Difference between revisions of "RFC3088"
imported>Admin (Created page with " Network Working Group K. Zeilenga Request for Comments: 3088 OpenLDAP Foundation Category: Experimental ...") |
|||
Line 1: | Line 1: | ||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
Network Working Group K. Zeilenga | Network Working Group K. Zeilenga | ||
Request for Comments: 3088 OpenLDAP Foundation | Request for Comments: 3088 OpenLDAP Foundation | ||
Category: Experimental April 2001 | Category: Experimental April 2001 | ||
− | |||
OpenLDAP Root Service | OpenLDAP Root Service | ||
Line 48: | Line 41: | ||
registration infrastructure and DNS SRV [RFC2782] resource records | registration infrastructure and DNS SRV [RFC2782] resource records | ||
can be used to locate services [LOCATE]. | can be used to locate services [LOCATE]. | ||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
=== The Glue === | === The Glue === | ||
Line 106: | Line 90: | ||
} | } | ||
else | else | ||
− | |||
− | |||
− | |||
− | |||
{ // append domainComponent | { // append domainComponent | ||
Line 142: | Line 122: | ||
algorithm. | algorithm. | ||
− | 2) | + | 2) RFC 2247 does not state how one can map the domain representing |
the root of the domain tree to a DN. We suggest the root of the | the root of the domain tree to a DN. We suggest the root of the | ||
domain tree be mapped to "DC=." and that this be reversable. | domain tree be mapped to "DC=." and that this be reversable. | ||
− | 3) | + | 3) RFC 2247 states that domain "example.net" should be mapped to the |
DN "DC=example,DC=net", not to "DC=example,DC=net,DC=.". As it is | DN "DC=example,DC=net", not to "DC=example,DC=net,DC=.". As it is | ||
not our intent to introduce or support an alternative domain to DN | not our intent to introduce or support an alternative domain to DN | ||
Line 152: | Line 132: | ||
"DC=.". | "DC=.". | ||
− | 4) | + | 4) RFC 2247 states that domain "example.net" should be mapped to the |
DN "DC=example,DC=net", not to "DC=example,DC=.,DC=net". As it is | DN "DC=example,DC=net", not to "DC=example,DC=.,DC=net". As it is | ||
not our intent to introduce or support an alternative domain to DN | not our intent to introduce or support an alternative domain to DN | ||
Line 159: | Line 139: | ||
the right. | the right. | ||
− | + | 5) RFC 2247 states that value of an DC attribute type is a domain | |
− | |||
− | |||
− | |||
− | |||
− | 5) | ||
component. It should not contain multiple domain components. A | component. It should not contain multiple domain components. A | ||
later incarnation of this service may map this domain to null or | later incarnation of this service may map this domain to null or | ||
Line 207: | Line 182: | ||
operations. The service supports operations extended through certain | operations. The service supports operations extended through certain | ||
controls as described in a later section. | controls as described in a later section. | ||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
=== Basic Operations === | === Basic Operations === | ||
Line 254: | Line 220: | ||
The service supports the ManageDSAit control. Unsupported controls | The service supports the ManageDSAit control. Unsupported controls | ||
− | are serviced per | + | are serviced per RFC 2251. |
=== ManageDSAit Control === | === ManageDSAit Control === | ||
Line 265: | Line 231: | ||
For search operations, an entry will be returned if within scope and | For search operations, an entry will be returned if within scope and | ||
matches the provided filter. For example: | matches the provided filter. For example: | ||
− | |||
− | |||
− | |||
− | |||
c: searchRequest { | c: searchRequest { | ||
Line 318: | Line 280: | ||
TCP/IPv4. Future incarnations of this service may support TCP/IPv6 | TCP/IPv4. Future incarnations of this service may support TCP/IPv6 | ||
or other transport/internet protocols. | or other transport/internet protocols. | ||
− | |||
− | |||
− | |||
− | |||
== Lessons Learned == | == Lessons Learned == | ||
Line 367: | Line 325: | ||
CLDAP [RFC1798] does not support the return of referrals and hence is | CLDAP [RFC1798] does not support the return of referrals and hence is | ||
not supported. | not supported. | ||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
== Security Considerations == | == Security Considerations == | ||
Line 419: | Line 369: | ||
