Information structure and naming

Directory Information Tree (DIT)

Figure 1 - The Directory Information Tree

A directory object is represented by an entry in the directory. To store and retrieve information about objects, objects have to be named. Each object and its corresponding entry have one or more names.

Directory names are hierarchical in nature and form a naming tree. A name consists of one or more components reflecting this hierarchy. This naming tree is called the Directory Information Tree (DIT), as a directory entry is associated with each vertex of this tree, where the entry holds information about the object having the corresponding name.

The first level of names below the root is assumed to hold the names of countries and international organizations. (A country's name must be its code taken from ISO 3166-1, "Codes for the representation of names of countries and their subdivisions -- Part 1: Country codes".)

In the example shown in figure 1, the next level is the organizations, such as a company or a governmental institution. The full name of an organization is then the country name concatenated with the organization's name component, e.g. {C=DK, O=Fallit A/S}.

The next two levels in the example are the organizational unit and person. The corresponding names could be {C=DK, O=Fallit A/S, OU=Sales} and {C=DK, O=Fallit A/S, OU=Sales, CN=Jensen}, respectively.

The name component added as we move one step down the naming tree is called the Relative Distinguished Name (RDN) for the corresponding entry (and object). The name of an entry is therefore the concatenation of the RDNs from the root down to and including the entry in question. The root does not add any name component.

For names to be unambiguous, the RDNs for entries just below a particular entry all have to be different. This requires the presence of some naming authority or possibly a hierarchy of naming authorities.

An object represented by an X.500 directory always has a so-called distinguished name structured as described above, which is the principal name for the object. An object may also have one or more alias names, which are structured in a similar way.

The DIT concept is the very basic directory concept on which most other concepts are built.

Several independent directories, i.e. several independent DITs, may be created. However, if the names of the objects represented by these directories are all drawn from the same name space, such directories can be merged into a single directory (provided that they have compatible implementations, information structures, etc.). It was initially a generally held vision that eventually, with a very few exceptions, all directory information will be part of one "global directory", global in the sense that it is world wide, and global in the sense that it will be common for all directory uses, such as for Message Handling (X.400), EDI, general Internet, etc. The X.500 Specifications have been developed with that view in mind. However, it seems likely that this vision will not materialize. A single, world-wide directory is not going to appear within a foreseeable future.

Directory entry structure

Figure 2 - Directory entry structure

Figure 2 above shows the X.500 (and LDAP) entry model. An entry holds a number of attributes each holding some particular piece of information. The type of information held by an attribute is indicated by the attribute type field within the attribute. The actual information is held by one or more attribute values.

As an example, the attribute type may be "telephone number", and an attribute of this type will then hold one or more telephone numbers.

A DSA storing an attribute in some entry, or a DUA retrieving that attribute, needs to have an understanding of the attribute type. From the attribute type and its knowledge of that type's definition, a DUA or a DSA knows what syntax the attribute value or values have. Without knowing the syntax, the values are just unstructured strings of bits. It is therefore necessary to clearly define all attribute types and to make such specifications available to DUAs and DSAs.

Relative Distinguished Name (RDN)

Figure 3 - Relative Distinguished Name (RDN)

An entry's (and object's) RDN consists of one or more (attribute type, attribute value) pairs.

Typically, only a single (attribute type, attribute value) pair is used for an RDN. The reason for the added complexity of allowing several (attribute type, attribute value) pairs was as follows:

If there are two Joe Smiths in an organizational unit, they would be upset if one were called Joe Smith 1 and the other Joe Smith 2. Adding a second (attribute type, attribute value) pair can make them distinct instead.

An example of a more complex RDN is given here (both lines denote the same RDN, as the order of the pairs is immaterial):

RDN = { (Common Name, Bo Jensen);(Title, Clerk) }
RDN = { (Title, Clerk);(Common Name, Bo Jensen) }

An attribute may have several values. The one that, together with the attribute type, forms the RDN component is called the distinguished attribute value, as illustrated in figure 3.
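As an added example (not part of this tutorial or of any X.500 implementation), the following Python models names in the notation used on this page: a DN as the sequence of RDNs from just below the root down to the entry, and an RDN as an unordered set of (attribute type, attribute value) pairs, so the two RDN listings above compare equal. It assumes attribute types compare case-insensitively and values exactly, writes the pairs of a multi-valued RDN separated by ';' as the listing above does, and does not handle values that themselves contain ',', ';' or '='.

```python
from typing import FrozenSet, List, Tuple

AVA = Tuple[str, str]  # (attribute type, distinguished attribute value)
RDN = FrozenSet[AVA]   # unordered set of one or more AVAs
DN = Tuple[RDN, ...]   # RDNs from just below the root down to the entry


def parse_rdn(text: str) -> RDN:
    """Parse 'Common Name=Bo Jensen;Title=Clerk' into an unordered set of AVAs."""
    avas = []
    for part in text.split(";"):
        attr_type, sep, value = part.partition("=")
        if not sep or not attr_type.strip() or not value.strip():
            raise ValueError(f"malformed RDN component: {part!r}")
        # Assumption: types compare case-insensitively, values exactly.
        avas.append((attr_type.strip().lower(), value.strip()))
    if len({t for t, _ in avas}) != len(avas):
        raise ValueError("an RDN may not carry the same attribute type twice")
    return frozenset(avas)


def parse_dn(text: str) -> DN:
    """Parse '{C=DK, O=Fallit A/S, OU=Sales, CN=Jensen}'; root-most RDN first."""
    body = text.strip()
    if body.startswith("{") and body.endswith("}"):
        body = body[1:-1]
    if not body.strip():
        return ()  # the root adds no name component
    return tuple(parse_rdn(p) for p in body.split(","))


def rdn_of(dn: DN) -> RDN:
    """An entry's RDN is its last name component; the root has none."""
    if not dn:
        raise ValueError("the root has no RDN")
    return dn[-1]


def parent_of(dn: DN) -> DN:
    """The superior entry's name: every RDN but the last."""
    return dn[:-1]


def check_siblings_distinct(parent: str, children: List[str]) -> List[str]:
    """Names whose RDN repeats an earlier sibling's directly below parent."""
    p, seen, clashes = parse_dn(parent), set(), []
    for child in children:
        dn = parse_dn(child)
        if parent_of(dn) != p:
            raise ValueError(f"{child} is not immediately below {parent}")
        if rdn_of(dn) in seen:
            clashes.append(child)
        seen.add(rdn_of(dn))
    return clashes
```

Comparing names structurally in this way, rather than as raw strings, is what matters wherever a directory name is used as an identity, for instance when matching an entry against an access-control rule: a byte-for-byte compare would treat the two equivalent RDN listings above as different names.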

The Distributed DIT

Figure 4 - The Distributed DIT

Figure 4 shows a rather simple DIT distributed among four DSAs. The figure also illustrates that the way a DIT can be distributed is very flexible: the entries can be distributed in any way among the DSAs, and a DSA does not need to hold a contiguous set of entries.

Note that the root is not an actual entry and does not represent an object.

The Distributed Directory

Figure 5 - The Distributed Directory

Figure 5 illustrates the distribution of directory information among DSAs in another way. A user can access directory information by connecting to one of the DSAs. The function supporting the user in this access is called a Directory User Agent (DUA). The DSAs interact in such a way that the user can access information in the directory without needing to know the exact whereabouts of the particular piece of information to be accessed. The DSAs co-operate by use of distributed operations to provide this service to the users. The protocol used between two DSAs is called the Directory System Protocol (DSP). The protocol used between a DUA and a DSA is called the Directory Access Protocol (DAP). There is an alternative access protocol called Lightweight Directory Access Protocol (LDAP), developed within the Internet Society.

Several Web browsers support LDAP. In addition, there are also several implementations of Web server/DUA gateways.

Directory Management Domains

Figure 6 - Directory Management Domains

One or more DSAs, and possibly some DUAs, may be managed by a single organization. Such a set of systems is called a Directory Management Domain (DMD). A directory is therefore composed of one or more DMDs.

The concept of DMDs is only to a limited degree reflected in the X.500 Directory standard. It relates more to how a directory is established with respect to interconnection and to the scope of operation and management. The concept of a DMD does not in itself impose restrictions on how DSAs are interconnected, but a DMD may, for security and management reasons, choose to have external communication with other DMDs only through a dedicated DSA.

For largely historical reasons, two different types of DMDs have been identified.

A Private Directory Management Domain (PRDMD) is a DMD that serves the internal needs of a corporation, organization, or institution.

An Administrative Directory Management Domain (ADDMD) is a DMD run by a public service provider to serve the needs of a public service, like telephony, e-mail, etc. In addition, ADDMDs provide services to PRDMDs by providing the backbone of a directory infrastructure.

The next page is X.500 protocols.
