CONTENTS - ITU-T Rec. X.501 (08/2005) Information technology � Open Systems Interconnection � The Directory: Models

SECTION 1 � GENERAL��
�1�� Scope�
�2�� Normative references��
�� 2.1�� Identical Recommendations | International Standards��
�� 2.2�� Paired Recommendations | International Standards equivalent in technical content��
�� 2.3�� Other references��
�3�� Definitions��
�� 3.1�� Communication Definitions�
�� 3.2�� Basic directory definitions��
�� 3.3�� Distributed operation definitions��
�� 3.4�� Replication definitions��
�4�� Abbreviations��
�5�� Conventions��
SECTION 2 � OVERVIEW OF THE DIRECTORY MODELS��
�6�� Directory Models
�� 6.1�� Definitions�
�� 6.2�� The Directory and its users�
�� 6.3�� Directory and DSA Information Models��
�� 6.4�� Directory Administrative Authority Model��
SECTION 3 � MODEL OF DIRECTORY USER INFORMATION��
�7�� Directory Information Base��
�� 7.1�� Definitions�
�� 7.2�� Objects��
�� 7.3�� Directory entries��
�� 7.4�� The Directory Information Tree (DIT)��
�8�� Directory entries��
�� 8.1�� Definitions�
�� 8.2�� Overall structure��
�� 8.3�� Object classes��
�� 8.4�� Attribute Types��
�� 8.5�� Attribute Values��
�� 8.6�� Attribute Type Hierarchies�
�� 8.7�� Friend attributes��
�� 8.8�� Contexts�
�� 8.9�� Matching rules��
�� 8.10�� Entry collections��
�� 8.11�� Compound entries and families of entries��
�9�� Names
�� 9.1�� Definitions�
�� 9.2�� Names in general��
�� 9.3�� Relative Distinguished Names��
�� 9.4�� Name matching��
�� 9.5�� Names returned during operations��
�� 9.6�� Names held as attribute values or used as parameters��
�� 9.7�� Distinguished Names��
�� 9.8�� Alias Names��
10�� Hierarchical groups��
�� 10.1�� Definitions
�� 10.2�� Hierarchical relationship��
�� 10.3�� Sequential ordering of a hierarchical group�
SECTION 4 � DIRECTORY ADMINISTRATIVE MODEL��
11�� Directory Administrative Authority model
�� 11.1�� Definitions
�� 11.2�� Overview�
�� 11.3�� Policy��
�� 11.4�� Specific administrative authorities��
�� 11.5�� Administrative areas and administrative points��
�� 11.6�� DIT Domain policies��
�� 11.7�� DMD policies��
SECTION 5 � MODEL OF DIRECTORY ADMINISTRATIVE AND OPERATIONAL INFORMATION��
12�� Model of Directory Administrative and Operational Information��
�� 12.1�� Definitions
�� 12.2�� Overview�
�� 12.3�� Subtrees
�� 12.4�� Operational attributes��
�� 12.5�� Entries��
�� 12.6�� Subentries
�� 12.7�� Information model for collective attributes��
�� 12.8�� Information model for context defaults��
SECTION 6 � THE DIRECTORY SCHEMA��
13�� Directory Schema��
� ��13.1�� Definitions
�� 13.2�� Overview�
�� 13.3�� Object class definition��
�� 13.4�� Attribute type definition��
�� 13.5�� Matching rule definition��
�� 13.6�� Relaxations and tightenings
�� 13.7�� DIT structure definition��
�� 13.8�� DIT content rule definition�
�� 13.9�� Context type definition��
�� 13.10�� DIT Context Use definition��
�� 13.11�� Friends definition�
14�� Directory System Schema��
�� 14.1�� Overview�
�� 14.2�� System schema supporting the administrative and operational information model��
�� 14.3�� System schema supporting the administrative model��
�� 14.4�� System schema supporting general administrative and operational requirements��
�� 14.5�� System schema supporting access control��
�� 14.6�� System schema supporting the collective attribute model��
�� 14.7�� System schema supporting context assertion defaults��
�� 14.8�� System schema supporting the service administration model��
�� 14.9�� System schema supporting hierarchical groups��
�� 14.10�� Maintenance of system schema��
�� 14.11�� System schema for first-level subordinates
15�� Directory schema administration��
�� 15.1�� Overview�
�� 15.2�� Policy objects��
�� 15.3�� Policy parameters�
�� 15.4�� Policy procedures�
�� 15.5�� Subschema modification procedures��
�� 15.6�� Entry addition and modification procedures��
�� 15.7�� Subschema policy attributes��
SECTION 7 � DIRECTORY SERVICE ADMINISTRATION��
16�� Service Administration Model��
�� 16.1�� Definitions
�� 16.2�� Service-type/user-class model��
�� 16.3�� Service-specific administrative areas��
�� 16.4�� Introduction to search-rules��
�� 16.5�� Subfilters��
�� 16.6�� Filter requirements
�� 16.7�� Attribute information selection based on search-rules��
�� 16.8�� Access control aspects of search-rules��
�� 16.9�� Contexts aspects of search-rules��
�� 16.10�� Search-rule specification��
�� 16.11�� Matching restriction definition��
