![[BACK]](/cvsweb/icons/back.gif){kind=icon}
Return to introduction.tex CVS log ![[TXT]](/cvsweb/icons/text.gif){kind=icon}
![[DIR]](/cvsweb/icons/dir.gif){kind=icon}
Up to [CSRG BSD Unix] / 43BSDReno / contrib / isode-beta / doc / whitepages / administrator|
Return to introduction.tex CVS log | Up to [CSRG BSD Unix] / 43BSDReno / contrib / isode-beta / doc / whitepages / administrator |
1.1 root 1: % run this through LaTeX with the appropriate wrapper
2:
3:
\chapter {Introduction}
4: This document is {\em The Administrator's Guide\/} for the
5: NYSERNet/PSI White Pages Pilot.
6: The goal of \theguide/ is to provide a site administrator
7: with enough information to be able to participate in the White Pages
8: Pilot.
9: In practical terms,
10: this means that \theguide/ provides information on how
11: to install and maintain an OSI Directory at your site.
12:
13: The OSI Directory is used to provide the white pages service.
14: \theguide/ is not intended as a tutorial nor a detailed description
15: of the OSI Directory.
16: However, as administrative responsibilities and procedures are
17: outlined,
18: the appropriate Directory concepts will be introduced.%
19: \footnote{Actually this paragraph is a lie:
20: you can't administer the white pages without knowing what you're
21: doing,
22: and you don't know what you're doing unless you understand both
23: the basics of the OSI Directory and how the pilot project software
24: implements the Directory Service.
25: As such,
26: this entire chapter is really a thinly-veiled primer on these
27: two topics.}
28:
29: Your comments are welcome!
30: The OSI Directory is a new, complex technology.
31: Although \theguide/ attempts to be straight-forward it probably doesn't
32: succeed all the time.
33: If you have comments on this document, send them to the Internet
34: mailbox
35: \begin{quote}\begin{verbatim}
36: [email protected]
37: \end{verbatim}\end{quote}
38: so that \theguide/ can be improved.
39:
40: \newpage
41:
42:
\section* {Related Documentation}
43: The white paper
44: {\em An Introduction to a NYSERNet White Pages Pilot Project\/}
45: introduces the goals and phases of the pilot project.
46: Administrators should familiarize themselves with this document
47: before proceeding.
48:
49: There is also a document which you should provide to the user community at
50: your organization.
51: It is called
52: {\em NYSERNet/PSI White Pages Pilot Project: User's Handbook},
53: or simply \thebook/.
54:
55: The OSI Directory standard is defined in \cite{ISO.Directory,CCITT.Directory}.
56:
57: The research note {\em The Design of QUIPU\/} \cite{QUIPU.Design}
58: describes the design of the software used for the pilot project,
59: whilst {\em Volume Five\/} of the ISODE User's Manual \cite{QUIPU.Manual},
60: henceforth termed \volfive/,
61: describes the implementation of the software.
62: \theguide/ is intended to replace these later two documents as the
63: primary reference for administrators of the pilot project.
64:
65: PostScript versions of these documents are available via anonymous FTP
66: from host \verb"nisc.nyser.net" (\verb"[192.33.4.10]"):
67: \begin{quote}\small\begin{verbatim}
68: % cd /usr/src/local/
69: % ftp nisc.nyser.net
70: Connected to nisc.nyser.net.
71: 220 nisc.nyser.net FTP server ready
72: Name (nisc.nyser.net:user): anonymous
73: Password (nisc.nyser.net:anonymous): guest
74: 331 Guest login ok, send ident as password.
75: 230 Guest login ok, access restrictions apply.
76: ftp> binary
77: 200 Type set to I.
78: ftp> cd pub/isode
79: ftp> get isode-ps.tar.Z
80: ftp> get pilot-ps.tar.Z
81: ftp> quit
82: % uncompress < isode-ps.tar.Z | tar xf -
83: % uncompress < pilot-ps.tar.Z | tar xf -
84: % rm isode-ps.tar.Z pilot-ps.tar.Z
85: \end{verbatim}\end{quote}
86:
87: \newpage
88:
\section {Informational Model}
89: From a theoretical standpoint,
90: the internals of the white pages service can be viewed from
91: four different perspectives.
92: We begin with the Informational Model which describes the service in terms of
93: information objects.
94: The Directory's representation of an information object,
95: typically called an {\em entry},
96: contains information about a person, a place, an organization, etc.
97: Each entry consists of one or more attributes.
98:
99: Each attribute consists of a type,\index{attribute types}
100: indicating what kind of attribute it is,
101: and one or more values
102: (one of which is termed the {\em distinguished value\/}).
103: Attribute values are structured using a data definition language
104: called Abstract Syntax Notation One (ASN.1).
105: As such,
106: different programs using the Directory will interpret information in the same
107: way.
108: In addition,
109: the Directory will perform type-checking on the values in order
110: to keep things consistent.
111:
112: \subsection {Naming}
113: One of the attributes of an entry is particularly special:
114: it is referred to as the {\em Relative Distinguished Name\/} (RDN) of
115: the entry.
116: The RDN is formed by taking the name of the attribute and its
117: distinguished value.
118: For example,
119: if the attribute in question was called \verb"countryName" and it had
120: a distinguished value of \verb"US", then we might say that the RDN
121: for the entry was \verb"countryName=US".
122: Of course,
123: this is strictly a ``user-friendly'' notation:
124: the Directory uses a concise binary format for representing an RDN.
125: Fortunately,
126: the pilot project software allows simple textual strings to be used in their
127: place and converts back and forth accordingly.
128:
129: In the OSI Directory,
130: information is primarily organized according to a hierarchical tree
131: structure.
132: The top of the tree is termed the {\em root},
133: and has no explicit name.
134: To find the name of an object,
135: termed its {\em Distinguished Name\/} (DN),
136: one concatenates the RDNs found when traversing the tree by starting
137: at the root and proceeding directly to the object's entry.
138:
139: For purposes of discussion,
140: we write a Distinguished Name as an ordered series of RDNs separated by
141: an \verb"`@'"-sign with the most significant RDN appearing at the left;
142: e.g.,
143: \begin{quote}\small\begin{verbatim}
144: countryName=US@organizationName=NYSERNet Inc.
145: \end{verbatim}\end{quote}
146: refers to an entry with an RDN of \verb"organizationName=NYSERNet Inc."
147: whose parent has an RDN of \verb"countryName=US".
148: In turn,
149: this parent entry is an immediate child of the root.
150:
151: To avoid any potential ambiguity when using an interface to the Directory
152: such as \man fred(1c) or \man dish(1c),
153: one prefixes a \verb"`@'"-sign to a string when referring to a fully
154: qualified Distinguished Name;
155: e.g.,
156: \begin{quote}\small\begin{verbatim}
157: @countryName=US@organizationName=NYSERNet Inc.
158: \end{verbatim}\end{quote}
159: always refers to the same entry regardless of context.
160: Note that this is a convention only for interface programs such as these.
161:
162: As a rule,
163: unless searching,
164: text before the \verb"`='"-sign is not case sensitive,
165: neither is text after the \verb"`='"-sign.
166:
167: Of course, names like \verb"countryName",
168: while more friendly than binary strings,
169: are still rather long,
170: so there are several abbreviations that the pilot project software permits.
171: Table~\ref{attribute-types} lists the attribute types supported by
172: the pilot project, any abbreviations, and the syntax associated with
173: each attribute's value.
174: Throughout \theguide/,
175: the semantics of these attributes will be introduced.
176: When using this document later on,
177: refer to the Index to quickly find a particular attribute you are interested
178: in.
179: \tagtable[tp]{INT-1}{Supported Attribute Types}{attribute-types}
180:
181: The entities which access the Directory on behalf of a user
182: are termed {\em Directory User Agents\/} (DUAs).
183: The entities which provide the Directory service are termed
184: {\em Directory System Agents\/} (DSAs).
185: Both kinds of entities are identified by their Distinguished Name.
186: That is,
187: the DSAs and DUAs are not only network processes,
188: they are also objects which have entries in the Directory.
189:
190: \subsection {How Entries and Objects are Described}\label{edb:format}
191: It is now time to explain the notation used to describe entries.
192: This notation is termed the ``EDB format'',
193: and is named after the disk-resident data structures used by the
194: pilot project software.
195:
196: An entry is textually described in an ASCII formatted file.
197: The format of the file is simple:
198: \begin{itemize}
199: \item Each entry consists of two or more lines followed by a blank line.
200:
201: \item Each line consists of an attribute type/value pair using
202: the familiar
203: \begin{quote}\small\begin{verbatim}
204: name=value
205: \end{verbatim}\end{quote}
206: notation,
207: such as:
208: \begin{quote}\small\begin{verbatim}
209: c=US
210: \end{verbatim}\end{quote}
211:
212: \item If multiple values are present for an entry,
213: then either multiple lines may be used or the values may
214: be separated by the \verb"`&'"-sign.
215: The first value occurring is the distinguished value.
