ISO/IEC 9594-4:1990

I NTER NATIONAL ISO/IEC
STANDARD
First edition
1990-1 2-1 5
Information technology - Open Systems
Interconnection - The Directory -
Part 4:
Procedures for distributed operation
Technologies de l'information - Interconnexion de systèmes ouverts - L'annuaire -
Partie 4: Procédures pour le fonctionnement réparti
Reference number
IÇO/IEC 9594-4 : 1990 (E)
ISO/IEC 9594-4 : 1990(E)
Contents
Page
Foreword . v
Introduction . vi
SECTION i : GENERAL 1
1 Scope . 1 0
2 Normative references . 1
3 Definitions . 1
OS1 Reference Model Definitions . 1
3.1
Basic Directory Definitions . 1
3.2
3.3 Directory Model Definitions . 2
3.4 Abstract Service Definition Conventions . 2
Distributed Operation Definitions . 2
3.5
4 Abbreviations . 3
5 Notation . 3
SECTION 2: OVERVIEW 3
6 Overview . 3
SECTION 3: DISTRIBUTED DIRECTORY MODELS
7 Distributed Directory System Model . 3
8 DSA Interactions Model . 4
8.1 Chaining . 4
8.2 Multi-casting . 5
8.3 Referral . 5
8.4 Mode Determination . 6
9 Directory Distribution . 6
O ISO/IEC 1990
All rights reserved . No part of this publication may be reproduced or utilized in any form or by
any means. electronic or mechanical. including photocopying and microfilm. without permission
the publisher .
in writing from
ISO/IEC Copyright Office 0 Case postale 56 CH-121 1 Genève 20 Switzerland
Printed in Switzerland
ISO/IEC 9594-4 : 1990(E)
10 Knowledge . 7
Minimal Knowledge References . 8
10.1
10.2 Root Context . 8
10.3 Knowledge References . 8
10.4 Knowledge Administration . 9
SECTION 4: DSA ABSTRACT SERVICE 10
11 Overview of DSA Abstract Service . 10
12 Information Types . 11
12.1 Introduction . 11
............................................................. 11
12.2 Information Types Defined Elsewhere
12.3 Chaining Arguments . 11
12.4 Chaining Results . 12
12.5 Operation Progress . 12
12.6 Trace Information . 13
.................................................................................................. 13
12.7 Reference Type
12.8 Access Point . 13
.................................................................................... 13
12.9 Continuation Reference
13 Abstract-bind and Abstract-unbind . 14
13.1 DSABind . 14
13.2 DSA Unbind . 14
14 Chained Abstract-operations . 14
15 Chained Abstract-errors . 15
15.1 Introduction . 15
15.2 DSAReferral . 15
SECTION 5: DISTRIBUTED OPERATIONS PROCEDURES 16
16 Introduction . 16
.............................................................................................. 16
16.1 Scope and Limits
16.2 Conceptual Model . 16
Individual and Cooperative Operation of DSAs . 16
16.3
Distributed Directory Behavior . 16
17.1 Cooperative Fulfillment of Operations . 16
Phases of Operation Processing . 16
17.2
Managing Distributed Operations . 17
17.3
17.4 Other Considerations for Distributed Operation . 18
Authentication of Distributed Operations. . 19
17.5
18 DSA Behavior . 19
18.1 Introduction . 19
iii
ISO/EC 9594-4 : 1990(E)
18.2 Overview of the DSA Behavior . 19
18.3 Specific Operations . 21
18.4 Operation Dispatcher . 22
1 8.5 Looping . 24
18.6 Name Resolution Procedure . 25
18.7 Object Evaluation Procedures . 30
18.8 Result Merging Procedure . 33
18.9 Procedures for Distributed Authentication . 33
Annex A - ASN.1 for Distributed Operations . 35
Annex B - Modelling of Knowledge . 39
Annex C - Distributed Use of Authentication . 43
Annex D - Distributed Directory Object Identifiers . 46
iv
SO/IEC 9594-4 : 199O(E)
Foreword
IS0 (the International Organization for Standardization) and IEC (the International
Electrotechnical Commission) form the specialized system for worldwide standardiz-
ation. National bodies that are members of IS0 or IEC participate in the development
of International Standards through technical committees established by the respective
organization to deal with particular fields of technical activity. IS0 and IEC technical
committees collaborate in fields of mutual interest. Other international organizations,
governmental and non-governmental, in liaison with IS0 and IEC, also take part in the
work.
