Training courses

Kernel and Embedded Linux

Bootlin training courses

Embedded Linux, kernel,
Yocto Project, Buildroot, real-time,
graphics, boot time, debugging...

Bootlin logo

Elixir Cross Referencer

   1
   2
   3
   4
   5
   6
   7
   8
   9
  10
  11
  12
  13
  14
  15
  16
  17
  18
  19
  20
  21
  22
  23
  24
  25
  26
  27
  28
  29
  30
  31
  32
  33
  34
  35
  36
  37
  38
  39
  40
  41
  42
  43
  44
  45
  46
  47
  48
  49
  50
  51
  52
  53
  54
  55
  56
  57
  58
  59
  60
  61
  62
  63
  64
  65
  66
  67
  68
  69
  70
  71
  72
  73
  74
  75
  76
  77
  78
  79
  80
  81
  82
  83
  84
  85
  86
  87
  88
  89
  90
  91
  92
  93
  94
  95
  96
  97
  98
  99
 100
 101
 102
 103
 104
 105
 106
 107
 108
 109
 110
 111
 112
 113
 114
 115
 116
 117
 118
 119
 120
 121
 122
 123
 124
 125
 126
 127
 128
 129
 130
 131
 132
 133
 134
 135
 136
 137
 138
 139
 140
 141
 142
 143
 144
 145
 146
 147
 148
 149
 150
 151
 152
 153
 154
 155
 156
 157
 158
 159
 160
 161
 162
 163
 164
 165
 166
 167
 168
 169
 170
 171
 172
 173
 174
 175
 176
 177
 178
 179
 180
 181
 182
 183
 184
 185
 186
 187
 188
 189
 190
 191
 192
 193
 194
 195
 196
 197
 198
 199
 200
 201
 202
 203
 204
 205
 206
 207
 208
 209
 210
 211
 212
 213
 214
 215
 216
 217
 218
 219
 220
 221
 222
 223
 224
 225
 226
 227
 228
 229
 230
 231
 232
 233
 234
 235
 236
 237
 238
 239
 240
 241
 242
 243
 244
 245
 246
 247
 248
 249
 250
 251
 252
 253
 254
 255
 256
 257
 258
 259
 260
 261
 262
 263
 264
 265
 266
 267
 268
 269
 270
 271
 272
 273
 274
 275
 276
 277
 278
 279
 280
 281
 282
 283
 284
 285
 286
 287
 288
 289
 290
 291
 292
 293
 294
 295
 296
 297
 298
 299
 300
 301
 302
 303
 304
 305
 306
 307
 308
 309
 310
 311
 312
 313
 314
 315
 316
 317
 318
 319
 320
 321
 322
 323
 324
 325
 326
 327
 328
 329
 330
 331
 332
 333
 334
 335
 336
 337
 338
 339
 340
 341
 342
 343
 344
 345
 346
 347
 348
 349
 350
 351
 352
 353
 354
 355
 356
 357
 358
 359
 360
 361
 362
 363
 364
 365
 366
 367
 368
 369
 370
 371
 372
 373
 374
 375
 376
 377
 378
 379
 380
 381
 382
 383
 384
 385
 386
 387
 388
 389
 390
 391
 392
 393
 394
 395
 396
 397
 398
 399
 400
 401
 402
 403
 404
 405
 406
 407
 408
 409
 410
 411
 412
 413
 414
 415
 416
 417
 418
 419
 420
 421
 422
 423
 424
 425
 426
 427
 428
 429
 430
 431
 432
 433
 434
 435
 436
 437
 438
 439
 440
 441
 442
 443
 444
 445
 446
 447
 448
 449
 450
 451
 452
 453
 454
 455
 456
 457
 458
 459
 460
 461
 462
 463
 464
 465
 466
 467
 468
 469
 470
 471
 472
 473
 474
 475
 476
 477
 478
 479
 480
 481
 482
 483
 484
 485
