Table of Contents - ITU-T Rec. X.501 (10/2016) Information technology � Open Systems Interconnection � The Directory: Models

SECTION 1 � GENERAL��
�1�� Scope��
�2�� References
�� 2.1�� Normative references��
�� 2.2�� Non-normative reference��
�3�� Definitions�
�� 3.1�� Communication definitions��
�� 3.2�� Basic Directory definitions��
�� 3.3�� Distributed operation definitions��
�� 3.4�� Replication definitions��
�4�� Abbreviations��
�5�� Conventions��
SECTION 2 � OVERVIEW OF THE DIRECTORY MODELS��
�6�� Directory Models��
�� 6.1�� Definitions��
�� 6.2�� The Directory and its users��
�� 6.3�� Directory and DSA Information Models��
�� 6.4�� Directory Administrative Authority Model��
SECTION 3 � MODEL OF DIRECTORY USER INFORMATION��
�7�� Directory Information Base
�� 7.1�� Definitions��
�� 7.2�� Objects��
�� 7.3�� Directory entries��
�� 7.4�� Directory Information Tree (DIT)��
�8�� Directory entries��
�� 8.1�� Definitions��
�� 8.2�� Overall structure��
�� 8.3�� Object classes
�� 8.4�� Attribute types��
�� 8.5�� Attribute values��
�� 8.6�� Attribute type hierarchies��
�� 8.7�� Friend attributes��
�� 8.8�� Contexts��
�� 8.9�� Matching rules��
�� 8.10�� Entry collections��
�� 8.11 ��Compound entries and families of entries��
�9�� Names��
�� 9.1�� Definitions��
�� 9.2�� Names in general��
�� 9.3�� Relative distinguished name��
�� 9.4�� Name matching��
�� 9.5�� Distinguished names��
�� 9.6�� Alias names��
10�� Hierarchical groups��
�� 10.1�� Definitions��
�� 10.2�� Hierarchical relationship��
�� 10.3�� Sequential ordering of a hierarchical group��
SECTION 4 � DIRECTORY ADMINISTRATIVE MODEL��
11�� Directory Administrative Authority model��
�� 11.1�� Definitions��
�� 11.2�� Overview��
�� 11.3�� Policy��
�� 11.4�� Specific administrative authorities��
�� 11.5�� Administrative areas and administrative points��
�� 11.6�� DIT Domain policies��
�� 11.7 ��DMD policies
SECTION 5 � MODEL OF DIRECTORY ADMINISTRATIVE AND OPERATIONAL INFORMATION��
12�� Model of Directory Administrative and Operational Information��
�� 12.1�� Definitions��
�� 12.2�� Overview��
�� 12.3�� Subtrees��
�� 12.4�� Operational attributes��
�� 12.5�� Entries��
�� 12.6�� Subentries��
�� 12.7�� Information model for collective attributes��
�� 12.8�� Information model for context defaults��
SECTION 6 � THE DIRECTORY SCHEMA��
13�� Directory Schema��
�� 13.1�� Definitions��
�� 13.2�� Overview��
�� 13.3�� Object class definition��
�� 13.4�� Attribute type definition��
�� 13.5�� Matching rule definition��
�� 13.6�� Relaxation and tightening��
�� 13.7�� DIT structure definition��
�� 13.8�� DIT content rule definition��
�� 13.9�� Context type definition��
�� 13.10�� DIT Context Use definition��
�� 13.11�� Friends definition��
�� 13.12�� Syntax definitions��
14�� Directory System Schema��
�� 14.1�� Overview��
�� 14.2�� System schema supporting the administrative and operational information model��
�� 14.3�� System schema supporting the administrative model
�� 14.4�� System schema supporting general administrative and operational requirements��
�� 14.5�� System schema supporting access control��
�� 14.6�� System schema supporting the collective attribute model��
�� 14.7�� System schema supporting context assertion defaults��
�� 14.8�� System schema supporting the service administration model
�� 14.9�� System schema supporting password administration�
�� 14.10�� System schema supporting hierarchical groups��
�� 14.11�� Maintenance of system schema��
�� 14.12�� System schema for first-level subordinates��
15�� Directory schema administration��
�� 15.1�� Overview��
�� 15.2�� Policy objects��
�� 15.3�� Policy parameters��
�� 15.4�� Policy procedures��
�� 15.5�� Subschema modification procedures�
�� 15.6�� Entry addition and modification procedures��
�� 15.7�� Subschema policy attributes��
�� Page
SECTION 7 � DIRECTORY SERVICE ADMINISTRATION��
16�� Service Administration Model��
�� 16.1�� Definitions��
�� 16.2�� Service-type/user-class model��
�� 16.3�� Service-specific administrative areas�
�� 16.4�� Introduction to search-rules��
�� 16.5�� Subfilters��
�� 16.6�� Filter requirements��
�� 16.7�� Attribute information selection based on search-rules��
�� 16.8�� Access control aspects of search-rules��
�� 16.9�� Contexts aspects of search-rules��
�� 16.10�� Search-rule specification��
�� 16.11�� Matching restriction definition��
�� 16.12�� Search-validation function��
SECTION 8 � SECURITY��
17�� Security model��
�� 17.1�� Definitions��
�� 17.2�� Security policies��
�� 17.3�� Protection of Directory operations��
18�� Basic Access Control��
�� 18.1�� Scope and application��
�� 18.2�� Basic Access Control model��
�� 18.3�� Access control administrative areas��
�� 18.4�� Representation of Access Control Information��
�� 18.5�� ACI operational attributes��
�� 18.6�� Protecting the ACI��
�� 18.7�� Access control and Directory operations��
�� 18.8�� Access Control Decision Function��
�� 18.9�� Simplified Access Control��
19�� Rule-based Access Control
�� 19.1�� Scope and application��
�� 19.2�� Rule-based Access Control model��
�� 19.3�� Access control administrative areas��
�� 19.4�� Security Label��
�� 19.5�� Clearance��
�� 19.6�� Access Control and Directory operations��
�� 19.7�� Access Control Decision Function��
�� 19.8�� Use of Rule-based and Basic Access Control��
20�� Data Integrity in Storage��
�� 20.1�� Introduction�
�� 20.2�� Protection of an Entry or Selected Attribute Types��
�� 20.3�� Context for Protection of a Single Attribute Value��
SECTION 9 � DSA MODELS��
21�� DSA Models��
�� 21.1�� Definitions��
�� 21.2�� Directory Functional Model��
�� 21.3�� Directory Distribution Model�
SECTION 10 � DSA INFORMATION MODEL��
22�� Knowledge��
�� 22.1�� Definitions��
�� 22.2�� Introduction�
�� 22.3�� Knowledge References��
�� 22.4�� Minimum Knowledge��
�� 22.5�� First Level DSAs��
�� 22.6�� Knowledge references to LDAP servers��
23�� Basic Elements of the DSA Information Model��
�� 23.1�� Definitions��
�� 23.2�� Introduction�
�� 23.3�� DSA Specific Entries and their Names
�� 23.4�� Basic Elements��
24�� Representation of DSA Information��
�� 24.1�� Representation of Directory User and Operational Information��
�� 24.2�� Representation of Knowledge References��
�� 24.3�� Representation of Names and Naming Contexts��
SECTION 11 � DSA OPERATIONAL FRAMEWORK��
25�� Overview��
�� 25.1�� Definitions��
�� 25.2�� Introduction�
26�� Operational bindings��
�� 26.1�� General��
�� 26.2�� Application of the operational framework��
�� 26.3�� States of cooperation��
27�� Operational binding specification and management��
�� 27.1�� Operational binding type specification��
�� 27.2�� Operational binding management��
�� 27.3�� Operational binding specification templates��
28�� Operations for operational binding management��
�� 28.1�� Application-context definition��
�� 28.2�� Establish Operational Binding operation��
�� 28.3�� Modify Operational Binding operation��
�� 28.4�� Terminate Operational Binding operation��
�� 28.5�� Operational Binding Error��
�� 28.6�� Operational Binding Management Bind and Unbind��
SECTION 12 � INTERWORKING WITH LDAP��
29�� Overview��
�� 29.1�� Definitions��
�� 29.2�� Introduction�
30�� LDAP interworking model��
�� 30.1�� LDAP interworking scenarios�
�� 30.2�� Overview of bound DSA handling LDAP operations��
�� 30.3�� General LDAP requestor characteristics��
�� 30.4�� LDAP extension mechanisms
31�� LDAP specific system schema��
�� 31.1�� Operational Attribute types from IETF RFC 4512��
Annex A � Object identifier usage��
Annex B � Information framework in ASN.1��
Annex C � Subschema administration in ASN.1��
Annex D � Service administration in ASN.1��
Annex E � Basic Access Control in ASN.1��
Annex F � DSA operational attribute types in ASN.1��
Annex G � Operational binding management in ASN.1��
Annex H � Enhanced security in ASN.1��
�� Page
Annex I � LDAP system schema��
Annex J � The mathematics of trees��
Annex K � Name design criteria��
Annex L � Examples of various aspects of schema��
�� L.1�� Example of an attribute hierarchy��
�� L.2�� Example of a subtree specification��
�� L.3�� Schema specification��
� ��L.4�� DIT content rules��
�� L.5�� DIT context use��
Annex M � Overview of basic access control permissions��
�� M.1�� Introduction�
�� M.2�� Permissions required for operations�
�� M.3�� Permissions affecting error��
� ��M.4�� Entry level permissions��
�� M.5�� Entry level permissions��
Annex N � Examples of access control��
�� N.1�� Introduction��
�� N.2�� Design principles for Basic Access Control��
�� N.3�� Introduction to example��
�� N.4�� Policy affecting the definition of specific and inner areas��
�� N.5�� Policy affecting the definition of Directory Access Control Domains (DACDs)��
�� N.6�� Policy expressed in prescriptiveACI attributes
�� N.7�� Policy expressed in subentryACI attributes��
�� N.8�� Policy expressed in entryACI attributes��
�� N.9�� ACDF examples��
�� N.10�� Rule-based access control��
Annex O � DSE type combinations��
Annex P � Modelling of knowledge��
Annex Q � Subfilters��
Annex R � Compound entry name patterns and their use��
Annex S � Naming concepts and considerations��
�� S.1�� History tells us ��
�� S.2�� A new look at name resolution��
Annex T � Alphabetical index of definitions��
Annex U � Amendments and corrigenda��