216: Hence,
217: \begin{quote}\small\begin{verbatim}
218: co=US
219: co=United States of America
220: \end{verbatim}\end{quote}
221: and
222: \begin{quote}\small\begin{verbatim}
223: co=US & United States of America
224: \end{verbatim}\end{quote}
225: are identical:
226: both say that the attribute \verb"friendlyCountryName" has two values:
227: the distinguished value is \verb"US" and an alternate value is
228: \verb"United States of America".
229:
230: \item Most attributes take textual strings for their value.
231: However, for a large number of attributes,
232: the actual characters used are limited to a subset of the
233: ``printable'' characters:
234: \begin{quote}\begin{tabular}{l}
235: \verb"A" through \verb"Z"\\
236: \verb"a" through \verb"z"\\
237: \verb"0" through \verb"9"\\
238: \verb"'" (apostrophe)\\
239: \verb"(" (left parenthesis)\\
240: \verb")" (right parenthesis)\\
241: \verb"+" (plus-sign)\\
242: \verb"," (comma)\\
243: \verb"-" (hyphen)\\
244: \verb"." (period)\\
245: \verb"/" (solidus)\\
246: \verb":" (colon)\\
247: \verb"?" (question-mark)\\
248: space
249: \end{tabular}\end{quote}
250: In particular, note that the characters \verb"`='", \verb"`&'",
251: \verb"`$'" and \verb"`#'" are not allowed.
252:
253: If it makes sense to use a particular character, e.g., \verb"`@'"
254: in a mail address,
255: then this usage is usually permitted.
256:
257: If it is necessary to characters from the restricted set,
258: proceed the value with \verb"{T.61}", e.g.,
259: \begin{quote}\small
260: \begin{verbatim}
261: {T.61}whatever$you$want
262: \end{verbatim}\end{quote}
263:
264: Always use the appropriate case (upper or lower) when entering
265: values.
266: Although the Directory supports imprecise matching for searching,
267: direct lookup is made on the basis of an exact match.
268:
269: When strings are read by the pilot project software,
270: it strips leading and trailing blanks and also compresses multiple
271: blanks to a single blank space.
272:
273: \item Another common kind of attribute value is a Distinguished
274: Name, which is specified using the DN notation described earlier.
275: Note that a DN is always interpreted in absolute form when it is
276: written in an EDB file.
277: Hence, the leading \verb"`@'"-sign is never written.
278:
279: \item Of course,
280: there are a few attributes with very special syntaxes,
281: when these attributes are introduced,
282: the associated notation will be discussed.
283: \end{itemize}
284: Note that the first line for an entry gives the object's RDN.
285: This line should be repeated later on in the entry,
286: this causes it to be included in the attributes for the object.
287: (The pilot software includes this attribute automatically,
288: but it is a good practice regardless.)
289:
290: An EDB file contains all of the child objects of a node in the tree.
291: The first line of the file consists of a single keyword, one of:
292: \begin{describe}
293: \item[MASTER:] indicating that this EDB file is the original source of the
294: information;
295:
296: \item[SLAVE:] indicating that this EDB file is a copy of the information
297: from an authoritative source;
298: and,
299:
300: \item[CACHE:] indicating that this EDB file is a partial, unauthoriative
301: copy of the information.
302: \end{describe}
303: The second line of the file contains the creation date of the information
304: in the file.
305: This is expressed as a \verb"UniversalTime".
306: Put simply,
307: the format used is:\label{UniversalTime}
308: \begin{quote}\small\begin{verbatim}
309: yymmddhhmmssZ
310: \end{verbatim}\end{quote}
311: as in:
312: \begin{quote}\small\begin{verbatim}
313: 890509213614Z
314: \end{verbatim}\end{quote}
315: which is May 9$^{\underline{\mbox{\scriptsize th}}}$, {\oldstyle 1989},
316: 21:36:14 hours at UT.
317:
318: Hence,
319: the format of an EDB file is:
320: \begin{quote}\small\begin{verbatim}
321: <keyword>
322: yymmddhhmmssZ
323: <entries>
324: \end{verbatim}\end{quote}
325: (remember that each entry ends with a blank line).
326: Figure~\ref{edb-example} shows an example of a simple EDB file
327: containing two entries.
328: \tagfigure[tp]{INT-1}{An Example of an EDB file}{edb-example}
329:
330: \subsection {Object Classes}\index{object classes}\index{attribute types, objectClass}
331: One attribute of an entry,
332: its \verb"objectClass",
333: determines what kind of object this entry corresponds to (e.g., a person).
334: The value of this attribute indicates what types of attributes the
335: entry {\em must\/} and {\em may\/} contain.
336: For example,
337: if the value of \verb"objectClass" indicates that the entry corresponds
338: to a person,
339: then it would make sense for that entry to have a \verb"surName"
340: attribute.
341: On the other hand,
342: if the value of \verb"objectClass" indicates that the entry corresponds
343: to an organization,
344: then a \verb"surName" attribute would be inappropriate.
345:
346: The OSI Directory is flexible in that it defines several common
347: types of objects,
348: and then allows users to define their own objects.
349: Further,
350: object definition is based on the notion of {\em class inheritance}.
351: This means that an object class can be defined as a ``subclass'' of
352: a previously defined object class with additional refinements.
353: As a subclass,
354: the newly defined object ``inherits'' all the semantics of its
355: superclass,
356: in addition to having additional semantics.
357:
358: For example,
359: the Directory defines an object class called \verb"person".
360: This object class defines the attributes which a person in
361: the real world might have.
362: It may be useful to refine this somewhat to talk about persons
363: who have Internet access.
364: So, we need a new object class, e.g., \verb"internetPerson".
365: This can be defined in a straight-forward fashion:
366: \begin{quote}
367: The object class \verb"internetPerson" is a subclass of the object class
368: \verb"person" which {\em may\/} contain an additional attribute,
369: \verb"internetMailbox".
370:
371: The syntax of an \verb"internetMailbox" is a simple string of printable
372: characters which is not case sensitive when performing comparisons.
373: \end{quote}
374: Thus,
375: when entries are defined with an \verb"objectClass" attribute which contains
376: the value \verb"internetPerson":
377: \begin{itemize}
378: \item they {\em must\/} contain whatever attributes an entry with
379: \verb"objectClass" \verb"person" {\em must\/} contain;
380:
381: \item they {\em may\/} contain whatever attributes an entry with
382: \verb"objectClass" \verb"person" {\em may\/} contain;
383: and,
384:
385: \item they {\em may\/} contain the \verb"internetMailbox" attribute.
386: \end{itemize}
387:
388: As was seen in Figure~\ref{edb-example} on page~\pageref{edb-example},
389: the \verb"objectClass" attribute is multi-valued.
390: For our purposes,
391: object class values fall into one of two categories:
392: \begin{itemize}
393: \item the primary class,
394: of which each object has one
395: (this is the class that inherited all the properties from the
396: superclasses);
397: and,
398:
399: \item one or more superclasses.
400: \end{itemize}
401: In order to limit the focus of the pilot project,
402: only a few primary classes are supported.
403: Further,
404: of those classes,
405: not all optional attributes are supported.%
406: \footnote{This limitation is specific to the pilot project;
407: the pilot project software can support the entire range of object classes
408: and attribute types.}
409: Before discussing the primary classes and their class-specific attributes,
410: there are a few attributes which are required for every object.
411: These are introduced by looking at a few key superclasses.
412:
413: \subsubsection {The top objectClass}\index{object classes, top}
414: The Directory requires that every object have \verb"top" as a super
415: class.
416: Only one attribute is required for members of this class:
417: \begin{describe}
418: \item[objectClass:]\index{attribute types, objectClass}
419: which defines all the classes that this object belongs
420: to.
421: \end{describe}
422:
423: \subsubsection {The quipuObject objectClass}\index{object classes, quipuObject}
424: In addition,
425: the pilot project software requires that every object also have the object
426: class \verb"quipuObject" as a superclass.
427: Only one attribute is required for members of this class:
428: \begin{describe}
429: \item[accessControlList:]\index{attribute types, accessControlList}\index{attribute types, acl (accessControlList)}
430: which defines how users of the Directory may
431: access the entry.
432: \end{describe}
433: The \verb"accessControlList" attribute uses a special notation to enter
434: its value in the EDB file:
435: \begin{quote}\small\begin{verbatim}
436: <syntax> ::= <who> "#" <action> "#" <what>
437:
438: <who> ::= "group" "#" DN
439: | "prefix" "#" DN
440: | "others"
441: | "self"
442:
443: <action> ::= "none"
444: | "detect"
445: | "compare"
446: | "read"
447: | "add"
448: | "write"
449:
450: <what> ::= "child"
451: | "entry"
452: | "default"
453: | "attributes" "#" <attribute-list>
454:
455: <attribute-list> ::=
456: attribute-name
457: | attribute-name "$" <attribute-list>
458: \end{verbatim}\end{quote}
459: The \verb"<who>" part indicates who the rule applies to.
460: Recall that when a user connects to the Directory,
461: the user {\em binds\/} on behalf of a Distinguished Name.