 486
 487
 488
 489
 490
 491
 492
 493
 494
 495
 496
 497
 498
 499
 500
 501
 502
 503
 504
 505
 506
 507
 508
 509
 510
 511
 512
 513
 514
 515
 516
 517
 518
 519
 520
 521
 522
 523
 524
 525
 526
 527
 528
 529
 530
 531
 532
 533
 534
 535
 536
 537
 538
 539
 540
 541
 542
 543
 544
 545
 546
 547
 548
 549
 550
 551
 552
 553
 554
 555
 556
 557
 558
 559
 560
 561
 562
 563
 564
 565
 566
 567
 568
 569
 570
 571
 572
 573
 574
 575
 576
 577
 578
 579
 580
 581
 582
 583
 584
 585
 586
 587
 588
 589
 590
 591
 592
 593
 594
 595
 596
 597
 598
 599
 600
 601
 602
 603
 604
 605
 606
 607
 608
 609
 610
 611
 612
 613
 614
 615
 616
 617
 618
 619
 620
 621
 622
 623
 624
 625
 626
 627
 628
 629
 630
 631
 632
 633
 634
 635
 636
 637
 638
 639
 640
 641
 642
 643
 644
 645
 646
 647
 648
 649
 650
 651
 652
 653
 654
 655
 656
 657
 658
 659
 660
 661
 662
 663
 664
 665
 666
 667
 668
 669
 670
 671
 672
 673
 674
 675
 676
 677
 678
 679
 680
 681
 682
 683
 684
 685
 686
 687
 688
 689
 690
 691
 692
 693
 694
 695
 696
 697
 698
 699
 700
 701
 702
 703
 704
 705
 706
 707
 708
 709
 710
 711
 712
 713
 714
 715
 716
 717
 718
 719
 720
 721
 722
 723
 724
 725
 726
 727
 728
 729
 730
 731
 732
 733
 734
 735
 736
 737
 738
 739
 740
 741
 742
 743
 744
 745
 746
 747
 748
 749
 750
 751
 752
 753
 754
 755
 756
 757
 758
 759
 760
 761
 762
 763
 764
 765
 766
 767
 768
 769
 770
 771
 772
 773
 774
 775
 776
 777
 778
 779
 780
 781
 782
 783
 784
 785
 786
 787
 788
 789
 790
 791
 792
 793
 794
 795
 796
 797
 798
 799
 800
 801
 802
 803
 804
 805
 806
 807
 808
 809
 810
 811
 812
 813
 814
 815
 816
 817
 818
 819
 820
 821
 822
 823
 824
 825
 826
 827
 828
 829
 830
 831
 832
 833
 834
 835
 836
 837
 838
 839
 840
 841
 842
 843
 844
 845
 846
 847
 848
 849
 850
 851
 852
 853
 854
 855
 856
 857
 858
 859
 860
 861
 862
 863
 864
 865
 866
 867
 868
 869
 870
 871
 872
 873
 874
 875
 876
 877
 878
 879
 880
 881
 882
 883
 884
 885
 886
 887
 888
 889
 890
 891
 892
 893
 894
 895
 896
 897
 898
 899
 900
 901
 902
 903
 904
 905
 906
 907
 908
 909
 910
 911
 912
 913
 914
 915
 916
 917
 918
 919
 920
 921
 922
 923
 924
 925
 926
 927
 928
 929
 930
 931
 932
 933
 934
 935
 936
 937
 938
 939
 940
 941
 942
 943
 944
 945
 946
 947
 948
 949
 950
 951
 952
 953
 954
 955
 956
 957
 958
 959
 960
 961
 962
 963
 964
 965
 966
 967
 968
 969
 970
 971
 972
 973
 974
 975
 976
 977
 978
 979
 980
 981
 982
 983
 984
 985
 986
 987
 988
 989
 990
 991
 992
 993
 994
 995
 996
 997
 998
 999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120



