ISO/IEC 9594-4:2017

INTERNATIONAL ISO/IEC
STANDARD 9594-4
Eighth edition
2017-05
Information technology — Open
Systems Interconnection — The
Directory —
Part 4:
Procedures for distributed operation
Technologies de l’information — Interconnexion de systèmes ouverts
(OSI) — L’annuaire —
Partie 4: Procédures pour le fonctionnement réparti
Reference number
ISO/IEC 9594-4:2017(E)
©
ISO/IEC 2017

---------------------- Page: 1 ----------------------
ISO/IEC 9594-4:2017(E)

COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2017, Published in Switzerland
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Ch. de Blandonnet 8 • CP 401
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
copyright@iso.org
www.iso.org
ii © ISO/IEC 2017 – All rights reserved

---------------------- Page: 2 ----------------------
ISO/IEC 9594-4:2017(E)
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other
international organizations, governmental and non‐governmental, in liaison with ISO and IEC, also
take part in the work. In the field of information technology, ISO and IEC have established a joint
technical committee, ISO/IEC JTC 1.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for
the different types of document should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject
of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent
rights. Details of any patent rights identified during the development of the document will be in the
Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does
not constitute an endorsement.
For an explanation on the meaning of ISO specific terms and expressions related to conformity
assessment, as well as information about ISO's adherence to the World Trade Organization (WTO)
principles in the Technical Barriers to Trade (TBT) see the following
URL: www.iso.org/iso/foreword.html.
This eighth edition cancels and replaces the seventh edition (ISO/IEC 9594‐4:2014), which
has been technically revised.
This document was prepared by ISO/IEC JTC 1, Information technology, SC 6, Telecommunications
and information exchange between systems, in collaboration with ITU‐T. The identical text is
published as ITU‐T X.518 (10/2016).
A list of all parts in the ISO/IEC 9594 series, published under the general title Information technology
— Open Systems Interconnection — The Directory, can be found on the ISO website.
© ISO/IEC 2017 – All rights reserved ii-1

---------------------- Page: 3 ----------------------
CONTENTS
Page
SECTION 1 – GENERAL . 1
1 Scope . 1
2 References . 1
2.1 Normative references . 1
2.2 Non-normative reference . 2
3 Definitions . 2
3.1 Basic Directory definitions . 2
3.2 Directory model definitions . 2
3.3 DSA information model definitions . 2
3.4 Abstract service definitions . 3
3.5 Protocol definitions . 3
3.6 Directory replication definitions . 3
3.7 Distributed operation definitions . 3
4 Abbreviations . 5
5 Conventions . 5
SECTION 2 – OVERVIEW . 7
6 Overview . 7
SECTION 3 – DISTRIBUTED DIRECTORY MODELS . 8
7 Distributed Directory system model . 8
8 DSA interactions model . 9
8.1 Decomposition of a request . 9
8.2 Uni-chaining . 9
8.3 Multi-chaining . 10
8.4 Referral . 11
8.5 Mode determination . 12
SECTION 4 – DSA ABSTRACT SERVICE . 13
9 Overview of DSA abstract service . 13
10 Information types . 13
10.1 Introduction . 13
10.2 Information types defined elsewhere . 13
10.3 Chaining arguments . 14
10.4 Chaining results . 17
10.5 Operation progress . 17
10.6 Trace information . 18
10.7 Reference type . 18
10.8 Access point information . 18
10.9 DIT bridge knowledge . 19
10.10 Exclusions . 20
10.11 Continuation reference . 20
11 Bind and Unbind . 21
11.1 DSA Bind . 21
11.2 DSA Unbind . 22
12 Chained operations . 22
12.1 Chained operations . 23
12.2 Chained Abandon operation . 23
12.3 Chained operations and protocol version . 24
13 Chained errors . 24
13.1 Introduction . 24
13.2 DSA referral . 24
SECTION 5 – DISTRIBUTED PROCEDURES. 25
  Rec. ITU-T X.518 (10/2016) iii

