BS ISO IEC 9594-3-2017 Information technology Open Systems Interconnection The Directory Abstract service definition《信息技术 开放系统互连 目录 抽象服务定义》.pdf

1、Information technology Open Systems Interconnection The Directory Part 3: Abstract service definition BS ISO/IEC 95943:2017 BSI Standards Publication WB11885_BSI_StandardCovs_2013_AW.indd 1 15/05/2013 15:06Information technology Open Systems Interconnection The Directory Part 3: Abstract service def

2、inition Technologies de linformation Interconnexion de systmes ouverts (OSI) L annuaire Partie 3: Dfinition du service abstrait INTERNATIONAL STANDARD ISO/IEC 9594-3 Reference number ISO/IEC 9594-3:2017(E) Eighth edition 2017-05 ISO/IEC 2017 National foreword This British Standard is the UK implemen

3、tation of ISO/IEC 95943:2017. It supersedes BS ISO/IEC 95943:2014 which is withdrawn. The UK participation in its preparation was entrusted to Technical Committee IST/6, Data communications. A list of organizations represented on this committee can be obtained on request to its secretary. This publi

4、cation does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application. The British Standards Institution 2017 Published by BSI Standards Limited 2017 ISBN 978 0 580 96318 6 ICS 35.100.70 Compliance with a British Standard cannot confer immun

5、ity from legal obligations. This British Standard was published under the authority of the Standards Policy and Strategy Committee on 31 August 2017. Amendments/corrigenda issued since publication Date Text affected BRITISH STANDARD BS ISO/IEC 95943:2017Information technology Open Systems Interconne

6、ction The Directory Part 3: Abstract service definition Technologies de linformation Interconnexion de systmes ouverts (OSI) L annuaire Partie 3: Dfinition du service abstrait INTERNATIONAL STANDARD ISO/IEC 9594-3 Reference number ISO/IEC 9594-3:2017(E) Eighth edition 2017-05 ISO/IEC 2017 BS ISO/IEC

7、 95943:2017 ii ISO/IEC 2017 All rights reserved COPYRIGHT PROTECTED DOCUMENT ISO/IEC 2017, Published in Switzerland All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including ph

8、otocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISOs member body in the country of the requester. ISO copyright office Ch. de Blandonnet 8 CP 401 CH-1214 Vernier, Geneva, Switzerland Tel. +41

9、 22 749 01 11 Fax +41 22 749 09 47 copyrightiso.org www.iso.org ISO/IEC 9594-3:2017(E) BS ISO/IEC 95943:2017 ii ISO/IEC 2017 All rights reserved COPYRIGHT PROTECTED DOCUMENT ISO/IEC 2017, Published in Switzerland All rights reserved. Unless otherwise specified, no part of this publication may be rep

10、roduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISOs member body in the country of the request

11、er. ISO copyright office Ch. de Blandonnet 8 CP 401 CH-1214 Vernier, Geneva, Switzerland Tel. +41 22 749 01 11 Fax +41 22 749 09 47 copyrightiso.org www.iso.org ISO/IEC 9594-3:2017(E)ISO/IEC 9594-3:2017(E) ISO/IEC 2017 All rights reserved ii-1 Foreword ISO (the I nternation al O rgani z atio n fo r

12、Standard iz ation) a nd I EC (the I nter nation al E lec trotechnical C om m i ssi o n ) f orm the s pe c i a l i z e d s ystem for worldwide s tandardiz at ion. N ational bo dies that a r e mem b ers of I SO o r IEC participate in t he d evelop ment o f Int e rna tion al S tandards through technic

13、al committ ees e stablished by the resp ective o r g an ization to d eal w ith par ticular f i e l d s o f technical a ct iv it y . IS O a nd IE C technical committees c o l l ab or at e in fields of m utual interest. Other internati onal organiz a tio n s, g overn m ental and no ngovern mental, i n

14、 l i a i s o n w i th I S O a n d I E C , a l s o ta ke p art in the w ork. In the field of i nformatio n technolo g y, I SO an d IEC have e stab li shed a jo i n t technical committee, ISO /IEC J TC 1. The pr oce du r es used to d evelop this document a nd those i nt ended f or its f u r th e r m a

15、 i n te n a n c e a r e d e s c r ib e d in the I S O / I E C Dir e c ti ves, Part 1. In p articul ar the d ifferent a pproval criter ia needed f or the differ e nt types o f document s hould be noted. T his document w as d rafted in accordance w ith the e di to ri a l rul e s of the ISO /I EC Direc

16、tives, Part 2 (see www.iso.org/directives ). A tt en ti o n is d rawn to t he possibility t hat some o f the el ements of t h i s d oc u men t m a y b e t h e s u bj ec t of p atent rights. ISO and IEC shall not be he l d r e sponsible f or identifying a ny or all such patent rig h ts. D e ta i l s