Network Working Group                                            M. Wahl
Internet-Draft                                     Informed Control Inc.
Intended status: Standards Track                             May 9, 2007
Expires: November 10, 2007


                     LDAP Session Tracking Control
                       draft-wahl-ldap-session-03

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on November 10, 2007.

Copyright Notice

   Copyright (C) The IETF Trust (2007).














Wahl                    Expires November 10, 2007               [Page 1]

Internet-Draft        LDAP Session Tracking Control             May 2007


Abstract

   Many network devices, application servers, and middleware components
   of a enterprise software infrastructure generate some form of session
   tracking identifiers, which are useful when analyzing activity and
   accounting logs to group activity relating to a particular session.
   This document discusses how Lightweight Directory Access Protocol
   version 3 (LDAP) clients can include session tracking identifiers
   with their LDAP requests.  This information is provided through
   controls in the requests the clients send to LDAP servers.  The LDAP
   server receiving these controls can include the session tracking
   identifiers in the log messages it writes, enabling LDAP requests in
   the LDAP server's logs to be correlated with activity in logs of
   other components in the infrastructure.  The control also enables
   session tracking information to be generated by LDAP servers and
   returned to clients and other servers.  Three formats of session
   tracking identifiers are defined in this document.


































Wahl                    Expires November 10, 2007               [Page 2]

Internet-Draft        LDAP Session Tracking Control             May 2007


1.  Introduction

   The majority of directory server implementations produce access logs
   detailing each request they receive.  These logs can be read using
   log parsing tools or specialized log viewer applications.  Typically
   it will be possible, for each request logged by a directory server,
   to determine the bind DN (or possibly another form of authentication
   identity) of the client which sent the request to the server, and
   many servers also log the IP address of the client that sent the
   request.

   In the original OSI architecture, it was envisaged that users might
   interact with a directory service through specialized applications,
   known as Directory User Agents, which were the clients of the
   Directory Access Protocol.  Similarly, in early Internet directory
   deployments, a majority of LDAP clients were desktop applications,
   that used the LDAP protocol to search an enterprise directory for
   address book/contact information.

   Today, the majority of LDAP clients are embedded within middleware
   and server applications.  Legacy address book protocols might be
   gatewayed into LDAP, or a server might consult an LDAP server in
   order to check a user's password or obtain their preferences.  While
   the LDAP requests might result from a user's activity somewhere on
   the network, it is rare for the user to be 'driving' the LDAP client,
   and in most cases the user performing the activity is unaware that
   LDAP requests are being generated on their behalf.

   However, this information is important to directory system
   administrators and auditors.  They may wish to determine who is
   making use of the directory service, or track the source of unusual
   requests.

   When a directory server administrator reviews a log file produced by
   a directory server that has been accessed only by clients that are
   themselves middleware, where the end user does not interact with the
   middleware directly, only through other kinds of servers (e.g.
   application servers or remote access servers), it will be difficult
   to correlate between the directory server's log and the logs of the
   servers which made use of this directory to determine why the LDAP
   requests were made and who were responsible for causing them.

   Reasons for this include:

   o  Directory servers are capable of performing many hundreds of
      requests per second or more, and even with time synchronization
      between the systems on which the directory server and middleware
      are deployed, times of requests might not be logged accurately



Wahl                    Expires November 10, 2007               [Page 3]

Internet-Draft        LDAP Session Tracking Control             May 2007


      enough to be able to correlate based on time: the server's logs
      might be only to 1-second resolution.

   o  A single function on a middleware server, such as "authenticate a
      user", may result in multiple LDAP requests being generated in
      order to perform that request.

   o  Many high performance middleware servers implement connection
      pooling, managing a set of persistent connections to each
      directory server and multiplexing operations across the
      connections.  Each connection will have the same source IP address
      and bind DN.  If a particular activity causes multiple LDAP
      requests to be generated, each LDAP request might be sent on a
      different connection.  Also, as LDAP is an asynchronous protocol,
      middleware servers may have more than one request in progress on
      each connection, asynchronously sending requests to the directory
      server on each connection and processing the responses in whatever
      order they are received.

   This document defines a new control for use in LDAPv3 [1] operation
   requests.  This control contains session tracking information that
   can be used to correlate log information present in the directory
   server's log with the logs of other middleware servers.

   The words "MUST", "SHOULD" and "MAY" are used as defined in RFC 2119
   [2].

1.1.  Motivation for session tracking

   A typical enterprise deployment with an application indirectly
   relying upon the directory might resemble:


       +------+     +--------+       +----------+      +--------+
       | User |     | Appli- |       | Auth./   | LDAP |  LDAP  |
       |      +-----+ cation +-------+ Identity +------+ Server |
       |      |     | Server |       | Provider |      |        |
       |  A   |     |   B    |       |    C     |      |   D    |
       +------+     +--------+       +----------+      +--------+


   In this diagram, a user (A) makes some request of an application
   server (B).  The application server might rely on an integrated or
   external authentication provider in order to check the user's
   authentication credentials, or might use an identity provider to
   obtain profile information about the user.  This request might be
   made through an API or a protocol other than LDAP, e.g.  RADIUS,
   Kerberos, SMB, etc.  The authentication/identity provider (C) would



Wahl                    Expires November 10, 2007               [Page 4]

Internet-Draft        LDAP Session Tracking Control             May 2007


   generate one or more LDAP requests and send them to an LDAP server
   (D).

