Author: SteveHB (member, offline) | posts: 113 | joined: 05/31/2006 | from: Mountain View, CA
Topic: LDAP Proxied Authorization Control -- RFC 4370

LDAP Proxied Authorization Control -- RFC 4370

http://www.ietf.org/rfc/rfc4370
  The Proxy Authorization Control allows a client to request that an operation be processed under a provided authorization identity instead of under the current authorization identity associated with the connection.

Proxy Authorization Control

A single Proxy Authorization Control may be included in any search, compare, modify, add, delete, or modifyDN or extended operation request message. The exception is any extension that causes a change in authentication, authorization, or data confidentiality [RFC2829], such as Start TLS [LDAPTLS] as part of the controls field of the LDAPMessage, as defined in [RFC2251].
 
This control is included in the searchRequest and searchResultDone messages as part of the controls field of the LDAPMessage, as defined in Section 4.1.12 of [LDAPv3]. The structure of this control is as follows:
 
 ProxiedAuthorizationControl ::= SEQUENCE {
    controlType     2.16.840.1.113730.3.4.18,
    criticality     BOOLEAN DEFAULT FALSE,
    controlValue    proxiedAuthorizationControlValue optional
 }

Clients MUST include the criticality flag and MUST set it to TRUE. Servers MUST reject any request containing a Proxy Authorization Control without a criticality flag or with the flag set to FALSE with a protocolError error. These requirements protect clients from submitting a request that is executed with an unintended authorization identity.

The controlValue SHALL be present and SHALL either contain an authzId [AUTH] representing the authorization identity for the request or be empty if an anonymous association is to be used.

proxiedAuthorizationControlValue ::= LDAPString

The mechanism for determining proxy access rights is specific to the server's proxy authorization policy.

If the requested authorization identity is recognized by the server, and the client is authorized to adopt the requested authorization identity, the request will be executed as if submitted by the proxy authorization identity; otherwise, the result code 123 is returned.

Implementation & Security Considerations

During evaluation of a search request, an entry that would have been returned for the search (if submitted by the proxy authorization identity directly) may not be returned if the server finds that the requester does not have the right to assume the requested identity for searching the entry. This means that fewer results, or no results, may be returned than would be if the proxy authorization identity issued the request directly.

On the other hand, an authenticated user (even an anonymous user) may request results which require higher privileges by passing the assumed authorization identity. Note that it is the server's sole responsibility to determine if a proxy authorization request is to be honored. Usually, "anonymous" users SHOULD NOT be allowed to assume the identity of others.
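The two posts above describe both sides of the control: the wire structure with its mandatory criticality flag, and the server's decision to honor or refuse the requested identity (protocolError, authorizationDenied 123, and the rule that anonymous users should not proxy as others). The following is an added example, not code from the posts or from RFC 4370: it DER-encodes the control as an LDAP Control (controlType as an LDAPOID octet string, not an ASN.1 OBJECT IDENTIFIER), decodes it again, and applies those rules; the `PROXY_POLICY` table and the `dn:`/`u:` identities in it are constructed sample data.

```python
# Added example, not from the post or RFC 4370 itself: DER-encodes the Proxy
# Authorization Control and applies the server-side rules the post quotes.
PROXY_AUTHZ_OID = "2.16.840.1.113730.3.4.18"   # controlType quoted in the post
SUCCESS, PROTOCOL_ERROR, AUTHZ_DENIED = 0, 2, 123  # LDAP resultCodes

def _der(tag, body):  # DER TLV; long-form length once the body reaches 128 bytes
    n = len(body)
    lb = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    length = bytes([n]) if n < 0x80 else bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body

def _tlv(buf, pos):  # inverse of _der: returns (tag, body, position after the TLV)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        nb = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + nb], "big"), pos + nb
    return tag, buf[pos:pos + ln], pos + ln

def encode_proxy_authz_control(authz_id, criticality=True):
    """Control ::= SEQUENCE { controlType LDAPOID, criticality BOOLEAN DEFAULT FALSE,
    controlValue OCTET STRING OPTIONAL }; LDAPOID is an OCTET STRING of dotted text."""
    body = _der(0x04, PROXY_AUTHZ_OID.encode())
    if criticality:  # DEFAULT FALSE, so DER omits the BOOLEAN when it is FALSE
        body += _der(0x01, b"\xff")
    return _der(0x30, body + _der(0x04, authz_id.encode()))

def decode_control(raw):  # -> (controlType, criticality, controlValue); unsent -> None
    _, body, _ = _tlv(raw, 0)       # outer SEQUENCE
    _, oid, pos = _tlv(body, 0)     # controlType always comes first
    crit = value = None
    while pos < len(body):
        t, v, pos = _tlv(body, pos)
        if t == 0x01:
            crit = v != b"\x00"
        elif t == 0x04:
            value = v.decode()
    return oid.decode(), crit, value

# Constructed sample proxy policy: bound identity -> authzIds it may assume.
PROXY_POLICY = {"dn:cn=webapp,ou=services,dc=example,dc=com": {"u:alice", "u:bob"}}

def evaluate_proxy_authz(bound_identity, raw_control):
    """Server side; '' is an anonymous bind.  Returns (resultCode, effective authzId)."""
    oid, crit, requested = decode_control(raw_control)
    if oid != PROXY_AUTHZ_OID:
        raise ValueError("not a Proxy Authorization Control")
    if crit is not True or requested is None:
        return PROTOCOL_ERROR, None  # criticality absent/FALSE, or no value
    if requested == "":
        return SUCCESS, ""           # empty authzId: run the operation anonymously
    if bound_identity == "" or requested not in PROXY_POLICY.get(bound_identity, ()):
        return AUTHZ_DENIED, None    # anonymous, unrecognized, or not permitted
    return SUCCESS, requested
```

A real server would look the bound identity and policy up in its own configuration or ACLs; the point here is the order of the checks, which rejects the malformed control before any identity lookup happens.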