In the field of information technology, IS0 and IEC have established a joint technical
committee, ISO/IEC JTC 1. Draft International Standards adopted by the joint
technical committee are circulated to national bodies for voting. Publication as an
International Standard requires approval by at least 75 'To of the national bodies casting
a vote.
International Standard ISO/IEC 9594-4 was prepared by Joint Technical Committee
ISOAEC JTC 1, Information technology.
ISOAEC 9594 consists of the following parts, under the general title Information
technology - Open Systems Interconnection - The Directory :
- Part I: Overview of concepts, models and services
- Part 2: Models
- Part 3: Abstract service definition
- Part 4: Procedures for distributed operation
- Part 5: Protocol specifications
- Part 6: Selected attribute types
- Part 7: Selected object classes
- Part 8: Authentication framework
Annexes A and D form an integral part of this part of ISOAEC 9594. Annexes B
and C are for information only.
V
Introduction
0.1 This part of ISO/IEC 9594, together with the other parts, has been produced to facilitate the interconnection of
information processing systems to provide directory services. The set of all such systems, together with the directory
information which they hold, can be viewed as an integrated whole, called the Directory. The information held by the
Directory, collectively known as the Directory Information Base (DIB), is typically used to facilitate communication between,
with or about objects such as OS1 application entities, people, terminals and distribution lists.
0.2 The Directory plays a significant role in Open Systems Interconnection, whose aim is to allow, with a minimum of a
technical agreement outside of the interconnection standards themselves, the interconnection of information processing
systems:
from different manufacturers;
under different managements;
of different levels of complexity: and
of different ages.
0.3 This part of ISO/iEC 9594 specifies the procedures by which the distributed components of the Directory interwork in
order to provide a consistent service to its users.

INTERNATIONAL STANDARD
ISO/IEC 9594-4 : 1990 (E)
Information technology - Open Systems Interconnection -
The Directory -
Part 4:
Procedures for distributed operation
SECTION 1: GENERAL
1 Scope ISOAEC 9594-5: 1990, Information Technology - Open
Systems Interconnection - The
1.1 This Part of ISO/IEC 9594 specifies the behavior of
Directory - Part 5: Protocol
DSAs taking part in the distributed Directory application.
Specifications.
The allowed behavior has been designed so as to ensure a
consistent service given a wide distribution of the DIB
ISO/IEC 9594-6: 1990, Information Technology - Open
across many DSAs.
Systems Interconnection - The
Directory - Part 6: Selected At-
1.2 The Directory is not intended to be a general purpose
tribute Types.
database system, although it may be built on such systems.
It is assumed that there is a considerably higher frequency
ISO/IEC 9594-7: 1990, Information Technology - Open
of queries than of updates.
Systems Interconnection - The
Directory - Part 7: Selected Object
Classes.
2 Normative references
ISO/IEC 9594-8: 1990, Information Technology - Open
The following standards contain provisions which, through
Systems Interconnection - The
reference in this text, constitute provisions of this part of
Directory - Part 8: Authentication
ISO/IEC 9594. At the time of publication, the editions
Framework.
indicated were valid. All standards are subject to revision,
and parties to agreements based on this part of ISO/IEC
ISOAEC 10021-3: 1990, Information Technology - Text
9594 are encouraged to investigate the possibility of
Communication - Message
applying the most recent editions of the standards listed
Oriented Text Interchange System
below. Members of IEC and IS0 maintain registers of
('OTIS) - Part 3: Abstract Service
currently valid International Standards.
Definition Conventions.
IS0 7498: 1984, Information Processing Systems -
Open Systems Interconnection -
Basic Reference Model.
3 Definitions
ISO/IEC 8824: 1990, Information Technology -Open
Systems Interconnection -
The definitions contained in this clause make use of the
Specification of Abstract Syntax
abbreviations defined in clause 4.
Notation One (ASN.1).
