1. Introduction
The Lightweight Directory Access Protocol (LDAP) [RFC4510] is a powerful protocol for accessing directories. It offers means of searching, retrieving, and manipulating directory content and ways to access a rich set of security functions. It is vital that these security functions be interoperable among all LDAP clients and servers on the Internet; therefore there has to be a minimum subset of security functions that is common to all implementations that claim LDAP conformance.

Basic threats to an LDAP directory service include (but are not limited to):

(1) Unauthorized access to directory data via data-retrieval operations.
(2) Unauthorized access to directory data by monitoring access of others.
(3) Unauthorized access to reusable client authentication information by monitoring access of others.
(4) Unauthorized modification of directory data.
(5) Unauthorized modification of configuration information.
(6) Denial of Service: Use of resources (commonly in excess) in a manner intended to deny service to others.
(7) Spoofing: Tricking a user or client into believing that information came from the directory when in fact it did not, either by modifying data in transit or misdirecting the client's transport connection. Tricking a user or client into sending privileged information to a hostile entity that appears to be the directory server but is not. Tricking a directory server into believing that information came from a particular client when in fact it came from a hostile entity.
(8) Hijacking: An attacker seizes control of an established protocol session.

Threats (1), (4), (5), (6), (7), and (8) are active attacks. Threats (2) and (3) are passive attacks.

Threats (1), (4), (5), and (6) are due to hostile clients. Threats (2), (3), (7), and (8) are due to hostile agents on the path between client and server or hostile agents posing as a server, e.g., IP spoofing.

LDAP offers the following security mechanisms:

(1) Authentication by means of the Bind operation. The Bind operation provides a simple method that supports anonymous, unauthenticated, and name/password mechanisms, and the Simple Authentication and Security Layer (SASL) method, which supports a wide variety of authentication mechanisms.
(2) Mechanisms to support vendor-specific access control facilities (LDAP does not offer a standard access control facility).
(3) Data integrity service by means of security layers in Transport Layer Security (TLS) or SASL mechanisms.
(4) Data confidentiality service by means of security layers in TLS or SASL mechanisms.
(5) Server resource usage limitation by means of administrative limits configured on the server.
(6) Server authentication by means of the TLS protocol or SASL mechanisms.

LDAP may also be protected by means outside the LDAP protocol, e.g., with IP layer security [RFC4301].

Experience has shown that simply allowing implementations to pick and choose the security mechanisms that will be implemented is not a strategy that leads to interoperability. In the absence of mandates, clients will continue to be written that do not support any security function supported by the server, or worse, they will only support mechanisms that provide inadequate security for most circumstances.

It is desirable to allow clients to authenticate using a variety of mechanisms including mechanisms where identities are represented as distinguished names [X.501][RFC4512], in string form [RFC4514], or as used in different systems (e.g., simple user names [RFC4013]).

Because some authentication mechanisms transmit credentials in plain text form, and/or do not provide data security services and/or are subject to passive attacks, it is necessary to ensure secure interoperability by identifying a mandatory-to-implement mechanism for establishing transport-layer security services.
The set of security mechanisms provided in LDAP and described in this document is intended to meet the security needs for a wide range of deployment scenarios and still provide a high degree of interoperability among various LDAP implementations and deployments.
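The Bind forms named under mechanism (1) and the plain-text credential concern in the paragraph before it, as an added Python example that is not part of RFC 4513: it builds constructed BindRequest PDUs in the RFC 4511 BER layout, classifies each as anonymous, unauthenticated, name/password, or SASL, and reports whether a reusable secret would cross the transport with no TLS layer beneath it (threat (3), a passive attack). The DN, password, mechanism choice and all function names are assumptions made for the example.

```python
"""Classify LDAP BindRequest PDUs into the authentication forms named in the
RFC 4513 introduction (anonymous, unauthenticated, name/password, SASL) and
flag the passive-monitoring risk of threat (3).  Added example; not code from
RFC 4513.  Wire format follows RFC 4511 (BER); sample PDUs are constructed."""
from typing import Optional

# ---- minimal BER helpers (definite lengths only; enough for BindRequest) ----

def ber_len(n: int) -> bytes:
    """Encode a BER definite length (short or long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, content: bytes) -> bytes:
    """Tag-length-value wrapper for a single-byte tag."""
    return bytes([tag]) + ber_len(len(content)) + content

def ber_int(value: int) -> bytes:
    """INTEGER encoding for the non-negative values used here."""
    return tlv(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big", signed=True))

def read_tlv(buf: bytes, pos: int):
    """Return (tag, content, next_pos) for the TLV starting at buf[pos]."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

# ---- encoder: used only to build the constructed sample PDUs ----

def bind_request(msg_id: int, name: str, password: bytes = b"",
                 sasl_mechanism: Optional[str] = None,
                 sasl_credentials: Optional[bytes] = None) -> bytes:
    """LDAPMessage { messageID, bindRequest [APPLICATION 0] { version 3, name, authentication } }."""
    if sasl_mechanism is not None:
        sasl = tlv(0x04, sasl_mechanism.encode("utf-8"))
        if sasl_credentials is not None:
            sasl += tlv(0x04, sasl_credentials)
        auth = tlv(0xA3, sasl)            # sasl [3] SaslCredentials (constructed)
    else:
        auth = tlv(0x80, password)        # simple [0] OCTET STRING
    body = ber_int(3) + tlv(0x04, name.encode("utf-8")) + auth
    return tlv(0x30, ber_int(msg_id) + tlv(0x60, body))

# ---- decoder / classifier ----

def classify_bind(pdu: bytes) -> dict:
    """Parse a BindRequest and name its authentication form.

    reusable_secret is True when the PDU carries a secret a passive observer
    could replay later (the simple password, or SASL PLAIN credentials)."""
    tag, msg, _ = read_tlv(pdu, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, _msg_id, pos = read_tlv(msg, 0)
    tag, body, _ = read_tlv(msg, pos)
    if tag != 0x60:
        raise ValueError("protocolOp is not a BindRequest")
    _, version, pos = read_tlv(body, 0)
    _, name, pos = read_tlv(body, pos)
    tag, auth, _ = read_tlv(body, pos)
    name_s = name.decode("utf-8")
    info = {"version": int.from_bytes(version, "big", signed=True), "name": name_s}
    if tag == 0x80:                         # simple authentication
        if not auth:
            kind = "anonymous" if not name_s else "unauthenticated"
        elif name_s:
            kind = "name/password"
        else:
            kind = "other"                  # password without a name: none of the three named forms
        info.update(method="simple", kind=kind, reusable_secret=bool(auth))
    elif tag == 0xA3:                       # SASL authentication
        _, mech, _ = read_tlv(auth, 0)
        mech_s = mech.decode("utf-8")
        # Only PLAIN ships the password itself; other mechanisms send proofs or tokens.
        info.update(method="sasl", kind=mech_s, reusable_secret=(mech_s == "PLAIN"))
    else:
        raise ValueError("unknown AuthenticationChoice tag 0x%02x" % tag)
    return info

def exposure(pdu: bytes, tls_layer: bool) -> str:
    """Threat (3) check: is a reusable credential observable on the transport?"""
    info = classify_bind(pdu)
    if not info["reusable_secret"]:
        return "no-secret-on-wire"
    return "protected-by-tls" if tls_layer else "exposed"

if __name__ == "__main__":
    # Constructed sample PDUs; the DN and password are made-up values.
    samples = {
        "anonymous": bind_request(1, ""),
        "unauthenticated": bind_request(2, "cn=alice,dc=example,dc=com"),
        "name/password": bind_request(3, "cn=alice,dc=example,dc=com", b"s3cret"),
        "sasl-plain": bind_request(4, "", sasl_mechanism="PLAIN",
                                   sasl_credentials=b"\x00alice\x00s3cret"),
    }
    for label, pdu in samples.items():
        print(label, classify_bind(pdu)["kind"], exposure(pdu, tls_layer=False))
```

The classifier keys only on the emptiness of the name and password octet strings, which is exactly how the simple method distinguishes its three forms; the `tls_layer` flag stands in for whatever the session state records about an established TLS layer, since the PDU itself carries no such indication.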
1.1. Relationship to Other Documents
This document is an integral part of the LDAP Technical Specification [RFC4510]. This document, together with [RFC4510], [RFC4511], and [RFC4512], obsoletes RFC 2251 in its entirety. Sections 4.2.1 (portions) and 4.2.2 of RFC 2251 are obsoleted by this document. Appendix B.1 summarizes the substantive changes made to RFC 2251 by this document. This document obsoletes RFC 2829 in its entirety. Appendix B.2 summarizes the substantive changes made to RFC 2829 by this document. Sections 2 and 4 of RFC 2830 are obsoleted by [RFC4511]. The remainder of RFC 2830 is obsoleted by this document. Appendix B.3 summarizes the substantive changes made to RFC 2830 by this document.
1.2. Conventions
The key words "MUST", "MUST NOT", "SHALL", "SHOULD", "SHOULD NOT", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119].

The term "user" represents any human or application entity that is accessing the directory using a directory client. A directory client (or client) is also known as a directory user agent (DUA).

The term "transport connection" refers to the underlying transport services used to carry the protocol exchange, as well as associations established by these services.

The term "TLS layer" refers to TLS services used in providing security services, as well as associations established by these services.

The term "SASL layer" refers to SASL services used in providing security services, as well as associations established by these services.

The term "LDAP message layer" refers to the LDAP Message (PDU) services used in providing directory services, as well as associations established by these services.

The term "LDAP session" refers to combined services (transport connection, TLS layer, SASL layer, LDAP message layer) and their associations.

In general, security terms in this document are used consistently with the definitions provided in [RFC2828]. In addition, several terms and concepts relating to security, authentication, and authorization are presented in Appendix A of this document. While the formal definition of these terms and concepts is outside the scope of this document, an understanding of them is prerequisite to understanding much of the material in this document. Readers who are unfamiliar with security-related concepts are encouraged to review Appendix A before reading the remainder of this document.
