1、Information technology Open Systems Interconnection The Directory Part 2: Models BS ISO/IEC 95942:2017 BSI Standards Publication WB11885_BSI_StandardCovs_2013_AW.indd 1 15/05/2013 15:06Information technology Open Systems Interconnection The Directory Part 2: Models Technologies de linformation Inter
2、connexion de systmes ouverts (OSI) L annuaire Partie 2: Les modles INTERNATIONAL STANDARD ISO/IEC 9594-2 Reference number ISO/IEC 9594-2:2017(E) Eighth edition 2017-05 ISO/IEC 2017 National foreword This British Standard is the UK implementation of ISO/IEC 95942:2017. It supersedes BS ISO/IEC 95942:
3、2014, which is withdrawn. The UK participation in its preparation was entrusted to Technical Committee IST/6, Data communications. A list of organizations represented on this committee can be obtained on request to its secretary. This publication does not purport to include all the necessary provisi
4、ons of a contract. Users are responsible for its correct application. The British Standards Institution 2017 Published by BSI Standards Limited 2017 ISBN 978 0 580 96317 9 ICS 35.100.70 Compliance with a British Standard cannot confer immunity from legal obligations. This British Standard was publis
5、hed under the authority of the Standards Policy and Strategy Committee on 30 June 2017. Amendments/corrigenda issued since publication Date Text affected BRITISH STANDARD BS ISO/IEC 95942:2017Information technology Open Systems Interconnection The Directory Part 2: Models Technologies de linformatio
6、n Interconnexion de systmes ouverts (OSI) L annuaire Partie 2: Les modles INTERNATIONAL STANDARD ISO/IEC 9594-2 Reference number ISO/IEC 9594-2:2017(E) Eighth edition 2017-05 ISO/IEC 2017 BS ISO/IEC 95942:2017 ii ISO/IEC 2017 All rights reserved COPYRIGHT PROTECTED DOCUMENT ISO/IEC 2017, Published i
7、n Switzerland All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission ca
8、n be requested from either ISO at the address below or ISOs member body in the country of the requester. ISO copyright office Ch. de Blandonnet 8 CP 401 CH-1214 Vernier, Geneva, Switzerland Tel. +41 22 749 01 11 Fax +41 22 749 09 47 copyrightiso.org www.iso.org ISO/IEC 9594-2:2017(E) BS ISO/IEC 9594
9、2:2017 ii ISO/IEC 2017 All rights reserved COPYRIGHT PROTECTED DOCUMENT ISO/IEC 2017, Published in Switzerland All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photoco
10、pying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISOs member body in the country of the requester. ISO copyright office Ch. de Blandonnet 8 CP 401 CH-1214 Vernier, Geneva, Switzerland Tel. +41 22 7
11、49 01 11 Fax +41 22 749 09 47 copyrightiso.org www.iso.org ISO/IEC 9594-2:2017(E)ISO/IEC 9594-2:2017(E) ISO/IEC 2017 All rights reserved ii-1 Foreword ISO (the I nternation al O rgani z atio n fo r Standard iz ation) a nd I EC (the I nter nation al E lec trotechnical C om m i ssi o n ) f orm the s p
12、e c i a l i z e d s ystem for worldwide s tandardiz at ion. N ational bo dies that a r e mem b ers of I SO o r IEC participate in t he d evelop ment o f Int e rna tion al S tandards through technic al committ ees e stablished by the resp ective o r g an ization to d eal w ith par ticular f i e l d s