3.1 OS1 Reference Model Definitions
ISO/IEC 9594-1 : 1990, Information Technology - Open
Systems Interconnection - The
This part of the International Standard makes use of the
Directory - Part I: Overview of
following terms defined in IS0 7498:
Concepts, Models and Services.
a) application entity title;
ISO/IEC 9594-2: 1990, In formation Technology - Open
Systems Interconnection - The
3.2 Basic Directory Definitions
Directory - Part 2: Models.
This part of ISO/IEC 9594 makes use of the following
terms defined in ISO/IEC 9594-1 :
ISO/IEC 9594-3: 1990, Information Technology - Open
Systems Interconnection - The
a) (the) Directory;
Directory - Part 3: Abstract Ser-
b) Directory Information Base ;
vice Definition.
ISO/IEC 9594-4 : 1990(E)
3.5.8 knowledge reference: Knowledge which associates,
3.3 Directory Model Definitions
either directly or indirectly, a DIT entry with the DSA in
This part of ISO/IEC 9594 makes use of the following which it is located.
terms defined in ISO/IEC 9594-2:
3.5.9 knowledge tree: The conceptual model of the
a) access point;
knowledge information that a DSA holds to enable it to per-
b) alias;
form distributed name resolution.
c) distinguished name;
3.5.10 multicasting. A mode of interaction which may
d) Directory Information Tree ;
optionally be used by a DSA which cannot perform an
operation itself. The DSA multicasts the operation, i.e.,
e) Directory System Agent;
invokes the same operation of several other DSAs (in
f) Directory User Agent;
series or in parallel) and passes an appropriate outcome to
the original requestor.
g) relative distinguished name;
3.5.11 name resolution : The process of locating an entry
3.4 Abstract Service Definition Conventions
by sequentially matching each RDN in a purported name
to a vertex of the DIT.
This part of ISODEC9594 makes use of the following
terms defined in ISO/IEC 1002 1 - 1 :
3.5.12 naming context : A partial sub tree of the DIT
a) abstract error :
which starts at a vertex and extends downwards to leaf
and/or non-leaf vertices. Such vertices constitute the
b) abstract operation;
border of the naming context. Subordinates of non-leaf
c) result;
vertices belonging to the border denote the start of further
naming contexts.
3.5 Distributed Operation Definitions
For the purpose of this part of ISODEC 9594 the following
3.513 non-specific subordinate reference : A knowledge
definitions apply:
reference that holds information about the DSA that holds
one or more unspecified subordinate entries.
3.5.1 chaining : A mode of interaction optionally used
by a DSA which cannot perform an operation itself. The
3.5.14 operation progress: A set of values which denotes
DSA chains by invoking an operation of another DSA and
the extent to which name resolution has taken place.
then relaying the outcome to the original requestor.
3.5.15 reference path: A continues sequence of
3.5.2 context prefix : The sequence of RDNs leading
knowledge references.
from the Root of the DIT to the initial vertex of a naming
context, corresponds to the distinguished name of that
3.5.16 referral: An outcome which can be returned by a
vertex.
DSA which cannot perform an operation itself, and which
identifies one or more other DSAs more able to perform the
operation.
3.5.3 cross reference : A knowledge reference
O
containing information about the DSA that holds an entry.
This is used for optimization. The entry need have no
3.5.17 request decomposition : Decomposition of a request
superior or subordinate relationship,
into subrequests each accomplishing a part of the distributed
operation.
DIB fragment : The portion of the DIB that is held
3.5.4
by one DSA, comprising one or more naming contexts.
3.5.18 root context: The naming context for the vertex
whose name comprises the empty sequence of RDNs.
3.5.5 distributed name resolution : The process by which
name resolution is performed in more than one DSA.
3.5.19 subordinate reference: A knowiedge reference
containing information about the DSA that holds a specific
3.5.6 internal reference : A knowledge reference
subordinate entry.
containing an internal pointer to an entry held in the same
DSA.
3.5.20 subrequest: A request generated by request
decomposition.
3.5.7 knowledge information : the information which a
particular DSA has about the entries it holds and how to
3.5.21 superior reference: A knowledge reference
locate other entries in the directory.
containing information about the DSA that holds a
superior entry.