Root Service can be found at <http://www.openldap.org/>. | Root Service can be found at <http://www.openldap.org/>. | ||
− | + | 10. Author's Address | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
Kurt Zeilenga | Kurt Zeilenga | ||
Line 436: | Line 376: | ||
EMail: [email protected] | EMail: [email protected] | ||
− | + | 11. Acknowledgments | |
Internet hosting for this experiment is provided by the Internet | Internet hosting for this experiment is provided by the Internet | ||
Line 449: | Line 389: | ||
[RFC1034] Mockapetris, P., "Domain Names - Concepts and Facilities", | [RFC1034] Mockapetris, P., "Domain Names - Concepts and Facilities", | ||
− | STD 13, | + | STD 13, RFC 1034, November 1987. |
[RFC1777] Yeong, W., Howes, T. and S. Kille, "Lightweight Directory | [RFC1777] Yeong, W., Howes, T. and S. Kille, "Lightweight Directory | ||
− | Access Protocol", | + | Access Protocol", RFC 1777, March 1995. |
[RFC1798] Young, A., "Connection-less Lightweight Directory Access | [RFC1798] Young, A., "Connection-less Lightweight Directory Access | ||
− | Protocol", | + | Protocol", RFC 1798, June 1995. |
[RFC2119] Bradner, S., "Key Words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key Words for use in RFCs to Indicate | ||
− | Requirement Levels", | + | Requirement Levels", BCP 14, RFC 2119, March 1997. |
[RFC2247] Kille, S., Wahl, M., Grimstad, A., Huber, R. and S. | [RFC2247] Kille, S., Wahl, M., Grimstad, A., Huber, R. and S. | ||
Sataluri, "Using Domains in LDAP/X.500 Distinguished | Sataluri, "Using Domains in LDAP/X.500 Distinguished | ||
− | Names", | + | Names", RFC 2247, January 1998. |
[RFC2251] Wahl, M., Howes, T. and S. Kille, "Lightweight Directory | [RFC2251] Wahl, M., Howes, T. and S. Kille, "Lightweight Directory | ||
− | Access Protocol (v3)", | + | Access Protocol (v3)", RFC 2251, December 1997. |
[RFC2253] Wahl, M., Kille, S. and T. Howes, "Lightweight Directory | [RFC2253] Wahl, M., Kille, S. and T. Howes, "Lightweight Directory | ||
Access Protocol (v3): UTF-8 String Representation of | Access Protocol (v3): UTF-8 String Representation of | ||
− | Distinguished Names", | + | Distinguished Names", RFC 2253, December 1997. |
− | [RFC2255] Howes, T. and M. Smith, "The LDAP URL Format", | + | [RFC2255] Howes, T. and M. Smith, "The LDAP URL Format", RFC 2255, |
December 1997. | December 1997. | ||
[RFC2782] Gulbrandsen, A., Vixie, P. and L. Esibov, "A DNS RR for | [RFC2782] Gulbrandsen, A., Vixie, P. and L. Esibov, "A DNS RR for | ||
− | specifying the location of services (DNS SRV)", | + | specifying the location of services (DNS SRV)", RFC 2782, |
February 2000. | February 2000. | ||
− | |||
− | |||
− | |||
− | |||
[RFC2829] Wahl, M., Alvestrand, H., Hodges, J. and R. Morgan, | [RFC2829] Wahl, M., Alvestrand, H., Hodges, J. and R. Morgan, | ||
− | "Authentication Methods for LDAP", | + | "Authentication Methods for LDAP", RFC 2829, May 2000. |
[RFC2830] Hodges, J., Morgan, R. and M. Wahl, "Lightweight Directory | [RFC2830] Hodges, J., Morgan, R. and M. Wahl, "Lightweight Directory | ||
Access Protocol (v3): Extension for Transport Layer | Access Protocol (v3): Extension for Transport Layer | ||
− | Security", | + | Security", RFC 2830, May 2000. |
[LOCATE] IETF LDAPext WG, "Discovering LDAP Services with DNS", | [LOCATE] IETF LDAPext WG, "Discovering LDAP Services with DNS", | ||
Line 500: | Line 436: | ||
[X500] ITU-T Rec. X.500, "The Directory: Overview of Concepts, | [X500] ITU-T Rec. X.500, "The Directory: Overview of Concepts, | ||
Models and Service", 1993. | Models and Service", 1993. | ||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
Full Copyright Statement | Full Copyright Statement | ||
Line 567: | Line 469: | ||
Funding for the RFC Editor function is currently provided by the | Funding for the RFC Editor function is currently provided by the | ||
Internet Society. | Internet Society. | ||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− |
Revision as of 10:32, 24 September 2020
Network Working Group K. Zeilenga Request for Comments: 3088 OpenLDAP Foundation Category: Experimental April 2001
OpenLDAP Root Service An experimental LDAP referral service
Status of this Memo
This memo defines an Experimental Protocol for the Internet community. It does not specify an Internet standard of any kind. Discussion and suggestions for improvement are requested. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2001). All Rights Reserved.