462: This DN is used to determine which rules apply to the user:
463: \begin{describe}
464: \item[group:] indicates a DN which has an \verb"objectClass" attribute
465: of \verb"groupOfNames" or \verb"organizationalRole",
466: or it indicates a particular DN, which is the most
467: common case.
468:
469: \item[prefix:] indicates all DNs which start with the indicated
470: prefix. Thus, access may be granted to all users
471: at or below a particular part of the tree.
472:
473: \item[self:] indicates the DN which corresponds to this object.
474:
475: \item[others:] the default case.
476: \end{describe}
477: The \verb"<what>" part indicates what part of the entry the rule applies
478: to:
479: \begin{describe}
480: \item[child:] the access control rule applies to children immediately below
481: the entry.
482:
483: \item[entry:] the access control rule applies to the entry itself.
484:
485: \item[attributes:] the access control rule applies to exactly those
486: attributes listed.
487: Multiple attributes pertaining to the same rule are
488: separated by the \verb"`$'"-sign.
489:
490: \item[default:] the default rule for attributes.
491: \end{describe}
492: The \verb"<action>" part indicates the actions which are permitted.
493: The semantics of this part vary, depending on the \verb"<what>" part.
494: However,
495: the \verb"<action>" values are ordered from least- to most-significant;
496: e.g., having ``read'' permission implies both ``compare'' and ``detect''
497: permission.
498: \begin{describe}
499: \item[none:]
500: \begin{tabular}[t]{rp{3.35in}}
501: for entries:& any knowledge of the entry is hidden\\
502: for attributes:& any knowledge of the attribute is hidden\\
503: for children:& downwards progress is blocked
504: \end{tabular}
505:
506: \item[detect:]
507: \begin{tabular}[t]{rp{3.35in}}
508: for entries:& determination of the entry's existence is permitted\\
509: for attributes:& determination of the attribute's existence is permitted\\
510: for children:& the existence of children is admitted, but downwards progress is still blocked\\
511: \end{tabular}
512:
513: \item[compare:]
514: \begin{tabular}[t]{rp{3.35in}}
515: for entries:& the RDN may be compared\\
516: for attributes:& the values of the attribute may be compared\\
517: for children:& exactly specified RDNs may be matched\\
518: \end{tabular}
519:
520: \item[read:]
521: \begin{tabular}[t]{rp{3.35in}}
522: for entries:& the RDN may be read\\
523: for attributes:& the attribute values may be read\\
524: for children:& the child information may be listed, and downward searches are permitted\\
525: \end{tabular}
526:
527: \item[add:]
528: \begin{tabular}[t]{rp{3.35in}}
529: for entries:& new attributes may be added\\
530: for attributes:& new attribute values may be added\\
531: for children:& new children may be added\\
532: \end{tabular}
533:
534: \item[write:]
535: \begin{tabular}[t]{rp{3.35in}}
536: for entries:& the RDN may be changed and existing attributes may be added\\
537: for attributes:& values may be modified or removed\\
538: for children:& children may be removed\\
539: \end{tabular}
540: \end{describe}
541: The only exception to these rules is the \verb"accessControlList" attribute
542: itself: access control rules may be added only to the extent access is
543: allowed by the user.
544:
545: The default access control list is
546: \begin{quote}\small\begin{verbatim}
547: acl=
548: \end{verbatim}\end{quote}
549: which simply means ``read'' access for everything and also
550: \begin{quote}\small\begin{verbatim}
551: self # write # entry
552: self # write # default
553: \end{verbatim}\end{quote}
554:
555: There are two optional attributes.
556: These are maintained automatically by the Directory:
557: \begin{describe}
558: \item[lastModifiedBy:]\index{attribute types, lastModifiedBy}
559: identifies the Directory entity which last modified
560: this entry.
561: The value is a Distinguished Name.
562:
563: \item[lastModifiedTime:]\index{attribute types, lastModifiedTime}
564: identifies the time at which this entry was last
565: modified.
566: The value is a \verb"UniversalTime",
567: the syntax of which was described earlier on
568: page~\pageref{UniversalTime}.
569: \end{describe}
570:
571: \subsubsection {The quipuNonLeafObject objectClass}\index{object classes, quipuNonLeafObject}
572: If an object is permitted children,
573: the pilot project software requires that that object also have
574: \verb"quipuNonLeafObject" as a superclass.
575:
576: This class has one mandatory attribute:
577: \begin{describe}
578: \item[masterDSA:]\index{attribute types, masterDSA}
579: identifies the Directory entity which is responsible
580: for maintaining the MASTER EDB for the children of
581: this entry.
582: The value is a Distinguished Name.
583: \end{describe}
584: There is typically a single MASTER for a particular entry in the tree.
585: Hence, this value is usually single-valued.
586: When an entry is to be modified,
587: the Directory must contact the entity responsible for the MASTER EDB for
588: that entry in order to perform the modification.
589:
590: This class has two optional attributes:
591: \begin{describe}
592: \item[slaveDSA:]\index{attribute types, slaveDSA}
593: identifies any Directory entities which have
594: authoritative copies of the EDB for the children
595: of this entry.
596: The value is one or more Distinguished Names.
597:
598: \item[treeStructure:]\index{attribute types, treeStructure}
599: identifies the object classes which may exist
600: immediately below this entry.
601: The value is one or more object classes.
602: \end{describe}
603: Since a fundamental assumption of the Directory is that reads (queries)
604: occur much more frequently than writes (updates),
605: it is common to have several entities containing authoritative copies of an
606: EDB.
607: By keeping copies locally,
608: queries can be answered with less latency.
609:
610: \subsubsection {The domainRelatedObject objectClass}\index{object classes, domainRelatedObject}
611: If an object has some relationship to the Internet Domain Name System (DNS),
612: the pilot project software requires that that object also have
613: \verb"domainRelatedObject" as a superclass.
614:
615: This class has one mandatory attribute:
616: \begin{describe}
617: \item[associatedDomain:]\index{attribute types, associatedDomain}
618: identifies the domain which corresponds to this object.
619: The value is a domain string, e.g.,
620: \begin{quote}\small\begin{verbatim}
621: nyser.net
622: \end{verbatim}\end{quote}
623: \end{describe}
624: There is typically a single MASTER for a particular entry in the tree.
625: Hence, this value is usually single-valued.
626: When an entry is to be modified,
627: the Directory must contact the entity responsible for the MASTER EDB for
628: that entry in order to perform the modification.
629:
630: Now we look at the primary object classes.
631: Keep in mind that these all have both \verb"top" and \verb"quipuObject" as
632: superclasses.
633: Further,
634: the primary classes which are permitted children all have
635: \verb"quipuNonLeafObject" as a superclass.
636:
637: \subsubsection {The friendlyCountry objectClass}\index{object classes, friendlyCountry}
638: Objects of this class represent a sovereign nation.
639: For the purposes of the NYSERNet/PSI White Pages Pilot,
640: there is only one of these,
641: although the pilot project is attached to a world-wide Directory service.
642:
643: Table~\ref{friendlyCountry-attributes} summarizes the attributes types for
644: a \verb"friendlyCountry" object.
645: There are two mandatory attributes:
646: \begin{describe}
647: \item[countryName:]\index{attribute types, countryName}\index{attribute types, c (countryName)}
648: which gives the name of the country.
649: The value of this attribute is a two-letter ISO~3166
650: code; e.g.,
651: \begin{quote}\small\begin{verbatim}
652: US
653: \end{verbatim}\end{quote}
654:
655: \item[friendlyCountryName:]\index{attribute types, friendlyCountryName}\index{attribute types, co (friendlyCountryName)}
656: which gives a user-friendly rendition of the
657: country's name (hence the term \verb"friendlyCountry").
658: The value of this attribute is a string; e.g.,
659: \begin{quote}\small\begin{verbatim}
660: United States of America
661: \end{verbatim}\end{quote}
662: \end{describe}
663: \tagtable[tp]{INT-2}{Attribute Types for the friendlyCountry Object Class}%
664: {friendlyCountry-attributes}
665:
666: In addition,
667: there is one attribute that may be present:
668: \begin{describe}
669: \item[description:]\index{attribute types, description}
670: which is a simple textual description;
671: e.g.,
672: \begin{quote}\small\begin{verbatim}
673: the land of the free and the home of the brave
674: \end{verbatim}\end{quote}
675: \end{describe}
676:
677: Putting everything together,
678: one could describe an entry for an object of class \verb"friendlyCountry"
679: thusly:
680: \begin{quote}\small\begin{verbatim}
681: c=US
682: masterDSA= cn=Alpaca#
683: slaveDSA= cn=Fruit Bat#
684: slaveDSA= cn=Giant Tortoise#
685: acl= others # read # entry
686: acl= group # c=US@cn=Manager # write # entry
687: acl= others # read # default
688: acl= group # c=US@cn=Manager # write # default
689: treeStructure= quipuNonLeafObject & organization & locality
690: treeStructure= quipuDSA & alias & organizationalRole
691: c= US
692: co= USA & US & United States of America
693: objectClass= top & quipuObject & quipuNonLeafObject
694: objectClass= country & friendlyCountry
695: \end{verbatim}\end{quote}
696: These lines indicate that:
697: \begin{itemize}
698: \item The RDN for this object is \verb"c=US"
699: (read ``country name is US'').