   The LDAP server has the following information already available to it
   through the LDAP protocol: the IP address and authentication
   credentials of the authentication/identity provider (C).  If the
   provider has included the Proxy Authorization Control [11], then the
   LDAP server might also receive the Distinguished Name or
   authorization identity of either the user (A) or the application
   server (B), depending on how the authentication/identity provider (C)
   uses the directory.  In order to obtain this distinguished name
   however, the authentication/identity provider (C) might need to
   perform one or more LDAP search or bind requests.  If there is no
   entry in the directory corresponding to the identity of the user (A)
   or the application server (B), then there is no way in the base LDAP
   specification or the Proxy Authorization Control for the
   authentication/identity provider (C) to describe the user (A) or the
   application server (B) to the LDAP server (D).

   If either the application server (B) or the authentication/identity
   provider (C) have generated a session identifier for tracking the
   interactions of the user (A) for a particular session, then it is
   useful to include this information with the requests made to the
   directory server, so that this session identifier will show up in the
   directory server's logs.  That is the purpose of the control defined
   in the next section.

























Wahl                    Expires November 10, 2007               [Page 5]

Internet-Draft        LDAP Session Tracking Control             May 2007


2.  Control definition

   There is currently no standard way of describing a session: there are
   many different formats for a session identifier, and each application
   that tracks sessions typically has its own semantics for what a
   session means.  Thus, a control is defined using an extensible model,
   in order to incorporate many different application's concepts and
   formats of a session tracking identifier.

   The value of the session identifier control encapsulates the
   following four pieces of information: sessionSourceIp,
   sessionSourceName, formatOID and sessionTrackingIdentifier.

   The sessionSourceIp field is a US-ASCII string encoding of an IPv4 or
   IPv6 [3] address of the component of the system which has generated a
   session tracking identifier.  The purpose of this field is to enable
   the directory server administrator, even if they do not have a log
   parser that understands a particular session tracking identifier
   format, to at least be able to identify the server that manages the
   session.  Note that there is no guarantee of IP-level connectivity
   between the directory server and the system which generated the
   tracking identifier, and if Network Address Translation is being
   used, the IP address in this field might be from a private use
   address range.

   The sessionSourceName field is a UTF-8 [4] encoded ISO 10646 [5] text
   string.  This field describes the component of the system which has
   generated a session tracking identifier.  The format of this field is
   determined by the formatOID (discussed below); examples of contents
   of a sessionSourceName field might be a hostname, a distinguished
   name, or a web service address.  This contents of this field is not
   intended to identify an end user; instead it identifies the server
   using a name other than the server's IP address.

   The formatOID is a US-ASCII encoded dotted decimal representation of
   an OBJECT IDENTIFIER.  The OBJECT IDENTIFIER indicates the scheme
   that is used to generate the sessionSourceName and
   sessionTrackingIdentifier fields.  As there is currently no standard
   scheme for session information, it is expected that there will be
   many different formats carried within this control.  The OBJECT
   IDENTIFIERs for three formats are presented in this document.

   The sessionTrackingIdentifier field is a UTF-8 encoded ISO 10646
   string.  The session identifier SHOULD be limited to whitespace and
   printable characters; non-printing and control characters SHOULD NOT
   be used, and byte sequences that are not legal UTF-8 MUST NOT be
   used.  The syntax of the session identifier and its semantics (e.g.,
   how values are compared for equality) are governed by the formatOID.



Wahl                    Expires November 10, 2007               [Page 6]

Internet-Draft        LDAP Session Tracking Control             May 2007


   For example, the session identifier might be a simple string encoding
   of a decimal counter, a username, a timestamp, a fragment of XML, or
   it might be something else, depending on the format.

2.1.  Formal definition

   This document defines a single LDAP control.

