Internet Engineering Task Force (IETF) K. Zeilenga Request for Comments: 6171 Isode Limited Category: Standards Track March 2011 ISSN: 2070-1721
Internet Engineering Task Force (IETF) K. Zeilenga Request for Comments: 6171 Isode Limited Category: Standards Track March 2011 ISSN: 2070-1721
The Lightweight Directory Access Protocol (LDAP) Don't Use Copy Control
轻量级目录访问协议(LDAP)不使用复制控制
Abstract
摘要
This document defines the Lightweight Directory Access Protocol (LDAP) Don't Use Copy control extension, which allows a client to specify that copied information should not be used in providing service. This control is based upon the X.511 dontUseCopy service control option.
本文档定义了轻量级目录访问协议(LDAP)不使用复制控制扩展,该扩展允许客户端指定复制的信息不应用于提供服务。此控件基于X.511 dontUseCopy服务控件选项。
Status of This Memo
关于下段备忘
This is an Internet Standards Track document.
这是一份互联网标准跟踪文件。
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 5741.
本文件是互联网工程任务组(IETF)的产品。它代表了IETF社区的共识。它已经接受了公众审查,并已被互联网工程指导小组(IESG)批准出版。有关互联网标准的更多信息,请参见RFC 5741第2节。
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc6171.
有关本文件当前状态、任何勘误表以及如何提供反馈的信息,请访问http://www.rfc-editor.org/info/rfc6171.
Copyright Notice
版权公告
Copyright (c) 2011 IETF Trust and the persons identified as the document authors. All rights reserved.
版权所有(c)2011 IETF信托基金和确定为文件作者的人员。版权所有。
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
本文件受BCP 78和IETF信托有关IETF文件的法律规定的约束(http://trustee.ietf.org/license-info)自本文件出版之日起生效。请仔细阅读这些文件,因为它们描述了您对本文件的权利和限制。从本文件中提取的代码组件必须包括信托法律条款第4.e节中所述的简化BSD许可证文本,并提供简化BSD许可证中所述的无担保。
This document may contain material from IETF Documents or IETF Contributions published or made publicly available before November 10, 2008. The person(s) controlling the copyright in some of this material may not have granted the IETF Trust the right to allow modifications of such material outside the IETF Standards Process. Without obtaining an adequate license from the person(s) controlling the copyright in such materials, this document may not be modified outside the IETF Standards Process, and derivative works of it may not be created outside the IETF Standards Process, except to format it for publication as an RFC or to translate it into languages other than English.
本文件可能包含2008年11月10日之前发布或公开的IETF文件或IETF贡献中的材料。控制某些材料版权的人员可能未授予IETF信托允许在IETF标准流程之外修改此类材料的权利。在未从控制此类材料版权的人员处获得充分许可的情况下,不得在IETF标准流程之外修改本文件,也不得在IETF标准流程之外创建其衍生作品,除了将其格式化以RFC形式发布或将其翻译成英语以外的其他语言。
This document defines the Lightweight Directory Access Protocol (LDAP) [RFC4510] Don't Use Copy control extension. The control may be attached to request messages to indicate that copied (replicated or cached) information [X.500] is not be used in providing service. This control is based upon the X.511 [X.511] dontUseCopy service control option.
本文档定义了轻量级目录访问协议(LDAP)[RFC4510]不使用复制控制扩展。该控件可以附加到请求消息,以指示复制(复制或缓存)的信息[X.500]不用于提供服务。此控件基于X.511[X.511]dontUseCopy服务控件选项。
The Don't Use Copy control is intended to be used where the client requires the service be provided using original (master) information [X.500]. In absence of this control, the server is free to make use of copied (i.e., non-authoritative) information in providing the requested service.
当客户要求使用原始(主)信息[X.500]提供服务时,可使用“不使用副本”控件。在没有这种控制的情况下,服务器可以在提供请求的服务时自由地使用复制的(即非权威的)信息。
For instance, a client might desire to have an authoritative answer to a question of whether or not a particular user is a member of a group. To ask this question of a server, the client might issue a compare request [RFC4511], with the Don't Use Copy control, where the entry parameter is the Distinguished Name (DN) of the group, the ava.attributeDesc is 'member', and the ava.assertionValue is the DN of the user in question. If the server has access to the original (master) information directly or through chaining, it performs the operation against the original (master) information and returns compareTrue or compareFalse (or an error). If the server does not have access to the original information, the server is obligated to either return a referral or an error.
