Home

UNINtrTT

1. DIrectory SHell which is part of the QUIPU distribution User CC pua gt The Directory User cpus gt an access point Figure 1 Access to the Directory A DUA s access to the Directory is implemented over an OSI Association through the Directory Access Protocol DAP The DAP in turn uses the Remote Operations Service ROS which allows specification of the services cleanly as a set of remote procedure calls The services allow retrieving and modifying of Directory information and will be de scribed in more detail in Section 4 Internally the Directory is realized as a collection cooperating Directory Service Agents DSAs which provide the Directory Service in a distributed manner Figure 2 Each DSA is an application process that represents some portion of the DIB Its role is to pro vide access to the DIB for DUAs and other DSAs In doing so a DSA may either use the information stored in its local database or interact with other DSAs to carry out the request Alternatively a DSA may redirect the requestor to another DSA s mentioned above DUAs connect to the Directory through the Directory Access Proto col DAP The interactions between a pair of DSAs are supported by a slightly different application layer protocol called the Directory Service Protocol DSP The detailed spec ifications of these protocols can be found in ISO88e Figure 2 The Directory Provided by Multiple DSAs A request from a DUA can in
2. 358 31 162578 Compare Allows comparing whether a supplied value matches an attribute value of a particular named DIB entry For example a password in the Directory might be inacces sible for read but accessible for compare Example Comparing a person s directory password Dish gt compare c Fl o Tampere University of Technology ou Software Systems Labo ratory cn Juha Heinanen attribute userPassword foo print FALSE List Causes the Directory to return the list of immediate subordinates of a particular named entry in the DIT Example Listing at most five subordinates of Norway Dish gt list c NO sizelimit 5 localityName More og Romsdal fylke localityName Sor Troendelag fylke localityName Nord Trondelag fylke localityName Nordland fylke localityName Finnmark fylke Option sizelimit is an example of a service control Service controls can be included in most directory operations In addition to sizelimit there exist service controls for time limit priority chaining caching alias dereferencing as well as scope for the operation and the result Search Causes the Directory to return information from all the entries within a given por tion of the DIT that satisfy some filter Filter is a logical expression of one or more conditions As with read the information returned from each entry consists of some or all attributes of that entry Example Searching entries and attributes from the Directory Dish gt sea
3. Katalogtjenesten 6 vedlegg Vedl 2 Strategi og verkt y for etablere en hvite siders katalogtjeneste i UNINETT September 1991 Arbeidet med etablere en katalogtjeneste i UNINETT er kommet godt i gang Pr september 1991 har over 35 organisasjoner registrert seg i katalogen og gitt egne brukere tilgang til katalogtjenesten Ca 900 personer har selv registrert egeninformasjon i katalogen Totalt finnes det informasjon om ca 6500 personer i den norske delen av katalogen Internasjonalt er ca 350 000 personer registrert UNINETTs langsiktige m lsetting er at den elektroniske katalogen skal v re tilgjengelig for alle brukere av datamaskiner tilknyttet UNINETTet samt at informasjon om de fleste personer tilknyttet UNINETTs medlemsorganisasjoner skal v re tilgjengelig i katalogen UNINETT har utarbeidet en to faset strategi for n denne m lsettingen Fasene referer seg til hvordan hver enkelt UNINETT medlemsorganisasjon forholder seg til katalogtjenesten og presenteres her med vekt p de elementer som direkte relaterer seg til medlems organisasjonene Strategien representerer en anbefaling til medlemsorganisasjonene og danner utgangspunktet for det arbeidet UNINETT gj r for st tte medlemsorganisasjonene som tar i bruk katalogen De fleste organisasjonene vil starte i fase 1 for s etter noe tid g over i neste fase men avhengig den enkelte organisasjons utgansgspunkt vil det kunne v re aktuellt starte direkte p f
