Rec. ITU-T X.501 (10/2019) - Information technology – Open Systems Interconnection – The Directory: Models
Summary
History
FOREWORD
CONTENTS
1 Scope
2 References
     2.1 Normative references
          2.1.1 Identical Recommendations | International Standards
          2.1.2 Paired Recommendations | International Standards equivalent in technical content
          2.1.3 Other references
     2.2 Non-normative references
3 Definitions
     3.1 Communication definitions
     3.2 Basic Directory definitions
     3.3 Distributed operation definitions
     3.4 Replication definitions
4 Abbreviations
5 Conventions
6 Directory Models
     6.1 Definitions
     6.2 The Directory and its users
     6.3 Directory and DSA Information Models
          6.3.1 Generic Models
          6.3.2 Specific information models
     6.4 Directory Administrative Authority Model
7 Directory Information Base
     7.1 Definitions
     7.2 Objects
     7.3 Directory entries
     7.4 Directory Information Tree (DIT)
8 Directory entries
     8.1 Definitions
     8.2 Overall structure
     8.3 Object classes
          8.3.1 Abstract object class
          8.3.2 Structural object class
          8.3.3 Auxiliary object class
          8.3.4 Object class definition and Rec. CCITT X.501 (1988) | ISO/IEC 9594-2:1990
     8.4 Attribute types
     8.5 Attribute values
     8.6 Attribute type hierarchies
     8.7 Friend attributes
     8.8 Contexts
     8.9 Matching rules
          8.9.1 Overview
          8.9.2 Attribute value assertion
               8.9.2.1 Evaluation of an AVA
               8.9.2.2 Use of assertedContexts or context assertion defaults
               8.9.2.3 Evaluation of assertedContexts
               8.9.2.4 Evaluation of a ContextAssertion
          8.9.3 Attribute Type Assertions
               8.9.3.1 Evaluation of an attribute type assertion
               8.9.3.2 Use of assertedContexts or context assertion defaults
          8.9.4 Built-in matching rule assertions
          8.9.5 Matching rule requirements
          8.9.6 Object Identifier and Distinguished Name equality matching rules
     8.10 Entry collections
          8.10.1 Overview
          8.10.2 Collective attributes
     8.11 Compound entries and families of entries
9 Names
     9.1 Definitions
     9.2 Names in general
     9.3 Relative distinguished name
     9.4 Name matching
     9.5 Distinguished names
     9.6 Alias names
10 Hierarchical groups
     10.1 Definitions
     10.2 Hierarchical relationship
     10.3 Sequential ordering of a hierarchical group
11 Directory Administrative Authority model
     11.1 Definitions
     11.2 Overview
     11.3 Policy
     11.4 Specific administrative authorities
     11.5 Administrative areas and administrative points
          11.5.1 Autonomous administrative areas
          11.5.2 Specific administrative areas
          11.5.3 Inner administrative areas
          11.5.4 Administrative points
          11.5.5 Administrative entries
     11.6 DIT Domain policies
     11.7 DMD policies
12 Model of Directory Administrative and Operational Information
     12.1 Definitions
     12.2 Overview
     12.3 Subtrees
          12.3.1 Overview
          12.3.2 Subtree specification
          12.3.3 Base
          12.3.4 Chop Specification
               12.3.4.1 Specific Exclusions
               12.3.4.2 Minimum and Maximum
          12.3.5 Specification Filter
     12.4 Operational attributes
     12.5 Entries
          12.5.1 Overview
          12.5.2 Access to operational attributes
     12.6 Subentries
          12.6.1 Overview
          12.6.2 Subentry RDN attribute
          12.6.3 Subtree Specification attribute
          12.6.4 Use of Object Class attribute
          12.6.5 Other subentry attributes
     12.7 Information model for collective attributes
     12.8 Information model for context defaults
13 Directory Schema
     13.1 Definitions
     13.2 Overview
     13.3 Object class definition
          13.3.1 Subclassing
          13.3.2 Object class attribute
          13.3.3 Object class specification
     13.4 Attribute type definition
          13.4.1 Operational attributes
          13.4.2 Attribute hierarchies
          13.4.3 Friend attributes
          13.4.4 Collective attributes
          13.4.5 Derived attributes
          13.4.6 Attribute syntax
          13.4.7 Matching rules
          13.4.8 Attribute definition
     13.5 Matching rule definition
          13.5.1 Overview
          13.5.2 Matching rule definition
