1、 I n t e r n a t i o n a l T e l e c o m m u n i c a t i o n U n i o n ITU-T X.501 TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU (10/2016) SERIES X: DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY Directory Information technology Open Systems Interconnection The Directory: Models Recommenda
2、tion ITU-T X.501 ITU-T X-SERIES RECOMMENDATIONS DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY PUBLIC DATA NETWORKS Services and facilities X.1X.19 Interfaces X.20X.49 Transmission, signalling and switching X.50X.89 Network aspects X.90X.149 Maintenance X.150X.179 Administrative arrangements
3、 X.180X.199 OPEN SYSTEMS INTERCONNECTION Model and notation X.200X.209 Service definitions X.210X.219 Connection-mode protocol specifications X.220X.229 Connectionless-mode protocol specifications X.230X.239 PICS proformas X.240X.259 Protocol Identification X.260X.269 Security Protocols X.270X.279 L
4、ayer Managed Objects X.280X.289 Conformance testing X.290X.299 INTERWORKING BETWEEN NETWORKS General X.300X.349 Satellite data transmission systems X.350X.369 IP-based networks X.370X.379 MESSAGE HANDLING SYSTEMS X.400X.499 DIRECTORY X.500X.599 OSI NETWORKING AND SYSTEM ASPECTS Networking X.600X.629
5、 Efficiency X.630X.639 Quality of service X.640X.649 Naming, Addressing and Registration X.650X.679 Abstract Syntax Notation One (ASN.1) X.680X.699 OSI MANAGEMENT Systems management framework and architecture X.700X.709 Management communication service and protocol X.710X.719 Structure of management
6、 information X.720X.729 Management functions and ODMA functions X.730X.799 SECURITY X.800X.849 OSI APPLICATIONS Commitment, concurrency and recovery X.850X.859 Transaction processing X.860X.879 Remote operations X.880X.889 Generic applications of ASN.1 X.890X.899 OPEN DISTRIBUTED PROCESSING X.900X.9
7、99 INFORMATION AND NETWORK SECURITY X.1000X.1099 SECURE APPLICATIONS AND SERVICES X.1100X.1199 CYBERSPACE SECURITY X.1200X.1299 SECURE APPLICATIONS AND SERVICES X.1300X.1399 CYBERSECURITY INFORMATION EXCHANGE X.1500X.1599 CLOUD COMPUTING SECURITY X.1600X.1699 For further details, please refer to the
8、 list of ITU-T Recommendations. Rec. ITU-T X.501 (10/2016) i INTERNATIONAL STANDARD ISO/IEC 9594-2 RECOMMENDATION ITU-T X.501 Information technology Open Systems Interconnection The Directory: Models Summary Recommendation ITU-T X.501 | ISO/IEC 9594-2 provides a number of different models for the Di
9、rectory as a framework for the other Recommendations in the ITU-T X.500-series. The models are the overall (functional) model, the administrative authority model, generic Directory Information models providing Directory User and Administrative User views on Directory information, generic Directory S
10、ystem Agent (DSA) and DSA information models and operational framework, and a security model. History Edition Recommendation Approval Study Group Unique ID* 1.0 ITU-T X.501 1988-11-25 11.1002/1000/2997 2.0 ITU-T X.501 1993-11-16 7 11.1002/1000/2998 3.0 ITU-T X.501 1997-08-09 7 11.1002/1000/4122 3.1
11、ITU-T X.501 (1997) Technical Cor. 1 2000-03-31 7 11.1002/1000/5031 3.2 ITU-T X.501 (1997) Amd. 1 2000-03-31 7 11.1002/1000/5030 3.3 ITU-T X.501 (1997) Technical Cor. 2 2001-02-02 7 11.1002/1000/5308 3.4 ITU-T X.501 (1997) Technical Cor. 3 2005-05-14 17 11.1002/1000/8499 4.0 ITU-T X.501 2001-02-02 7
12、11.1002/1000/5310 4.1 ITU-T X.501 (2001) Technical Cor. 1 2005-05-14 17 11.1002/1000/8500 4.2 ITU-T X.501 (2001) Technical Cor. 2 2005-11-29 17 11.1002/1000/8634 4.3 ITU-T X.501 (2001) Cor. 3 2008-05-29 17 11.1002/1000/9431 5.0 ITU-T X.501 2005-08-29 17 11.1002/1000/8489 5.1 ITU-T X.501 (2005) Cor.
