ISO/IEC 9594-10:2008

INTERNATIONAL ISO/IEC
STANDARD 9594-10
Fourth edition
2008-12-15
Information technology — Open Systems
Interconnection — The Directory: Use of
systems management for administration
of the Directory
Technologies de l'information — Interconnexion de systèmes ouverts
(OSI) — L'annuaire: Utilisation de la gestion-systèmes pour
l'administration de l'annuaire

Reference number
©
ISO/IEC 2008
PDF disclaimer
This PDF file may contain embedded typefaces. In accordance with Adobe's licensing policy, this file may be printed or viewed but
shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In
downloading this file, parties accept therein the responsibility of not infringing Adobe's licensing policy. The ISO Central Secretariat
accepts no liability in this area.
Adobe is a trademark of Adobe Systems Incorporated.
Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation
parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In
the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below.

©  ISO/IEC 2008
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or
ISO's member body in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published by ISO in 2009
Published in Switzerland
ii © ISO/IEC 2008 – All rights reserved

CONTENTS
Page
Foreword .    iv
Introduction .    v
SECTION 1 – GENERAL. 1
1 Scope. 1
2 Normative references . 1

2.1 Identical Recommendations | International Standards. 2
2.2 Paired Recommendations | International Standards equivalent in technical content. 2

3 Definitions . 2

3.1 Communication Model definitions. 2
3.2 Management Framework definitions. 3
3.3 System Management Overview definitions. 3
3.4 Management Information Model definitions. 3
3.5 Directory Model definitions . 3
3.6 Distributed Operation definitions . 4
4 Abbreviations . 4
5 Conventions . 4
SECTION 2 – MANAGEMENT REQUIREMENTS. 6
6 Directory management requirements . 6
6.1 Introduction . 6
6.2 Sources of management requirements . 6
6.3 Analysis of management requirements . 7
SECTION 3 – MANAGEMENT MODELS. 14
7 Directory Management Model. 14
7.1 Introduction . 14
7.2 Directory Management Model components . 14
7.3 Layered Directory Management Model . 14
7.4 Directory Information Model and System Management Information Model. 16
7.5 Directory Service Model. 16
8 Provision of management services . 17
9 Directory Management Information Model. 18
SECTION 4 – MANAGED OBJECTS . 20
10 Directory managed objects . 20
10.1 DSA managed object . 20
10.2 Known DSA managed objects . 28
10.3 Known DUA managed objects. 29
10.4 Upper layer definitions. 29
10.5 DUA managed objects . 29
10.6 Directory Service managed objects. 30
10.7 Directory Management Domain managed objects. 30
Annex A – Managed object definitions. 31
A.1 Management of a DSA. 31
A.2 Management of a Known DSA . 50
A.3 Management of a Known DUA. 51
A.4 Management of association . 52
A.5 Management of a DUA . 53
A.6 Directory Service management . 53
A.7 DMD. 55
A.8 Definition of attributes . 56
A.9 ASN.1 notations . 72
Annex B – Amendments and corrigenda. 79

© ISO/IEC 2008 – All rights reserved iii

Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are members of
ISO or IEC participate in the development of International Standards through technical committees
established by the respective organization to deal with particular fields of technical activity. ISO and IEC
technical committees collaborate in fields of mutual interest. Other international organizations, governmental
and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information
technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International
Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as
an International Standard requires approval by at least 75 % of the national bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
Subcommittee SC 6, Telecommunications and information exchange between systems, in collaboration with
ITU-T. The identical text is published as ITU-T Rec. X.530 (11/2008).
This fourth edition cancels and replaces the third edition (ISO/IEC 9594-10:2005), which has been technically
revised.
ISO/IEC 9594 consists of the following parts, under the general title Information technology — Open Systems
Interconnection — The Directory:
⎯ Part 1: Overview of concepts, models and services
⎯ Part 2: Models
⎯ Part 3: Abstract service definition
⎯ Part 4: Procedures for distributed operation
⎯ Part 5: Protocol specifications
⎯ Part 6: Selected attribute types
⎯ Part 7: Selected object classes
⎯ Part 8: Public-key and attribute certificate frameworks
⎯ Part 9: Replication
⎯ Part 10: Use of systems management for administration of the Directory

iv © ISO/IEC 2008 – All rights reserved

Introduction
This Recommendation | International Standard, together with other Recommendations | International Standards, has