700:
701: \item The user-friendly name for this country takes on one of three values
702: \begin{quote}\small\begin{verbatim}
703: USA
704: US
705: United States of America
706: \end{verbatim}\end{quote}
707:
708: \item There are two DSAs which have SLAVE copies of the EDB for this
709: object, one is called \verb"cn=Giant Tortoise" and the other
710: is called \verb"cn=Fruit Bat".
711: (We'll discuss how these colorful names are chosen later on.)
712:
713: \item The DSA responsible for maintaining the MASTER copy of the EDB
714: is called \verb"cn=Alpaca".
715: Note that all three of these DSAs live directly under the ROOT of
716: the Directory tree.
717:
718: \item Everyone is allowed to read the entry and all of its attributes,
719: and only \verb"c=US@cn=Manager" is allowed to change anything.
720:
721: \item The \verb"treeStructure" attribute says that the children immediately
722: below this object:
723: \begin{itemize}
724: \item may have children themselves (\verb"quipuNonLeafObject"),
725: in which case, the objects under \verb"c=US" are either
726: \verb"organization" or \verb"locality" objects; or,
727:
728: \item needn't have children, being a DSA
729: (of object class \verb"quipuDSA")
730: or an \verb"organizationalRole";
731: or,
732:
733: \item may be an \verb"alias".
734: \end{itemize}
735:
736: \item The official name of this country is \verb"US".
737:
738: \item This object belongs to five object classes:
739: \begin{itemize}
740: \item \verb"top" and \verb"quipuObject" because membership is
741: mandatory;
742:
743: \item \verb"quipuNonLeafObject" so that children may reside
744: under the entry;
745:
746: \item \verb"friendlyCountry" which is the primary object class; and,
747:
748: \item \verb"country" which is a superclass of \verb"friendlyCountry".
749: \end{itemize}
750: \end{itemize}
751:
752: \subsubsection {The organization objectClass}\index{object classes, organization}
753: Objects of this class represent a top-level organizational entity,
754: such as a corporation, university, government entity, and so on.
755: There is an \verb"organization" object for each organization participating in
756: the NYSERNet/PSI White Pages Pilot.
757:
758: Table~\ref{organization-attributes} summarizes the attributes types for
759: an \verb"organization" object.
760: There is one mandatory attribute:
761: \begin{describe}
762: \item[organizationName:]\index{attribute types, organizationName}\index{attribute types, o (organizationName)}
763: which gives the name of the organization.
764: The value of this attribute is a string; e.g.,
765: \begin{quote}\small\begin{verbatim}
766: NYSERNet Inc.
767: \end{verbatim}\end{quote}
768: \end{describe}
769: \tagtable[tp]{INT-3}{Attribute Types for the organization Object Class}%
770: {organization-attributes}
771:
772: There are several attributes that may be present,
773: which are divided into three groups:
774: physical address, telecommunications address, and miscellaneous information.
775:
776: The first group describes the physical address of the object:
777: \begin{describe}
778: \item[postalAddress:]\index{attribute types, postalAddress}
779: which describes how physical mail is addressed to the
780: object.
781: The syntax of this attribute's value is special:
782: it consists of~1 to~6 fields, seperated by the
783: ``\verb"$"''-sign, each field being from~1 to~30
784: characters long; e.g.
785: \begin{quote}\small\begin{verbatim}
786: NYSERNet Inc. $ 165 Jordan Road $ Troy, NY 12180
787: \end{verbatim}\end{quote}
788:
789: \item[registeredAddress:]\index{attribute types, registeredAddress}
790: which defines how registered physical mail is
791: addressed to the object.
792: The syntax is identical to that of the
793: \verb"postalAddress" attribute.
794:
795: \item[streetAddress:]\index{attribute types, streetAddress}
796: which is a string describing where the object
797: physically resides
798: (i.e., the street name, place, avenue, and building
799: number); e.g.,
800: object
801: \begin{quote}\small\begin{verbatim}
802: 165 Jordan Road
803: \end{verbatim}\end{quote}
804: This need have no relationship to the object's
805: postal address.
806:
807: \item[postOfficeBox:]\index{attribute types, postOfficeBox}
808: which is a string describing the box at which the
809: object will receive physical postal delivery; e.g.,
810: \begin{quote}\small\begin{verbatim}
811: 1010
812: \end{verbatim}\end{quote}
813:
814: \item[physicalDeliveryOfficeName:]\index{attribute types, physicalDeliveryOfficeName}
815: which is a string describing the geographical location
816: of the physical delivery office which services the
817: postal address of this object; e.g.,
818: \begin{quote}\small\begin{verbatim}
819: Troy
820: \end{verbatim}\end{quote}
821:
822: \item[stateOrProvinceName:]\index{attribute types, stateOrProvinceName}
823: which is a string describing the state in which
824: the \verb"locality" is found; e.g.,
825: \begin{quote}\small\begin{verbatim}
826: New York
827: \end{verbatim}\end{quote}
828:
829: \item[postalCode:]\index{attribute types, postalCode}
830: which is a string containing the ZIP code; e.g.,
831: \begin{quote}\small\begin{verbatim}
832: 12180
833: \end{verbatim}\end{quote}
834: or
835: \begin{quote}\small\begin{verbatim}
836: 94043-2112
837: \end{verbatim}\end{quote}
838:
839: \item[localityName:]\index{attribute types, localityName}\index{attribute types, l (localityName)}
840: which is a string describing the geographical
841: area containing the \verb"streetAddress"; e.g.,
842: \begin{quote}\small\begin{verbatim}
843: Troy, New York
844: \end{verbatim}\end{quote}
845: \end{describe}
846: The second optional group describes telecommunications addressing information
847: for the object.
848: \begin{describe}
849: \item[telephoneNumber:]\index{attribute types, telephoneNumber}
850: which is a string describing the phone number of the object
851: using the international notation; e.g.,
852: \begin{quote}\small\begin{verbatim}
853: +1 518-283-8860
854: \end{verbatim}\end{quote}
855: or
856: \begin{quote}\small\begin{verbatim}
857: +1 518-283-8860 x1234
858: \end{verbatim}\end{quote}
859: In general, the syntax is:
860: \begin{quote}\smaller\begin{verbatim}
861: +<<country code>> <<national number>> [x<<extension>>]
862: \end{verbatim}\end{quote}
863:
864: \item[facsimileTelephoneNumber:]\index{attribute types, facsimileTelephoneNumber}
865: which is a string describing the fax number of the object
866: using the international notation; e.g.,
867: \begin{quote}\small\begin{verbatim}
868: +1 518-283-8904
869: \end{verbatim}\end{quote}
870:
871: \item[telexNumber:]\index{attribute types, telexNumber}
872: which is defines the TELEX address of the object in a
873: three-field format:
874: \begin{quote}\small\begin{verbatim}
875: number $ country $ answerback
876: \end{verbatim}\end{quote}
877: e.g.,
878: \begin{quote}\small\begin{verbatim}
879: 650 103 7390 $ US $ MCI UW
880: \end{verbatim}\end{quote}
881: \end{describe}
882: The final optional group contains one miscellaneous attribute:
883: \begin{describe}
884: \item[description:]\index{attribute types, description}
885: which is a simple textual description;
886: e.g.,
887: \begin{quote}\small\begin{verbatim}
888: Not-for-profit organization providing network services
889: \end{verbatim}\end{quote}
890: \end{describe}
891: Figure~\ref{organization-edb} shows an entry for an \verb"organization" object.
892: \tagfigure[tp]{INT-2}{An Example of an Entry for the organization Object Class}%
893: {organization-edb}
894:
895: \subsubsection {The organizationalUnit objectClass}\index{object classes, organizationalUnit}
896: Objects of this class represent a unit within an organization,
897: such as a division or department.
898: Each organization participating in the NYSERNet/PSI White Pages Pilot decides
899: how many organizational units it wishes to maintain as subordinates to
900: its organization entry.
901:
902: Table~\ref{organizationalUnit-attributes} summarizes the attributes types for
903: an \verb"organizationalUnit" object.
904: There is one mandatory attribute:
905: \begin{describe}
906: \item[organizationalUnitName:]\index{attribute types, organizationUnitName}\index{attribute types, ou (organizationUnitName)}
907: which gives the name of the organizational unit.
908: The value of this attribute is a string; e.g.,
909: \begin{quote}\small\begin{verbatim}
910: Research and Development
911: \end{verbatim}\end{quote}
912: \end{describe}
913: \tagtable[tp]{INT-4}{Attribute Types for the organizationalUnit Object Class}%
914: {organizationalUnit-attributes}
915:
916: There are several attributes that may be present.
917: They belong to the physical address, telecommunications address,
918: and miscellaneous information groups described earlier.
919:
920: Figure~\ref{organizationalUnit-edb} shows an entry for an
921: \verb"organizationalUnit" object.
