DEC X.500 Directory Service Management

  CONTENTS

  Title Page

  Copyright Page

  Preface

  Part I    Introduction

  1      Directory Information and Directory Services

  1.1     Directory Information
    1.1.1      Entries
      1.1.1.1      Attributes
    1.1.2      Entry Names
      1.1.2.1      Distinguished Names
      1.1.2.2      Alias Names
    1.1.3      Classes
      1.1.3.1      Mandatory Attributes
      1.1.3.2      Optional Attributes
      1.1.3.3      Name Forms
      1.1.3.4      Structure Rules

  1.2     Directory Services
    1.2.1      The Schema
    1.2.2      Distributing Directory Information
    1.2.3      Replicating Directory Information
    1.2.4      Distributing Requests for Information
    1.2.5      Controlling Access to Directory Entries
    1.2.6      Accounting for Directory Service Use

  1.3     Managing the DEC X.500 Directory Service Product
    1.3.1      Managing Directory Information
    1.3.2      Managing the Directory Service

  2      Single Node X.500 Implementation Tutorial

  2.1     Install the Product

  2.2     Configure the DSA

  2.3     Configure Application Defaults

  2.4     Create Some Directory Entries

  2.5     Experiment with the Example Directory Service

  2.6     Destroy the Example Directory Service

  3      Multi-Node X.500 Implementation Tutorial

  3.1     The Characteristics of the Example Directory Service

  3.2     Install the Product
    3.2.1      Optionally Install the InfoBroker Server on DEC OSF/1 Systems

  3.3     Configure CN=DSA1
    3.3.1      Notes About the Configuration of CN=DSA1

  3.4     Configure CN=DSA2
    3.4.1      Notes About the Configuration of CN=DSA2

  3.5     Configure Application Defaults on Both Systems

  3.6     Create Some Entries

  3.7     Summary of the Tasks Completed So Far

  3.8     Setting Up Access Controls

  3.9     Replicating Information Between the Two DSAs

  3.10    Experimenting with the Example Directory Service

  3.11    Starting the InfoBroker Server

  3.12    Deleting the Example Directory Service

  Part II    Planning

  4      Planning Your Directory Information Tree

  4.1     DIT Planning Considerations
    4.1.1      Representing Hierarchical Details as Attributes of an Entry

  4.2     Choosing Classes to Represent Objects

  4.3     Positioning Your Directory Information Tree into a Global Context

  4.4     Naming Your Entries
    4.4.1      Resolving Naming Clashes

  4.5     Planning Entries to Represent DSAs
    4.5.1      Recommended Position of DSA Entries in Your DIT
    4.5.2      Attributes of DSA Entries

  5      Planning DSAs to Hold Your Directory Information Tree

  5.1     Dividing Your Directory Information Tree into Naming Contexts
    5.1.1      Implementing Your DIT as One Naming Context
    5.1.2      Implementing Your DIT as Several Naming Contexts
    5.1.3      Assigning Names to Naming Contexts
    5.1.4      Distributing Naming Contexts
    5.1.5      Replicating Naming Contexts

  5.2     Planning DSA Configuration Information
    5.2.1      DSA AE Titles and Passwords
    5.2.2      DSA Presentation Addresses
      5.2.2.1      CLNS Addresses
      5.2.2.2      CONS Addresses
      5.2.2.3      RFC1006 Addresses
      5.2.2.4      Specifying a Combination of Network Addresses
    5.2.3      Naming Context Entities
      5.2.3.1      Planning Primary and Secondary Consumer Information
    5.2.4      Subordinate Reference Entities
    5.2.5      Superior Reference Entities
      5.2.5.1      Using the Worksheets

  6      Customizing the Schema

  6.1     Schema Text Files

  6.2     Compiling the Schema

  6.3     Assigning Object Identifiers to New Definitions

  6.4     Planning to Customize the Schema

  6.5     Planning an Auxiliary Class
    6.5.1      Defining an Auxiliary Class
    6.5.2      DXIM Restrictions on the Use of Auxiliary Classes
    6.5.3      Defining Attributes
    6.5.4      Planning to Index Attribute Values
      6.5.4.1      The Purpose of Indexes
      6.5.4.2      Making a DSA Index a Given Attribute's Values
      6.5.4.3      Notes About Indexing Attribute Values