     13.6 Relaxation and tightening
          13.6.1 Matching rule substitution
          13.6.2 Mapping-based matching
     13.7 DIT structure definition
          13.7.1 Overview
          13.7.2 Name form definition
          13.7.3 Name form specification
          13.7.4 Structural object class of an entry
          13.7.5 DIT structure rule definition
          13.7.6 DIT structure rule specification
     13.8 DIT content rule definition
          13.8.1 Overview
          13.8.2 DIT content rule specification
     13.9 Context type definition
          13.9.1 Context value matching
          13.9.2 Context definition
     13.10 DIT Context Use definition
          13.10.1 Overview
          13.10.2 DIT Context Use specification
     13.11 Friends definition
     13.12 Syntax definitions
14 Directory System Schema
     14.1 Overview
     14.2 System schema supporting the administrative and operational information model
          14.2.1 Subentry object class
          14.2.2 Subentry name form
          14.2.3 Subtree Specification operational attribute
     14.3 System schema supporting the administrative model
     14.4 System schema supporting general administrative and operational requirements
          14.4.1 Timestamps
          14.4.2 Entry Modifier operational attributes
          14.4.3 Subentry identification operational attributes
          14.4.4 Has Subordinates operational attribute
     14.5 System schema supporting access control
     14.6 System schema supporting the collective attribute model
     14.7 System schema supporting context assertion defaults
     14.8 System schema supporting the service administration model
     14.9 System schema supporting password administration
          14.9.1 Definition of a history attribute from the password attribute, the history matching rule and an object identifier
          14.9.2 Definition of a recently expired password attribute from the password attribute and an object identifier
          14.9.3 Definition of a password history matching rule from the password attribute and an object identifier
     14.10 System schema supporting hierarchical groups
     14.11 Maintenance of system schema
     14.12 System schema for first-level subordinates
15 Directory schema administration
     15.1 Overview
     15.2 Policy objects
     15.3 Policy parameters
     15.4 Policy procedures
     15.5 Subschema modification procedures
     15.6 Entry addition and modification procedures
     15.7 Subschema policy attributes
          15.7.1 DIT Structure Rules operational attribute
          15.7.2 DIT Content Rules operational attribute
          15.7.3 Matching Rules operational attribute
          15.7.4 Attribute Types operational attribute
          15.7.5 Object Classes operational attribute
          15.7.6 Name Forms operational attribute
          15.7.7 Matching Rule Use operational attribute
          15.7.8 Structural Object Class operational attribute type
          15.7.9 Governing Structure Rule operational attribute
          15.7.10 ContextTypes operational attribute
          15.7.11 DIT Context Use operational attribute
          15.7.12 Friends operational attribute
16 Service Administration Model
     16.1 Definitions
     16.2 Service-type/user-class model
     16.3 Service-specific administrative areas
     16.4 Introduction to search-rules
     16.5 Subfilters
     16.6 Filter requirements
     16.7 Attribute information selection based on search-rules
     16.8 Access control aspects of search-rules
     16.9 Contexts aspects of search-rules
     16.10 Search-rule specification
          16.10.1 Search-rule identification components
          16.10.2 Request-attribute-profiles
          16.10.3 Attribute combinations
          16.10.4 Attributes in the result
          16.10.5 Service and search controls
          16.10.6 Family specifications
          16.10.7 Control of relaxation
          16.10.8 Additional control component
          16.10.9 Miscellaneous components
          16.10.10 ASN.1 information object classes
     16.11 Matching restriction definition
     16.12 Search-validation function
17 Security model
     17.1 Definitions
     17.2 Security policies
          17.2.1 Authentication procedures and mechanisms
          17.2.2 Access control scheme
     17.3 Protection of Directory operations
18 Basic Access Control
     18.1 Scope and application
     18.2 Basic Access Control model
