1、 International Telecommunication Union ITU-T X.501TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU (11/2008) SERIES X: DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY Directory Information technology Open Systems Interconnection The Directory: Models ITU-T Recommendation X.501 ITU-T X-SERIES R
2、ECOMMENDATIONS DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY PUBLIC DATA NETWORKS Services and facilities X.1X.19 Interfaces X.20X.49 Transmission, signalling and switching X.50X.89 Network aspects X.90X.149 Maintenance X.150X.179 Administrative arrangements X.180X.199 OPEN SYSTEMS INTERCON
3、NECTION Model and notation X.200X.209 Service definitions X.210X.219 Connection-mode protocol specifications X.220X.229 Connectionless-mode protocol specifications X.230X.239 PICS proformas X.240X.259 Protocol Identification X.260X.269 Security Protocols X.270X.279 Layer Managed Objects X.280X.289 C
4、onformance testing X.290X.299 INTERWORKING BETWEEN NETWORKS General X.300X.349 Satellite data transmission systems X.350X.369 IP-based networks X.370X.379 MESSAGE HANDLING SYSTEMS X.400X.499DIRECTORY X.500X.599 OSI NETWORKING AND SYSTEM ASPECTS Networking X.600X.629 Efficiency X.630X.639 Quality of
5、service X.640X.649 Naming, Addressing and Registration X.650X.679 Abstract Syntax Notation One (ASN.1) X.680X.699 OSI MANAGEMENT Systems Management framework and architecture X.700X.709 Management Communication Service and Protocol X.710X.719 Structure of Management Information X.720X.729 Management
6、 functions and ODMA functions X.730X.799 SECURITY X.800X.849 OSI APPLICATIONS Commitment, Concurrency and Recovery X.850X.859 Transaction processing X.860X.879 Remote operations X.880X.889 Generic applications of ASN.1 X.890X.899 OPEN DISTRIBUTED PROCESSING X.900X.999 INFORMATION AND NETWORK SECURIT
7、Y X.1000X.1099 SECURE APPLICATIONS AND SERVICES X.1100X.1199 CYBERSPACE SECURITY X.1200X.1299 SECURE APPLICATIONS AND SERVICES X.1300X.1399 For further details, please refer to the list of ITU-T Recommendations. ITU-T Rec. X.501 (11/2008) iINTERNATIONAL STANDARD ISO/IEC 9594-2 ITU-T RECOMMENDATION X
8、.501 Information technology Open Systems Interconnection The Directory: Models Summary ITU-T Recommendation X.501 | ISO/IEC 9594-2 provides a number of different models for the Directory as a framework for the other ITU-T Recommendations in the X.500 series. The models are the overall (functional) m
9、odel, the administrative authority model, generic Directory Information models providing Directory User and Administrative User views on Directory information, generic Directory System Agent (DSA) and DSA information models and operational framework and a security model. Source ITU-T Recommendation
10、X.501 was approved on 13 November 2008 by ITU-T Study Group 17 (2009-2012) under the ITU-T Recommendation A.8 procedure. An identical text is also published as ISO/IEC 9594-2. ITU-T Rec. X.501 (11/2008) ii FOREWORD The International Telecommunication Union (ITU) is the United Nations specialized age
11、ncy in the field of telecommunications, information and communication technologies (ICTs). The ITU Telecommunication Standardization Sector (ITU-T) is a permanent organ of ITU. ITU-T is responsible for studying technical, operating and tariff questions and issuing Recommendations on them with a view
12、 to standardizing telecommunications on a worldwide basis. The World Telecommunication Standardization Assembly (WTSA), which meets every four years, establishes the topics for study by the ITU-T study groups which, in turn, produce Recommendations on these topics. The approval of ITU-T Recommendati
