The X.500 Directory: Overview of Concepts, Models, and Services.


1. A Background of X.500

2. X.500 Overview

3. Directory Model definition

4. Overview of the Directory

5. The Directory Service

6. Distributed Directory

7. Access Control in the Directory

8. Replication in the Directory

9. Directory Protocol

10. X.500 Implementation (QUIPU).

11. X.500 Standard Documents.


1. A Background of X.500.

  : Appearance of interconnected local and wide area networks.
  : Need to provide basic services (distributed Directory information).
  : E-mail and electronic file transfer (FTP).
  : Fostered the growth of group interaction and cooperative research.

   - has changed how researchers interact with one another across the world.
   - single address schema (requires the individual's exact E-mail address).
  : Need for applications which will provide assistance.

2. X.500 Overview.

  : white pages support for E-mail.
  : is distributed over physically separated entities (DSAs).
  : defines the transfer protocols, the distributed operation procedures and
    other objects.
  : provides an information repository and service agents (which handle the
    information tree and retrieval requests for application users).
  : The distribution is transparent to the user
    (through the use of DSP operations).
  : Each user is represented by a DUA which is responsible for interacting
    with the Directory.
  : Easy and efficient access to the Directory information through local
    or nearby DSAs.
  : defines abstract ports and operations (simple interface protocol (DAP)).

   - Interrogation function: READ, COMPARE, LIST, SEARCH.
   - Entry manipulation function: ADD, REMOVE, MODIFY.

3. Directory Model Definitions.

  o attribute:
   - consists of a type and one or more values.
   - the attribute type indicates the class of information.
   - an attribute value is a particular instance of the class of information
     indicated by the attribute type.

  o entry:
   : arranged in a strictly hierarchical, logical tree form, the
     Directory Information Tree (DIT).

    - higher in the tree: countries, organizations.
    - lower in the tree: people, application processes.

   : has a distinguished name (DN) which identifies the entry uniquely in
     the totality of the DIB.
   : Each level has a naming authority which is responsible for the assignment
     of names from the point of the authority downwards.

   
                     Figure 1.: Structure of an Entry.

  
  o Directory Schema:
  
    The Directory Schema is the set of definitions and constraints which
    govern the structure and content of the user data held within the DIT.
    It is the "blueprint" for the location and form of information held by
    the Directory. The naming of entries, and the growth and form of the DIT,
    is handled by the various superior and subordinate authorities at their
    levels within the tree structure.
  
    Defines the way object entries are:

     - named and identified;
     - organized, to facilitate search and retrieval of directory
       information;
     - typed, i.e. the types and syntaxes of their attributes;
     - matched, i.e. the kinds of match permitted during a user search request.

    Enables the Directory service to:

     - prevent the addition of an inappropriate attribute type or syntax to an
       entry.
     - prevent the creation of a subordinate entry whose object class is not
       permitted at that position.

  o DSA:
    An OSI application process which is part of the Directory and whose role
    is to provide access to the DIB to DUAs and/or other DSAs.

  o DSA Model:
    The information is actually distributed over many DSAs which must cooperate.
    In order to cooperate successfully, the DSAs need information which
    describes how the distributed parts of the Directory are tied together.

   The DSA Information Model is concerned with:

   - how Directory information is mapped onto individual DSAs;
   - how DSAs hold copies of Directory information;
   - the operational information required by DSAs to engage in shadowing and
     to use shadowed information;
   - the operational information required by DSAs to perform name resolution
     and operation evaluation.

   The basis for this information is the distribution model described in
   the 1988 version of X.518. That model described how the entries in the
   DIT were grouped into Naming Contexts and how these contexts were linked
   together using knowledge references.

   The major extensions to the model are:

   - a standard mechanism for distributing copies of naming contexts (known
     as "shadowing").
   - knowledge references are effectively held as attributes in entries.

   * Knowledge reference: 
 
     The DIT is divided up into non-overlapping Naming Contexts. A Naming
     Context is a subtree containing at least one entry. A DSA holds one or
     more Naming Contexts. One DSA will hold the master copy of a Naming
     Context, but copies of that Naming Context may be held by many other
     DSAs. Knowledge References are the information which a DSA holds that
     allows it to identify the DSA which holds a particular Naming Context.

   * Shadowing:

     A Naming Context held by a DSA may either be the master copy of the
     Naming Context or a shadow (copy). The presence of shadow copies has
     required a number of changes to knowledge references.

  o DUA:

     An OSI application process which represents a user in accessing the
     Directory. The DUA interacts with the Directory by communicating with one
     or more DSAs. A DUA need not be bound to any particular DSA. It may
     interact directly with various DSAs to make the required requests. For
     some administrative reasons, it may not always be possible to interact
     directly with the DSA which needs to carry out the request, e.g. to
     return some Directory information. It is also possible that the DUA can
     access the Directory only through a single DSA. For this purpose, DSAs
     will need to interact with each other.

    - is manifested as an application process.
    - Each DUA represents precisely one Directory user.
    - accesses the Directory and interacts with it to obtain the service on
      behalf of a particular user.

  o DIB:
 
     The DIB is made up of information about objects; it is composed of entries.
     The entries of the DIB are arranged in the form of a tree, the DIT, whose
     vertices represent the entries. The DIB is the complete set of information
     to which the Directory provides access, and it includes all of the pieces
     of information which can be read or manipulated using the operations of
     the Directory.

 
              Figure 2.: Determination of Distinguished Names. 
  
    * To build a DN, an entry's relative distinguished name (RDN), which is
      unique among all the entries immediately below its parent entry, is
      appended to the DN of its parent entry.
  
  o DIT (Directory Information Tree):  
   
    In order to satisfy the requirement for the distribution and management
    of a potentially very large DIB, and to ensure that objects can be
    unambiguously named and their entries found, a flat structure of
    entries is not likely to be feasible.

    The term DIT is used instead of DIB only in contexts where the structure
    of the information is relevant. The hierarchical relationship commonly
    found among objects (e.g. a person works for a department which belongs to
    an organization, which is headquartered in a country) can be exploited
    by arranging the entries into a tree known as the DIT.

    The component parts of the DIT have the following interpretations:

    - The vertices are the entries. Object entries may be either leaf or
      non-leaf vertices.
    - The root is not an entry as such, but a null object entry.
    - The object represented by an entry is closely associated with the
      naming authority for its subordinates.
    - The root represents the highest level of naming authority for the
      DIB.

  o DIT structure:
 
    The DIT structure defines the distinguished names that entries may have and
    the ways in which they may be related to one another through the DIT.

   - DIT structure rule:

    . defines the permitted hierarchical relationships between entries, and
      their permitted RDNs.
    . identifies the subordinate and superior object classes.
    . identifies the attribute types which may be used in the RDNs of
      subordinate entries.
    . optionally, additional information.
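   As an added illustration (not part of the original notes), the following
   toy DIT enforces hypothetical structure rules of the kind described above
   (permitted superior object classes and the attribute type allowed in each
   RDN) and composes DNs from the chain of RDNs; the object classes and rules
   are constructed for this example, not a real X.501 subschema.

```python
# Added illustration (not part of the original notes): a toy DIT whose
# add_entry enforces hypothetical DIT structure rules (permitted superior
# object classes and the attribute type allowed in each RDN) and whose
# dn() composes a DN from the chain of RDNs.  The object classes and rules
# below are constructed for this example, not a real X.501 subschema.

# object class -> (permitted superior object classes, attribute type of its RDN)
STRUCTURE_RULES = {
    "country":            ({"root"}, "c"),
    "organization":       ({"country"}, "o"),
    "organizationalUnit": ({"organization", "organizationalUnit"}, "ou"),
    "person":             ({"organization", "organizationalUnit"}, "cn"),
}


class Entry:
    """One vertex of the DIT: its object class, its RDN and its subordinates."""

    def __init__(self, object_class, rdn=None, parent=None):
        self.object_class = object_class
        self.rdn = rdn               # (attribute type, value); None for the root
        self.parent = parent
        self.subordinates = {}       # rdn -> Entry, so RDNs are unique per superior

    def dn(self):
        """DN = DN of the superior entry with this entry's RDN appended."""
        if self.parent is None:      # the root is a null entry with an empty DN
            return ()
        return self.parent.dn() + (self.rdn,)


def add_entry(superior, object_class, attr_type, value):
    """Create a subordinate entry, rejecting anything the structure rules forbid."""
    superiors, rdn_type = STRUCTURE_RULES[object_class]
    if superior.object_class not in superiors:
        raise ValueError(f"{object_class} may not be subordinate to {superior.object_class}")
    if attr_type != rdn_type:
        raise ValueError(f"RDN of {object_class} must use attribute type {rdn_type!r}")
    rdn = (attr_type, value)
    if rdn in superior.subordinates:
        raise ValueError(f"RDN {rdn} is already used below {dn_string(superior) or 'root'}")
    entry = Entry(object_class, rdn, superior)
    superior.subordinates[rdn] = entry
    return entry


def dn_string(entry):
    """Render a DN root-first, e.g. 'c=GB, o=UCL, cn=Alice'."""
    return ", ".join(f"{t}={v}" for t, v in entry.dn())


def build_sample_dit():
    """Constructed sample: country > organization > unit > person."""
    root = Entry("root")
    gb = add_entry(root, "country", "c", "GB")
    ucl = add_entry(gb, "organization", "o", "UCL")
    cs = add_entry(ucl, "organizationalUnit", "ou", "Computer Science")
    alice = add_entry(cs, "person", "cn", "Alice")
    return root, alice
```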

 

                  Figure 3.: Overview of Directory Schema. 


4. Overview of the Directory.

   The Directory is a repository of information about objects, and the
   Directory services it provides to its users are concerned with various
   kinds of access to this information. The Directory is manifested as a set
   of one or more application processes known as DSAs.

   The Directory is a collection of open systems which cooperate to hold a
   logical database of information about a set of objects in the real world.
   The users of the Directory, including people and computer programs, can
   read or modify the information, or part of it, subject to having permission
   to do so. Each user is represented in accessing the Directory by a DUA,
   which is considered to be an application process. The information
   held in the Directory is collectively known as the DIB. The Directory
   provides a well-defined set of access capabilities, known as the abstract
   service of the Directory, to its users. This service provides simple
   modification and retrieval capabilities. The Directory will be distributed,
   perhaps widely distributed, both along functional and organizational lines.
   When the Directory is distributed, it may be desirable to replicate
   information to improve performance and availability.

   The provision and consumption of the Directory services requires that
   the users (DUAs) and the various functional components of the Directory
   cooperate with one another.


                        Figure 4: Access to Directory.
   

5. The Directory Service.

   All services are provided by the Directory in response to requests from
   DUAs. There are requests which allow interrogation of the Directory, and
   those which allow modification. In addition, requests for service can be
   qualified. The Directory always reports the outcome of each request that
   is made of it. The form of the normal outcome is specific to the request,
   and is evident from the description of the request.

   The Directory ensures that changes to the DIB, whether the result of a
   directory service request or of some other (local) means, result in a
   DIB which continues to obey the rules of the Directory schema.

  o service controls: 

   A number of controls can be applied to the various service requests,
   primarily to allow the user to impose limits on the use of resources
   which the Directory shall not surpass. The controls are: the amount of time,
   the size of results, the scope of search, the interaction modes, and the
   priority of the request.
 
  - Directory Interrogation: Read, Compare, Search, List, Abandon
  - Directory Modification:   Add Entry, Remove Entry, Modify Entry, 
                              Modify Distinguished Name
  - Other outcomes: Error, Referrals

6. The Distributed Directory.

  o Functional model: 
    
    The DSA's role is to provide access to the DIB to DUAs and/or other DSAs.
    A DSA may use information stored in its local database or interact
    with other DSAs to carry out requests. Alternatively, the DSA may
    direct a requester to another DSA which can help carry out the request.


                 Figure 5.: Functional Model of the Directory 

  o Organizational Model:
  
    A set of one or more DSAs and zero or more DUAs managed by a single
    organization may form a Directory Management Domain (DMD). The
    organization concerned may or may not elect to make use of the Directory
    Specification to govern the communications among the functional components
    within the DMD. A group of DSAs within one DMD may, at the option of
    the organization which manages the DMD, behave as a single DSA. A DMD
    may be an Administration DMD (ADDMD) or a Private DMD (PRDMD), depending
    on whether or not it is operated by a public telecommunications
    organization.
    
  o Operation of the model: 
   
    The DUA interacts directly with various DSAs to make requests. The
    DSA returns some Directory information. The DUA can also access the
    Directory through a single DSA, in which case the DSAs will need to
    interact with each other. The DSA is concerned with carrying out the
    requests of DUAs, and with obtaining information from elsewhere where it
    does not hold the necessary information itself.

 
                              Figure 6.: Referral
      
   : DSA 'C' receives a referral from DSA 'A' and is responsible for either
     conveying the request to DSA 'B' or conveying the referral back to
     the originating DUA.
   : If DSA 'C' returns the referral to the DUA, the "request (to 'B')"
     will not occur.
   : If DSA 'C' conveys the request to DSA 'B', it will not return a referral
     to the DUA.

 
                           Figure 7.: Referral
  
   : The DUA receives the referral from DSA 'C', and is responsible for
     reissuing the request directly to DSA 'A'.

 
                            Figure 8.: Uni-chaining
 
  : DSA uni-chaining, whereby the request can be passed through several
    DSAs before the response is returned.

  
                           Figure 9.: Multi-chaining

  : The DSA associated with the DUA carries out the request by forwarding 
    it to two or more other DSAs, the requests to each DSA being identical. 
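  As an added illustration (not part of the original notes), the following
  simulation shows name resolution across cooperating DSAs by means of naming
  contexts and knowledge references, in the referral, uni-chaining and
  multi-chaining modes of Figures 6 to 9; the DSA names, naming contexts and
  DNs are constructed for the example.

```python
# Added illustration (not part of the original notes): a simulation of name
# resolution across cooperating DSAs by means of naming contexts and
# knowledge references, showing the referral, uni-chaining and multi-chaining
# modes of Figures 6 to 9.  DSA names, naming contexts and DNs are constructed.

# Master DSA of each naming context; a context is a root-first DN prefix.
NAMING_CONTEXTS = {
    ("c=GB",): "A",
    ("c=GB", "o=UCL"): "B",
    ("c=GB", "o=UBC"): "C",
}

def knowledge_reference(dn):
    """Knowledge lookup: the DSA mastering the longest context that prefixes dn."""
    matches = [(ctx, dsa) for ctx, dsa in NAMING_CONTEXTS.items() if dn[:len(ctx)] == ctx]
    return max(matches, key=lambda m: len(m[0]))[1] if matches else None

class DSA:
    def __init__(self, name, mode):
        self.name = name
        self.mode = mode        # "refer": hand back a referral; "chain": forward it
        self.trace = []         # what this DSA did, for inspection

    def read(self, dn, dsas):
        """READ: answer locally, else chain to the responsible DSA or return a referral."""
        target = knowledge_reference(dn)
        if target == self.name:
            self.trace.append(f"served {'/'.join(dn)} locally")
            return ("result", self.name)
        if self.mode == "refer":
            self.trace.append(f"referral to {target}")
            return ("referral", target)        # Figures 6/7: the request is not passed on
        self.trace.append(f"chained to {target}")
        return dsas[target].read(dn, dsas)     # Figure 8: uni-chaining, no referral returned

    def search(self, base, dsas):
        """SEARCH below base: evaluate locally, then forward the identical request to
        every DSA mastering a subordinate naming context (Figure 9: multi-chaining)."""
        contributors = [self.name] if knowledge_reference(base) == self.name else []
        for ctx, dsa in sorted(NAMING_CONTEXTS.items()):
            if ctx[:len(base)] == base and dsa != self.name:
                self.trace.append(f"multi-chained search to {dsa}")
                dsas[dsa].trace.append(f"evaluated search below {'/'.join(base)}")
                contributors.append(dsa)       # each DSA evaluates the same request
        return contributors

def dua_read(dn, dsas, first):
    """A DUA bound to DSA `first`; on a referral it reissues the request itself."""
    hops, dsa = [first], dsas[first]
    while True:
        kind, who = dsa.read(dn, dsas)
        if kind == "result":
            return who, hops
        hops.append(who)                       # Figure 7: the DUA follows the referral
        dsa = dsas[who]

def demo():
    """Constructed scenario: C refers, A chains; both reach B, which masters o=UCL."""
    dsas = {n: DSA(n, m) for n, m in (("A", "chain"), ("B", "chain"), ("C", "refer"))}
    target = ("c=GB", "o=UCL", "cn=Alice")
    via_c = dua_read(target, dsas, "C")        # C -> referral -> DUA reissues to B
    via_a = dua_read(target, dsas, "A")        # A chains straight to B
    fanout = dsas["A"].search(("c=GB",), dsas) # A multi-chains to C and B
    return via_c, via_a, fanout
```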

7. Access control in the Directory

 
  : ITU-T Rec. X.501 | ISO/IEC 9594-2

  : Access to Directory information is determined by some administratively
    controlled security policy.

  o Authentication procedures and mechanisms include methods:

   - to verify and propagate, where necessary, the identity of DSAs,
     Directory users, and the origin of information received at an access
     point.
   - General authentication procedures are defined in ITU-T Rec. X.509 |
     ISO/IEC 9594-8.

  o Access control schemes include methods:

   - to specify access control information, and to enforce the access rights
     defined by that access control information.
   - to maintain access control information.

  o Control of access to information enables the prevention of unauthorized
    detection, disclosure, or modification of that information. The basic
    access control model for the Directory defines, for every operation, one
    or more points at which access control decisions may take place. Each
    access control decision involves:

   - the component within the Directory being accessed;
   - the user requesting the operation;
   - a specific right necessary to complete a portion of the operation;
   - the security policy governing access to that item.
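  As an added illustration (not part of the original notes), the following
  toy decision function is built from the four elements of an access control
  decision listed above, and is applied at more than one decision point of an
  operation (the entry, then each attribute); the rule format, precedence
  scheme, DNs and user names are constructed, not the Basic Access Control
  scheme of X.501 itself.

```python
# Added illustration (not part of the original notes): a toy access control
# decision function built from the four elements listed above: the item being
# accessed, the requesting user, the right required, and the governing policy.
# The rule format, precedence scheme, DNs and user names are constructed for
# this example; they are not the Basic Access Control scheme of X.501 itself.
from dataclasses import dataclass


@dataclass(frozen=True)
class ACI:
    """One access control item of the policy."""
    scope: tuple         # root-first DN prefix of the entries the rule covers
    attrs: frozenset     # attribute types covered; None means the entry and all attributes
    user: str            # a user DN string, or "*" for every requester
    rights: frozenset    # rights granted or denied, e.g. {"read", "modify"}
    grant: bool          # True grants, False denies
    precedence: int      # higher wins; at equal precedence a deny wins


def decide(item, user, right, policy):
    """Decision for one (entry DN, attribute-or-None) item; no applicable rule means deny."""
    dn, attr = item
    applicable = [a for a in policy
                  if dn[:len(a.scope)] == a.scope
                  and (a.attrs is None or attr in a.attrs)
                  and a.user in ("*", user)
                  and right in a.rights]
    if not applicable:
        return False
    top = max(a.precedence for a in applicable)
    return all(a.grant for a in applicable if a.precedence == top)


def authorize(entry_dn, attrs, user, right, policy):
    """Apply the decision at each point the operation needs it: first the entry,
    then every attribute it touches.  Returns (entry allowed, attributes allowed)."""
    if not decide((entry_dn, None), user, right, policy):
        return False, []
    return True, [a for a in attrs if decide((entry_dn, a), user, right, policy)]


# Constructed policy for the subtree c=GB, o=UCL: anyone may read, except that
# userPassword is denied to all readers, and only the admin may modify.
SAMPLE_POLICY = [
    ACI(("c=GB", "o=UCL"), None, "*", frozenset({"read"}), True, 1),
    ACI(("c=GB", "o=UCL"), frozenset({"userPassword"}), "*", frozenset({"read"}), False, 2),
    ACI(("c=GB", "o=UCL"), None, "cn=admin,o=UCL,c=GB", frozenset({"modify"}), True, 1),
]
```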

8. Replication in the Directory

  : ITU-T Rec. X.525 | ISO/IEC 9594-9

   Replication in the Directory refers to the existence of directory entry
   and operational information held by DSAs other than the DSA responsible
   for the creation and update of the information. The DSA responsible for
   creation and update of the information is the master DSA.

  The deployment of additional copies of directory entry information may 
  be of use in the improvement of the service provided by the Directory 
  by:

  - improving the performance of directory systems by moving directory
    information "closer" to particular Directory users;
  - improving the availability of the directory service by introducing
    redundant directory information and Directory components so that an
    individual component failure does not prevent all access to the information 
    in some portion of the DIT. 

  o Forms of Directory Replication
 
    1) Cache copies are copies of entry information.
    2) Shadowed copies are copies of directory information.

    - A DSA may retain information obtained from another DSA.
    - A DSA retaining such information may only supply it to DUAs in accordance
      with the access control policy, or if it is known that there are no read
      access controls on the information.
 
    - The information to be replicated will typically comprise three
      elements:

      (1) Replicated entry information from within a subtree of the DIT.
      (2) Relevant operational information, including access control
          information, required to give full read access to the replicated
          information.
      (3) Optionally, subordinate knowledge information.

    - The replicated information may form a subset of the complete information
      within the subtree, in that:
    
      (1) A selection of the entries may be made by specifying only those 
          that meet certain criteria on their object classes.
      (2) Within each entry, a selection of the attributes may be made in 
          accordance with a specification of attributes.

  o Replication and consistency of directory information 

    Consistency in the Directory is achieved when all copies of a specific
    attribute are the same. At times consistency may be subject to compromise,
    because transient inconsistencies can exist within the Directory
    for shadowed information and permanent inconsistencies can exist for
    cached information.

    - Cached entry information may become, and indefinitely remain,
      inconsistent with the master entry information.
    - Shadowed information held by a shadow consumer is brought into agreement
      with the corresponding information held by the shadow supplier according
      to a schedule contracted as part of the shadowing agreement.

    - In an environment where directory information is replicated, the
      Directory has no specific time constraints to achieve consistency.  
      A user of shadowed information will have a high level of confidence 
      in it because:
    
      (1) the shadowed information is internally consistent;
      (2) the knowledge relating it to the DIT is accurate; and
      (3) the shadowed entry will ultimately become consistent with the 
          entry in the master DSA.
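    As an added illustration (not part of the original notes), the following
    simulation shows the consistency behaviour described above: a master DSA
    modifies an entry, a cached copy stays stale indefinitely, and a shadow
    consumer converges at the next scheduled update of its shadowing
    agreement; the entries, values, clock and refresh period are constructed.

```python
# Added illustration (not part of the original notes): a small simulation of
# the consistency behaviour described above.  A master DSA modifies an entry;
# a cached copy stays stale indefinitely, while a shadow consumer converges at
# the next scheduled update of its (constructed) shadowing agreement.  The
# entries, values, clock and refresh period are all constructed.

class MasterDSA:
    """Holds the master copy; the only place where entries are created or changed."""

    def __init__(self, entries):
        self.entries = {dn: dict(attrs) for dn, attrs in entries.items()}

    def modify(self, dn, attr, value):
        self.entries[dn][attr] = value


class ShadowConsumer:
    """Shadow of one subtree, totally refreshed every `period` ticks per the agreement."""

    def __init__(self, supplier, prefix, period):
        self.supplier, self.prefix, self.period = supplier, prefix, period
        self.copy, self.last_refresh = {}, None

    def tick(self, now):
        """Called every time unit; refreshes only when the agreed schedule says so."""
        if self.last_refresh is None or now - self.last_refresh >= self.period:
            self.copy = {dn: dict(a) for dn, a in self.supplier.entries.items()
                         if dn[:len(self.prefix)] == self.prefix}
            self.last_refresh = now

    def read(self, dn, attr):
        return self.copy[dn][attr]


class CachingDSA:
    """Retains entry information obtained from another DSA and is never told of
    later changes, so its cache can remain inconsistent indefinitely."""

    def __init__(self, source):
        self.source, self.cache = source, {}

    def read(self, dn, attr):
        if dn not in self.cache:
            self.cache[dn] = dict(self.source.entries[dn])
        return self.cache[dn][attr]


def simulate():
    """Timeline: all copies agree at t=0, master changes at t=3, observe t=5 and t=10.
    Returns {time: (master value, shadow value, cached value)}."""
    alice = ("c=GB", "o=UCL", "cn=Alice")
    master = MasterDSA({alice: {"telephoneNumber": "1111"}})
    shadow = ShadowConsumer(master, ("c=GB", "o=UCL"), period=10)
    cache = CachingDSA(master)
    observed = {}
    for now in range(0, 11):
        shadow.tick(now)
        if now == 3:
            master.modify(alice, "telephoneNumber", "2222")
        if now in (0, 5, 10):
            observed[now] = (master.entries[alice]["telephoneNumber"],
                             shadow.read(alice, "telephoneNumber"),
                             cache.read(alice, "telephoneNumber"))
    return observed
```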
 
  o DSA View of replication 
 
     Although a DSA can detect the difference between replicated information
     and information which is held by a master, it generally uses
     both in the same way.  i.e., it satisfies user interrogation requests 
     with either, depending on which is most conveniently available to it. 
     Since the information held locally may be known to be partial, a DSA
     may pass an inquiry to another DSA better able to provide the information
     required.  

  o Replication and Access Control

     The Access Control Model allows access control information to be specified
     for an area of the DIT.  Any time entries are replicated to another DSA,
     the access control information shall also be replicated.

9. Directory protocols.

   : ITU-T Rec. X.519 | ISO/IEC 9594-5

   1. Directory Access Protocol (DAP): defines the exchange of requests 
      and outcomes between a  DUA and a DSA.
  
   2. Directory System Protocol (DSP): defines the exchange of requests 
      and outcomes between two DSAs.
  
   3. Directory Information Shadowing Protocol (DISP): defines the exchange
      of replication information between two DSAs that have established
      shadowing agreements.
  
   4. Directory Operational Binding Management Protocol (DOP): defines 
      the exchange of administrative information between two DSAs to administer
      operational bindings between them.

   Each protocol is defined by one or more application contexts, each
   containing a set of protocol elements. These application service
   elements are defined to use the Remote Operations Service Element (ROSE)
   of ITU-T Rec. X.880 | ISO/IEC 9072-1 to structure and support their
   interactions. Thus the DAP, DSP, DISP, and DOP are defined as sets of
   remote operations and errors using the ROS notation.

10. X.500 Implementation.

  : QUIPU (Univ. College London)
  : EAN X500 (Univ. of British Columbia)

  - They maintain their subschema, which must be updated manually and
    off-line for the executing DSAs and DUAs.

  - The Directory Schema is held within a master DSA. When other DSAs
    within the domain start up they load the schema from the master DSA
    into a usable data store. There is currently no implementation which
    dynamically propagates schema changes between its functional components
    (either DSAs or DUAs).

11. X.500 Standard Documents.