922: \tagfigure[tp]{INT-3}%
923: {An Example of an Entry for the organizationalUnit Object Class}%
924: {organizationalUnit-edb}
925:
926: \subsubsection {The locality objectClass}\index{object classes, locality}
927: Objects of this class represent a geographical area,
928: such as a state, county, or city.
929: The sponsors of the NYSERNet/PSI White Pages Pilot maintain such an entry for
930: the State of New York.
931: This is used to contain objects corresponding to individuals who are
932: associated with organizations that are not participating in the pilot
933: project.
934:
935: Table~\ref{locality-attributes} summarizes the attributes types for
936: a \verb"locality" object.
937: There is one mandatory attribute:
938: \begin{describe}
939: \item[localityName:]\index{attribute types, localityName}\index{attribute types, l (localityName)}
940: which gives the name of the locality.
941: The value of this attribute is a string; e.g.,
942: \begin{quote}\small\begin{verbatim}
943: NY
944: \end{verbatim}\end{quote}
945: or
946: \begin{quote}\small\begin{verbatim}
947: Rensselaer County
948: \end{verbatim}\end{quote}
949: \end{describe}
950: \tagtable[tp]{INT-5}{Attribute Types for the locality Object Class}%
951: {locality-attributes}
952:
953: There is only one attribute that may be present,
954: it belongs to the miscellaneous information group described earlier.
955:
956: Figure~\ref{sony-edb} shows the entry for the State of New York,
957: whilst Figure~\ref{locality-edb} shows an entry for a subordinate
958: \verb"locality" object.
959: \tagfigure[tp]{INT-4}{The Entry for The State of New York}{sony-edb}
960: \tagfigure[tp]{INT-5}{An Example of an Entry for the locality Object Class}%
961: {locality-edb}
962:
963: \subsubsection {The pilotPerson objectClass}\index{object classes, pilotPerson}
964: Objects of this class represent a person participating in the pilot project.
965:
966: Table~\ref{pilotPerson-attributes} summarizes the attributes types for
967: a \verb"pilotPerson" object.
968: There are two mandatory attributes:
969: \begin{describe}
970: \item[commonName:]\index{attribute types, commonName}\index{attribute types, cn (commonName)}
971: which gives a (potentially ambiguous) name for
972: the person.
973: The value of this attribute is a string usually
974: containing the person's first and last names; e.g.,
975: \begin{quote}\small\begin{verbatim}
976: Marshall Rose
977: \end{verbatim}\end{quote}
978: This attribute is usually multi-valued, containing
979: variations on the first, middle, and last names; e.g.,
980: \begin{quote}\small\begin{verbatim}
981: Colin Robbins
982: Colin John Robbins
983: Colin J. Robbins
984: \end{verbatim}\end{quote}
985: For purposes of the pilot project, the distinguished
986: value of the attribute usually contains only the
987: person's first and last names.
988: (See Section~\ref{naming:people} on
989: page~\pageref{naming:people} for a discussion of this.)
990:
991: \item[surName:]\index{attribute types, surName}
992: which gives the person's last name.
993: The value of this attribute is a string; e.g.,
994: \begin{quote}\small\begin{verbatim}
995: Rose
996: \end{verbatim}\end{quote}
997: \end{describe}
998: \tagtable[tp]{INT-6}{Attribute Types for the pilotPerson Object Class}%
999: {pilotPerson-attributes}
1000:
1001: There are several attributes that may be present,
1002: which are divided into five groups:
1003: physical address, telecommunication information,
1004: computer environment,
1005: miscellaneous information,
1006: and home information.
1007: The first two groups have been previously described.
1008:
1009: The third group describes information relating to the person's
1010: computer environment:
1011: \begin{describe}
1012: \item[rfc822Mailbox:]\index{attribute types, rfc822Mailbox}
1013: which is the user's computer mail address,
1014: e.g.,
1015: \begin{quote}\small\begin{verbatim}
1016: [email protected]
1017: \end{verbatim}\end{quote}
1018:
1019: \item[otherMailbox:]\index{attribute types, otherMailbox}
1020: which is the user's computer mail address
1021: in various domains.
1022: The syntax of this attribute's value is special:
1023: \begin{quote}\small\begin{verbatim}
1024: <domain> $ <mailbox>
1025: \end{verbatim}\end{quote}
1026: e.g.,
1027: \begin{quote}\small\begin{verbatim}
1028: internet $ [email protected]
1029: \end{verbatim}\end{quote}
1030: The current list of mail domains are:
1031: \[\begin{tabular}{l}
1032: applelink\\
1033: bitnet\\
1034: compuserve\\
1035: genie\\
1036: internet\\
1037: mcimail\\
1038: nasamail\\
1039: preferred\\
1040: uucp
1041: \end{tabular}\]
1042:
1043: \item[userid:]\index{attribute types, userid}
1044: which is the user's login name; e.g.,
1045: \begin{quote}\small\begin{verbatim}
1046: mrose
1047: \end{verbatim}\end{quote}
1048:
1049: \item[userClass:]\index{attribute types, userClass}
1050: which describe's the user's classification; e.g.,
1051: \begin{quote}\small\begin{verbatim}
1052: staff
1053: \end{verbatim}\end{quote}
1054: \end{describe}
1055: The next optional group contains a few miscellaneous attributes:
1056: \begin{describe}
1057: \item[description:]\index{attribute types, description}
1058: which is a simple textual description;
1059: e.g.,
1060: \begin{quote}\small\begin{verbatim}
1061: Principal Implementor of the ISO Development Environment
1062: \end{verbatim}\end{quote}
1063:
1064: \item[info:]\index{attribute types, info}
1065: which is additional information about the object;
1066: e.g.,
1067: \begin{quote}\small\begin{verbatim}
1068: It's nearly as good as BIND
1069: \end{verbatim}\end{quote}
1070:
1071: \item[businessCategory:]\index{attribute types, businessCategory}
1072: which describes the person's business,
1073: e.g.,
1074: \begin{quote}\small\begin{verbatim}
1075: networking
1076: \end{verbatim}\end{quote}
1077:
1078: \item[title:]\index{attribute types, title}
1079: which is the person's job title,
1080: e.g.,
1081: \begin{quote}\small\begin{verbatim}
1082: Senior Scientist
1083: \end{verbatim}\end{quote}
1084:
1085: \item[roomNumber:]\index{attribute types, roomNumber}
1086: which is a string describing where the object resides
1087: at the location, e.g.,
1088: \begin{quote}\small\begin{verbatim}
1089: Building T-30
1090: \end{verbatim}\end{quote}
1091:
1092: \item[userPassword:]\index{attribute types, userPassword}
1093: which is a string containing the object's
1094: password in the Directory. This is used,
1095: for example, when the user wants to update
1096: the entry.
1097: The password is kept in the clear
1098: (the security ramifications of this are
1099: discussed later on); e.g.,
1100: \begin{quote}\small\begin{verbatim}
1101: secret
1102: \end{verbatim}\end{quote}
1103:
1104: \item[mobileTelephoneNumber:]\index{attribute types, mobileTelephoneNumber}\index{attribute types, mobile (mobileTelephoneNumber)}
1105: which is a string describing the user's mobile
1106: number (e.g., for a cellular phone).
1107:
1108: \item[pagerTelephoneNumber:]\index{attribute types, pagerTelephoneNumber}\index{attribute types, pager (pagerTelephoneNumber)}
1109: which is a string describing the user's pager number.
1110:
1111: \item[favouriteDrink:]\index{attribute types, favouriteDrink}\index{attribute types, drink (favouriteDrink)}
1112: which is a string describing the user's favorite drink.
1113:
1114: \item[secretary:]\index{attribute types, secretary}
1115: which is the Distinguished Name of the user's
1116: secretary.
1117:
1118: \item[seeAlso:]\index{attribute types, seeAlso}
1119: which is a Distinguished Name pointing to another
1120: entry related to the user (perhaps in a different
1121: role).
1122:
1123: \item[photo:]\index{attribute types, photo}
1124: which is a facsimile bitmap of the user's face.
1125: \end{describe}
1126: The final optional group contains a few attributes about the person at home:
1127: \begin{describe}
1128: \item[homePostalAddress:]\index{attribute types, homePostalAddress}
1129: which describes how physical mail is addressed to the
1130: person's home.
1131: The syntax of this attribute's value is special:
1132: it consists of~1 to~6 fields, seperated by the
1133: ``\verb"$"''-sign, each field being from~1 to~30
1134: characters long; e.g.
1135: \begin{quote}\small\begin{verbatim}
1136: NYSERNet Inc. $ 165 Jordan Road $ Troy, NY 12180
1137: \end{verbatim}\end{quote}
1138:
1139: \item[homePhone:]\index{attribute types, homePhone}
1140: which is a string describing the phone number of the object
1141: using the international notation; e.g.,
1142: \begin{quote}\small\begin{verbatim}
1143: +1 518-283-8860
1144: \end{verbatim}\end{quote}
1145: \end{describe}
1146: Figure~\ref{pilotPerson-edb} shows an entry for a \verb"pilotPerson" object.