13、1 2008-05-29 17 11.1002/1000/9432 5.2 ITU-T X.501 (2005) Cor. 2 2008-11-13 17 11.1002/1000/9589 5.3 ITU-T X.501 (2005) Cor. 3 2011-02-13 17 11.1002/1000/11040 5.4 ITU-T X.501 (2005) Cor. 4 2012-04-13 17 11.1002/1000/11575 6.0 ITU-T X.501 2008-11-13 17 11.1002/1000/9588 6.1 ITU-T X.501 (2008) Cor. 1
14、2011-02-13 17 11.1002/1000/11041 6.2 ITU-T X.501 (2008) Cor. 2 2012-04-13 17 11.1002/1000/11576 6.3 ITU-T X.501 (2008) Cor. 3 2012-10-14 17 11.1002/1000/11734 7.0 ITU-T X.501 2012-10-14 17 11.1002/1000/11733 8.0 ITU-T X.501 2016-10-14 17 11.1002/1000/13030 Keywords Attribute, chaining, directory, di
15、rectory information tree, directory system agent, directory user agent, distinguished name, referral. _ * To access the Recommendation, type the URL http:/handle.itu.int/ in the address field of your web browser, followed by the Recommendations unique ID. For example, http:/handle.itu.int/11.1002/10
16、00/11830-en. ii Rec. ITU-T X.501 (10/2016) FOREWORD The International Telecommunication Union (ITU) is the United Nations specialized agency in the field of telecommunications, information and communication technologies (ICTs). The ITU Telecommunication Standardization Sector (ITU-T) is a permanent
17、organ of ITU. ITU-T is responsible for studying technical, operating and tariff questions and issuing Recommendations on them with a view to standardizing telecommunications on a worldwide basis. The World Telecommunication Standardization Assembly (WTSA), which meets every four years, establishes t
18、he topics for study by the ITU-T study groups which, in turn, produce Recommendations on these topics. The approval of ITU-T Recommendations is covered by the procedure laid down in WTSA Resolution 1. In some areas of information technology which fall within ITU-Ts purview, the necessary standards a
19、re prepared on a collaborative basis with ISO and IEC. NOTE In this Recommendation, the expression “Administration“ is used for conciseness to indicate both a telecommunication administration and a recognized operating agency. Compliance with this Recommendation is voluntary. However, the Recommenda
20、tion may contain certain mandatory provisions (to ensure, e.g., interoperability or applicability) and compliance with the Recommendation is achieved when all of these mandatory provisions are met. The words “shall“ or some other obligatory language such as “must“ and the negative equivalents are us
21、ed to express requirements. The use of such words does not suggest that compliance with the Recommendation is required of any party. INTELLECTUAL PROPERTY RIGHTSITU draws attention to the possibility that the practice or implementation of this Recommendation may involve the use of a claimed Intellec
22、tual Property Right. ITU takes no position concerning the evidence, validity or applicability of claimed Intellectual Property Rights, whether asserted by ITU members or others outside of the Recommendation development process. As of the date of approval of this Recommendation, ITU had not received
23、notice of intellectual property, protected by patents, which may be required to implement this Recommendation. However, implementers are cautioned that this may not represent the latest information and are therefore strongly urged to consult the TSB patent database at http:/www.itu.int/ITU-T/ipr/. I
24、TU 2016 All rights reserved. No part of this publication may be reproduced, by any means whatsoever, without the prior written permission of ITU. Rec. ITU-T X.501 (10/2016) iii CONTENTS Page SECTION 1 GENERAL . 1 1 Scope 1 2 References 2 2.1 Normative references 2 2.2 Non-normative reference . 3 3 D
25、efinitions 3 3.1 Communication definitions . 3 3.2 Basic Directory definitions 3 3.3 Distributed operation definitions . 3 3.4 Replication definitions 4 4 Abbreviations . 4 5 Conventions 5 SECTION 2 OVERVIEW OF THE DIRECTORY MODELS 6 6 Directory Models 6 6.1 Definitions . 6 6.2 The Directory and its
26、 users 6 6.3 Directory and DSA Information Models . 7 6.4 Directory Administrative Authority Model . 8 SECTION 3 MODEL OF DIRECTORY USER INFORMATION 9 7 Directory Information Base 9 7.1 Definitions . 9 7.2 Objects 10 7.3 Directory entries 10 7.4 Directory Information Tree (DIT) . 10 8 Directory entr
27、ies . 11 8.1 Definitions . 11 8.2 Overall structure 13 8.3 Object classes 14 8.4 Attribute types . 16 8.5 Attribute values . 16 8.6 Attribute type hierarchies 16 8.7 Friend attributes 17 8.8 Contexts 17 8.9 Matching rules . 18 8.10 Entry collections 22 8.11 Compound entries and families of entries .
