Network Working Group                                        K. Zeilenga
Request for Comments: 3062                           OpenLDAP Foundation
Category: Standards Track                                  February 2001
        
Network Working Group                                        K. Zeilenga
Request for Comments: 3062                           OpenLDAP Foundation
Category: Standards Track                                  February 2001
        

LDAP Password Modify Extended Operation

LDAP密码修改扩展操作

Status of this Memo

本备忘录的状况

This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.

本文件规定了互联网社区的互联网标准跟踪协议,并要求进行讨论和提出改进建议。有关本协议的标准化状态和状态,请参考当前版本的“互联网官方协议标准”(STD 1)。本备忘录的分发不受限制。

Copyright Notice

版权公告

Copyright (C) The Internet Society (2001). All Rights Reserved.

版权所有(C)互联网协会(2001年)。版权所有。

Abstract

摘要

The integration of the Lightweight Directory Access Protocol (LDAP) and external authentication services has introduced non-DN authentication identities and allowed for non-directory storage of passwords. As such, mechanisms which update the directory (e.g., Modify) cannot be used to change a user's password. This document describes an LDAP extended operation to allow modification of user passwords which is not dependent upon the form of the authentication identity nor the password storage mechanism used.

轻量级目录访问协议(LDAP)和外部身份验证服务的集成引入了非DN身份验证标识,并允许密码的非目录存储。因此,不能使用更新目录(例如修改)的机制来更改用户的密码。本文档描述了一个LDAP扩展操作,以允许修改用户密码,该操作不依赖于身份验证标识的形式,也不依赖于所使用的密码存储机制。

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", and "MAY" in this document are to be interpreted as described in RFC 2119.

本文件中的关键词“必须”、“不得”、“要求”、“应”、“不得”、“应”、“不应”、“建议”和“可”应按照RFC 2119中的说明进行解释。

1. Background and Intent of Use
1. 使用背景和意图

Lightweight Directory Access Protocol (LDAP) [RFC2251] is designed to support an number of authentication mechanisms including simple user name/password pairs. Traditionally, LDAP users where identified by the Distinguished Name [RFC2253] of a directory entry and this entry contained a userPassword [RFC2256] attribute containing one or more passwords.

轻量级目录访问协议(LDAP)[RFC2251]旨在支持多种身份验证机制,包括简单的用户名/密码对。传统上,LDAP用户由目录项的可分辨名称[RFC2253]标识,并且此项包含包含一个或多个密码的userPassword[RFC2256]属性。

The protocol does not mandate that passwords associated with a user be stored in the directory server. The server may use any attribute suitable for password storage (e.g., userPassword), or use non-directory storage.

该协议不要求将与用户关联的密码存储在目录服务器中。服务器可以使用适合于密码存储的任何属性(例如,userPassword),或者使用非目录存储。

The integration [RFC2829] of application neutral SASL [RFC2222] services which support simple username/password mechanisms (such as DIGEST-MD5) has introduced non-LDAP DN authentication identity forms and made storage of passwords the responsibility of the SASL service provider.

支持简单用户名/密码机制(如DIGEST-MD5)的应用中立SASL[RFC2222]服务的集成[RFC2829]引入了非LDAP DN身份验证形式,并使密码的存储成为SASL服务提供商的责任。

LDAP update operations are designed to act upon attributes of an entry within the directory. LDAP update operations cannot be used to modify a user's password when the user is not represented by a DN, does not have a entry, or when that password used by the server is not stored as an attribute of an entry. An alternative mechanism is needed.

LDAP更新操作旨在对目录中条目的属性进行操作。当用户未由DN表示、没有条目或服务器使用的密码未存储为条目属性时,LDAP更新操作不能用于修改用户密码。需要另一种机制。

This document describes an LDAP Extended Operation intended to allow directory clients to update user passwords. The user may or may not be associated with a directory entry. The user may or may not be represented as an LDAP DN. The user's password may or may not be stored in the directory.

