rfc1309.txt

著名的RFC文档,其中有一些文档是已经翻译成中文的的.

Network Working Group                                          C. Weider
Request for Comments: 1309                                           ANS
FYI: 14                                                      J. Reynolds
                                                                     ISI
                                                                S. Heker
                                                                    JvNC
                                                              March 1992


                Technical Overview of Directory Services
                        Using the X.500 Protocol

Status of this Memo

   This memo provides information for the Internet community. It does
   not specify an Internet standard.  Distribution of this memo is
   unlimited.

Abstract

   This document is an overview of the X.500 standard for people not
   familiar with the technology. It compares and contrasts Directory
   Services based on X.500 with several of the other Directory services
   currently in use in the Internet. This paper also describes the
   status of the standard and provides references for further
   information on X.500 implementations and technical information.

   A primary purpose of this paper is to illustrate the vast
   functionality of the X.500 protocol and to show how it can be used to
   provide a global directory for human use, and can support other
   applications which would benefit from directory services, such as
   main programs.

   This FYI RFC is a product of the Directory Information Services
   (pilot) Infrastructure Working Group (DISI).  A combined effort of
   the User Services and the OSI Integration Areas of the Internet
   Engineering Task Force (IETF).

1.  INTRODUCTION

   As the pace of industry, science, and technological development
   quickened over the past century, it became increasingly probable that
   someone in a geographically distant location would be trying to solve
   the same problems you were trying to solve, or that someone in a
   geographically distant location would have some vital information
   which impinged on your research or business.  The stupendous growth
   in the telecommunications industry, from telegraphs to telephones to
   computer networks, has alleviated the problem of being able to



DISI Working Group                                              [Page 1]

RFC 1309              Technical Overview of X.500             March 1992


   communicate with another person, PROVIDED THAT YOU KNOW HOW TO REACH
   THEM.

   Thus, along with the expansion of the telecommunications
   infrastructure came the development of Directory Services. In this
   paper, we will discuss various models of directory services, the
   limitations of current models, and some solutions provided by the
   X.500 standard to these limitations.

2  MODELS OF DIRECTORY SERVICES

2.1  The telephone company's directory services.

   A model many people think of when they hear the words "Directory
   Services" is the directory service provided by the local telephone
   company. A local telephone company keeps an on-line list of the names
   of people with phone service, along with their phone numbers and
   their address. This information is available by calling up Directory
   Assistance, giving the name and address of the party whose number you
   are seeking, and waiting for the operator to search his database. It
   is additionally available by looking in a phone book published yearly
   on paper.

   The phone companies are able to offer this invaluable service because
   they administer the pool of phone numbers. However, this service has
   some limitations. For instance, you can find someone's number only if
   you know their name and the city or location in which they live. If
   two or more people have listings for the same name in the same
   locality, there is no additional information which with to select the
   correct number. In addition, the printed phone book can have
   information which is as much as a year out of date, and the phone
   company's internal directory can be as much as two weeks out of date.
   A third problem is that one actually has to call Directory assistance
   in a given area code to get information for that area; one cannot
   call a single number consistently.

   For businesses which advertise in the Yellow Pages, there is some
   additional information stored for each business; unfortunately, that
   information is unavailable through Directory Assistance and must be
   gleaned from the phone book.

2.2 Some currently available directory services on the Internet.

   As the Internet is comprised of a vast conglomeration of different
   people, computers, and computer networks, with none of the hierarchy
   imposed by the phone system on the area codes and exchange prefixes,
   any directory service must be able to deal with the fact that the
   Internet is not structured; for example, the hosts foo.com and



DISI Working Group                                              [Page 2]

RFC 1309              Technical Overview of X.500             March 1992


   v2.foo.com may be on opposite sides of the world, the .edu domain
   maps onto an enormous number of organizations, etc.  Let's look at a
   few of the services currently available on the Internet for directory
   type services.

2.2.1 The finger protocol.

   The finger protocol, which has been implemented for UNIX systems and
   a small number of other machines, allows one to "finger" a specific
   person or username to a host running the protocol. This is invoked by
   typing, for example, "finger clw@mazatzal.merit.edu". A certain set
   of information is returned, as this example from a UNIX system finger
   operation shows, although the output format is not specified by the
   protocol:

      Login name: clw                   In real life: Chris Weider
      Directory: /usr/clw               Shell: /bin/csh
      On since Jul 25 09:43:42          4 hours 52 minutes Idle Time
      Plan:
      Home: 971-5581

   where the first three lines of information are taken from the UNIX
   operating systems information and the line(s) of information
   following the "Plan:" line are taken from a file named .plan which
   each user modifies.  Limitations of the fingerd program include: a)
   One must already know which host to finger to find a specific person,
   b) since primarily UNIX machines run fingerd, people who reside on
   other types of operating systems are not locateable by this method,
   c) fingerd is often disabled on UNIX systems for security purposes,
   d) if one wishes to be found on more than one system, one must make
   sure that all the .plan files are consistent, and e) there is no way
   to search the .plan files on a given host to (for example) find
   everyone on mazatzal.merit.edu who works on X.500.  Thus, fingerd has
   a limited usefulness as a piece of the Internet Directory.