          18.2.1 Protected items
          18.2.2 Access control permissions and their scope
          18.2.3 Permission categories for entry access
          18.2.4 Permission categories for attribute and attribute value access
     18.3 Access control administrative areas
          18.3.1 Access control areas and Directory Access Control Domains
          18.3.2 Associating controls with administrative areas
     18.4 Representation of Access Control Information
          18.4.1 ASN.1 for Access Control Information
          18.4.2 Description of ACIItem Parameters
               18.4.2.1 Identification Tag
               18.4.2.2 Precedence
               18.4.2.3 Authentication Level
               18.4.2.4 itemFirst and userFirst Parameters
               18.4.2.5 Determining group membership
     18.5 ACI operational attributes
          18.5.1 Prescriptive access control information
          18.5.2 Entry access control information
          18.5.3 Subentry ACI
     18.6 Protecting the ACI
     18.7 Access control and Directory operations
     18.8 Access Control Decision Function
          18.8.1 Inputs and outputs
          18.8.2 Tuples
          18.8.3 Discarding non-relevant tuples
          18.8.4 Selecting highest precedence, most specific tuples
     18.9 Simplified Access Control
          18.9.1 Introduction
          18.9.2 Definition of Simplified Access Control functionality
19 Rule-based Access Control
     19.1 Scope and application
     19.2 Rule-based Access Control model
     19.3 Access control administrative areas
     19.4 Security Label
          19.4.1 Introduction
          19.4.2 Administration of Security Labels
          19.4.3 Labelled Attribute Values
     19.5 Clearance
     19.6 Access Control and Directory operations
     19.7 Access Control Decision Function
     19.8 Use of Rule-based and Basic Access Control
20 Data Integrity in Storage
     20.1 Introduction
     20.2 Protection of an Entry or Selected Attribute Types
     20.3 Context for Protection of a Single Attribute Value
21 DSA Models
     21.1 Definitions
     21.2 Directory Functional Model
     21.3 Directory Distribution Model
22 Knowledge
     22.1 Definitions
     22.2 Introduction
     22.3 Knowledge References
          22.3.1 Knowledge Categories
          22.3.2 Knowledge Reference Types
               22.3.2.1 Superior References
               22.3.2.2 Immediate Superior References
               22.3.2.3 Subordinate References
               22.3.2.4 Non-Specific Subordinate References
               22.3.2.5 Cross References
               22.3.2.6 Supplier References
               22.3.2.7 Consumer References
     22.4 Minimum Knowledge
          22.4.1 Superior Knowledge
          22.4.2 Subordinate Knowledge
          22.4.3 Supplier Knowledge
          22.4.4 Consumer Knowledge
     22.5 First Level DSAs
     22.6 Knowledge references to LDAP servers
23 Basic Elements of the DSA Information Model
     23.1 Definitions
     23.2 Introduction
     23.3 DSA Specific Entries and their Names
     23.4 Basic Elements
          23.4.1 DSA Operational Attributes
          23.4.2 DSE Types
24 Representation of DSA Information
     24.1 Representation of Directory User and Operational Information
          24.1.1 Object Entry
          24.1.2 Alias Entry
          24.1.3 Administrative Point
          24.1.4 Subentry
          24.1.5 Family member
     24.2 Representation of Knowledge References
          24.2.1 Knowledge Attribute Types
               24.2.1.1 My Access Point
               24.2.1.2 Superior Knowledge
               24.2.1.3 Specific Knowledge
               24.2.1.4 Non-Specific Knowledge
               24.2.1.5 Supplier Knowledge
               24.2.1.6 Consumer Knowledge
               24.2.1.7 Secondary Shadow Knowledge
               24.2.1.8 DIT Bridge Knowledge
               24.2.1.9 Matching Rules
                    24.2.1.9.1 Access Point Match
                    24.2.1.9.2 Master And Shadow Access Points Match
                    24.2.1.9.3 Supplier or Consumer Information Match
                    24.2.1.9.4 Suppliers and Consumers Match
          24.2.2 Knowledge Reference Types
               24.2.2.1 Self Reference
               24.2.2.2 Superior Reference
               24.2.2.3 Immediate Superior Reference
               24.2.2.4 Subordinate Reference
               24.2.2.5 Non-Specific Subordinate Reference
               24.2.2.6 Cross Reference