本文档描述了一个LDAP扩展操作,旨在允许目录客户端更新用户密码。用户可能与目录条目相关联,也可能不与目录条目相关联。用户可以表示为LDAP DN,也可以不表示为LDAP DN。用户密码可能存储在目录中,也可能不存储在目录中。

The operation SHOULD NOT be used without adequate security protection as the operation affords no privacy or integrity protect itself. This operation SHALL NOT be used anonymously.

在没有足够的安全保护的情况下,不得使用该操作,因为该操作本身不提供隐私或完整性保护。此操作不得匿名使用。

2. Password Modify Request and Response
2. 密码修改请求和响应

The Password Modify operation is an LDAPv3 Extended Operation [RFC2251, Section 4.12] and is identified by the OBJECT IDENTIFIER passwdModifyOID. This section details the syntax of the protocol request and response.

密码修改操作是一个LDAPv3扩展操作[RFC2251,第4.12节],由对象标识符passwdModifyOID标识。本节详细介绍协议请求和响应的语法。

   passwdModifyOID OBJECT IDENTIFIER ::= 1.3.6.1.4.1.4203.1.11.1
        
   passwdModifyOID OBJECT IDENTIFIER ::= 1.3.6.1.4.1.4203.1.11.1
        
   PasswdModifyRequestValue ::= SEQUENCE {
     userIdentity    [0]  OCTET STRING OPTIONAL
     oldPasswd       [1]  OCTET STRING OPTIONAL
     newPasswd       [2]  OCTET STRING OPTIONAL }
        
   PasswdModifyRequestValue ::= SEQUENCE {
     userIdentity    [0]  OCTET STRING OPTIONAL
     oldPasswd       [1]  OCTET STRING OPTIONAL
     newPasswd       [2]  OCTET STRING OPTIONAL }
        
   PasswdModifyResponseValue ::= SEQUENCE {
     genPasswd       [0]     OCTET STRING OPTIONAL }
        
   PasswdModifyResponseValue ::= SEQUENCE {
     genPasswd       [0]     OCTET STRING OPTIONAL }
        
2.1. Password Modify Request
2.1. 密码修改请求

A Password Modify request is an ExtendedRequest with the requestName field containing passwdModifyOID OID and optionally provides a requestValue field. If the requestValue field is provided, it SHALL contain a PasswdModifyRequestValue with one or more fields present.

密码修改请求是一个ExtendedRequest,其requestName字段包含PasswordModifyoid,并可选地提供requestValue字段。如果提供了requestValue字段,则该字段应包含一个PasswordModifyRequestValue,其中包含一个或多个字段。

The userIdentity field, if present, SHALL contain an octet string representation of the user associated with the request. This string may or may not be an LDAPDN [RFC2253]. If no userIdentity field is present, the request acts up upon the password of the user currently associated with the LDAP session.

userIdentity字段(如果存在)应包含与请求相关联的用户的八进制字符串表示。此字符串可能是也可能不是LDAPDN[RFC2253]。如果不存在userIdentity字段,则请求将根据当前与LDAP会话关联的用户的密码进行操作。

The oldPasswd field, if present, SHALL contain the user's current password.

oldPasswd字段(如果存在)应包含用户的当前密码。

The newPasswd field, if present, SHALL contain the desired password for this user.

newPasswd字段(如果存在)应包含该用户所需的密码。

2.2. Password Modify Response
2.2. 密码修改响应

A Password Modify response is an ExtendedResponse where the responseName field is absent and the response field is optional. The response field, if present, SHALL contain a PasswdModifyResponseValue with genPasswd field present.

密码修改响应是一个ExtendedResponse,其中responseName字段不存在,response字段是可选的。响应字段(如果存在)应包含存在genPasswd字段的PasswdModifyResponseValue。

The genPasswd field, if present, SHALL contain a generated password for the user.

genPasswd字段(如果存在)应包含为用户生成的密码。

If an resultCode other than success (0) is indicated in the response, the response field MUST be absent.