13、 o f technical a ct iv it y . IS O a nd IE C technical committees c o l l ab or at e in fields of m utual interest. Other internati onal organiz a tio n s, g overn m ental and no ngovern mental, i n l i a i s o n w i th I S O a n d I E C , a l s o ta ke p art in the w ork. In the field of i nformati
14、o n technolo g y, I SO an d IEC have e stab li shed a jo i n t technical committee, ISO /IEC J TC 1. The pr oce du r es used to d evelop this document a nd those i nt ended f or its f u r th e r m a i n te n a n c e a r e d e s c r ib e d in the I S O / I E C Dir e c ti ves, Part 1. In p articul ar
15、the d ifferent a pproval criter ia needed f or the differ e nt types o f document s hould be noted. T his document w as d rafted in accordance w ith the e di to ri a l rul e s of the ISO /I EC Directives, Part 2 (see www.iso.org/directives ). A tt en ti o n is d rawn to t he possibility t hat some o
16、 f the el ements of t h i s d oc u men t m a y b e t h e s u bj ec t of p atent rights. ISO and IEC shall not be he l d r e sponsible f or identifying a ny or all such patent r ig h ts. D e ta i l s o f a n y pa t e n t rig h ts i d e n tif i e d d u rin g th e d e v el opment o f th e document w il
17、l be i n the Introduction and/or on t he ISO list of patent declarations rec eived (see ww w.iso.org/patents ). Any t r ade na me used in this document is information given for t h e co n v e n i e n c e o f us e r s and d o e s not constitu t e an endorsement. For an e xpl a nati on on t he meanin
18、g of I SO s peci fic terms an d expr essions related to c on f or mi t y a ss es s me nt, as well a s informati o n about ISOs a d h e r e n c e to the W o r l d T r a d e O rgan izat ion (WTO) principles in the Technic al B a r r i e r s to T r a d e (TBT) s e e the f o l lowing URL: www.iso.org/is
19、o/foreword.html. This e ight h e dition c ancels a nd r eplaces t he s eventh e dition ( ISO/IEC 95942:2014), w hich has been technically revised. This d ocum ent was pr e p ared b y IS O/IEC J T C 1 , Information technology, SC 6, Telecommunications and information exchange between systems , i n c
20、o ll a b o r a ti o n w i th I T U T . T he i d e n ti c a l te x t i s published as ITU T X.5 01 (10/ 20 16). A l ist o f al l pa rt s in t he ISO/I EC 9 5 94 s e rie s, publishe d unde r t h e g en eral ti t le Information technology Open Systems Interconnection The Directory , c a n be fou nd on
21、t h e IS O w e bsite. BS ISO/IEC 95942:2017 BS ISO/IEC 95942:2017 Rec. ITU-T X.501 (10/2016) iii CONTENTS Page SECTION 1 GENERAL . 1 1 Scope 1 2 References 2 2.1 Normative references 2 2.2 Non-normative reference . 3 3 Definitions 3 3.1 Communication definitions . 3 3.2 Basic Directory definitions 3
22、 3.3 Distributed operation definitions . 3 3.4 Replication definitions 4 4 Abbreviations . 4 5 Conventions 5 SECTION 2 OVERVIEW OF THE DIRECTORY MODELS 6 6 Directory Models 6 6.1 Definitions . 6 6.2 The Directory and its users 6 6.3 Directory and DSA Information Models . 7 6.4 Directory Administrati
23、ve Authority Model . 8 SECTION 3 MODEL OF DIRECTORY USER INFORMATION 9 7 Directory Information Base 9 7.1 Definitions . 9 7.2 Objects 10 7.3 Directory entries 10 7.4 Directory Information Tree (DIT) . 10 8 Directory entries . 11 8.1 Definitions . 11 8.2 Overall structure 13 8.3 Object classes 14 8.4
