LDAP
...
The Lightweight Directory Access Protocol (LDAP) [RFC4510] is a
powerful protocol for accessing directories. It offers means of
...
... It is vital that these security functions be interoperable among all
LDAP clients and servers on the Internet; therefore there has to be a
minimum subset of security functions that is common to all
implementations that claim LDAP conformance.
Basic threats to an LDAP directory service include (but are not
limited to):
...
... vendor-specific access control facilities
(LDAP does not offer a standard access control facility).
...
... mechanisms.
LDAP may also be protected by means outside the LDAP protocol, e.g.,
with IP layer ...
...
The set of security mechanisms provided in LDAP and described in this
document is intended to meet the security needs for a wide range ...
... deployment scenarios and still provide a high degree of
interoperability among various LDAP implementations and deployments.
...
...
LDAP server implementations MUST support the anonymous authentication
mechanism of the simple Bind method (Section 5.1.1).
LDAP implementations that support any authentication mechanism other
than the anonymous authentication mechanism ...
... Some of these mechanisms are discussed below.
LDAP server implementations SHOULD support client assertion of
authorization identity ...
... 5.2.3).
LDAP server implementations that support no authentication mechanism
other than the anonymous mechanism ...
... ciphersuite is recommended to encourage interoperability with
implementations conforming to earlier LDAP StartTLS specifications.
...
...
The goals of using the TLS protocol with LDAP are to ensure data
confidentiality and integrity, and to optionally provide for
...
... the authentication services of TLS are available to LDAP only in
combination with the SASL EXTERNAL authentication method ...
... A client may send the StartTLS extended request at any time after
establishing an LDAP session, except:
...
... RDNs in a DN using a left-to-right (most
significant to least significant) convention instead of LDAP's
right-to-left convention.
...
... either notify the user (clients may give the user the opportunity to
continue with the LDAP session in this case) or close the transport
connection and indicate that the server's identity ...
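The server identity check that the passage above describes the outcome of, as an added example; this is not code from the RFC or from any LDAP implementation. It assumes the certificate's identities have already been extracted into plain Python values (the dNSName and iPAddress subjectAltName values, and the subject DN in RFC 4514 string form); the matching rules it encodes (dNSName SANs take precedence over the CN, the name compared is the one the client itself used to connect, matching is case-insensitive, a leading `*` stands for exactly one label, an IP address must equal an iPAddress SAN) are my reading of the RFC's server identity check, not text quoted from this page. The `cn_from_ldap_dn` helper illustrates the RDN-order point: in LDAP string form the most specific RDN is written first, so a subject copied out of a certificate in X.500 (left-to-right) order must be reversed before the CN can be picked off.

```python
import ipaddress


def _split_unescaped(s, sep):
    """Split s on sep, ignoring backslash-escaped occurrences (RFC 4514)."""
    parts, cur, esc = [], [], False
    for ch in s:
        if esc:
            cur.append(ch)
            esc = False
        elif ch == "\\":
            cur.append(ch)
            esc = True
        elif ch == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return parts


def cn_from_ldap_dn(dn):
    """CN of the most specific RDN of a DN in LDAP string form, where that
    RDN is written FIRST ('CN=ldap.example.com,O=Example,C=US').  A subject
    taken from a certificate in X.500 order (C=US first) must be reversed
    before calling this, otherwise the CN is not found and None is returned."""
    first_rdn = _split_unescaped(dn, ",")[0]
    for ava in _split_unescaped(first_rdn, "+"):      # multi-valued RDN
        attr, _, value = ava.partition("=")
        if attr.strip().upper() == "CN":
            return value.strip()
    return None


def dns_name_matches(pattern, hostname):
    """Case-insensitive dNSName comparison.  A leading '*' stands for exactly
    one left-most label: '*.example.com' matches 'ldap.example.com' but
    neither 'a.b.example.com' nor 'example.com'."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if p == h:
        return True
    return p[0] == "*" and len(p) > 1 and len(p) == len(h) and p[1:] == h[1:]


def check_server_identity(connected_host, san_dns=(), san_ip=(), subject_dn=None):
    """Return (ok, reason).  connected_host is the name or address the client
    itself used to open the connection; a reverse lookup or canonicalised
    name must not be substituted here."""
    try:
        addr = ipaddress.ip_address(connected_host)
    except ValueError:
        addr = None
    if addr is not None:                    # connected by IP: iPAddress SAN only
        for cand in san_ip:
            try:
                if ipaddress.ip_address(cand) == addr:
                    return True, "iPAddress subjectAltName matched"
            except ValueError:
                continue
        return False, "no iPAddress subjectAltName equals %s" % connected_host
    if san_dns:                             # dNSName SANs present: CN is not consulted
        for cand in san_dns:
            if dns_name_matches(cand, connected_host):
                return True, "dNSName subjectAltName %r matched" % cand
        return False, "dNSName subjectAltNames present, none match %s" % connected_host
    cn = cn_from_ldap_dn(subject_dn) if subject_dn else None
    if cn and dns_name_matches(cn, connected_host):
        return True, "subject CN %r matched" % cn
    return False, "certificate does not name %s" % connected_host


# Constructed sample certificate identities (assumption: not from any real server).
SAMPLE_CERT = {
    "san_dns": ["*.example.com", "ldap.example.net"],
    "san_ip": ["192.0.2.10"],
    "subject_dn": "CN=ldap.example.com,O=Example\\, Inc.,C=US",
}


def client_decision(connected_host, cert=SAMPLE_CERT, user_may_override=False):
    """What the client does once the TLS layer is up: continue on a match; on
    a mismatch either close, or, only if local policy allows it, put the
    question to the user rather than silently proceeding."""
    ok, reason = check_server_identity(connected_host, cert["san_dns"],
                                       cert["san_ip"], cert["subject_dn"])
    if ok:
        return "continue", reason
    return ("ask_user" if user_may_override else "close"), reason


if __name__ == "__main__":
    for host in ("ldap.example.com", "a.b.example.com", "192.0.2.10", "192.0.2.11"):
        print(host, client_decision(host))
```

Note that `check_server_identity` refuses to fall back to the CN when dNSName SANs are present, and refuses to match an IP address against a dNSName: both fallbacks are common client bugs that let a certificate issued for a different name pass.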
... After a TLS layer is established in an LDAP session, both parties are
to each independently decide whether or not to continue based on
...
... security services provided by the negotiated ciphersuite are
adequate for the intended use of the LDAP session. If they are
not, the TLS ...
... state", it is noted that authorization systems
in LDAP implementations commonly involve many factors that
interrelate in complex manners.
...
...
Authorization in LDAP is a local matter. One of the key factors in
making authorization decisions is authorization identity ...
... client and server to establish an authorization identity for the LDAP
session. The Bind operation may also be used to move the LDAP
session to an anonymous authorization state (see Section 5.1.1).
Upon initial establishment of the LDAP session, the session has an
...
... client need not send a BindRequest in the first PDU of the
LDAP message layer. The client may send any operation request prior
...
... state.
It is noted that other events both internal and external to LDAP may
result in the authentication and authorization ...
... certificate) may have expired. The former is an example of an event
internal to LDAP, whereas the latter is an example of an event
external to LDAP.
...
... name/password authentication mechanism using credentials
consisting of a name (in the form of an LDAP distinguished name
[RFC4514 ...
... method to establish an anonymous authorization
state by sending a Bind request with a name value (a distinguished
name in LDAP string form [RFC4514] of non-zero length) and specifying
...
... authenticated authorization
state by sending a Bind request with a name value (a distinguished
name in LDAP string form [RFC4514] of non-zero length) and specifying
...
... authentication via any SASL mechanism [RFC4422]. As LDAP
includes native anonymous and name/password (plain text)
...
... RFC4422], Section 4). This section explains how each of
these profiling requirements is met by LDAP.
...
... authentication process.
To the LDAP message layer, these challenges and responses are opaque
binary tokens of arbitrary length. LDAP servers use the
serverSaslCreds field (an OCTET STRING) in a BindResponse message to
transmit each challenge. LDAP clients use the credentials field (an
OCTET STRING) in the SaslCredentials sequence of a BindRequest
message to transmit each response. Note that unlike some Internet
protocols where SASL is used, LDAP is not text based and does not
Base64-transform these challenge and response values.
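The Bind messages discussed in the simple Bind passages above (anonymous, unauthenticated and name/password) and in the SASL passage just above, encoded and decoded at the byte level, as an added example that is not code from the RFC or from any LDAP library. It is a minimal BER encoder/decoder for just the BindRequest and BindResponse shapes, so the reader can see that the SaslCredentials.credentials and serverSaslCreds fields carry raw octets with no Base64, and that the anonymous, unauthenticated and name/password mechanisms differ only in whether the name and password octet strings are empty. The tag values and resultCode numbers are those of the LDAP protocol; the `sasl_plain_initial_response` helper builds an RFC 4616 PLAIN message carrying a `dn:`-prefixed authorization identity (the DNs and credentials in the block are constructed sample values).

```python
# BER identifier octets used by the Bind operation
SEQUENCE, INTEGER, OCTET_STRING, ENUMERATED = 0x30, 0x02, 0x04, 0x0A
BIND_REQUEST, BIND_RESPONSE = 0x60, 0x61      # [APPLICATION 0] / [APPLICATION 1], constructed
AUTH_SIMPLE, AUTH_SASL = 0x80, 0xA3           # AuthenticationChoice: [0] primitive, [3] constructed
SERVER_SASL_CREDS = 0x87                      # BindResponse.serverSaslCreds, [7] primitive
LDAP_VERSION = 3
# resultCode values that occur in Bind exchanges
SUCCESS, SASL_BIND_IN_PROGRESS, INAPPROPRIATE_AUTHENTICATION, INVALID_CREDENTIALS = 0, 14, 48, 49


def ber_len(n):
    """BER length octets: short form below 128, otherwise 0x80|count + big-endian count."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    return bytes([tag]) + ber_len(len(content)) + content


def ber_int(value, tag=INTEGER):
    nbytes = (value.bit_length() + 8) // 8         # leaves room for the sign bit
    return tlv(tag, value.to_bytes(nbytes, "big", signed=True))


def simple_auth(password):
    """AuthenticationChoice.simple: the password octets and nothing else."""
    return tlv(AUTH_SIMPLE, password)


def sasl_auth(mechanism, credentials=None):
    """AuthenticationChoice.sasl: SaslCredentials { mechanism, credentials OPTIONAL }.
    credentials are passed through as raw bytes; LDAP does not Base64 them."""
    inner = tlv(OCTET_STRING, mechanism.encode())
    if credentials is not None:
        inner += tlv(OCTET_STRING, credentials)
    return tlv(AUTH_SASL, inner)


def sasl_plain_initial_response(authzid, authcid, password):
    """RFC 4616 PLAIN message: [authzid] NUL authcid NUL passwd.  In LDAP the
    authzid uses one of the registered prefix forms ('dn:' or 'u:')."""
    return b"\x00".join(s.encode() for s in (authzid, authcid, password))


def bind_request(message_id, name, auth_choice):
    body = ber_int(LDAP_VERSION) + tlv(OCTET_STRING, name.encode()) + auth_choice
    return tlv(SEQUENCE, ber_int(message_id) + tlv(BIND_REQUEST, body))


def bind_response(message_id, result_code, server_sasl_creds=None, diagnostic=""):
    body = (ber_int(result_code, ENUMERATED) + tlv(OCTET_STRING, b"")   # matchedDN
            + tlv(OCTET_STRING, diagnostic.encode()))
    if server_sasl_creds is not None:
        body += tlv(SERVER_SASL_CREDS, server_sasl_creds)   # the challenge, raw octets
    return tlv(SEQUENCE, ber_int(message_id) + tlv(BIND_RESPONSE, body))


def decode_tlv(buf, pos=0):
    """Return (tag, content, position just after the element)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def parse_bind_request(pdu):
    """Decode an LDAPMessage carrying a BindRequest into a dict."""
    tag, msg, _ = decode_tlv(pdu)
    if tag != SEQUENCE:
        raise ValueError("not an LDAPMessage")
    _, mid, p = decode_tlv(msg)
    tag, req, _ = decode_tlv(msg, p)
    if tag != BIND_REQUEST:
        raise ValueError("not a BindRequest")
    _, ver, p = decode_tlv(req)
    _, name, p = decode_tlv(req, p)
    tag, auth, _ = decode_tlv(req, p)
    out = {"message_id": int.from_bytes(mid, "big", signed=True),
           "version": ver[0], "name": name.decode()}
    if tag == AUTH_SIMPLE:
        out["simple"] = auth
    elif tag == AUTH_SASL:
        _, mech, p = decode_tlv(auth)
        creds = decode_tlv(auth, p)[1] if p < len(auth) else None
        out["sasl"] = (mech.decode(), creds)
    else:
        raise ValueError("unknown AuthenticationChoice tag 0x%02x" % tag)
    return out


def classify_simple_bind(name, password):
    """Which simple Bind mechanism a (name, password) pair selects."""
    if not name and not password:
        return "anonymous"
    if name and not password:
        return "unauthenticated"     # server answers success; state stays anonymous
    if name and password:
        return "name/password"
    return "invalid"                 # password without a name selects no mechanism
```

Running `classify_simple_bind` over decoded Bind requests is a cheap way to spot the unauthenticated mechanism in a capture: a non-empty name with a zero-length simple password is exactly the case the Security Considerations warn about, because the server may answer it with success.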
...
...
As discussed above, LDAP provides an optional field for carrying an
initial response in the message initiating the SASL exchange and
...
... RFC4512], Section 5.1). The values of this
attribute, if any, list the mechanisms the server supports in the
current LDAP session state. LDAP servers ...
... LDAP session state. LDAP servers SHOULD allow all clients --
even those with an anonymous authorization ...
... SASL mechanisms allow clients to request a desired authorization
identity for the LDAP session ([RFC4422], Section 3.4). The decision
...
... specifications when handling data that has different semantics in the
LDAP protocol.
For example, the SASL ...
... username
[RFC4013] and realm values. These values are not LDAP DNs, and there
is no requirement that they be represented or treated as such.
...
... SASL EXTERNAL ([RFC4422], Appendix A) mechanism
to request the LDAP server to authenticate and establish a resulting
authorization identity ...
... SASL EXTERNAL Bind MUST fail with a
resultCode of inappropriateAuthentication. Although this situation
has the effect of leaving the LDAP session in an anonymous state
...
... unsurprising conclusion is that security is an integral and necessary
part of LDAP. This section discusses a number of LDAP-related
security considerations.
...
... General LDAP Security Considerations ...
...
LDAP itself provides no security or protection from accessing or
updating the directory by means other than through the LDAP protocol,
e.g., from inspection of server database files by database
administrators.
Sensitive data may be carried in almost any LDAP message, and its
disclosure may be subject to privacy ...
... Client and server implementers SHOULD take
measures to protect sensitive data in the LDAP session from these
attacks ...
... authorization
information and data security services may change during the course
of the LDAP session, or even during the performance of a particular
...
... This section discusses several security considerations relevant to
LDAP authentication via the Bind operation.
...
... client program might
make a decision to grant access to non-directory information on the
basis of successfully completing a Bind operation. LDAP server
implementations may return a success response to an unauthenticated
Bind request. This may erroneously leave the client ...
...
LDAP allows multi-valued password attributes. In systems where
entries are expected to have one and only one password ...
... underlying transport service cannot guarantee confidentiality. LDAP
implementations SHOULD NOT by default support authentication methods
...
...
The IANA has updated the LDAP Protocol Mechanism registry to indicate
that this document and [RFC4511 ...
...
The IANA has updated the LDAP authzid prefixes registry to indicate
that this document provides the definitive technical specification ...
... 2829 and RFC 2830 were products of the LDAP Extensions (LDAPEXT)
Working Group ...
... Zeilenga, K., Ed., "Lightweight Directory Access Protocol (LDAP): Technical Specification Road Map", RFC 4510 ...
... Sermersheim, J., Ed., "Lightweight Directory Access Protocol (LDAP): The Protocol", RFC 4511, June 2006. ...
... Zeilenga, K., "Lightweight Directory Access Protocol (LDAP): Directory Information Models", RFC 4512, June 2006. ...
... Zeilenga, K., Ed., "Lightweight Directory Access Protocol (LDAP): String Representation of Distinguished Names", RFC 4514 ...
... Legg, S., Ed., "Lightweight Directory Access Protocol (LDAP): Syntaxes and Matching Rules", RFC 4517, June 2006. ...
... Sciberras, A., Ed., "Lightweight Directory Access Protocol (LDAP): Schema for User Applications", RFC 4519, June 2006. ...
... Internet Assigned Numbers Authority (IANA) Considerations for the Lightweight Directory Access Protocol (LDAP)", BCP 64, RFC 4520, June 2006. ...
...
The authorization identity of an LDAP session is often semantically
the same as the authentication ...
...
- Changes were made throughout the text to align with definitions of
LDAP protocol layers and IETF security terminology.
...
... SASL DIGEST-MD5 mechanism as
LDAP's mandatory-to-implement password-based authentication
mechanism ...
...
- The use of TLS was generalized to align with definitions of LDAP
protocol layers. TLS establishment is now discussed as an
...
... SASL authentication mechanisms are explicitly allowed within
LDAP. Specifically, this means the SASL ANONYMOUS and SASL PLAIN
...
... authentication
and authorization state of the LDAP session based on local policy.
Specifically, this means that implementations are not required to
...
