1
2Internet Draft                                           J. Sermersheim
3Personal Submission                                         R. Harrison
4Intended Category: Standard Track                           Novell, Inc
5Document: draft-sermersheim-ldap-chaining-02.txt               Feb 2004
6
7
8
9               LDAP Control to Specify Chaining Behavior
10
11
12Status of this Memo
13
14   This document is an Internet-Draft and is in full conformance with
15   all provisions of Section 10 of RFC2026.
16
17   Internet-Drafts are working documents of the Internet Engineering
18   Task Force (IETF), its areas, and its working groups. Note that other
19   groups may also distribute working documents as Internet-Drafts.
20   Internet-Drafts are draft documents valid for a maximum of six months
21   and may be updated, replaced, or obsoleted by other documents at any
22   time. It is inappropriate to use Internet-Drafts as reference
23   material or to cite them other than as "work in progress."
24
25   The list of current Internet-Drafts can be accessed at
26   http://www.ietf.org/ietf/1id-abstracts.txt
27
28   The list of Internet-Draft Shadow Directories can be accessed at
29   http://www.ietf.org/shadow.html.
30
31   Distribution of this memo is unlimited. Technical discussion of this
32   document will take place on the IETF LDAP Extensions Working Group
33   mailing list <ldapext@ietf.org>. Editorial comments may be sent to
34   the author <jimse@novell.com>.
35
36
37Abstract
38
39   This document describes a Lightweight Directory Access Protocol
40   (LDAP) request control that allows specification of chaining behavior
41   for LDAP operations. By using the control with various LDAP
42   operations, a directory client (DUA), or directory server (DSA)
43   specifies whether or not a DSA or secondary DSA chains operations to
44   other DSAs or returns referrals and/or search result references to
45   the client.
46
47
481. Introduction
49
50   Many directory servers have the ability through the use of various
51   mechanisms to participate in a distributed directory model. A
52   distributed directory is one where the DIT is distributed over
53   multiple DSAs. One operation completion mechanism used by DSAs in a
54   distributed directory is chaining. Chaining is defined in [X.518],
55   and is the act of one DSA communicating a directory operation that
56
57Sermersheim, Harrison    Internet-Draft - Exp. Aug 2004         Page 1
58               LDAP Control to Specify Chaining Behavior
59
60   originated from a DUA to another DSA in a distributed directory.
61   Contrast this with the act of passing referrals (4.1.11 of [RFC2251])
62   and SearchResultReferences (4.5.2 of [RFC2251]) back to the client.
63   Chaining may happen during the name resolution part of an operation
64   or during other parts of operations like search which apply to a
65   number of entries in a subtree.
66
67   This document does not attempt to define the distributed directory
68   model, nor does it attempt to define the manner in which DSAs chain
69   requests. This document defines a request control that the client can
70   use to specify whether parts of an operation should or should not be
71   chained.
72
73
742. Conventions
75
76   The key words "MUST", "MUST NOT", "SHOULD", "SHOULD NOT", and "MAY"
77   used in this document carry the meanings described in [RFC2119].
78
79   The term chaining may apply to uni-chaining as well as multi-chaining
80   (see [X.518]) depending on the capabilities and configuration of the
81   DSAs.
82
83
843. The Control
85
86   Support for the control is advertised by the presence of its
87   controlType in the supportedControl attribute of a server's root DSE.
88
89   This control MAY be included in any LDAP request operation except
90   abandon, unbind, and StartTLS as part of the controls field of the
91   LDAPMessage, as defined in Section 4.1.12 of [RFC2251]:
92
93   The controlType is set to <IANA-ASSIGNED-OID.1>. The criticality MAY
94   be set to either TRUE or FALSE. The controlValue is an OCTET STRING,
95   whose value is the following ChainingBehavior type, BER encoded
96   following the rules in Section 5.1 of [RFC2251]:
97
98   ChainingBehavior ::= SEQUENCE {
99        resolveBehavior         Behavior OPTIONAL,
100        continuationBehavior    Behavior OPTIONAL }
101
102   Behavior :: = ENUMERATED {
103        chainingPreferred       (0),
104        chainingRequired        (1),
105        referralsPreferred      (2),
106        referralsRequired       (3) }
107
108   resolveBehavior instructs the DSA what to do when a referral is
109   encountered during the local name resolution part of an operation. If
110   this field is not specified, other policy dictates the DSA's
111   behavior.
112
113
114
115Sermersheim, Harrison    Internet-Draft - Exp. Aug 2004         Page 2
116               LDAP Control to Specify Chaining Behavior
117
118   continuationBehavior instructs the DSA what to do when a referral is
119   encountered after the name resolution part of an operation has
120   completed. This scenario occurs during search operations, and may
121   occur during yet to be defined future operations. If this field is
122   not specified, other policy dictates the DSA's behavior.