been produced to facilitate the interconnection of information processing systems to provide Directory services. A set of
such systems, together with the Directory information that they hold, can be viewed as an integrated whole, called the
Directory. The information held by the Directory, collectively known as the Directory Information Base (DIB), is
typically used to facilitate communication between, with or about objects such as application entities, people, terminals
and distribution lists.
The Directory plays a significant role in Open Systems Interconnection, whose aim is to allow, with a minimum of
technical agreement outside of the interconnection standards themselves, the interconnection of information processing
systems:
– from different manufacturers;
– under different managements;
– of different levels of complexity; and
– of different ages.
The purpose of Directory management is to assure that needed, accurate Directory information is available to users as
scheduled with the expected response time, integrity, security and level of consistency. Furthermore, systems
management may be accomplished with the minimum burden on processing time and memory on platforms and the
communications system.
The Directory may support open systems applications such as message handling systems, File Transfer, Access and
Management (FTAM) systems, and transaction processing systems. Therefore, the Directory system may be
manageable from an integrated system management platform.
This Recommendation | International Standard provides the foundation frameworks upon which industry profiles can be
defined by other standards groups and industry forums. Many of the features defined as optional in these frameworks
may be mandated for use in certain environments through profiles. This sixth edition technically revises and enhances,
but does not replace, the fifth edition of this Recommendation | International Standard. Implementations may still claim
conformance to the fifth edition. However, at some point, the fifth edition will not be supported (i.e., reported defects
will no longer be resolved). It is recommended that implementations conform to this sixth edition as soon as possible.
Annex A, which is an integral part of this Recommendation | International Standard, defines the managed objects used
for Directory System Agent administration.
Annex B, which is not an integral part of this Recommendation | International Standard, lists the amendments and
defect reports that have been incorporated to form this edition of this Recommendation | International Standard.

© ISO/IEC 2008 – All rights reserved v

INTERNATIONAL STANDARD
ITU-T RECOMMENDATION
Information technology – Open Systems Interconnection – The Directory:
Use of systems management for administration of the Directory
SECTION 1 – GENERAL
1 Scope
This Recommendation | International Standard describes the requirements for Directory management, and analyses
these requirements to identify those that may be realized by OSI Systems Management services (and protocols), those
that are realized by Directory services (and protocols), and those that are realized by local means.
Based on the requirements, this Directory Specification defines a model for Directory management that encompasses all
of the requirements.
Management of the Directory is divided into four major segments:
a) management of the DIT Domain: Management of Directory information;
b) management of the operation of a single DSA within a DMD;
c) management of the operation of a single DUA within a DMD; and
d) management of the Directory Management Domain (DMD): Integrated management of the functional
components of the Directory.
This Recommendation | International Standard covers items a), b) and c). Item d), Management of the Directory
Management Domain, is for further study.
Based on the model, this Recommendation | International Standard describes the detailed OSI Systems Management
Managed Objects used to manage Directory System Agents (DSAs) and Directory User Agents (DUAs) within a
Directory Domain, and describes the detailed OSI Systems Management Managed Objects used to manage the
interfaces to DUAs and DSAs in other domains as shown in Figure 1.

