RFC 3829 (rfc3829) - Page 1 of 6


Lightweight Directory Access Protocol (LDAP) Authorization Identity Request and Response Controls



Alternative Format: Original Text Document



Network Working Group                                         R. Weltman
Request for Comments: 3829                                America Online
Category: Informational                                         M. Smith
                                                     Pearl Crescent, LLC
                                                                 M. Wahl
                                                               July 2004

             Lightweight Directory Access Protocol (LDAP)
         Authorization Identity Request and Response Controls

Status of this Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this
   memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2004).

Abstract

   This document extends the Lightweight Directory Access Protocol
   (LDAP) bind operation with a mechanism for requesting and returning
   the authorization identity it establishes.  Specifically, this
   document defines the Authorization Identity Request and Response
   controls for use with the Bind operation.

1.  Introduction

   This document defines support for the Authorization Identity Request
   Control and the Authorization Identity Response Control for
   requesting and returning the authorization established in a bind
   operation.  The Authorization Identity Request Control may be
   submitted by a client in a bind request if authenticating with
   version 3 of the Lightweight Directory Access Protocol (LDAP)
   protocol [LDAPv3].  In the LDAP server's bind response, it may then
   include an Authorization Identity Response Control.  The response
   control contains the identity assumed by the client.  This is useful
   when there is a mapping step or other indirection during the bind, so
   that the client can be told what LDAP identity was granted.  Client
   authentication with certificates is the primary situation where this
   applies.  Also, some Simple Authentication and Security Layer [SASL]
   authentication mechanisms may not involve the client explicitly
   providing a DN, or may result in an authorization identity which is
   different from the authentication identity provided by the client
   [AUTH].




Weltman, et al.              Informational