Proxied AuthZ (was: Re: [ldapext] Chained Operation (control, extended op, or op?))
"Jim Sermersheim" <jimse@novell.com> Fri, 25 June 2004 16:55 UTC
Received: from megatron.ietf.org (megatron.ietf.org [132.151.6.71]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id MAA22401 for <ldapext-archive@lists.ietf.org>; Fri, 25 Jun 2004 12:55:28 -0400 (EDT)
Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1BdtKS-0007nb-DB; Fri, 25 Jun 2004 12:13:28 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1Bdt5E-0003KL-VB for ldapext@megatron.ietf.org; Fri, 25 Jun 2004 11:57:45 -0400
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA15514 for <ldapext@ietf.org>; Fri, 25 Jun 2004 11:57:42 -0400 (EDT)
Received: from ietf-mx.ietf.org ([132.151.6.1] helo=ietf-mx) by ietf-mx with esmtp (Exim 4.32) id 1Bdt5E-0000zJ-6G for ldapext@ietf.org; Fri, 25 Jun 2004 11:57:44 -0400
Received: from exim by ietf-mx with spam-scanned (Exim 4.12) id 1Bdt0Z-0007TS-00 for ldapext@ietf.org; Fri, 25 Jun 2004 11:52:56 -0400
Received: from sinclair.provo.novell.com ([137.65.81.169]) by ietf-mx with esmtp (Exim 4.12) id 1BdstV-0005iL-00 for ldapext@ietf.org; Fri, 25 Jun 2004 11:45:37 -0400
Received: from INET-PRV-MTA by sinclair.provo.novell.com with Novell_GroupWise; Fri, 25 Jun 2004 09:45:07 -0600
Message-Id: <s0dbf423.010@sinclair.provo.novell.com>
X-Mailer: Novell GroupWise Internet Agent 6.5.2 Beta
Date: Fri, 25 Jun 2004 09:42:34 -0600
From: Jim Sermersheim <jimse@novell.com>
To: mark.ennis@adacel.com, Ed Reed <EReed@novell.com>, Kurt@OpenLDAP.org
Subject: Proxied AuthZ (was: Re: [ldapext] Chained Operation (control, extended op, or op?))
Mime-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
X-Spam-Checker-Version: SpamAssassin 2.60 (1.212-2003-09-23-exp) on ietf-mx.ietf.org
X-Spam-Status: No, hits=0.0 required=5.0 tests=AWL autolearn=no version=2.60
Content-Transfer-Encoding: 7bit
Cc: ldapext@ietf.org
X-BeenThere: ldapext@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: LDAP Extension Working Group <ldapext.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/ldapext>, <mailto:ldapext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/ldapext>
List-Post: <mailto:ldapext@ietf.org>
List-Help: <mailto:ldapext-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/ldapext>, <mailto:ldapext-request@ietf.org?subject=subscribe>
Sender: ldapext-bounces@ietf.org
Errors-To: ldapext-bounces@ietf.org
Content-Transfer-Encoding: 7bit
One (albeit simple) mechanism for this has been around for a while (http://www.ietf.org/internet-drafts/draft-weltman-ldapv3-proxy-12.txt). This seems to meet a few of the criteria that people want. It allows the sender to pass a control which says "use this identity for this operation". Though it doesn't say so, it seems able to be used between DSAs (it uses client and server terms). When used between DSAs, one would sasume the sending DSA has ensured that the sent identity has already authenticated somehow. Maybe this only meets some minimal requirements. I think the chained bind that Kurt is talking about is a little different. It allows the one DSA to forward some forms of a bind operation to a second DSA. Jim >>> Ed Reed 6/25/04 8:37:08 AM >>> I'd really love to see an extended, chained operation that: 1) relies on the chaining DSA to authenticate, using it's own identity and crendentials, to establish a secure connection (probably over SSL) over which the chaining DSA and the target DSA (the one who will receive the chained request) will communicate; 2) a chained, or perhaps alltogether new, operation that authenticates a user and their bind credentials, but doens't result in a separate authentication connection on the target DSA, but rather results in a "yeah, I'd accept that, perhaps with these limitations" result on which the chaining DSA (or other intermediary service speaking as though it were a trusted chaining DSA) could rely. This would allow a proxy, whether a web service, a firewall, or another directory, to open a single connection to each target DSA, and then utter "is this guy okay" requests, perhaps with multiple round trips so any challenge-response transactions used in the authentication mechanism used by the end users could be satisfied. Such a multiplexing of the single trusted connection would reduce resource consumption by the intermediary as well as the target DSAs. Doing this for SASL, generally, would seem like a good idea. Target DSAs could then be configured to allow or not allow such intermediary multiplexing connections, and if allow them rely on the strength and confidence in the authentication of the chaining server to guide its responses. In the most simple sense, if a simple compare of a presented password to a user's password attribute would satisfy the chaining DSA of the authentication of the user, there would be no need to lash up a whole connection with bind and SSL handshakes for the relying system to know the user is authenticated. SASL presents a more challenging design, but this notion of chaining, if done correctly, would seem to fit the bill. Or am I off in la-la-land, again? Ed >>>"Kurt D. Zeilenga" <Kurt@OpenLDAP.org> 06/25 9:49 am >>> At 11:47 PM 6/24/2004, Mark Ennis wrote: >Kurt D. Zeilenga wrote: >>BTW, I'd like to add support for chaining SASL bind exchanges. >>This will require some fields beyond those offered by the >>X.518 ChainingArguments/ChainingResults structures. > >I agree that a mechanism for chaining SASL bind exchanges would be useful, however, current chaining mechanisms (e.g. X.518 or LDAP referrals) depend on name resolution of a base object. The bind operation, particularly when using a SASL mechanism, does not have a base object for the name resolution process. This would mean special procedures for "chaining" this operation. > >Does this also require formalising some type of trust model between DSAs if we are going to delegate authentication operations to another server? Yes. >Is it possible to translate this SASL bind exchange into a LDAP operation the initiating DSA invokes, e.g. a search for the SASL "username" with a control used to transmit the SASL credentials and receive the SASL auth-response? Depending on mechanism, depending on assumptions, yes. >Such an operation may then be chained by the responding DSA(s) and authorization decisions will be done using the initiating DSA as the authorization identity? Possibly. I, however, was considering an approach where the initiating server would pass through the original request with some additional information so that the chained server can form the proper response, and return that response with some additional information needed by the chaining server to make use of the response. This may be an area better left to a separate document (and separate extended operation). If I have time in the next few weeks, I'll try to outline a proposal here in an I-D. Ldapext mailing list Ldapext@ietf.org https://www1.ietf.org/mailman/listinfo/ldapext _______________________________________________ Ldapext mailing list Ldapext@ietf.org https://www1.ietf.org/mailman/listinfo/ldapext
- Proxied AuthZ (was: Re: [ldapext] Chained Operati… Jim Sermersheim
- Re: Proxied AuthZ (was: Re: [ldapext] Chained Ope… Kurt D. Zeilenga
- Re: Proxied AuthZ (was: Re: [ldapext] Chained Ope… Jim Sermersheim
- Re: Proxied AuthZ (was: Re: [ldapext] Chained Ope… John McMeeking