Subject: Note on DSML v2 Security


The following are some considerations on security in DSML v2.

PART 1.

The BindRequest in DSMLv2 specifies the principal used for authentication.
The contents of this field are an LDAP DN which corresponds to the element
"name" in the LDAPv3 BindRequest PDU.

The BindRequest should only be included in a DSML document if the requestor's
LDAP DN is not provided by the client through other means.

As LDAPv3 was designed to run directly atop TCP/IP, it included in the Bind
operation the SASL framework for negotiation of a security mechanism and the
exchange of credentials to support authentication and provide the data required
for the server to perform client authorization.

Unlike the LDAPv3 Bind, the BindRequest in DSMLv2 does not specify
authentication credentials.  Instead, the exchange of credentials is
anticipated to occur through an independent process.  Examples include:

 - a user runs a command which takes as arguments a bind DN, bind credentials
   and a pathname to a file containing a DSMLv2 document.  In this scenario,
   the DSMLv2 document would not need to contain a BindRequest.  (This
   scenario is equivalent to common practice with LDAPv3 today; many
   implementations of LDAPv3 include command line tools which can
   parse LDIF files.)

 - the DSMLv2 is carried over a transport which provides for authentication,
   such as SOAP via HTTP/1.1 with Digest or TLS client certificates.  (The
   use of a BindRequest in DSMLv2 in this scenario is equivalent to common
   practice with LDAPv3's "EXTERNAL" SASL mechanism).

 - the DSMLv2 is included inside of an enclosing document which contains
   authentication information elsewhere.

PART 2.

x. Security Services

An implementation of the mapping of DSMLv2 onto SOAP/HTTP SHOULD support
at least one of the following security services:

 - use of HTTP Digest [xx],
 - use of TLS upgrade on a HTTP connection [yy], or
 - use of HTTP over TLS [zz].

For compatibility with the installed base of HTTP servers, an implementation
which supports the use of TLS Upgrade on a HTTP connection SHOULD also
support use of HTTP over TLS.

Use of DSMLv2 over HTTP without any security services is NOT RECOMMENDED.

Use of DSMLv2 with HTTP Basic authentication [xx] is NOT RECOMMENDED.

The DSMLv2 document sent by the client SHOULD include a BindRequest prior
to any other protocol elements.
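An added example, not part of this note: a small server-side policy check that applies the rules above (and the Part 1 rule on when a BindRequest is needed) to one DSMLv2-over-HTTP request. The element name BindRequest follows the note's draft terminology; the namespace URI and the two sample documents are constructed assumptions for the example.

```python
import xml.etree.ElementTree as ET
from typing import List, Optional

# Draft element name as used in the note; the final schema may differ (assumption).
BIND_ELEMENT = "BindRequest"

# Constructed sample documents (namespace URI is an assumption for this example).
SAMPLE_WITH_BIND = (
    '<batchRequest xmlns="urn:oasis:names:tc:DSML:2:0:core">'
    '<BindRequest principal="cn=admin,dc=example,dc=com"/>'
    '<searchRequest dn="dc=example,dc=com" scope="baseObject"/>'
    '</batchRequest>'
)
SAMPLE_NO_BIND = (
    '<batchRequest xmlns="urn:oasis:names:tc:DSML:2:0:core">'
    '<searchRequest dn="dc=example,dc=com" scope="baseObject"/>'
    '</batchRequest>'
)


def _local(tag: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on namespaced tags."""
    return tag.rsplit("}", 1)[-1]


def check_dsml_request(tls: bool, authorization: str,
                       client_cert_dn: Optional[str], body: str) -> List[str]:
    """Return the policy violations for one DSMLv2 request carried over HTTP.

    tls            -- connection uses HTTP over TLS or was upgraded to TLS
    authorization  -- value of the HTTP Authorization header ('' if absent)
    client_cert_dn -- subject DN of a TLS client certificate, or None
    body           -- the DSMLv2 document
    """
    problems = []
    scheme = authorization.split(" ", 1)[0].lower() if authorization else ""
    if scheme == "basic":
        problems.append("HTTP Basic authentication is NOT RECOMMENDED")
    if not tls and scheme != "digest":
        problems.append("no security service: neither HTTP Digest nor TLS in use")
    # Digest (username) or a client certificate already supplies the requestor's DN.
    transport_identity = scheme == "digest" or client_cert_dn is not None
    try:
        children = [_local(child.tag) for child in ET.fromstring(body)]
    except ET.ParseError as exc:
        return problems + [f"malformed DSML document: {exc}"]
    if BIND_ELEMENT in children and children[0] != BIND_ELEMENT:
        problems.append(f"{BIND_ELEMENT} must precede all other protocol elements")
    elif BIND_ELEMENT not in children and not transport_identity:
        problems.append(f"{BIND_ELEMENT} required: transport supplies no requestor DN")
    return problems
```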

x. Bibliography

[xx] RFC 2617 (Draft Standard): "HTTP Authentication: Basic and Digest
Access Authentication"

[yy] RFC 2817 (Proposed Standard): "Upgrading to TLS Within HTTP/1.1"

[zz] RFC 2818 (Informational): "HTTP Over TLS"


Christine Tomlinson
Mark Wahl
Sun Microsystems
