home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Collection of Internet
/
Collection of Internet.iso
/
protocol
/
standard
/
ccitt
/
1992
/
x
/
x511_1.asc
< prev
next >
Wrap
Text File
|
1993-07-14
|
76KB
|
1,578 lines
Recommendation X.511
THE DIRECTORY - ABSTRACT SERVICE DEFINITION 1)
(Melbourne, 1988)
CONTENTS
0 Introduction
1 Scope and field of application
SECTION 1 - General
2 References
3 Definitions
4 Abbreviations
5 Conventions
SECTION 2 - Abstract service
6 Overview of the directory service
7 Information types
8 Bind and unbind operations
9 Directory read operations
10 Directory search operations
11 Directory modify operations
12 Errors
Annex A - Abstract service in ASN.1
Annex B - Directory object identifiers
0 Introduction
0.1 This document, together with the others of the series, has been produced to facilitate the interconnection of
information processing systems to provide directory services. The set of all such systems, together with the directory
information which they hold, can be viewed as an integrated whole, called the Directory. The information held by the
1 Fascicle VIII.8 - Rec. X.511
Directory, collectively known as the Directory Information Base (DIB), is typically used to facilitate communication between,
with or about objects such as application-entities, people, terminals, and distribution lists.
0.2 The Directory plays a significant role in Open Systems Interconnection, whose aim is to allow, with a minimum of
technical agreement outside of the interconnection standards themselves, the interconnection of information processing
systems:
- from different manufacturers;
- under different managements;
- of different levels of complexity; and
- of different ages.
0.3 This Recommendation defines the capabilities provided by the Directory to its users.
0.4 Annex A provides the ASN.1 module which contains all the definitions associated with the abstract service.
1 Scope and field of application
1.1 This Recommendation defines in an abstract way the externally visible service provided by the Directory.
1.2 This Recommendation does not specify individual implementation or products.
SECTION 1 - General
2 References
Recommendation X.200 - Open Systems Interconnection - Basic Reference Model.
Recommendation X.208 - Specification of Abstract Syntax Notation One (ASN.1).
Recommendation X.500 - The Directory - Overview of Concepts, Models and Services.
Recommendation X.501 - The Directory - Models.
Recommendation X.518 - The Directory - Procedures for Distributed Operation.
Recommendation X.519 - The Directory - Protocol Specifications.
Recommendation X.520 - The Directory - Selected Attribute Types.
Recommendation X.521 - The Directory - Selected Object Classes.
Recommendation X.509 - The Directory - Authentication Framework.
Recommendation X.219 - Remote Operations - Model, Notation and Service Definition.
Recommendation X.229 - Remote Operations - Protocol Specification.
Recommendation X.407 - Abstract Service Definition Conventions.
3 Definitions
3.1 Basic Directory definitions
This Recommendation makes use of the following terms defined in Recommendation X.500:
a) Directory;
b) Directory Information Base (DIB);
c) (Directory) User.
Fascicle VIII.8 - Rec. X.511 2
3.2 Directory model definitions
This Recommendation makes use of the following terms defined in Recommendation X.501:
a) Directory System Agent;
b) Directory User Agent.
3.3 Directory information base definitions
This Recommendation makes use of the following terms defined in Recommendation X.501:
a) alias entry;
b) Directory Information Tree;
c) (Directory) entry;
d) immediate superior;
e) immediately superior entry/object;
f) object;
g) object class;
h) object entry;
i) subordinate;
j) superior.
3.4 Directory entry definitions
This Recommendation makes use of the following terms defined in Recommendation X.501:
a) attribute;
b) attribute type;
c) attribute value;
d) attribute value assertion.
3.5 Name definitions
This Recommendation makes use of the following terms defined in Recommendation X.501:
a) alias, alias name;
b) distinguished name;
c) (directory) name;
d) purported name;
e) relative distinguished name.
3.6 Distributed operations definitions
This Recommendation makes use of the following terms defined in Recommendation X.518:
a) chaining;
b) referral.
3.7 Abstract service definitions
This Recommendation defines the following terms:
a) filter: an assertion about the presence or value of certain attributes of an entry in order to limit the scope of
a search;
b) service controls: parameters conveyed as part of an abstract-operation which constrain various aspects of its
3 Fascicle VIII.8 - Rec. X.511
performance;
c) originator: the user that originated an operation.
4 Abbreviations
This Recommendation makes use of the following abbreviations:
AVA Attribute Value Assertion
DIB Directory Information Base
DIT Directory Information Tree
DMD Directory Management Domain
DSA Directory System Agent
DUA Directory User Agent
RDN Relative Distinguished Name
5 Conventions
This Recommendation makes use of the abstract service definition conventions defined in Recommendation X.407.
SECTION 2 - Abstract service
6 Overview of the directory service
6.1 As described in Recommendation X.501 the services of the Directory are provided through access points to DUAs,
each acting on behalf of a user. These concepts are depicted in Figure 1/X.511.
FIGURE 1/X.511
Access to the Directory
6.2 In principle, access points to the Directory may be of different types, providing different combinations of services. It
is valuable to consider the Directory as an object, supporting a number of types of port. Each port defines a particular kind of
interaction which the Directory can participate in with a DUA. Each access point corresponds to a particular combination of
port types.
6.3 Using the notation defined in Recommendation X.407 the Directory can be defined as follows:
directory
OBJECT
PORTS { readPort [S],
searchPort [S],
modifyPort [S]}
::= id-ot-directory
The Directory supplies operations via: Read Ports, which support reading information from a particular named entry
in the DIB; Search Ports, which allow more "exploration" of the DIB; and Modify Ports, which enable the modification of
entries in the DIB.
Note - It is intended that in the future there may be other types of Directory port.
Fascicle VIII.8 - Rec. X.511 4
6.4 Similarly, a DUA (from the viewpoint of the Directory) can be defined as follows:
dua
OBJECT
PORTS { readPort [C],
searchPort [C],
modifyPort [C]}
::= id-ot-dua
The DUA consumes the services provided by the Directory.
6.5 The ports cited from 6.2 to 6.4 can be defined as follows:
readPort
PORT
CONSUMER INVOKES {
Read, Compare, Abandon}
::= id-pt-search
searchPort
PORT
CONSUMER INVOKES {
List, Search}
::= id-pt-search
modifyPort
PORT
CONSUMER INVOKES {
AddEntry, RemoveEntry,
ModifyEntry, ModifyRDN}
::= id-pt-modify
6.6 The operations from the readPort, searchPort and the modifyPort are defined in 9, 10, and 11 respectively.
6.7 These ports are used only as a method of structuring the description of the Directory service. Conformance to the
Directory operations is specified in Recommendation X.519.
7 Information types
7.1 Introduction
7.1.1 This paragraph identifies, and in some cases defines, a number of information types which are subsequently used in
the definition of Directory operations. The information types concerned are those which are common to more than one
operation, are likely to be in the future, or which are sufficiently complex or self-contained as to merit being defined
separately from the operation which uses them.
7.1.2 Several of the information types used in the definition of the Directory service are actually defined elsewhere.
Paragraph 7.2 identifies types and indicates the source of their definition. Each of the remaining (7.3 to 7.10) identifies
and defines an information type.
7.2 Information types defined elsewhere
7.2.1 The following information types are defined in Recommendation X.501:
a) Attribute;
b) AttributeType;
c) AttributeValue;
d) AttributeValueAssertion;
e) DistinguishedName;
f) Name;
g) RelativeDistinguishedName.