例如,客户机可能希望对特定用户是否为组成员的问题有权威的答案。要询问服务器的这个问题,客户机可能会发出一个比较请求[RFC4511],使用“不使用复制”控件,其中输入参数是组的可分辨名称(DN),ava.AttributeDisc是“成员”,ava.assertionValue是相关用户的DN。如果服务器可以直接或通过链接访问原始(主)信息,它将对原始(主)信息执行操作,并返回compareTrue或CompareValse(或错误)。如果服务器无法访问原始信息,则服务器有义务返回引用或错误。
It is not intended that this control be used generally (e.g., for all LDAP interrogation operations) but only as required to ensure proper directory application behavior. In general, directory applications ought to designed to use copied information well.
此控件不打算被普遍使用(例如,用于所有LDAP查询操作),而仅在确保正确的目录应用程序行为所需时使用。一般来说,目录应用程序的设计应该能够很好地使用复制的信息。
DSA stands for Directory System Agent (or server). DSE stands for DSA-Specific Entry.
DSA代表目录系统代理(或服务器)。DSE代表DSA特定条目。
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119].
本文件中的关键词“必须”、“不得”、“要求”、“应”、“不应”、“应”、“不应”、“建议”、“可”和“可选”应按照RFC 2119[RFC2119]中所述进行解释。
The Don't Use Copy control is an LDAP Control [RFC4511] whose controlType is 1.3.6.1.1.22 and controlValue is absent. The criticality MUST be TRUE. There is no corresponding response control.
不使用复制控件是一个LDAP控件[RFC4511],其controlType为1.3.6.1.1.22,而controlValue不存在。关键性必须是真实的。没有相应的响应控制。
The control is appropriate for LDAP interrogation operations, including Compare and Search operations [RFC4511]. It is inappropriate for all other operations, including Abandon, Bind, Delete, Modify, ModifyDN, StartTLS, and Unbind operations [RFC4511].
该控件适用于LDAP查询操作,包括比较和搜索操作[RFC4511]。它不适用于所有其他操作,包括放弃、绑定、删除、修改、修改DN、StartTLS和取消绑定操作[RFC4511]。
When the control is attached to an LDAP request, the requested operation MUST NOT be performed on copied information. That is, the requested operation MUST be performed on original information.
将控件附加到LDAP请求时,不得对复制的信息执行请求的操作。也就是说,必须对原始信息执行请求的操作。
If original (master) information for the target or base object of the operation is not available (either locally or through chaining), the server MUST either return a referral directing the client to a server believed to be better able to service the request or return an appropriate result code (e.g., unwillingToPerform).
如果操作的目标或基本对象的原始(主)信息不可用(本地或通过链接),则服务器必须返回一个引用,将客户机定向到认为能够更好地服务请求的服务器,或返回一个适当的结果代码(例如,不愿意操作)。
It is noted that a referral, if returned, is not necessarily to the server holding the original (master) information. It is also noted that an authoritative answer to the question might not be available to the client for any number of reasons.
需要注意的是,引用如果返回,则不一定是到保存原始(主)信息的服务器。还需要注意的是,由于各种原因,客户可能无法获得对该问题的权威答案。
Where the client chases a referral to a server (as referenced by an LDAP URL) in the server response in order to obtain an authoritative response, the client MUST provide the dontUseCopy control with the interrogation request it makes to the referred to server. While LDAP allows return of other kinds of URIs, the syntax and semantics of other kinds of URIs are left to future specifications. The particulars of how to act upon other kinds of URIs are also left to future specifications.
如果客户端在服务器响应中追逐对服务器的引用(由LDAP URL引用)以获得权威响应,则客户端必须向dontUseCopy控件提供它对引用的服务器发出的询问请求。虽然LDAP允许返回其他类型的URI,但其他类型URI的语法和语义将留待将来的规范处理。如何处理其他类型的URI的细节也留给未来的规范。
Servers implementing this technical specification SHOULD publish the object identifier 1.3.6.1.1.22 as a value of the 'supportedControl' attribute [RFC4512] in their root DSE. A server MAY choose to advertise this extension only when the client is authorized to use it.
实现本技术规范的服务器应在其根DSE中将对象标识符1.3.6.1.1.22作为“supportedControl”属性[RFC4512]的值发布。只有当客户机被授权使用此扩展时,服务器才可以选择公布此扩展。
This control is intended to be provided where providing service using copied information might lead to unexpected application behavior.
当使用复制的信息提供服务可能导致意外的应用程序行为时,将提供此控件。
Use of the Don't Use Copy control may permit an attacker to perform or amplify a denial-of-service attack by causing additional server resources to be employed, such as when the server chooses to chain the request instead of returning a referral. Servers capable of such chaining can mitigate this threat by limiting chaining to a particular group of authenticated entities.