1147: \tagfigure[tp]{INT-6}{An Example of an Entry for the pilotPerson Object Class}%
1148: {pilotPerson-edb}
1149:
1150: \subsubsection {The alias objectClass}\index{object classes, alias}
1151: Objects of this class represent an alias to some other entry in the
1152: NYSERNet/PSI White Pages Pilot.
1153: Each organization participating in the pilot must define at least two of
1154: these:
1155: \begin{itemize}
1156: \item a manager responsible for the organization's portion of the Directory
1157: tree;
1158: and,
1159:
1160: \item a postmaster responsible for the organization's electronic mail.
1161: \end{itemize}
1162:
1163: Table~\ref{alias-attributes} summarizes the attributes types for
1164: an \verb"alias".
1165: There are two mandatory attributes:
1166: \begin{describe}
1167: \item[commonName:]\index{attribute types, commonName}\index{attribute types, cn (commonName)}
1168: which gives the name of the alias.
1169: The value of this attribute is a string; e.g.,
1170: \begin{quote}\small\begin{verbatim}
1171: PostMaster
1172: \end{verbatim}\end{quote}
1173:
1174: \item[aliasedObjectName:]\index{attribute types, aliasedObjectName}
1175: which is a pointer to another object in the Directory;
1176: e.g.,
1177: \begin{quote}\small\begin{verbatim}
1178: c=US@o=NYSERNet Inc.@ou=Operations@cn=Chris Kolb
1179: \end{verbatim}\end{quote}
1180: \[\fbox{\begin{tabular}{lp{0.4\textwidth}}
1181: \bf NOTE:& The value of this attribute must not be another alias:
1182: each alias must point to a non-aliased entry!
1183: \end{tabular}}\]
1184: \end{describe}
1185: There are no optional attributes for this object class.
1186: Figure~\ref{alias-edb} shows an entry for an \verb"alias" object.
1187: \tagtable[tp]{INT-7}{Attribute Types for the alias Object Class}%
1188: {alias-attributes}
1189: \tagfigure[tp]{INT-7}{An Example of an Entry for the alias Object Class}%
1190: {alias-edb}
1191:
1192: \subsubsection {The organizationalRole objectClass}\index{object classes, organizationalRole}
1193: Objects of this class represent a position filled by a person.
1194:
1195: Table~\ref{organizationalRole-attributes} summarizes the attributes types for
1196: a \verb"organizationalRole".
1197: There is one mandatory attribute:
1198: \begin{describe}
1199: \item[commonName:]\index{attribute types, commonName}\index{attribute types, cn (commonName)}
1200: which gives the name of the role.
1201: The value of this attribute is a string; e.g.,
1202: \begin{quote}\small\begin{verbatim}
1203: Manager
1204: \end{verbatim}\end{quote}
1205: \end{describe}
1206: There are several attributes that may be present,
1207: which are divided into three groups:
1208: physical address, telecommunication information,
1209: and miscellaneous information.
1210: The first two groups have been previously described.
1211: The final optional group contains two miscellaneous attributes:
1212: \begin{describe}
1213: \item[description:]\index{attribute types, description}
1214: which is a simple textual description;
1215: e.g.,
1216: \begin{quote}\small\begin{verbatim}
1217: Manager of the Troy Office
1218: \end{verbatim}\end{quote}
1219:
1220: \item[roleOccupant:]\index{attribute types, roleOccupant}
1221: which is a pointer to another object in the Directory,
1222: referring to the person who currently fills the role.
1223: e.g.,
1224: \begin{quote}\small\begin{verbatim}
1225: c=US@o=NYSERNet Inc.@ou=Administration@cn=Kimberly Brown
1226: \end{verbatim}\end{quote}
1227: \end{describe}
1228: Figure~\ref{organizationalRole-edb} shows an entry for a \verb"organizationalRole"
1229: object.
1230: \tagtable[tp]{INT-9}{Attribute Types for the organizationalRole Object Class}%
1231: {organizationalRole-attributes}
1232: \tagfigure[tp]{INT-14}%
1233: {An Example of an Entry for the organizationalRole Object Class}%
1234: {organizationalRole-edb}
1235:
1236: \subsubsection {The quipuDSA objectClass}\index{object classes, quipuDSA}
1237: Objects of this class represent a Directory System Agent (DSA) running
1238: the pilot project software.
1239: Each organization participating in the NYSERNet/PSI White Pages Pilot typically
1240: runs at least one DSA.
1241:
1242: Table~\ref{quipuDSA-attributes} summarizes the attributes types for
1243: a \verb"quipuDSA".
1244: There are several mandatory attributes:
1245: \begin{describe}
1246: \item[commonName:]\index{attribute types, commonName}\index{attribute types, cn (commonName)}
1247: which gives the name of the DSA,
1248: by convention this is the name of an endangered species
1249: in South America; e.g.,
1250: \begin{quote}\small\begin{verbatim}
1251: Fruit Bat
1252: \end{verbatim}\end{quote}
1253:
1254: \item[eDBinfo:]\index{attribute types, eDBinfo}
1255: which indicates how the DSA participates when
1256: propagating authoritative EDB information
1257: (this is the dual
1258: of the \verb"masterDSA" and \verb"slaveDSA"
1259: attribute types discussed earlier).
1260: The syntax of this attribute's value is special:
1261: \begin{quote}\small\begin{verbatim}
1262: <name> # <upstream> # <downstream>
1263: \end{verbatim}\end{quote}
1264: The \verb"<name>" field is a Distinguished Name referring to the object
1265: containing the EDB.
1266: By convention, if absent this refers to the ROOT (unnamed) EDB.
1267: The \verb"<upstream>" field is the Distinguished Name of a DSA which is
1268: considered to be ``closer'' to the MASTER of this EDB.
1269: It may be the name of the actual DSA containing the MASTER EDB,
1270: but it might also be the name of an intermediate DSA (containing a SLAVE copy).
1271: If this field is empty,
1272: then this DSA does not pull the EDB from another DSA
1273: (this needn't mean that it holds the MASTER EDB,
1274: though usually this is the case).
1275: The \verb"<downstream>" field is the Distinguished Name of a DSA which is
1276: allowed to copy the EDB from this DSA.
1277: If this field is empty,
1278: then this DSA does not allow other DSAs to copy the EDB.
1279: If the \verb"<downstream>" field is to contain more than one DSA,
1280: either enter multiple \verb"eDBinfo" lines or separate the Distinguished
1281: Names of the downstream DSAs with the \verb"`$'"-sign.
1282:
1283: A few examples:
1284: \begin{quote}\small\begin{verbatim}
1285: # cn=Giant Tortoise # cn=Fruit Bat
1286: c=US # # cn=Fruit Bat
1287: c=US # # c=US@cn=Spectacled Bear
1288: c=US@l=NY # cn=Fruit Bat #
1289: \end{verbatim}\end{quote}
1290: Note that there is no harm to using multiple \verb"eDBinfo" lines,
1291: even if they refer to the same EDB.
1292: These lines indicate that:
1293: \begin{itemize}
1294: \item The ROOT EDB is read from the \verb"cn=Giant Tortoise" DSA,
1295: further the \verb"cn=Fruit Bat" DSA is allowed to read the
1296: ROOT EDB from this DSA.
1297:
1298: \item The \verb"cn=Fruit Bat" DSA and the \verb"c=US@cn=Spectacled Bear" DSA
1299: are allowed to read the EDB for \verb"c=US".
1300: Note that the second and third line could be combined as:
1301: \begin{quote}\small\begin{verbatim}
1302: c=US # # cn=Fruit Bat$c=US@cn=Spectacled Bear
1303: \end{verbatim}\end{quote}
1304: While more concise,
1305: this format is not recommended as it is probably more difficult to read.
1306:
1307: \item The DSA named \verb"cn=Fruit Bat" supplies the EDB for \verb"c=US@l=NY"
1308: to this DSA.
1309: \end{itemize}
1310:
1311: \item[presentationAddress:]\index{attribute types, presentationAddress}
1312: which is the OSI presentation address that the DSA
1313: resides at.
1314: The syntax of this attribute's value is special:
1315: \begin{quote}\small\begin{verbatim}
1316: '0101'H/Internet=<quad>+<port>
1317: \end{verbatim}\end{quote}
1318: or
1319: \begin{quote}\small\begin{verbatim}
1320: '0101'H/Internet=<quad-1>+<port>|Internet=<quad-2>+<port>
1321: \end{verbatim}\end{quote}
1322: if the DSA is capable of listing on multiple IP addresses.%
1323: \footnote{Actually, the rules for forming OSI presentation addresses are
1324: {\em much\/} more complicated;
1325: however, for the purposes of the pilot project,
1326: this should suffice.}
1327: The \verb"<quad>" field is a 32-bit IP address expressed in the
1328: usual quad notation (e.g., \verb"130.117.128.2").
1329: The \verb"<port>" field is a decimal TCP port which isn't likely to
1330: be used on your system.
1331: The value \verb"17003" is recommended for the purposes of the pilot project.