5 Fascicle VIII.8 - Rec. X.511
7.2.2 The following information type is defined in Recommendation X.520:
a) PresentationAddress.
7.2.3 The following information types are defined in Recommendation X.509:
a) Certificate;
b) SIGNED;
c) CertificationPath.
7.2.4 The following information type is defined in Recommendation X.219:
a) InvokeID.
7.2.5 The following information types are defined in Recommendation X.518:
a) OperationProgress;
b) ContinuationReference.
7.3 Common arguments
7.3.1 The CommonArguments information may be present to qualify the invocation of each operation that the Directory
can perform.
CommonArguments ::=SET {
[30] ServiceControls DEFAULT { },
[29] SecurityParameters DEFAULT { },
requestor [28] DistinguishedName
OPTIONAL,
[27] OperationProgress DEFAULT notStarted,
aliasedRDNs [26] INTEGER OPTIONAL,
extensions [25] SET OF EXTENSION OPTIONAL}
Extension ::= SET {
identifier[0] INTEGER,
critical [1] BOOLEAN DEFAULT FALSE,
item [2] ANY DEFINED BY identifier}
7.3.2 The various components have the meanings as defined in 7.3.2.1 to 7.3.2.4.
7.3.2.1The ServiceControls component is specified in 7.5. Its absence is deemed equivalent to there being an empty set
of controls.
7.3.2.2The SecurityParameters component is specified in 7.9. Its absence is deemed equivalent to there being an empty
set of security parameters.
7.3.2.3The requestor DistinguishedName identifies the originator of a particular abstract- operation. It holds the name of
the user as identified at the time of binding to the Directory. It may be required when the request is to be signed (see
7.10), and shall hold the name of the user who initiated the request.
7.3.2.4The OperationProgress defines the role that the DSA is to play in the distributed evaluation of the request. It is
more fully defined in Recommendation X.518.
7.3.2.5The aliasedRDNs component indicates to the DSA that the object component of the operation was created by the
dereferencing of an alias on an earlier operation attempt. The integer value indicates the number of RDNs in the object that
came from dereferencing the alias. (The value would have been set in the referral response of the previous operation.)
7.3.2.6The extensions component provides a mechanism to express standardized extensions to the form of the argument
of a Directory abstract-operation.
Note - The form of the result of such an extended abstract-operation is identical to that of the non-extended version.
(Nonetheless, the result of a particular extended abstract-operation may differ from its non-extended counterpart).
The subcomponents are as defined in 7.3.2.6.1 to 7.3.2.6.3.
7.3.2.6.1 The identifier serves to identify a particular extension. Values of this component shall be assigned only by future
versions of this series of Recommendations.
7.3.2.6.2 The critical subcomponent allows the originator of the extended abstract-operation to indicate that the performance
Fascicle VIII.8 - Rec. X.511 6
of only the extended form of the abstract-operation is acceptable (i.e. that the non-extended form is not acceptable). In this
case the extension is a critical extension. If the Directory, or some part of it, is unable to perform a critical extension it
returns an indication of unavailableCriticalExtension (as a ServiceError or PartialOutcomeQualifier). If the Directory is
unable to perform an extension which is not critical, it ignores the presence of the extension.
7.3.2.6.3 The item subcomponent provides the information needed for the Directory to perform the extended form of the
abstract-operation.
7.4 Common results
7.4.1 The CommonResults information should be present to qualify the result of each retrieval operation that the
Directory can perform.
CommonResults ::= SET {
[30] SecurityParameters OPTIONAL,
performer [29] DistinguishedName
OPTIONAL,
aliasDereferenced [28]BOOLEAN
DEFAULT FALSE}
7.4.2 The various components have the meanings as defined in 7.4.2.1 to 7.4.2.3.
7.4.2.1The SecurityParameters component is specified in 7.9. Its absence is deemed equivalent to there being an empty
set of security parameters.
7.4.2.2The performer DistinguishedName identifies the performer of a particular operation. It may be required when the
result is to be signed (see 7.10), and shall hold the name of the DSA which signed the result.
7.4.2.3The aliasDereferenced Component is set to TRUE when the purported name of an object or base object which is
the target of the operation included on alias which was dereferenced.
7.5 Service controls
7.5.1 A ServiceControls parameter contains the controls, if any, that are to direct or constrain the provision of the
service.
ServiceControls::= SET {
options [0] BIT STRING {
preferChaining(0)
chainingProhibited (1),
localScope (2),
dontUseCopy (3),
dontDereferenceAliases(4)}
DEFAULT {},
priority [1] INTEGER {
low (0),
medium (1),
high (2) } DEFAULT medium,
7 Fascicle VIII.8 - Rec. X.511
timeLimit [2] INTEGER OPTIONAL,
sizeLimit [3] INTEGER OPTIONAL,
scopeOfReferral [4] INTEGER {
dmd(0),
country(1)}
OPTIONAL }
7.5.2 The various components have the meanings as defined in 7.5.2.1 to 7.5.2.5.
7.5.2.1The options component contains a number of indications, each of which, if set, asserts the condition suggested.
Thus:
a) preferChaining indicates that the preference is that chaining, rather than referrals, be used to provide the
service. The Directory is not obliged to follow this preference;
b) chainingProhibited indicates that chaining, and other methods of distributing the request around the
Directory, are prohibited;
c) localScope indicates that the operation is to be limited to a local scope. The definition of this option is itself
a local matter. For example, within a single DSA or a single DMD;
d) dontUseCopy indicates that copied information (as defined in Recommendation X.518) shall not be used to
provide the service;
e) dontDereferenceAliases indicate that any alias used to identify the entry affected by an operation is not to
be dereferenced;
Note - This is necessary to allow reference to an alias entry itself rather than the aliased entry, e.g. in order to read
the alias entry.
If this component is omitted, the following are assumed: no preference for chaining but chaining not prohibited, no
limit on the scope of the operation, use of copy permitted, and aliases will be dereferenced (except for modify operations
where aliases will never be dereferenced).
7.5.2.2The priority (low, medium or high) at which the service is to be provided. Note that this is not a guaranteed service
in that Directory, as a whole, does not implement queuing. There is no relationship implied with the use of "priorities" in
underlying layers.
7.5.2.3The timeLimit indicates the maximum elapsed time, in seconds, within which the service shall be provided. If the
constraint cannot be met, an error is reported. If this component is omitted, no time limit is implied. In the case of time limit
exceeded on a List or Search, the result is an arbitrary selection of the accumulated results.
Note - This component does not imply the length of time spent processing the request during the elapsed time: any
number of DSAs may be involved in processing the request during the elapsed time.
7.5.2.4The sizeLimit is only applicable to List and Search operations. It indicates the maximum number of objects to be
returned. In the case of size limit exceeded, the results of List and Search may be an arbitrary selection of the accumulated
results, equal in number to the size limit. Any further results shall be discarded.
7.5.2.5The scopeOfReferral indicates the scope to which a referral returned by a DSA should be relevant. Depending on
whether the value dmd or country are selected, only referrals to other DSAs within the selected scope will be returned.
This applies to the referrals in both a ReferralError and the unexplored parameter of List and Search results.
7.5.3 Certain combinations of priority, timeLimit, and sizeLimit may result in conflicts. For example, a short time limit
could conflict with low priority; a high size limit could conflict with a low time limit, etc.
7.6 Entry information selection
7.6.1 An EntryInformationSelection parameter indicates what information is being requested from an entry in a retrieval
service.
