RFC 3829 (rfc3829) - Page 2 of 6
Lightweight Directory Access Protocol (LDAP) Authorization Identity Request and Response Controls
Alternative Format: Original Text Document
RFC 3829 Authorization Identity Bind Control July 2004
The key words "MUST", "MUST NOT", "SHOULD", "SHOULD NOT", and "MAY"
used in this document are to be interpreted as described in
[RFCKeyWords].
2. Publishing support for the Authorization Identity Request Control
and the Authorization Identity Response Control
Support for the Authorization Identity Request Control and the
Authorization Identity Response Control is indicated by the presence
of the Object Identifiers (OIDs) 2.16.840.1.113730.3.4.16 and
2.16.840.1.113730.3.4.15, respectively, in the supportedControl
attribute [LDAPATTRS] of a server's root DSA-specific Entry (DSE).
3. Authorization Identity Request Control
This control MAY be included in any bind request which specifies
protocol version 3, as part of the controls field of the LDAPMessage
as defined in [LDAPPROT]. In a multi-step bind operation, the client
MUST provide the control with each bind request.
The controlType is "2.16.840.1.113730.3.4.16" and the controlValue is
absent.
4. Authorization Identity Response Control
This control MAY be included in any final bind response where the
first bind request of the bind operation included an Authorization
Identity Request Control as part of the controls field of the
LDAPMessage as defined in [LDAPPROT].
The controlType is "2.16.840.1.113730.3.4.15". If the bind request
succeeded and resulted in an identity (not anonymous), the
controlValue contains the authorization identity (authzId), as
defined in [AUTH] section 9, granted to the requestor. If the bind
request resulted in an anonymous association, the controlValue field
is a string of zero length. If the bind request resulted in more
than one authzId, the primary authzId is returned in the controlValue
field.
The control is only included in a bind response if the resultCode for
the bind operation is success.
If the server requires confidentiality protections to be in place
prior to use of this control (see Security Considerations), the
server reports failure to have adequate confidentiality protections
in place by returning the confidentialityRequired result code.
Weltman, et al. Informational