Abstract
The OpenLDAP Project is operating an experimental LDAP (Lightweight Directory Access Protocol) referral service known as the "OpenLDAP Root Service". The automated system generates referrals based upon service location information published in DNS SRV RRs (Domain Name System location of services resource records). This document describes this service.
Contents
Background
LDAP [RFC2251] directories use a hierarchical naming scheme inherited from X.500 [X500]. Traditionally, X.500 deployments have used a geo-political naming scheme (e.g., CN=Jane Doe,OU=Engineering,O=Example,ST=CA,C=US). However, registration infrastructure and location services in many portions of the naming hierarchical are inadequate or nonexistent.
The construction of a global directory requires a robust registration infrastructure and location service. Use of Internet domain-based naming [RFC2247] (e.g., UID=jdoe,DC=eng,DC=example,DC=net) allows LDAP directory services to leverage the existing DNS [RFC1034] registration infrastructure and DNS SRV [RFC2782] resource records can be used to locate services [LOCATE].
The Glue
Most existing LDAP implementations do not support location of directory services using DNS SRV resource records. However, most servers support generation of referrals to "superior" server(s). This service provides a "root" LDAP service which servers may use as their superior referral service.
Client may also use the service directly to locate services associated with an arbitrary Distinguished Name [RFC2253] within the domain based hierarchy.
Notice:
The mechanisms used by service are experimental. The descriptions provided by this document are not definitive. Definitive mechanisms shall be published in a Standard Track document(s).
Generating Referrals based upon DNS SRV RRs
This service returns referrals generated from DNS SRV resource records [RFC2782].
DN to Domain Name Mapping
The service maps a DN [RFC2253] to a fully qualified domain name using the following algorithm:
domain = null; foreach RDN left-to-right // [1]
{ if not multi-valued RDN and RDN.type == domainComponent { if ( domain == null || domain == "." ) { // start domain = ""; } else { // append separator domain .= "."; }
if ( RDN.value == "." ) { // root domain = "."; } else
{ // append domainComponent domain .= RDN.value; } continue; } domain = null; }
Examples:
Distinguished Name Domain ----------------------------- ------------ DC=example,DC=net example.net UID=jdoe,DC=example,DC=net example.net DC=. . [2] DC=example,DC=net,DC=. . [3] DC=example,DC=.,DC=net net [4] DC=example.net example.net [5] CN=Jane Doe,O=example,C=US null UID=jdoe,DC=example,C=US null DC=example,O=example,DC=net net DC=example+O=example,DC=net net DC=example,C=US+DC=net null
Notes:
0) A later incarnation will use a Standard Track mechanism.
1) A later incarnation of this service may use a right-to-left
algorithm.
2) RFC 2247 does not state how one can map the domain representing
the root of the domain tree to a DN. We suggest the root of the domain tree be mapped to "DC=." and that this be reversable.
3) RFC 2247 states that domain "example.net" should be mapped to the
DN "DC=example,DC=net", not to "DC=example,DC=net,DC=.". As it is not our intent to introduce or support an alternative domain to DN mapping, the algorithm ignores domainComponents to the left of "DC=.".
4) RFC 2247 states that domain "example.net" should be mapped to the
DN "DC=example,DC=net", not to "DC=example,DC=.,DC=net". As it is not our intent to introduce or support an alternative domain to DN mapping, the algorithm ignores domainComponents to the left of "DC=." and "DC=." itself if further domainComponents are found to the right.
5) RFC 2247 states that value of an DC attribute type is a domain
component. It should not contain multiple domain components. A later incarnation of this service may map this domain to null or be coded to return invalid DN error.
If the domain is null or ".", the service aborts further processing and returns noSuchObject. Later incarnation of this service may abort processing if the resulting domain is a top-level domain.