Figure 1 – Scope of Directory management
2 Normative references
The following Recommendations and International Standards contain provisions which, through reference in this text,
constitute provisions of this Recommendation | International Standard. At the time of publication, the editions indicated
were valid. All Recommendations and Standards are subject to revision, and parties to agreements based on this
Recommendation | International Standard are encouraged to investigate the possibility of applying the most recent
edition of the Recommendations and Standards listed below. Members of IEC and ISO maintain registers of currently
valid International Standards. The Telecommunication Standardization Bureau of the ITU maintains a list of currently
valid ITU-T Recommendations.
ITU-T Rec. X.530 (11/2008) 1
2.1 Identical Recommendations | International Standards
– ITU-T Recommendation X.200 (1994) | ISO/IEC 7498-1:1994, Information technology – Open Systems
Interconnection – Basic Reference Model: The basic model.
– ITU-T Recommendation X.500 (2008) | ISO/IEC 9594-1:2008, Information technology – Open Systems
Interconnection – The Directory: Overview of concepts, models and services.
– ITU-T Recommendation X.501 (2008) | ISO/IEC 9594-2:2008, Information technology – Open Systems
Interconnection – The Directory: Models.
– ITU-T Recommendation X.509 (2008) | ISO/IEC 9594-8:2008, Information technology – Open Systems
Interconnection – The Directory: Public-key and attribute certificate frameworks.
– ITU-T Recommendation X.511 (2008) | ISO/IEC 9594-3:2008, Information technology – Open Systems
Interconnection – The Directory: Abstract service definition.
– ITU-T Recommendation X.518 (2008) | ISO/IEC 9594-4:2008, Information technology – Open Systems
Interconnection – The Directory: Procedures for distributed operation.
– ITU-T Recommendation X.519 (2008) | ISO/IEC 9594-5:2008, Information technology – Open Systems
Interconnection – The Directory: Protocol specifications.
– ITU-T Recommendation X.520 (2008) | ISO/IEC 9594-6:2008, Information technology – Open Systems
Interconnection – The Directory: Selected attribute types.
– ITU-T Recommendation X.521 (2008) | ISO/IEC 9594-7:2008, Information technology – Open Systems
Interconnection – The Directory: Selected object classes.
– ITU-T Recommendation X.525 (2008) | ISO/IEC 9594-9:2008, Information technology – Open Systems
Interconnection – The Directory: Replication.
– ITU-T Recommendation X.701 (1997) | ISO/IEC 10040:1998, Information technology – Open Systems
Interconnection – Systems management overview.
– ITU-T Recommendation X.710 (1997) | ISO/IEC 9595:1998, Information technology – Open Systems
Interconnection – Common Management Information service.
– ITU-T Recommendation X.711 (1997) | ISO/IEC 9596-1:1998, Information technology – Open Systems
Interconnection – Common Management Information Protocol: Specification.
– CCITT Recommendation X.720 (1992) | ISO/IEC 10165-1:1993, Information technology – Open
Systems Interconnection – Structure of management information: Management information model.
– CCITT Recommendation X.721 (1992) | ISO/IEC 10165-2:1992, Information technology – Open
Systems Interconnection – Structure of management information: Definition of management information.
– CCITT Recommendation X.722 (1992) | ISO/IEC 10165-4:1992, Information technology – Open
Systems Interconnection – Structure of management information: Guidelines for the definition of
managed objects.
– ITU-T Recommendation X.723 (1993) | ISO/IEC 10165-5:1994, Information technology – Open Systems
Interconnection – Structure of management information: Generic management information.
2.2 Paired Recommendations | International Standards equivalent in technical content
– CCITT Recommendation X.700 (1992), Management framework for Open Systems Interconnection
(OSI) for CCITT applications.
ISO/IEC 7498-4:1989, Information processing systems – Open Systems Interconnection – Basic
Reference Model – Part 4: Management framework.
3 Definitions
For the purposes of this Recommendation | International Standard, the following definitions apply.
3.1 Communication Model definitions
The following terms are defined in ITU-T Rec. X.519 | ISO/IEC 9495-5:
a) application-entity;
b) application Layer;
c) application process.
2 ITU-T Rec. X.530 (11/2008)
3.2 Management Framework definitions
The following terms are defined in CCITT Rec. X.700 | ISO/IEC 7498-4:
a) management information base;
