Draft LDAP Session Tracking Control May 2007 394 395 396 The sessionTrackingIdentifier field MAY be of zero length (although 397 this might not be useful). There is no upper bound on the 398 sessionTrackingIdentifier, but it is suggested that values SHOULD NOT 399 be longer than 65536 characters without prior agreement with the 400 directory server administrator. Note that in the UTF-8 encoding a 401 character MAY be encoded into more than one byte. 402 4032.2. Use in LDAP 404 405 The control MAY be included in any LDAP operation. The control has 406 order-dependent semantics. 407 408 A client might place the control on a message with a bindRequest, 409 searchRequest, modifyRequest, addRequest, delRequest, modDNRequest, 410 compareRequest or extendedReq. A client MAY include multiple 411 controls of this type in a single request. This enables the client 412 to incorporate multiple distinct session tracking identifiers with 413 different formats. 414 415 When a network service is proxying or chaining LDAP, in which the 416 service receives an incoming LDAP request from a client and from this 417 generates one or more requests to other LDAP servers, the service 418 SHOULD include any controls of this type that it received from 419 clients in requests it generates, without modification. A service 420 MAY silently remove a control if that control would violate security 421 policy. If the service has its own session state identifier, it 422 SHOULD include the session identifier control it generates in the 423 Controls SEQUENCE after any session identifier controls received by 424 clients. (If there are multiple proxies involved, each will add 425 their own session state to the end of the controls list). 426 427 A server might place the control on message with a bindResponse, 428 searchResDone, modifyResponse, addResponse, delResponse, 429 modDNResponse, compareResponse, extendedResp or intermediateResponse. 430 The server can include the control in the response regardless of 431 whether the client included a control in the request or not. (The 432 control in a response is unsolicited, and a client which does not 433 recognize the control or a session tracking format can safely ignore 434 the control, as discussed in the following section). A server MAY 435 include multiple controls of this type in a response. 436 4372.3. Extensibility considerations 438 439 The following section of this document defines 3 possible formats, 440 and it is expected that applications MAY define their own formats to 441 represent session tracking identifiers already implemented. 442 443 An application developer or server developer who wishes to transfer 444 445 446 447Wahl Expires November 10, 2007 [Page 8] 448 449Internet-Draft LDAP Session Tracking Control May 2007 450 451 452 their implementation's format for session tracking identifier within 453 an LDAP control MUST choose a new, unique, OBJECT IDENTIFIER to 454 represent this format. 455 456 The format determines the semantics of the sessionSourceName string, 457 and the sessionTrackingIdentifier string. 458 459 In general, when an LDAP server that has session tracking logging 460 enabled receives one or more of these controls with a request, the 461 server SHOULD include all fields of all of the controls with the 462 logging information for the request. 463 464 A LDAP server that supports third-party or extensible log parsing 465 tools SHOULD NOT reject or ignore a control if the formatOID value is 466 not recognized, as it is expected that applications may include 467 session tracking identifiers and want to make this information 468 available to log parsers for correlation purposes, even if the 469 directory server does not need to make any use of this information. 470 471 However, if the LDAP server does not recognize the control, the 472 control is not properly formatted, or the LDAP client is not 473 authorized to use this control, the LDAP server SHOULD ignore the 474 control and process the request as if the control had not been 475 included. 476 477 When an LDAP client receives a response that includes this control, 478 the behavior depends on the client implementation. Clients SHOULD 479 silently ignore controls with formats they do not recognize, and 480 process the response as if the control had not been included. 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503Wahl Expires November 10, 2007 [Page 9] 504 505Internet-Draft LDAP Session Tracking Control May 2007 506 507 5083. Session tracking format definitions 509 510 This section defines three session tracking formats that can be used 511 within the session tracking control: two for RADIUS accounting, and 512 one based on usernames. Other formats can be defined in other 513 documents. 514 5153.1. Formats for use with RADIUS accounting 516 517 This section defines two possible session tracking formats, that can 518 be used in LDAP clients that are part of or used by RADIUS servers 519 [7]. 520 521 With formatOID set to 1.3.6.1.4.1.21008.108.63.1.1 within the control 522 value, the sessionTrackingIdentifier SHOULD contain the value of the 523 Acct-Session-Id RADIUS attribute (type 44), as defined in RFC 2866 524 [8]. (RFC 2866 section 5.5 states that the Acct-Session-Id SHOULD 525 contain UTF-8 encoded ISO 10646 characters.) 