2.2.2 whois

   The whois utility, which is available on a wide of variety of
   systems, works by querying a centralized database maintained at the
   DDN NIC, which was for many years located at SRI International in
   Menlo Park, California, and is now located at GSI. This database
   contains a large amount of information which primarily deals with
   people and equipment which is used to build the Internet.  SRI (and
   now GSI) has been able to collect the information in the WHOIS
   database as part of its role as the Network Information Center for
   the TCP/IP portion of the Internet.

   The whois utility is ubiquitous, and has a very simple interface. A



DISI Working Group                                              [Page 3]

RFC 1309              Technical Overview of X.500             March 1992


   typical whois query look like:

      whois Reynolds

   and returns information like:

      Reynolds, John F. (JFR22) 532JFR@DOM1.NWAC.SEA06.NAVY.MIL
                                           (702) 426-2604 (DSN) 830-2604
      Reynolds, John J. (JJR40) amsel-lg-pl-a@MONMOUTH-EMH3.ARMY.MIL
                                           (908) 532-3817 (DSN) 992-3817
      Reynolds, John W. (JWR46) EAAV-AP@SEOUL-EMH1.ARMY.MIL
                                           (DSN) 723-3358
      Reynolds, Joseph T. (JTR10)  JREYNOLDS@PAXRV-NES.NAVY.MIL
                                       011-63-47-885-3194 (DSN) 885-3194
      Reynolds, Joyce K. (JKR1) JKREY@ISI.EDU             (213) 822-1511
      Reynolds, Keith (KR35)    keithr@SCO.CO             (408) 425-7222
      Reynolds, Kenneth (KR94)                            (502) 454-2950
      Reynolds, Kevin A. (KR39)    REYNOLDS@DUGWAY-EMH1.ARMY.MIL
                                           (801) 831-5441 (DSN) 789-5441
      Reynolds, Lee B. (LBR9)   reynolds@TECHNET.NM.ORG   (505) 345-6555

      a further lookup on Joyce Reynolds with this command line:

      whois JKR1

   returns:

      Reynolds, Joyce K. (JKR1)               JKREY@ISI.EDU
         University of Southern California
         Information Sciences Institute
         4676 Admiralty Way
         Marina del Rey, CA 90292
         (310) 822-1511

         Record last updated on 07-Jan-91.

   The whois database also contains information about Domain Name System
   (DNS) and has some information about hosts, major regional networks,
   and large parts of the MILNET system.

   The WHOIS database is large enough and comprehensive enough to
   exhibit many of the flaws of a large centralized database: a) As the
   database is maintained on one machine, a processor bottleneck forces
   slow response during times of peak querying activity, even if many of
   these queries are unrelated, b) as the database is maintained on one
   machine, a storage bottleneck forces the database administrators to
   severely limit the amount of information which can be kept on each
   entry in the database, c) all changes to the database have to be



DISI Working Group                                              [Page 4]

RFC 1309              Technical Overview of X.500             March 1992


   mailed to a "hostmaster" and then physically reentered into the
   database, increasing both the turnaround time and the likelihood for
   a mistake in transcription.

2.2.3 The Domain Name System

   The Domain Name System is used in the Internet to keep track of host
   to IP address mapping. The basic mechanism is that each domain, such
   as merit.edu or k-12.edu, is registered with the NIC, and at time of
   registration, a primary and (perhaps) some secondary nameservers are
   identified for that domain. Each of these nameservers must provide
   host name to IP address mapping for each host in the domain. Thus,
   the nameservice is supplied in a distributed fashion. It is also
   possible to split a domain into subdomains, with a different
   nameserver for each subdomain.

   Although in many cases one uses the DNS without being aware of it,
   because humans prefer to remember names and not IP addresses, it is
   possible to interactively query the DNS with the nslookup utility. A
   sample session using the nslookup utility:

      home.merit.edu(1): nslookup
      Default Server:  merit.edu
      Address:  35.42.1.42

      > scanf.merit.edu
      Server:  merit.edu
      Address:  35.42.1.42

      Name:   scanf.merit.edu
      Address: 35.42.1.92

      > 35.42.1.92
      Server:  merit.edu
      Address: 35.42.1.42

      Name:  [35.42.1.92]
      Address: 35.42.1.92

   Thus, we can explicitly determine the address associated with a given
   host.  Reverse name mapping is also possible with the DNS, as in this
   example:









DISI Working Group                                              [Page 5]

RFC 1309              Technical Overview of X.500             March 1992


      home.merit.edu(2): traceroute ans.net
      traceroute to ans.net (147.225.1.2), 30 hops max, 40 byte packets
        1 t3peer (35.1.1.33) 11 ms 5 ms 5 ms
        2 enss (35.1.1.1) 6 ms 6 ms 6 ms
              .................
        9 192.77.154.1 (192.77.154.1) 51 ms 43 ms 49 ms
       10 nis.ans.net (147.225.1.2) 53 ms 53 ms 46 ms

   At each hop of the traceroute, the program attempts to do a reverse
   lookup through the DNS and displays the results when successful.

   Although the DNS has served superlatively for the purpose it was
   developed, i.e. to allow maintenance of the namespace in a
   distributed fashion, and to provide very rapid lookups in the