EntryInformationSelection ::= SET {
attributeTypes
CHOICE {
allAttributes [0] NULL,
select [1]] SET OF AttributeType
-- empty set implies no attributes
-- are requested --}
Fascicle VIII.8 - Rec. X.511 8
DEFAULT allAttributes NULL,
InfoTypes [2] INTEGER {
attributeTypesOnly (0),
attributeTypesAndValues (1) }
DEFAULT attributeTypesAndValues }
7.6.2 The various components have the meanings as defined in 7.6.2.1 and 7.6.2.2.
7.6.2.1The attributeTypes component specifies the set of attributes about which information is requested:
a) if the select option is chosen, then the attributes involved are listed. If the list is empty, then no attributes
will be returned. Information about a selected attribute shall be returned if the attribute is present. An
AttributeError with the noSuchAttribute problem shall only be returned if none of the attributes selected is
present;
b) if the allAttributes option is selected, then information is requested about all attributes in the entry.
Attribute information is only returned if access rights are sufficient. A SecurityError (with an
insufficientAccessRights problem) will only be returned in the case where access rights preclude the reading of all attribute
values requested.
7.6.2.2The infoTypes component specifies whether both attribute type and attribute value information (the default) or
attribute type information only is requested. If the attributeTypes component ( 7.6.2.1) is such as to request no attributes,
then this component is not meaningful.
7.7 Entry information
7.7.1 An EntryInformation parameter conveys selected information from an entry.
EntryInformation::= SEQUENCE {
DistinguishedName,
fromEntry BOOLEAN DEFAULT TRUE,
SET OF CHOICE {
AttributeType,
Attribute} OPTIONAL }
7.7.2 The DistinguishedName of the entry is always included.
7.7.3 The fromEntry parameter indicates whether the information was obtained from the entry (TRUE) or a copy of the
entry (FALSE).
7.7.4 A set of AttributeTypes or Attributes are included, if relevant, each of which may be alone or accompanied by one
or more attribute values.
7.8 Filter
7.8.1 A Filter parameter applies a test that is either satisfied or not by a particular entry. The filter is expressed in terms
of assertions about the presence or value of certain attributes of the entry, and is satisfied if and only if it evaluates to TRUE.
Note - A Filter may be TRUE, FALSE, or undefined.
Filter::= CHOICE {
item [0] FilterItem,
and [1] SET OF Filter,
or [2] SET OF Filter,
not [3] Filter }
FilterItem ::=CHOICE {
equality [0] AttributeValueAssertion,
substrings [1] SEQUENCE {
type AttributeType,
strings SEQUENCE OF CHOICE {
Initial[0]AttributeValue,
9 Fascicle VIII.8 - Rec. X.511
any [1]AttributeValue,
final [2]AttributeValue}},
greaterOrEqual[2] AttributeValueAssertion,
lessOrEqual [3]AttributeValueAssertion,
present [4] AttributeType,
approximateMatch[5] AttributeValueAssertion }
7.8.2 A Filter is either a FilterItem (see 7.8.3), or an expression involving simpler Filters composed together using the
logical operators and, or, and not. The Filter is undefined if it is a FilterItem which is undefined, or if it involves one or
more simpler Filters, all of which are undefined. Otherwise, where the Filter is:
a) an item, it is TRUE if and only if the corresponding FilterItem is TRUE;
b) an and, it is TRUE unless any of the nested Filters is FALSE;
Note - Thus, if there are no nested Filters the and evaluates to TRUE.
c) an or, it is FALSE unless any of the nested Filters is TRUE;
Note - Thus, if there are no nested Filters the or evaluates to FALSE.
d) a not, it is TRUE if and only if the nested Filter is FALSE.
7.8.3 A FilterItem is an assertion about the presence or value(s) of an attribute of a particular type in the entry under
test. Each such assertion is TRUE, FALSE, or undefined.
7.8.3.1Every FilterItem includes an AttributeType which identifies the particular attribute concerned.
7.8.3.2Any assertion about the value of such an attribute is only defined if the AttributeType is known, and the purported
AttributeValue(s) conforms to the attribute syntax defined for that attribute type.
Note 1 - Where these conditions are not met the FilterItem is undefined.
Note 2 - Access control restrictions may require that the FilterItem be considered undefined.
7.8.3.3Assertions about the value of an attribute are evaluated using the matching rules associated with the attribute syntax
defined for that attribute type. A matching rule not defined for a particular attribute syntax cannot be used to make assertions
about that attribute.
Note - Where this condition is not met, the FilterItem is undefined.
7.8.3.4A FilterItem may be undefined (as described in 7.8.3.2 and 7.8.3.3 above). Otherwise, where the FilterItem
asserts:
a) equality, it is TRUE if and only if there is a value of the attribute which is equal to that asserted;
b) substrings, it is TRUE if and only if there is a value of the attribute in which the specified substrings appear
in the given order. The substrings shall be non-overlapping, and may (but need not) be separated from the
ends of the attribute value and from one another by zero or more string elements.
If initial is present, the substring shall match the initial substring of the attribute value; if final is present, the
substring shall match the final substring of the attribute value; if any is present, the substring may match any
substring in the attribute value;
c) greaterOrEqual, it is TRUE if and only if the relative ordering (as defined by the appropriate ordering
algorithm) places the supplied value before or equal to any value of the attribute;
d) lessOrEqual, it is TRUE if and only if the relative ordering (as defined by the appropriate ordering algorithm)
places the supplied value after or equal to any value of the attribute;
e) present, it is TRUE if and only if such an attribute is present in the entry;
f) approximateMatch, it is TRUE if and only if there is a value of the attribute which matches that which is
asserted by some locally-defined approximate matching algorithm (e.g. spelling variations, phonetic match,
etc.). There are no specific guidelines for approximate matching in this version of the Recommendation. If
Fascicle VIII.8 - Rec. X.511 10
approximate matching is not supported, this FilterItem should be treated as a match for equality.
7.9 Security Parameters
7.9.1 The SecurityParameters govern the operation of various security features associated with a Directory operation.
Note - These parameters are conveyed from sender to recipient. Where the parameters appear in the argument of
an abstract-operation the requestor is the sender, and the performer is the recipient. In a result, the roles are reversed.
SecurityParameters::= SET {
certification-path [0]
CertificationPathOPTIONAL,
name [1] DistinguishedName
OPTIONAL,
time [2] UTCTime OPTIONAL,
random [3] BIT STRING OPTIONAL,
target [4] ProtectionRequest OPTIONAL
}
ProtectionRequest::= INTEGER {
none(0),
signed (1)}
7.9.2 The various components have the meanings as defined in 7.9.2.1 to 7.9.2.5.
7.9.2.1The CertificationPath component consists of the sender's certificate, and, optionally, a sequence of certificate pairs.
The certificate is used to associate the sender's public key and distinguished name, and may be used to verify the signature
on the argument or result. This parameter shall be present if the argument or result is signed. The sequence of certification
pairs consists of certification authority cross certificates. It is used to enable the sender's certificate to be validated. It is not
required if the recipient shares the same certification authority as the sender. If the recipient requires a valid set of certificate
pairs, and this parameter is not present, whether the recipient rejects the signature on the argument or result, or attempts to
generate the certification path, is a local matter.
7.9.2.2The name is the distinguished name of the first intended recipient of the argument or result. For example, if a DUA
generates a signed argument, the name is the distinguished name of the DSA to which the operation is submitted.
7.9.2.3The time is the intended expiry time for the validity of the signature, when signed arguments are used. It is used in
conjunction with the random number to enable the detection of replay attacks.