13、ons is covered by the procedure laid down in WTSA Resolution 1. In some areas of information technology which fall within ITU-Ts purview, the necessary standards are prepared on a collaborative basis with ISO and IEC. NOTE In this Recommendation, the expression “Administration“ is used for concisene
14、ss to indicate both a telecommunication administration and a recognized operating agency. Compliance with this Recommendation is voluntary. However, the Recommendation may contain certain mandatory provisions (to ensure e.g. interoperability or applicability) and compliance with the Recommendation i
15、s achieved when all of these mandatory provisions are met. The words “shall“ or some other obligatory language such as “must“ and the negative equivalents are used to express requirements. The use of such words does not suggest that compliance with the Recommendation is required of any party. INTELL
16、ECTUAL PROPERTY RIGHTS ITU draws attention to the possibility that the practice or implementation of this Recommendation may involve the use of a claimed Intellectual Property Right. ITU takes no position concerning the evidence, validity or applicability of claimed Intellectual Property Rights, whe
17、ther asserted by ITU members or others outside of the Recommendation development process. As of the date of approval of this Recommendation, ITU had not received notice of intellectual property, protected by patents, which may be required to implement this Recommendation. However, implementers are c
18、autioned that this may not represent the latest information and are therefore strongly urged to consult the TSB patent database at http:/www.itu.int/ITU-T/ipr/. ITU 2009 All rights reserved. No part of this publication may be reproduced, by any means whatsoever, without the prior written permission
19、of ITU. ITU-T Rec. X.501 (11/2008) iiiCONTENTS Page SECTION 1 GENERAL . 1 1 Scope . 1 2 Normative references 2 2.1 Identical Recommendations | International Standards . 2 2.2 Paired Recommendations | International Standards equivalent in technical content. 2 2.3 Other references 3 3 Definitions 3 3.
20、1 Communication definitions . 3 3.2 Basic Directory definitions 3 3.3 Distributed operation definitions 3 3.4 Replication definitions . 3 4 Abbreviations 4 5 Conventions 4 SECTION 2 OVERVIEW OF THE DIRECTORY MODELS 6 6 Directory Models 6 6.1 Definitions. 6 6.2 The Directory and its users 6 6.3 Direc
21、tory and DSA Information Models 7 6.4 Directory Administrative Authority Model. 8 SECTION 3 MODEL OF DIRECTORY USER INFORMATION 9 7 Directory Information Base 9 7.1 Definitions. 9 7.2 Objects 10 7.3 Directory entries . 10 7.4 Directory Information Tree (DIT). 10 8 Directory entries. 11 8.1 Definitio
22、ns. 11 8.2 Overall structure . 13 8.3 Object classes. 14 8.4 Attribute Types. 16 8.5 Attribute Values 16 8.6 Attribute Type Hierarchies 16 8.7 Friend attributes 17 8.8 Contexts 17 8.9 Matching rules 18 8.10 Entry collections . 21 8.11 Compound entries and families of entries. 22 9 Names 23 9.1 Defin
23、itions. 23 9.2 Names in general 23 9.3 Relative Distinguished Names . 23 9.4 Name matching. 25 9.5 Names returned during operations 25 9.6 Names held as attribute values or used as parameters . 25 9.7 Distinguished Names . 26 9.8 Alias Names. 27 10 Hierarchical groups. 27 10.1 Definitions. 27 10.2 H