如果响应中指示的结果代码不是成功(0),则响应字段必须不存在。

3. Operation Requirements
3. 操作要求

Clients SHOULD NOT submit a Password Modification request without ensuring adequate security safeguards are in place. Servers SHOULD return a non-success resultCode if sufficient security protection are not in place.

在未确保有足够的安全保障措施的情况下,客户端不应提交密码修改请求。如果没有足够的安全保护,服务器应该返回一个不成功的resultCode。

Servers SHOULD indicate their support for this extended operation by providing PasswdModifyOID as a value of the supportedExtension attribute type in their root DSE. A server MAY choose to advertise this extension only when the client is authorized and/or has established the necessary security protections to use this operation. Clients SHOULD verify the server implements this extended operation prior to attempting the operation by asserting the supportedExtension attribute contains a value of PasswdModifyOID.

服务器应通过在其根DSE中提供PasswdModifyOID作为supportedExtension属性类型的值来指示其对此扩展操作的支持。只有当客户端获得授权和/或已建立必要的安全保护以使用此操作时,服务器才可以选择公布此扩展。客户端应在尝试该操作之前,通过断言supportedExtension属性包含值PasswdModifyOID,验证服务器是否实现了此扩展操作。

The server SHALL only return success upon successfully changing the user's password. The server SHALL leave the password unmodified and return a non-success resultCode otherwise.

只有在成功更改用户密码后,服务器才会返回成功。服务器应保持密码不变,否则返回非成功结果代码。

If the server does not recognize provided fields or does not support the combination of fields provided, it SHALL NOT change the user password.

如果服务器不识别提供的字段或不支持提供的字段组合,则不应更改用户密码。

If oldPasswd is present and the provided value cannot be verified or is incorrect, the server SHALL NOT change the user password. If oldPasswd is not present, the server MAY use other policy to determine whether or not to change the password.

如果存在oldPasswd,且提供的值无法验证或不正确,服务器不得更改用户密码。如果oldPasswd不存在,服务器可以使用其他策略来确定是否更改密码。

The server SHALL NOT generate a password on behalf of the client if the client has provided a newPasswd. In absence of a client provided newPasswd, the server SHALL either generate a password on behalf of the client or return a non-success result code. The server MUST provide the generated password upon success as the value of the genPasswd field.

如果客户机提供了新密码,则服务器不得代表客户机生成密码。如果没有客户机提供的newPasswd,服务器应代表客户机生成密码或返回非成功结果代码。服务器必须在成功时提供生成的密码作为genPasswd字段的值。

The server MAY return adminLimitExceeded, busy, confidentialityRequired, operationsError, unavailable, unwillingToPerform, or other non-success resultCode as appropriate to indicate that it was unable to successfully complete the operation.

服务器可能会返回AdminLimitOverseed、busy、SecretentityRequired、operationsError、unavailable、UnwillingOperform或其他不成功的结果代码(视情况而定),以指示无法成功完成操作。

Servers MAY implement administrative policies which restrict this operation.

服务器可能会实施限制此操作的管理策略。

4. Security Considerations
4. 安全考虑

This operation is used to modify user passwords. The operation itself does not provide any security protection to ensure integrity and/or confidentiality of the information. Use of this operation is strongly discouraged when privacy protections are not in place to guarantee confidentiality and may result in the disclosure of the password to unauthorized parties. This extension MUST be used with confidentiality protection, such as Start TLS [RFC 2830]. The NULL cipher suite MUST NOT be used.

此操作用于修改用户密码。操作本身不提供任何安全保护,以确保信息的完整性和/或机密性。如果没有隐私保护来保证机密性,并且可能导致密码泄露给未经授权的方,则强烈反对使用此操作。此扩展必须与机密性保护一起使用,例如启动TLS[RFC 2830]。不能使用空密码套件。

5. Bibliography
5. 参考文献

[RFC2219] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

[RFC2219]Bradner,S.,“RFC中用于表示需求水平的关键词”,BCP 14,RFC 2119,1997年3月。

[RFC2222] Myers, J., "Simple Authentication and Security Layer (SASL)", RFC 2222, October 1997.