  6.6     Defining a Label

  6.7     Planning a Structural Class
    6.7.1      Defining a Structural Class
    6.7.2      Defining Name Forms
    6.7.3      Defining Structure Rules
      6.7.3.1      Structure Rules for Entries Immediately Beneath the Root
      6.7.3.2      Structure Rules for Entries Beneath Other Entries
      6.7.3.3      Assigning Structure Rule Identifiers
      6.7.3.4      Structure Rule Definitions:  An Example
    6.7.4      Defining Window Definitions

  6.8     Planning Alias Classes

  6.9     Defining Search Filters and Filter Fields for the Windows Utility
    6.9.1      Search Filter Definitions
      6.9.1.1      Customizing Search Filter Definitions
    6.9.2      Filter Field Definitions
      6.9.2.1      Customizing Filter Field Definitions

  7      Controlling Access to Your Directory Information and Services

  7.1     The Default Access Control

  7.2     The Access Control Template File

  7.3     Planning the Name of the Access Control Subentry

  7.4     What the Access Control Template File Does

  7.5     Customizing Access Controls
    7.5.1      Access Controls Required for Normal Operation of the Directory Service
    7.5.2      Access Controls Required by Directory Information Managers
    7.5.3      The Composition of Access Control Definitions
      7.5.3.1      Specifying What Users an ACIitem Applies To
      7.5.3.2      Specifying What Information an ACIitem Applies To
      7.5.3.3      Specifying What Types of Request an ACIitem Applies To
    7.5.4      How ACIitems are Ranked According to Precedence and Specificity

  7.6     Access Control Scope and Inheritance

  7.7     Alternative Method of Controlling Access to DSAs
    7.7.1      Alternative Method of Configuring DSA Trust
    7.7.2      Alternative Method of Configuring User Security

  Part III    Set Up

  8      Configuring DSAs

  8.1     Notes on Configuring a DSA
    8.1.1      Entities Must Be Configured in Order of Superiority
    8.1.2      Configuring Entities of Different Types with the Same Name
    8.1.3      Configuring a DSA that Already Holds Information
    8.1.4      Configuring a DSA Remotely
    8.1.5      DSA Configuration Details are Permanent
    8.1.6      NCL Command Line Help is Available Online

  8.2     Creating DSAs
    8.2.1      Setting DSA AE Titles
    8.2.2      Setting DSA Presentation Addresses
    8.2.3      Setting DSA Passwords
    8.2.4      Setting DSA Volatile Modifications

  8.3     Creating a Naming Context Entity

  8.4     Creating a Subordinate Reference Entity

  8.5     Creating a Superior Reference Entity

  8.6     Enabling DSAs

  8.7     Summary of Configuration
    8.7.1      Examples of Configuring DSAs

  8.8     Implementing Replication
    8.8.1      Notes About Shadowing Agreements
    8.8.2      Terminating Replication Agreements

  8.9     Disabling DSAs

  8.10    Deleting DSAs

  8.11    Starting the DSA as Part of OpenVMS System Startup

  9      Configuring and Running Directory Applications

  9.1     Using the DUA Configuration Utility

  9.2     System-wide Defaults

  9.3     User Defaults

  9.4     Configuring DXIM to Use Another Vendor's DSA

  9.5     DXIM Command Line Initialization Files

  9.6     Running DXIM

  9.7     Running InfoBroker Server

  10     Creating Directory Entries

  10.1    Using a Script File to Populate a Naming Context

  10.2    Creating Entries Interactively

  11     Using the Access Control Template File

  A   Default Schema Definitions

  A.1     Object Classes
    A.1.1      accessControlSubentry
    A.1.2      alias
    A.1.3      applicationEntity
    A.1.4      applicationEntityAlias
    A.1.5      applicationProcess
    A.1.6      applicationProcessAlias
    A.1.7      country
    A.1.8      countryAlias
    A.1.9      decDSA
    A.1.10     decDSAAlias
    A.1.11     device
    A.1.12     deviceAlias
    A.1.13     dSA
    A.1.14     dSAAlias
    A.1.15     groupOfNames
    A.1.16     groupOfNamesAlias
    A.1.17     locality
    A.1.18     localityAlias
    A.1.19     mhs-user
    A.1.20     organization
    A.1.21     organizationAlias
    A.1.22     organizationalPerson
    A.1.23     organizationalPersonAlias
    A.1.24     organizationalRole
    A.1.25     organizationalRoleAlias
    A.1.26     organizationalUnit
    A.1.27     organizationalUnitAlias
    A.1.28     person
    A.1.29     residentialPerson
    A.1.30     residentialPersonAlias
    A.1.31     subentry
    A.1.32     top

