Adopted by INCITS (InterNational Committee for Information Technology Standards) as an American National Standard.
Date of ANSI Approval: 12/24/2003
Published by American National Standards Institute, 25 West 43rd Street, New York, New York 10036
Copyright 2003 by Information Technology Industry Council (ITI). All rights reserved.

These materials are subject to copyright claims of International Standardization Organization (ISO), International Electrotechnical Commission (IEC), American National Standards Institute (ANSI), and Information Technology Industry Council (ITI). Not for resale. No part of this publication may be reproduced in any form, including an electronic retrieval system, without the prior written permission of ITI. All requests pertaining to this standard should be submitted to ITI, 1250 Eye Street NW, Washington, DC 20005.
Printed in the United States of America

Reference number ISO/IEC 9594-2:2001(E)
© ISO/IEC 2001

INTERNATIONAL STANDARD ISO/IEC 9594-2
Fourth edition, 2001-12-15
Information technology – Open Systems Interconnection – The Directory: Models
(French title: Technologies de l'information – Interconnexion de systèmes ouverts (OSI) – L'annuaire: Les modèles)

PDF disclaimer
This PDF file may contain embedded typefaces. In accordance with Adobe's licensing policy, this file may be printed or viewed but shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In downloading this file, parties accept therein the responsibility of not infringing Adobe's licensing policy. The ISO Central Secretariat accepts no liability in this area.
Adobe is a trademark of Adobe Systems Incorporated.
Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below.

© ISO/IEC 2001 – All rights reserved
Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or ISO's member body in the country of the requester.
ISO copyright office
Case postale 56
CH-1211 Geneva 20
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
E-mail copyright@iso.ch
Web www.iso.ch
Published by ISO in 2002
Printed in Switzerland

CONTENTS

SECTION 1 – GENERAL
1 Scope
2 Normative references
2.1 Identical Recommendations | International Standards
2.2 Paired Recommendations | International Standards equivalent in technical content
3 Definitions
3.1 OSI Reference Model Definitions
3.2 Basic directory definitions
3.3 Distributed operation definitions
3.4 Replication definitions
4 Abbreviations
5 Conventions

SECTION 2 – OVERVIEW OF THE DIRECTORY MODELS
6 Directory Models
6.1 Definitions
6.2 The Directory and its Users
6.3 Directory and DSA Information Models
6.4 Directory Administrative Authority Model

SECTION 3 – MODEL OF DIRECTORY USER INFORMATION
7 Directory Information Base
7.1 Definitions
7.2 Objects
7.3 Directory Entries
7.4 The Directory Information Tree (DIT)
8 Directory Entries
8.1 Definitions
8.2 Overall Structure
8.3 Object Classes
8.4 Attribute Types
8.5 Attribute Values
8.6 Attribute Type Hierarchies
8.7 Contexts
8.8 Matching Rules
8.9 Entry Collections
8.10 Compound entries and families of entries
9 Names
9.1 Definitions
9.2 Names in General
9.3 Relative Distinguished Names
9.4 Name Matching
9.5 Names returned during operations
9.6 Names held as attribute values or used as parameters
9.7 Distinguished Names
9.8 Alias Names
10 Hierarchical groups
10.1 Definitions
10.2 Hierarchical relationship

SECTION 4 – DIRECTORY ADMINISTRATIVE MODEL
11 Directory Administrative Authority model
11.1 Definitions
11.2 Overview
11.3 Policy
11.4 Specific administrative authorities
11.5 Administrative areas and administrative points
11.6 DIT Domain policies
11.7 DMD policies

SECTION 5 – MODEL OF DIRECTORY ADMINISTRATIVE AND OPERATIONAL INFORMATION
12 Model of Directory Administrative and Operational Information
12.1 Definitions
12.2 Overview
12.3 Subtrees
12.4 Operational attributes
12.5 Entries
12.6 Subentries
12.7 Information model for collective attributes
12.8 Information model for context defaults

SECTION 6 – THE DIRECTORY SCHEMA
13 Directory Schema
13.1 Definitions
13.2 Overview
13.3 Object class definition
13.4 Attribute type definition
13.5 Matching rule definition
13.6 Relaxations and tightenings
13.7 DIT structure definition
13.8 DIT content rule definition
13.9 Context type definition
13.10 DIT Context Use definition
14 Directory System Schema
14.1 Overview
14.2 System schema supporting the administrative and operational information model
14.3 System schema supporting the administrative model
14.4 System schema supporting general administrative and operational requirements
14.5 System schema supporting access control
14.6 System schema supporting the collective attribute model
14.7 System schema supporting context assertion defaults
14.8 System schema supporting the service administration model
14.9 System schema supporting hierarchical groups
14.10 Maintenance of system schema
14.11 System schema for first-level subordinates
15 Directory schema administration
15.1 Overview
15.2 Policy objects
15.3 Policy parameters
15.4 Policy procedures
15.5 Subschema modification procedures
15.6 Entry addition and modification procedures
15.7 Subschema policy attributes

SECTION 7 – DIRECTORY SERVICE ADMINISTRATION
16 Service Administration Model
16.1 Definitions
16.2 Service-type/user-class model
16.3 Service specific administrative areas
16.4 Introduction to search-rules
16.5 Subfilters
16.6 Filter requirements
16.7 Attribute information selection based on search-rules
16.8 Access control aspects of search-rules
16.9 Contexts aspects of search-rules
16.10 Search-rule specification
16.11 Matching restriction definition
16.12 Search-validation function

