SECTION 1 – GENERAL
1 Scope
2 References
2.1 Normative references
2.2 Non-normative reference
3 Definitions
3.1 Communication definitions
3.2 Basic Directory definitions
3.3 Distributed operation definitions
3.4 Replication definitions
4 Abbreviations
5 Conventions
SECTION 2 – OVERVIEW OF THE DIRECTORY MODELS
6 Directory Models
6.1 Definitions
6.2 The Directory and its users
6.3 Directory and DSA Information Models
6.4 Directory Administrative Authority Model
SECTION 3 – MODEL OF DIRECTORY USER INFORMATION
7 Directory Information Base
7.1 Definitions
7.2 Objects
7.3 Directory entries
7.4 Directory Information Tree (DIT)
8 Directory entries
8.1 Definitions
8.2 Overall structure
8.3 Object classes
8.4 Attribute types
8.5 Attribute values
8.6 Attribute type hierarchies
8.7 Friend attributes
8.8 Contexts
8.9 Matching rules
8.10 Entry collections
8.11 Compound entries and families of entries
9 Names
9.1 Definitions
9.2 Names in general
9.3 Relative distinguished name
9.4 Name matching
9.5 Distinguished names
9.6 Alias names
10 Hierarchical groups
10.1 Definitions
10.2 Hierarchical relationship
10.3 Sequential ordering of a hierarchical group
SECTION 4 – DIRECTORY ADMINISTRATIVE MODEL
11 Directory Administrative Authority model
11.1 Definitions
11.2 Overview
11.3 Policy
11.4 Specific administrative authorities
11.5 Administrative areas and administrative points
11.6 DIT Domain policies
11.7 DMD policies
SECTION 5 – MODEL OF DIRECTORY ADMINISTRATIVE AND OPERATIONAL INFORMATION
12 Model of Directory Administrative and Operational Information
12.1 Definitions
12.2 Overview
12.3 Subtrees
12.4 Operational attributes
12.5 Entries
12.6 Subentries
12.7 Information model for collective attributes
12.8 Information model for context defaults
SECTION 6 – THE DIRECTORY SCHEMA
13 Directory Schema
13.1 Definitions
13.2 Overview
13.3 Object class definition
13.4 Attribute type definition
13.5 Matching rule definition
13.6 Relaxation and tightening
13.7 DIT structure definition
13.8 DIT content rule definition
13.9 Context type definition
13.10 DIT Context Use definition
13.11 Friends definition
13.12 Syntax definitions
14 Directory System Schema
14.1 Overview
14.2 System schema supporting the administrative and operational information model
14.3 System schema supporting the administrative model
14.4 System schema supporting general administrative and operational requirements
14.5 System schema supporting access control
14.6 System schema supporting the collective attribute model
14.7 System schema supporting context assertion defaults
14.8 System schema supporting the service administration model
14.9 System schema supporting password administration
14.10 System schema supporting hierarchical groups
14.11 Maintenance of system schema
14.12 System schema for first-level subordinates
15 Directory schema administration
15.1 Overview
15.2 Policy objects
15.3 Policy parameters
15.4 Policy procedures
15.5 Subschema modification procedures
15.6 Entry addition and modification procedures
15.7 Subschema policy attributes
SECTION 7 – DIRECTORY SERVICE ADMINISTRATION
16 Service Administration Model
16.1 Definitions
16.2 Service-type/user-class model
16.3 Service-specific administrative areas
16.4 Introduction to search-rules
16.5 Subfilters
16.6 Filter requirements
16.7 Attribute information selection based on search-rules
16.8 Access control aspects of search-rules
16.9 Contexts aspects of search-rules
16.10 Search-rule specification
16.11 Matching restriction definition
16.12 Search-validation function
SECTION 8 – SECURITY
17 Security model
17.1 Definitions
17.2 Security policies
17.3 Protection of Directory operations
18 Basic Access Control
18.1 Scope and application
18.2 Basic Access Control model
18.3 Access control administrative areas
18.4 Representation of Access Control Information
18.5 ACI operational attributes
18.6 Protecting the ACI