b) managed object.
3.3 System Management Overview definitions
The following terms are defined in ITU-T Rec. X.701 | ISO/IEC 10040:
a) agent;
b) manager;
c) notification;
d) managed object class.
3.4 Management Information Model definitions
The following terms are defined in CCITT Rec. X.720 | ISO/IEC 10165-1:
a) behaviour;
b) conditional package;
c) inheritance;
d) naming tree;
e) package;
f) subclass;
g) superclass.
3.5 Directory Model definitions
The following terms are defined in ITU-T Rec. X.501 | ISO/IEC 9594-2:
a) access control;
b) Administration Directory Management Domain;
c) alias;
d) attribute;
e) attribute type;
f) attribute value;
g) authentication;
h) Directory Information Tree;
i) Directory Management Domain;
j) Directory System Agent;
k) DSA-Specific Entry;
l) Directory User Agent (DUA);
m) distinguished name;
n) entry;
o) name;
p) object (of interest);
q) Private Directory Management Domain;
r) relative distinguished name;
s) root;
t) schema;
u) security policy;
v) subordinate object;
ITU-T Rec. X.530 (11/2008) 3
w) superior entry;
x) superior object;
y) tree;
z) (Directory) user.
3.6 Distributed Operation definitions
The following terms are defined in ITU-T Rec. X.518 | ISO/IEC 9594-4:
a) hierarchical operational binding;
b) non-specific hierarchical operational binding.
4 Abbreviations
For the purposes of this Recommendation | International Standard, the following abbreviations apply:
ADDMD Administration Directory Management Domain
CMIP Common Management Information Protocol
DAP Directory Access Protocol
DIB  Directory Information Base
DISP Directory Information Shadowing Protocol
DIT  Directory Information Tree
DMD Directory Management Domain
DOP Directory Operational Binding Management Protocol
DSA Directory System Agent
DSE  DSA-Specific Entry
DSP  Directory System Protocol
DUA Directory User Agent
HOB Hierarchical Operational Binding
MIB  Management Information Base
NHOB Non-specific Hierarchical Operational Binding
NSAP Network Service Access Point
NSSR Non-specific Subordinate Reference
OSI  Open Systems Interconnection
PRDMD Private Directory Management Domain
RDN Relative Distinguished Name
TMN Telecommunications Management Network
5 Conventions
The term "Directory Specification" (as in "this Directory Specification") shall be taken to mean
ITU-T Rec. X.530 | ISO/IEC 9594-10. The term "Directory Specifications" shall be taken to mean the X.500-series
Recommendations and all parts of ISO/IEC 9594.
This Directory Specification uses the term first edition systems to refer to systems conforming to the first edition of the
Directory Specifications, i.e., the 1988 edition of the series of CCITT X.500 Recommendations and the
ISO/IEC 9594:1990 edition.
This Directory Specification uses the term second edition systems to refer to systems conforming to the second edition
of the Directory Specifications, i.e., the 1993 edition of the series of ITU-T X.500 Recommendations and the
ISO/IEC 9594:1995 edition.
This Directory Specification uses the term third edition systems to refer to systems conforming to the third edition of the
Directory Specifications, i.e., the 1997 edition of the series of ITU-T X.500 Recommendations and the
ISO/IEC 9594:1998 edition.
4 ITU-T Rec. X.530 (11/2008)
This Directory Specification uses the term fourth edition systems to refer to systems conforming to the fourth edition of
the Directory Specifications, i.e., the 2001 editions of ITU-T X.500, X.501, X.511, X.518, X.519, X.520, X.521, X.525,
and X.530, the 2000 edition of ITU-T X.509, and parts 1-10 of the ISO/IEC 9594:2001 edition.
This Directory Specification uses the term fifth edition systems to refer to systems conforming to the fifth edition of the
Directory Specifications, i.e., the 2005 edition of the series of ITU-T X.500 Recommendations and the
ISO/IEC 9594:2005 edition.
This Directory Specification uses the term sixth edition systems to refer to systems conforming to the sixth edition of the
Directory Specifications, i.e., the 2008 edition of the series of ITU-T X.500 Recommendations and the
ISO/IEC 9594:2008 edition.
This Directory Specification presents ASN.1 notation and Managed Object Definitions in the bold Helvetica, 9 point
typeface. When ASN.1 types and values or Managed Object Definitions are referenced in normal text, they are
differentiated from normal text by presenting them in the bold Helvetica, 9-point typeface. Access control permissions
are presented in italicized Helvetica.