24、ierarchical relationship. 28 10.3 Sequential ordering of a hierarchical group 28 ITU-T Rec. X.501 (11/2008) iv Page SECTION 4 DIRECTORY ADMINISTRATIVE MODEL 30 11 Directory Administrative Authority model. 30 11.1 Definitions. 30 11.2 Overview. 30 11.3 Policy . 31 11.4 Specific administrative authori
25、ties 31 11.5 Administrative areas and administrative points . 32 11.6 DIT Domain policies . 34 11.7 DMD policies. 34 SECTION 5 MODEL OF DIRECTORY ADMINISTRATIVE AND OPERATIONAL INFORMATION 36 12 Model of Directory Administrative and Operational Information . 36 12.1 Definitions. 36 12.2 Overview. 36
26、 12.3 Subtrees 37 12.4 Operational attributes. 39 12.5 Entries 40 12.6 Subentries 40 12.7 Information model for collective attributes. 41 12.8 Information model for context defaults 42 SECTION 6 THE DIRECTORY SCHEMA 43 13 Directory Schema . 43 13.1 Definitions. 43 13.2 Overview. 43 13.3 Object class
27、 definition 45 13.4 Attribute type definition . 46 13.5 Matching rule definition . 49 13.6 Relaxations and tightenings. 51 13.7 DIT structure definition 57 13.8 DIT content rule definition 59 13.9 Context type definition. 61 13.10 DIT Context Use definition. 62 13.11 Friends definition 63 14 Directo
28、ry System Schema 63 14.1 Overview. 63 14.2 System schema supporting the administrative and operational information model 64 14.3 System schema supporting the administrative model 64 14.4 System schema supporting general administrative and operational requirements 65 14.5 System schema supporting acc
29、ess control 67 14.6 System schema supporting the collective attribute model 67 14.7 System schema supporting context assertion defaults . 68 14.8 System schema supporting the service administration model 68 14.9 System schema supporting hierarchical groups 68 14.10 Maintenance of system schema 69 14
30、.11 System schema for first-level subordinates. 70 15 Directory schema administration . 70 15.1 Overview. 70 15.2 Policy objects. 70 15.3 Policy parameters 70 15.4 Policy procedures 71 15.5 Subschema modification procedures . 71 15.6 Entry addition and modification procedures 72 15.7 Subschema polic
31、y attributes 72 ITU-T Rec. X.501 (11/2008) vPage SECTION 7 DIRECTORY SERVICE ADMINISTRATION . 78 16 Service Administration Model. 78 16.1 Definitions. 78 16.2 Service-type/user-class model 78 16.3 Service-specific administrative areas. 79 16.4 Introduction to search-rules. 80 16.5 Subfilters. 80 16.
32、6 Filter requirements 81 16.7 Attribute information selection based on search-rules. 81 16.8 Access control aspects of search-rules . 81 16.9 Contexts aspects of search-rules. 82 16.10 Search-rule specification 82 16.11 Matching restriction definition. 90 16.12 Search-validation function 90 SECTION
33、8 SECURITY 91 17 Security model. 91 17.1 Definitions. 91 17.2 Security policies . 91 17.3 Protection of Directory operations 92 18 Basic Access Control 93 18.1 Scope and application 93 18.2 Basic Access Control model 93 18.3 Access control administrative areas 95 18.4 Representation of Access Contro
34、l Information 98 18.5 ACI operational attributes. 103 18.6 Protecting the ACI. 104 18.7 Access control and Directory operations 104 18.8 Access Control Decision Function 104 18.9 Simplified Access Control 106 19 Rule-based Access Control. 106 19.1 Scope and application 106 19.2 Rule-based Access Con
35、trol model 107 19.3 Access control administrative areas 107 19.4 Security Label 107 19.5 Clearance 109 19.6 Access Control and Directory operations . 109 19.7 Access Control Decision Function 110 19.8 Use of Rule-based and Basic Access Control 110 20 Data Integrity in Storage 110 20.1 Introduction .