4. I Directory in short the Directory has originally started from the telecommunications users needs to find out how a person can be reached via telephone telefax electronic mail etc The OSI directory service as defined today has a more gener al applicability It can hold information not only about individuals but also about OSI applications such as the presentation addresses of application entities Other uses of the Directory include support for MHS routing and distribution lists yellow page servic es and wide area authentication This paper gives an overview of the OSI directory system drawing examples from the QUIPU Kil88 implementation that is part of the ISODE Ros89 package The text is based on the Draft International Standard ISO88a h the IS version although ap proved is not available yet and has been influenced by the earlier tutorials Hui88 Lun88 and Kil89 We start by viewing the Directory as a distributed database Next we describe how the directory is organized in the form of a Directory Information Tree DIT and how informa tion about objects is stored in its entries Then we discuss the services the directory provides to its users Finally we cover some topics that are left as future work for the next revision of the directory standard 2 The Directory as a Distributed Database In OSI terms the Directory is a collection of open systems that cooperatively hold infor mation about a set of real world
5. TT kunne f tilgang til interaktive katalog brukersnitt som ledd i lokal kompetanse oppbygging om katalogtjenesten Organisasjoner som befinner seg i fase 2 gir sine lokale brukere tilgang til interaktive brukersnitt mot katalogen og etterhvert ogs interaktive brukersnitt integrert i applikasjoner som f eks elektronisk post For organisasjoner i fase 2 vil informasjon om de fleste personer tilknyttet organisasjonen v re tilgjengelig i katalogen Organisasasjoner i fase 2 driver sin egen Directory Service Agent DSA ref vedlegg 1 Heinanen 89 som holder EEE EE S E Strategi og verkt y for etablere en hvite siders katalogtjeneste i UNINETT Side 1 lokal informasjon og behandler katalogoperasjoner fra lokale brukere Dette vil v re n dvendig pga den kte belastning og nske om lav responstid som interaktive brukersnitt gjerne bringer med seg Organisasjoner som befinner seg i fase 2 vil ofte etablere rutiner som s rger for at info rmasjon om alle personer tilknyttet organisasjonen befinner seg i katalogen Dette da til passet lokale forhold og relatert til de krav Lov om personregistre setter Ref vedlegg 4 For st rre organisasjoner vil slike rutiner ofte hente data fra en kombinasjon av personal database telefonregister og datamaskin brukerregister P sikt kan man tenke seg at katalogtjenesten erstatter eksisterende trykte organisasjons interne telefonkataloger for org anisasjoner i fase 2 Programvare UNINETTs kata
6. UNINETT Katalogtjenesten c o Universitetet i Oslo USIT Postboks 1059 Blindern 0316 Oslo E Post Directory ADM UNINETT NO Velkommen som brukerorganisasjon av katalogtjenesten i UNINETT UNINETT har mottatt registreringsskjema for registrering av organisasjonen deres i den elektroniske katalogen Informasjonen fra det insendte regis treringsskjemaet er n lagt inn i katalogen og dere er velkommen til ta katalogtjenesten i bruk og annonsere den ovenfor egne brukere Som vedlegg til dette brevet f lger en del informasjon vi h per vil v re nyttig for dere n r dere n skal ta i bruk den elektroniske katalogtjenesten e En kopi av en artikkel som gir en introduksjon til grunnleggende aspekter ved katalog tjenesten Juha Hein nen Introduction to the OSI Directory NORDUNET 1989 Man kan ogs finne en introduksjon til katalogtjenesten i kapittel 3 i den vedlagte manualen for QUIPU Et dokument som g r gjennom UNINETTs strategi for etablere en hvite siders katalogtjeneste tar opp ulike m ter ta i bruk katalogtjenesten p og gir informasjon om tilgjengelig programvare for gi brukerene tilgang til katalogtjenesten i dag e Et dokument som tar opp annonsering og promosjon av katalogtjenesten ovenfor lokale brukere En rapport som tar opp personvernmessige aspekter ved katalogtjenesten Dette er i f rste rekke aktuellt for organisasjoner som registrerer personer i katalogen ut fra andre registre f eks person