ITU-T Rec. X.530 (11/2008) 5
SECTION 2 – MANAGEMENT REQUIREMENTS
6 Directory management requirements
The collection and processing of management information is an overhead set against the primary objective of the
Directory. Consequently, it is essential to ensure that all activities involved in acquiring management information are
useful, valid and present the minimum overhead to the natural processes of Directory components.
In order to derive the required management information and associated actions, it is necessary to analyse the various
entities which both provide the Directory service and also interact with it so that the relevant management needs are
identified. Furthermore, the Directory will operate in conjunction with other networks and services. The
1)
Telecommunications Management Network (TMN) is designed to provide a framework for management across
differing networks and services. Hence, the management features of Directory components are aligned with the
expectations of TMN.
6.1 Introduction
This Section analyses the environment in which a Directory will operate and isolates the management requirements.
The management requirements are defined by analysis of the activities of roles concerned with using, operating and
owning a Directory service. The motivation for the selection of these roles has been influenced by the functional
hierarchy view of management, defined within the TMN. This takes a broad view of an organization offering Directory
services and encompasses the need for low-level component management, the customer-oriented requirements of
offering services and the effects of the business objectives of the owners of Directory systems.
6.2 Sources of management requirements
6.2.1 Service agreement
6.2.1.1 Directory customer service agreement
A Directory service agreement is a set of terms and conditions governing the provision of the Directory services and
establishing the contractual relationship between the Directory customer and a Directory service provider. A service
agreement may cover a number of items relating to the expected operation of the Directory, such as accessible Directory
information (including maintenance of indirect data links such as seeAlso attributes and groupOfName entries),
allowed operations on accessible Directory information, quality of service operation, conditions for settlement for usage
of the service, and availability of the service and access points.
Of these items, some are directly embodied by Directory components and management activities (for example,
detecting aliases that point to non-existent distinguished names). Conversely, some service agreement items (for
example, settlement) are indirectly embodied by Directory components in that a management process uses a record of
Directory component activity as a basis for fulfilling the service agreement.
Associated with a service agreement there are a number of roles such as:
– Directory user;
– Directory customer;
– Directory service manager;
– Directory system manager/administrator (see 6.2.2); and
– Directory business manager (see 6.2.3 and 6.3.5).
A Directory customer, acting on behalf of Directory users, enters into an agreement with the Directory management
organization which determines an agreed service to be presented to users. The Directory customer may represent any
arbitrary group of users, the structure and content of which are not restricted by the Directory management organization.
A Directory user is a consumer of Directory services. Actions of Directory users stimulate the Directory components to
produce management information in order that the Directory service manager may ascertain whether the Directory is
operating within the bounds of the Directory user's service agreement.
____________________
1)
ITU-T Rec. M.3010, Principles for a telecommunications management network.
6 ITU-T Rec. X.530 (11/2008)
A Directory service manager is responsible for ensuring that a service agreement is implemented and maintained. The
Directory service manager functions may encompass a number of areas such as:
– registration (e.g., of Directory users, Directory customers);
– configuration changes (e.g., enabling or disabling DSAs);
– assistance (e.g., help desk, technical support);
– service configuration changes (e.g., changes to service characteristics);
– quality of service monitoring and reporting; and
– accounting, billing and settlement.
6.2.1.2 Peer service provider service agreement
In order to fully satisfy a service offered to a Directory user, it may be necessary to make use of Directory services
provided by other Directory service providers. The essence of a peer service provider service agreement may be similar
to that constructed for the basis of interaction with Directory users. That is, available information, allowed operations,
access details, etc., will need to be agreed between two Directory service providers before interaction can occur.
6.2.2 Operations
An essential part of attaining an agreed service is the ongoing monitoring and maintenance of the Directory components
which provide the service:
– Reconfiguration of Directory components:
a) predictable downtime due to equipment maintenance;
b) unpredictable downtime due to equipment failure.
– Management reconfiguration:
a) for example, redirecting collected management information out of office hours.
– Management of product operating limitations:
a) observing product maximum operating parameters (e.g., maximum number of associations for a
DSA, maximum number of entries for a DSA);
b) observing inter-provider operating parameters.
– Troubleshooting:
a) configuring components to act in a specific way for the purposes of problem solving.
The role associated with Operations is Directory system administrator.
6.2.3 Business processes
Business processes reflect the activities undertaken by business managers in the pursuit of business objectives through
the offering of Directory services. Objectives and motivations differ from one organization to another, e.g., financial
gain is one motivation. Different objectives/motivations will result in different sets of management information being
relevant to different organizations. The Directory management facilities shall enable the construction of management
policies by organizations.