---------------------- Page: 4 ----------------------
Page
14 Introduction . 25
14.1 Scope and limits . 25
14.2 Conformance . 25
14.3 Conceptual model . 25
14.4 Individual and cooperative operation of DSAs . 25
14.5 Cooperative agreements between DSAs . 26
15 Distributed Directory behaviour . 26
15.1 Cooperative fulfilment of operations . 26
15.2 Phases of operation processing. 26
15.3 Managing Distributed Operations . 27
15.4 Loop handling . 28
15.5 Other considerations for distributed operation . 29
15.6 Authentication of Distributed operations . 30
16 The Operation Dispatcher . 31
16.1 General concepts . 31
16.2 Procedures of the Operation Dispatcher . 36
16.3 Overview of procedures . 37
17 Request Validation procedure . 38
17.1 Introduction . 38
17.2 Procedure parameters . 39
17.3 Procedure definition . 40
18 Name Resolution procedure . 42
18.1 Introduction . 42
18.2 Find DSE procedure parameters . 43
18.3 Procedures . 44
19 Operation evaluation . 53
19.1 Modification procedures . 54
19.2 Single entry interrogation procedure . 61
19.3 Multiple entry interrogation procedure . 61
20 Continuation Reference procedures . 75
20.1 Chaining strategy in the presence of shadowing . 75
20.2 Issuing chained subrequests to a remote DSA or LDAP server . 77
20.3 Procedures' parameters . 77
20.4 Definition of the procedures . 78
20.5 Abandon procedures . 87
20.6 DAP request to LDAP request procedure . 89
20.7 LDAP result to DAP reply procedure . 93
21 Results Merging procedure . 95
22 Procedures for distributed authentication . 97
22.1 Requester authentication . 98
22.2 Results authentication . 98
SECTION 6 – KNOWLEDGE ADMINISTRATION . 99
23 Knowledge administration overview . 99
23.1 Maintenance of knowledge references . 99
23.2 Requesting cross reference . 100
23.3 Knowledge inconsistencies . 101
24 Hierarchical operational bindings . 102
24.1 Operational binding type characteristics . 102
24.2 Operational binding information object Class definition . 104
24.3 DSA procedures for hierarchical operational binding management . 105
24.4 Procedures for operations . 108
24.5 Use of application contexts . 109
iv Rec. ITU-T X.518 (10/2016)

---------------------- Page: 5 ----------------------
Page
25 Non-specific hierarchical operational binding . 109
25.1 Operational binding type characteristics . 109
25.2 Operational binding information object class definition . 110
25.3 DSA procedures for non-specific hierarchical operational binding management . 110
25.4 Procedures for operations . 112
25.5 Use of application contexts . 112
Annex A – ASN.1 for Distributed Operations . 113
Annex B – Specification of hierarchical and non-specific hierarchical operational binding types. 117
Annex C – Example of distributed name resolution . 119
Annex D – Distributed use of authentication . 121
D.1 Summary . 121
D.2 Distributed protection model . 121
D.3 Signed chained operations . 121
Annex E – Knowledge maintenance example . 123
Annex F – Amendments and corrigenda . 126

  Rec. ITU-T X.518 (10/2016) v

---------------------- Page: 6 ----------------------
Introduction
This Recommendation | International Standard, together with other Recommendations | International Standards, have
been produced to facilitate the interconnection of information processing systems to provide directory services. A set of
such systems, together with the directory information that they hold, can be viewed as an integrated whole, called the
Directory. The information held by the Directory, collectively known as the Directory information base (DIB), is typically
used to facilitate communication between, with or about objects such as application entities, people, terminals and
distribution lists.
The Directory plays a significant role in Open Systems Interconnection, whose aim is to allow, with a minimum of
technical agreement outside of the interconnection standards themselves, the interconnection of information processing
systems:
– from different manufacturers;
– under different managements;
– of different levels of complexity; and
– of different ages.
This Recommendation | International Standard specifies the procedures by which the distributed components of the
Directory interwork in order to provide a consistent service to its users.
This Recommendation | International Standard provides the foundation frameworks upon which industry profiles can be
defined by other standards groups and industry forums. Many of the features defined as optional in these frameworks may
be mandated for use in certain environments through profiles. This eighth edition technically revises and enhances the
seventh edition of this Recommendation | International Standard.
This eighth edition specifies versions 1 and 2 of the Directory protocols.
The first and second editions specified only version 1. Most of the services and protocols specified in this edition are
designed to function under version 1. However, some enhanced services and protocols, e.g., signed errors, will not
function unless all Directory entities involved in the operation have negotiated version 2. Whichever version has been
negotiated, differences between the services and between the protocols defined in the eight editions, except for those
specifically assigned to version 2, are accommodated using the rules of extensibility defined in Rec. ITU-T X.519 |
ISO/IEC 9594-5.
Annex A, which is an integral part of this Recommendation | International Standard, provides the ASN.1 module for
directory distributed operations.
Annex B, which is an integral part of this Recommendation | International Standard, provides the ASN.1 module providing
definitions for hierarchical operational bindings.
Annex C, which is not an integral part of this Recommendation | International Standard, describes an example of
distributed name resolution.
Annex D, which is not an integral part of this Recommendation | International Standard, describes authentication in the
distributed operations environment.
Annex E, which is not an integral part of this Recommendation | International Standard, illustrates knowledge
maintenance.
Annex F, which is not an integral part of this Recommendation | International Standard, lists the amendments and defect
reports that have been incorporated to form this edition of this Recommendation | International Standard.
vi Rec. ITU-T X.518 (10/2016)