36、 110 20.2 Protection of an Entry or Selected Attribute Types. 110 20.3 Context for Protection of a Single Attribute Value. 112 SECTION 9 DSA MODELS 113 21 DSA Models 113 21.1 Definitions. 113 21.2 Directory Functional Model 113 21.3 Directory Distribution Model 114 ITU-T Rec. X.501 (11/2008) vi Page
37、 SECTION 10 DSA INFORMATION MODEL 116 22 Knowledge 116 22.1 Definitions. 116 22.2 Introduction . 116 22.3 Knowledge References. 117 22.4 Minimum Knowledge 119 22.5 First Level DSAs 120 23 Basic Elements of the DSA Information Model 120 23.1 Definitions. 120 23.2 Introduction . 120 23.3 DSA Specific
38、Entries and their Names 121 23.4 Basic Elements . 122 24 Representation of DSA Information . 124 24.1 Representation of Directory User and Operational Information 124 24.2 Representation of Knowledge References 125 24.3 Representation of Names and Naming Contexts 131 SECTION 11 DSA OPERATIONAL FRAME
39、WORK 133 25 Overview 133 25.1 Definitions. 133 25.2 Introduction . 133 26 Operational bindings . 133 26.1 General . 133 26.2 Application of the operational framework 134 26.3 States of cooperation 135 27 Operational binding specification and management . 136 27.1 Operational binding type specificati
40、on. 136 27.2 Operational binding management . 137 27.3 Operational binding specification templates . 137 28 Operations for operational binding management . 139 28.1 Application-context definition . 139 28.2 Establish Operational Binding operation 140 28.3 Modify Operational Binding operation 142 28.
41、4 Terminate Operational Binding operation 143 28.5 Operational Binding Error. 144 28.6 Operational Binding Management Bind and Unbind 145 Annex A Object identifier usage. 146 Annex B Information Framework in ASN.1 149 Annex C SubSchema Administration Schema in ASN.1 159 Annex D Service Administratio
42、n in ASN.1. 163 Annex E Basic Access Control in ASN.1 . 167 Annex F DSA Operational Attribute Types in ASN.1 . 171 Annex G Operational Binding Management in ASN.1 174 Annex H Enhanced security. 178 Annex I The Mathematics of Trees . 181 Annex J Name Design Criteria . 182 ITU-T Rec. X.501 (11/2008) v
43、iiPage Annex K Examples of various aspects of schema. 184 K.1 Example of an attribute hierarchy. 184 K.2 Example of a subtree specification 184 K.3 Schema specification . 185 K.4 DIT content rules 186 K.5 DIT context use 187 Annex L Overview of basic access control permissions. 188 L.1 Introduction
44、. 188 L.2 Permissions required for operations 188 L.3 Permissions affecting error 189 L.4 Entry level permissions 189 L.5 Entry level permissions 190 Annex M Examples of access control 192 M.1 Introduction . 192 M.2 Design principles for Basic Access Control 192 M.3 Introduction to example 192 M.4 P
45、olicy affecting the definition of specific and inner areas 193 M.5 Policy affecting the definition of DACDs. 195 M.6 Policy expressed in prescriptiveACI attributes 197 M.7 Policy expressed in subentryACI attributes. 202 M.8 Policy expressed in entryACI attributes . 203 M.9 ACDF examples . 204 M.10 R
46、ule-based Access Control . 206 Annex N DSE type combinations . 207 Annex O Modelling of knowledge 209 Annex P Names held as attribute values or used as parameters . 214 Annex Q Subfilters 215 Annex R Compound entry name patterns and their use 216 Annex S Naming concepts and considerations. 218 S.1 H
47、istory tells us . 218 S.2 A new look at name resolution. 218 Annex T Alphabetical index of definitions 224 Annex U Amendments and corrigenda. 226 ITU-T Rec. X.501 (11/2008) viii Introduction This Recommendation | International Standard, together with the other Recommendations | International Standar
48、ds, has been produced to facilitate the interconnection of information processing systems to provide directory services. A set of such systems, together with the directory information that they hold, can be viewed as an integrated whole, called the Directory. The information held by the Directory, c
49、ollectively known as the Directory Information Base (DIB), is typically used to facilitate communication between, with or about objects such as application entities, people, terminals and distribution lists. The Directory plays a significant role in Open Systems Interconnection, whose aim is to allow, with a minimum of technical agreement outside of the interconnection standards themselves, the interconnection of information processing systems: from different manufacturers;