�� 16.12�� Search-validation function
SECTION 8 � SECURITY��
17�� Security model�
�� 17.1�� Definitions
�� 17.2�� Security policies��
�� 17.3�� Protection of Directory operations�
18�� Basic Access Control��
�� 18.1�� Scope and application��
�� 18.2�� Basic Access Control model��
�� 18.3�� Access control administrative areas��
�� 18.4�� Representation of Access Control Information��
�� 18.5�� The ACI operational attributes��
�� 18.6�� Protecting the ACI
�� 18.7�� Access control and Directory operations��
�� 18.8�� Access Control Decision Function�
�� 18.9�� Simplified Access Control�
19�� Rule-based Access Control��
�� 19.1�� Scope and application��
�� 19.2�� Rule-based Access Control model
�� 19.3�� Access control administrative areas��
�� 19.4�� Security Label��
�� 19.5�� Clearance�
�� 19.6�� Access Control and Directory operations��
�� 19.7�� Access Control Decision Function�
�� 19.8�� Use of Rule-based and Basic Access Control��
20�� Data Integrity in Storage�
�� 20.1�� Introduction��
�� 20.2�� Protection of an Entry or Selected Attribute Types
�� 20.3�� Context for Protection of a Single Attribute Value��
SECTION 9 � DSA MODELS��
21�� DSA Models��
�� 21.1�� Definitions
�� 21.2�� Directory Functional Model��
�� 21.3�� Directory Distribution Model��
SECTION 10 � DSA INFORMATION MODEL��
22�� Knowledge��
�� 22.1�� Definitions
�� 22.2�� Introduction��
�� 22.3�� Knowledge References��
�� 22.4�� Minimum Knowledge��
�� 22.5�� First Level DSAs��
23�� Basic Elements of the DSA Information Model��
�� 23.1�� Definitions
�� 23.2�� Introduction��
�� 23.3�� DSA-Specific Entries and their Names��
�� 23.4�� Basic Elements��
24�� Representation of DSA Information��
�� 24.1�� Representation of Directory User and Operational Information��
�� 24.2�� Representation of Knowledge References�
�� 24.3�� Representation of Names and Naming Contexts��
SECTION 11 � DSA OPERATIONAL FRAMEWORK��
25�� Overview��
�� 25.1�� Definitions
�� 25.2�� Introduction��
26�� Operational bindings��
�� 26.1�� General�
�� 26.2�� Application of the operational framework��
�� 26.3�� States of cooperation��
27�� Operational binding specification and management��
�� 27.1� ��Operational binding type specification��
�� 27.2�� Operational binding management��
�� 27.3�� Operational binding specification templates
28�� Operations for operational binding management��
�� 28.1�� Application-context definition��
� ��28.2�� Establish Operational Binding operation��
�� 28.3�� Modify Operational Binding operation��
�� 28.4�� Terminate Operational Binding operation��
�� 28.5�� Operational Binding Error�
�� 28.6�� Operational Binding Management Bind and Unbind��
Annex A � Object identifier usage��
Annex B � Information Framework in ASN.1��
Annex C � SubSchema Administration Schema in ASN.1��
Annex D � Service Administration in ASN.1��
Annex E � Basic Access Control in ASN.1��
Annex F � DSA Operational Attribute Types in ASN.1��
Annex G � Operational Binding Management in ASN.1��
Annex H � Enhanced security��
Annex I � The Mathematics of Trees��
Annex J � Name Design Criteria��
Annex K � Examples of various aspects of schema��
�� K.1�� Example of an attribute hierarchy��
�� K.2�� Example of a subtree specification�
�� K.3�� Schema specification��
�� K.4�� DIT content rules��
�� K.5�� DIT context use��
Annex L � Overview of basic access control permissions��
�� L.1�� Introduction��
�� L.2�� Permissions required for operations
�� L.3�� Permissions affecting error�
�� L.4�� Entry level permissions��
�� L.5�� Entry level permissions��
Annex M � Examples of access control��
�� M.1�� Introduction��
�� M.2�� Design principles for Basic Access Control��
�� M.3�� Introduction to example��
�� M.4�� Policy affecting the definition of specific and inner areas��
�� M.5�� Policy affecting the definition of DACDs��
�� M.6�� Policy expressed in prescriptiveACI attributes��
�� M.7�� Policy expressed in subentryACI attributes��
�� M.8�� Policy expressed in entryACI attributes��
�� M.9�� ACDF examples��
�� M.10�� Rule-based Access Control��
Annex N � DSE type combinations��
Annex O � Modelling of knowledge��
Annex P � Names held as attribute values or used as parameters��
Annex Q � Subfilters��
Annex R � Compound entry name patterns and their use��
Annex S � Naming concepts and considerations��
�� S.1�� History tells us ��
�� S.2�� A new look at name resolution��
Annex T � Alphabetical index of definitions��
Annex U � Amendments and corrigenda��