X.500 Directory Service
X.500 is a directory service used in the same way as a conventional name service, but it is primarily used to satisfy descriptive queries and is designed to discover the names and attributes of other users or system resources. Users may have a variety of requirements for searching and browsing in a directory of network users, organizations and system resources to obtain information about the entities that the directory contains. The uses for such a service are likely to be quite diverse. They range from enquiries that are directly analogous to the use of telephone directories, such as a simple ‘white pages’ access to obtain a user’s electronic mail address or a ‘yellow pages’ query aimed, for example, at obtaining the names and telephone numbers of garages specializing in the repair of a particular make of car, to the use of the directory to access personal details such as job roles, dietary habits or even photographic images of the individuals.
Standard of ITU and ISO organizations
Organized in a tree structure with name nodes as in the case of other name servers
A wide range of attributes are stored in each node
Directory Information Tree (DIT)
Directory Information Base (DIB)
X.500 service architecture
The data stored in X.500 servers is organized in a tree structure with named nodes, as in the case of the other name servers discussed in this chapter, but in X.500 a wide range of attributes are stored at each node in the tree, and access is possible not just by name but also by searching for entries with any required combination of attributes. The X.500 name tree is called the Directory Information Tree (DIT), and the entire directory structure, including the data associated with the nodes, is called the Directory Information Base (DIB). There is intended to be a single integrated DIB containing information provided by organizations throughout the world, with portions of the DIB located in individual X.500 servers. Typically, a medium-sized or large organization would provide at least one server. Clients access the directory by establishing a connection to a server and issuing access requests. Clients can contact any server with an enquiry. If the data required are not in the segment of the DIB held by the contacted server, it will either invoke other servers to resolve the query or redirect the client to another server.
Directory Service Agent (DSA)
Directory User Agent (DUA)
In the terminology of the X.500 standard, servers are Directory Service Agents (DSAs), and their clients are termed Directory User Agents (DUAs). Each entry in the DIB consists of a name and a set of attributes. As in other name servers, the full name of an entry corresponds to a path through the DIT from the root of the tree to the entry. In addition to full or absolute names, a DUA can establish a context, which includes a base node, and then use shorter relative names that give the path from the base node to the named entry.
An X.500 DIB Entry
Part of the X.500 Directory Information Tree
The data structure for the entries in the DIB and the DIT is very flexible. A DIB entry consists of a set of attributes, where an attribute has a type and one or more values. The type of each attribute is denoted by a type name (for example, countryName, organizationName, commonName, telephoneNumber, mailbox, objectClass). New attribute types can be defined if they are required. For each distinct type name there is a corresponding type definition, which includes a type description and a syntax definition in the ASN.1 notation (a standard notation for syntax definitions) defining representations for all permissible values of the type.
DIB entries are classified in a manner similar to the object class structures found in object-oriented programming languages. Each entry includes an objectClass attribute, which determines the class (or classes) of the object to which an entry refers. Organization, organizationalPerson and document are all examples of objectClass values. Further classes can be defined as they are required. The definition of a class determines which attributes are mandatory and which are optional for entries of the given class. The definitions of classes are organized in an inheritance hierarchy in which all classes except one (called topClass) must contain an objectClass attribute, and the value of the objectClass attribute must be the names of one or more classes. If there are several objectClass values, the object inherits the mandatory and optional attributes of each of the classes.
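The description above of the DIT, DIB entries, object classes and names can be made concrete with a small in-memory model. The following is an added example written for these notes, not code from the X.500 standard or from any directory product; the schema (which attributes each class requires or permits) is an assumption chosen for the example, and the sample entries are constructed. It shows a class hierarchy in which an entry with several objectClass values inherits the mandatory and optional attributes of each class, a tree of named nodes addressed by absolute names (the path from the root) or by names relative to a context node, and a descriptive query that selects entries by a combination of attribute values rather than by name.

```python
# Added example (not from the page): an in-memory model of one DSA's segment of
# the DIB, showing the DIT, entries as attribute sets, object classes with
# inherited mandatory/optional attributes, absolute/relative names and
# attribute-based search.
from dataclasses import dataclass, field

# Toy schema: class -> (superclass, mandatory attributes, optional attributes).
# Class and attribute names follow the page; the attribute lists are an
# assumption made for this example, not the standard's full definitions.
SCHEMA = {
    "top": (None, {"objectClass"}, set()),
    "country": ("top", {"countryName"}, set()),
    "organization": ("top", {"organizationName"}, {"telephoneNumber"}),
    "person": ("top", {"commonName"}, {"telephoneNumber"}),
    "organizationalPerson": ("person", set(), {"mailbox", "title"}),
    "document": ("top", {"commonName"}, {"description"}),
}


def class_attributes(cls):
    """Mandatory and optional attributes of a class, walking up the superclass chain."""
    mandatory, optional = set(), set()
    while cls is not None:
        superclass, mand, opt = SCHEMA[cls]
        mandatory |= mand
        optional |= opt
        cls = superclass
    return mandatory, optional


def validate(attrs):
    """Raise ValueError unless the entry names at least one class, carries every
    mandatory attribute of all its classes, and has no attribute none of them allows."""
    classes = attrs.get("objectClass", [])
    if not classes:
        raise ValueError("entry must carry an objectClass attribute")
    mandatory, optional = set(), set()
    for cls in classes:  # several classes: the entry inherits from each of them
        mand, opt = class_attributes(cls)
        mandatory |= mand
        optional |= opt
    missing = mandatory - attrs.keys()
    unknown = attrs.keys() - mandatory - optional
    if missing or unknown:
        raise ValueError(f"missing={sorted(missing)} unknown={sorted(unknown)}")


def is_valid(attrs):
    try:
        validate(attrs)
        return True
    except ValueError:
        return False


@dataclass
class Node:
    attrs: dict                                   # attribute type -> list of values
    children: dict = field(default_factory=dict)  # relative name -> child Node


class Directory:
    def __init__(self):
        self.root = Node({})  # unnamed root of the DIT

    def _walk(self, start, path):
        node = start
        for rdn in (path.split("/") if path else []):
            node = node.children[rdn]  # KeyError: no such entry
        return node

    def add(self, dn, attrs):
        """Insert an entry under its absolute name, e.g. 'c=GB/o=Acme/cn=Alice'."""
        validate(attrs)
        parent, _, rdn = dn.rpartition("/")
        self._walk(self.root, parent).children[rdn] = Node(attrs)

    def lookup(self, name, base=None):
        """Resolve an absolute name (base=None) or a name relative to a context node."""
        start = self.root if base is None else self._walk(self.root, base)
        return self._walk(start, name).attrs

    def search(self, **required):
        """Descriptive query: absolute names of entries carrying every type=value pair."""
        hits, stack = [], [(self.root, "")]
        while stack:
            node, dn = stack.pop()
            if dn and all(v in node.attrs.get(t, []) for t, v in required.items()):
                hits.append(dn)
            for rdn, child in node.children.items():
                stack.append((child, f"{dn}/{rdn}" if dn else rdn))
        return sorted(hits)


def build_sample():
    """Constructed sample data for the example (not real organizations or people)."""
    d = Directory()
    d.add("c=GB", {"objectClass": ["country"], "countryName": ["GB"]})
    d.add("c=GB/o=Acme", {"objectClass": ["organization"], "organizationName": ["Acme"]})
    d.add("c=GB/o=Acme/cn=Alice", {"objectClass": ["organizationalPerson"], "commonName": ["Alice"],
                                  "mailbox": ["alice@acme.example"], "title": ["Engineer"]})
    d.add("c=GB/o=Acme/cn=Bob", {"objectClass": ["organizationalPerson"], "commonName": ["Bob"],
                                "title": ["Engineer"]})
    d.add("c=GB/o=Acme/cn=Handbook", {"objectClass": ["document"], "commonName": ["Handbook"]})
    return d
```

With `d = build_sample()`, `d.lookup("cn=Bob", base="c=GB/o=Acme")` resolves a relative name from a context, and `d.search(objectClass="organizationalPerson", title="Engineer")` is the ‘yellow pages’ style query: it returns the names of Alice and Bob without the caller knowing either name in advance. The validation step is where a real DSA enforces the schema on the add and modify operations mentioned later in these notes; an entry claiming organizationalPerson but carrying a description attribute is rejected because no class it names permits that attribute.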
Administration and updating of the DIB • The DSA interface includes operations for adding, deleting and modifying entries. Access control is provided for both queries and updating operations, so access to parts of the DIT may be restricted to certain users or classes of user.
Lightweight Directory Access Protocol • X.500’s assumption that organizations would provide information about themselves in public directories within a common system has proved largely unfounded. A group at the University of Michigan proposed a more lightweight approach called the Lightweight Directory Access Protocol (LDAP), in which a DUA accesses X.500 directory services directly over TCP/IP instead of the upper layers of the ISO protocol stack.
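In LDAP the descriptive query of the kind discussed above is carried as a search filter string, whose syntax is defined in RFC 4515 (for example `(&(objectClass=organizationalPerson)(title=Engineer))`). The following added example, written for these notes and not taken from any LDAP library or server, parses that string form into a small tree and evaluates it against entries held as attribute dictionaries; the sample entries and their DNs are constructed. It also includes the RFC 4515 value escaping (`*`, `(`, `)`, `\` and NUL written as `\xx` hex), which a DUA must apply to any text it splices into a filter so that the text is matched as a literal value rather than read as filter syntax. Matching here is exact-string; real directories apply per-attribute matching rules (often case-insensitive), which this example does not model.

```python
# Added example (not from the page): parse and evaluate RFC 4515 LDAP search
# filters against entries stored as {attributeType: [values]} dicts.

def escape_value(value):
    """Escape text that will be spliced into a filter, as RFC 4515 requires."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def _unescape(text):
    """Turn '\\xx' hex escapes in a filter value back into characters."""
    out, i = [], 0
    while i < len(text):
        if text[i] == "\\" and i + 2 < len(text):
            out.append(chr(int(text[i + 1:i + 3], 16)))
            i += 3
        else:
            out.append(text[i])
            i += 1
    return "".join(out)


def _expect(text, i, ch):
    if i >= len(text) or text[i] != ch:
        raise ValueError(f"expected {ch!r} at offset {i}")
    return i + 1


def _parse(text, i):
    """Recursive-descent parser for one parenthesised filter; returns (node, next_i)."""
    i = _expect(text, i, "(")
    if i >= len(text):
        raise ValueError("unterminated filter")
    if text[i] in "&|":
        op, subs, i = ("and" if text[i] == "&" else "or"), [], i + 1
        while i < len(text) and text[i] == "(":
            sub, i = _parse(text, i)
            subs.append(sub)
        node = (op, subs)
    elif text[i] == "!":
        sub, i = _parse(text, i + 1)
        node = ("not", sub)
    else:
        eq = text.index("=", i)
        close = text.index(")", eq)
        attr, raw = text[i:eq], text[eq + 1:close]
        if raw == "*":
            node = ("present", attr)
        elif "*" in raw:  # substring: pieces between the wildcards, in order
            node = ("substring", attr, [_unescape(p) for p in raw.split("*")])
        else:
            node = ("equal", attr, _unescape(raw))
        i = close
    return node, _expect(text, i, ")")


def parse_filter(text):
    node, i = _parse(text, 0)
    if i != len(text):
        raise ValueError(f"trailing data at offset {i}")
    return node


def _substring_match(parts, value):
    first, *middle, last = parts
    if not value.startswith(first) or not value.endswith(last):
        return False
    pos = len(first)
    for piece in middle:
        at = value.find(piece, pos)
        if at < 0:
            return False
        pos = at + len(piece)
    return pos <= len(value) - len(last)


def evaluate(node, entry):
    kind = node[0]
    if kind == "and":
        return all(evaluate(s, entry) for s in node[1])
    if kind == "or":
        return any(evaluate(s, entry) for s in node[1])
    if kind == "not":
        return not evaluate(node[1], entry)
    values = entry.get(node[1], [])
    if kind == "present":
        return bool(values)
    if kind == "equal":
        return node[2] in values
    return any(_substring_match(node[2], v) for v in values)


def search(entries, filter_text):
    """DNs of the entries (a {dn: attrs} dict) that satisfy the filter, sorted."""
    ast = parse_filter(filter_text)
    return sorted(dn for dn, attrs in entries.items() if evaluate(ast, attrs))


# Constructed sample entries, written with LDAP-style comma-separated DNs.
ENTRIES = {
    "cn=Alice,o=Acme,c=GB": {"objectClass": ["organizationalPerson"], "cn": ["Alice"],
                             "mail": ["alice@acme.example"], "title": ["Engineer"]},
    "cn=Bob,o=Acme,c=GB": {"objectClass": ["organizationalPerson"], "cn": ["Bob"],
                           "title": ["Engineer"]},
    "cn=Carol,o=Acme,c=GB": {"objectClass": ["organizationalPerson"], "cn": ["Carol"],
                             "mail": ["carol@acme.example"], "title": ["Manager"]},
}
```

`search(ENTRIES, "(&(title=Engineer)(!(mail=*)))")` finds the engineer with no mailbox (Bob), and `search(ENTRIES, "(mail=*@acme.example)")` is a substring query. The escaping function matters when a filter is built from a name typed by a user: `f"(cn={escape_value(name)})"` matches only an entry whose cn is literally that text, whereas splicing the raw text in would let a value such as `*` be read as the presence filter `(cn=*)` and return every entry.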