123
124   Behavior specifies whether the DSA should chain the operation or
125   return referrals when a target object is held by a remote service.
126
127        chainingPreferred indicates that the preference is that
128        chaining, rather than referrals, be used to provide the service.
129        When this value is set, the server attempts to chain the request
130        but if it can't it returns referrals.
131
132        chainingRequired indicates that chaining is to be used rather
133        than referrals to service the request. When this value is set,
134        the server MUST NOT return referrals. It either chains the
135        request or fails.
136
137        referralsPreferred indicates that the client wishes to receive
138        referrals rather than allow the server to chain the operation.
139        When this value is set, the server return referrals and search
140        references when possible, but may chain the operation otherwise.
141
142        referralsRequired indicates that chaining is prohibited. When
143        this value is set, the server MUST NOT chain the request to
144        other DSAs. Instead it returns referrals as necessary, or fails.
145
146   The following list assigns meanings to some of the result codes that
147   may occur due to this control being present:
148
149   - chainingRequired  (IANA-ASSIGNED-1)   Unable to process without
150                                           chaining.
151   - cannotChain       (IANA-ASSIGNED-2)   Unable to chain the request.
152
153
1544. Notes to Implementors
155
156   <todo: add some>
157
158
1594.1 Unbind and Abandon
160
161   Clients MUST NOT include the ChainingBehavior control with an Abandon
162   operation or an Unbind operation. Servers MUST ignore any chaining
163   control on the abandon and unbind requests. Servers that chain
164   operation are responsible to keep track of where an operation was
165   chained to for the purposes of unbind and abandon.
166
167
1684.2 StartTLS
169
170   This operation cannot be chained because the TLS handshake protocol
171   does not allow man-in-the-middle attacks.
172
173Sermersheim, Harrison    Internet-Draft - Exp. Aug 2004         Page 3
174               LDAP Control to Specify Chaining Behavior
175
176
177
1785. Relationship with other Extensions
179
180   This control MAY be used with other controls or with extended
181   operations. When it is used with other controls or with extended
182   operations not listed here, server behavior is undefined unless
183   otherwise specified.
184
185
1865.1 Relationship with ManageDsaIT
187
188   When this control is used along with the ManageDsaIT control, the
189   resolveBehavior value is evaluated. If resolveBehavior is such that
190   chaining is allowed, the DSA is allowed to chain the operation as
191   necessary until the last RDN is found.
192
193   For example: DSA1 holds the naming context <dc=net> and a subordinate
194   reference to <dc=example,dc=net>, DSA2 holds the naming context
195   <dc=example,dc=net> and a subordinate reference to
196   <dc=hostc,dc=example,dc=net>.
197
198   A modify operation accompanied by the ManageDsaIT control alone is
199   sent to DSA1. The base object of the modify operation is set to
200   <dc=hostc,dc=example,dc=net>. Since DSA1 does not hold the
201   <dc=hostc,dc=example,dc=net> IT DSE, a referral is returned for
202   <dc=example,dc=net>.
203
204   Next, the same modify operation is accompanied by both the
205   ManageDsaIT and the ChainingBehavior control where the
206   ChainingBehavior.resolveBehavior is set to chainingPreferred. In this
207   case, DSA1 chains to DSA2 when it encounters <dc=example,dc=net> and
208   DSA2 continues the operation. Since DSA2 holds the IT DSE
209   <dc=hostc,dc=example,dc=net>, the resolve portion completes, and the
210   rest of the operation proceeds.
211
212
2136. Security Considerations
214
215   Because this control directs a DSA to chain requests to other DSAs,
216   it may be used in a denial of service attack. Implementers should be
217   cognizant of this possibility.
218
219   This control may be used to allow access to hosts and portions of the
220   DIT not normally available to clients. Servers supporting this
221   control should provide sufficient policy to prevent unwanted
222   occurrences of this.