---------------------- Page: 7 ----------------------
ISO/IEC 9594-4:2017 (E)
INTERNATIONAL STANDARD
RECOMMENDATION ITU-T
Information technology – Open Systems Interconnection – The Directory: Procedures for
distributed operation
SECTION 1 – GENERAL
1 Scope
This Recommendation | International Standard specifies the behaviour of DSAs taking part in a distributed directory
consisting of multiple Directory systems agents (DSAs) and/or LDAP servers with at least one DSA. The allowed
behaviour has been designed to ensure a consistent service given a wide distribution of the DIB across a distributed
directory. Only the behaviour of DSAs taking part in a distributed directory is specified. The behaviour of LDAP servers
are specified in relevant LDAP specifications. There are no special requirements on an LDAP server beyond those given
by the LDAP specifications.
The Directory is not intended to be a general purpose database system, although it may be built on such systems. It is
assumed that there is a considerably higher frequency of queries than of updates.
2 References
2.1 Normative references
The following Recommendations and International Standards contain provisions which, through reference in this text,
constitute provisions of this Recommendation | International Standard. At the time of publication, the editions indicated
were valid. All Recommendations and Standards are subject to revision, and parties to agreements based on this
Recommendation | International Standard are encouraged to investigate the possibility of applying the most recent edition
of the Recommendations and Standards listed below. Members of IEC and ISO maintain registers of currently valid
International Standards. The Telecommunication Standardization Bureau of the ITU maintains a list of currently valid
ITU-T Recommendations.
2.1.1 Identical Recommendations | International Standards
– Recommendation ITU-T X.500 (2016 | ISO/IEC 9594-1:2017, Information technology – Open Systems
Interconnection – The Directory: Overview of concepts, models and services.
– Recommendation ITU-T X.501 (2016) | ISO/IEC 9594-2:2017, Information technology – Open Systems
Interconnection – The Directory: Models.
– Recommendation ITU-T X.509 (2016) | ISO/IEC 9594-8:2017, Information technology – Open Systems
Interconnection – The Directory: Public-key and attribute certificate frameworks.
– Recommendation ITU-T X.511 (2016) | ISO/IEC 9594-3:2017, Information technology – Open Systems
Interconnection – The Directory: Abstract service definition.
– Recommendation ITU-T X.519 (2016) | ISO/IEC 9594-5:2017, Information technology – Open Systems
Interconnection – The Directory: Protocol specifications.
– Recommendation ITU-T X.520 (2016) | ISO/IEC 9594-6:2017, Information technology – Open Systems
Interconnection – The Directory: Selected attribute types.
– Recommendation ITU-T X.521 (2016) | ISO/IEC 9594-7:2017, Information technology – Open Systems
Interconnection – The Directory: Selected object classes.
– Recommendation ITU-T X.525 (2016) | ISO/IEC 9594-9:2017, Information technology – Open Systems
Interconnection – The Directory: Replication.
– Recommendation ITU-T X.680 (2015) | ISO/IEC 8824-1:2015, Information technology – Abstract Syntax
Notation One (ASN.1): Specification of basic notation.
2.1.2 Other references
– Recommendation ITU-T X.681 (2015) | ISO/IEC 8824-2:2015, Information technology – Abstract Syntax
Notation One (ASN.1): Information object specification.
  Rec. ITU-T X.518 (10/2016) 1

---------------------- Page: 8 ----------------------
ISO/IEC 9594-4:2017 (E)
– Recommendation ITU-T X.682 (2015) | ISO/IEC 8824-3:2015, Information technology – Abstract Syntax
Notation One (ASN.1): Constraint specification.
– Recommendation ITU-T X.683 (2015) | ISO/IEC 8824-4:2015, Information technology – Abstract Syntax
Notation One (ASN.1): Parameterization of ASN.1 specifications.
– IETF RFC 4511 (2006), Lightweight Directory Access Protocol (LDAP): The Protocol.
– IETF RFC 4514 (2006), Lightweight Directory Access Protocol (LDAP): String Representation of
Distinguished Names.
2.2 Non-normative reference
– IETF RFC 4510 (2006), Lightweight Directory Access Protocol (LDAP): Technical Specification Road
Map.
3 Definitions
For the purposes of this Recommendation | International Standard, the following definitions apply:
3.1 Basic Directory definitions
The following terms are defined in Rec. ITU-T X.500 | ISO/IEC 9594-1:
a) (the) Directory;
b) Directory Information Base.
3.2 Directory model definitions
The following terms are defined in Rec. ITU-T X.501 | ISO/IEC 9594-2:
a) access point;
b) alias;
...