526 527 With formatOID set to 1.3.6.1.4.1.21008.108.63.1.2 within the control 528 value, the sessionTrackingIdentifier SHOULD contain the value of the 529 Acct-Multi-Session-Id RADIUS attribute (type 50), as defined in RFC 530 2866 [8]. (RFC 2866 section 5.11 states that the 531 Acct-Multi-Session-Id SHOULD contain UTF-8 encoded ISO 10646 532 characters.) 533 534 In both of these two formats, the value of the sessionSourceIp field 535 SHOULD contain either a string encoding value of the IPv4 address 536 from the NAS-IP-Address RADIUS attribute (type 4), or a string 537 encoding of the IPv6 address from the value of the NAS-IPv6-Address 538 RADIUS attribute (type 95) as defined in RFC 3162 [9]. The value of 539 the sessionSourceName field SHOULD contain a string encoding the 540 value of the NAS-Identifier RADIUS attribute (type 32), if present, 541 or be of zero length if the NAS-Identifier RADIUS attribute was not 542 provided or was not in a recognized format. 543 5443.2. Format for username accounting 545 546 This section defines another possible session tracking format that 547 can be used in LDAP clients that are part of applications which 548 identify users with simple string usernames. 549 550 With formatOID set to 1.3.6.1.4.1.21008.108.63.1.3 within the control 551 value, the sessionTrackingIdentifier SHOULD contain a username that 552 has already been authenticated by the application that is generating 553 the session. This format SHOULD NOT be used for purported names, 554 where the application has not verified that the username is valid. 555 556 557 558 559Wahl Expires November 10, 2007 [Page 10] 560 561Internet-Draft LDAP Session Tracking Control May 2007 562 563 564 The sessionSourceName field SHOULD contain the hostname where that 565 application is running, or be of zero length if the hostname is not 566 known. 567 568 The username SHOULD be a SASL authorization identity string, as 569 described in section 3.4.1 of RFC 4422 [10]. It is expected that 570 these usernames are not globally unique, but are only unique within 571 the context of a particular application or particular enterprise. A 572 username need not be a distinguished name, and an implementation 573 receiving a control in this format MUST NOT assume that the contents 574 of the sessionTrackingIdentifier can be parsed as a distinguished 575 name. 576 577 A control with this format differs from the Proxied Authorization 578 Control as defined in RFC 4370 [11], as the presence of this session 579 identifier control on a request SHOULD NOT influence the directory 580 server's access control decision of whether or how to perform that 581 request. 582 583 Note that this format does not provide any information to 584 differentiate between multiple sessions or periods of interaction by 585 the same user. It is primarily intended for deployments which merely 586 need to be able to tie each directory operation to they identity of 587 the user whose activities caused the operation request to be 588 generated, even if the user might not even be represented in the 589 directory where the operations are being performed. 590 5913.2.1. Example 592 593 For example, if an application server "app.example.com" with IPv4 594 address "192.0.2.1" had authenticated an user with name "bloggs", and 595 then sent a search request to the LDAP directory in order to obtain 596 some public information on service configuration intending to provide 597 it to that user, the application might include a session identifier 598 control. The SessionIdentifierControlValue would have the following 599 ASN.1 value prior to encoding: 600 601 602 { -- SEQUENCE 603 "192.0.2.1", -- sessionSourceIp 604 "app.example.com", -- sessionSourceName 605 "1.3.6.1.4.1.21008.108.63.1.3", -- formatOID 606 "bloggs" -- sessionTrackingIdentifier 607 } 608 609 610 611 612 613 614 615Wahl Expires November 10, 2007 [Page 11] 616 617Internet-Draft LDAP Session Tracking Control May 2007 618 619 620 The session identifier control would be sent with controlType 621 1.3.6.1.4.1.21008.108.63.1, criticality FALSE, and the controlValue 622 the BER encoding of the SessionIdentifierControlValue. The control 623 included with the LDAP request would resemble: 624 625 626 { -- SEQUENCE 627 "1.3.6.1.4.1.21008.108.63.1", -- controlType 628 FALSE, -- criticality 629 '304204093139322e302e322e31040f6170702e6578616d706c652e636f6d 630 041c312e332e362e312e342e312e32313030382e3130382e36332e312e33 631 0406626c6f676773'H -- controlValue 632 } 633 634 635 636 637 638 639 640 641 642 643 644 645 646 647 648 649 650 651 652 653 654 655 656 657 658 659 660 661 662 663 664 665 666 667 668 669 670 671Wahl Expires November 10, 2007 [Page 12] 672 673Internet-Draft LDAP Session Tracking Control May 2007 674 675 6764. Security Considerations 677 678 The session identifier controls used in this document are not 679 intended as a security control or proxy authentication mechanism, and 680 SHOULD NOT be used within a directory server to influence the 681 operation processing behavior. 