24、 Attribute types . 16 8.5 Attribute values . 16 8.6 Attribute type hierarchies 16 8.7 Friend attributes 17 8.8 Contexts 17 8.9 Matching rules . 18 8.10 Entry collections 22 8.11 Compound entries and families of entries . 22 9 Names . 23 9.1 Definitions . 23 9.2 Names in general . 24 9.3 Relative dis
25、tinguished name 24 9.4 Name matching . 25 9.5 Distinguished names . 25 9.6 Alias names . 26 10 Hierarchical groups 26 10.1 Definitions . 26 10.2 Hierarchical relationship . 27 10.3 Sequential ordering of a hierarchical group 28 BS ISO/IEC 95942:2017 iv Rec. ITU-T X.501 (10/2016) Page SECTION 4 DIREC
26、TORY ADMINISTRATIVE MODEL . 29 11 Directory Administrative Authority model 29 11.1 Definitions . 29 11.2 Overview . 29 11.3 Policy 30 11.4 Specific administrative authorities 30 11.5 Administrative areas and administrative points 31 11.6 DIT Domain policies . 33 11.7 DMD policies 33 SECTION 5 MODEL
27、OF DIRECTORY ADMINISTRATIVE AND OPERATIONAL INFORMATION . 35 12 Model of Directory Administrative and Operational Information 35 12.1 Definitions . 35 12.2 Overview . 35 12.3 Subtrees . 36 12.4 Operational attributes 38 12.5 Entries . 39 12.6 Subentries 39 12.7 Information model for collective attri
28、butes . 40 12.8 Information model for context defaults . 41 SECTION 6 THE DIRECTORY SCHEMA 42 13 Directory Schema . 42 13.1 Definitions . 42 13.2 Overview . 42 13.3 Object class definition . 44 13.4 Attribute type definition 46 13.5 Matching rule definition 50 13.6 Relaxation and tightening 52 13.7
29、DIT structure definition . 58 13.8 DIT content rule definition 61 13.9 Context type definition 62 13.10 DIT Context Use definition . 63 13.11 Friends definition 64 13.12 Syntax definitions 65 14 Directory System Schema 65 14.1 Overview . 65 14.2 System schema supporting the administrative and operat
30、ional information model 66 14.3 System schema supporting the administrative model 66 14.4 System schema supporting general administrative and operational requirements 67 14.5 System schema supporting access control . 69 14.6 System schema supporting the collective attribute model . 70 14.7 System sc
31、hema supporting context assertion defaults . 70 14.8 System schema supporting the service administration model . 70 14.9 System schema supporting password administration 71 14.10 System schema supporting hierarchical groups. 72 14.11 Maintenance of system schema . 73 14.12 System schema for first-le
32、vel subordinates . 73 15 Directory schema administration 73 15.1 Overview . 73 15.2 Policy objects 74 15.3 Policy parameters 74 15.4 Policy procedures 75 15.5 Subschema modification procedures . 75 15.6 Entry addition and modification procedures . 75 15.7 Subschema policy attributes 76 BS ISO/IEC 95
33、942:2017 iv Rec. ITU-T X.501 (10/2016) Page SECTION 4 DIRECTORY ADMINISTRATIVE MODEL . 29 11 Directory Administrative Authority model 29 11.1 Definitions . 29 11.2 Overview . 29 11.3 Policy 30 11.4 Specific administrative authorities 30 11.5 Administrative areas and administrative points 31 11.6 DIT
34、 Domain policies . 33 11.7 DMD policies 33 SECTION 5 MODEL OF DIRECTORY ADMINISTRATIVE AND OPERATIONAL INFORMATION . 35 12 Model of Directory Administrative and Operational Information 35 12.1 Definitions . 35 12.2 Overview . 35 12.3 Subtrees . 36 12.4 Operational attributes 38 12.5 Entries . 39 12.