7. University of Technology ou Software Systems Laborato ry cn Matti Virtanen objectclass organizationalperson At this point the DUA invokes an editor on a draft entry of the specified object class Af ter the user has filled the entry and exited the editor the entry it added to the DIT Remove Entry Allows removing a leaf entry from the DIT Example Removing a leaf entry Dish gt delete c FiI o Tampere University of Technology ou Software Systems Labora tory cn Matti Virtanen Modify Entry Modifies existing entries in the DIT The sequence of changes may in Clude addition removal and replacement of attributes or attribute values of a particular entry Modify Entry is atomic in that if any of the changes fails then the whole operation will fail Example Modifying an entry Dish gt modify c Fl o Tampere University of Technology ou Software Systems Labora tory cn Maija Meikalainen The DUA again invokes an editor on the specified entry The actual modification takes place after the user has made his her changes and exited the editor Modify Relative Distinguished Name Modifies the RDN of a leaf entry Example Modifying a RDN Dish gt modifyrdn c Fl o Tampere University of Technology ou Software Systems Lab oratory cn Maija Meikalainen name cn Maija Liisa Meikalainen Note that in current version of the Directory service it is only possible to add or remove object entries that remain as leaves eg entri
8. alregister I tillegg finnes vedlagt et eksemplar av en manual for QUIPU en mye brukt implementasjon av katalogtjenesten og en statusrapport fra PARADISE et prosjekt for etablere en europeisk pilot katalogtjeneste UNINETT deltar aktivt i dette prosjektet Rapporten er fra mai og dessverre ikke lenger fullt oppdatert Katalogtjenesten er basert p internasjonale standarder utarbeidet av ISO og CCITT ISO benevner katalog standardene IS9594 7 mens de tilsvarende standardene fra CCITT g r under betegnelsen X 500 Katalogtjenesten inneholder i dag i f rste rekke informasjon om personer og organiasjoner 1 International Standardisation Organisation 2 International Telegraph and Telephone Consultative Commitee Dette kalles popul rt katalogens hvite sider og er en del av katalogtjenesten man for tiden satser bredt internasjonalt p for bygge opp For personer i din organiasjon er denne delen av katalogtjenesten et verkt y for enkelt finne elektroniske postadresser telefonnummer fax telefonnummer postadresser etc for personer tilknyttet andre organisasjoner i inn og utland samt tilsvarende for personer i egen organiasjon En rekke grupperinger deriblant UNINETT arbeider ogs for unders ke katalogens potensialer for holde andre typer informasjon f eks om databaser og andre ressurser tilgjengelig over datanett For tiden er det h y aktivitet i en rekke europeiske land Nord amerika og Australia fo
9. ase 2 Fase I gir alle UNINETT medlemsorganisasjoner mulighet til i dag gi brukere av elek tronisk post tilgang til katalogtjenesten uten at dette krever lokal kompetanse om katalogtjenesten Brukere ved organisasjoner som befinner seg i fase 1 vil ha mulighet til sl opp informasjon og registere egeninformasjon i den globale katalogen Disse tjenestene er realisert ved en sentral mailresponder drevet av UNINETT Brukerene vil enten selv generere elektroniske postmeldinger med foresp rsler til denne responderen eller benytte et program som gj r dette Denne tjenesten g r under navnet UNINETT MHS Katalogtjenesten En UNINETT medlemsorganisasjon som befinner seg i fase 1 har registrert basal organisa torisk informasjon i katalogen Dette skjer ved fylle inn et registreringsskjema som over sendes UNINETT Registreringsskjemaet kan f es ved henvendelse til UNINETT gjerne ved hjelp av elektronisk post til Directory ADMGUNINETT NO Etter denne registreringen er fore tatt kan organisasjonen gj re katalogen tilgjengelig for lokale brukere som beskrevet oven for Informasjon som registreres i katalogen av personer ved organisasjoner som befinner seg i fase 1 lagres av UNINETT Dette samt den omtalt mail responderen er med gj re terskelen for gj re katalogtjenesten tilgjengelig i en organisasjon sv rt lav N kkelpersoner for drift og brukerst tte ved organisasjoner som befinner seg i fase 1 vil ved henvendelse til UNI NE