   The controlType is 1.3.6.1.4.1.21008.108.63.1, the criticality MUST
   be either FALSE or absent, and the controlValue MUST be present.  The
   controlValue OCTET STRING is always present and contains the bytes of
   the BER [6] encoding of a value of the ASN.1 data type
   SessionIdentifierControlValue, defined as follows:

      LDAP-Session-Identifier-Control
      DEFINITIONS IMPLICIT TAGS ::=
      BEGIN

      LDAPString ::= OCTET STRING -- UTF-8 encoded
      LDAPOID ::= OCTET STRING -- Constrained to numericoid

      SessionIdentifierControlValue ::= SEQUENCE {
           sessionSourceIp                 LDAPString,
           sessionSourceName               LDAPString,
           formatOID                       LDAPOID,
           sessionTrackingIdentifier       LDAPString
      }

      END

   The sessionSourceIp element SHOULD NOT be longer than 42 characters
   (the length necessary for a string representation of an IPv6
   address), and MUST NOT be longer than 128 characters.  Each character
   will be encoded into a single byte.  If the IP address of the system
   which generated the session tracking identifier is not known, the
   sessionSourceIp element SHOULD be of zero length.

   The sessionSourceName element SHOULD NOT be longer than 1024
   characters, and MUST NOT be longer than 65536 bytes.  Note that in
   the UTF-8 encoding a character MAY be encoded into more than one
   byte.  If no other addressing information about that system is known
   or relevant to the format, the sessionSourceName element SHOULD be of
   zero length.

   The formatOID element MUST contain only the US-ASCII encodings of the
   ISO 10646 characters FULL STOP and DIGIT ZERO through DIGIT NINE
   (0x2E, 0x30-0x39).  The formatOID element MUST NOT be of zero length,
   and SHOULD NOT be longer than 1024 characters.



Wahl                    Expires November 10, 2007               [Page 7]

Internet-Draft        LDAP Session Tracking Control             May 2007


   The sessionTrackingIdentifier field MAY be of zero length (although
   this might not be useful).  There is no upper bound on the
   sessionTrackingIdentifier, but it is suggested that values SHOULD NOT
   be longer than 65536 characters without prior agreement with the
   directory server administrator.  Note that in the UTF-8 encoding a
   character MAY be encoded into more than one byte.

2.2.  Use in LDAP

   The control MAY be included in any LDAP operation.  The control has
   order-dependent semantics.

   A client might place the control on a message with a bindRequest,
   searchRequest, modifyRequest, addRequest, delRequest, modDNRequest,
   compareRequest or extendedReq.  A client MAY include multiple
   controls of this type in a single request.  This enables the client
   to incorporate multiple distinct session tracking identifiers with
   different formats.

   When a network service is proxying or chaining LDAP, in which the
   service receives an incoming LDAP request from a client and from this
   generates one or more requests to other LDAP servers, the service
   SHOULD include any controls of this type that it received from
   clients in requests it generates, without modification.  A service
   MAY silently remove a control if that control would violate security
   policy.  If the service has its own session state identifier, it
   SHOULD include the session identifier control it generates in the
   Controls SEQUENCE after any session identifier controls received by
   clients.  (If there are multiple proxies involved, each will add
   their own session state to the end of the controls list).

   A server might place the control on message with a bindResponse,
   searchResDone, modifyResponse, addResponse, delResponse,
   modDNResponse, compareResponse, extendedResp or intermediateResponse.
   The server can include the control in the response regardless of
   whether the client included a control in the request or not.  (The
   control in a response is unsolicited, and a client which does not
   recognize the control or a session tracking format can safely ignore
   the control, as discussed in the following section).  A server MAY
   include multiple controls of this type in a response.

2.3.  Extensibility considerations

   The following section of this document defines 3 possible formats,
   and it is expected that applications MAY define their own formats to
   represent session tracking identifiers already implemented.

   An application developer or server developer who wishes to transfer



Wahl                    Expires November 10, 2007               [Page 8]

Internet-Draft        LDAP Session Tracking Control             May 2007


   their implementation's format for session tracking identifier within
   an LDAP control MUST choose a new, unique, OBJECT IDENTIFIER to
   represent this format.