18.7 Access control and Directory operations
18.8 Access Control Decision Function
18.9 Simplified Access Control
19 Rule-based Access Control
19.1 Scope and application
19.2 Rule-based Access Control model
19.3 Access control administrative areas
19.4 Security Label
19.5 Clearance
19.6 Access Control and Directory operations
19.7 Access Control Decision Function
19.8 Use of Rule-based and Basic Access Control
20 Data Integrity in Storage
20.1 Introduction
20.2 Protection of an Entry or Selected Attribute Types
20.3 Context for Protection of a Single Attribute Value
SECTION 9 – DSA MODELS
21 DSA Models
21.1 Definitions
21.2 Directory Functional Model
21.3 Directory Distribution Model
SECTION 10 – DSA INFORMATION MODEL
22 Knowledge
22.1 Definitions
22.2 Introduction
22.3 Knowledge References
22.4 Minimum Knowledge
22.5 First Level DSAs
22.6 Knowledge references to LDAP servers
23 Basic Elements of the DSA Information Model
23.1 Definitions
23.2 Introduction
23.3 DSA Specific Entries and their Names
23.4 Basic Elements
24 Representation of DSA Information
24.1 Representation of Directory User and Operational Information
24.2 Representation of Knowledge References
24.3 Representation of Names and Naming Contexts
SECTION 11 – DSA OPERATIONAL FRAMEWORK
25 Overview
25.1 Definitions
25.2 Introduction
26 Operational bindings
26.1 General
26.2 Application of the operational framework
26.3 States of cooperation
27 Operational binding specification and management
27.1 Operational binding type specification
27.2 Operational binding management
27.3 Operational binding specification templates
28 Operations for operational binding management
28.1 Application-context definition
28.2 Establish Operational Binding operation
28.3 Modify Operational Binding operation
28.4 Terminate Operational Binding operation
28.5 Operational Binding Error
28.6 Operational Binding Management Bind and Unbind
SECTION 12 – INTERWORKING WITH LDAP
29 Overview
29.1 Definitions
29.2 Introduction
30 LDAP interworking model
30.1 LDAP interworking scenarios
30.2 Overview of bound DSA handling LDAP operations
30.3 General LDAP requestor characteristics
30.4 LDAP extension mechanisms
31 LDAP specific system schema
31.1 Operational Attribute types from IETF RFC 4512
Annex A – Object identifier usage
Annex B – Information framework in ASN.1
Annex C – Subschema administration in ASN.1
Annex D – Service administration in ASN.1
Annex E – Basic Access Control in ASN.1
Annex F – DSA operational attribute types in ASN.1
Annex G – Operational binding management in ASN.1
Annex H – Enhanced security in ASN.1
Annex I – LDAP system schema
Annex J – The mathematics of trees
Annex K – Name design criteria
Annex L – Examples of various aspects of schema
L.1 Example of an attribute hierarchy
L.2 Example of a subtree specification
L.3 Schema specification
L.4 DIT content rules
L.5 DIT context use
Annex M – Overview of basic access control permissions
M.1 Introduction
M.2 Permissions required for operations
M.3 Permissions affecting error
M.4 Entry level permissions
M.5 Entry level permissions
Annex N – Examples of access control
N.1 Introduction
N.2 Design principles for Basic Access Control
N.3 Introduction to example
N.4 Policy affecting the definition of specific and inner areas
N.5 Policy affecting the definition of Directory Access Control Domains (DACDs)
N.6 Policy expressed in prescriptiveACI attributes
N.7 Policy expressed in subentryACI attributes
N.8 Policy expressed in entryACI attributes
N.9 ACDF examples
N.10 Rule-based access control
Annex O – DSE type combinations
Annex P – Modelling of knowledge
Annex Q – Subfilters
Annex R – Compound entry name patterns and their use
Annex S – Naming concepts and considerations
S.1 History tells us …
S.2 A new look at name resolution
Annex T – Alphabetical index of definitions
Annex U – Amendments and corrigenda