10. ch also knows the presentation address of the Jaguar DSA Stronger authentication schemes have also been defined but not usually implemented yet that are based upon public key cryptography They allow each request to contain a digital signature of the requestor together with information to assist the correct party to verify it See ISO88h for a detailed description of the Directory authentication frame work When the DUA has done with its requests it closes the association with the DSA by is suing an Unbind operation Unbind has no parameters After an association to a Directory access point is established the Directory may be ac cessed by nine different operations Five of them read compare list search and abandon deal with directory interrogation Read Allows reading information from a particular named entry in the DIB Either all or a selected set of attributes of that entry is returned Example Reading entries and attributes from the Directory Dish gt showentry c Fl o Tampere University of Technology telephoneNumber 358 31 162111 postalCode SF 33101 organizationName TUT amp TTKK amp Tampereen teknillinen korkeakoulu amp Tampere Univer sity of Technology StreetAddress PO Box 527 localityName Tampere Dish gt showentry c Fi o Tampere University of Technology ou Software Systems Lab oratory cn Juha Heinanen type rfc822Mailbox telephoneNumber rfc822Mailbox jh tut fi telephoneNumber
11. ed Applications North Holland Publishing October 1988 K1189 Kalle S E et al Proposal for Co ordination of a RARE OSI Directory Project Department of Computer Science University College London 1989 Lun88 Lundberg Johan Introduction till Directory Systems X 500 TeleDelta Report M 88 029 1988 Ros89 Rose M T The ISO Development Environment User s Manual version 5 0 March 1989 12
12. er navnet QUIPU For forenkle installasjon av denne delen av ISODE har UNINETTs katalogprosjekt utviklet en bin r distribusjon av QUIPU Denne er rettet mot organisasjoner som er p vei inn i fase 2 Bin r distribusjonen inkluderer en X 500 DSA noen interaktive brukersnitt for katalogen og et verkt y for automatisert overv kning drift av DSAen Programvaren vil kunne kj re p de fleste Unix maskiner Installasjon av bin rdistribusjonen betinger f eller ingen forkunskaper om katalogtjenesten eller ISODE For informasjon om hvordan man kan f tilgang til denne bin rdistribusjonen kan man henvende seg til katalogprosjektet gjerne vha elektronisk post til Directory ADM UNINETT NO Hein nen 89 Juha Hein nen Introduction to the OSI Directory NORDUNETS89 Strategi og verkt y for etablere en hvite siders katalogtjeneste i UNINETT Side 3 Introduction to the OSI Directory Juha Hein nen Software Systems Laboratory Tampere University of Technology P O Box 527 SF 33101 Tampere Finland JHO tut fi Abstract The OSI Directory will have an important role in supporting various OSI applications such as electronic mail and file transfer as well as providing ordinary white page yellow page ser vices This paper gives an introduction to the OSI Directory as defined in the Draft International Standard Examples from the QUIPU implementation of the Directory are used to illustrate the concepts I Introduction The work on the OS
13. es for persons So it is not possible to con struct the DIT from scratch by using the Add Entry operation or totally remove it by using the Remove Entry operation 10 5 Future Work The current directory standard leaves many areas beyond its Scope as a local matter or topics for future extensions Among the most important such issues are access and alias control schema and DIT management as well as use of descriptive names The standard covers extensively user identification via various authentication mecha nisms but doesn t define how to control users access to data Such facility is however essential for any real directory implementation The QUIPU directory handles access control by associating an Access Control List ACL attribute for each directory entry The ACL specifies what nights e g none de tect compare read and write each DU e g owner of the entry member of a group and others has over the attributes of the entry For example an entry containing a user Password attribute should at the very least have the following ACL acl others compare attributes userPassword amp self write attributes userPass word It gives the owner of the entry the right to modify the userPassword attribute value and others only the right to compare it The current standard allows creating alias entries that should refer to object entries The Directory doesn t however guarantee the integrity of alias entries f