  A.2     Structure Rules Quick Reference

  A.3     Attributes
    A.3.1      administrativeRole
    A.3.2      aliasedObjectName
    A.3.3      businessCategory
    A.3.4      commonName
    A.3.5      consumerKnowledge
    A.3.6      countryName
    A.3.7      createTimeStamp
    A.3.8      description
    A.3.9      destinationIndicator
    A.3.10     dseType
    A.3.11     dxdUid
    A.3.12     facsimileTelephoneNumber
    A.3.13     generationalQualifier
    A.3.14     givenName
    A.3.15     governingStructureRule
    A.3.16     initials
    A.3.17     internationalISDNNumber
    A.3.18     knowledgeInformation
    A.3.19     lastUpdateReceived
    A.3.20     localityName
    A.3.21     member
    A.3.22     mhs-or-address
    A.3.23     modifyTimeStamp
    A.3.24     myAccessPoint
    A.3.25     objectClass
    A.3.26     organizationName
    A.3.27     organizationalUnitName
    A.3.28     owner
    A.3.29     physicalDeliveryOfficeName
    A.3.30     postalAddress
    A.3.31     postalCode
    A.3.32     postOfficeBox
    A.3.33     preferredDeliveryMethod
    A.3.34     prescriptiveACI
    A.3.35     presentationAddress
      A.3.35.1     Further Syntax Details
        A.3.35.1.1     Examples
    A.3.36     protocolInformation
    A.3.37     registeredAddress
    A.3.38     roleOccupant
    A.3.39     searchGuide
    A.3.40     seeAlso
    A.3.41     serialNumber
    A.3.42     specificKnowledge
    A.3.43     stateOrProvinceName
    A.3.44     streetAddress
    A.3.45     subordinateDeletedTimeStamp
    A.3.46     superiorKnowledge
    A.3.47     supplierKnowledge
    A.3.48     supportedApplicationContext
    A.3.49     surname
    A.3.50     trustedDSAName
    A.3.51     telephoneNumber
    A.3.52     teletexTerminalIdentifier
    A.3.53     telexNumber
    A.3.54     title
    A.3.55     userPassword
    A.3.56     x121Address

  A.4     Syntaxes
    A.4.1      aciSyntax
    A.4.2      bitStringSyntax
    A.4.3      booleanSyntax
    A.4.4      countryNameSyntax
    A.4.5      distinguishedNameSyntax
    A.4.6      facsimileTelephoneNumberSyntax
    A.4.7      generalizedTimeSyntax
    A.4.8      iA5StringSyntax
    A.4.9      integerListSyntax
    A.4.10     integerSyntax
    A.4.11     mhs-or-address-syntax
    A.4.12     numericStringSyntax
    A.4.13     objectIdentifierSyntax
    A.4.14     octetStringSyntax
    A.4.15     postalAddressSyntax
    A.4.16     presentationAddressSyntax
    A.4.17     printableStringSyntax
    A.4.18     protocolInformationSyntax
    A.4.19     stringListSyntax
    A.4.20     stringSyntax
    A.4.21     telephoneNumberSyntax
    A.4.22     teletexTerminalIdentifierSyntax
    A.4.23     telexNumberSyntax
    A.4.24     undefinedSyntax
    A.4.25     userPasswordSyntax
    A.4.26     uTCTimeSyntax