ISO/IEC 9594-4 : 1990(E)
RDN Relative Distinguished Name
4 Abbreviations
5 Notation
The following abbreviations are used in this part of
ISO/IEC 9594:
The notation used in this clause is defined as follows:
the data syntax notation, encoding and macro
a)
DIB Directory Information Base
notation are defined in ISO/IEC 8824;
DIT Directon, Information Tree
DSA Directory System Agent b) the notations for abstract models and abstract services
are defined in ISO/IEC 10021-3.
DUA Directory User Agent
SECTION 2: OVERVIEW
For the limiting case where the DIB is contained within a
single DSA, the Directory is in fact centralized; for the
0 6 Overview
case where the DIB is distributed over two or more DSAs,
knowledge and navigation mechanisms are specified
The Directory Abstract Service allows the interrogation,
which ensure that the whole of the DIB is potentially
retrieval and modification of Directory information in the
accessible from all DSAs that hold constituent entries.
DIB. This service is described in terms of the abstract
Directory object as specified in ISO/IEC 9594-3.
Additionally, request handling interactions are specified
that enable particular operational characteristics of the
Necessarily, the specification of the abstract Directory
Directory to be controlled by its users. In particular, the
object does not in any way address the physical realization
user has control over whether a DSA, responding to a
of the Directory: in particular it does not address the
directory enquiry pertaining to information held in other
specification of Directory System Agents (DSA) within
DSA(s), has the option of interrogating the other DSA(s)
which the DIB is stored and managed, and through which
directly (chaining/multicasting) or, whether it should
the service is provided. Furthermore, it does not consider
respond with information about other DSA(s) which could
whether the DIB is centralized, i.e., contained within a
further progress the enquiry (referral).
single DSA, or distributed over a number of DSAs.
Consequently, the requirements for DSAs to have
knowledge of, navigate to, and cooperate with other DSAs, Generally, the decision by a DSA to chain/multicast or
in order to support the abstract service in a distributed refer is determined by the service controls set by the user,
environment is also not covered by the service description. and by the DSA's own administrative, operational, or
technical circumstances.
This part of ISO/IEC 9594 specifies the refinement of the
0 abstract Directory object, the refinement being expressed
Recognizing that, in general, the Directory will be
in terms of a set of one or more DSA objects which
distributed, that directory enquiries will be satisfied by an
collectively constitute the distributed directory service.
arbitrary number of cooperating DSAs which may
Inherent in this is the identification and specification of the
arbitrarily chain/multicast or refer according to the above
DSA ports that are internal to the Directory object. For
criteria, this part of ISO/IEC 9594 specifies the appropriate
each such port, this part specifies, the associated abstract
procedures to be effected by DSAs in responding to
service, and its procedures.
distributed directory enquiries, These procedures will
ensure that users of the distributed Directory service
In addition this part specifies the permissible ways in perceive it to be both user-friendly and consistent.
which the DIB may be distributed over one or more DSAs.
SECTION 3: DISTRIBUTED DIRECTORY MODELS
provides a set of directory services to its users. The
services of the directory are modelled in terms of ports,
7 Distributed Directory System
where each port provides a particular set of directory
Model
services. Users of the directory access its services through
an access point. The directory may have one or more
The Directory abstract service as defined in
access points and each access point is characterized by the
ISO/IEC 9594-3 models the directory as an object which
ISO/IEC 9594-4 : 1990(E)
services it provides and the mode of interaction used to In addition to the service-ports of the DSA object which
provide these services. accommodate access to the Directory object, a second set
of ports are defined, the chained-service-ports. These
permit inter-DSA communication in order that the
This clause addresses the internal structure of the directory
Directory abstract service can be realized in a distributed
object, identifying its constituent objects and their ports,
environment.
and thereby facilitates the specification of a distributed
directory service.
The chained-service-ports and the operations provided
through them are in direct correspondence to the similarly
Figure 1 illustrates the distributed directory model which
named service-ports, and are, respectively, ChaineciRead,
will be used as the basis for specifying the distributed
chainedsearch, and chainedModify .
aspects of the directory. It illustrates the directory object as
comprising a set of one or more DSA objects.