Locating LDAP services
The root service locates services associated with a given fully qualified domain name by querying the Domain Name System for LDAP SRV resource records. For the domain example.net, the service would do a issue a SRV query for the domain "_ldap._tcp.example.net". A successful query will return one or more resource records of the form:
_ldap._tcp.example.net. IN SRV 0 0 389 ldap.example.net.
If no LDAP SRV resource records are returned or any DNS error occurs, the service aborts further processing and returns noSuchObject. Later incarnations of this service will better handle transient errors.
Constructing an LDAP Referrals
For each DNS SRV resource record returned for the domain, a LDAP URL [RFC2255] is constructed. For the above resource record, the URL would be:
ldap://ldap.example.net:389/
These URLs are then returned in the referral. The URLs are currently returned in resolver order. That is, the server itself does not make use of priority or weight information in the SRV resource records. A later incarnation of this service may.
Protocol Operations
This section describes how the service performs basic LDAP operations. The service supports operations extended through certain controls as described in a later section.
Basic Operations
Basic (add, compare, delete, modify, rename, search) operations return a referral result if the target (or base) DN can be mapped to a set of LDAP URLs as described above. Otherwise a noSuchObject response or other appropriate response is returned.
Bind Operation
The service accepts "anonymous" bind specifying version 2 or version 3 of the protocol. All other bind requests will return a non- successful resultCode. In particular, clients which submit clear text credentials will be sent an unwillingToPerform resultCode with a cautionary text regarding providing passwords to strangers.
As this service is read-only, LDAPv3 authentication [RFC2829] is not supported.
Unbind Operations
Upon receipt of an unbind request, the server abandons all outstanding requests made by client and disconnects.
Extended Operations
The service currently does recognize any extended operation. Later incarnations of the service may support Start TLS [RFC2830] and other operations.
Update Operations
A later incarnation of this service may return unwillingToPerform for all update operations as this is an unauthenticated service.
Controls
The service supports the ManageDSAit control. Unsupported controls are serviced per RFC 2251.
ManageDSAit Control
The server recognizes and honors the ManageDSAit control [NAMEDREF] provided with operations.
If DNS location information is available for the base DN itself, the service will return unwillingToPerform for non-search operations. For search operations, an entry will be returned if within scope and matches the provided filter. For example:
c: searchRequest { base="DC=example,DC=net" scope=base filter=(objectClass=*) ManageDSAit }
s: searchEntry { dn: DC=example,DC=net objectClass: referral objectClass: extensibleObject dc: example ref: ldap://ldap.example.net:389/ associatedDomain: example.net } s: searchResult { success }
If DNS location information is available for the DC portion of a subordinate entry, the service will return noSuchObject with the matchedDN set to the DC portion of the base for search and update operations.
c: searchRequest { base="CN=subordinate,DC=example,DC=net" scope=base filter=(objectClass=*) ManageDSAit }
s: searchResult { noSuchObject matchedDN="DC=example,DC=net" }
Using the Service
Servers may be configured to refer superior requests to <ldap://root.openldap.org:389>.
Though clients may use the service directly, this is not encouraged. Clients should use a local service and only use this service when referred to it.
The service supports LDAPv3 and LDAPv2+ [LDAPv2+] clients over TCP/IPv4. Future incarnations of this service may support TCP/IPv6 or other transport/internet protocols.
Lessons Learned
Scaling / Reliability
This service currently runs on a single host. This host and associated network resources are not yet exhausted. If they do become exhausted, we believe we can easily scale to meet the demand through common distributed load balancing technics. The service can also easily be duplicated locally.
Protocol interoperability
This service has able avoided known interoperability issues in supporting variants of LDAP.
LDAPv3
The server implements all features of LDAPv3 [RFC2251] necessary to provide the service.
LDAPv2
LDAPv2 [RFC1777] does not support the return of referrals and hence may not be referred to this service. Though a LDAPv2 client could connect and issue requests to this service, the client would treat any referral returned to it as an unknown error.
LDAPv2+
LDAPv2+ [LDAPv2+] provides a number of extensions to LDAPv2, including referrals. LDAPv2+, like LDAPv3, does not require a bind operation before issuing of other operations. As the referral representation differ between LDAPv2+ and LDAPv3, the service returns LDAPv3 referrals in this case. However, as commonly deployed LDAPv2+ clients issue bind requests (for compatibility with LDAPv2 servers), this has not generated any interoperability issues (yet).