682 683 Malicious clients might attempt to provide false or misleading 684 information in directory server logs through the use of this control. 685 LDAP servers SHOULD implement access checks which limit whether 686 session identifier information provided by a client is logged. LDAP 687 servers which implement this control SHOULD permit the administrator 688 of the directory server to configure that this control is ignored 689 unless the request containing the control was received from a client 690 that been authenticated. LDAP servers which implement this control 691 SHOULD permit the administrator of the directory server to configure 692 that this control is ignored unless the client is authorized to use 693 this or related controls, such as the Proxied Authorization Control 694 [11]. Session identifier information from clients which do not meet 695 the server's access check requirement SHOULD be silently discarded. 696 697 In some formats, session tracking identifiers may contain personal- 698 identifiable information, such as usernames or client IP addresses. 699 Unless data link, network or transport level encryption is being 700 used, this information might be visible to attackers monitoring the 701 network segments across which this information is being transmitted. 702 Implementations of LDAP clients which include this control in 703 requests sent to directory servers SHOULD support the use of 704 underlying security services that establish connection 705 confidentiality before the control is sent, such as a SASL mechanism 706 that negotiates a security layer, or the Start TLS operation. 707 708 Correlation of activities across multiple servers can enable 709 administrators and monitoring tools to construct a more accurate 710 picture of user behavior. In particular, this tracking control could 711 be used to determine the set of applications and services with which 712 a particular user has had interactions. Thus, this control would not 713 be appropriate to deployments intending to anonymize directory 714 requests. Session formats containing personal identifiable 715 information SHOULD NOT be used between systems in different 716 organizations where there is no existing agreement between those 717 organizations on privacy protection. 718 719 A value of the session tracking control might contain internal IP 720 addresses, hostnames and other identifiers that reveal the structure 721 of an enterprise network. A network service that generates its own 722 sessions SHOULD NOT send a session tracking control to a directory 723 server that is under different administration or in a different 724 725 726 727Wahl Expires November 10, 2007 [Page 13] 728 729Internet-Draft LDAP Session Tracking Control May 2007 730 731 732 security enclave from itself. A network service that is an LDAP 733 client and also either receives requests over another protocol that 734 contains session tracking identifiers or is proxying incoming LDAP 735 requests SHOULD NOT forward received session tracking identifiers to 736 a directory server that is under different administration or in a 737 different security enclave from itself. A packet inspecting firewall 738 that permits outgoing LDAP requests from an enterprise network SHOULD 739 silently remove any session tracking controls from requests that are 740 being sent to directory servers outside of the enterprise network for 741 which there is not a preexisting policy configured to allow the 742 session tracking control to be sent to that directory server. 743 744 745 746 747 748 749 750 751 752 753 754 755 756 757 758 759 760 761 762 763 764 765 766 767 768 769 770 771 772 773 774 775 776 777 778 779 780 781 782 783Wahl Expires November 10, 2007 [Page 14] 784 785Internet-Draft LDAP Session Tracking Control May 2007 786 787 7885. IANA Considerations 789 790 This control will be registered as follows: 791 792 Subject: Request for LDAP Protocol Mechanism Registration 793 794 Object Identifier: 1.3.6.1.4.1.21008.108.63.1 795 796 Description: Session Tracking Identifier 797 798 Person & email address to contact for further information: 799 Mark Wahl <Mark.Wahl@informed-control.com> 800 801 Usage: Control 802 803 Specification: (I-D) RFC XXXX 804 805 Author/Change Controller: Mark Wahl 806 807 808 The OBJECT IDENTIFIER for particular session identifier formats 809 defined for other applications need not be registered with IANA. 810 811 812 813 814 815 816 817 818 819 820 821 822 823 824 825 826 827 828 829 830 831 832 833 834 835 836 837 838 839Wahl Expires November 10, 2007 [Page 15] 840 841Internet-Draft LDAP Session Tracking Control May 2007 842 843 8446. Acknowledgments 845 846 This control was inspired by conversations with Greg Lavender. Neil 847 Wilson provided useful feedback on this document. 848 849 850 851 852 853 854 855 856 857 858 859 860 861 862 863 864 865 866 867 868 869 870 871 872 873 874 875 876 877 878 879 880 881 882 883 884 885 886 887 888 889 890 891 892 893 894 895Wahl Expires November 10, 2007 [Page 16] 896 897Internet-Draft LDAP Session Tracking Control May 2007 898 899 9007. References 901 9027.1. Normative References 903 904 [1] Zeilenga, K., "Lightweight Directory Access Protocol (LDAP): 905 Technical Specification Road Map", RFC 4510, June 2006. 