   The format determines the semantics of the sessionSourceName string,
   and the sessionTrackingIdentifier string.

   In general, when an LDAP server that has session tracking logging
   enabled receives one or more of these controls with a request, the
   server SHOULD include all fields of all of the controls with the
   logging information for the request.

   A LDAP server that supports third-party or extensible log parsing
   tools SHOULD NOT reject or ignore a control if the formatOID value is
   not recognized, as it is expected that applications may include
   session tracking identifiers and want to make this information
   available to log parsers for correlation purposes, even if the
   directory server does not need to make any use of this information.

   However, if the LDAP server does not recognize the control, the
   control is not properly formatted, or the LDAP client is not
   authorized to use this control, the LDAP server SHOULD ignore the
   control and process the request as if the control had not been
   included.

   When an LDAP client receives a response that includes this control,
   the behavior depends on the client implementation.  Clients SHOULD
   silently ignore controls with formats they do not recognize, and
   process the response as if the control had not been included.






















Wahl                    Expires November 10, 2007               [Page 9]

Internet-Draft        LDAP Session Tracking Control             May 2007


3.  Session tracking format definitions

   This section defines three session tracking formats that can be used
   within the session tracking control: two for RADIUS accounting, and
   one based on usernames.  Other formats can be defined in other
   documents.

3.1.  Formats for use with RADIUS accounting

   This section defines two possible session tracking formats, that can
   be used in LDAP clients that are part of or used by RADIUS servers
   [7].

   With formatOID set to 1.3.6.1.4.1.21008.108.63.1.1 within the control
   value, the sessionTrackingIdentifier SHOULD contain the value of the
   Acct-Session-Id RADIUS attribute (type 44), as defined in RFC 2866
   [8].  (RFC 2866 section 5.5 states that the Acct-Session-Id SHOULD
   contain UTF-8 encoded ISO 10646 characters.)

   With formatOID set to 1.3.6.1.4.1.21008.108.63.1.2 within the control
   value, the sessionTrackingIdentifier SHOULD contain the value of the
   Acct-Multi-Session-Id RADIUS attribute (type 50), as defined in RFC
   2866 [8].  (RFC 2866 section 5.11 states that the
   Acct-Multi-Session-Id SHOULD contain UTF-8 encoded ISO 10646
   characters.)

   In both of these two formats, the value of the sessionSourceIp field
   SHOULD contain either a string encoding value of the IPv4 address
   from the NAS-IP-Address RADIUS attribute (type 4), or a string
   encoding of the IPv6 address from the value of the NAS-IPv6-Address
   RADIUS attribute (type 95) as defined in RFC 3162 [9].  The value of
   the sessionSourceName field SHOULD contain a string encoding the
   value of the NAS-Identifier RADIUS attribute (type 32), if present,
   or be of zero length if the NAS-Identifier RADIUS attribute was not
   provided or was not in a recognized format.

3.2.  Format for username accounting

   This section defines another possible session tracking format that
   can be used in LDAP clients that are part of applications which
   identify users with simple string usernames.

   With formatOID set to 1.3.6.1.4.1.21008.108.63.1.3 within the control
   value, the sessionTrackingIdentifier SHOULD contain a username that
   has already been authenticated by the application that is generating
   the session.  This format SHOULD NOT be used for purported names,
   where the application has not verified that the username is valid.




Wahl                    Expires November 10, 2007              [Page 10]

Internet-Draft        LDAP Session Tracking Control             May 2007


   The sessionSourceName field SHOULD contain the hostname where that
   application is running, or be of zero length if the hostname is not
   known.

   The username SHOULD be a SASL authorization identity string, as
   described in section 3.4.1 of RFC 4422 [10].  It is expected that
   these usernames are not globally unique, but are only unique within
   the context of a particular application or particular enterprise.  A
   username need not be a distinguished name, and an implementation
   receiving a control in this format MUST NOT assume that the contents
   of the sessionTrackingIdentifier can be parsed as a distinguished
   name.

   A control with this format differs from the Proxied Authorization
   Control as defined in RFC 4370 [11], as the presence of this session
   identifier control on a request SHOULD NOT influence the directory
   server's access control decision of whether or how to perform that
   request.