The process of specifying the constituent objects of a more
abstract object is termed "refinement". The specification of
pZqq---., The Directory
the refinement of the Directory object into its component
parts (the DSAs), and the specification of the abstract
service provided by each of them (the DSA Abstract
Service) is contained in Section Four of this part of
ISO/IEC 9594. (The protocol specification of the
corresponding OS1 application service elements, as derived
from the distributed port definitions, can be found in
ISO/IEC 9594-5).
I
I I
8 DSA Interactions Model
A basic characteristic of the Directory is that, given a
L I
distributed DIB, a user should potentially be able to have
~~ ~
any service request satisfied (subject to security, access
Figure 1 -Objects of the Distributed Directory Model
control and administrator policies) irrespective of the
access point at which the request originates. In
accommodating this requirement it is necessary that any
DSA objects are specified in detail in the subsequent
DSA involved in satisfying a particular service request
clauses of this part of ISODEC 9594. This clause merely
have some knowledge (as specified in clause 10 of this
states a number of their characteristics in order to serve as
part of ISODEC 9594) of where the requested information
an introduction and to establish the relationship between
is located and either return this knowledge to the requestor
this part and other parts of ISO/iEC 9594.
or attempt to have the request satisfied on its behalf. (The
requestor may either be a DUA or another DSA: in the
DSA objects are defined in order that distribution of the
latter case both DSAs shall have a chained-service-port).
DIB can be accommodated and that a number of physically
distributed DSAs can interact in a prescribed, cooperative
Three modes of DSA interaction are defined to meet these
manner to provide directory services to the users of the
requirements, namely "chaining", "multicasting", and
directory (DUAs).
"referral". "Chaining" and "mu1ticasting"are defined to
meet the latter of the above requirements whilst referrals
DSA objects, like the Directory object, are characterized
address the former.
by their externally visible ports. The ports associated with
a DSA object are of two types: service-ports and chained-
service-ports.
8.1 Chaining
This mode of interaction (depicted in figure 2) may be
The service-ports of a DSA object are identical to those of
used by one DSA, to pass on a request to another DSA
the Directory object, namely, read, search, and modify.
when the former has knowledge about naming contexts
Figure 1 illustrates that the service-ports associated with a
held by the latter. Chaining may be used to contact a single
DSA object constitute an access-point through which
DSA pointed to in a cross reference, a subordinate
directory services are made available.
reference, or a superior reference. Multicasting is a form of
chaining, described in 8.2.
The detailed specification of the read, search, and modify
service-ports of the DSA object can be found in
ISO/IEC 9594-3. (The protocol specification for the
corresponding OS1 application service elements, as derived
from these port definitions, can be found in ISO/IEC 9594-
5).
ISO/IEC 9594-4 : 1990(E)
Figure 3a - Multicasting mode (parallel)
Figure 2 - Chaining mode
Note - In figure 2, the order of interactions is defined by the
with the interaction lines.
numbers associated
8.2 Multi-casting
This mode of interaction (depicted in figures 3a and 3b)
may be used by a DSA, to chain an identical request in
* unable to
parallel (figure 3a) or sequential (figure 3b) to one or more
proceed
other DSAs, when the former does not know the complete
% DSA
naming contexts held by the other DSAs. Multi-casting is
only used by a DSA to contact other DSAs pointed to in a
non-specific subordinate reference. Each of the DSAs is
passed the identical request. Normally, during name
resolution, only one of the DSAs will be able to continue
processing the request, all of the others returning the
unable to proceed Service Error. However, during the
evaluation phase of Search and List operations, all the
DSAs in a non-specific subordinate reference should be
able to continue processing the request.
Figure 3b - Multicasting mode (sequential)
-
Note - In figures 3a and 3b the order of interactions is defined
by the numbers associated with the interaction lines.
8.3 Referral
A referral (depicted in figures 4a and 4b) is returned by a
DSA in its response to a request which it had been
requested to perform, either by a DUA, or by another DSA
(in which case both DSAs shall have a chained-service-
port). The referral may constitute the whole response (in
which case it is categorized as an error) or just part of the
response. The referral contains a knowledge reference,
which may be either a superior, subordinate, cross or non-
specific subordinate reference.
