Internet Draft S. Slone Document: draft-slone-ldap-x500-align-00.txt Lockheed Martin Expires: August 23, 2003 February 24, 2003 Maximizing Alignment Between LDAP and X.500 Status of this Memo This document is an Internet-Draft and is NOT offered in accordance with Section 10 of RFC 2026, and the author does not provide the IETF with any rights other than to publish as an Internet-Draft. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/1id-abstracts.html The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. Abstract This document is intended to provide information of interest to developers of Lightweight Directory Access Protocol (LDAP) specifications and products. It is intended to provide background information and to facilitate discussion within IETF Working Groups, most notably LDAPbis. This Internet-Draft highlights decisions made by group attending the ITU-T and ISO/IEC JTC1 Collaborative Meeting on the Directory in London in February 2003 for inclusion in an upcoming Proposed Draft Amendment (PDAM) to the ITU-T X.500 / IS 9594 Specification. It also identifies issues that the X.500 group would like to bring to the attention of the LDAPbis Working Group at the upcoming IETF meeting in March. Slone 1 Maximizing Alignment Between LDAP and X.500 February 2003 Table of Contents Status of this Memo................................................1 Abstract...........................................................1 1. Introduction....................................................3 2. Background......................................................3 3. Alignment Changes for X.500.....................................3 3.1 InvokeID and messageID.........................................3 3.2 DAP modify semantics...........................................3 3.3 LDAP Controls and DAP Criticality Identifiers..................3 3.4 Preservation of values stored in the directory.................3 3.5 Interoperability in the presence of ;binary....................3 3.6 Operational models in the presence of X.500 and LDAP...........4 3.7 Chained LDAP...................................................4 3.8 Streamed Responses.............................................4 3.9 Removal of remaining dependency on OSI.........................4 3.10 SASL authentication...........................................4 3.11 Multi-master replication......................................4 3.12 Knowledge pointers for LDAP...................................4 3.13 Implicit knowledge and the use of SRV records.................5 3.14 The myth of "X.500-style names"...............................5 3.15 X.500 Contexts and LDAP options...............................5 3.16 String matching...............................................5 3.17 New knowledge type............................................5 3.18 Persistent identifier attribute (UUID)........................5 3.19 Enhanced matching.............................................5 4. Recommended Changes for LDAP....................................5 5. Next Steps......................................................6 6. Security Considerations.........................................6 7. Author's Address................................................7 8. References......................................................7 8.1 Normative References...........................................7 8.2 Informative References.........................................7 Slone Informational - Expires August 23, 2003 2 Maximizing Alignment Between LDAP and X.500 February 2003 1. Introduction In 2000, the ITU-T and ISO/IEC Collaborative Committee on the Directory began work on maximizing alignment between LDAP and X.500. The topic has been discussed at each meeting since then. This document summarizes the status of these discussions as of the conclusion of the latest X.500 meeting held in London, England, in February 2003. 2. Background The most recent X.500 specification is the fourth edition, published in 2001. The alignment project is intended to produce a set of amendments to the fourth edition that will result in the publication of a fifth edition, probably around 2004 or 2005. Thus far, the work has been captured in a series of Working Documents. As of the London meeting, it will determined that the document would be published as a Proposed Draft Amendment (PDAM), which will be balloted under ISO/IEC rules. The next meeting is scheduled for September 2003 in Geneva, Switzerland. 3. Alignment Changes for X.500 This section briefly highlights the alignment items that are to be included in the PDAM as changes to X.500. 3.1 InvokeID and messageID The PDAM will explicitly declare that X.500's invokeID and LDAP's messageID are equivalent. 3.2 DAP modify semantics. The PDAM will update the semantics of X.500's modify operation to align with LDAP's semantics as follows: - Remove restrictions on "addValue" and "removeValue" options, - Add "replace" option with same semantics as LDAP. 3.3 LDAP Controls and DAP Criticality Identifiers The PDAM will provide a mapping between DAP criticality identifiers (integers) and LDAP Control OIDs. 3.4 Preservation of values stored in the directory The PDAM will require the preservation of client-supplied values in stored data. (Note: this deficiency will also be a corrected retroactively in the 3rd and 4th editions via the defect report process. However, the 2nd edition (1993) will not be corrected since it is no longer under maintenance.) 3.5 Interoperability in the presence of ;binary Slone Informational - Expires August 23, 2003 3 Maximizing Alignment Between LDAP and X.500 February 2003 The PDAM will declare the explicit intent to ensure interoperability with respect to the ;binary issue, pending the final resolution of this issue within the LDAP community. 3.6 Operational models in the presence of X.500 and LDAP The PDAM will update the models sections as appropriate to depict various interoperation scenarios among a combination of X.500 DSAs and LDAP servers and with a mixture of X.500 DUAs and LDAP clients. These scenarios will include a combination of client/server operation, referrals, and chaining. 3.7 Chained LDAP The PDAM will modify DSP (Directory Server Protocol) to explicitly permit the encapsulation of LDAP operations for chaining. (Note: the mechanism will be defined in a way that will also be suitable for other directory protocols such as DSML should the need arise.) 