17、o f a n y pa t e n t rig h ts i d e n tif i e d d u rin g th e d e v el opment o f th e document w ill be i n the Introduction and/or on t he ISO list of patent declarations rec e ived (see ww w.iso.org/patents ). Any t r ade na me used in this document is information given for t h e co n v e n i e

18、n c e o f us e r s a n d d o e s not constitu t e an endorsement. For an e xpl a nati on on t he meanin g of I SO s peci fic terms an d expr essions related to c on f or mi t y a ss es s me nt, as well a s informati o n about ISOs a d h e r e n c e to the W o r l d T r a d e O rgan izat ion (WTO) pr

19、inciples in the Technic a l B a r r i e r s to T r a d e (TBT) s e e the f o l lowing URL: www.iso.org/iso/foreword.html. This e ight h e dition c ancels a nd r eplaces t he s eventh e dition ( ISO/IEC 95943:2014), w hich has been technical ly revised. This d ocum ent was pr e p ared b y IS O/IEC J

20、T C 1 , Information technology, SC 6, Telecommunications and information exchange between systems , i n c o ll a b o r a ti o n w i th I T U T . T he i d e n ti c a l te x t i s published as ITU T X.5 11 (10/ 20 16). A li st o f al l pa rt s in t he ISO/I E C 9 5 94 s e rie s, publishe d unde r t h

21、e g en eral ti t le Information technology Open Systems Interconnection The Directory , c a n be fou nd on t h e IS O w e bsite. BS ISO/IEC 95943:2017 BS ISO/IEC 95943:2017 Rec. ITU-T X.511 (10/2016) iii CONTENTS Page 1 Scope 1 2 Normative references 1 2.1 Identical Recommendations | International S

22、tandards 1 2.2 Other references 2 3 Definitions 2 3.1 OSI Reference Model security architecture definitions. 2 3.2 Basic Directory definitions 2 3.3 Directory model definitions 2 3.4 Directory information base definitions 2 3.5 Directory entry definitions 2 3.6 Name definitions . 3 3.7 Distributed o

23、perations definitions . 3 3.8 Abstract service definitions . 3 4 Abbreviations . 4 5 Conventions 4 6 Overview of the Directory service 5 7 Information types and common procedures . 5 7.1 Introduction . 5 7.2 Information types defined elsewhere 5 7.3 Common arguments 6 7.4 Common results 9 7.5 Servic

24、e controls . 10 7.6 Entry information selection . 12 7.7 Entry information 15 7.8 Filter 17 7.9 Paged results 20 7.10 Security parameters . 22 7.11 Common elements of procedure for access control . 23 7.12 Managing the DSA Information Tree . 25 7.13 Procedures for families of entries 25 8 Directory

25、authentication . 26 8.1 Simple authentication procedure . 26 8.2 Password policy 28 9 Bind, Unbind operations, Change Password and Administer Password operations . 31 9.1 Directory Bind . 31 9.2 Directory Unbind 34 10 Directory Read operations 34 10.1 Read 34 10.2 Compare 37 10.3 Abandon 40 11 Direc

26、tory Search operations . 40 11.1 List 40 11.2 Search 44 12 Directory Modify operations 54 12.1 Add Entry 55 12.2 Remove Entry 57 12.3 Modify Entry . 58 12.4 Modify DN 62 12.5 Change Password 65 12.6 Administer Password. 65 BS ISO/IEC 95943:2017 iv Rec. ITU-T X.511 (10/2016) Page 13 Operations for LD

27、AP messages . 66 13.1 LDAP Transport operation 67 13.2 Linked LDAP operation 69 14 Errors 69 14.1 Error precedence . 69 14.2 Abandoned 70 14.3 Abandon Failed . 70 14.4 Attribute Error . 71 14.5 Name Error 72 14.6 Referral 73 14.7 Security Error 73 14.8 Service Error . 74 14.9 Update Error 76 15 Anal

28、ysis of search arguments . 77 15.1 General check of search filter 78 15.2 Check of request-attribute-profiles 79 15.3 Check of controls and hierarchy selections . 80 15.4 Check of matching use 81 Annex A Abstract Service in ASN.1 82 Annex B Operational semantics for Basic Access Control . 98 Annex C

29、 Examples of searching families of entries . 111 C.1 Single family example . 111 C.2 Multiple families example . 112 Annex D External ASN.1 module 115 Annex E Use of Protected Passwords for Bind operations . 119 Annex F Amendments and corrigenda . 120 BS ISO/IEC 95943:2017 iv Rec. ITU-T X.511 (10/20

30、16) Page 13 Operations for LDAP messages . 66 13.1 LDAP Transport operation 67 13.2 Linked LDAP operation 69 14 Errors 69 14.1 Error precedence . 69 14.2 Abandoned 70 14.3 Abandon Failed . 70 14.4 Attribute Error . 71 14.5 Name Error 72 14.6 Referral 73 14.7 Security Error 73 14.8 Service Error . 74