SECTION 8 – SECURITY
17 Security model
17.1 Definitions
17.2 Security policies
17.3 Protection of Directory operations
18 Basic Access Control
18.1 Scope and application
18.2 Basic Access Control model
18.3 Access control administrative areas
18.4 Representation of Access Control Information
18.5 The ACI operational attributes
18.6 Protecting the ACI
18.7 Access control and Directory operations
18.8 Access Control Decision Function
18.9 Simplified Access Control
19 Rule-based Access Control
19.1 Scope and application
19.2 Rule-based Access Control model
19.3 Access control administrative areas
19.4 Security Label
19.5 Clearance
19.6 Access Control and Directory operations
19.7 Access Control Decision Function
19.8 Use of Rule-based and Basic Access Control
20 Cryptographic Protection in Storage
20.1 Data Integrity in Storage
20.2 Confidentiality of stored data

SECTION 9 – DSA MODELS
21 DSA Models
21.1 Definitions
21.2 Directory Functional Model
21.3 Directory Distribution Model

SECTION 10 – DSA INFORMATION MODEL
22 Knowledge
22.1 Definitions
22.2 Introduction
22.3 Knowledge References
22.4 Minimum Knowledge
22.5 First Level DSAs
23 Basic Elements of the DSA Information Model
23.1 Definitions
23.2 Introduction
23.3 DSA-Specific Entries and their Names
23.4 Basic Elements
24 Representation of DSA Information
24.1 Representation of Directory User and Operational Information
24.2 Representation of Knowledge References
24.3 Representation of Names and Naming Contexts

SECTION 11 – DSA OPERATIONAL FRAMEWORK
25 Overview
25.1 Definitions
25.2 Introduction
26 Operational bindings
26.1 General
26.2 Application of the operational framework
26.3 States of cooperation
27 Operational binding specification and management
27.1 Operational binding type specification
27.2 Operational binding management
27.3 Operational binding specification templates
28 Operations for operational binding management
28.1 Application-context definition
28.2 Establish Operational Binding operation
28.3 Modify Operational Binding operation
28.4 Terminate Operational Binding operation
28.5 Operational Binding Error
28.6 Operational Binding Management Bind and Unbind

Annex A – Object identifier usage
Annex B – Information Framework in ASN.1
Annex C – SubSchema Administration Schema in ASN.1
Annex D – Service Administration in ASN.1
Annex E – Basic Access Control in ASN.1
Annex F – DSA Operational Attribute Types in ASN.1
Annex G – Operational Binding Management in ASN.1
Annex H – Enhanced security
Annex I – The Mathematics of Trees
Annex J – Name Design Criteria
Annex K – Examples of various aspects of schema
K.1 Example of an Attribute Hierarchy
K.2 Example of a Subtree Specification
K.3 Schema Specification
K.4 DIT content rules
K.5 DIT context use
Annex L – Overview of Basic Access Control Permissions
L.1 Introduction
L.2 Permissions required for operations
L.3 Permissions affecting error
L.4 Entry level permissions
L.5 Entry level permissions
Annex M – Examples of Access Control
M.1 Introduction
M.2 Design principles for Basic Access Control
M.3 Introduction to example
M.4 Policy affecting the definition of specific and inner areas
M.5 Policy affecting the definition of DACDs
M.6 Policy expressed in prescriptiveACI attributes
M.7 Policy expressed in subentryACI attributes
M.8 Policy expressed in entryACI attributes
M.9 ACDF examples
M.10 Rule-based Access Control
Annex N – DSE Type Combinations
Annex O – Modelling of knowledge
Annex P – Names held as attribute values or used as parameters
Annex Q – Subfilters
Annex R – Compound entry name patterns and their use
Annex S – Alphabetical index of definitions
Annex T – Amendments and corrigenda

Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.

International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 3.

The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote.

Attention is drawn to the possibility that some of the elements of this part of ISO/IEC 9594 may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.

Users and implementors should note the existence of a “defect resolution” procedure in ISO/IEC JTC 1 to identify and correct errors in International Standards through the publication of Technical Corrigenda. Identical corrections are made to the corresponding ITU-T Recommendations through Corrigenda and may also be made in the form of Implementors' Guides. Details of Technical Corrigenda to International Standards are available on the ISO website; published Technical Corrigenda can be obtained via the ISO webstore or from the ISO and IEC national bodies. Corrigenda and Implementors' Guides to ITU-T Recommendations can be obtained from the ITU-T website.

ISO/IEC 9594-2 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 6, Telecommunications and information exchange between systems, in collaboration with ITU-T. The identical text is published as ITU-T Rec. X.501.

This fourth edition of ISO/IEC 9594-2 constitutes a technical revision of the third edition (ISO/IEC 9594-2:1998), which is provisionally retained in order to support implementations based on the third edition. This edition also incorporates Corrigendum 1:2002 and Corrigendum 2:2002.

ISO/IEC 9594 consists of the following parts, under the general title Information technology – Open Systems Interconnection – The Directory:
Part 1: Overview of concepts, models and services
Part 2: Models
Part 3: Abstract service definition
Part 4: Procedures for distributed operation
Part 5: Protocol specifications
Part 6: Selected attribute types
Part 7: Selected object classes
Part 8: Public-key and attribute certificate frameworks
Part 9: Replication
Part 10: Use of systems management for administration of the Directory

Annexes A to H form a normative part of this part of ISO/IEC 9594. Annexes I to T are for information only.

Introduction

This Recommendation | International Standard, together with the other Recommendations | International Standards, has been produced to facilitate the interconnection of information processing systems to provide directory services. A set of such systems, together with the directory information that they hold, can be viewed as an integrated whole, called the Directory. The information held by the Directory, collectively known as the Directory Information Base (D