`
`
`
`ITU-T
`
`TELECOMMUNICATION
`STANDARDIZATION SECTOR
`OF ITU
`
`X.500
`
`(11/2008)
`
`SERIES X: DATA NETWORKS, OPEN SYSTEM
`COMMUNICATIONS AND SECURITY
`Directory
`
`Information technology – Open Systems
`Interconnection – The Directory: Overview of
`concepts, models and services
`
`ITU-T Recommendation X.500
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`VIRNETX EXHIBIT 2015
`Apple v. Virnetx
`Case IPR2013-00397
`
`Page 1 of 32
`
`
`
`
`
`
`
ITU-T X-SERIES RECOMMENDATIONS
DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY

PUBLIC DATA NETWORKS
    Services and facilities                              X.1–X.19
    Interfaces                                           X.20–X.49
    Transmission, signalling and switching               X.50–X.89
    Network aspects                                      X.90–X.149
    Maintenance                                          X.150–X.179
    Administrative arrangements                          X.180–X.199
OPEN SYSTEMS INTERCONNECTION
    Model and notation                                   X.200–X.209
    Service definitions                                  X.210–X.219
    Connection-mode protocol specifications              X.220–X.229
    Connectionless-mode protocol specifications          X.230–X.239
    PICS proformas                                       X.240–X.259
    Protocol Identification                              X.260–X.269
    Security Protocols                                   X.270–X.279
    Layer Managed Objects                                X.280–X.289
    Conformance testing                                  X.290–X.299
INTERWORKING BETWEEN NETWORKS
    General                                              X.300–X.349
    Satellite data transmission systems                  X.350–X.369
    IP-based networks                                    X.370–X.379
MESSAGE HANDLING SYSTEMS                                 X.400–X.499
DIRECTORY                                                X.500–X.599
OSI NETWORKING AND SYSTEM ASPECTS
    Networking                                           X.600–X.629
    Efficiency                                           X.630–X.639
    Quality of service                                   X.640–X.649
    Naming, Addressing and Registration                  X.650–X.679
    Abstract Syntax Notation One (ASN.1)                 X.680–X.699
OSI MANAGEMENT
    Systems Management framework and architecture        X.700–X.709
    Management Communication Service and Protocol        X.710–X.719
    Structure of Management Information                  X.720–X.729
    Management functions and ODMA functions              X.730–X.799
SECURITY                                                 X.800–X.849
OSI APPLICATIONS
    Commitment, Concurrency and Recovery                 X.850–X.859
    Transaction processing                               X.860–X.879
    Remote operations                                    X.880–X.889
    Generic applications of ASN.1                        X.890–X.899
OPEN DISTRIBUTED PROCESSING                              X.900–X.999
INFORMATION AND NETWORK SECURITY                         X.1000–X.1099
SECURE APPLICATIONS AND SERVICES                         X.1100–X.1199
CYBERSPACE SECURITY                                      X.1200–X.1299
SECURE APPLICATIONS AND SERVICES                         X.1300–X.1399

For further details, please refer to the list of ITU-T Recommendations.
`
`
`
`
`
`
`
`INTERNATIONAL STANDARD ISO/IEC 9594-1
`ITU-T RECOMMENDATION X.500
`
`Information technology – Open Systems Interconnection – The Directory:
`Overview of concepts, models and services
`
`
`
`
`
`
`
`Summary
`ITU-T Recommendation X.500 | ISO/IEC 9594-1 introduces the concepts of the Directory and the DIB (Directory
`Information Base) and overviews the services and capabilities which they provide.
`
`
`
`
`
`Source
`ITU-T Recommendation X.500 was approved on 13 November 2008 by ITU-T Study Group 17 (2009-2012) under the
`ITU-T Recommendation A.8 procedure. An identical text is also published as ISO/IEC 9594-1.
`
`
`
`
`
`
`
`
`
`
`
`
`
`ITU-T Rec. X.500 (11/2008)
`
`
`
`
`
`
`FOREWORD
`The International Telecommunication Union (ITU) is the United Nations specialized agency in the field of
`telecommunications, information and communication technologies (ICTs). The ITU Telecommunication
`Standardization Sector (ITU-T) is a permanent organ of ITU. ITU-T is responsible for studying technical,
`operating and tariff questions and issuing Recommendations on them with a view to standardizing
`telecommunications on a worldwide basis.
`The World Telecommunication Standardization Assembly (WTSA), which meets every four years,
`establishes the topics for study by the ITU-T study groups which, in turn, produce Recommendations on
`these topics.
`The approval of ITU-T Recommendations is covered by the procedure laid down in WTSA Resolution 1.
`In some areas of information technology which fall within ITU-T's purview, the necessary standards are
`prepared on a collaborative basis with ISO and IEC.
`
`
`
`NOTE
`In this Recommendation, the expression "Administration" is used for conciseness to indicate both a
`telecommunication administration and a recognized operating agency.
`Compliance with this Recommendation is voluntary. However, the Recommendation may contain certain
`mandatory provisions (to ensure e.g., interoperability or applicability) and compliance with the
`Recommendation is achieved when all of these mandatory provisions are met. The words "shall" or some
`other obligatory language such as "must" and the negative equivalents are used to express requirements. The
`use of such words does not suggest that compliance with the Recommendation is required of any party.
`
`
`
`INTELLECTUAL PROPERTY RIGHTS
`ITU draws attention to the possibility that the practice or implementation of this Recommendation may
`involve the use of a claimed Intellectual Property Right. ITU takes no position concerning the evidence,
`validity or applicability of claimed Intellectual Property Rights, whether asserted by ITU members or others
`outside of the Recommendation development process.
`As of the date of approval of this Recommendation, ITU had not received notice of intellectual property,
`protected by patents, which may be required to implement this Recommendation. However, implementers
`are cautioned that this may not represent the latest information and are therefore strongly urged to consult the
`TSB patent database at http://www.itu.int/ITU-T/ipr/.
`
`
`
`© ITU 2009
`All rights reserved. No part of this publication may be reproduced, by any means whatsoever, without the
`prior written permission of ITU.
`
`
`
`
`
`1
`2
`
`3
`
`4
`5
`6
`7
`8
`
`9
`
`10
`11
`12
`
`13
`14
`
`
`
`CONTENTS
`
`Page
`1
`1
`1
`2
`2
`2
`3
`3
`3
`3
`4
`4
`5
`7
`7
`7
`8
`8
`9
`9
`9
`10
`10
`13
`14
`15
`15
`15
`16
`16
`17
`17
`17
`18
`18
`18
`19
`19
`19
`19
`21
`23
`
`Scope.....................................................................................................................................
`Normative references ................................................................................................................
`2.1
`Identical Recommendations | International Standards.............................................................
`Definitions ..............................................................................................................................
`3.1 Communication model definitions......................................................................................
`3.2 Directory model definitions...............................................................................................
`3.3 Distributed Operation definitions .......................................................................................
`3.4 Replication definitions .....................................................................................................
`3.5 Basic directory definitions ................................................................................................
`Abbreviations ..........................................................................................................................
`Conventions ............................................................................................................................
`Overview of the Directory..........................................................................................................
`The Directory Information Base (DIB) .........................................................................................
`The Directory service ................................................................................................................
`8.1
`Introduction ...................................................................................................................
`8.2
`Service qualification ........................................................................................................
`8.3 Directory interrogation.....................................................................................................
`8.4 Directory modification .....................................................................................................
`8.5 Other outcomes...............................................................................................................
`The distributed Directory ...........................................................................................................
`9.1
`Functional model ............................................................................................................
`9.2 Organizational model.......................................................................................................
`9.3 Operation of the model.....................................................................................................
`Access control in the Directory....................................................................................................
`Service administration ...............................................................................................................
`Replication in the Directory........................................................................................................
`12.1
`Introduction ...................................................................................................................
`12.2 Forms of Directory replication...........................................................................................
`12.3 Replication and consistency of Directory information.............................................................
`12.4 Views of replication.........................................................................................................
`12.5 Replication and Access Control .........................................................................................
`Directory protocols ...................................................................................................................
`Systems management of the Directory ..........................................................................................
`14.1
`Introduction ...................................................................................................................
`14.2 Management of the DIT domain.........................................................................................
`14.3 Management of Directory components ................................................................................
`Annex A – Applying the Directory .......................................................................................................
`A.1 The Directory environment ...............................................................................................
`A.2 Directory service characteristics.........................................................................................
`A.3 Patterns of use of the Directory..........................................................................................
`A.4 Generic applications ........................................................................................................
`Annex B – Amendments and corrigenda................................................................................................
`
`
`
`
`
`
`
`
`
`
`
`Introduction
`This Recommendation | International Standard together with other Recommendations | International Standards, has
`been produced to facilitate the interconnection of information processing systems to provide directory services. A set of
`such systems, together with the directory information that they hold, can be viewed as an integrated whole, called the
`Directory. The information held by the Directory, collectively known as the Directory Information Base (DIB), is
`typically used to facilitate communication between, with or about objects such as application entities, people, terminals
`and distribution lists.
`The Directory plays a significant role in Open Systems Interconnection, whose aim is to allow, with a minimum of
`technical agreement outside of the interconnection standards themselves, the interconnection of information processing
`systems:
`
`from different manufacturers;
`–
`under different managements;
`–
`of different levels of complexity; and
`–
`of different ages.
`–
`This Recommendation | International Standard introduces and models the concepts of the Directory and of the DIB and
`overviews the services and capabilities which they provide. Other Recommendations | International Standards make use
`of these models in defining the abstract service provided by the Directory, and in specifying the protocols through
`which this service can be obtained or propagated.
`This Recommendation | International Standard provides the foundation frameworks upon which industry profiles can be
defined by other standards groups and industry forums. Many of the features defined as optional in these frameworks
may be mandated for use in certain environments through profiles. This sixth edition technically revises and enhances,
`but does not replace, the fifth edition of this Recommendation | International Standard. Implementations may still claim
`conformance to the fifth edition. However, at some point, the fifth edition will not be supported (i.e., reported defects
`will no longer be resolved). It is recommended that implementations conform to this sixth edition as soon as possible.
`This sixth edition specifies versions 1 and 2 of the Directory protocols.
`The first and second editions specified only version 1. Most of the services and protocols specified in this edition are
`designed to function under version 1. However some enhanced services and protocols, e.g., signed errors, will not
`function unless all Directory entities involved in the operation have negotiated version 2. Whichever version has been
`negotiated, differences between the services and between the protocols defined in the six editions, except for those
`specifically assigned to version 2, are accommodated using the rules of extensibility defined in ITU-T Rec. X.519 |
`ISO/IEC 9594-5.
`Annex A, which is an integral part of this Recommendation | International Standard, describes the types of use to which
`the Directory can be applied.
`Annex B, which is not an integral part of this Recommendation | International Standard, lists the amendments and
`defect reports that have been incorporated to form this edition of this Recommendation | International Standard.
`
`
`
`
`INTERNATIONAL STANDARD
`ITU-T RECOMMENDATION
`
`ISO/IEC 9594-1:2008 (E)
`
`Information technology – Open Systems Interconnection – The Directory:
`Overview of concepts, models and services
`
1 Scope
`The Directory provides the directory capabilities required by OSI applications, OSI management processes, other OSI
`layer entities, and telecommunications services. Among the capabilities which it provides are those of "user-friendly
`naming", whereby objects can be referred to by names which are suitable for citing by human users (though not all
`objects need have user-friendly names); and "name-to-address mapping" which allows the binding between objects and
`their locations to be dynamic. The latter capability allows OSI networks, for example, to be "self-configuring" in the
`sense that addition, removal and the changes of object location do not affect OSI network operation.
`The Directory is not intended to be a general-purpose database system, although it may be built on such systems. It is
`assumed, for instance, that, as is typical with communications directories, there is a considerably higher frequency of
`"queries" than of updates. The rate of updates is expected to be governed by the dynamics of people and organizations,
`rather than, for example, the dynamics of networks. There is also no need for instantaneous global commitment of
`updates; transient conditions, where both old and new versions of the same information are available, are quite
`acceptable.
`It is a characteristic of the Directory that, except as a consequence of differing access rights or unpropagated updates,
`the results of directory queries will not be dependent on the identity or location of the inquirer. This characteristic
`renders the Directory unsuitable for some telecommunications applications, for example some types of routing. For
`cases where the results are dependent on the identity of the inquirer, access to directory information and updates of the
`Directory may be denied.
`
2 Normative references
The following Recommendations and International Standards contain provisions which, through reference in this text,
constitute provisions of this Recommendation | International Standard. At the time of publication, the editions indicated
were valid. All Recommendations and Standards are subject to revision, and parties to agreements based on this
Recommendation | International Standard are encouraged to investigate the possibility of applying the most recent
edition of the Recommendations and Standards listed below. Members of IEC and ISO maintain registers of currently
valid International Standards. The Telecommunication Standardization Bureau of the ITU maintains a list of currently
valid ITU-T Recommendations.

2.1 Identical Recommendations | International Standards
–   ITU-T Recommendation X.200 (1994) | ISO/IEC 7498-1:1994, Information technology – Open Systems
    Interconnection – Basic Reference Model: The Basic Model.
–   ITU-T Recommendation X.501 (2008) | ISO/IEC 9594-2:2008, Information technology – Open Systems
    Interconnection – The Directory: Models.
–   ITU-T Recommendation X.509 (2008) | ISO/IEC 9594-8:2008, Information technology – Open Systems
    Interconnection – The Directory: Public-key and attribute certificate frameworks.
–   ITU-T Recommendation X.511 (2008) | ISO/IEC 9594-3:2008, Information technology – Open Systems
    Interconnection – The Directory: Abstract service definition.
–   ITU-T Recommendation X.518 (2008) | ISO/IEC 9594-4:2008, Information technology – Open Systems
    Interconnection – The Directory: Procedures for distributed operation.
–   ITU-T Recommendation X.519 (2008) | ISO/IEC 9594-5:2008, Information technology – Open Systems
    Interconnection – The Directory: Protocol specifications.
–   ITU-T Recommendation X.520 (2008) | ISO/IEC 9594-6:2008, Information technology – Open Systems
    Interconnection – The Directory: Selected attribute types.
–   ITU-T Recommendation X.521 (2008) | ISO/IEC 9594-7:2008, Information technology – Open Systems
    Interconnection – The Directory: Selected object classes.
–   ITU-T Recommendation X.525 (2008) | ISO/IEC 9594-9:2008, Information technology – Open Systems
    Interconnection – The Directory: Replication.
–   ITU-T Recommendation X.530 (2008) | ISO/IEC 9594-10:2008, Information technology – Open Systems
    Interconnection – The Directory: Use of systems management for administration of the Directory.
`
3 Definitions
For the purposes of this Recommendation | International Standard, the following definitions apply.

3.1 Communication model definitions
The following terms are defined in ITU-T Rec. X.519 | ISO/IEC 9594-5:
a) application-entity;
b) application layer;
c) application process.

3.2 Directory model definitions
The following terms are defined in ITU-T Rec. X.501 | ISO/IEC 9594-2:
a) access control;
b) Administration Directory Management Domain;
c) alias;
d) ancestor;
e) attribute;
f) attribute type;
g) attribute value;
h) authentication;
i) compound entry;
j) context;
k) Directory Information Tree (DIT);
l) Directory Management Domain (DMD);
m) Directory System Agent (DSA);
n) Directory User Agent (DUA);
o) distinguished name;
p) entry;
q) family (of entries);
r) hierarchical group;
s) LDAP client;
t) LDAP requester;
u) LDAP responder;
v) LDAP server;
w) name;
x) object (of interest);
y) Private Directory Management Domain;
z) related entries;
aa) relative distinguished name;
bb) root;
cc) schema;
dd) security policy;
ee) subordinate object;
ff) superior entry;
gg) superior object;
hh) tree.

3.3 Distributed Operation definitions
The following terms are defined in ITU-T Rec. X.518 | ISO/IEC 9594-4:
a) uni-chaining;
b) multi-chaining;
c) referral.

3.4 Replication definitions
The following terms are defined in ITU-T Rec. X.525 | ISO/IEC 9594-9:
a) caching;
b) cache-copy;
c) entry-copy;
d) master DSA;
e) replication;
f) shadow consumer;
g) shadow supplier;
h) shadowed information;
i) shadowing agreement.

3.5 Basic directory definitions
The following terms are defined in this Recommendation | International Standard:
3.5.1 the Directory: A collection of open systems cooperating to provide directory services.
3.5.2 directory information base (DIB): The set of information managed by the Directory.
3.5.3 (directory) user: The end user of the Directory, i.e., the entity or person which accesses the Directory.
`
4 Abbreviations
For the purposes of this Recommendation | International Standard, the following abbreviations apply:
ACI     Access Control Information
ADDMD   Administration Directory Management Domain
DAP     Directory Access Protocol
DIB     Directory Information Base
DISP    Directory Information Shadowing Protocol
DIT     Directory Information Tree
DMD     Directory Management Domain
DOP     Directory Operational Binding Management Protocol
DSA     Directory System Agent
DSP     Directory System Protocol
DUA     Directory User Agent
LDAP    Lightweight Directory Access Protocol
OSI     Open Systems Interconnection
PRDMD   Private Directory Management Domain
RDN     Relative Distinguished Name
`
5 Conventions
`The term "Directory Specification" (as in "this Directory Specification") shall be taken to mean ITU-T Rec. X.500 |
`ISO/IEC 9594-1. The term "Directory Specifications" shall be taken to mean the X.500-series Recommendations and all
`parts of ISO/IEC 9594.
`This Directory Specification uses the term first edition systems to refer to systems conforming to the first edition of the
`Directory Specifications, i.e., the 1988 edition of the series of CCITT X.500 Recommendations and the
`ISO/IEC 9594:1990 edition.
`This Directory Specification uses the term second edition systems to refer to systems conforming to the second edition
`of the Directory Specifications, i.e., the 1993 edition of the series of ITU-T X.500 Recommendations and the
`ISO/IEC 9594:1995 edition.
`This Directory Specification uses the term third edition systems to refer to systems conforming to the third edition of the
`Directory Specifications, i.e., the 1997 edition of the series of ITU-T X.500 Recommendations and the ISO/IEC
`9594:1998 edition.
`This Directory Specification uses the term fourth edition systems to refer to systems conforming to the fourth edition of
`the Directory Specifications, i.e., the 2001 editions of ITU-T Recs X.500, X.501, X.511, X.518, X.519, X.520, X.521,
`X.525, and X.530, the 2000 edition of ITU-T Rec. X.509, and parts 1-10 of the ISO/IEC 9594:2001 edition.
`This Directory Specification uses the term fifth edition systems to refer to systems conforming to the fifth edition of the
`Directory Specifications, i.e., the 2005 editions of the series of ITU-T X.500 Recommendations and the ISO/IEC
`9594:2005 edition.
`This Directory Specification uses the term sixth edition systems to refer to systems conforming to the sixth edition of the
`Directory Specifications, i.e., the 2008 editions of the series of ITU-T X.500 Recommendations and the ISO/IEC
`9594:2008 edition.
`
6 Overview of the Directory
`The Directory is a collection of open systems which cooperate to hold a logical database of information about a set of
`objects in the real world. The users of the Directory, including people and computer programs, can read or modify the
`information, or parts of it, subject to having permission to do so. Each user is represented in accessing the Directory by
`a Directory User Agent (DUA) or an LDAP client, each of which is considered to be an application-process. These
`concepts are illustrated in Figure 1.
NOTE – The Directory Specifications refer to the Directory in the singular, and reflect the intention to create, through a single,
unified, name space, one logical directory composed of many systems and serving many applications. Whether or not these
systems choose to interwork will depend on the needs of the applications they support. Applications dealing with
non-intersecting worlds of objects may have no such need. The single name space facilitates later interworking should the needs
change. For a variety of reasons, such as security, connectivity, or business decisions, it is likely that some portions of the
Directory may be unreachable from other portions of the Directory using third edition operations. This results in differing views
of the Directory. Such differing views may contain related entries about a given real world object. Such related entries may or
may not have the same distinguished name. Using fourth or subsequent edition systems, it is possible to perform operations
across multiple, differing views to provide an integrated response to the user. Specifically:
–   DMD administrators (see 9.2) may have a need to publish their own view (or views) of some specific real-world object; a
    real-world object may thus be modelled by multiple independent entries in the directory. This may happen whether or not
    they need to interwork. Interworking using DSP may also be unsupported.
–   Notwithstanding the last sentence of the Note, it is also possible that particular DMDs may choose to publish information
    about real-world objects within their own distinct directory name-spaces (i.e., in one of multiple DITs); in this case, it
    would be possible to have a specific real-world object modelled by entries in the same or different DIT namespaces, with
    the same or different distinguished names in each. Note that certain Directory facilities (e.g., the acquisition of certificates,
    and related functions based on digital signatures) cannot be implemented when distinct objects are permitted to share
    distinguished names.
–   The objective of related entries is to provide a means whereby users can access such entries, bringing the resulting
    information together, if possible. This would apply to the situation described by both of the preceding bullet points.
`
`4
`
`ITU-T Rec. X.500 (11/2008)
`
`Page 10 of 32
`
`
`
`ISO/IEC 9594-1:2008 (E)
`
`Figure 1 – Access to the Directory
`
`
`
`The information held in the Directory is collectively known as the Directory Information Base (DIB). Clause 7 gives an
`overview of its structure.
`The Directory provides a well-defined set of access capabilities, known as the abstract service of the Directory, to its
`users. This service, which is briefly described in clause 8, provides a simple modification and retrieval capability. This
`can be built on with local DUA functions to provide the capabilities required by the end-users.
`The Directory is distributed, both along functional and organizational lines. Clause 9 gives an overview of the
`corresponding models of the Directory. These have been developed in order to provide a framework for the cooperation
`of the various components to provide an integrated whole.
`The Directory exists in an environment where various administrative authorities control access to their portion of the
`information. Clause 10 gives an overview of access control.
When the Directory is distributed, it may be desirable to replicate information to improve performance and availability.
Clause 12 gives an overview of the Directory replication mechanism.
The provision and consumption of the Directory services requires that the users (actually the DUAs and/or LDAP
clients) and the various functional components of the Directory cooperate with one another. In many cases, this
will require cooperation between application processes in different open systems, which in turn requires standardized
application protocols, briefly described in clause 13, to govern this cooperation.
`The Directory has been designed so as to support multiple applications, drawn from a wide range of possibilities. The
`nature of the applications supported governs which objects are listed in the Directory, which users access the
`information, and which kinds of access they carry out. Applications may be very specific, such as the provision of
`distribution lists for electronic mail, or generic, such as the 'inter-personal communications directory' application. The
`Directory provides the opportunity to exploit commonness among the applications:
–   A single object may be relevant to more than one application: Perhaps even the same piece of
    information about the same object may be so relevant.
    To support this, a number of object classes and attribute types are defined, which are useful across a
    range of applications. These definitions are contained in ITU-T Rec. X.520 | ISO/IEC 9594-6 and
    ITU-T Rec. X.521 | ISO/IEC 9594-7.
–   Certain patterns of use of the Directory are common across a range of applications: Annex A gives an
    overview of this area.

7 The Directory Information Base (DIB)
`NOTE 1 – The DIB, and its structure, are defined in ITU-T Rec. X.501 | ISO/IEC 9594-2.
`The DIB is made up of information about objects. It is composed of (Directory) entries, each of which consists of a
`collection of information on one object. An entry may be an aggregate of member entries each holding information
`about a particular aspect of an object. Such an aggregate entry is called a compound entry. Each entry is made up of
`attributes, each with a type and one or more values. The types of attribute which are present in a particular entry are
`dependent on the class of object which the entry describes. Each value of an attribute may be tagged with one or more
`contexts that specify information about a value that can be used to determine the applicability of the value.
`The entries of the DIB are arranged in the form of a tree, the Directory Information Tree (DIT) where the vertices
`represent the entries. Entries higher in the tree (nearer the root) will often represent objects such as countries or
`organizations, while entries lower in the tree will represent people or application processes.
`
`
`
`
`
`
`NOTE 2 – The services defined in the Directory Specifications operate only on a tree-structured DIT. The Directory
`Specifications do not preclude the existence in the future of other structures (as the need arises).
`Every entry has a distinguished name, which uniquely and unambiguously identifies the entry. These properties of the
`distinguished name are derived from the tree structure of the information. The distinguished name of an entry is made
`up of the distinguished name of its superior entry, together with specially nominated attribute values (the distinguished
`values) from the entry.
`Some of the entries at the leaves of the tree are alias entries, while other entries are object entries and compound entries.
`Alias entries point to object entries, and provide the basis for alternative names for the corresponding objects.
`A compound entry is an entry representing a single object and it is an aggregate of member entries each representing a
`part of the information about the object.
The Directory enforces a set of rules to ensure that the DIB remains well-formed in the face of modifications over time.
These rules, known as the Directory schema, prevent entries having the wrong types of attributes for their object class,
attribute values being of the wrong form for their attribute type, and even entries having subordinate entries of the wrong
class.
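The tree structure, distinguished-name composition, alias entries and schema rules described in this clause, shown as a small runnable model. This is an added example, not code from the Recommendation or from any X.500 or LDAP implementation. The object classes, attribute types, syntax patterns and sample entries (including the {C=GB, L=Winslow, O=Graphic Services, CN=Laser Printer} name used as an example later in this clause) are constructed for illustration only; distinguished names are kept as root-first tuples of RDNs, matching the notation the Recommendation uses rather than the LDAP string form.

```python
import re
from dataclasses import dataclass

# Constructed schema: object class -> (mandatory attribute types,
# optional attribute types, object classes allowed as immediate subordinates)
SCHEMA = {
    "root":         (set(), set(), {"country"}),
    "country":      ({"C"}, set(), {"locality", "organization"}),
    "locality":     ({"L"}, set(), {"organization"}),
    "organization": ({"O"}, {"telephoneNumber"}, {"organizationalPerson", "device", "alias"}),
    "organizationalPerson": ({"CN"}, {"telephoneNumber"}, set()),
    "device":       ({"CN"}, {"serialNumber"}, set()),
    "alias":        ({"CN", "aliasedObjectName"}, set(), set()),
}
# Constructed attribute syntaxes: values of these types must match the pattern
SYNTAX = {"C": r"[A-Z]{2}", "telephoneNumber": r"\+?[0-9 ]+"}


class SchemaViolation(Exception):
    """Raised when an add would leave the DIB ill-formed."""


@dataclass
class Entry:
    object_class: str
    attrs: dict                 # attribute type -> list of values
    rdn: tuple                  # (attribute type, distinguished value)


def dn_string(dn):
    """Render a DN (root-first tuple of RDNs) in the Recommendation's notation."""
    return "{" + ", ".join(f"{t}={v}" for t, v in dn) + "}"


class Directory:
    def __init__(self):
        self._by_dn = {(): Entry("root", {}, ())}       # DN tuple -> Entry

    def add(self, superior_dn, entry):
        """Add entry under superior_dn; its DN is the superior's DN plus its own RDN."""
        superior_dn = tuple(superior_dn)
        self._check_schema(self._by_dn[superior_dn], entry)
        dn = superior_dn + (entry.rdn,)
        if dn in self._by_dn:   # same RDN under one superior would give two entries one DN
            raise SchemaViolation(f"entry {dn_string(dn)} already exists")
        self._by_dn[dn] = entry
        return dn

    def _check_schema(self, superior, entry):
        """The three schema rules of clause 7, plus the distinguished-value rule."""
        mandatory, optional, _ = SCHEMA[entry.object_class]
        present = set(entry.attrs)
        if not mandatory <= present:
            raise SchemaViolation(f"missing mandatory attributes {mandatory - present}")
        if not present <= mandatory | optional:
            raise SchemaViolation(f"attribute types not allowed for {entry.object_class}: "
                                  f"{present - mandatory - optional}")
        for atype, values in entry.attrs.items():
            pattern = SYNTAX.get(atype)
            if pattern and not all(re.fullmatch(pattern, v) for v in values):
                raise SchemaViolation(f"bad syntax for {atype}: {values}")
        if entry.object_class not in SCHEMA[superior.object_class][2]:
            raise SchemaViolation(f"{entry.object_class} may not be subordinate to "
                                  f"{superior.object_class}")
        atype, value = entry.rdn
        if value not in entry.attrs.get(atype, []):
            raise SchemaViolation("distinguished value is not a value of the entry")

    def read(self, dn, dereference_aliases=True, _hops=0):
        """Return (dn, entry); an alias entry is followed to the object entry it names."""
        dn = tuple(dn)
        entry = self._by_dn.get(dn)
        if entry is None:
            raise KeyError(dn_string(dn))
        if entry.object_class == "alias" and dereference_aliases:
            if _hops >= 8:      # bound alias chains so a loop cannot hang the server
                raise RuntimeError("alias dereference limit exceeded")
            return self.read(entry.attrs["aliasedObjectName"][0], True, _hops + 1)
        return dn, entry


def build_sample():
    """Constructed DIT holding the name used as an example in this clause."""
    d = Directory()
    gb = d.add((), Entry("country", {"C": ["GB"]}, ("C", "GB")))
    winslow = d.add(gb, Entry("locality", {"L": ["Winslow"]}, ("L", "Winslow")))
    gs = d.add(winslow, Entry("organization", {"O": ["Graphic Services"]}, ("O", "Graphic Services")))
    printer = d.add(gs, Entry("device", {"CN": ["Laser Printer"]}, ("CN", "Laser Printer")))
    # alias entry at a leaf, giving the printer an alternative name
    d.add(gs, Entry("alias", {"CN": ["Printer"], "aliasedObjectName": [printer]}, ("CN", "Printer")))
    return d


def violation(superior_dn, entry):
    """Attempt an add on a fresh sample DIT; return the schema error text, or None."""
    try:
        build_sample().add(superior_dn, entry)
    except SchemaViolation as e:
        return str(e)
    return None
```

Reading {C=GB, L=Winslow, O=Graphic Services, CN=Printer} with alias dereferencing returns the object entry and the DN {C=GB, L=Winslow, O=Graphic Services, CN=Laser Printer}; the same read with dereferencing off returns the alias entry itself. The duplicate check in add is what keeps distinguished names unique, which the note in clause 6 identifies as a precondition for certificate acquisition and other signature-based facilities, and the hop limit in read is the usual defence against an alias that points at another alias or at itself.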
`Figure 2 illustrates the above concepts of the DIT and its components.
`
`Figure 2 – Structure of the DIT and of entries
`
`
`
`Figure 3 gives a hypothetical example of a DIT. The tree provides examples of some of the types of attributes used to
`identify different objects. For example the name:
`{C=GB, L=Winslow, O=Graphic Services, CN=Laser Printer}
`identi