The DSA (figure 4a) receiving the referral may use the
knowledge reference contained therein, to subsequently
chain or multi-cast (depending upon the type of reference)
the original request to other DSAs. Alternatively, a DSA
receiving a referral, may in turn pass the referral back in its
response. A DUA (figure 4b) receiving a referral may use
it to contact one or more other DSAs to progress the
request.
ISO/IEC 9594-4 : 1990(E)
9 Directory Distribution
This clause defines the principles according to which the
DIB can be distributed.
0 referral to B
Each entry within the DIB is administered by one, and
O referral to C
only one, DSAs Administrator who is said to have
administrative authority for that entry. Maintenance and
management of an entry shall take place in a DSA
administered by the administrative authority for the entry.
%
Request Response
Although the Directory does not provide any support for
the replication of entries, it is nevertheless possible to
realize replication in two ways.
Q
Copies of an entry may be stored in other DSA(s)
through bilateral agreement. The means by which
Figure 4a - Referral mode
these copies are maintained and managed is a
(DSA with chained-service-port)
function of the bilateral agreement and is not
defined in this part of ISO/IEC 9594.
Copies of an entry may be acquired by storing
(locally and dynamically) a copy of an entry which
results from a request.
Note - The acquisition of cache entries is subject to access
control.
The originator of the request is informed (via fromEntry)
O referral to
as to whether information returned in response to a request
is from a replicated entry or not. A service control,
dontUseCopy , is defined which allows the user to prohibit
the use of replicated entries.
Figure 4b - Referral mode
(DUA requests - DSAs with no chained ports)
Each DSA within the Directory holds a fragment of the
DIB. The DIB fragment held by a DSA is described in
Note - In figures 4a and 4b, the order of interactions is defined
terms of the DIT and comprises one or more naming
by the numbers associated with the interaction lines.
contexts. A naming context is a partial subtree of the DIT
defined as starting at a vertex and extending downwards to
8.4 Mode Determination leaf and/or non-leaf vertices. Such vertices constitute the
border of the naming context. Subordinates of the non-leaf
If a DSA cannot itself fully resolve a request, it shall
vertices belonging to the border denote the start of further
chain/multicast the request (or a request formed by
naming contexts.
decomposing the original one), to another DSA, unless:
chaining is prohibited by the user via the service
It is possible for a DSA's administrator to have
a)
controls, in which case the DSA shall return a
administrative authority for several disjoint naming
referral or a chaining Required ServiceError (at its
contexts. For every naming context for which a DSA has
choice), or administrative authority, it shall logically hold the
sequence of RDNs which lead from the root of the DIT to
b) the DSA has administrative, operational, or
the initial vertex of the subtree comprising the naming
technical reasons for preferring not to chain, in
context. This sequence of RDNs is called the context
which case the DSA shall return a referral.
prefix.
Notes
A DSA's administrator may delegate administrative
1 A "technical reason" for not chaining/multicasting is that
authority for any immediate subordinates of any entry held
the DSA identified in the knowledge reference has no chained-
locally to another DSA. A DSA that delegated authority is
service-ports.
called a superior DSA and the context that holds the
2 If the localScope service control is set, then the DSA (or
superior entry of one for which the administrative
DMD) shall either resolve the request or return an error.
authority was delegated, is called the superior naming
3 If the user prefers referrals, the user should set
context. Delegation of administrative authority begins with
chainingprohibited.
ISO/IEC 9594-4 1990(E)
the root and proceeds downwards in the DIT; that is, it can Whilst the logical to physical mapping of the DIT onto
only occur from an entry to its subordinates. DSAs is potentially arbitrary, the task of information
location and management is simplified if the DSAs are
I
Figure 5 illustrates a hypothetical DIT logically partitioned configured to hold a small number of naming contexts.
into five naming contexts (named A, B, C, D and E),
which are physically distributed over three DSAs (DSAl, In order for a DUA to begin processing a request it shall
DSA2, and DSA3). hold some information, specifically the presentation
address, about at least one DSA that it can contact initially.
