StartTLS State Transition table
Ariel had sent me this StartTLS State Transition table ages ago, but too late to
include in what became RFCs 2829/2830. I mentioned it in the last ldapbis
meeting or two, and here it finally is. I have NOT checked it for accuracy.
The pictorial representation it is nominally based on is here (URL possibly
folded)..
http://www.stanford.edu/~hodges/doc/LDAPAssociationStateDiagram-1999-12-14.html
..though the table below was created prior to the issuance of RFCs 2829/2830
and the 1999-12-14 version of LDAPAssociationStateDiagram, so it needs to be
carefully checked over and brought up-to-date. Note that there are still some
subtleties in the 1999-12-14 version of LDAPAssociationStateDiagram that need
to be fixed w.r.t. RFCs 2829/2830 (see the Notes in the bottom righthand
corner for known omissions).
I strongly hope that a table much like the below will make it into the LDAPbis
successor(s) to RFCs 2829/2830.
thanks,
JeffH
-------
ariel@columbia.edu wrote...
In my quest to be really really sure I have a solid understanding of how to
implement SASL external with TLS, here's the state diagram rewritten
as it could be shoehorned into an I-D.
Terms used:
Auth ID -- authentication ID associated with the LDAP connection.
AuthZ ID -- authorization ID associated with the LDAP connection.
Rules:
1) client state: No TLS connection
   action: client does SASL external bind w/wo sasl credentials
   server sends Inappropriate Auth

2) client state: TLS connection exists, no TLS credentials exist
   (either because server did not request it, or server requested
   it but no certificate was provided and the server elected
   to permit the connection)
   action: client does SASL external bind w/wo sasl credentials
   server sends Inappropriate Auth

3) client state: TLS connection exists; TLS credentials may or may
   not exist; other credentials from any sort of bind may or
   may not exist.
   action: client closes TLS
   client enters state of no TLS connection, no credentials of any sort
   This is the anonymous bind state (with no TLS connection).

4) client state: TLS connection established, TLS credentials exist
   action: client does SASL external bind without sasl credentials
   server must try to derive an AuthZ ID from the TLS credentials;
   if it can't, it returns "InvalidCreds" and any credentials previously
   in force stay in force;
   if it can, the client now has TLS on, Auth ID, AuthZ ID; any
   previous AuthZ credentials, including from a previous SASL external
   bind, are flushed.

5) client state: TLS connection established, TLS credentials exist
   action: client does SASL external bind with sasl credentials
   server must try to map the TLS credentials to the AuthZ ID specified
   in the sasl credentials;
   if it can't, it returns "InvalidCreds" and any credentials previously
   in force stay in force;
   if it can, the client now has TLS on, Auth ID, AuthZ ID; any
   previous AuthZ credentials, including from a previous SASL external
   bind, are flushed.
Here's the chart:
I feel a confusion here between TLS creds and Auth ID creds; see states
3 and 7 for the source of the confusion. I think that in State 3
we should claim that there is no Auth ID yet; not until a successful Bind,
which sets both Auth ID and AuthZ ID, (possibly to the same thing).
Client states
-------------
State 1:  No Auth ID, No AuthZ ID, TLS Conn OFF, No TLS Creds
State 2:  No Auth ID, No AuthZ ID, TLS Conn ON, No TLS Creds
State 3:  Auth ID I from TLS, No AuthZ ID, TLS Conn ON, TLS Creds I
State 4:  Auth ID X from non-SASL Ext method,
          AuthZ ID Y from non-SASL Ext method, TLS Conn OFF, No TLS Creds
State 5:  Auth ID X from non-SASL Ext method,
          AuthZ ID Y from non-SASL Ext method, TLS Conn ON, No TLS Creds
State 7:  Auth ID X from non-SASL Ext method,
          AuthZ ID Y from non-SASL Ext method, TLS Conn ON, TLS Creds I
State 8:  Auth ID I from TLS, AuthZ ID J from SASL Ext creds,
          TLS Conn ON, TLS Creds I
State 11: Auth ID I from TLS, AuthZ ID K derived from Auth ID I,
          TLS Conn ON, TLS Creds I
Server Decisions
----------------
Decision 1: Can a valid AuthZ ID be derived from Auth ID I?
Decision 2: Can Auth ID I be mapped to AuthZ ID J?
State Matrix
------------
State      Action                  Error               Resultant State   Rules used
-------    ----------------        -------------       ---------------   ----------
State 1    Anon Bind               ---                 State 1
           SASL Ext Bind           InappropriateAuth   State 1           1
           with or without
           SASL creds
           Start TLS without       ---                 State 2
           client creds
           Start TLS with          ---                 State 3
           client creds
           Bind with mechanism     ---(assume ok)      State 4
           not SASL Ext
State 2    Close TLS Conn          ---                 State 1           3
           SASL Ext Bind           InappropriateAuth   State 2           2
           with or without
           SASL creds
State 3    Close TLS Conn          ---                 State 1           3
           SASL Ext Bind           ---                 Decision 1        4
           without SASL creds
           SASL Ext Bind           ---                 Decision 2        5
           with SASL creds
State 4    SASL Ext Bind           InappropriateAuth   State 4           1
           with or without
           SASL creds
           Start TLS without       ---                 State 5
           client creds
           Start TLS with          ---                 State 6
           client creds
State 5    SASL Ext Bind           InappropriateAuth   State 4           2
           with or without
           SASL creds
           Close TLS               ---                 State 1           3
State 7    SASL Ext Bind           ---                 Decision 1        4
           without SASL creds
           SASL Ext Bind           ---                 Decision 2        5
           with SASL creds
           Close TLS               ---                 State 1           3
State 8    Close TLS               ---                 State 1           3
State 11   Close TLS               ---                 State 1           3
Decision Matrix
---------------
Decision     Yes/No   Error                State Transition      Rules used
----------   -------  ------------------   -------------------   ----------
Decision 1   Yes      ---                  3 or 7 --> 11         4
             No       InvalidCredentials   3-->3 or 7-->7        4
Decision 2   Yes      ---                  3 or 7 --> 8          5
             No       InvalidCredentials   3-->3 or 7-->7        5
------- End of Forwarded Message
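The following is an executable model of Ariel's rules 1 through 5 and the two server decisions, added here as an example; it is not code from the original message, from the ldapbis work, or from any LDAP implementation. The server's two decisions (can an AuthZ ID be derived from the TLS identity; may that identity take on the AuthZ ID named in the SASL credentials) are supplied as policy callables, and the certificate-to-AuthZ table and allowed-proxy set at the bottom are constructed sample data. It is useful for checking the two properties the rules insist on: a failed EXTERNAL bind leaves the previous credentials in force, and closing TLS drops every credential, whatever its origin.

```python
# Executable model of the StartTLS / SASL EXTERNAL state table above.
# Added example, not part of the original message. Policy data is constructed.
from dataclasses import dataclass, replace
from typing import Callable, Optional, Tuple

SUCCESS = "success"
INAPPROPRIATE_AUTH = "inappropriateAuthentication"
INVALID_CREDS = "invalidCredentials"


@dataclass(frozen=True)
class Assoc:
    """Client-side view of the association: the four columns of the state list."""
    auth_id: Optional[str] = None
    authz_id: Optional[str] = None
    tls_on: bool = False
    tls_creds: Optional[str] = None  # identity from the client certificate, if any


Result = Tuple[str, Assoc]


class Server:
    def __init__(self, derive: Callable[[str], Optional[str]],
                 may_map: Callable[[str, str], bool]) -> None:
        self.derive = derive      # Decision 1: AuthZ ID derivable from Auth ID I?
        self.may_map = may_map    # Decision 2: may Auth ID I act as AuthZ ID J?

    def start_tls(self, a: Assoc, client_cert: Optional[str] = None) -> Result:
        # Start TLS with or without client creds; prior bind credentials are untouched
        return SUCCESS, replace(a, tls_on=True, tls_creds=client_cert)

    def close_tls(self, a: Assoc) -> Result:
        # Rule 3: back to State 1, no credentials of any sort
        return SUCCESS, Assoc()

    def other_bind(self, a: Assoc, dn: str) -> Result:
        # "Bind with mechanism not SASL Ext": assumed to succeed, as in the table
        return SUCCESS, replace(a, auth_id=dn, authz_id=dn)

    def sasl_external_bind(self, a: Assoc, sasl_authz: Optional[str] = None) -> Result:
        # Rules 1 and 2: no TLS, or TLS without client creds -> InappropriateAuth
        if not a.tls_on or a.tls_creds is None:
            return INAPPROPRIATE_AUTH, a
        ident = a.tls_creds
        if sasl_authz is None:
            authz = self.derive(ident)                      # Rule 4 / Decision 1
        else:
            authz = sasl_authz if self.may_map(ident, sasl_authz) else None  # Rule 5 / Decision 2
        if authz is None:
            return INVALID_CREDS, a                         # previous creds stay in force
        return SUCCESS, replace(a, auth_id=ident, authz_id=authz)  # old AuthZ flushed


# Constructed sample policy: certificate subject -> authorization identity
CERT_TO_AUTHZ = {
    "CN=alice,O=Example": "uid=alice,dc=example,dc=com",
    "CN=proxy,O=Example": "uid=proxy,dc=example,dc=com",
}
# Constructed: identities permitted to name a different AuthZ ID in the SASL creds
ALLOWED_PROXY = {("CN=proxy,O=Example", "uid=bob,dc=example,dc=com")}


def derive(ident: str) -> Optional[str]:
    return CERT_TO_AUTHZ.get(ident)


def may_map(ident: str, authz: str) -> bool:
    return derive(ident) == authz or (ident, authz) in ALLOWED_PROXY


def walk(steps, server: Optional[Server] = None):
    """Apply (operation, kwargs) steps starting from State 1; return [(result, state), ...]."""
    srv = server or Server(derive, may_map)
    a, trace = Assoc(), []
    for op, kwargs in steps:
        res, a = getattr(srv, op)(a, **kwargs)
        trace.append((res, a))
    return trace


if __name__ == "__main__":
    for res, st in walk([
        ("sasl_external_bind", {}),                                            # Rule 1
        ("start_tls", {}),                                                     # State 2
        ("sasl_external_bind", {}),                                            # Rule 2
        ("close_tls", {}),                                                     # Rule 3
        ("start_tls", {"client_cert": "CN=alice,O=Example"}),                  # State 3
        ("sasl_external_bind", {"sasl_authz": "uid=bob,dc=example,dc=com"}),   # Decision 2: No
        ("sasl_external_bind", {}),                                            # Decision 1: Yes -> State 11
        ("close_tls", {}),                                                     # Rule 3
    ]):
        print(f"{res:28} {st}")
```

Each scenario in `walk` starts from State 1 and returns the result code and resulting association after every step, so a test can check that the state really did not move on `invalidCredentials` and that `close_tls` returns a fresh `Assoc()` regardless of what bind preceded it.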