使用“不使用复制”控制可能会允许攻击者通过使用其他服务器资源(例如,当服务器选择链接请求而不是返回引用时)来执行或放大拒绝服务攻击。能够进行这种链接的服务器可以通过将链接限制到特定的一组经过身份验证的实体来缓解这种威胁。
LDAP is frequently used for storage and distribution of security-sensitive information, including access control and security policy information. Failure to use the Don't Use Copy control may thus permit an attacker to gain unauthorized access by allowing reliance on stale data.
LDAP经常用于存储和分发安全敏感信息,包括访问控制和安全策略信息。因此,如果未能使用“不使用复制”控件,攻击者可能会通过依赖过时数据获得未经授权的访问权限。
IANA has assigned an LDAP Object Identifier [RFC4520] to identify the LDAP Don't Use Copy Control defined in this document.
IANA已分配一个LDAP对象标识符[RFC4520]来标识LDAP不使用本文档中定义的复制控制。
Subject: Request for LDAP Object Identifier Registration Person & email address to contact for further information: Kurt Zeilenga <Kurt.Zeilenga@Isode.COM> Specification: RFC 6171 Author/Change Controller: IESG Comments: Identifies the LDAP Don't Use Copy Control
Subject: Request for LDAP Object Identifier Registration Person & email address to contact for further information: Kurt Zeilenga <Kurt.Zeilenga@Isode.COM> Specification: RFC 6171 Author/Change Controller: IESG Comments: Identifies the LDAP Don't Use Copy Control
IANA has registered this protocol mechanism [RFC4520] as follows.
IANA已将该协议机制[RFC4520]注册如下。
Subject: Request for LDAP Protocol Mechanism Registration Object Identifier: 1.3.6.1.1.22 Description: Don't Use Copy Control Person & email address to contact for further information: Kurt Zeilenga <Kurt.Zeilenga@Isode.COM> Usage: Control Specification: RFC 6171 Author/Change Controller: IESG Comments: none
Subject: Request for LDAP Protocol Mechanism Registration Object Identifier: 1.3.6.1.1.22 Description: Don't Use Copy Control Person & email address to contact for further information: Kurt Zeilenga <Kurt.Zeilenga@Isode.COM> Usage: Control Specification: RFC 6171 Author/Change Controller: IESG Comments: none
The author thanks Ben Campbell, Phillip Hallam-Baker, and Ted Hardie for providing review and specific suggestions.
作者感谢Ben Campbell、Phillip Hallam Baker和Ted Hardie提供的评论和具体建议。
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2119]Bradner,S.,“RFC中用于表示需求水平的关键词”,BCP 14,RFC 2119,1997年3月。
[RFC4510] Zeilenga, K., Ed., "Lightweight Directory Access Protocol (LDAP): Technical Specification Road Map", RFC 4510, June 2006.
[RFC4510]Zeilenga,K.,Ed.“轻量级目录访问协议(LDAP):技术规范路线图”,RFC45102006年6月。
[RFC4511] Sermersheim, J., Ed., "Lightweight Directory Access Protocol (LDAP): The Protocol", RFC 4511, June 2006.
[RFC4511]Sermersheim,J.,Ed.,“轻量级目录访问协议(LDAP):协议”,RFC4511,2006年6月。
[RFC4512] Zeilenga, K., Ed., "Lightweight Directory Access Protocol (LDAP): Directory Information Models", RFC 4512, June 2006.
[RFC4512]Zeilenga,K.,Ed.,“轻量级目录访问协议(LDAP):目录信息模型”,RFC4512,2006年6月。
[X.500] International Telecommunication Union - Telecommunication Standardization Sector, "The Directory -- Overview of concepts, models and services," X.500(1993) (also ISO/IEC 9594-1:1994).
[X.500]国际电信联盟-电信标准化部门,“目录——概念、模型和服务概述”,X.500(1993)(也指ISO/IEC 9594-1:1994)。
[X.511] International Telecommunication Union - Telecommunication Standardization Sector, "The Directory: Abstract Service Definition", X.511(1993) (also ISO/IEC 9594-3:1993).
[X.511]国际电信联盟-电信标准化部门,“目录:抽象服务定义”,X.511(1993)(也称ISO/IEC 9594-3:1993)。
[RFC4520] Zeilenga, K., "Internet Assigned Numbers Authority (IANA) Considerations for the Lightweight Directory Access Protocol (LDAP)", BCP 64, RFC 4520, June 2006.
[RFC4520]Zeilenga,K.,“轻量级目录访问协议(LDAP)的互联网分配号码管理局(IANA)注意事项”,BCP 64,RFC 4520,2006年6月。
Author's Address
作者地址
Kurt D. Zeilenga Isode Limited
Kurt D.Zeilenga Isode有限公司
EMail: Kurt.Zeilenga@Isode.COM
EMail: Kurt.Zeilenga@Isode.COM