RFC 1943 Building an X.500 Directory Service in the US May 1996
directory information tree. The DITs may vary slightly, but each must
contain an organization and a person. The nature of the directory
and the structure of the actual organization for whom the directory
is being provided contribute to the overall DIT structure. The
following is a list of commonly used attributes:
commonName      physicalDeliveryOfficeName   stateOrProvinceName
description     photo                        streetAddress
userid          postOfficeBox                surname
favouriteDrink  postalAddress                telephoneNumber
title           rfc822Mailbox                facsimileTelephoneNumber
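As an added illustration of the DIT and attribute list above (example code, not part of RFC 1943), the following Python script writes a small tree as LDIF, parses it, and checks that every entry hangs beneath an organization and carries the attributes its object class requires. The organization name, user ids, addresses and the absence of a surname on one entry are constructed sample data; the rule that a person entry must carry cn and sn comes from the X.521 person object class.

```python
# Added example (not from RFC 1943): a minimal directory information tree
# written as LDIF, parsed and checked against the structural rules the text
# describes: an organization at the top, person entries beneath it, and each
# person carrying commonName (cn) and surname (sn), which the X.521 'person'
# object class requires.  All entry values are constructed sample data.

# Constructed sample LDIF: one organization, one organizational unit, two people.
SAMPLE_LDIF = """\
dn: o=Example Corp, c=US
objectClass: organization
o: Example Corp

dn: ou=Engineering, o=Example Corp, c=US
objectClass: organizationalUnit
ou: Engineering

dn: cn=Alice Example, ou=Engineering, o=Example Corp, c=US
objectClass: person
cn: Alice Example
sn: Example
userid: alice
rfc822Mailbox: alice@example.com
telephoneNumber: +1 555 0100

dn: cn=Bob Nosurname, ou=Engineering, o=Example Corp, c=US
objectClass: person
cn: Bob Nosurname
userid: bob
"""

# Required attributes per object class (cn and sn for person are mandated by
# X.521; o and ou are the naming attributes of the two container classes).
REQUIRED = {
    "organization": {"o"},
    "organizationalUnit": {"ou"},
    "person": {"cn", "sn"},
}


def parse_ldif(text):
    """Parse simple LDIF (no continuation lines, no base64 values) into a
    list of (dn, {attribute: [values]}) tuples in file order."""
    entries, attrs, dn = [], {}, None
    for raw in text.splitlines() + [""]:       # trailing "" flushes the last entry
        line = raw.rstrip()
        if not line:
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        name, _, value = line.partition(":")
        value = value.strip()
        if name == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return entries


def split_dn(dn):
    """Split a DN into its RDN components, most specific first."""
    return [rdn.strip() for rdn in dn.split(",")]


def validate_dit(entries):
    """Return a list of problems found in the tree: entries whose parent is
    missing (except the top-level organization), entries lacking attributes
    their object class requires, and persons not beneath an organization."""
    by_dn = {dn: attrs for dn, attrs in entries}
    problems = []
    for dn, attrs in entries:
        rdns = split_dn(dn)
        parent = ", ".join(rdns[1:])
        classes = attrs.get("objectClass", [])
        if parent not in by_dn and "organization" not in classes:
            problems.append(f"{dn}: parent '{parent}' not in tree")
        for cls in classes:
            for attr in sorted(REQUIRED.get(cls, set()) - set(attrs)):
                problems.append(f"{dn}: missing required attribute {attr}")
        if "person" in classes:
            ancestors = [", ".join(rdns[i:]) for i in range(1, len(rdns))]
            if not any("organization" in by_dn.get(a, {}).get("objectClass", [])
                       for a in ancestors):
                problems.append(f"{dn}: person not beneath an organization")
    return problems


if __name__ == "__main__":
    for problem in validate_dit(parse_ldif(SAMPLE_LDIF)):
        print(problem)
```

Run as a script, the check reports the one defective entry (Bob's, which lacks a surname); the same validator can be pointed at a full LDIF export before it is loaded into a DSA.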
4.3 DUA Interfaces for End Users
There are a variety of user interfaces on the market today that will
provide Directory User Agent access to the X.500 Directory. Standard
protocols such as fred, whois, whois++, and finger are used widely.
Interfaces are also available via World-wide Web browsers and
electronic mail.
Vendors providing DUAs include ISODE Consortium, NeXor, and Control
Data Corporation. These applications operate in conjunction with the
vendor provided DSAs.
Historically DUA interfaces were difficult to implement and required
the entire OSI stack. Implementing such a product on a PC or Apple
platform required skillful programming. The executables for these
platforms were usually very large. The IETF has since defined and
standardized the Lightweight Directory Access Protocol (LDAP) [11], a
protocol for accessing on-line Directory services which offers
comparable functionality to the Directory Access Protocol (DAP). It
runs directly over TCP and is used by nearly all X.500 clients. LDAP
does not have the overhead of the various OSI layers and runs on top
of TCP/IP.
The functionality varies by specific DUA. Each offers access to the
X.500 Directory. Most offer the ability to make modifications to
entries. There are a few that offer Kerberos authentication.
Further information on LDAP clients for specific platforms can be
found on the University of Michigan WWW server:
http://www.umich.edu/~rsug/ldap.
Another interface that has been tested and recommended for users by
our Dutch (Surfnet) colleagues is Directory Enquiry (DE). Originally
developed by University College London for the Paradise project in
Europe, the engineers at Surfnet have selected DE as the best
interface for "dumb" terminals. They have also translated the
Jennings Informational [Page 12]
interface into Dutch for their local users [12].
Ideally, users should be able to access X.500 directly from their
electronic mail applications. Vendors (other than the ones mentioned
above) have been slow to incorporate the X.500 Standards into their
electronic mail applications.
5.0 Datamanagement & Pilot Projects
5.1 Simple Internet White Pages Service
A wide variety of directory service retrieval protocols has emerged
since the original Internet White Pages service was begun in 1989. To
ensure that decentralized implementations will interoperate with
other providers, the IETF Integrated Directory Services Working Group
is working on a draft focusing on the common information and
operational modeling issues to which all Internet White Pages
Services (IWPS) must conform.
Utilizing current information servers, the conceptual model described
includes issues regarding naming, schema, query and response issues
for a narrowly defined subset of directory services. The goal of this
paper is to establish a simple set of information objects, coupled
with a basic set of process requirements that will form a basis which
can lead to ubiquitous IWPS. With this goal in mind, it will be
easier to provide a consistent user view of the various directory
services.
5.2 InterNIC
The InterNIC [9] is a collaborative project of two organizations
working together to offer the Internet community a full scope of
network information services. Established in January 1993 by the
National Science Foundation, the InterNIC provides registration
services and directory and database services to the Internet.
(The Internet is a global network of more than 13,000 computer
networks, connecting over 1.7 million computers and used by an estimated 13
million people.) In keeping up with the exponential growth of the
Internet, the InterNIC provides a guide to navigate the maze of
available resources.
InterNIC provides two types of services: directory and database
services, and registration services. AT&T provides the
directory and database services, acting as the pointer to numerous
resources on the network offering X.500 to help users easily locate
other users and organizations on the Internet.
5.3 ESnet
The Energy Sciences Network [10] is a nationwide computer data
communications network whose primary purpose is to support
multiple-program, open scientific research. As part of this support,
ESnet offers networking services including information access and
retrieval, directory services, group communications services, remote
file access services and infrastructure services. As an early member
of the White-Pages Pilot Project, ESnet continues to be a part of the
worldwide distributed directory service based on the ISO/OSI X.500
standard. There are over nineteen ESnet organizations represented in
the directory, comprising over 120,000 entries. ESnet provides access
to seven other sites via the X.500 DSAs.
6.0 Recommendations
6.1 General
The X.500 Directory technology is available through several options.
Vendors can provide consultation for schema design as well as supply,
install, and support the software to perform the operations required.
For smaller organizations or companies who do not want to administer
their own DSA, there are providers available who will maintain the
DSAs remotely and provide this service to the Internet. Those with
network and management expertise can either operate independently or
join one of several white pages directory projects. Careful
consideration must be given to the initial investment required and
the required maintenance process.
6.2 Getting Started
Successful initialization of a directory service requires a
systematic approach. The complexity of offering this type of service
becomes more apparent as implementation progresses. Several aspects
must be considered as this service becomes a cooperative effort among
the technical, administrative, organizational, and legal disciplines.
Procedures must be defined and agreed to at the initial phase of
implementing an X.500 Directory service [13]. The following are
issues that should be addressed in these procedures.
6.3 Who are the Customers?
Defining the customer and the customer requirements will determine
the scope of service to offer. What is the primary purpose for the
directory service? A company may find it desirable to do away with a
paper directory while simultaneously providing the current directory
information. The directory may be for internal use only or expanded
to any users with Internet access. Will the customer use the
directory for e-mail addresses only, or is other locational information
such as postal address and telephone number a requirement?
The directory may provide information to electronic customers such as
distributed computing applications as well. In this case, the data
must be provided in machine readable format.
Will the customers extend across country boundaries? Information may
be considered private by one country and not by another. It is
necessary to be aware of the legalities and restrictions for the
locality using the data. Some countries have published a Code of
Conduct with the IETF, explicitly stating the legal restrictions on
directory and list data. Check the archives to determine if the
country with whom information will be shared has presented such
information.
6.4 What are the contents of the Directory?
The information presented in the directory is tightly coupled with
the purpose. If the purpose is to provide addressing information for
individuals, then customary information would include: name, address,
phone, e-mail address, facsimile number, pager, etc. If the use of
the directory is to facilitate electronic mail routing then the
destination mail address needs to be included for each user. No other
information should be presented in the directory if it is not
directly related to the purpose.
If the directory is internal only, it may be desirable to include the
registrant's title as well. Remember that information available on the
Internet is generally open to anyone who wants to access it.
Individuals wishing to target a specific market may access
directories to create customer mailing lists.
The structure or schema of the X.500 Directory must be an initial
consideration. Will the hierarchy follow the company structure or is
a different approach more practical? How many entries will there be
in the directory, five or 50,000? A complex hierarchy for thousands of
users may affect the efficiency of queries.
6.5 What are the rights of the individuals?
The subjects included in the directory shall have well defined
rights. These may be mandated by company policy, legal restrictions,
and the ultimate use of the directory. For a basic Internet White
Pages Service these rights may include:
1. the option of inclusion in the directory
2. the right of access to the information
3. the right to have inaccurate entries corrected
The terms and conditions for employees of an organization may affect
these rights. On becoming an employee of any organization, an
individual inevitably agrees to forego certain personal privacies and
to accept restrictions.
Every organization should develop and publish the "rights" that can
be expected by the list registrants.
6.6 Data Integrity
Information that needs to be included in the directory may come from
various sources. Demographic information may originate from the human
resources department. Electronic mail addresses may be provided by
the computer network department. To guarantee data integrity, it is
advised that the data be identified and maintained as corporate
information.
The required timeliness of the data is unique for each DSA. Updates
to the data may be as frequent as once a day or once a month. Updates
to the data must be provided on a regular basis. In cases where data
is time sensitive, an attribute should be included to display the
most recent maintenance date.
A regular check for data accuracy should be included in the directory
administration. Faulty information may put an organization in breach
of any data protection laws and possibly render the company as
unreliable.
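The reconciliation and timeliness checks described in 6.6, as an added Python example (not from the RFC): human-resources records and network-department mail addresses are merged by userid, each published entry is stamped with a maintenance-date attribute, and entries older than a freshness policy are flagged. The attribute name lastModifiedTime, the feed contents and the 30-day policy are assumptions made for this example; the RFC only says that a most-recent-maintenance-date attribute should be present.

```python
# Added example (not from RFC 1943): reconciling two corporate sources into
# directory entries, stamping each with a maintenance-date attribute and
# flagging entries that are stale or inconsistent.  The attribute name
# 'lastModifiedTime', the feeds and the freshness policy are assumptions.
from datetime import date, timedelta

# Constructed sample feeds keyed by userid: HR owns demographic data,
# the network department owns mail addresses.
HR_FEED = {
    "alice": {"commonName": "Alice Example", "surname": "Example",
              "title": "Engineer", "telephoneNumber": "+1 555 0100"},
    "bob": {"commonName": "Bob Example", "surname": "Example",
            "title": "Analyst", "telephoneNumber": "+1 555 0101"},
    "carol": {"commonName": "Carol Example", "surname": "Example"},
}
MAIL_FEED = {
    "alice": "alice@example.com",
    "bob": "bob@example.com",
    "dave": "dave@example.com",   # no HR record: not published
}

MAX_AGE_DAYS = 30   # assumed freshness policy for this example


def merge_sources(hr, mail, today_iso):
    """Build directory entries from both feeds.  HR is treated as the
    authoritative list of who exists; the mail feed only supplies
    rfc822Mailbox.  Every entry is stamped with today's date (ISO 8601
    string) in lastModifiedTime.  Returns (entries_by_userid, issues)."""
    entries, issues = {}, []
    for uid, demographic in hr.items():
        entry = dict(demographic)
        entry["userid"] = uid
        if uid in mail:
            entry["rfc822Mailbox"] = mail[uid]
        else:
            issues.append(f"{uid}: in HR feed but has no mail address")
        entry["lastModifiedTime"] = today_iso
        entries[uid] = entry
    for uid in sorted(mail.keys() - hr.keys()):
        issues.append(f"{uid}: mail address with no HR record, not published")
    return entries, issues


def stale_entries(entries, today_iso, max_age_days=MAX_AGE_DAYS):
    """Return the userids whose lastModifiedTime is older than the policy."""
    today = date.fromisoformat(today_iso)
    stale = []
    for uid, entry in entries.items():
        last = date.fromisoformat(entry["lastModifiedTime"])
        if today - last > timedelta(days=max_age_days):
            stale.append(uid)
    return sorted(stale)


if __name__ == "__main__":
    today = date.today().isoformat()
    entries, issues = merge_sources(HR_FEED, MAIL_FEED, today)
    for line in issues:
        print(line)
    print("stale:", stale_entries(entries, today))
```

The issues list is what a data administrator would review before loading the DSA: an employee with no mailbox is published without rfc822Mailbox, while a mailbox with no HR record is withheld rather than guessed at.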
6.7 Data Security
Securing networked information resources is inherently complex.
Attempts must be made to preserve the security of the data. These may
include access control lists (ACLs), limiting the number of responses
allowed to queries, or restricting internal/external access to the
directory.
The 1993 recommendations have added a complex access control model
that is designed to tightly restrict the access that users may have
to the information in the Directory. Local protection is configured
by the implementor. A secure X.500 Directory should provide tools to
protect against destruction, falsification, and loss of data.
There is not a tool yet that will protect against the misuse of data.
There are flags and limits that can be set from within the
application that will serve somewhat as a barrier to such unwanted
use. Any restrictions, however, will also affect the legitimate users.
One suggestion is to post a notice of illegitimate use within each
entry. This of course will only serve as a deterrent and as an asset
should legal action be required.
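The protections listed in 6.7, worked through in an added Python example (not the RFC's code): an in-memory search applies an attribute-level ACL that differs for internal and external requesters, refuses external filters that are too broad to be a lookup of a specific person, and caps the number of responses returned. The entries, the internal/external origin labels, the attribute sets and the numeric limits are constructed for illustration.

```python
# Added example (not from RFC 1943): a small in-memory directory search that
# applies the protections section 6.7 lists -- attribute-level access control
# by requester origin (internal vs. external) and a cap on the number of
# responses per query -- so an external caller can neither read internal-only
# attributes nor pull the whole directory with one query.  Entries, ACL
# policy, origin labels and limits are constructed for this example.

# Constructed sample entries for one organization.
ENTRIES = [
    {"userid": "alice", "commonName": "Alice Example", "surname": "Example",
     "rfc822Mailbox": "alice@example.com", "telephoneNumber": "+1 555 0100",
     "title": "Engineer"},
    {"userid": "bob", "commonName": "Bob Example", "surname": "Example",
     "rfc822Mailbox": "bob@example.com", "telephoneNumber": "+1 555 0101",
     "title": "Analyst"},
    {"userid": "carol", "commonName": "Carol Example", "surname": "Example",
     "rfc822Mailbox": "carol@example.com", "telephoneNumber": "+1 555 0102",
     "title": "Director"},
]

# Access control list: attributes each class of requester may read.
# title and telephoneNumber stay internal, as section 6.4 suggests.
ACL = {
    "internal": {"userid", "commonName", "surname", "rfc822Mailbox",
                 "telephoneNumber", "title"},
    "external": {"commonName", "surname", "rfc822Mailbox"},
}

# Response cap per query and minimum filter length, per requester origin.
SIZE_LIMIT = {"internal": 100, "external": 2}
MIN_FILTER_LEN = {"internal": 0, "external": 3}


class DirectoryError(Exception):
    """Raised when a query is refused outright rather than answered."""


def search(entries, origin, surname_prefix):
    """Return (results, truncated): entries whose surname starts with the
    prefix, reduced to the attributes the origin may see and capped at the
    origin's size limit.  truncated is True when the cap dropped matches.
    Raises DirectoryError for an unknown origin or an over-broad filter."""
    if origin not in ACL:
        raise DirectoryError("unknown requester origin")
    if len(surname_prefix) < MIN_FILTER_LEN[origin]:
        raise DirectoryError("filter too broad for this requester")
    allowed = ACL[origin]
    prefix = surname_prefix.lower()
    matches = [e for e in entries if e["surname"].lower().startswith(prefix)]
    limit = SIZE_LIMIT[origin]
    truncated = len(matches) > limit
    visible = [{k: v for k, v in e.items() if k in allowed}
               for e in matches[:limit]]
    return visible, truncated


if __name__ == "__main__":
    results, truncated = search(ENTRIES, "external", "Exa")
    print(results, "truncated" if truncated else "complete")
```

Note the trade-off the text points out: the same size limit that stops an external caller from harvesting the directory for a mailing list also cuts off a legitimate external user searching a common surname, so the limit and the minimum filter length have to be tuned per deployment rather than set once.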
Again, caution must be taken when transferring data between country
and state borders. In the US data regulations differ from state to
state.
6.8 Data Administration
The decentralized nature of the X.500 Directory service means that
each organization has complete control over the data. As part of a
global service however, it is important that the operation of the DSA
be monitored and maintained in a consistent manner. Authorization
must be given to the local manager of the information and in some
cases, the subjects included in the directory may also have
modification privileges.
Once the service is running, the importance of guaranteed operation
can not be overstated. Maintenance of the local Directory will be an
integral part of normal administrative procedures within the
organization and must be defined and agreed upon in the initial
stages of development.