  A.5     Matching Rules
    A.5.1      Equality Matching Rules
      A.5.1.1      aciItemMatch
      A.5.1.2      booleanMatch
      A.5.1.3      caseExactIA5StringMatch
      A.5.1.4      caseExactStringMatch
      A.5.1.5      caseIgnoreListMatch
      A.5.1.6      caseIgnoreIA5StringMatch
      A.5.1.7      caseIgnoreStringMatch
      A.5.1.8      distinguishedNameMatch
      A.5.1.9      exactEncodingMatch
      A.5.1.10     generalizedTimeEqualityMatch
      A.5.1.11     integerMatch
      A.5.1.12     mhs-or-address-match
      A.5.1.13     numericStringMatch
      A.5.1.14     objectIdentifierMatch
      A.5.1.15     octetStringMatch
      A.5.1.16     presentationAddressMatch
      A.5.1.17     telephoneNumberMatch
      A.5.1.18     uTCTimeMatch
    A.5.2      Ordering Matching Rules
      A.5.2.1      caseExactIA5StringMatch
      A.5.2.2      caseExactStringMatch
      A.5.2.3      caseIgnoreIA5StringMatch
      A.5.2.4      caseIgnoreListMatch
      A.5.2.5      caseIgnoreStringMatch
      A.5.2.6      distinguishedNameMatch
      A.5.2.7      generalizedTimeOrderingMatch
      A.5.2.8      integerMatch
      A.5.2.9      numericStringMatch
      A.5.2.10     objectIdentifierMatch
      A.5.2.11     octetStringMatch
      A.5.2.12     telephoneNumberMatch
      A.5.2.13     uTCTimeMatch
    A.5.3      Substring Matching Rules
      A.5.3.1      caseExactIA5SubstringMatch
      A.5.3.2      caseExactSubstringMatch
      A.5.3.3      caseIgnoreListSubstringMatch
      A.5.3.4      caseIgnoreIA5SubstringMatch
      A.5.3.5      caseIgnoreSubstringMatch
      A.5.3.6      numericSubstringMatch
      A.5.3.7      telephoneNumberSubstringMatch
    A.5.4      Approximate Matching Rules
      A.5.4.1      allWordApproximateMatch
      A.5.4.2      initialLetterApproximateMatch
      A.5.4.3      initialWordApproximateMatch
      A.5.4.4      lastWordSoundexMatch

  B   The PrescriptiveACI Attribute

  B.1     User-First ACIitems

  B.2     Item-First ACIitems

  B.3     Item Classes

  B.4     User Classes

  B.5     Permissions

  B.6     Access Control Template File

  Glossary

  FIGURES

  1-1        The Hierarchical or Tree Structure of Directory Information

  1-2        A Typical Directory Entry

  1-3        Distinguished Names

  1-4        The X.500 Model of Directory Services

  1-5        A DIT Divided and Distributed Amongst Four DSAs

  1-6        A DIT Distributed and Replicated Amongst Four DSAs

  3-1        Structure and Distribution of the Example DIT

  3-2        Structure and Distribution of the Example DIT

  3-3        DSA1 After All Tasks Are Completed

  3-4        DSA2 After All Tasks Are Completed

  4-1        A DIT Based on Organizational Units

  4-2        A DIT Based on Geographical Distribution

  4-3        A DIT Based on Geographical and Organizational Elements

  4-4        Accommodating Resource Mobility

  4-5        Two Ways to Represent Organizational and Geographical Details

  4-6        The Most Frequently Used Default Structure Rules

  4-7        The Abacus DIT with its Global Prefix

  4-8        The Abacus DIT with its Entries Named

  4-9        DSA Entries Beneath the Organization Entry

  5-1        Dividing a DIT into Naming Contexts

  5-2        Distributing Naming Contexts to Their Master DSAs

  5-3        Primary and Secondary Shadowing of Naming Contexts

  5-4        Replicating Naming Contexts to Their Shadow DSAs

  5-5        Worksheet for CN=DSA1 Listing AE Title and Password

  5-6        Worksheet for CN=DSA2 Listing Naming Contexts

  5-7        Worksheet for CN=DSA2 Listing Consumers

  5-8        Worksheet for CN=DSA2 Listing Suppliers

  5-9        Master DSA for Contiguous Naming Contexts

  5-10       Worksheet for CN=DSA1 Listing Subordinate Naming Contexts

  5-11       A Multi-Layered Division of a DIT

  6-1        DXIM Find Window

  6-2        DXIM Find Window Showing Filter Fields

  7-1        Recommended Position for Creating an Access Control Subentry

  7-2        Access Control in a DSA

  8-1        Contiguous Naming Contexts

  8-2        Worksheet for CN=DSA1

  8-3        Planned Replication of Naming Contexts

  A-1        Structure Rules for Classes:  Part I

  A-2        Structure Rules for Classes:  Part II

  TABLES

  4-1        Naming Attributes of Commonly Used Classes