   Note that this format does not provide any information to
   differentiate between multiple sessions or periods of interaction by
   the same user.  It is primarily intended for deployments which merely
   need to be able to tie each directory operation to they identity of
   the user whose activities caused the operation request to be
   generated, even if the user might not even be represented in the
   directory where the operations are being performed.

3.2.1.  Example

   For example, if an application server "app.example.com" with IPv4
   address "192.0.2.1" had authenticated an user with name "bloggs", and
   then sent a search request to the LDAP directory in order to obtain
   some public information on service configuration intending to provide
   it to that user, the application might include a session identifier
   control.  The SessionIdentifierControlValue would have the following
   ASN.1 value prior to encoding:


      {  -- SEQUENCE
         "192.0.2.1",                    -- sessionSourceIp
         "app.example.com",              -- sessionSourceName
         "1.3.6.1.4.1.21008.108.63.1.3", -- formatOID
         "bloggs"                        -- sessionTrackingIdentifier
      }







Wahl                    Expires November 10, 2007              [Page 11]

Internet-Draft        LDAP Session Tracking Control             May 2007


   The session identifier control would be sent with controlType
   1.3.6.1.4.1.21008.108.63.1, criticality FALSE, and the controlValue
   the BER encoding of the SessionIdentifierControlValue.  The control
   included with the LDAP request would resemble:


      {  -- SEQUENCE
         "1.3.6.1.4.1.21008.108.63.1", -- controlType
         FALSE,                        -- criticality
         '304204093139322e302e322e31040f6170702e6578616d706c652e636f6d
          041c312e332e362e312e342e312e32313030382e3130382e36332e312e33
          0406626c6f676773'H           -- controlValue
      }






































Wahl                    Expires November 10, 2007              [Page 12]

Internet-Draft        LDAP Session Tracking Control             May 2007


4.  Security Considerations

   The session identifier controls used in this document are not
   intended as a security control or proxy authentication mechanism, and
   SHOULD NOT be used within a directory server to influence the
   operation processing behavior.

   Malicious clients might attempt to provide false or misleading
   information in directory server logs through the use of this control.
   LDAP servers SHOULD implement access checks which limit whether
   session identifier information provided by a client is logged.  LDAP
   servers which implement this control SHOULD permit the administrator
   of the directory server to configure that this control is ignored
   unless the request containing the control was received from a client
   that been authenticated.  LDAP servers which implement this control
   SHOULD permit the administrator of the directory server to configure
   that this control is ignored unless the client is authorized to use
   this or related controls, such as the Proxied Authorization Control
   [11].  Session identifier information from clients which do not meet
   the server's access check requirement SHOULD be silently discarded.

   In some formats, session tracking identifiers may contain personal-
   identifiable information, such as usernames or client IP addresses.
   Unless data link, network or transport level encryption is being
   used, this information might be visible to attackers monitoring the
   network segments across which this information is being transmitted.
   Implementations of LDAP clients which include this control in
   requests sent to directory servers SHOULD support the use of
   underlying security services that establish connection
   confidentiality before the control is sent, such as a SASL mechanism
   that negotiates a security layer, or the Start TLS operation.

   Correlation of activities across multiple servers can enable
   administrators and monitoring tools to construct a more accurate
   picture of user behavior.  In particular, this tracking control could
   be used to determine the set of applications and services with which
   a particular user has had interactions.  Thus, this control would not
   be appropriate to deployments intending to anonymize directory
   requests.  Session formats containing personal identifiable
   information SHOULD NOT be used between systems in different
   organizations where there is no existing agreement between those
   organizations on privacy protection.

   A value of the session tracking control might contain internal IP
   addresses, hostnames and other identifiers that reveal the structure
   of an enterprise network.  A network service that generates its own
   sessions SHOULD NOT send a session tracking control to a directory
   server that is under different administration or in a different



Wahl                    Expires November 10, 2007              [Page 13]

Internet-Draft        LDAP Session Tracking Control             May 2007


   security enclave from itself.  A network service that is an LDAP
   client and also either receives requests over another protocol that
   contains session tracking identifiers or is proxying incoming LDAP
   requests SHOULD NOT forward received session tracking identifiers to
   a directory server that is under different administration or in a
   different security enclave from itself.  A packet inspecting firewall
   that permits outgoing LDAP requests from an enterprise network SHOULD
   silently remove any session tracking controls from requests that are
   being sent to directory servers outside of the enterprise network for
   which there is not a preexisting policy configured to allow the
   session tracking control to be sent to that directory server.








































