Lightweight Directory Access Protocol (LDAP) Authorization Identity Request and Response Controls




RFC 3829          Authorization Identity Bind Control          July 2004


   The key words "MUST", "MUST NOT", "SHOULD", "SHOULD NOT", and "MAY"
   used in this document are to be interpreted as described in
   [RFCKeyWords].

2.  Publishing support for the Authorization Identity Request Control
    and the Authorization Identity Response Control

   Support for the Authorization Identity Request Control and the
   Authorization Identity Response Control is indicated by the presence
   of the Object Identifiers (OIDs) 2.16.840.1.113730.3.4.16 and
   2.16.840.1.113730.3.4.15, respectively, in the supportedControl
   attribute [LDAPATTRS] of a server's root DSA-specific Entry (DSE).

3.  Authorization Identity Request Control

   This control MAY be included in any bind request which specifies
   protocol version 3, as part of the controls field of the LDAPMessage
   as defined in [LDAPPROT].  In a multi-step bind operation, the client
   MUST provide the control with each bind request.

   The controlType is "2.16.840.1.113730.3.4.16" and the controlValue is
   absent.

4.  Authorization Identity Response Control

   This control MAY be included in any final bind response where the
   first bind request of the bind operation included an Authorization
   Identity Request Control as part of the controls field of the
   LDAPMessage as defined in [LDAPPROT].

   The controlType is "2.16.840.1.113730.3.4.15".  If the bind request
   succeeded and resulted in an identity (not anonymous), the
   controlValue contains the authorization identity (authzId), as
   defined in [AUTH] section 9, granted to the requestor.  If the bind
   request resulted in an anonymous association, the controlValue field
   is a string of zero length.  If the bind request resulted in more
   than one authzId, the primary authzId is returned in the controlValue
   field.

   The control is only included in a bind response if the resultCode for
   the bind operation is success.

   If the server requires confidentiality protections to be in place
   prior to use of this control (see Security Considerations), the
   server reports failure to have adequate confidentiality protections
   in place by returning the confidentialityRequired result code.
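
   The encoding and interpretation rules of sections 3 and 4, as an
   added example that is not part of RFC 3829: it builds the request
   control with an absent controlValue and reads the authzId from a
   final bind response only when resultCode is success.  Function
   names and the sample authzId are assumptions made for illustration.

```python
# Added example, not part of RFC 3829. Function names are hypothetical.
# BER short-form lengths only (< 128 bytes), which is enough for these controls.
REQUEST_OID = "2.16.840.1.113730.3.4.16"
RESPONSE_OID = "2.16.840.1.113730.3.4.15"
SUCCESS = 0  # LDAP resultCode success

def tlv(tag, payload):
    if len(payload) > 127:
        raise ValueError("long-form BER length not handled here")
    return bytes([tag, len(payload)]) + payload

def encode_request_control():
    # Control ::= SEQUENCE { controlType LDAPOID, ... }; controlValue is absent.
    return tlv(0x30, tlv(0x04, REQUEST_OID.encode("ascii")))

def read_tlv(buf, pos):
    if pos + 2 > len(buf) or buf[pos + 1] > 127:
        raise ValueError("truncated or long-form BER element")
    end = pos + 2 + buf[pos + 1]
    if end > len(buf):
        raise ValueError("BER element overruns buffer")
    return buf[pos], buf[pos + 2:end], end

def decode_control(raw):
    tag, body, end = read_tlv(raw, 0)
    if tag != 0x30 or end != len(raw):
        raise ValueError("not a single Control SEQUENCE")
    fields, pos = [], 0
    while pos < len(body):
        t, v, pos = read_tlv(body, pos)
        fields.append((t, v))
    if not fields or fields[0][0] != 0x04:
        raise ValueError("controlType missing")
    # Skip an optional criticality BOOLEAN (0x01); the value is an OCTET STRING.
    value = next((v for t, v in fields[1:] if t == 0x04), None)
    return fields[0][1].decode("ascii"), value

def authz_id_from_bind(result_code, raw_controls):
    """authzId string, "" for an anonymous association, None if not reported."""
    if result_code != SUCCESS:
        return None  # the control is only defined for a successful bind
    for raw in raw_controls:
        oid, value = decode_control(raw)
        if oid == RESPONSE_OID and value is not None:
            return value.decode("utf-8")
    return None

# Constructed sample response control, not captured traffic.
SAMPLE = tlv(0x30, tlv(0x04, RESPONSE_OID.encode("ascii"))
             + tlv(0x04, b"dn:uid=alice,dc=example,dc=com"))
```

   A client that logs or acts on the returned authzId should treat None
   (control not returned) differently from "" (anonymous association).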





Weltman, et al.              Informational