Information regarding the performance against those objectives is required. Activities which are undertaken will include
sell/(advertise) services, expand/contract system, procure equipment, and evolve services.
The role associated with business processes is the Directory business manager who will strive to meet business
objectives through the setting of service targets (for example, in terms of reducing operating costs), selling/advertising
services, expanding/contracting capacity, procuring capital equipment, instigating new service offerings, etc.
6.3 Analysis of management requirements
The identification of management requirements illustrates the roles and activities concerned with both using, providing
and owning a Directory service. A closer analysis of these roles and activities will identify a set of required
management information and management actions which serve to maintain a successful Directory service.
ITU-T Rec. X.530 (11/2008) 7
6.3.1 General requirements
There are a number of issues to consider:
– Management information can be expressed in a number of different forms such as maintaining logs and
counters, establishing gauges and thresholds, and generating events and alarms. It is expected that the
management system will supply standardized mechanisms for the expression of different management
information formats.
– Management activities, and thus the need for specific elements of management information, may vary
over time. There is a need for the dynamic configuration of the collection of management information.
– Implementation of management policies should not be hindered by Directory management specifications.
– Operational information produced by Directory systems may change status according to which type of
organization is operating the service and which type of service agreement has been made.
6.3.2 Directory user
6.3.2.1 Allowed Directory user activity
6.3.2.1.1 Successful Directory user access
Record Directory DAP, DSP, DISP, DOP activity:
– Log operation counts.
– Log operation details.
– Log details against the data retrieved rather than the operation invoked.
– Log resource usage.
– Notifications of an exceptional valid operation that will take place may be required. This may be required
if, for example, the operation would cause a large amount of activity within the Directory system (e.g., a
subtree search at the country level, or a shadow update is occurring).
6.3.2.1.2 Unsuccessful Directory user access
Directory reports no errors, but service operation is not as expected. It will be necessary to report the details to service
management as a violation of the service agreement. The Directory components will only collect management
information as described in 6.3.2.1.1.
The unexpected event may be against any of the items of the service agreement that the user is aware of, for example:
– unable to invoke a specific Directory operation on the DIB;
– returned data is not of a quality agreed within the service agreement (e.g., the data is out of date or
certain agreed optional attributes are not included).
A condition caused by a valid operation which fails because of:
– direct information failure (e.g., alias dereference failure, knowledge problem);
– indirect information failure (e.g., an entry does not exist with the distinguished name found on a previous
read of a groupOfNames entry or seeAlso);
– equipment failure.
6.3.2.2 Disallowed Directory user activity
6.3.2.2.1 Disallowed unsuccessful Directory service access
The Directory detects and shall notify an attempt at illegal access to:
– the Directory service (i.e., the bind);
– specific information and (invocation of) operations (i.e., detection by access control procedures).
Logging of all unauthorized activity may also occur.
Additionally, resource usage incurred when making an unauthorized access. This information allows system and service
administrators to assess the cost of unauthorized access.
6.3.2.2.2 Disallowed successful Directory service access
This situation occurs when a Directory user has successfully accessed the Directory in a way which breaches the service
agreement but the Directory did not detect this as an error. This indicates an error in the system configuration against
8 ITU-T Rec. X.530 (11/2008)
the service agreement. Detection would only take place if sufficient log information was available and was analysed
off-line.
6.3.3 Directory customer
– Establishment of service agreement:
a) scope assigned to the user (i.e., anywhere, within the DMD, within the DSA).
– Represents users of service – The specific combination of users in terms of numbers, structure and
service agreement features is arbitrary and not inhibited by the Directory management capabilities.
– Query status of service against service agreement.
– Query capabilities of service with a view to extending/curtailing existing service agreement.
– Settle for usage of service. Settlement arrangement is based upon an internal calculation of service
management and can include:
a) query-oriented, based on resources used in querying;
b) data supplier oriented, based on resources used by information residing in DIT;
c) predefined absolute time limit usage of the Directory (as opposed to a specific association time);
d) a pre-settled resource usage of the Directory.
The customer may represent a number of users; the settlement process will need to be able to identify users with the
billable customer.
6.3.4 Directory service manager
The Directory service manager acts upon requests made by Directory customers and the need to monitor the operation
of the Directory service in order that service agreements are maintained:
– Create Directory configuration necessary for meeting a service agreement.
– Respond to requests for service information from customer:
a) Billing information – Based upon customer, rather than user.
b) Problem reports.
– Make decision as to exactly what management information is required to be collected and when, in order
that the service agreement is maintained.
– Inhibit binds (for example, due to user not registered for a service, service available during limited times,
service unavailable due to customer/service contravening service agreement).
– Validate operation requests against service agreements.