3.8 Streamed Responses The PDAM will enhance DSP to permit the chaining of streamed responses. This enhancement will include a negotiation mechanism to ensure backward compatibility with older DSAs that do not understand streamed responses. 3.9 Removal of remaining dependency on OSI The PDAM will remove remaining dependencies on legacy OSI protocols (most notably ROSE), facilitating implementation of X.500 protocols directly over TCP. (Note: A direct mapping of X.500 protocols onto TCP/IP was first specified in the 3rd (1997) edition. This update will remove some residual dependencies on ROSE.) 3.10 SASL authentication Although left for further study, the PDAM will call for comments on the topic of whether X.500 protocols should be extended to include SASL. 3.11 Multi-master replication The PDAM will also call for comments exploring whether the existing information model (X.501) requires modification in the presence of multi-master replication (it appears that it does not require modification) and whether the "otherStrategy" mechanism of the existing replication protocol (DISP) is sufficient to signal the use of external replication mechanisms such as LDAP changelog, LDIF, DSMLv2, or proprietary mechanisms. 3.12 Knowledge pointers for LDAP Slone Informational - Expires August 23, 2003 4 Maximizing Alignment Between LDAP and X.500 February 2003 The PDAM will expand the specification of AccessPoint to include a labeledURI type, permitting LDAP URLs to be used as knowledge pointers in X.500. 3.13 Implicit knowledge and the use of SRV records The PDAM will include a new informative annex for X.501 that discusses naming issues in general, and that formalizes the use of implicit knowledge (such as that contained within domainComponent RDNs) and how that implicit knowledge can be used to locate directory servers (e.g., by using DNS SRV records). 3.14 The myth of "X.500-style names" The PDAM will enhance Annex B of X.521 (the informative annex that is commonly misquoted as "requiring" the use of country- and organization-based names) to illustrate that dc-based names and "traditional X.500" names are both valid options. 3.15 X.500 Contexts and LDAP options The PDAM will include a new context type definition called "LDAPAttributeOptionsContext" to provide an alignment mechanism between LDAP options and X.500 contexts. 3.16 String matching The PDAM will incorporate the recommendations from draft-zeilenga- ldapbis-strmatch-01.txt [STRMATCH] into X.520. 3.17 New knowledge type The PDAM will create a new knowledge reference type called "disjoint knowledge" to provide the explicit ability to reference disconnected and/or overlapping naming contexts for use in chaining or referrals. 3.18 Persistent identifier attribute (UUID) The PDAM will propose adding the Universal Unique Identifier (UUID) as a generally useful attribute type for use as a persistent identifier. 3.19 Enhanced matching The PDAM will specify a new service control to enable the client to signal its need for the server to require that all assertions in a filter match on any one value of the relevant attribute. This is to avoid the "false positive" matches that can sometimes occur with multi-valued attributes when different assertions in a compound filter match on different values. 4. Recommended Changes for LDAP Slone Informational - Expires August 23, 2003 5 Maximizing Alignment Between LDAP and X.500 February 2003 On behalf of the X.500 group, this author wishes to express appreciation for the spirit of cooperation that has been shown by members of various LDAP working groups since this project began. Most of the LDAP-specific changes resulting from this alignment activity are being absorbed into the normal flow of LDAP development activities. At the time of this writing, the only additional alignment change that the X.500 group recommends is the specification of an LDAP Control to permit the capabilities described above in 3.19. 5. Next Steps The PDAM is expected to be completed and registered for ballot by early April 2003. Once that is completed, this I-D will be updated to provide further details and to provide a reference to an on-line version of the PDAM. Interest parties may contact the author of this I-D for further information. 6. Security Considerations Security implications of this I-D are related primarily to a difference in the approaches to security between X.500 and LDAP. This difference results from some fundamental differences in design and operational assumptions. That is, LDAP is designed essentially as a point-to-point system, whereas X.500 was designed to operate in a widely distributed fashion. To the extent directory operations occur in a point-to-point fashion, it is believed that current mechanisms (such as TLS) for securing the communication channels are appropriate and sufficient. However, to the extent alignment between X.500 and LDAP results in an increase in distributed directory operations, mechanisms such as TLS may be insufficient since directory clients and servers will each find themselves interoperating with communications partners with which they have not established a direct connection. The security implications of distributed directory operations environments are documented extensively throughout the X.500 specifications. However, the X.500 group notes some basic differences that could be of concern. Specifically, X.500 protocols protect arguments, results, and errors (not complete PDUs), whereas LDAP operations are not protected. It may be appropriate to consider the development of a mechanism for protecting (i.e., signing and/or encrypting) LDAP operations for use in a distributed environment. Specific mechanisms are left for further study. Slone Informational - Expires August 23, 2003 6 Maximizing Alignment Between LDAP and X.500 February 2003 7. Author's Address Skip Slone Phone: +1 407-306-7102 Lockheed Martin Email: skip.slone@lmco.com 12506 Lake Underhill Rd. MP 166 Orlando, FL 32825 USA 8. References 8.1 Normative References None 8.2 Informative References [STRMATCH] Zeilenga, K., "Internationalized String Matching Rules for X.500", draft-zeilenga-ldapbis-strmatch-xx.txt (a work-in- progress). [X.500] International Telephone Union, "The Directory: Overview of Concepts, Models and Service", X.500, 2001. Slone Informational - Expires August 23, 2003 7