7.9.2.4The random component is a number which should be different for each unexpired token. It is used in conjunction
with the time parameter to enable the detection of replay attacks when the argument or result has been signed.
7.9.2.5The target ProtectionRequest may appear only in the request for an operation to be carried out, and indicates the
requestor's preference regarding the degree of protection to be provided to the result. Two levels are provided: none (no
protection requested), and signed (the Directory is requested to sign the result, the default). The degree of protection actually
provided to the result is indicated by the form of result and may be equal to or lower than that requested, based on the
limitations of the Directory.
7.10 OPTIONALLY-SIGNED
7.10.1 An OPTIONALLY-SIGNED information type is one whose values may, at the option of the generator, be
accompanied by their digital signature. This capability is specified by means of the following macro:
OPTIONALLY-SIGNED MACRO ::=
BEGIN
TYPE NOTATION ::= type (Type)
VALUE NOTATION ::= value (VALUE
CHOICE { Type, SIGNED Type})
END
7.10.2 The SIGNED macro, which describes the form of the signed form of the information, is specified in Recommendation
X.509.
8 Bind and unbind operations
The DirectoryBind and DirectoryUnbind operations, defined in 8.1 and 8.2 respectively, are used by the DUA
11 Fascicle VIII.8 - Rec. X.511
at the beginning and end of a particular period of accessing the Directory.
8.1 Directory bind
8.1.1 A DirectoryBind operation is used at the beginning of a period of accessing the Directory.
DirectoryBind ::= ABSTRACT-BIND
TO { readPort, searchPort, modifyPort }
BIND
ARGUMENT DirectoryBindArgument
RESULT DirectoryBindResult
BIND-ERROR DirectoryBindError
DirectoryBindArgument::= SET {
credentials[0] Credentials OPTIONAL,
versions [1] Versions DEFAULT
v1988}
Credentials::= CHOICE {
simple [0] SimpleCredentials,
strong [1] StrongCredentials,
externalProcedure [2] EXTERNAL }
SimpleCredentials::= SEQUENCE {
name [0] DistinguishedName,
validity [1] SET {
time1[0] UTCTime OPTIONAL,
Time2[1] UTCTime OPTIONAL,
random1 [2] BIT STRING OPTIONAL,
random2 [3] BIT STRING OPTIONAL } OPTIONAL,
-- in most instances the argument for
-- time and random are relevant in
-- dialogues employing protected password
-- mechanisms and derive their meaning
-- as per bilateral agreements
password [2] OCTET STRING OPTIONAL }
-- the value could be an unprotected
-- password or Protected1 or Protected2
-- as specified in Recommendation X.509.
StrongCredentials::= SET {
certification-path[0] CertificationPath
OPTIONAL,
bind-token[1] Token }
Token ::= SIGNED SEQUENCE {
algorithm[0] AlgorithmIdentifier,
name [1] DistinguishedName,
time [2] UTCTime,
random [3] BIT STRING }
Versions ::= BIT STRING {v1988(0)}
DirectoryBindResult::= DirectoryBindArgument
DirectoryBindError ::= SET {
versions [0] Versions DEFAULT v1988,
CHOICE {
serviceError[1] ServiceProblem
securityError[2] SecurityProblem
}}
8.1.2 The various arguments have the meanings as defined in 8.1.2.1 to 8.1.2.2.
8.1.2.1The Credentials of the DirectoryBindArgument allow the Directory to establish the identity of the user. They may
be either simple, strong (as described in Recommendation X.509) or externally defined (externalProcedure).
Fascicle VIII.8 - Rec. X.511 12
8.1.2.1.1SimpleCredentials consist of a name (always the distinguished name of an object) and (optionally) a password.
This provides a limited degree of security. If the password is protected as described in 5 of Recommendation X.509, then
SimpleCredentials includes name, password and (optionally) time and/or random numbers which are used to detect replay.
In some instances a protected password may be checked by an object which knows the password only after locally
regenerating the protection to its own copy of the password and computing the result with the value in the bind argument
(password). In other instances a direct compare may be possible.
8.1.2.1.2StrongCredentials consist of a bind token and, optionally, a certificate and sequence of certification-authority cross-
certificate (as defined in Recommendation X.509). This enables the Directory to authenticate the identity of the request
establishing the association, and vice versa. The arguments of the bind
token are used as follows: algorithm is the identifier of the algorithm employed to sign the information; name is the name of
the intended recipient. The time parameter contains the expiry time of the token. The random number is a number which
should be different for each unexpired token, and may be used by the recipient to detect replay attacks.
8.1.2.1.3If externalProcedure is used then the semantics of the authentication scheme being used is outside the scope of
the Directory document.
8.1.2.2The Versions argument of the DirectoryBindArgument identifies the versions of the service which the DUA is
prepared to participate in. For this version of the protocol the value shall be set to v1988(0).
8.1.2.3Migration to future versions of the Directory should be facilitated by:
a) any elements of DirectoryBindArgument other than those defined in this Recommendation shall be
accepted and ignored;
b) additional options for named bits of DirectoryBindArgument (e.g. Versions) not defined shall be accepted
and ignored.
8.1.3 Should the bind request succeed, a result will be returned. The result parameters have the meanings as defined in
8.1.3.1 and 8.1.3.2.
8.1.3.1The Credentials of the DirectoryBindResult allow the user to establish the identity of the DSA. They allow
information identifying the DSA (that is directly providing the Directory service) to be conveyed to the DUA. They shall be of
the same form (i.e. CHOICE) as those supplied by the user.
8.1.3.2The Versions parameter of the DirectoryBindResult indicates which of the versions of the service requested by the
DUA is actually going to be provided by this DSA.
8.1.4 Should the bind request fail, a bind error will be returned as defined in 8.1.4.1 and 8.1.4.2.
8.1.4.1The Versions parameter of the DirectoryBindError indicates which versions are supported by this DSA.
8.1.4.2A securityError or serviceError shall be supplied as follows:
- securityErrorinappropriateAuthentication
invalidCredentials
- serviceErrorunavailable.
8.2 Directory unbind
8.2.1 A DirectoryUnbind operation is used at the end of a period of accessing the Directory.
DirectoryUnbind::= ABSTRACT-UNBIND
FROM {readPort, searchPort, modifyPort }
8.2.2 The DirectoryUnbind has no arguments.
9 Directory read operations
There are two "read-like" operations: Read and Compare, defined in 9.1 and 9.2, respectively. The Abandon
operation, defined in 9.3, is grouped with the Read operations for convenience.
9.1 Read
9.1.1 A Read operation is used to extract information from an explicitly identified entry. It may also be used to verify a
distinguished name. The arguments of the operation may optionally be signed (see 7.10) by the requestor. If so requested,
13 Fascicle VIII.8 - Rec. X.511
the Directory may sign the result.
Read ::= ABSTRACT-OPERATION
ARGUMENT ReadArgument
RESULT ReadResult
ERRORS {
AttributeError, NameError,
ServiceError, Referral, Abandoned,
SecurityError }
ReadArgument ::=OPTIONALLY-SIGNED SET {
object [0] Name,
selection[1] Selection F13 EntryInformationSelection
DEFAULT {}
COMPONENTS OF CommonArguments }
ReadResult::= OPTIONALLY-SIGNED SET {
entry [0] EntryInformation,
COMPONENTS OF CommonResults }
9.1.2 The various arguments have the meanings as defined in 9.1.2.1 to 9.1.2.3.
9.1.2.1The object argument identifies the object entry from which the information is requested. Should the Name involve
one or more aliases, they are dereferenced (unless this is prohibited by the relevant service controls).