How it acquires and holds this information is a local
From the example it can be seen that the naming contexts
matter.
held by particular DSAs may be configured so as to meet a
wide range of operational requirements. Certain DSAs
,
may be configured to hold those entries that represent
During the process of modification of entries it is possible
I
higher level naming domains within some logical part(s) of that the directory may become inconsistent. This will be
I
the DIB, the organizational structure of a large company
particularly likely if modification involves aliases or
say, but not necessarily all the subordinate entries. aliased objects which may be in different DSAs. The
I
Alternatively, DSAs may be configured to hold only those inconsistency shall be corrected by specific administrator
naming contexts representing primarily leaf entries. action, for example to delete aliases if the corresponding
aliased objects have been deleted. The Directory continues
to operate during this period of inconsistency.
From the above definitions, the limiting case for a naming
context can be either a single entry or the whole of the
DIT.
DSAI
DSA3
0 DIBentty
DIB Alias entry
CN=O
Figure 5 -Hypothetical DIT
Note - The Root is not held by any DSA, however some indication shall exist at the local level to distinguish those vertices (e.g., C=VV,
C=WW) which are immediate subordinates of the Root.
It is a requirement of the Directory that, for particular
modes of user interaction, the distribution of the directory
10 Knowledge
be rendered transparent, thereby giving the effect that the
The DIB is potentially distributed across multiple DSAs whole of the DIB appears to be within each and every
with each DSA holding a DIB fragment; the principles that DSA.
govern distribution of the DIB are specified in clause 9 of
this part of ISO/IEC 9594.
In order to support the operational requirements described
above, it is necessary that each DSA holding a fragment of
ISO/IEC 9594-4 : 1990(E)
the DIB be able to identify and optionally interact with which holds the root context. The functionality of a 'root-
other fragments of the DIB held by other DSAs. DSA concerning the name resolution process has to be
provided by those DSAs which have administrative
authority for naming contexts that are immediately
This clause defines knowledge as the basis for the mapping
subordinate to the root. These DSAs are called First Level
of a name to its location within a fragment of the DIT.
DSAs. Each First Level DSA shall be able to simulate the
functionality of the 'root-DSA'. This requires full
Conceptually DSAs hold two types of information:
knowledge about the root naming context. The root
a) Directory Information
context is replicated onto each First Level DSA and
therefore has to be administered commonly by the
b) Knowledge Information
autonomous first level administrative authorities.
Administration procedures have to be determined by
Directory Information is the collection of entries
multilateral agreements outside the scope of this part of
comprising the Naming Context(s) for which the
ISO/IEC 9594.
Administrator of a particular DSA has Administrative
Authority.
Each first level DSA shall hold the root context,
which implies a reference path to each other first
Knowledge Information embodies the Naming Context(s)
level DSA.
held by a particular DSA and denotes how these fit into the
Each non-first level DSA shall have a superior
overall DIT hierarchy. Name Resolution, the process of
reference, which implies a reference path to any
locating the DSA which has Administrative Authority for a
arbitrary first level DSA.
particular entry given that entry's name, is based on
knowledge information.
10.3 Knowledge References
The knowledge possessed by a DSA is defined in terms of
A Context Prefix is the sequence of RDNs leading from
a set of one or more knowledge references where each
the Root of the DIT to the initial vertex of a naming
reference associates, either directly or indirectly, entries of
context and corresponds to the distinguished name of that
the DIB with DSAs which hold those entries.
vertex.
A Naming Context comprises a collection of knowledge
To be able to fulfill the requirements to reach every DIB
references and a Context Prefix. A Naming Context shall
entry from any DSA, every DSA is required to have
contain exactly the following knowledge references:
knowledge about the entries which it itself holds, and
about subordinates and possibly superiors thereof. This
All the internal references which define the internal
gives rise to the following types of knowledge references:
structure of the portion of the DIT included in the
Naming Context.
Internal references
All the subordinate and non-specific subordinate
Subordinate references
references to other Naming Contexts.
Superior references
10.1 Minimal Knowledge References
Non-specific subordinate references
It is a property of the Directory that each entry can be
a
accessed independently of where a request is generated.
Additionally, for optimization purposes the following
types of optional references are defined:
To accomplish this, each DSA shall at least maintain the
Cross references
following knowledge references:
In the event that the set of knowledge references associated
subordinate references as defined in 10.3.2 and/or
with a particular DSA contain only internal references, the
non-specific subordinate references as defined in
DSA has no knowledge of other DSAs and the DIB is
10.3.5; and
therefore centralized.
superior references as defined in 10.3.3.