               24.2.2.7 Supplier Reference
               24.2.2.8 Consumer Reference
     24.3 Representation of Names and Naming Contexts
          24.3.1 Names and Glue DSEs
          24.3.2 Naming Contexts
          24.3.3 Example
25 Overview
     25.1 Definitions
     25.2 Introduction
26 Operational bindings
     26.1 General
     26.2 Application of the operational framework
          26.2.1 Two DSAs
          26.2.2 The agreement
          26.2.3 Operations
          26.2.4 Management of the agreement
     26.3 States of cooperation
27 Operational binding specification and management
     27.1 Operational binding type specification
     27.2 Operational binding management
     27.3 Operational binding specification templates
          27.3.1 Operational binding information object class
          27.3.2 Operational binding cooperation information object class
          27.3.3 Operational binding role information object class
28 Operations for operational binding management
     28.1 Application-context definition
     28.2 Establish Operational Binding operation
          28.2.1 Establish Operational Binding syntax
          28.2.2 Establish Operational Binding arguments
          28.2.3 Establish Operational Binding results
     28.3 Modify Operational Binding operation
          28.3.1 Modify Operational Binding syntax
          28.3.2 Modify Operational Binding argument
          28.3.3 Modify Operational Binding results
     28.4 Terminate Operational Binding operation
          28.4.1 Terminate Operational Binding syntax
          28.4.2 Terminate Operational Binding argument
          28.4.3 Terminate Operational Binding result
     28.5 Operational Binding Error
     28.6 Operational Binding Management Bind and Unbind
          28.6.1 DSA Operational Binding Management Bind
          28.6.2 DSA Operational Binding Management Unbind
29 Overview
     29.1 Definitions
     29.2 Introduction
30 LDAP interworking model
     30.1 LDAP interworking scenarios
     30.2 Overview of bound DSA handling LDAP operations
     30.3 General LDAP requestor characteristics
     30.4 LDAP extension mechanisms
          30.4.1 General
          30.4.2 LDAP controls
          30.4.3 LDAP extended operations
          30.4.4 LDAP extended features
31 LDAP specific system schema
     31.1 Operational Attribute types from IETF RFC 4512
          31.1.1 Introduction
          31.1.2 Naming contexts
          31.1.3 Alternative server
          31.1.4 Supported extension
          31.1.5 Supported control
          31.1.6 Supported SASL Mechanisms
          31.1.7 Supported LDAP version
          31.1.8 Supported features
          31.1.9 LDAP Syntaxes
     L.1 Example of an attribute hierarchy
     L.2 Example of a subtree specification
     L.3 Schema specification
          L.3.1 Object classes and name forms
          L.3.2 DIT structure rules
     L.4 DIT content rules
     L.5 DIT context use
     M.1 Introduction
     M.2 Permissions required for operations
     M.3 Permissions affecting error
     M.4 Entry level permissions
     M.5 Entry level permissions
     N.1 Introduction
     N.2 Design principles for Basic Access Control
     N.3 Introduction to example
     N.4 Policy affecting the definition of specific and inner areas
     N.5 Policy affecting the definition of Directory Access Control Domains (DACDs)
          N.5.1 Administrative area associated with each DACD
     N.6 Policy expressed in prescriptiveACI attributes
          N.6.1 prescriptiveACI for DACD-1
          N.6.2 prescriptiveACI for DACD-2
          N.6.3 prescriptiveACI for DACD-3
          N.6.4 prescriptiveACI for DACD-4
          N.6.5 prescriptiveACI for DACD-5
     N.7 Policy expressed in subentryACI attributes
          N.7.1 subentryACI in the administrative entry for ACSA-1
          N.7.2 subentryACI in the administrative entry for ACIA-1
     N.8 Policy expressed in entryACI attributes
     N.9 ACDF examples
          N.9.1 Public access read
          N.9.2 Public access search
               N.9.2.1 Check each entry in the search scope for proper entry permission
               N.9.2.2 Check for satisfaction of Filter
     N.10 Rule-based access control
     S.1 History tells us …
          S.1.1 Original concepts that are still valid
          S.1.2 Original concepts that are no longer valid
     S.2 A new look at name resolution
          S.2.1 The explicit knowledge model
          S.2.2 Name resolution with implicit knowledge