Subject: Note on DSML v2 Security
The following are some considerations on security in DSML v2.

PART 1.

The BindRequest in DSMLv2 specifies the principal used for authentication. The contents of this field are an LDAP DN, which corresponds to the element "name" in the LDAPv3 BindRequest PDU. The BindRequest should only be included in a DSML document if the requestor's LDAP DN is not provided by the client through other means.

As LDAPv3 was designed to run directly atop TCP/IP, it included in the Bind operation the SASL framework for negotiation of a security mechanism and the exchange of credentials, to support authentication and provide the data required for the server to perform client authorization. Unlike the LDAPv3 Bind, the BindRequest in DSMLv2 does not specify authentication credentials. Instead, the exchange of credentials is anticipated to occur through an independent process. Examples include:

- a user runs a command which takes as arguments a bind DN, bind credentials and a pathname to a file containing a DSMLv2 document. In this scenario, the DSMLv2 document would not need to contain a BindRequest. (This scenario is equivalent to common practice with LDAPv3 today; many implementations of LDAPv3 include command line tools which can parse LDIF files.)

- the DSMLv2 is carried over a transport which provides for authentication, such as SOAP via HTTP/1.1 with Digest or TLS client certificates. (The use of a BindRequest in DSMLv2 in this scenario is equivalent to common practice with LDAPv3's "EXTERNAL" SASL mechanism.)

- the DSMLv2 is included inside of an enclosing document which contains authentication information elsewhere.

PART 2.

x. Security Services

An implementation of the mapping of DSMLv2 onto SOAP/HTTP SHOULD support at least one of the following security services:

- use of HTTP Digest [xx],
- use of TLS upgrade on an HTTP connection [yy], or
- use of HTTP over TLS [zz].

For compatibility with the installed base of HTTP servers, an implementation which supports the use of TLS Upgrade on an HTTP connection SHOULD also support use of HTTP over TLS.

Use of DSMLv2 over HTTP without any security services is NOT RECOMMENDED.

Use of DSMLv2 with HTTP Basic authentication [xx] is NOT RECOMMENDED.

The DSMLv2 document sent by the client SHOULD include a BindRequest prior to any other protocol elements.

x. Bibliography

[xx] RFC 2617 (Draft Standard): "HTTP Authentication: Basic and Digest Access Authentication"
[yy] RFC 2817 (Proposed Standard): "Upgrading to TLS Within HTTP/1.1"
[zz] RFC 2818 (Informational): "HTTP Over TLS"

Christine Tomlinson
Mark Wahl
Sun Microsystems
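As an added example, not part of the note above and not Sun's code: a Python gatekeeper for a DSMLv2-over-SOAP/HTTP endpoint that applies the rules from PART 1 and PART 2 before any LDAP operation is attempted. It assumes the HTTP layer has already completed Digest or TLS and, where the deployment can, mapped the Digest user or the TLS client certificate to a DN. The element name authRequest with its principal attribute is taken from the published DSMLv2 schema, not from this note (which calls the element BindRequest); the HttpRequest type and the sample documents are constructed for the example. Refusing plain-HTTP and Basic outright, and requiring a document-supplied DN to equal the transport-authenticated DN (the EXTERNAL-style check), are this example's choices, not requirements the note states.

```python
"""Policy gate for DSMLv2 carried over SOAP/HTTP (added example, not the note's code)."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumption: element names follow the OASIS DSMLv2 schema (<authRequest principal="..."/>),
# which is what the note's "BindRequest" became. Adjust if your schema differs.
DSML_NS = "urn:oasis:names:tc:DSML:2:0:core"
BATCH_TAG = "{%s}batchRequest" % DSML_NS
BIND_TAG = "{%s}authRequest" % DSML_NS


@dataclass
class HttpRequest:
    """Constructed stand-in for what the SOAP endpoint sees; not a real framework type."""
    tls: bool                    # HTTP over TLS (RFC 2818) or after an RFC 2817 upgrade
    auth_scheme: Optional[str]   # HTTP auth scheme that succeeded: "Digest", "Basic" or None
    transport_dn: Optional[str]  # DN the deployment maps from the Digest user or client cert
    body: bytes                  # the DSMLv2 document, SOAP envelope already removed


class PolicyError(Exception):
    """Request refused before any LDAP operation is attempted."""


def bind_dn_from_document(body: bytes) -> Optional[str]:
    """Return the DN named by the document's bind element, or None if there is none.
    Enforces the note's rule that the bind element, when present, comes first."""
    root = ET.fromstring(body)
    if root.tag != BATCH_TAG:
        raise PolicyError("root element is not a DSMLv2 batchRequest")
    dn = None
    for index, element in enumerate(root):
        if element.tag != BIND_TAG:
            continue
        if index != 0:
            raise PolicyError("bind element must precede all other protocol elements")
        dn = element.get("principal")
        if not dn:
            raise PolicyError("bind element carries no principal")
    return dn


def select_principal(req: HttpRequest) -> Tuple[str, str]:
    """Apply the transport rules, then decide which DN the server binds as.
    Returns (dn, source) with source "document" or "transport"."""
    # The note marks plain HTTP and HTTP Basic NOT RECOMMENDED; this example refuses both.
    if not req.tls and req.auth_scheme is None:
        raise PolicyError("DSMLv2 over HTTP without Digest or TLS is refused")
    if req.auth_scheme == "Basic":
        raise PolicyError("HTTP Basic authentication is refused")
    if req.auth_scheme not in (None, "Digest"):
        raise PolicyError("unsupported HTTP authentication scheme %r" % req.auth_scheme)

    document_dn = bind_dn_from_document(req.body)
    if req.transport_dn and document_dn:
        # EXTERNAL-style rule chosen for this example: the document may only name
        # the identity the transport already authenticated.
        if document_dn != req.transport_dn:
            raise PolicyError("document bind DN does not match authenticated identity")
        return document_dn, "document"
    if document_dn:
        return document_dn, "document"
    if req.transport_dn:
        return req.transport_dn, "transport"
    raise PolicyError("no principal supplied by the document or the transport")


def is_refused(req: HttpRequest) -> bool:
    """True if the gate rejects the request."""
    try:
        select_principal(req)
    except PolicyError:
        return True
    return False


# Constructed sample documents (not taken from the note).
ALICE = "uid=alice,ou=people,dc=example,dc=com"
SEARCH = (b'<searchRequest dn="ou=people,dc=example,dc=com" scope="singleLevel" '
          b'derefAliases="neverDerefAliases"><filter><present name="objectClass"/>'
          b'</filter></searchRequest>')
DOC_WITH_BIND = (b'<batchRequest xmlns="urn:oasis:names:tc:DSML:2:0:core">'
                 b'<authRequest principal="' + ALICE.encode() + b'"/>' + SEARCH + b'</batchRequest>')
DOC_WITHOUT_BIND = (b'<batchRequest xmlns="urn:oasis:names:tc:DSML:2:0:core">'
                    + SEARCH + b'</batchRequest>')
DOC_BIND_LATE = (b'<batchRequest xmlns="urn:oasis:names:tc:DSML:2:0:core">'
                 + SEARCH + b'<authRequest principal="' + ALICE.encode() + b'"/></batchRequest>')

if __name__ == "__main__":
    # TLS client certificate supplied the identity; the document carries no bind element.
    print(select_principal(HttpRequest(True, None, ALICE, DOC_WITHOUT_BIND)))
    # Digest over plain HTTP, document names the same DN the Digest user maps to.
    print(select_principal(HttpRequest(False, "Digest", ALICE, DOC_WITH_BIND)))
    print(is_refused(HttpRequest(False, None, None, DOC_WITH_BIND)))  # no security service
```

The first two branches of select_principal are the transport half of the note's PART 2; bind_dn_from_document is the "BindRequest prior to any other protocol elements" rule. A deployment that cannot map Digest users or client certificates to a DN leaves transport_dn empty, in which case the document's DN is trusted only because the transport has already authenticated the sender, which is the command-line and enclosing-document scenarios from PART 1.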