906 907 [2] Bradner, S., "Key words for use in RFCs to Indicate Requirement 908 Levels", RFC 2119, BCP 14, March 1997. 909 910 [3] Hinden, R., "IP Version 6 Addressing Architecture", RFC 1884, 911 January 1996. 912 913 [4] Yergeau, F., "UTF-8, a transformation format of ISO 10646", 914 RFC 3629, November 2003. 915 916 [5] "Universal Multiple-Octet Coded Character Set (UCS) - 917 Architecture and Basic Multilingual Plane, ISO/IEC 10646-1: 918 1993". 919 920 [6] "ITU-T Rec. X.690 (07/2002) | ISO/IEC 8825-1:2002, "Information 921 technology - ASN.1 encoding rules: Specification of Basic 922 Encoding Rules (BER), Canonical Encoding Rules (CER) and 923 Distinguished Encoding Rules (DER)", 2002.". 924 925 [7] Rigney, C., "Remote Authentication Dial In User Service 926 (RADIUS)", RFC 2865, June 2000. 927 928 [8] Rigney, C., "RADIUS Accounting", RFC 2866, June 2000. 929 930 [9] Aboba, B., "RADIUS and IPv6", RFC 3162, August 2001. 931 932 [10] Melnikov, A., "Simple Authentication and Security Layer 933 (SASL)", RFC 4422, June 2006. 934 9357.2. Informative References 936 937 [11] Weltman, R., "Lightweight Directory Access Protocol (LDAP) 938 Proxied Authorization Control", RFC 4370, February 2006. 939 940 941 942 943 944 945 946 947 948 949 950 951Wahl Expires November 10, 2007 [Page 17] 952 953Internet-Draft LDAP Session Tracking Control May 2007 954 955 956Appendix A. Copyright 957 958 Copyright (C) The IETF Trust (2007). This document is subject to the 959 rights, licenses and restrictions contained in BCP 78, and except as 960 set forth therein, the authors retain all their rights. This 961 document and the information contained herein are provided on an "AS 962 IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR 963 IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET 964 ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, 965 INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE 966 INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED 967 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 968 969 970 971 972 973 974 975 976 977 978 979 980 981 982 983 984 985 986 987 988 989 990 991 992 993 994 995 996 997 998 999 1000 1001 1002 1003 1004 1005 1006 1007Wahl Expires November 10, 2007 [Page 18] 1008 1009Internet-Draft LDAP Session Tracking Control May 2007 1010 1011 1012Author's Address 1013 1014 Mark Wahl 1015 Informed Control Inc. 1016 PO Box 90626 1017 Austin, TX 78709 1018 US 1019 1020 Email: mark.wahl@informed-control.com 1021 1022 1023 1024 1025 1026 1027 1028 1029 1030 1031 1032 1033 1034 1035 1036 1037 1038 1039 1040 1041 1042 1043 1044 1045 1046 1047 1048 1049 1050 1051 1052 1053 1054 1055 1056 1057 1058 1059 1060 1061 1062 1063Wahl Expires November 10, 2007 [Page 19] 1064 1065Internet-Draft LDAP Session Tracking Control May 2007 1066 1067 1068Full Copyright Statement 1069 1070 Copyright (C) The IETF Trust (2007). 1071 1072 This document is subject to the rights, licenses and restrictions 1073 contained in BCP 78, and except as set forth therein, the authors 1074 retain all their rights. 1075 1076 This document and the information contained herein are provided on an 1077 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS 1078 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND 1079 THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS 1080 OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF 1081 THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED 1082 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 1083 1084 1085Intellectual Property 1086 1087 The IETF takes no position regarding the validity or scope of any 1088 Intellectual Property Rights or other rights that might be claimed to 1089 pertain to the implementation or use of the technology described in 1090 this document or the extent to which any license under such rights 1091 might or might not be available; nor does it represent that it has 1092 made any independent effort to identify any such rights. Information 1093 on the procedures with respect to rights in RFC documents can be 1094 found in BCP 78 and BCP 79. 1095 1096 Copies of IPR disclosures made to the IETF Secretariat and any 1097 assurances of licenses to be made available, or the result of an 1098 attempt made to obtain a general license or permission for the use of 1099 such proprietary rights by implementers or users of this 1100 specification can be obtained from the IETF on-line IPR repository at 1101 http://www.ietf.org/ipr. 1102 1103 The IETF invites any interested party to bring to its attention any 1104 copyrights, patents or patent applications, or other proprietary 1105 rights that may cover technology that may be required to implement 1106 this standard. Please address the information to the IETF at 1107 ietf-ipr@ietf.org. 1108 1109 1110Acknowledgment 1111 1112 Funding for the RFC Editor function is provided by the IETF 1113 Administrative Support Activity (IASA). 1114 1115 1116 1117 1118 1119Wahl Expires November 10, 2007 [Page 20] 1120 1121