14. har tilgang til en Unix maskin vil det kunne v re aktuellt selv utforme elektroniske postmeldinger med foresp rsler til MHS Katalogtjenestens mailresponder Dette er imidlertid ikke anbefalt Dersom man likevel skulle nske benytte denne muligheten kan man f tilstendt dokumentasjon av meldingsformatet ved sende en elektronisk postmelding til Directory UNINETT NO med ordet HJELP i meldingens Subject felt 3 Vi tar likevel her med informasjon om hvordan man konfigurerer EAN til benytte UNINETTs MHS Katalogtjeneste Det finnes to varianter en for VAX VMS og en for Unix Felles for dem begge er at en bestemt fil skal inneholde teksten C no PRMD uninett O uninett S directory For VAX VMS er dette filen EANROOT lt SYS UA gt NAMEINFO mens det for Unix er filen usr spool ean sys ua nameinfo Strategi og verkt y for etablere en hvite siders katalogtjeneste i UNINETT Side 2 The ISO Development Environment ISODE er en fritt tilgjengelig implementasjon av OSI protokoll stakken samt en rekke OSI applikasjoner X 500 FTAM VT og X 400 Denne pakken danner det tekniske grunnlaget for mye av katalog aktivitetene i UNINETT Denne pakken vil kunne v re av interesse for noen organisasjoner Den er utf rlig dokumentert gjennom et fem binds manualsett I skrivende stund er gjeldende version av ISODE 7 0 Denne kan hentes ved hjelp av anonym ftp fra nac no i katalogen pub isode X 500 implementasjonen del av ISODE g r und
15. logprosjekt distribuerer flere programvarepakker for st tte organisasjoner som arbeider for gj re katalogtjenesten tilgjengelig Vi gir her en rask presentasjon av tre aktuelle pakker med informasjon om hvilke grupper de er tiltenkt samt hvordan man kan f tilgang p dem Alle distribueres med utf rlig dokumentasjon Brukere kan f tilgang til UNINETTs MHS Katalogtjeneste p tre forskjellige m ter ved bruk av EAN bruk av directory programmet eller ved selv utforme elektroniske postmeldinger til tjenestens mailresponder Alle organisasjoner som har installert EAN vil ha konfigurert denne slik at katalog foresp rsler generert vha FIND INSTALL REGISTER og DROP kommandoene sendes til MHS Katalogtjenestens mailresponder gt Directory programmet er et Unix program som ved hjelp av et linjeorientert brukersnitt lar brukere p en enkel m te gj re foresp rsler til MHS Katalogtjenestens mail responder Brukerene kan benytte dette programmet til legge inn egen informasjon i katalogen og til sl opp informasjon i katalogen Svar p foresp rsler returneres sp rrer som en vanlig elektronisk postmelding UNINETT oppforderer alle sine medlemsorganisasjoner til gj re dette programmet tilgjengelig for alle brukere av Unix maskiner Directory programmet kan hentes ved hjelp av anonym ftp fra maskinen nac no Distribusjonen av programmet ligger som filen pub isode directory tar Z For brukere som ikke benytter EAN og som ikke
16. ly and unambiguously The DN of an entry is a sequence of Relative Distinguished Names RDNs of entries on the path in the DIT from the root to the named entry The RDN of an entry in turn consists of a set of designated values so called distinguished values of some of its attributes Figure 7 shows an example of naming entries in the DIT In order for a DN to uniquely identify an object the RDNs of all entries below each imme diate superior entry have to be distinct Usually a single distinguished value eg the Common Name of a person suffices to make the RDNs distinct If this is not the case additional distinguished values eg Organizational Unit Name of a person may be em ployed It is the responsibility of the naming authority of each non leaf entry to ensure the uniqueness of RDNs by appropriately assigning distinguished attribute values The rela tionship of the naming authorities is reflected by the hierarchical structure of the DIT The responsibility is passed down the tree from superior to subordinate authorities eg from the National Naming Authority to Organizational Naming Authorities C FI O FUNET es e OU TUT PEOPLE ae ee OQU TUT CN Kaittola CN Kaittola Figure 7 A Naming Example In addition to its object entry an object may have one or more so called alias entries Alias entries of an object point to its object entry and provide a means for referring the object using alter
17. native names For example an organization object with RDN Tampere University of Technology might have an alias entry with RDN TUT commonName TUT aliasedObjectName c Fl o Tampere University of Technology The DIB is kept well formed by enforcing a set of rules called the Directory Schema The Directory Schema resembles database schemas and its purpose is to capture the time in dependent properties of the DIB More precisely the Directory Schema comprises a set of e DIT Structure Rules that define 1 the permitted hierarchical relationship be tween entries e g an organization may be subordinate to a country but not vise versa and 2 their permitted RDNs If a rule for an entry allows immediate sub ordinates of a particular class