1332:
1333: A simple example:
1334: \begin{quote}\small\begin{verbatim}
1335: '0101'H/Internet=130.117.128.2+17003
1336: \end{verbatim}\end{quote}
1337: Note that multiple values for the \verb"presentationAddress" attribute type
1338: should not be used:
1339: multiple IP addresses (up to~4) can be specified using a single attribute value.
1340:
1341: \item[manager:]\index{attribute types, manager}
1342: which is a pointer to another object in the Directory
1343: of the person who manages this DSA;
1344: e.g.,
1345: \begin{quote}\small\begin{verbatim}
1346: c=US@o=NYSERNet Inc.@cn=Manager
1347: \end{verbatim}\end{quote}
1348:
1349: \item[userPassword:]\index{attribute types, userPassword}
1350: which is a string containing the DSA's
1351: password in the Directory. This is used
1352: when the manager of the DSA wants to
1353: change the entry for the DSA itself
1354: (as opposed to the entries held by the DSA).
1355: The password is kept in the clear
1356: (the security ramifications of this are
1357: discussed later on); e.g.,
1358: \begin{quote}\small\begin{verbatim}
1359: secret
1360: \end{verbatim}\end{quote}
1361:
1362: \item[quipuVersion:]\index{attribute types, quipuVersion}
1363: which is a simple string relating the version of
1364: the pilot project software being run by this DSA;
1365: e.g.,
1366: \begin{quote}\small\begin{verbatim}
1367: Version 5.0
1368: \end{verbatim}\end{quote}
1369: \end{describe}
1370: There are two optional attributes:
1371: \begin{describe}
1372: \item[description:]\index{attribute types, description}
1373: which, by convention, is multi-valued.
1374: The distinguished value is the wildlife description
1375: of the \verb"commonName" attribute whilst the other
1376: values describe the role that the DSA plays in
1377: the pilot project;
1378: e.g.,
1379: \begin{quote}\small\begin{verbatim}
1380: The Mischevous Varmint
1381: A MASTER DSA for l=NY under c=US
1382: A SLAVE DSA for ROOT and c=US
1383: \end{verbatim}\end{quote}
1384:
1385: \item[supportedApplicationContext:]\index{attribute types, supportedApplicationContext}
1386: which defines the application ports offerred by this
1387: process.
1388: The current values are:
1389: \begin{quote}\small\begin{verbatim}
1390: x500DSP & x500DAP & quipuDSP
1391: \end{verbatim}\end{quote}
1392: \end{describe}
1393: Figure~\ref{quipuDSA-edb} shows an entry for a \verb"quipuDSA" object.
1394: \tagtable[tp]{INT-8}{Attribute Types for the quipuDSA Object Class}%
1395: {quipuDSA-attributes}
1396: \tagfigure[tp]{INT-8}{An Example of an Entry for the quipuDSA Object Class}%
1397: {quipuDSA-edb}
1398:
1399:
\section {Functional Model}
1400: The Functional Model describes the service in terms of entities.
1401: As noted earlier,
1402: two kinds of entities exist:
1403: {\em Directory User Agents\/} (DUAs),
1404: which operate on behalf of a user,
1405: and
1406: {\em Directory System Agents\/} (DSAs),
1407: which provide the service.
1408:
1409: The key aspect of the functional model is deciding how information
1410: is transferred through the system.
1411: When a DUA requests some action from a DSA
1412: (e.g., to read an entry),
1413: the DSA may not have that information resident.
1414: In this case,
1415: the DSA has a choice:
1416: it may either contact another DSA which is ``closer'' to the information
1417: and propagate the request (this is called {\em chaining\/}),
1418: or it may return information about this ``closer'' DSA to the DUA,
1419: and let the DUA re-issue its request
1420: (this is called {\em referral\/}).
1421: WHen DSAs communicate between themselves,
1422: they may also chain or refer requests.
1423:
1424: For the purposes of the pilot,
1425: it is important to understand what the term ``resident'' means with respect
1426: to information.
1427: This residency requirement is:
1428: \[\begin{tabular}{|l|l|}
1429: \hline
1430: \multicolumn{1}{|c|}{\bf Operation Requested}&
1431: \multicolumn{1}{|c|}{\bf EDB Required for Residency}\\
1432: \hline
1433: read, compare& MASTER, SLAVE, or CACHE\\
1434: list, search& MASTER, or SLAVE\\
1435: update& MASTER\\
1436: \hline
1437: \end{tabular}\]
1438: Note that after an update occurs,
1439: the DSA actually performing the update (the one holding the MASTER EDB)
1440: will write the in-core EDB structure to disk prior to returning the result
1441: of the operation.
1442: Of course,
1443: once a MASTER DSA updates its copy of the EDB,
1444: there is still the question of how DSAs with SLAVE copies receive this
1445: new information.
1446: The MASTER DSA does not explicitly inform them.
1447: A polling model is used instead.
1448:
1449:
1450: At present,
1451: a SLAVE DSA will reload its copy of an EDB when it starts,
1452: or when its \verb"manager" issues a management command directing it to do so.
1453: Later on,
1454: a script will be discussed which performs this task.
1455: The frequency at which the script runs (or how often a DSA reboots)
1456: determines how out of date a SLAVE copy of an EDB can become.
1457:
1458: Prior to requesting a copy of an EDB,
1459: a DSA checks to see if the timestamp has changed.
1460: If so,
1461: the EDB is updated.
1462: As noted earlier,
1463: the timestamp is the second line of an EDB file.
1464: Whenever a modification is made to an entry in an EDB file,
1465: the MASTER DSA for that EDB will update the timestamp accordingly.
1466: Similarly,
1467: whenever a text editor is used to modify an EDB file,
1468: the user should update the timestamp.
1469: The actual value is unimportant:
1470: when a DSA examines the timestamp,
1471: it looks only for a change;
1472: it does not consider whether the EDB is newer or older.
1473:
1474: Thus, while replication in the pilot is important to speed queries,
1475: updates still rely on a centralized entity being available.
1476: (This is the best compromise which can be taken without making the system
1477: tremendously more complex.)
1478:
1479:
\section {Organizational Model}
1480: The Organizational Model describes the service in terms of the policy
1481: defining interactions between entities and the information they hold.
1482: That is,
1483: this model describes how portions of the Directory tree map onto the DSAs.
1484: This includes issues of replication and access control.
1485: A {\em Directory Management Domain\/} (DMD) defines a portion of the
1486: Directory Tree and how it is managed.
1487:
1488: For the purposes of the pilot project,
1489: DSAs are divided into three categories:
1490: \begin{describe}
1491: \item[Level-0:] These DSAs are run by the sponsors of the NYSERNet/PSI White
1492: Pages Pilot. Their goal is to be highly-available
1493: authoritative servers.
1494:
1495: \item[Level-1:] Each organization participating in the pilot project runs
1496: a Level-1 DSA.%
1497: \footnote{The pilot project sponsors may run the Level-1 DSA on behalf of an
1498: organization so requested.
1499: This is discouraged, but may be necessary for resource constrained sites.}
1500: The Level-1 DSA for a participating organization holds authoritative
1501: information about that organization object.
1502:
1503: \item[Level-2:] As the size of the organization's subtree requires,
1504: an organization runs one or more Level-2 DSA to hold a portion of that subtree.
1505: Typically,
1506: a Level-2 DSA is run for each top-level organizational unit in the
1507: participating organization.
1508: \end{describe}
1509: Figure~\ref{dmd-topology} shows the top-level topology of the pilot project DMD.
1510: Each participating organization is represented by an \verb"organization"
1511: object ($O_1$ through $O_n$) under the \verb"c=US" tree.
1512: Underneath each \verb"c=US@o=O_i" object,
1513: one or more objects of class \verb"organizationalUnit" are placed.
1514: The structure beneath each \verb"c=US@o=O_i@ou=U_j" object
1515: is decided by the participating organization.
1516: The pilot project sponsors suggest that only \verb"pilotPerson" objects
1517: be placed underneath the organizational units.
1518: \tagfigure[tp]{INT-9}{Topology of the Pilot Project Directory Management Domain}%
1519: {dmd-topology}
1520:
1521: Now that the general structure is outlined,
1522: how does this portion of the Directory tree map onto DSAs?
1523:
1524: \subsection {Level-0 DSAs}
1525: There are two Level-0 DSAs.
1526: Both reside directly under the ROOT.
1527:
1528: The first Level-0 DSA, \verb"cn=Alpaca",
1529: contains a copy of the ROOT EDB which it obtains directly from the
1530: DSA holding the MASTER copy of the ROOT EDB.
1531: In addition,
1532: \verb"cn=Alpaca" is a MASTER DSA for \verb"c=US".
1533: It propagates this EDB to the second Level-0 DSA,
1534: and to the Level-1 DSAs of all participating organizations
1535: (e.g., each DSA holding the MASTER of the \verb"c=US@o=O_i" EDB).
1536: In addition,
1537: these Level-1 DSAs propagate a copy of their EDB for \verb"c=US@o=O_i"
1538: to this Level-0 DSA.
1539: Finally,
1540: this DSA receives a copy of the EDB for \verb"c=US@l=NY".