When considering the management of Directory information extraction, there are a number of issues:
– Control is needed over the amount of data that may be extracted, and the Directory currently addresses
this concern through the setting of size and time limits on requests. Additionally, control may be imposed
on users who would otherwise attempt to destroy the integrity of information within the Directory.
– Waste of resources through either retrieval of Directory information based upon an inappropriate choice
of filter, which results in a large number of entries being processed (e.g., search using a substring filter of
"Hotel" within a DIT subtree holding UK data).
– Waste of resources through specification of an operation that it is known will not succeed (e.g., searching
for an entry with a localityName filter which is non-existent).
– Attempting to retrieve directory information on an illegal basis. This may either be through the usage of
a particular attribute type within a filter (e.g., filtering entries against their telephone number is not
allowed within the UK) or through the use of a particular matching algorithm (e.g., it is not permitted
within France to use final substring filter match on surnames).
– A Directory service provider may not allow a user a wide-ranging browsing capability. This would result
in a designated set of DIT access locations (distinguished names).
6.3.5 Directory business manager
– Specify monitoring conditions concerned with detecting:
a) specific usage patterns (for example, from particular known groups or geographical areas);
b) candidates for the expansion/contraction of service resources (either through procurement or
reconfiguration) – due to demand;
ITU-T Rec. X.530 (11/2008) 9
c) candidates for identifying groups of users which do/do not use particular service features (as basis
of marketing exercises);
d) configuration to cope with localized (temporally and/or geographically) demand (e.g., for special
events).
6.3.6 Management of the DIT domain
The schema, including DIT, object classes, attributes, attribute syntaxes, structure rules and matching rules shall be
implemented and maintained. The schema may be "published" in subentries. Provision is made for adding, modifying
and deleting Directory names and entry information for both user and operational attributes. The Directory
administrator ensures that relative distinguished names are registered and that the contents of entries are correct and in
accordance with the schema. Tools for content error detection and analysis should be available.
6.3.6.1 Management of aliases and other pointers
Management of aliases and similar pointers is not standardized. The Directory system manager may require solutions to
ensure consistency between object entries and alias entries. That is, it should be possible for a manager to list those
aliases the target entries of which do not exist.
6.3.6.2 Management of lists and seeAlso
Consistency between Directory lists and seeAlso attributes may be managed; that is, there should be an entry for each
member of a list and the entry named in a seeAlso attribute should exist. The Directory Specifications do not provide
this service. An example of a list is groupOfNames, defined in these Directory Specifications.
6.3.7 Management of a DSA
Requirements for management of the DSA application process may be divided into the accounting, configuration, fault,
performance and security functional areas; the same information may be applicable to more than one functional area.
The management requirements can be divided further into those that can be considered monitoring and those that can be
considered controlling. Some notifications from the managed system may require real-time reporting to a manager and
others may be logged for future analysis.
6.3.7.1 Configuration management
Configuration management is the maintenance and exchange of information with regard to actual physical and logical
placement of the components of a system. With regard to Directory management, requirements for the management of
the Directory information should be distinguished from requirements for the management of the DSA:
– Requirements for the management of the Directory information: some of the important requirements are:
a) provide the capability to ensure that the Directory information is configured according to the
appropriate subschema; and
b) provide the capability to manage the subschemas including adding, deleting and modifying the
subschema;
c) provide tools to redistribute the Directory Information Base to other DSAs.
– Requirements for the management of the DSA: some of the important requirements are:
a) provide the capability to initiate user service, e.g., registering a user with a DUA and setting some
of the default service control parameters;
b) provide the capability of managing inventory and location of deployed Directory components
(inventory to be managed includes software resource details, license details, and vendor contact
information);
c) provide the Directory managers with the capability to configure, add, or delete components, as well
as the capability to enable (e.g., starting a DSA process) or disable Directory entities;
d) provide the Directory managers with the capability to lock and unlock the Directory;
e) provide the capability to list the operational bindings of which the DSA is cognizant, and to which
other DSAs can make an application association or to which a referral can be returned;
f) provide the ability to reconfigure the DSA to improve performance and/or overcome faults;
g) accommodate topology changes;
h) provide the ability to examine and be notified of changes of state, monitor overall operability, and
usage of the DSA;
10 ITU-T Rec. X.530 (11/2008)
i) provide the controls for the monitoring and distribution of configuration information to other
DMDs;
j) provide information for neighbour DSAs including: DSA name and security credentials,
presentation address, lower layers supported, naming contexts and availability;
k) provide the ability to summarize shadowing agreements;
l) provide the ability to set administrative limits and thresholds (e.g., maximum time for an operation,
maximum number of associations); and
m) provide the capability to configure support for matching rules and attribute syntaxes in
...