X.500 Overview - PowerPoint PPT Presentation

1
X.500 Overview
  • Jieping Lu
  • Dept of ICS, UC Irvine
  • jlu_at_ics.uci.edu

2
Directory Service
  • A directory service is a service that allows
    quick access to a database of information.
  • Directories are specialized databases that are
    designed to make it quick and easy to look up
    information [Wilcox, 98].
  • Service describes the interface to the directory.

3
Original Goal of X.500
  • Provide wide international standardization of the
    directory service
  • provides a white page service with phone numbers
    or X.400 addresses of people (CCITT)
  • provides name server service for OSI applications
    (ISO and ECMA)
  • Characteristics
      • designed for OSI structure
      • client-server model

4
Organization
  • Information is stored at Directory Information
    Base (DIB)
  • Directory is represented hierarchically using
    Directory Information Tree (DIT)

5
Logical Structure
  • DIT = Directory Information Tree
  • Root (virtual)
  • C = country
  • O = organization
  • OU = organization unit
  • CN = common name

6
Physical Structure
  • DSA = Directory System Agent
  • DUA = Directory User Agent

7
Issues to Address
  • How information is stored
      • four information models
      • they describe what the information looks like
        and how it is distributed and managed
  • How information is exchanged
      • two protocols
      • Directory System Protocol (DSP) between DSAs
      • Directory Access Protocol (DAP) between DUAs and
        DSAs

8
Information Models
  • Directory User Information Model: the user's view
    of the directory.
  • Directory Operational and Administrative
    Information Model: the administrator's view of the
    directory.
  • DSA Information Model: how the information is
    distributed between the computers.
  • Directory Administrative Authority Model:
    controls the administrative rights.

9
Entity
  • Records in the directory are called Entities.
  • Entities are identified by Distinguished
    Names (DN)
      • C=US, O=Doc, OU=NIST, S=Ransom
  • Entities are defined by Object Classes
      • an object class defines which attributes are
        available to an entry
  • Entities are expressed by attributes
  • Attributes are defined by attribute types

10
Attributes
  • User attributes: the attributes of an entry that
    can be read and/or modified by ordinary users.
  • Collective attributes: the attributes that are
    shared by a set of entries.
  • Operational attributes: the attributes that are
    related to the operation of the directory
      • defined in the Administrative and Operational
        Model

11
DSA Attributes
  • Defined in the DSA Information Model
      • for the maintenance of the distributed DIT
      • the values depend on how the DIT is distributed
        and replicated
  • DSA shared attributes: attributes whose values are
    independent of the computer in which they are
    held.
  • DSA specific attributes: attributes whose values
    depend on the computer in which they are held.

12
Accessibility of Attributes
  • [Figure; labels: User Information Model,
    Operational and Administrative Information Model,
    DSA Information Model]

13
Administrative Authority
  • Three types of administrative authority are
    defined in the Administrative Authority Model.
  • Administrative tasks
      • Subschema administration
          • the data storage structure (DIT structure,
            Object Classes, Attribute types, syntax) in
            an administrative area
      • Access control administration
          • the security policy
      • Collective attribute administration

14
Administrative Areas
  • An administrative area is the collection of entries
    that is managed by an administrator.
  • Autonomous Administrative Area (AAA)
      • the subtree that cannot be managed by the
        upper-level administrators.
  • Inner Administrative Area (IAA)
      • the subtree that can be managed by the
        administrators of the upper level
  • Specific Administrative Area
      • defines a collection of entities in the subtree
      • similar to IAA
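
An added example, not part of the original slides: a simplified Python model of the autonomous and inner administrative areas defined above. It parses DNs written in type=value form and reports which administrators can manage an entry; the sample tree, the administrator names and the stop-at-autonomous walk are assumptions that follow the slide's definitions, not the full X.500 rules.

```python
# Simplified model of autonomous vs. inner administrative areas.
# All DNs and administrator names below are constructed sample data.

def parse_dn(dn):
    """'C=US, O=Doc' -> (('C', 'US'), ('O', 'Doc')), ordered root first."""
    rdns = []
    for part in dn.split(","):
        attr_type, sep, value = part.strip().partition("=")
        if not sep or not attr_type.strip() or not value.strip():
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr_type.strip().upper(), value.strip()))
    return tuple(rdns)

# Administrative points: DN of the area's root entry -> (kind, administrator).
ADMIN_POINTS = {
    parse_dn("C=US"): ("autonomous", "us-admin"),
    parse_dn("C=US, O=Doc"): ("inner", "doc-admin"),
    parse_dn("C=US, O=Doc, OU=NIST"): ("autonomous", "nist-admin"),
    parse_dn("C=US, O=Doc, OU=NIST, OU=Lab"): ("inner", "lab-admin"),
}

def administrators_for(dn, admin_points=ADMIN_POINTS):
    """Return the administrators able to manage `dn`, nearest area first.

    Walk from the entry towards the root. An inner area adds its
    administrator and the walk continues (upper levels still apply).
    An autonomous area adds its administrator and the walk stops
    (upper-level administrators cannot manage it).
    """
    entry = parse_dn(dn)
    admins = []
    for depth in range(len(entry), 0, -1):
        point = admin_points.get(entry[:depth])
        if point is None:
            continue
        kind, admin = point
        admins.append(admin)
        if kind == "autonomous":
            break
    return admins

if __name__ == "__main__":
    for sample in ("C=US, O=Doc, OU=NIST, S=Ransom",
                   "C=US, O=Doc, OU=NIST, OU=Lab, CN=Host1",
                   "C=US, O=Doc, OU=Census, CN=Clerk"):
        print(sample, "->", administrators_for(sample))
```

The NIST subtree is autonomous in this sample, so neither `doc-admin` nor `us-admin` appears for entries beneath it, which is the property to check when reviewing who can change access control for a subtree.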

15
Subentity
  • Is linked to the root of each administrative area
    as a child entity
  • Contains
      • subtree specification attribute: defines which
        entities are in the administrative area
      • operational attributes associated with the
        entities in the area
      • collective attributes applied to the area

16
X.500 Protocols
  • DAP (Directory Access Protocol)
      • defines the directory services provided to the
        user
      • defines 4 read-like operations
          • read, compare, list, search
      • and 5 write-like operations
          • addEntry, removeEntry, ModifyRDN, ModifyDN,
            modifyEntry
  • DSP (Directory System Protocol)
      • provides cooperation among directory servers to
        answer users' queries
      • adds chaining information to that of the DAP
        operations
          • progress of the operation, security and local
            information
      • errors are passed back unchanged

17
X.500 Protocols
  • DOP (Directory Operations Binding Management
    Protocol)
      • maintains long-term relationships between pairs
        of DSAs
      • defines 3 operations
          • establish / modify / terminate operational
            bindings
      • establishes two types of operational binding
          • Hierarchical -- between DSAs holding vertically
            adjacent portions of the DIT
          • Shadow -- between master copy and replicas

18
X.500 Protocols
  • DISP (Directory Information Shadowing Protocol)
      • used to transfer the shadowed information from
        the shadow supplier to the shadow consumer
      • defines three operations
          • coordinate shadow update
              • initiate the shadow copying from the shadow
                supplier
          • request shadow update
              • reply from the shadow consumer
          • update shadow
              • send the updates

19
Limitations of X.500
  • Very complicated
      • difficult to implement
  • Applies only to ISO network structure
      • difficult to migrate to PC
  • Slow response time