1541:
1542: Figure~\ref{alpaca-edb} shows the entry corresponding to this DSA.
1543: A single participating organization is shown in this entry.
1544: \tagfigure[tp]{INT-10}{The Entry for the Level-0 DSA, cn=Alpaca}{alpaca-edb}
1545:
1546: The second Level-0 DSA, \verb"cn=Fruit Bat",
1547: contains a copy of the ROOT and \verb"c=US" EDBs which it obtains from
1548: \verb"cn=Alpaca".
1549: It may propagate these EDBs to any Level-1 DSA
1550: (in case \verb"cn=Alpaca" is unavailable for an extended period of time).
1551: In addition,
1552: these Level-1 DSAs
1553: propagate a copy of their MASTER EDB to this Level-0 DSA.
1554: Finally,
1555: \verb"cn=Fruit Bat" is a MASTER DSA for \verb"c=US@l=NY",
1556: which it propagates to \verb"cn=Alpaca".
1557:
1558: Figure~\ref{fruitbat-edb} shows the entry corresponding to this DSA.
1559: As with the \verb"cn=Alpaca" DSA,
1560: a single participating organization is shown.
1561: \tagfigure[tp]{INT-11}{The Entry for the Level-0 DSA, cn=Fruit Bat}%
1562: {fruitbat-edb}
1563:
1564: Level-0 DSAs perform chaining when handling requests from other DSAs.
1565:
1566: \subsection {Level-1 DSAs}
1567: Each participating organization runs a DSA which contains the MASTER EDB
1568: for that organization.
1569: This DSA resides directly under \verb"c=US".
1570:
1571: This DSA receives a copy of the ROOT and \verb"c=US" EDBs from
1572: one of the Level-0 DSAs (usually \verb"cn=Alpaca").
1573: It also propagates its MASTER copy of the \verb"c=US@o=O_i" EDB to
1574: both Level-0 DSAs.
1575:
1576: In addition,
1577: this DSA propagates its EDB and a copy of the ROOT and \verb"c=US" EDBs
1578: to all Level-2 DSAs run by this organization.
1579: Similarly,
1580: each of these Level-2 DSAs propagate {\em all\/} of the EDBs they
1581: MASTER (e.g., \verb"c=US@o=O_i@ou=U_j") to this Level-1 DSA.
1582:
1583: Level-1 DSAs perform chaining when handling requests from other DSAs.
1584:
1585: Figure~\ref{spectacledbear-edb} shows the entry corresponding to a Level-1 DSA,
1586: which might be named \verb"c=US@cn=Spectacled Bear".
1587: A single subordinate Level-2 DSA is shown in this entry.
1588: \tagfigure[tp]{INT-12}{The Entry for a Level-1 DSA}{spectacledbear-edb}
1589:
1590: \subsection {Level-2 DSAs}
1591: Each participating organization runs zero or more Level-2 DSAs as the size of
1592: their organizational units require.
1593: These DSAs reside directly under \verb"c=US@o=O_i".
1594:
1595: \[\fbox{\begin{tabular}{lp{0.8\textwidth}}
1596: \bf NOTE:& At present, the pilot sponsors discourage the use of Level-2
1597: DSAs.
1598:
1599: Nevertheless,
1600: it is important to structure an organization so that it
1601: contains organizational units.
1602: In this fashion,
1603: when a Level-1 DSA is too large to run on an available system,
1604: a Level-2 DSA can be used to reduce the memory requirements
1605: on the system running the Level-1 DSA.
1606: \end{tabular}}\]
1607:
1608: Level-2 DSAs receive a copy of the \verb"c=US@o=O_i" EDB from their
1609: superior Level-1 DSA,
1610: along with SLAVE copies of the ROOT and \verb"c=US" EDBs.
1611: They also propagate all MASTER copies of the EDBs they hold to this Level-1
1612: DSA.
1613:
1614: Level-1 DSAs perform referrals when handling requests from other DSAs.
1615:
1616: Figure~\ref{toucan-edb} shows the entry corresponding to a Level-2 DSA,
1617: which might be named \verb"c=US@o=NYSERNet Inc.@cn=Toucan".
1618: \tagfigure[tp]{INT-13}{The Entry for a Level-2 DSA}{toucan-edb}
1619:
1620: \subsection {DUAs}
1621: In terms of the pilot project,
1622: DUAs conceptually exist at the same level as Level-2 DSAs.
1623: When a DUA associates with a DSA to access the Directory service,
1624: chaining is preferred over referrals,
1625: so that the associated DSA may cache the results to any query made by the DUA.
1626: This will slightly enhance the performance for other DUAs which later
1627: associate with this particular DSA.
1628:
1629: The preference to be used when associating with a DSA is:
1630: \begin{itemize}
1631: \item ``closest'' Level-2 DSA; followed by
1632:
1633: \item Level-1 DSA; followed by
1634:
1635: \item \verb"cn=Fruit Bat"; followed by
1636:
1637: \item \verb"cn=Alpaca".
1638: \end{itemize}
1639:
1640:
\section {Security Model}
1641: The Security Model describes the service in terms of authentication
1642: and authorization.
1643: For the purposes of the pilot project,
1644: ``simple'' authentication is performed (i.e., passwords).
1645: The pilot project supports an anonymous DN, termed the NULL DN,
1646: which may be used for public, read-only access.
1647: Otherwise,
1648: users are required to bind to the Distinguished Name which corresponds
1649: to them.
1650:
1651: Note that an important feature of the DMD topology presented in the
1652: Organizational Model is that information on users
1653: (and hence their passwords and any other sensitive information)
1654: is kept only on Level-1 and Level-2 DSAs.
1655: Since,
1656: in general,
1657: these DSAs are run by each participating organization,
1658: each organization may safeguard the disk-resident EDB files accordingly.
1659:
1660: Because the ROOT, \verb"c=US", and \verb"c=US@o=O_i" EDBs are widely
1661: replicated,
1662: entries contained therein should not rely on \verb"self" access control
1663: for modification.
1664: That is,
1665: the entries contained in this EDBs should:
1666: \begin{itemize}
1667: \item if of object class \verb"quipuDSA", have a \verb"manager"
1668: attribute which resolves to an entry which is not propagated outside
1669: of the associated organization; e.g.,
1670: \begin{quote}\small\begin{verbatim}
1671: manager= c=US@o=O_i@cn=Manager
1672: \end{verbatim}\end{quote}
1673: which is an object of classe \verb"alias" to
1674: \begin{quote}\small\begin{verbatim}
1675: c=US@o=O_i@ou=Development@cn=FirstName LastName
1676: \end{verbatim}\end{quote}
1677: and,
1678:
1679: \item regardless of the object class,
1680: always use \verb"group" access to specify an entry which is not
1681: propagated outside of the associated organization; e.g.,
1682: \begin{quote}\scriptsize\begin{verbatim}
1683: acl= others # read # entry
1684: acl= group # c=US@o=O_i@cn=Manager # write # entry
1685: acl= others # read # default
1686: acl= group # c=US@o=O_i@cn=Manager # write # default
1687: acl= others # compare # attributes # accessControlList$userPassword
1688: acl= group # c=US@o=O_i@cn=Manager # write # attributes # accessControlList$userPassword
1689: \end{verbatim}\end{quote}
1690: \end{itemize}
1691: Note that the object associated with the \verb"manager" attribute of a DSA
1692: is effectively the ``super user'' for all EDBs which that DSA MASTERs.
1693: As such,
1694: the \verb"userPassword" associated with the corresponding object should be
1695: protected to the greatest extent practical.
1696:
1697: Since there is no hope of protecting the passwords for a DSA or any object
1698: residing in the ROOT, \verb"c=US", and possibly \verb"c=US@o=O_i" EDBs,
1699: this policy effectively revokes any privileges assocated with the passwords of
1700: the entries contained in these EDBs.
1701:
1702:
\section {Running your DMD}
1703: The pilot sponsors prefer that you administer your own DMD by running the
1704: pilot software on one of your own systems,
1705: doing maintenance,
1706: and so on.
1707: You should now continue with Chapter~\ref{installation}.
1708:
1709: However,
1710: if your site is a member of NYSERNet, Inc.,
1711: then the pilot sponsors will administer the DMD for you,
1712: if you lack the facilities to do so.
1713: In this case,
1714: you will be required to provide EDB files to the pilot sponsors.
1715: Contact
1716: \begin{quote}\small\begin{verbatim}
1717: [email protected]
1718: \end{verbatim}\end{quote}
1719: to find out the full details.
1720:
1721: For now,
1722: note that entries are formatted as described above,
1723: but with a few read-only modifications:
1724: \begin{itemize}
1725: \item The \verb"accessControlList" attribute is simply:
1726: \begin{quote}\small\begin{verbatim}
1727: acl=
1728: \end{verbatim}\end{quote}
1729:
1730: \item The \verb"userPassword" attribute is not present.
1731: \end{itemize}
1732:
This archive runs on limited infrastructure. Preserving old code on modern bandwidth. Automated agents are requested to crawl responsibly.