223
224
2257. IANA Considerations
226
227   Registration of the following values is requested [RFC3383].
228
229
230
231Sermersheim, Harrison    Internet-Draft - Exp. Aug 2004         Page 4
232               LDAP Control to Specify Chaining Behavior
233
2347.1. Object Identifiers
235
236   It is requested that IANA register upon Standards Action an LDAP
237   Object Identifier in identifying the protocol elements defined in
238   this technical specification.  The following registration template is
239   suggested:
240
241        Subject: Request for LDAP OID Registration
242        Person & email address to contact for further information:
243                Jim Sermersheim
244                jimse@novell.com
245        Specification: RFCXXXX
246        Author/Change Controller: IESG
247        Comments:
248                One delegation will be made under the assigned OID:
249
250                IANA-ASSIGNED-OID.1 Chaining Behavior Request Control
251
252
2537.2. LDAP Protocol Mechanism
254
255   It is requested that IANA register upon Standards Action the LDAP
256   protocol mechanism described in this document.  The following
257   registration template is suggested:
258
259        Subject: Request for LDAP Protocol Mechanism Registration
260        Object Identifier: IANA-ASSIGNED-OID.1
261        Description: Chaining Behavior Request Control
262        Person & email address to contact for further information:
263                Jim Sermersheim
264                jimse@novell.com
265        Usage: Control
266        Specification: RFCXXXX
267        Author/Change Controller: IESG
268        Comments: none
269
270
2717.3. LDAP Result Codes
272
273   It is requested that IANA register upon Standards Action the LDAP
274   result codes:
275
276        chainingRequired        (IANA-ASSIGNED-1)
277        cannotChain             (IANA-ASSIGNED-2)
278
279        The following registration template is suggested:
280
281        Subject: LDAP Result Code Registration
282        Person & email address to contact for further information:
283                Jim Sermersheim
284                jimse@novell.com
285        Result Code Name: chainingRequired
286        Result Code Name: cannotChain
287        Specification: RFCXXXX
288
289Sermersheim, Harrison    Internet-Draft - Exp. Aug 2004         Page 5
290               LDAP Control to Specify Chaining Behavior
291
292        Author/Change Controller: IESG
293        Comments:  request consecutive result codes be assigned
294
295
2968. Normative References
297
298   [X.518]
299   ITU-T Rec. X.511, "The Directory: Abstract Service Definition", 1993.
300
301   [RFC2119]
302   Bradner, Scott, "Key Words for use in RFCs to Indicate Requirement
303   Levels", Internet Draft, March 1997.
304   Available as RFC2119.
305
306   [RFC2251]
307   Wahl, M, S. Kille and T. Howes, "Lightweight Directory Access
308   Protocol (v3)", Internet Standard, December, 1997.
309   Available as RFC2251.
310
311
3129. Authors' Addresses
313
314   Jim Sermersheim
315   Novell, Inc.
316   1800 South Novell Place
317   Provo, Utah 84606, USA
318   jimse@novell.com
319   +1 801 861-3088
320
321   Roger Harrison
322   Novell, Inc.
323   1800 South Novell Place
324   Provo, Utah 84606, USA
325   rharrison@novell.com
326   +1 801 861-2642
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347Sermersheim, Harrison    Internet-Draft - Exp. Aug 2004         Page 6
348               LDAP Control to Specify Chaining Behavior
349
350Intellectual Property Rights
351
352     The IETF takes no position regarding the validity or scope of any
353     intellectual property or other rights that might be claimed to
354     pertain to the implementation or use of the technology described in
355     this document or the extent to which any license under such rights
356     might or might not be available; neither does it represent that it
357     has made any effort to identify any such rights. Information on the
358     IETF's procedures with respect to rights in standards-track and
359     standards-related documentation can be found in BCP-11. Copies of
360     claims of rights made available for publication and any assurances
361     of licenses to be made available, or the result of an attempt made
362     to obtain a general license or permission for the use of such
363     proprietary rights by implementors or users of this specification
364     can be obtained from the IETF Secretariat.
365
366     The IETF invites any interested party to bring to its attention any
367     copyrights, patents or patent applications, or other proprietary
368     rights which may cover technology that may be required to practice
369     this standard. Please address the information to the IETF Executive
370     Director.
371
372
373Full Copyright Statement
374
375     Copyright (C) The Internet Society (2004). All Rights Reserved.
376
377     This document and translations of it may be copied and furnished to
378     others, and derivative works that comment on or otherwise explain
379     it or assist in its implementation may be prepared, copied,
380     published and distributed, in whole or in part, without restriction
381     of any kind, provided that the above copyright notice and this
382     paragraph are included on all such copies and derivative works.
383     However, this document itself may not be modified in any way, such
384     as by removing the copyright notice or references to the Internet
385     Society or other Internet organizations, except as needed for the
386     purpose of developing Internet standards in which case the
387     procedures for copyrights defined in the Internet Standards process
388     must be followed, or as required to translate it into languages
389     other than English.
390
391     The limited permissions granted above are perpetual and will not be
392     revoked by the Internet Society or its successors or assigns.
393
394     This document and the information contained herein is provided on
395     an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET
396     ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR
397     IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
398     THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
399     WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
400
401
402
403
404
405Sermersheim, Harrison    Internet-Draft - Exp. Aug 2004         Page 7
406
407