A future incarnation of this service may drop support for LDAPv2+ (and LDAPv2).
CLDAP
CLDAP [RFC1798] does not support the return of referrals and hence is not supported.
Security Considerations
This service provides information to "anonymous" clients. This information is derived from the public directories, namely the Domain Name System.
The use of authentication would require clients to disclose information to the service. This would be an unnecessary invasion of privacy.
The lack of encryption allows eavesdropping upon client requests and responses. A later incarnation of this service may support encryption (such as via Start TLS [RFC2830]).
Information integrity protection is not provided by the service. The service is subject to varies forms of DNS spoofing and attacks. LDAP session or operation integrity would provide false sense of security concerning the integrity of DNS information. A later incarnation of this service may support DNSSEC and provide integrity protection (via SASL, TLS, or IPSEC).
The service is subject to a variety of denial of service attacks. The service is capable of blocking access by a number of factors. This capability have yet to be used and likely would be ineffective in preventing sophisticated attacks. Later incarnations of this service will likely need better protection from such attacks.
Conclusions
DNS is good glue. By leveraging of the Domain Name System, global LDAP directories may be built without requiring a protocol specific registration infrastructures.
In addition, use of DNS service location allows global directories to be built "ad hoc". That is, anyone with a domain name can participate. There is no requirement that the superior domain participate.
Additional Information
Additional information about the OpenLDAP Project and the OpenLDAP Root Service can be found at <http://www.openldap.org/>.
10. Author's Address
Kurt Zeilenga OpenLDAP Foundation
EMail: [email protected]
11. Acknowledgments
Internet hosting for this experiment is provided by the Internet Software Consortium <http://www.isc.org/>. Computing resources were provided by Net Boolean Incorporated <http://www.boolean.net/>. This experiment would not have been possible without the contributions of numerous volunteers of the open source community. Mechanisms described in this document are based upon those introduced in [RFC2247] and [LOCATE].
References
[RFC1034] Mockapetris, P., "Domain Names - Concepts and Facilities",
STD 13, RFC 1034, November 1987.
[RFC1777] Yeong, W., Howes, T. and S. Kille, "Lightweight Directory
Access Protocol", RFC 1777, March 1995.
[RFC1798] Young, A., "Connection-less Lightweight Directory Access
Protocol", RFC 1798, June 1995.
[RFC2119] Bradner, S., "Key Words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2247] Kille, S., Wahl, M., Grimstad, A., Huber, R. and S.
Sataluri, "Using Domains in LDAP/X.500 Distinguished Names", RFC 2247, January 1998.
[RFC2251] Wahl, M., Howes, T. and S. Kille, "Lightweight Directory
Access Protocol (v3)", RFC 2251, December 1997.
[RFC2253] Wahl, M., Kille, S. and T. Howes, "Lightweight Directory
Access Protocol (v3): UTF-8 String Representation of Distinguished Names", RFC 2253, December 1997.
[RFC2255] Howes, T. and M. Smith, "The LDAP URL Format", RFC 2255,
December 1997.
[RFC2782] Gulbrandsen, A., Vixie, P. and L. Esibov, "A DNS RR for
specifying the location of services (DNS SRV)", RFC 2782, February 2000.
[RFC2829] Wahl, M., Alvestrand, H., Hodges, J. and R. Morgan,
"Authentication Methods for LDAP", RFC 2829, May 2000.
[RFC2830] Hodges, J., Morgan, R. and M. Wahl, "Lightweight Directory
Access Protocol (v3): Extension for Transport Layer Security", RFC 2830, May 2000.
[LOCATE] IETF LDAPext WG, "Discovering LDAP Services with DNS",
Work in Progress.
[LDAPv2+] University of Michigan LDAP Team, "Referrals within the
LDAPv2 Protocol", August 1996.
[NAMEDREF] Zeilenga, K. (editor), "Named Subordinate References in
LDAP Directories", Work in Progress.
[X500] ITU-T Rec. X.500, "The Directory: Overview of Concepts,
Models and Service", 1993.
Full Copyright Statement
Copyright (C) The Internet Society (2001). All Rights Reserved.
This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English.
The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Acknowledgement
Funding for the RFC Editor function is currently provided by the Internet Society.