35、6 Subentries 39 12.7 Information model for collective attributes . 40 12.8 Information model for context defaults . 41 SECTION 6 THE DIRECTORY SCHEMA 42 13 Directory Schema . 42 13.1 Definitions . 42 13.2 Overview . 42 13.3 Object class definition . 44 13.4 Attribute type definition 46 13.5 Matching
36、 rule definition 50 13.6 Relaxation and tightening 52 13.7 DIT structure definition . 58 13.8 DIT content rule definition 61 13.9 Context type definition 62 13.10 DIT Context Use definition . 63 13.11 Friends definition 64 13.12 Syntax definitions 65 14 Directory System Schema 65 14.1 Overview . 65
37、14.2 System schema supporting the administrative and operational information model 66 14.3 System schema supporting the administrative model 66 14.4 System schema supporting general administrative and operational requirements 67 14.5 System schema supporting access control . 69 14.6 System schema su
38、pporting the collective attribute model . 70 14.7 System schema supporting context assertion defaults . 70 14.8 System schema supporting the service administration model . 70 14.9 System schema supporting password administration 71 14.10 System schema supporting hierarchical groups. 72 14.11 Mainten
39、ance of system schema . 73 14.12 System schema for first-level subordinates . 73 15 Directory schema administration 73 15.1 Overview . 73 15.2 Policy objects 74 15.3 Policy parameters 74 15.4 Policy procedures 75 15.5 Subschema modification procedures . 75 15.6 Entry addition and modification proced
40、ures . 75 15.7 Subschema policy attributes 76 Rec. ITU-T X.501 (10/2016) v Page SECTION 7 DIRECTORY SERVICE ADMINISTRATION 82 16 Service Administration Model 82 16.1 Definitions . 82 16.2 Service-type/user-class model . 82 16.3 Service-specific administrative areas 83 16.4 Introduction to search-rul
41、es . 84 16.5 Subfilters . 84 16.6 Filter requirements 85 16.7 Attribute information selection based on search-rules 85 16.8 Access control aspects of search-rules 86 16.9 Contexts aspects of search-rules 86 16.10 Search-rule specification . 86 16.11 Matching restriction definition 94 16.12 Search-va
42、lidation function 95 SECTION 8 SECURITY 96 17 Security model 96 17.1 Definitions . 96 17.2 Security policies 96 17.3 Protection of Directory operations 97 18 Basic Access Control 98 18.1 Scope and application 98 18.2 Basic Access Control model . 98 18.3 Access control administrative areas 101 18.4 R
43、epresentation of Access Control Information . 103 18.5 ACI operational attributes . 108 18.6 Protecting the ACI . 109 18.7 Access control and Directory operations . 109 18.8 Access Control Decision Function 110 18.9 Simplified Access Control 111 19 Rule-based Access Control . 111 19.1 Scope and appl
44、ication 111 19.2 Rule-based Access Control model 112 19.3 Access control administrative areas 113 19.4 Security Label . 113 19.5 Clearance . 114 19.6 Access Control and Directory operations 115 19.7 Access Control Decision Function 115 19.8 Use of Rule-based and Basic Access Control . 115 20 Data In
45、tegrity in Storage 116 20.1 Introduction . 116 20.2 Protection of an Entry or Selected Attribute Types . 116 20.3 Context for Protection of a Single Attribute Value . 117 SECTION 9 DSA MODELS 119 21 DSA Models . 119 21.1 Definitions . 119 21.2 Directory Functional Model 119 21.3 Directory Distributi
46、on Model 120 SECTION 10 DSA INFORMATION MODEL 122 22 Knowledge 122 22.1 Definitions . 122 22.2 Introduction . 122 22.3 Knowledge References 123 BS ISO/IEC 95942:2017 vi Rec. ITU-T X.501 (10/2016) Page 22.4 Minimum Knowledge . 125 22.5 First Level DSAs . 126 22.6 Knowledge references to LDAP servers
47、. 126 23 Basic Elements of the DSA Information Model . 126 23.1 Definitions . 126 23.2 Introduction . 127 23.3 DSA Specific Entries and their Names . 127 23.4 Basic Elements 129 24 Representation of DSA Information . 130 24.1 Representation of Directory User and Operational Information . 130 24.2 Re
48、presentation of Knowledge References . 131 24.3 Representation of Names and Naming Contexts . 138 SECTION 11 DSA OPERATIONAL FRAMEWORK 140 25 Overview 140 25.1 Definitions . 140 25.2 Introduction . 140 26 Operational bindings 140 26.1 General 140 26.2 Application of the operational framework 141 26.
49、3 States of cooperation . 142 27 Operational binding specification and management . 143 27.1 Operational binding type specification 143 27.2 Operational binding management . 144 27.3 Operational binding specification templates . 145 28 Operations for operational binding management 147 28.1 Application-context definition 147 28.2 Establish Operational Binding operation. 147 28.3 Modify Operational Binding operation . 150 28.4 Terminate Operational Binding operation . 152 28.5 Oper