it also allows subordinates belonging to any subclass of that class In QUIPU the DIT structure is defined using a multivalued attribute called treeStructure The treeStructure attribute of an organization entry might look like treeStructure organizationalUnit amp applicationProcess amp dSA amp applicationEntity telling that entries of the listed object classes are permitted as immediate subor dinates of an organization entry e Object Class Definitions that 1 may assign an object identifier for an object class 2 define which classes are superclasses of the object class e g an internetPerson might be a subclass of person and 3 specify which are the mandatory and opti
18. objects An object can be anything that can be named in some world but usually the world is restricted to that of telecommunications and informa tion processing areas Examples of typical directory objects include countries organizations persons computer systems and application processes such as the FTAM process The set of information managed by the Directory is called the Directory Information Base DIB The Directory User DU is an entity or person which accesses the Directory In more concrete terms the Directory can be thought of a distributed database to which the DU is given remote access using OSI provided means The database is specialized and it doesn t have to be able to cope with all the problems usually associated with database distribution For example the database is structured in a hierarchical manner it assumed that the frequency of queries is considerably higher than that of up dates and e there is no need for instantaneous global commitment for updates The Directory can also be viewed as an abstract object which provides a number of ser vices for the DU The DU doesn t access the Directory directly but by the use of a Directory User Agent DUA Figure 1 The Directory provides one or more access points at which such accesses can take place The DUA itself is a normal application pro cess which may support different user interface styles The examples in this paper use a line oriented DUA called Dish
19. onal attributes in an entry of that class eg a telephoneNumber may appear in a person s entry but a serialNumber may not Attribute Type Definitions that 1 identify the object identifier and 2 syntax of an attribute as well as 3 tell whether the attribute can have multiple values For example an organizationName attribute type is defined to be multivalued and of syntax caseIgnoreStringSyntax e Attribute Syntax Definitions that 1 may assign an object identifier to an at tribute syntax 2 define for each attribute syntax the underlying ASN 1 data type e g caselgnoreStringSyntax is either a T61String or PrintableString and 3 specify matching rules for comparing a given value with a value in the DIB e g caselgnoreString is matched for equality and substrings The relationship between the schema definitions and the DIT elements is summarized in Figure 8 Definitions DIT Elements DIT Structure ET DIT uses rules for l Object Class Entries uses rules for Attribute Type Attributes uses rules for Attribute Syntax Values Figure 8 Overview of the Directory Schema The Directory Schema is distributed like the DIB itself Itis the task of each Administra tive Authority to establish the schema for those portions of the DIB that it administers Current version of the Directory standard doesn t support any automatic means to dis tribute schema information across different DSA
20. or example in case the aliased object entry is removed As the result the alias entry may point to a nonex isting or wrong object entry Any DSA owner may create new object classes and attribute types specific to his her di rectory applications and register them with a naming authority Currently there is however no automatic way to distribute knowledge about such local additions among DSAs So remote DUAs may not be aware of the structure of the locally defined entries or the syntax of the locally defined attribute values As explained in Section 2 the Directory is a distributed data base where each DSA rep resents some portion of the DIB If a DSA can t process a query by itself it must somehow know to which DSA it should chain or refer the request The standard doesn t specify how the knowledge about these external DSAs is stored in a DSA or distributed among participating DSAs Many directory operations have DNs as arguments Since the RDNs forming a DN have to be unique at each branch of the DIT they tend to be long and cumbersome to use The RDN requirement should be relaxed in most operations so that any of the possible multi ple values of the RDN attributes could be used in the request For example to search the telephone number of every Virtanen at the Software Systems Laboratory of the Tam pere University of Technology one should be able to type Dish gt search object c Fi o TUT ou SSL filter surname Virtanen type