9.1.2.2The selection argument indicates what information from the entry is requested (see 7.6).
9.1.2.3The CommonArguments (see 7.3) include a specification of the service controls applying to the request. For the
purposes of this operation the sizeLimit component is not relevant and is ignored if provided.
9.1.3 Should the request succeed, the result will be returned. The result parameters have the meanings as defined in
9.1.3.1 and 7.4.
9.1.3.1The entry result parameter holds the requested information (see 7.7).
9.1.4 Should the request fail, one of the listed errors will be reported. If none of the attributes explicitly listed in selection
can be returned, then an AttributeError with problem noSuchAttribute will be reported. The circumstances under which
other errors will be reported are defined in 12.
9.2 Compare
9.2.1 A Compare operation is used to compare a value (which is supplied as an argument of the request) with the
value(s) of a particular attribute type in a particular object entry. The arguments of the operation may optionally be signed
(see 7.10) by the requestor. If so requested, the Directory may sign the result.
Compare ::= ABSTRACT-OPERATION
ARGUMENT CompareArgument
RESULT CompareResult
ERRORS {
AttributeError, NameError,
ServiceError, Referral, Abandoned,
SecurityError }
CompareArgument::=OPTIONALLY-SIGNED
SET {
object [0] Name,
purported[1]AttributeValueAssertion,
COMPONENTS OF CommonArguments }
CompareResult ::= OPTIONALLY-SIGNED
SET {
DistinguishedName OPTIONAL,
matched [0] BOOLEAN,
from Entry[1]BOOLEAN DEFAULT TRUE,
COMPONENTS OF CommonResults }
9.2.2 The various arguments have the meanings as defined in 9.2.2.1 to 9.2.2.3.
9.2.2.1The object argument is the name of the particular object entry concerned. Should the Name involve one or more
aliases, they are dereferenced (unless prohibited by the relevant service control).
Fascicle VIII.8 - Rec. X.511 14
9.2.2.2The purported argument identifies the attribute type and the value to be compared with that in the entry.
9.2.2.3The CommonArguments (see 7.3) specify the service controls applying to the request. For the purposes of this
operation the sizeLimit component is not relevant and is ignored, if provided.
9.2.3 Should the request succeed (i.e. the comparison is actually carried out), the result will be returned. The result
parameters have the meanings as described in 9.2.3.1, 9.2.3.2 and 7.4.
9.2.3.1The DistinguishedName is present if an alias was dereferenced and represents the distinguished name of the
object itself.
9.2.3.2The matched result parameter, holds the result of the comparison. The parameter takes the value TRUE if the
values were compared and matched, and FALSE if they did not.
9.2.3.3If fromEntry is TRUE the information was compared against the entry; if FALSE some of the information was
compared against a copy.
9.2.4 Should the request fail, one of the listed errors will be reported. The circumstances under which the particular errors
will be reported are defined in 12.
9.3 Abandon
9.3.1 Operations that interrogate the Directory may be abandoned using the Abandon operation if the user is no longer
interested in the result.
Abandon ::=ABSTRACT-OPERATION
ARGUMENT AbandonArgument
RESULT AbandonResult
ERRORS {AbandonFailed}
AbandonArgument ::=SEQUENCE {
InvokeID [0] InvokeID}
AbandonResult ::= NULL
9.3.2 There is a single argument, the InvokeID which identifies the operation that is to be abandoned. The value of the
invokeID is the same invokeID which was used to invoke the operation which is to be abandoned.
9.3.3 Should the request succeed, a result will be returned, although no information will be conveyed with it. The original
operation will fail with an Abandoned error.
9.3.4 Should the request fail, the AbandonFailed error will be reported. This error is described in 12.3.
9.3.5 Abandon is only applicable to interrogation operations, i.e., Read, Compare, List and Search.
9.3.6 A DSA may abandon an operation locally. If the DSA has chained or multicasted the operation to other DSAs, it
may in turn request them to abandon the operation. A DSA may choose not to abandon the operation and shall then return
the AbandonFailed error.
10 Directory search operations
There are two "search-like" operations: List and Search, defined in 10.1 and 10.2 respectively.
10.1 List
10.1.1 A List operation is used to obtain a list of the immediate subordinates of an explicitly identified entry. Under some
circumstances, the list returned may be incomplete. The arguments of the operation may optionally be signed (see 7.10) by
the requestor. If so requested, the Directory may sign the result.
List ::= ABSTRACT-OPERATION
ARGUMENT ListArgument
RESULT ListResult
15 Fascicle VIII.8 - Rec. X.511
ERRORS {
NameError
ServiceError, Referral, Abandoned,
SecurityError }
List Argument::=OPTIONALLY-SIGNED SET {
object[0]Name,
COMPONENTS OF CommonArguments }
ListResult ::=OPTIONALLY-SIGNED
CHOICE {
listInfo SET {
DistinguishedName OPTIONAL,
subordinates [1] SET OF SEQUENCE {
RelativeDistinguishedName,
aliasEntry [0] BOOLEAN DEFAULT FALSE
fromEntry [1] BOOLEAN DEFAULT TRUE},
partialOutcomeQualifier [2]
PartialOutcomeQualifier OPTIONAL
COMPONENTS OF CommonResults },
uncorrelatedListInfo [0] SET OF
ListResult }
PartialOutcomeQualifier ::= SET {
limitProblem [0] LimitProblem
OPTIONAL,
unexplored [1] SET OF
ContinuationReference OPTIONAL,
unavailableCriticalExtensions [2] BOOLEAN DEFAULT FALSE }
LimitProblem ::= INTEGER {
timeLimitExceeded (0),
sizeLimitExceeded (1),
administrativeLimitExceeded (2) }
10.1.2 The various arguments have the meanings as defined in 10.1.2.1 and 7.3.
10.1.2.1The object argument identifies the object entry (or possibly the root) whose immediate subordinates are to be listed.
Should the Name involve one or more aliases, they are dereferenced (unless prohibited by the relevant service control).
10.1.3 The request succeeds if the object is located regardless of whether there is any subordinate information to return.
The result parameters have the meanings as defined in 10.1.3.1 to 10.1.3.4 and 7.4.
10.1.3.1The DistinguishedName is present if an alias was dereferenced. It represents the distinguished name of the object
itself.
10.1.3.2The subordinates parameter conveys the information on the immediate subordinate, if any, of the named entry.
Should any of the subordinate entries be aliases, they will not be dereferenced.
10.1.3.2.1 The RelativeDistinguishedName is that of the subordinate.
10.1.3.2.2 The fromEntry parameter indicates whether the information was obtained from the entry (TRUE) or a copy of
the entry (FALSE).
10.1.3.2.3 The aliasEntry parameter indicates whether the subordinate entry is an alias entry (TRUE) or not (FALSE).
10.1.3.3The PartialOutcomeQualifier consists of three subcomponents as defined in 10.1.3.3.1 to 10.1.3.3.3. This
parameter shall be present whenever the result is incomplete.
10.1.3.3.1 The LimitProblem parameter indicates whether the time limit, the size limit, or an administrative limit has
been exceeded. The results being returned are those which were available when the limit was reached.