Wahl                    Expires November 10, 2007              [Page 14]

Internet-Draft        LDAP Session Tracking Control             May 2007


5.  IANA Considerations

   This control will be registered as follows:

      Subject: Request for LDAP Protocol Mechanism Registration

      Object Identifier: 1.3.6.1.4.1.21008.108.63.1

      Description: Session Tracking Identifier

      Person & email address to contact for further information:
      Mark Wahl <Mark.Wahl@informed-control.com>

      Usage: Control

      Specification: (I-D) RFC XXXX

      Author/Change Controller: Mark Wahl


   The OBJECT IDENTIFIER for particular session identifier formats
   defined for other applications need not be registered with IANA.





























Wahl                    Expires November 10, 2007              [Page 15]

Internet-Draft        LDAP Session Tracking Control             May 2007


6.  Acknowledgments

   This control was inspired by conversations with Greg Lavender.  Neil
   Wilson provided useful feedback on this document.















































Wahl                    Expires November 10, 2007              [Page 16]

Internet-Draft        LDAP Session Tracking Control             May 2007


7.  References

7.1.  Normative References

   [1]   Zeilenga, K., "Lightweight Directory Access Protocol (LDAP):
         Technical Specification Road Map", RFC 4510, June 2006.

   [2]   Bradner, S., "Key words for use in RFCs to Indicate Requirement
         Levels", RFC 2119, BCP 14, March 1997.

   [3]   Hinden, R., "IP Version 6 Addressing Architecture", RFC 1884,
         January 1996.

   [4]   Yergeau, F., "UTF-8, a transformation format of ISO 10646",
         RFC 3629, November 2003.

   [5]   "Universal Multiple-Octet Coded Character Set (UCS) -
         Architecture and Basic Multilingual Plane, ISO/IEC 10646-1:
         1993".

   [6]   "ITU-T Rec. X.690 (07/2002) | ISO/IEC 8825-1:2002, "Information
         technology - ASN.1 encoding rules: Specification of Basic
         Encoding Rules (BER), Canonical Encoding Rules (CER) and
         Distinguished Encoding Rules (DER)", 2002.".

   [7]   Rigney, C., "Remote Authentication Dial In User Service
         (RADIUS)", RFC 2865, June 2000.

   [8]   Rigney, C., "RADIUS Accounting", RFC 2866, June 2000.

   [9]   Aboba, B., "RADIUS and IPv6", RFC 3162, August 2001.

   [10]  Melnikov, A., "Simple Authentication and Security Layer
         (SASL)", RFC 4422, June 2006.

7.2.  Informative References

   [11]  Weltman, R., "Lightweight Directory Access Protocol (LDAP)
         Proxied Authorization Control", RFC 4370, February 2006.












Wahl                    Expires November 10, 2007              [Page 17]

Internet-Draft        LDAP Session Tracking Control             May 2007


Appendix A.  Copyright

   Copyright (C) The IETF Trust (2007).  This document is subject to the
   rights, licenses and restrictions contained in BCP 78, and except as
   set forth therein, the authors retain all their rights.  This
   document and the information contained herein are provided on an "AS
   IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR
   IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.







































Wahl                    Expires November 10, 2007              [Page 18]

Internet-Draft        LDAP Session Tracking Control             May 2007


Author's Address

   Mark Wahl
   Informed Control Inc.
   PO Box 90626
   Austin, TX  78709
   US

   Email: mark.wahl@informed-control.com










































Wahl                    Expires November 10, 2007              [Page 19]

Internet-Draft        LDAP Session Tracking Control             May 2007


Full Copyright Statement

   Copyright (C) The IETF Trust (2007).

   This document is subject to the rights, licenses and restrictions
   contained in BCP 78, and except as set forth therein, the authors
   retain all their rights.

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
   THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
   OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
   THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.


Intellectual Property

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.


Acknowledgment

   Funding for the RFC Editor function is provided by the IETF
   Administrative Support Activity (IASA).





Wahl                    Expires November 10, 2007              [Page 20]