21. r etablere en velfungerende hvite siders katalogtjeneste Mye av arbeidet innen dette omr det i Nord amerika skjer innenfor Internet TCP IP milj et hvor katalogtjenesten ses p som en viktig komponent for videre utvikling av Internettet Den kanskje viktigste m lsettingen for det p g ende internasjonale koordineringsarbeidet rundt katalogtjenesten er s rge for at vi globalt kun f r en katalog Katalogtjenesten er et viktig satsningsomr de for UNINETT av flere grunner P kort sikt i f rste rekke fordi den representerer en sterkt etterspurt tjeneste som vil v re med forenkle kommunikasjon for personer tilknyttet UNINETTs medlemsorganisasjoner P lengre sikt ser vi at katalogen vil spille en viktig rolle i arbeidet med gj re nye avanserte tjenester tilgjengelig over datanett Dette vil f eks kunne v re tilgang til informasjons orienterte tjenester og andre spesialiserte ressurser og mulighet for autentifikasjon mellom kommuniserende enheter f eks basert p Public Key RSA som spesifisert i X 509 Vi h per ogs dere vil finne katalogtjenesten en nyttig tjeneste og gjennom gj re den tilgjengelig for lokale datamaskinbrukere v re med bringe utviklingen av katalogtjenesten videre Dersom dere har sp rsm l eller kommentarer er dere velkommen til ta kontakt med oss gjerne vha elektronisk post til directory ADM UNINETT NO Vennlig hilsen JULA MEIR L Turusoft 0 LEK Geir Pedersen Prosjektleder UNINETT
22. rch object c NO o University of Oslo subtree filter sumame pedersen amp cn g ou Institutt for Informatikk cn Geir Pedersen ou Institutt for Informatikk cn Geir Kenneth Pedersen ou Institutt for Informatikk cn Gisli O Petursson ou nstitutt for Informatikk cn Geir Foss Pedersen Dish gt search object c NO o University of Oslo ou institutt for Informatikk filter username geir type ric822mailbox cn Geir Pedersen rfc822Mailbox geirpBifi uio no cn Geir Hardt ric822Mailbox geirh ifi uio no cn Geir Ove Bjoerkedal ric822Mailbox geirove ifi uio no cn Geir Ivar Thorud rc822Mailbox geint ifi uio no Option subtree indicates that all subtrees of the DIT below the object are searched Filter predicate means approximate match and is a wild card Abandon Applies to an outstanding interrogation and informs the Directory that the re quest can be cancelled The directory may then cease processing the request and discard any results so far achieved Abandon has not been implemented in the current version of QUIPU DAP The remaining four directory operations Add Entry Remove Entry Modify Entry and Modify Relative Distinguished Name are available for adding and removing entries modifying the attributes of an entry and changing the distinguished name of an entry Add Entry Causes a new leaf entry to be added to the DIT Example Adding an entry for a person Dish gt add c Fi o Tampere
23. s 4 Directory Services Referring back to Section 2 the Directory can be viewed as an abstract object that pro vides services to its users in response to requests from DUAs The requests allow interrogation and modifying the Directory The Directory gives a response to each request by reporting an outcome Besides normal outcomes that are specific to each request there are abnormal outcomes that are common to several requests Abnormal outcomes may be errors due to problems with user sup plied parameters violations of security policy schema rules etc A request may also fail because of a referral to another DSA Before a DUA can start issuing requests to a DSA the DUA must set up an association with a Directory access point using a Bind operation Bind has arguments for user au thentication and for selecting a common version of the Directory implementation In its simplest form the authentication parameters consist of the DN of the user and optionally a password that is matched against the userPassword attribute in the user s directory entry The Directory will then either confirm or deny its service without requir ing further authentication for subsequent requests Example Binding a user to a DSA called Jaguar Dish gt bind user c Fl o Tampere University of Technology ou Software Systems Labo ratory cn Juha Heinanen password secret call Jaguar The version information is supplied automatically by the Dish program whi