28、 22 9 Names . 23 9.1 Definitions . 23 9.2 Names in general . 24 9.3 Relative distinguished name 24 9.4 Name matching . 25 9.5 Distinguished names . 25 9.6 Alias names . 26 10 Hierarchical groups 26 10.1 Definitions . 26 10.2 Hierarchical relationship . 27 10.3 Sequential ordering of a hierarchical g
29、roup 28 iv Rec. ITU-T X.501 (10/2016) Page SECTION 4 DIRECTORY ADMINISTRATIVE MODEL . 29 11 Directory Administrative Authority model 29 11.1 Definitions . 29 11.2 Overview . 29 11.3 Policy 30 11.4 Specific administrative authorities 30 11.5 Administrative areas and administrative points 31 11.6 DIT
30、Domain policies . 33 11.7 DMD policies 33 SECTION 5 MODEL OF DIRECTORY ADMINISTRATIVE AND OPERATIONAL INFORMATION . 35 12 Model of Directory Administrative and Operational Information 35 12.1 Definitions . 35 12.2 Overview . 35 12.3 Subtrees . 36 12.4 Operational attributes 38 12.5 Entries . 39 12.6
31、 Subentries 39 12.7 Information model for collective attributes . 40 12.8 Information model for context defaults . 41 SECTION 6 THE DIRECTORY SCHEMA 42 13 Directory Schema . 42 13.1 Definitions . 42 13.2 Overview . 42 13.3 Object class definition . 44 13.4 Attribute type definition 46 13.5 Matching
32、rule definition 50 13.6 Relaxation and tightening 52 13.7 DIT structure definition . 58 13.8 DIT content rule definition 61 13.9 Context type definition 62 13.10 DIT Context Use definition . 63 13.11 Friends definition 64 13.12 Syntax definitions 65 14 Directory System Schema 65 14.1 Overview . 65 1
33、4.2 System schema supporting the administrative and operational information model 66 14.3 System schema supporting the administrative model 66 14.4 System schema supporting general administrative and operational requirements 67 14.5 System schema supporting access control . 69 14.6 System schema sup
34、porting the collective attribute model . 70 14.7 System schema supporting context assertion defaults . 70 14.8 System schema supporting the service administration model . 70 14.9 System schema supporting password administration 71 14.10 System schema supporting hierarchical groups. 72 14.11 Maintena
35、nce of system schema . 73 14.12 System schema for first-level subordinates . 73 15 Directory schema administration 73 15.1 Overview . 73 15.2 Policy objects 74 15.3 Policy parameters 74 15.4 Policy procedures 75 15.5 Subschema modification procedures . 75 15.6 Entry addition and modification procedu
36、res . 75 15.7 Subschema policy attributes 76 Rec. ITU-T X.501 (10/2016) v Page SECTION 7 DIRECTORY SERVICE ADMINISTRATION 82 16 Service Administration Model 82 16.1 Definitions . 82 16.2 Service-type/user-class model . 82 16.3 Service-specific administrative areas 83 16.4 Introduction to search-rule
37、s . 84 16.5 Subfilters . 84 16.6 Filter requirements 85 16.7 Attribute information selection based on search-rules 85 16.8 Access control aspects of search-rules 86 16.9 Contexts aspects of search-rules 86 16.10 Search-rule specification . 86 16.11 Matching restriction definition 94 16.12 Search-val
38、idation function 95 SECTION 8 SECURITY 96 17 Security model 96 17.1 Definitions . 96 17.2 Security policies 96 17.3 Protection of Directory operations 97 18 Basic Access Control 98 18.1 Scope and application 98 18.2 Basic Access Control model . 98 18.3 Access control administrative areas 101 18.4 Re
