If you are new to X.500, then I suggest that you read Chapters 1, 2, 4 and 10 first. If you know a little about X.500, then I suggest that you read through the chapter summaries below before taking your pick.
If you are already familiar with the '88 edition of the Standard, then you will be very interested in reading Chapters 6 and 8 which deal with the new '93 features of replication (shadowing) and access controls. Chapter 2 is also important since it describes the new information models. The last half of Chapter 4 (shadowing and Operational Bindings), and Chapter 9 (distributed operations) will also be of interest to you, as will be the new schema features described in Chapter 3 and the new service features described in Chapter 5.
If you need to be convinced that X.500 can provide a secure service in an open environment, then read Chapters 7 and 8.
Chapter 1 gives a few reasons why we need directory services, and in particular suggests why we need an International Directory Standard. The history of the ISO Directory Standard/X.500 Recommendation is summarised, and the preliminary experiences of running pilot X.500 services are presented. This chapter may be skipped by all those readers who already know something about X.500.
Chapter 2 describes the information models used in the Standard. These information models serve several purposes. They help us to understand what the Directory information comprises, how it is structured, and how it can be managed. The models also provide a fixed framework for all the different X.500 implementations to conform to, so that a common view is held by all. This is essential for interworking between the implementations. There are three information models and one administrative model defined in the Standard. The first information model, called the Directory User Information model, is used to describe how user information is stored in the Directory (as attributes and entries). It also says how the information is referenced (via distinguished names). Another information model is used by administrators for storing management information in the Directory (this is the Directory operational and administrative information model). The third information model is used to show how the Directory information is distributed between different computer processes. This model shows the additional replication and distribution information that is needed by an implementation, in order for it to 'hook' itself into the global Directory service (it is called the DSA information model). The final model, the Directory Administrative Authority model, describes how different administrators can control and manage different parts of the DIT. This chapter is essential reading for all.
Chapter 3 tells you about the set of rules (the schema) used for controlling the information that is stored in the Directory. It is quite a detailed chapter, and can be difficult to understand at times. It is not essential reading first time through, and newcomers may initially skip this chapter.
Chapter 4 introduces the concepts of a distributed Directory. It describes what the components of the Directory system are (DSAs and DUAs), and introduces the operations that each component can perform on the other. The way that DSAs co-operate, via Operational Bindings, is described, and this leads naturally into an overview of the way that data is replicated between DSAs. This chapter is essential reading for all, although readers conversant with the 1988 edition of the Standard will find some of it very familiar.
Chapter 5 gives the reader much greater detail about the operations available to the user of the Directory (the so called abstract service). This chapter can be skipped by those who do not require more depth than that given in Chapter 4.
Chapter 6 describes in detail how the information is replicated amongst components of the Directory system. Replication (or shadowing) is a major new feature added in 1993, and this chapter gives the reader considerably more depth than that provided in Chapter 4.
Chapter 7 describes the way that components of the Directory system can authenticate each other, as well as users of the Directory. This chapter is essential reading for those who want to know how X.500 can operate securely in an open environment. Chapter 7 is especially written for those people (99.9% of the population) who find X.509 tough reading!
Chapter 8 describes the access control framework added in 1993. This material will be new to most readers, and again, it is essential reading for those who want to know how the standard access control mechanism operates in an open environment. It describes the intricacies of the model, and details how access controls can affect the service provided to the user.
Chapter 9 describes in more detail how the distributed Directory system operates. This chapter may be skipped initially, except by those enquiring minds who want to know more about how the distributed Directory system hangs together. Directory administrators will find some parts of this chapter useful, since it describes aspects of managing a naming context (including the root context). Implementers will also find the detailed description of the Chaining Arguments and Operational Bindings useful.
Chapter 10 looks at how other OSI applications can use the Directory. Particular emphasis is placed upon how X.400, EDI and FTAM can make use of the Directory. Use of X.500 by the Internet community and by library systems is also reviewed. Everyone should find something new and interesting in this chapter.
Appendix A describes the Object Identifier Tree, and shows how object identifiers have been allocated both globally and to the X.500 Standard. It briefly describes how organisations can obtain their own object identifiers, since these are needed in order to define organisation-specific types of Directory information. It also describes a method whereby object identifiers can be mapped into Directory names, in order to look up information in the Directory. This appendix will be of particular interest to Directory administrators.
Name resolution is the essential first step in evaluating every Directory operation. Appendix B overviews how name resolution works in a distributed Directory system. This appendix may be skipped by all except the most inquisitive of minds.
At the end of each chapter is a section titled Weird and Wonderful which contains snippets of information that you might find interesting or amusing. They sometimes point to bugs in the Standard, and at other times give some pieces of history in the making and use of the Standard. Weird and Wonderful topics are numbered as 'Chapter.number'. They are referenced from the main text as 'w/w Chapter.number' (e.g. w/w 10.1 which means the first Weird and Wonderful in Chapter 10). Sections are referred to within the text using the '§' symbol to mean 'section' (e.g. § 2.11).
References in the text to other published works are shown either in square brackets, thus [1], when they refer to standards and other material without a named author, or in parentheses, thus (Author, Year), when they refer to material with a named author. The complete list of references is given at the end of the book.
Finally, a few stylistic points. Whenever I refer to the Standard, with a capital 'S', I am of course referring to the ISO/IEC Directory Standard/CCITT X.500 Recommendations. (They both have identical technical contents.) Similarly, whenever I refer to the Directory, with a capital 'D', I am referring to the directory that conforms to the Standard. Whenever I refer to a 'User' of the Directory, the gender neutral 'they' is usually used, even though this is strictly not grammatically correct. However, when the context demands the use of the singular in order to keep the semantics precise (and this is usually when talking about security issues) then either 'he' or 'she' is used.
David Chadwick
4 March 1994