24. sed in the next section This hierarchy assigns each DSA except the ones just below the top one superior DSA and zero or more subordinate DSAs In order to improve response time and to solve the missing top problem a DSA can also maintain direct cross references to other DSAs 3 Structure of Directory Information As explained above the DIB holds information of real world objects Each such object is represented in the DIB as an object entry An object entry is structured into a number of attributes each with a type and one or more values Figure 6 The types of attributes that must and may be present in an entry are specified by the class of the object PE Attribute Values Figure 6 Structure of an Object Entry For example a person entry of object class internetPerson might have an entry consist ing of the following attributes only the first two being obligatory commonName Juha Heinanen surname Heinanen roomNumber SL408 telephoneNumber 358 31 162578 amp 358 31 162111 ric822Mailbox jhOtut fi userid jh userPassword secret In order to manage a possibly large DIB the object entries are arranged hierarchically as vertices of a tree called the Directory Information Tree DIT Entries close to the root of the tree usually represent countries or organizations and the leaf entries persons or appli Cation processes Every entry in the DIT has a Distinguished Name DN which identifies it unique
25. telephoneNum ber instead of the full form 1 Dish gt search object c Fi o Tampere University of Technology ou Software Systems Laboratory filter surname Virtanen type telephoneNumber Other useful extensions could include shadowing of cached entries maintaining a position in the DIT and distributing attributes of entries among several DSAs The latter capabil ity might be used for example to store telephone numbers in separate DSAs operated by telephone companies References Hui88 Huitema C The X 500 Directory Services Computer Networks and ISDN Systems 16 1988 1989 161 166 IS088a ISO The Directory Part 1 Overview of Concepts Models and Services ISO DIS 9594 1 1988 ISO88b ISO The Directory Part 2 Information Framework ISO DIS 9594 2 1988 ISO88c ISO The Directory Part 3 Access and System Services Definition ISO DIS 9594 3 1988 ISO88d ISO The Directory Part 4 Procedures for Distributed Operation ISO DIS 9594 4 1988 ISO88e ISO The Directory Part 5 Access and System Protocols Specification ISO DIS 9594 5 1988 ISO88f ISO The Directory Part 6 Selected Attribute Types ISO DIS 9594 6 1988 ISO88g ISO The Directory Part 7 Selected Object Classes ISO DIS 9594 7 1988 ISO88h ISO The Directory Part 1 Authentication Framework ISO DIS 9594 8 1988 Ki188 Kile S E The QUIPU directory service Proc IFIP WG 6 5 Conference on Message Handling Systems and Distribut
26. volve several DSAs if the request references a part of the DIB not contained in the DSA that originally received the request In such a case there exists three basic strategies on how the request will be processed e Chaining The DSA passes the request to another DSA which again can forward it to another DSA etc The responses return along the reverse path and finally the initial DSA returns the answer to the DUA Figure 3 The DUA can ask the DSA not to do chaining and or restrict the scope or time taken for the operation result Figure 3 Chaining Operation Referral The DSA determines which DSAs should be more able to process the request and returns the names and addresses of those DSAs back to the DUA or in case of chaining back to the DSA Figure 4 The DUA or DSA may either inform its client about the result or automatically redirect the operation on to an other DSA DSA B Figure 4 Referral Operation e Multicasting The DSA sends the same request in parallel or sequentially to mul tiple other DSAs in order to resolve it Figure 5 The results are then combined and returned to the requestor Multicasting is normally used only when the DSA for some reason doesn t have a complete knowledge of which DSAs hold which parts of the DIB result result request Figure 5 Multicasting Operation The knowledge about other DSAs is normally provided by the strict hierarchical structure of the DIB as discus

UNINtrTT

Contents

Download Pdf Manuals

Related Search

Related Contents