10.1.3.3.2 The unexplored parameter shall be present if regions of the DIT were not explored. Its information allows
the DUA to continue the processing of the List operation by contacting other access points if it so chooses. The parameter
consists of a set (possibly empty) of ContinuationReferences, each consisting of the name of a base object from which the
operation may be progressed, an appropriate value of OperationProgress, and a set of access points from which the
request may be further progressed. The ContinuationReferences that are returned shall be within the scope of referral
requested in the operation service control.
Fascicle VIII.8 - Rec. X.511 16
10.1.3.3.3 The unavailableCriticalExtensions parameter indicates, if present, that one or more critical extensions were
unavailable in some part of the Directory.
10.1.3.4When the DUA has requested a protection request of signed, the uncorrelatedListInfo parameter may comprise a
number of sets of result parameters originating from and signed by different components of the Directory. If no DSA in the
chain can correlate all the results, the DUA must assemble the actual result from the various pieces.
10.1.4 Should the request fail, one of the listed errors will be reported. The circumstances under which the particular errors
will be reported are defined in 12.
10.2 Search
10.2.1 A Search operation is used to search a portion of the DIT for entries of interest and to return selected information
from those entries. The arguments of the operation may optionally be signed (see 7.10) by the requestor. If so requested,
the Directory may sign the result.
Search ::=ABSTRACT-OPERATION
ARGUMENT SearchArgument
RESULT SearchResult
ERRORS {
AttributeError, NameError,
ServiceError, Referral, Abandoned,
SecurityError }
SearchArgument ::= OPTIONALLY-SIGNED
SET {
baseObject [0] Name,
subset [1] INTEGER {
baseObject (0),
oneLevel(1),
wholeSubtree(2)} DEFAULT baseObject,
filter [2] Filter DEFAULT and {}.
searchAliases [3] BOOLEAN DEFAULT TRUE,
selection[4] EntryInformationSelection DEFAULT {}
COMPONENTS OF CommonArguments }
SearchResult ::=OPTIONALLY-SIGNED
CHOICE {
searchInfo SET {
DistinguishedName OPTIONAL,
entries [0] SET OF EntryInformation,
partialOutcomeQualifier
[2]PartialOutcomeQualifier OPTIONAL,
COMPONENTS OF CommonResults },
uncorrelatedSearchInfo [0] SET OF
SearchResult }
10.2.2 The various arguments have the meanings as defined in 10.2.2.1 to 10.2.2.3, 10.2.2.5, and 7.3.
10.2.2.1The baseObject argument identifies the object entry (or possibly the root) relative to which the search is to take
place.
10.2.2.2The subset argument indicates whether the search is to be applied to:
a) the baseObject only;
b) the immediate subordinates of the base object only (oneLevel);
c) the base object and all its subordinates (wholeSubtree).
10.2.2.3The filter argument is used to eliminate entries from the search space which are not of interest. Information will only
17 Fascicle VIII.8 - Rec. X.511
be returned on entries which satisfy the filter (see 7.8).
10.2.2.4Aliases shall be dereferenced while locating the base object, subject to the setting of the
dontDereferenceAliasesServiceControl. Aliases among the subordinates of the base object shall be dereferenced during
the search, subject to the setting of the searchAliases parameter. If the searchAliases parameter is TRUE, aliases shall be
dereferenced, if the parameter is FALSE, aliases shall not be dereferenced. If the searchAliases parameter is TRUE, the
search shall continue in the subtree of the aliased object.
10.2.2.5The selection argument indicates what information from the entries is requested (see 7.6).
10.2.3 The request succeeds if the base object is located, regardless of whether there are any subordinates to return.
Note - As a corollary to this, the outcome of an (unfiltered) Search applied to a single entry may not be identical to
a Read which seeks to interrogate the same set of attributes of the entry. This is because the latter will return an
AttributeError if none of the selected attributes exist in the entry.
The result parameters have the meanings as defined in 10.2.3.1 to 10.2.3.4 and 7.3.
10.2.3.1The DistinguishedName is present if an alias was dereferenced, and represents the distinguished name of the base
object.
10.2.3.2The entries parameter conveys the requested information from each entry (zero or more) which satisfied the filter
(see 7.5).
10.2.3.3The PartialOutcomeQualifier consists of two subcomponents as described for the List operation in 10.1.3.4.
10.2.3.4The uncorrelatedSearchInfo parameter is as described for uncorrelatedListInfo in 10.1.3.4.
10.2.4 Should the request fail, one of the listed errors will be reported. The circumstances under which the particular errors
will be reported are defined in 12.
11 Directory modify operations
There are four operations to modify the Directory: AddEntry, RemoveEntry, ModifyEntry and ModifyRDN defined
in 11.1 to 11.4 respectively.
Note 1 - Each of these abstract-operations identifies the target entry by means of its distinguished name.
Note 2 - The success of AddEntry, RemoveEntry, and ModifyRDN operations will be dependent on the physical
distribution of the DIB across the Directory. Failure will be reported with an UpdateError and problem affectsMultipleDSAs.
See Recommendation X.518.
11.1 Add entry
11.1.1 An AddEntry operation is used to add a leaf entry (either an object entry, or an alias entry) to the DIT. The
arguments of the operation may optionally be signed (see 7.10) by the requestor.
AddEntry ::= ABSTRACT-OPERATION
ARGUMENT AddEntryArgument
RESULT AddEntryResult
ERRORS {
AttributeError, NameError,
ServiceError, Referral, SecurityError,
UpdateError }
AddEntryArgument::= OPTIONALLY-SIGNED
SET {
object [0] DistinguishedName,
entry [1] SET OF Attribute,
COMPONENTS OF CommonArguments }
AddEntryResult ::=NULL
11.1.2 The various arguments have the meanings as defined in 11.1.2.1 to 11.1.2.3.
11.1.2.1The object argument identifies the entry to be added. Its immediate superior, which must already exist for the
operation to succeed, can be determined by removing the last RDN component (which belongs to the entry to be created).
11.1.2.2The entry argument contains the attribute information which, together with that from the RDN, constitutes the entry
to be created. The Directory shall ensure that the entry conforms to the Directory schema. Where the entry being created is
Fascicle VIII.8 - Rec. X.511 18
an alias, no check is made to ensure that the aliasedObjectName attribute points to a valid entry.
11.1.2.3The CommonArguments (see 7.3) include a specification of the service controls applying to the request. For the
purposes of this operation the dontDereferenceAlias option and the sizeLimit component are not relevant and are ignored if
provided. Aliases are never dereferenced by this operation.
11.1.3 Should the request succeed, a result will be returned, although no information will be conveyed with it.
11.1.4 Should the request fail, one of the listed errors will be reported. The circumstances under which the particular errors
will be reported are defined in 12.
11.2 Remove Entry
11.2.1 A RemoveEntry operation is used to remove a leaf entry (either an object entry or an alias entry) from the DIT. The
arguments of the operation may optionally be signed (see 7.10) by the requestor.
RemoveEntry ::=ABSTRACT-OPERATION
ARGUMENT RemoveEntryArgument
RESULT RemoveEntryResult
ERRORS {
NameError,
ServiceError, Referral, SecurityError,
UpdateError}
RemoveEntryArgument ::= OPTIONALLY-SIGNED SET {
object [0] DistinguishedName,
COMPONENTS OF CommonArguments }
RemoveEntryResult ::= NULL
11.2.2 The various arguments have the meanings as defined in 11.2.2.1 and 11.2.2.2.
11.2.2.1The object argument identifies the entry to be deleted. Aliases in the name will not be dereferenced.
11.2.2.2The CommonArguments (see 7.3) include a specification of the service controls applying to the request. For the
purposes of this operation the dontDereferenceAlias option and the sizeLimit component are not relevant and are ignored if
provided. Aliases are never dereferenced by this operation.