[RFC2222]迈尔斯,J.,“简单认证和安全层(SASL)”,RFC22221997年10月。

[RFC2251] Wahl, M., Howes, T. and S. Kille, "Lightweight Directory Access Protocol (v3)", RFC 2251, December 1997.

[RFC2251]Wahl,M.,Howes,T.和S.Kille,“轻量级目录访问协议(v3)”,RFC 2251,1997年12月。

[RFC2252] Wahl, M., Coulbeck, A., Howes, T. and S. Kille, "Lightweight Directory Access Protocol (v3): Attribute Syntax Definitions", RFC 2252, December 1997.

[RFC2252]Wahl,M.,Coulbeck,A.,Howes,T.和S.Kille,“轻量级目录访问协议(v3):属性语法定义”,RFC2252,1997年12月。

[RFC2253] Wahl, M., Kille,S. and T. Howes, "Lightweight Directory Access Protocol (v3): UTF-8 String Representation of Distinguished Names", RFC 2253, December 1997.

[RFC2253]Wahl,M.,Kille,S.和T.Howes,“轻量级目录访问协议(v3):可分辨名称的UTF-8字符串表示”,RFC 2253,1997年12月。

[RFC2256] Wahl, M., "A Summary of the X.500(96) User Schema for use with LDAPv3", RFC 2256, December 1997.

[RFC2256]Wahl,M.,“用于LDAPv3的X.500(96)用户模式摘要”,RFC 2256,1997年12月。

[RFC2829] Wahl, M., Alvestrand, H., Hodges, J. and R. Morgan, "Authentication Methods for LDAP", RFC 2829, May 2000.

[RFC2829]Wahl,M.,Alvestrand,H.,Hodges,J.和R.Morgan,“LDAP的身份验证方法”,RFC 28292000年5月。

[RFC2830] Hodges, J., Morgan, R. and M. Wahl, "Lightweight Directory Access Protocol (v3): Extension for Transport Layer Security", RFC 2830, May 2000.

[RFC2830]Hodges,J.,Morgan,R.和M.Wahl,“轻量级目录访问协议(v3):传输层安全扩展”,RFC 28302000年5月。

6. Acknowledgment
6. 致谢

This document borrows from a number of IETF documents and is based upon input from the IETF LDAPext working group.

本文件借鉴了许多IETF文件,并基于IETF LDAPext工作组的输入。

7. Author's Address
7. 作者地址

Kurt D. Zeilenga OpenLDAP Foundation

库尔特D.Zeeliga OpenLDAP基金会

   EMail: Kurt@OpenLDAP.org
        
   EMail: Kurt@OpenLDAP.org
        
8. Full Copyright Statement
8. 完整版权声明

Copyright (C) The Internet Society (2001). All Rights Reserved.

版权所有(C)互联网协会(2001年)。版权所有。

This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English.

本文件及其译本可复制并提供给他人,对其进行评论或解释或协助其实施的衍生作品可全部或部分编制、复制、出版和分发,不受任何限制,前提是上述版权声明和本段包含在所有此类副本和衍生作品中。但是,不得以任何方式修改本文件本身,例如删除版权通知或对互联网协会或其他互联网组织的引用,除非出于制定互联网标准的需要,在这种情况下,必须遵循互联网标准过程中定义的版权程序,或根据需要将其翻译成英语以外的其他语言。

The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns.

上述授予的有限许可是永久性的,互联网协会或其继承人或受让人不会撤销。

This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

本文件和其中包含的信息是按“原样”提供的,互联网协会和互联网工程任务组否认所有明示或暗示的保证,包括但不限于任何保证,即使用本文中的信息不会侵犯任何权利,或对适销性或特定用途适用性的任何默示保证。

Acknowledgement

确认

Funding for the RFC Editor function is currently provided by the Internet Society.

RFC编辑功能的资金目前由互联网协会提供。