RFC 4513: Lightweight Directory Access Protocol (LD...
RFC-Ref

authorization



... security, authentication, and authorization are presented in Appendix A of this document. While the formal definition of these terms and concepts is outside the scope of this document, an understanding of them is prerequisite to ...


... LDAP server implementations SHOULD support client assertion of authorization identity via the SASL EXTERNAL mechanism (Section 5.2.3). ...


... resultant security level and assertion of the client's authorization identity. ...
... Effect of TLS on Authorization State ...
... The establishment, change, and/or closure of TLS may cause the authorization state to move to a new state. This is discussed further in Section 4. ...


... Authorization State ...
... Every LDAP session has an associated authorization state. This state is comprised of numerous factors such as what (if any) authentication ...
... day or server load). While it is often convenient to view authorization state in simplistic terms (as we often do in this technical specification) such as "an anonymous state", it is noted that authorization systems in LDAP implementations commonly involve many factors that interrelate in complex manners. Authorization in LDAP is a local matter. One of the key factors in making authorization decisions is authorization identity. The Bind operation (defined in Section 4.2 of [RFC4511] and discussed further in Section 5 below) allows information to be exchanged between the client and server to establish an authorization identity for the LDAP session ...
... LDAP session to an anonymous authorization state (see Section 5.1.1). Upon initial establishment of the LDAP ...
... session, the session has an anonymous authorization identity. Among other things this implies that the client need not send a BindRequest in the first PDU ...
... Upon receipt of a Bind request, the server immediately moves the session to an anonymous authorization state. If the Bind request is successful, the session is moved to the requested authentication ...
... authentication state with its associated authorization state. Otherwise, the session remains in an anonymous state ...
... LDAP may result in the authentication and authorization states being moved to an anonymous one. For instance, the establishment, change, or closure of data security services ...


... authentication information to be exchanged between the client and server to establish a new authorization state. The Bind request typically specifies the desired authentication ...
... identity. Some Bind mechanisms also allow the client to specify the authorization identity. If the authorization identity is not specified, the server derives it from the authentication identity ...
... an implementation-specific manner. If the authorization identity is specified, the server MUST verify that the client's authentication ...
... identity is permitted to assume (e.g., proxy for) the asserted authorization identity. The server MUST reject the Bind operation with an invalidCredentials resultCode in the Bind response if the client ...
... simple Bind method to explicitly establish an anonymous authorization state by sending a Bind request with a name value of zero length and specifying the simple authentication choice containing a password ...
... of the simple Bind method to establish an anonymous authorization state by sending a Bind request with a name value (a distinguished name in LDAP string form [RFC4514 ...
... DN refers to an existing directory object). The value is not to be used (directly or indirectly) for authorization purposes. Unauthenticated Bind operations can have significant security issues ...
... simple Bind method to establish an authenticated authorization state by sending a Bind request with a name value (a distinguished name in LDAP string form [RFC4514 ...
... LDAP servers SHOULD allow all clients -- even those with an anonymous authorization -- to retrieve the 'supportedSASLMechanisms' attribute of the root DSE ...
... SASL Authorization Identities ...
... Some SASL mechanisms allow clients to request a desired authorization identity for the LDAP session ([RFC4422 ...
... authentication identity to have access to the requested authorization identity is a matter of local policy. The authorization identity is a string of UTF-8 [RFC3629] ...
... distinguishedName
    ; unspecified authorization id, UTF-8 encoded
    uAuthzId = "u:" userid ...
... RFC4512]. The dnAuthzId choice is used to assert authorization identities in the form of a distinguished name to be matched in accordance with the ...
... The uAuthzId choice allows clients to assert an authorization identity that is not in distinguished name form. The format of userid is defined only as a sequence of UTF-8 ...
... LDAP server to authenticate and establish a resulting authorization identity using security credentials exchanged by a ...
... A client may either request that its authorization identity be automatically derived from its authentication credentials ...
... at a lower security layer, or it may explicitly provide a desired authorization identity. The former is known as an implicit assertion, and the latter as an explicit assertion. ...
... An implicit authorization identity assertion is performed by invoking a Bind request of the SASL form using the EXTERNAL mechanism name ...
... the SaslCredentials sequence in the BindRequest). The server will derive the client's authorization identity from the authentication identity ...
... An explicit authorization identity assertion is performed by invoking a Bind request of the SASL form using the EXTERNAL mechanism name ...
... sequence in the BindRequest). The value of the credentials field (an OCTET STRING) is the asserted authorization identity and MUST be constructed as documented in Section 5.2.1.8. ...


... Various security factors, including authentication and authorization information and data security services may change during the course of the LDAP ...
... certification authority should be used by the policy administrator when configuring the identification and authorization policy. Server implementers ...
... identity represented by the distinguished name when in reality, an anonymous authorization state has been established. Clients that use the results from a simple Bind ...
... Clients that use the results from a simple Bind operation to make authorization decisions should actively detect unauthenticated Bind requests (by verifying that the supplied password ...


... Appendix A. Authentication and Authorization Concepts ...
... This appendix defines basic terms, concepts, and interrelationships regarding authentication, authorization, credentials, and identity. ...
... security approaches are utilized in client authentication and authorization. ...
... another, asserting the identity of the supplying party (e.g., a user) who is attempting to establish a new authorization state with the other party (typically a server). Authentication is the process of ...
... A.4. Authorization Identity ...
... An authorization identity is one kind of access control factor. It is the name of the user or other entity ...
... be performed. Access control policies are often expressed in terms of authorization identities; for example, "entity X can perform operation Y on resource Z". ...
... operation Y on resource Z". The authorization identity of an LDAP session is often semantically ...
... it may be different. SASL allows clients to specify an authorization identity distinct from the authentication identity asserted by the client ...
... service like TLS may not correspond to the authorization identities used to express a server's access control policy, thus requiring a server- ...
... method by which a server composes and validates an authorization identity from the authentication credentials ...


... authentication mechanisms producing anonymous authentication and authorization state may also be implemented and used by conforming implementations. ...
... B.2.9. Section 9 ("Authorization Identity") ...
... B.3.3. Section 5 ("Effects of TLS on a Client's Authorization ...
... LDAP session may now cause the authorization state of the LDAP session to change. ...
... session changes the authentication and authorization state of the LDAP session based on local policy. ...
... Specifically, this means that implementations are not required to change the authentication and authorization states to anonymous upon TLS closure. ...