11.2.3 Should the request succeed, a result will be returned, although no information will be conveyed with it.
11.2.4 Should the request fail, one of the listed errors will be reported. The circumstances under which the particular errors
will be reported are defined in 12.
11.3 Modify Entry
11.3.1 The ModifyEntry operation is used to perform a series of one or more of the following modifications to a single
entry:
a) add a new attribute;
b) remove an attribute;
c) add attribute values;
d) remove attribute values;
e) replace attribute values;
f) modify an alias.
The arguments of the operation may optionally be signed (see 7.10) by the requestor.
ModifyEntry ::=ABSTRACT-OPERATION
ARGUMENT ModifyEntryArgument
RESULT ModifyEntryResult
ERRORS {
AttributeError, NameError,
ServiceError, Referral, SecurityError,
UpdateError }
ModifyEntryArgument ::= OPTIONALLY-SIGNED SET {
19 Fascicle VIII.8 - Rec. X.511
object [0] DistinguishedName,
changes [1] SEQUENCE OF EntryModification,
COMPONENTS OF CommonArguments }
ModifyEntryResult ::=NULL
EntryModification ::=CHOICE {
addAttribute [0] Attribute,
removeAttribute [1] AttributeType,
addValues [2] Attribute,
removeValues [3] Attribute }
11.3.2 The various arguments have the meanings as defined in 11.3.2.1 and 11.3.2.2.
11.3.2.1The object argument identifies the entry to which the modifications should be applied. Any aliases in the name will
not be dereferenced.
11.3.2.2The changes argument defines a sequence of modifications, which are applied in the order specified. If any of the
individual modifications fails, then an AttributeError is generated and the entry left in the state it was prior to the operation.
That is, the operation is atomic. The end result of the sequence of modifications shall not violate the Directory schema.
However, it is possible, and sometimes necessary, for the individual EntryModification changes to appear to do so. The
following types of modification may occur:
a) addAttribute: This identifies a new attribute to be added to the entry, which is fully specified by the
argument. Any attempt to add an already existing attribute results in an AttributeError;
b) removeAttribute: The argument identifies (by its type) an attribute to be removed from the entry. Any
attempt to remove a non-existing attribute results in an AttributeError;
Note - This operation is not allowed if the attribute type is present in the RDN.
c) addValues: This identifies an attribute by the attribute type in the argument, and specifies one or more
attribute values to be added to the attribute. An attempt to add an already existing value results in an error.
An attempt to add a value to a non-existent type results in an error;
d) removeValues: This identifies an attribute by the attribute type in the argument and specifies one or more
attribute values to be removed from the attribute. If the values are not present in the attribute, this results in
an AttributeError. If an attempt is made to modify the object class attribute, an update error is returned.
Note - This operation is now allowed if one of the values is present in the RDN.
Values may be replaced by a combination of addValues and removeValues in a single ModifyEntry operation.
11.3.2.3The CommonArguments (see 7.3) include a specification of the service controls applying to the request. For the
purposes of this operation the dontDereferenceAlias option and the sizeLimit component are not relevant and are ignored if
provided. Aliases are never dereferenced by this operation.
11.3.3 Should the request succeed, a result will be returned although no information will be conveyed with it.
11.3.4 Should the request fail, one of the listed errors will be reported. The circumstances under which the particular errors
will be reported are defined in 12.
11.4 Modify RDN
11.4.1 The ModifyRDN operation is used to change the Relative Distinguished Name of a leaf entry (either an object entry
or an alias entry) in the DIT. The arguments of the operation may optionally be signed (see 7.10) by the requestor.
ModifyRDN ::= ABSTRACT-OPERATION
ARGUMENT ModifyRDNArgument
RESULT ModifyRDNResult
ERRORS {
NameError,
ServiceError, Referral, SecurityError,
UpdateError }
ModifyRDNArgument ::=OPTIONALLY-SIGNED SET {
object [0] DistinguishedName,
newRDN [1] RelativeDistinguishedName,
deleteOldRDN [2] BOOLEAN DEFAULT FALSE,
COMPONENTS OF CommonArguments }
ModifyRDNResult::= NULL
11.4.2 The various parameters have the meanings as defined in 11.4.2.1 to 11.4.2.5.
Fascicle VIII.8 - Rec. X.511 20
11.4.2.1The object argument identifies the entry whose Relative Distinguished Name is to be modified. Aliases in the name
will not be dereferenced. The immediate superior entry shall not have any Non-Specific Subordinate References (see
Recommendation X.518).
11.4.2.2The newRDN argument specifies the new RDN of the entry.
11.4.2.3If an attribute value in the new RDN does not already exist in the entry (either as part of the old RDN or as a non-
distinguished value) it is added. If it cannot be added, an error is returned.
11.4.2.4If the deleteOldRDN flag is set, all attribute values in the old RDN which are not in the new RDN are deleted. If
this flag is not set, the old values should remain in the entry (not as a part of the RDN). The flag shall be set where a single
value attribute in the RDN has its value changed by the operation. If this operation removes the last attribute value of an
attribute, that attribute shall be deleted.
11.4.2.5The Common Arguments (see 7.3) include a specification of the service controls applying to the request. For the
purposes of this operation the dontDereferenceAlias option and the sizeLimit component are not relevant and are ignored if
provided. Aliases are never dereferenced by this operation.
11.4.3 Should the request succeed, a result will be returned, although no information will be conveyed with it.
11.4.4 Should the request fail, one of the listed errors will be reported. The circumstances under which the particular errors
will be returned are defined in 12.
11.4.5 As defined in this Recommendation this operation may only be used on a leaf entry.
12 Errors
12.1 Error Precedence
12.1.1 The Directory does not continue to perform an operation beyond the point at which it determines that an error is to
be reported.
Note 1 - An implication of this rule is that the first error encountered can differ for repeated instances of the same
query, as there is not a specific logical order in which to process a given query. For example, DSAs may be searched in
different orders.
Note 2 - The rules of error precedence specified here apply only to the abstract service provided by the Directory as
a whole. Different rules apply when the internal structure of the Directory is taken into account.
12.1.2 Should the Directory simultaneously detect more than one error, the following list determines which error is reported.
An error higher in the list has a higher logical precedence than one below it and is the error which is reported.
a) NameError
b) UpdateError
c) AttributeError
d) SecurityError
e) ServiceError.
12.1.3 The following errors do not present any precedence conflicts:
a) AbandonFailed, because it is specific to one operation, Abandon, which can encounter no other error;
b) Abandoned, which is not reported if an Abandon operation is received simultaneously with the detection of
an error. In this case an AbandonFailed error, reporting the problem tooLate is reported along with the
report of the actual error encountered;
c) Referral, which is not a "real" error, only an indication that the Directory has detected that the DUA must
present its request to another access point.
12.2 Abandoned
12.2.1 This outcome may be reported for any outstanding directory enquiry operation (i.e. Read, Search, Compare, List) if
the DUA invokes an Abandon operation with the appropriate InvokeID.