10.3.1 Internal References
It is then possible to establish a reference path, as a
An internal reference consists of :
continuous sequence of knowledge references, to all
naming contexts within the Directory.
the RDN corresponding to a DIB entry;
an internal pointer to where the entry is stored in the
Optionally, cross references, as defined in 10.3.4, may
local DIB. (The specification of this pointer is
form part of a reference path to optimize performance.
outside the scope of this part of ISO/IEC 9594).
10.2 Root Context
All entries for which a particular DSA has Administrative
Authority are represented by internal references in the
Because of the autonomy of the different countries or
global organizations, there is likely to be no 'single' DSA knowledge information of that DSA.
ISO/IEC 9594-4 1990(E)
10.3.2 Subordinate References
10.4 Knowledge Administration
A subordinate reference consists of
To operate a widely distributed Directory with an
acceptable degree of consistency and performance,
an RDN corresponding to an immediate subordinate
procedures are required to maintain and extend the
DIB entry;
knowledge held by each DSA. The same procedures are
appropriate for creating initial knowledge.
the Access Point of the DSA to which
Administrative Authority for that entry was
Knowledge can be maintained by:
delegated.
The DSA or its administrative authority propagating
a)
All subordinate entries held by another DSA to which this
changes of knowledge to those DSAs holding all
DSA has delegated Administrative Authority, shall be
kinds of references to it, whenever changes at that
represented by subordinate references (or non-specific
DSA cause the references to become invalid. This
subordinate references as described in 10.3.5).
is the only way superior, subordinate and non-
specific subordinate references can be maintained;
10.3.3 Superior References
A superior reference consists of
b) DSAs requesting and obtaining cross references to
improve the performance through ordinary directory
operations.
the Access Point of a DSA.
This part of ISODEC 9594 does not define any procedures
Each non-first level DSA maintains precisely one superior
reference. The superior reference shall form part of a for propagating knowledge changes as described in a).
reference path to the root. Unless some method outside the Bilateral agreements shall be established locally for this.
standard is employed to ensure this, for example within a
DMD, this shall be accomplished by referring to a DSA
10.4.1 Requesting Cross References
which holds a naming context whose context prefix has
To improve the performance of the Directory System, the
less RDNs than the context prefix with fewest RDNs held
local set of cross references can be expanded using
by this DSA.
ordinary Directory operations. If a DSA has a chained-
service-port it may request another DSA (which also shall
10.3.4 Cross References
have a chained-service-port) to return those knowledge
A cross reference consists of references which contain information about the location of
naming contexts related to the target object name of an
a Context Prefix;
ordinary Directory operation.
the Access Point of a DSA which has
If the returnCrossReferences component of the
Administrative Authority for that Naming Context.
ChainedOperationsArgument is set to T R U E , the
This type of reference is optional and serves to optimize
c r O s s R e f e r e n c e component of the
Name Resolution. A DSA may hold any number
ChainedOperationsResult may be present, consisting of a
(including zero) of cross references.
sequence of cross reference items.
10.3.5 Non-specific Subordinate References
If a DSA is not able to chain a request to the next DSA a
referral is returned to the originating DSA. If the
A non-specific subordinate reference consists of
return C r os s Ref e r e n ce component of
the Access Point of a DSA which holds one or more
ChainingArguments was TRUE, the referral may contain
immediately subordinate Naming Contexts.
additionally the context prefix of the naming context
which the referral refers to. The contextprefix component
This type of reference is optional, to allow for the case in
is absent if the referral is based on a non-specific
which a DSA is known to contain some subordinate entries
subordinate reference. The cross reference returned by a
but the specific RDNs of those entries is not known.
referral is based on knowledge held by the DSA which
generated the referral.
For each naming context which it holds, a DSA may hold
any number (including zero) of non-specific subordinate
In both cases (chaining result and referral) an
references, which will be evaluated if all specific internal
administrative authority through its DSA may elect to
and subordinate references have been pursued. DSAs
ignore the request for returning cross references.
a
...