39、presentation of Access Control Information . 103 18.5 ACI operational attributes . 108 18.6 Protecting the ACI . 109 18.7 Access control and Directory operations . 109 18.8 Access Control Decision Function 110 18.9 Simplified Access Control 111 19 Rule-based Access Control . 111 19.1 Scope and appli
40、cation 111 19.2 Rule-based Access Control model 112 19.3 Access control administrative areas 113 19.4 Security Label . 113 19.5 Clearance . 114 19.6 Access Control and Directory operations 115 19.7 Access Control Decision Function 115 19.8 Use of Rule-based and Basic Access Control . 115 20 Data Int
41、egrity in Storage 116 20.1 Introduction . 116 20.2 Protection of an Entry or Selected Attribute Types . 116 20.3 Context for Protection of a Single Attribute Value . 117 SECTION 9 DSA MODELS 119 21 DSA Models . 119 21.1 Definitions . 119 21.2 Directory Functional Model 119 21.3 Directory Distributio
42、n Model 120 SECTION 10 DSA INFORMATION MODEL 122 22 Knowledge 122 22.1 Definitions . 122 22.2 Introduction . 122 22.3 Knowledge References 123 vi Rec. ITU-T X.501 (10/2016) Page 22.4 Minimum Knowledge . 125 22.5 First Level DSAs . 126 22.6 Knowledge references to LDAP servers . 126 23 Basic Elements
43、 of the DSA Information Model . 126 23.1 Definitions . 126 23.2 Introduction . 127 23.3 DSA Specific Entries and their Names . 127 23.4 Basic Elements 129 24 Representation of DSA Information . 130 24.1 Representation of Directory User and Operational Information . 130 24.2 Representation of Knowled
44、ge References . 131 24.3 Representation of Names and Naming Contexts . 138 SECTION 11 DSA OPERATIONAL FRAMEWORK 140 25 Overview 140 25.1 Definitions . 140 25.2 Introduction . 140 26 Operational bindings 140 26.1 General 140 26.2 Application of the operational framework 141 26.3 States of cooperation
45、 . 142 27 Operational binding specification and management . 143 27.1 Operational binding type specification 143 27.2 Operational binding management . 144 27.3 Operational binding specification templates . 145 28 Operations for operational binding management 147 28.1 Application-context definition 1
46、47 28.2 Establish Operational Binding operation. 147 28.3 Modify Operational Binding operation . 150 28.4 Terminate Operational Binding operation . 152 28.5 Operational Binding Error . 153 28.6 Operational Binding Management Bind and Unbind 155 SECTION 12 INTERWORKING WITH LDAP 156 29 Overview 156 2
47、9.1 Definitions . 156 29.2 Introduction . 156 30 LDAP interworking model . 156 30.1 LDAP interworking scenarios . 156 30.2 Overview of bound DSA handling LDAP operations . 157 30.3 General LDAP requestor characteristics . 157 30.4 LDAP extension mechanisms . 158 31 LDAP specific system schema . 158
48、31.1 Operational Attribute types from IETF RFC 4512 158 Annex A Object identifier usage. 161 Annex B Information framework in ASN.1 165 Annex C Subschema administration in ASN.1 . 177 Annex D Service administration in ASN.1 . 182 Annex E Basic Access Control in ASN.1 . 186 Annex F DSA operational at
49、tribute types in ASN.1 . 190 Annex G Operational binding management in ASN.1 193 Annex H Enhanced security in ASN.1 . 198 Rec. ITU-T X.501 (10/2016) vii Page Annex I LDAP system schema . 201 Annex J The mathematics of trees 203 Annex K Name design criteria 204 Annex L Examples of various aspects of schema . 206 L.1 Example of an attribute hierarchy . 206 L.2 Example of a subtree spec