Abandoned ::= ABSTRACT-ERROR -- not literally an "error"
12.2.2 There are no parameters associated with this error.
21 Fascicle VIII.8 - Rec. X.511
12.3 Abandon Failed
12.3.1 The AbandonFailed error reports a problem encountered during an attempt to abandon an operation.
AbandonFailed ::=ABSTRACT-ERROR
PARAMETER SET {
problem [0] AbandonProblem,
operation [1] InvokeID}
AbandonProblem ::=INTEGER
noSuchOperation (1),
tooLate (2),
cannotAbandon (3) }
12.3.2 The various parameters have the meanings as defined in 12.3.2.1 and 12.3.2.2.
12.3.2.1The particular problem encountered is specified. Any of the following problems may be indicated:
a) noSuchOperation, when the Directory has no knowledge of the operation which is to be abandoned (this
could be because no such invoke took place or because the Directory has forgotten about it);
b) tooLate, when the Directory has already responded to the operation;
c) cannotAbandon, when an attempt has been made to abandon an operation for which this is prohibited (e.g.
modify), or the abandon could not be performed.
12.3.2.2The identification of the particular operation (invocation) to be abandoned.
12.4 Attribute Error
12.4.1 An AttributeError reports an attribute-related problem.
AttributeError ::= ABSTRACT-ERROR
PARAMETER SET {
object [0] Name,
problems [1] SET OF SEQUENCE {
problem [0] AttributeProblem,
type [1] AttributeType,
value [2] AttributeValue
OPTIONAL }}
AttributeProblem ::= INTEGER {
noSuchAttributeOrValue (1),
InvalidAttributeSyntax (2),
undefinedAttributeType (3),
InappropriateMatching (4),
constraintViolation (5)
attributeOrValueAlreadyExists (6) }
12.4.2 The various parameters have the meanings as described in 12.4.2.1 and 12.4.2.2.
12.4.2.1The object parameter identifies the entry to which the operation was being applied when the error occurred.
12.4.2.2One or more problems may be specified. Each problem identified below is accompanied by an indication of the
attribute type, and if necessary to avoid ambiguity, the value, which caused the problem:
a) noSuchAttributeOrValue: The named entry lacks one of the attributes or attribute values specified as an
argument of the operation;
b) invalidAttributeSyntax: A purported attribute value, specified as an argument of the operation, does not
conform to the attribute syntax of the attribute type;
c) undefinedAttributeType: An undefined attribute type was provided as an argument to the operation. This
error may occur only in relation to Add, Remove, Modify or ModifyRDN operations;
d) inappropriateMatching: An attempt was made, e.g. in a filter, to use a matching rule not defined for the
attribute type concerned;
e) constraintViolation: An attribute or attribute value supplied in the argument of abstract- operation does not
conform to the constraints imposed by Recommendation X.501 or by the attribute definition (e.g. the value
Fascicle VIII.8 - Rec. X.511 22
exceeds the maximum size allowed);
f) attributeOrValueAlreadyExists: An attempt was made to add an attribute which already existed in the entry,
or a value which already existed in the attribute.
12.5 Name Error
12.5.1 A NameError reports a problem related to the name provided as an argument to an operation.
NameError ::= ABSTRACT-ERROR
PARAMETER SET {
problem [0] NameProblem,
matched [1] Name}
NameProblem ::= INTEGER {
noSuchObject (1),
aliasProblem (2),
invalidAttributeSyntax (3),
aliasDereferencingProblem (4) }
12.5.2 The various parameters have the meanings as described in 12.5.2.1 and 12.5.2.2.
12.5.2.1The particular problem encountered. Any of the following problems may be indicated:
a) noSuchObject: The name supplied does not match the name of any object;
b) aliasProblem: An alias has been dereferenced which names no object;
c) invalidAttributeSyntax: An attribute type and its accompanying attribute value in AVA in the name are
incompatible;
d) aliasDereferencingProblem: An alias was encountered in a situation where it was not allowed.
12.5.2.2The matched parameter contains the name of the lowest entry (object or alias) in the DIT that was matched and is
a truncated form of the name provided or, if an alias has been dereferenced, of the resulting name.
Note - If there is a problem with the attribute types and/or values in the name offered in a directory operation
argument, this is reported via a NameError (with problem invalidAttributeSyntax) rather than as an AttributeError or an
UpdateError.
12.6 Referral
12.6.1 A Referral redirects the service-user to one or more access points better equipped to carry out the requested
operation.
Referral ::= ABSTRACT-ERROR -- not literally an "error"
PARAMETER SET {
candidate[0] ContinuationReference }
12.6.2 The error has a single parameter which contains a ContinuationReference which can be used to progress the
operation (see Recommendation X.518).
12.7 Security Error
12.7.1 A SecurityError reports a problem in carrying out an operation for security reasons.
SecurityError ::=ABSTRACT-ERROR
PARAMETER SET {
problem [0] SecurityProblem }
SecurityProblem ::= INTEGER {
InappropriateAuthentication (1),
InvalidCredentials (2),
InsufficientAccessRights (3),
InvalidSignature (4),
protectionRequired (5),
noInformation (6) }
12.7.2 The error has a single parameter, which reports the particular problem encountered. The following problems may be
indicated:
23 Fascicle VIII.8 - Rec. X.511
a) inappropriateAuthentication: The level of security associated with the requestor's credentials is inconsistent
with the level of protection requested, e.g. simple credentials were supplied while strong credentials were
required;
b) invalidCredentials: The supplied credentials were invalid;
c) insufficientAccessRights: The requestor does not have the right to carry out the requested operation;
d) invalidSignature: The signature of the request was found to be invalid;
e) protectionRequired: The Directory was unwilling to carry out the requested operation because the argument
was not signed;
f) noInformation: The requested operation produced a security error for which no information is available.
12.8 Service Error
12.8.1 A ServiceError reports a problem related to the provision of the service.
ServiceError ::= ABSTRACT-ERROR
PARAMETER SET {
problem [0] ServiceProblem },
ServiceProblem ::= INTEGER {
busy (1),
unavailable (2),
unwillingToPerform (3),
chainingRequired (4),
unableToProceed (5),
invalidReference (6),
timeLimitExceeded (7),
administrativeLimitExceeded (8),
loopDetected (9),
unavailableCriticalExtension (10),
outOfScope (11),
ditError (12) }
12.8.2 The error has a single parameter, which reports the particular problem encountered. The following problems may be
indicated:
a) busy: The Directory, or some part of it, is presently too busy to perform the requested operation, but may be
able to do so after a short while;
b) unavailable: The Directory, or some part of it, is currently unavailable;
c) unwillingToPerform: The Directory, or some part of it, is not prepared to execute this request, e.g. because
it would lead to excessive consumption of resources or violate the policy of an Administrative Authority
involved;
d) chainingRequired: The Directory is unable to accomplish the request other than by chaining, however
chaining was prohibited by means of the chainingProhibited service control option;
e) unableToProceed: The DSA returning this error did not have administrative authority for the appropriate
naming context and as a consequence was not able to participate in name resolution;
f) invalidReference: The DSA was unable to perform the request as directed by the DUA (in
OperationProgress). This may have arisen due to using an invalid referral;
g) timeLimitExceeded: The Directory has reached the limit of time set by the user in a service control. No
partial results are available to return to the user;
h) administrativeLimitExceeded: The Directory has reached some limit set by an administrative authority, and
Fascicle VIII.8 - Rec. X.511 24
no partial results are available to return to the user;
i) loopDetected: The Directory is unable to accomplish the request due to an internal loop;
j) unavailableCriticalExtension: The Directory was unable to execute the request because one or more critical
extensions were not available;
) Recommendation X.511 and ISO 9594-3, Information Processing Systems - Open Systems
Interconnection - The Directory - Abstract Service Definition, were developed in close
collaboration and are technically aligned.
25 Fascicle VIII.8 - Rec. X.511