31、 14.9 Update Error 76 15 Analysis of search arguments . 77 15.1 General check of search filter 78 15.2 Check of request-attribute-profiles 79 15.3 Check of controls and hierarchy selections . 80 15.4 Check of matching use 81 Annex A Abstract Service in ASN.1 82 Annex B Operational semantics for Basi

32、c Access Control . 98 Annex C Examples of searching families of entries . 111 C.1 Single family example . 111 C.2 Multiple families example . 112 Annex D External ASN.1 module 115 Annex E Use of Protected Passwords for Bind operations . 119 Annex F Amendments and corrigenda . 120 Rec. ITU-T X.511 (1

33、0/2016) v Introduction This Recommendation | International Standard, together with the other Recommendations | International Standards, has been produced to facilitate the interconnection of information processing systems to provide directory services. A set of such systems, together with the direct

34、ory information that they hold, can be viewed as an integrated whole, called the Directory. The information held by the Directory, collectively known as the Directory Information Base (DIB), is typically used to facilitate communication between, with or about objects such as application entities, pe

35、ople, terminals, and distribution lists. The Directory plays a significant role in Open Systems Interconnection, whose aim is to allow, with a minimum of technical agreement outside of the interconnection standards themselves, the interconnection of information processing systems: from different man

36、ufacturers; under different managements; of different levels of complexity; and of different ages. This Recommendation | International Standard defines the capabilities provided by the Directory to its users. This Recommendation | International Standard provides the foundation frameworks upon which

37、industry profiles can be defined by other standards groups and industry forums. Many of the features defined as optional in these frameworks may be mandated for use in certain environments through profiles. This eighth edition technically revises and enhances the seventh edition of this Recommendati

38、on | International Standard. This eighth edition specifies versions 1 and 2 of the Directory protocols. The first and second editions specified only version 1. Most of the services and protocols specified in this edition are designed to function under version 1. However, some enhanced services and p

39、rotocols, e.g., signed errors, will not function unless all Directory entities involved in the operation have negotiated version 2. Whichever version has been negotiated, differences between the services and between the protocols defined in the eight editions, except for those specifically assigned

40、to version 2, are accommodated using the rules of extensibility defined in Rec. ITU-T X.519 | ISO/IEC 9594-5. Annex A, which is an integral part of this Recommendation | International Standard, provides the ASN.1 module for the Directory abstract service. Annex B, which is not an integral part of th

41、is Recommendation | International Standard, provides charts that describe the semantics associated with Basic Access Control as it applies to the processing of a Directory operation. Annex C, which is not an integral part of this Recommendation | International Standard, gives examples of the use of

42、families of entries. Annex D, which is not an integral part of this Recommendation | International Standard, includes an updated copy of an external ASN.1 module referenced by this Directory Specification. Annex E, which is not an integral part of this Recommendation | International Standard, provid

43、es a suggested technique for Bind protected password. Annex F, which is not an integral part of this Recommendation | International Standard, lists the amendments and defect reports that have been incorporated to form this edition of this Recommendation | International Standard. BS ISO/IEC 95943:201

44、7BS ISO/IEC 95943:2017 ISO/IEC 9594-3:2017 (E) Rec. ITU-T X.511 (10/2016) 1 INTERNATIONAL STANDARD ITU-T RECOMMENDATION Information technology Open Systems Interconnection The Directory: Abstract service definition 1 Scope This Recommendation | International Standard defines in an abstract way the e

45、xternally visible service provided by the Directory. This Recommendation | International Standard does not specify individual implementations or products. 2 Normative references The following Recommendations and International Standards contain provisions which, through reference in this text, consti

46、tute provisions of this Recommendation | International Standard. At the time of publication, the editions indicated were valid. All Recommendations and Standards are subject to revision, and parties to agreements based on this Recommendation | International Standard are encouraged to investigate the

47、 possibility of applying the most recent edition of the Recommendations and Standards listed below. Members of IEC and ISO maintain registers of currently valid International Standards. The Telecommunication Standardization Bureau of the ITU maintains a list of currently valid ITU-T Recommendations.

48、 2.1 Identical Recommendations | International Standards Recommendation ITU-T X.500 (2016) | ISO/IEC 9594-1:2017, Information technology Open Systems Interconnection The Directory: Overview of concepts, models and services. Recommendation ITU-T X.501 (2016) | ISO/IEC 9594-2:2017, Information technol

49、ogy Open Systems Interconnection The Directory: Models. Recommendation ITU-T X.509 (2016) | ISO/IEC 9594-8:2017, Information technology Open Systems Interconnection The Directory: Public-key and attribute certificate frameworks. Recommendation ITU-T X.518 (2016) | ISO/IEC 9594-4:2017, Information technology Open Systems Interconnection The Directory: Procedures for distributed operation. Recommendation ITU-T X.519 (2016) | ISO/IEC 9594-5:2017, I