X500: The X.500 Directory

This page gives a high-level overview of the X.500 Directory model and technology. Links to more detailed pages can be found above and at the bottom of this page.


The X.500 Directory

X.500 is developed jointly between ITU-T and ISO/IEC. A little historical background may be found here. The X.500 document structure and mapping between ISO/IEC Standards and ITU-T Recommendations are listed here.

The X.500 Directory is developed for storing information about objects, such as organizations, persons, distribution lists, groups, certification authorities, etc. The information stored about an object is identity information and other information associated with the object, e.g. its postal address.

The Directory Specifications provide an information structure model, protocols for communicating directory information between systems, and procedures that allow the directory information to be distributed among several independent systems, including procedures for navigation to the open system containing the information to be accessed.

A system can locally maintain its part of the directory information using any suitable database technique.

X.500 components and protocols

Figure 1 - X.500 components and protocols

Figure 1 illustrates the different components and protocols comprising an X.500 directory infrastructure.

A component that maintains and communicates directory information is called a Directory System Agent (DSA). An X.500 directory can be composed of any number of DSAs.

A component that represents the accessing user and interfaces to one of the DSAs in an X.500 directory is either a Directory User Agent (DUA) or a Lightweight Directory Access Protocol (LDAP) client. Only the DUA is part of the X.500 specification, while the LDAP client is specified in IETF RFCs. More information may be found in Relationship with LDAP.

The protocol between a DUA and a DSA is called the Directory Access Protocol (DAP).

When a DAP request/response is forwarded from one DSA to another, it is enveloped by the Directory System Protocol (DSP).

X.500 allows one DSA to shadow information held by another DSA. The protocol that governs this is called the Directory Information Shadowing Protocol (DISP).

The last protocol, the Directory Operational Binding Management Protocol (DOP), is used for establishing relationships between two DSAs.

The entry concept

Figure 2 - Entry concept

Information about an object is, at least conceptually, stored in an entry. A simplified representation of an entry is shown in figure 2. The information about an object is stored in so-called attributes. An attribute can be a surname, given name, street name, telephone number, e-mail address, certificate, password, etc.
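The entry concept above, as an added Python illustration (this is not code from this page or from the X.500 specifications): an entry is modelled as a bag of attributes, each attribute type carrying one or more values, and the entry is rendered in LDIF so an LDAP client could load it. The attribute type names (sn, givenName, telephoneNumber, mail, userCertificate, userPassword) follow the usual LDAP schema names, the dn value and the certificate bytes are constructed placeholders, and values are compared exactly (X.500 matching rules are beyond this page); all of that is assumed, not stated here.

```python
"""Toy model of an X.500 entry: attributes keyed by type, each with several
values.  Added illustration only; attribute names, the dn and the sample
data are assumptions/constructed, not taken from the X.500 specifications."""

import base64
from collections import defaultdict


def needs_base64(value):
    """LDIF (RFC 2849) rule: a string value must be base64-encoded when it is
    not a SAFE-STRING, i.e. it starts with space, ':' or '<', or contains a
    non-ASCII, NUL, CR or LF character."""
    if value[:1] in (" ", ":", "<"):
        return True
    return any(ord(c) > 127 or c in "\x00\r\n" for c in value)


class Entry:
    """An entry holds attributes; attribute types compare case-insensitively,
    as in X.500/LDAP, and one type may carry several distinct values."""

    def __init__(self, dn):
        self.dn = dn                      # distinguished name (assumed; naming is covered on the next page)
        self._attrs = defaultdict(list)   # lower-cased type -> list of values (insertion order kept)
        self._names = {}                  # lower-cased type -> display spelling of the type

    def add(self, attr_type, value):
        key = attr_type.lower()
        self._names.setdefault(key, attr_type)
        if value not in self._attrs[key]:  # attribute values form a set: no duplicates
            self._attrs[key].append(value)
        return self

    def values(self, attr_type):
        return list(self._attrs.get(attr_type.lower(), []))

    def compare(self, attr_type, value):
        """X.500 Compare: answers only yes/no, so a DUA can check whether the
        entry holds a value (e.g. a password) without reading the attribute."""
        return value in self._attrs.get(attr_type.lower(), [])

    def to_ldif(self):
        """Render the entry as LDIF.  Binary values (a certificate) and unsafe
        strings are base64-encoded and written with '::' instead of ':'."""
        lines = ["dn: " + self.dn]
        for key, vals in self._attrs.items():
            name = self._names[key]
            for v in vals:
                if isinstance(v, bytes):
                    lines.append(f"{name}:: {base64.b64encode(v).decode('ascii')}")
                elif needs_base64(v):
                    lines.append(f"{name}:: {base64.b64encode(v.encode('utf-8')).decode('ascii')}")
                else:
                    lines.append(f"{name}: {v}")
        return "\n".join(lines) + "\n"


def sample_entry():
    """Constructed example entry with the kinds of attributes the page lists.
    The certificate bytes are a placeholder, not a real DER certificate."""
    fake_cert = b"\x30\x82\x01\x00" + b"placeholder-certificate-bytes"
    return (Entry("cn=Jane Smith,o=Example")          # constructed dn
            .add("sn", "Smith")
            .add("givenName", "Jane")
            .add("telephoneNumber", "+1 555 0100")
            .add("telephoneNumber", "+1 555 0101")     # multi-valued attribute
            .add("telephoneNumber", "+1 555 0100")     # duplicate is ignored
            .add("mail", "jane.smith@example.org")
            .add("userCertificate", fake_cert)
            .add("userPassword", "{PLACEHOLDER}not-a-real-password"))


if __name__ == "__main__":
    e = sample_entry()
    print(e.to_ldif())
    print("compare sn=Smith ->", e.compare("SN", "Smith"))
```

The `compare` method mirrors the X.500 Compare operation in returning only a boolean, which is why the Directory can answer "is this the password for this entry?" without a DUA ever reading the attribute; the LDIF output shows how the same entry looks to an LDAP client, with the binary certificate value base64-encoded.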

Next page

The next page to visit is Relationship with LDAP. However, if you want to skip that page, you could go straight to Information structure and naming.

Page last modified on March 15, 2009, at 01:16 AM