IDS Working Group David Chadwick Internet-Draft University of Salford DANTE IN PRINT 18 January 21 1996 draft-ietf-ids-root-naming-00.txt Expires: July 21 1996 Managing the X.500 Root Naming Context Status of this Memo This document is an Internet-Draft. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months. Internet-Drafts may be updated, replaced, or obsoleted by other documents at any time. It is not appropriate to use Internet-Drafts as reference material or to cite them other than as a ``working draft'' or ``work in progress.'' To learn the current status of any Internet-Draft, please check the 1id-abstracts.txt listing contained in the Internet-Drafts Shadow Directories on ds.internic.net, nic.nordu.net, ftp.nisc.sri.com, or munnari.oz.au. Abstract The X.500 Standard [X.500 93] has the concept of first level DSAs, whose administrators must collectively manage the root naming context through bi-lateral agreements or other private means which are outside the scope of the Standard. The Paradise-NameFLOW X.500 service has an established procedure for managing the root naming context, which currently uses Quipu proprietary replication mechanisms and a root DSA. The benefits that derive from this are twofold: - firstly it is much easier to co-ordinate the management of the root context information, when there is a central point of administration, - secondly the performance of one-level Search operations is greatly improved because the Quipu distribution and replication mechanism does not have a restriction that exists in the 1988 and 1993 Standard. The Paradise-NameFLOW project is moving towards 1993 Standard replication protocols and wants to standardise the protocol and procedure for managing the root naming context which will be based on 1993 Standard protocols. Such a protocol and procedure will be useful to private X.500 domains as well as to the Internet X.500 public domain. It is imperative that overall system performance is not degraded by this transition. This document describes the use of 1993 Standard protocols for managing the root context. Whilst the ASN.1 is compatible with that of the Standard, the actual settings of the parameters are supplementary to that of the Standard. Table of Contents 1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . .3 2 Migration Plan . . . . . . . . . . . . . . . . . . . . . . . .3 3 Technical Solution . . . . . . . . . . . . . . . . . . . . . .4 4 Interim Solution . . . . . . . . . . . . . . . . . . . . . . .7 5 Security Considerations. . . . . . . . . . . . . . . . . . . .8 6 Acknowledgements . . . . . . . . . . . . . . . . . . . . . . .8 References . . . . . . . . . . . . . . . . . . . . . . . . . . .9 Author's Address . . . . . . . . . . . . . . . . . . . . . . . .9 Annex 1 Solution Text of Defect Reports submitted to ISO/ITU-T by the UK . . . . . . . . . . . . . . . . . . . . . . . . 10 1 Introduction The Paradise-NameFLOW service has a proprietary way of managing the set of first level DSAs and the root naming context. There is a single root DSA (Giant Tortoise) which holds all of the country entries, and the country entries are then replicated to every country (first level) DSA by Quipu replication [RFC 1276] from the root DSA. The root DSA is not a feature of the X.500 Standard [X.500 93]. It was introduced because of the non-standard nature of the original Quipu knowledge model (also described in RFC 1276). However, it does have significant advantages both in managing the root naming context and in the performance of one-level Searches of the root. Performance is increased because each country DSA holds all the entry information of every country. By comparison, the 1988 Standard root context which is replicated to all the country DSAs, only holds knowledge information and a boolean (to say if the entry is an alias or not) for each country entry. This is sufficient to perform a List operation, but not a one-level Search operation. When access controls were added to the 1993 Standard, the root context information was increased (erroneously as it happens - this is the subject of defect report 140 - see Annex 1) to hold the access controls for each country entry, but a note in the Standard restricted its use to the List operation, in order to remain compatible with the 1988 edition of the Standard. 2 Migration Plan The Paradise-NameFLOW service is now migrating to 1993 Standard [X.500 93] conforming products, and it is essential to replace the Quipu replication protocol with the 1993 shadowing and operational binding protocols, but without losing the performance improvement that has been gained for one-level Searches. It is still the intention of the Paradise-NameFLOW service to have one master root DSA. This root DSA will not support user Directory operations via the DAP or the DSP, but each country (first level) DSA will be able to shadow the root context from this root DSA, using the DISP. Each first level DSA then only needs to have one bi-lateral agreement, between itself and the root DSA. This agreement will ensure that the first level DSA keeps the root DSA up to date with its country level information, and in turn, that the root DSA keeps the first level DSA up to date with the complete root naming context. When a new first level DSA comes on line, it only needs to establish a bi-lateral agreement with the root DSA, in order to obtain the complete root context. This is a much easier configuration to manage than simply a set of first level DSAs without a root DSA, as suggested in the Standard. In this case each first level DSA must have bi-lateral agreements with all of the other first level DSAs. When a new first level DSA comes on line, it must establish agreements with all the existing first level DSAs. As the number of first level DSAs grows, the process becomes unmanageable. However, it is also important to increase the amount of information that is held about every country entry, so that a one-level Search operation can be performed in each first level DSA, without it needing to chain or refer the operation to all the other first level DSAs (as is currently the case with a Standard conformant system.) 3 Technical Solution 3.1 The solution is three-fold. Firstly, create a root DSA, and establish hierarchical operational bindings between it and each master first level DSA (3.2). Secondly, the Standard is enhanced to allow extra information to be carried to the root DSA via the HOB, and for this information to be used for one-level Search operations (3.3). Thirdly, each master first level DSA enters into a shadowing agreement with the root DSA, to shadow the enlarged root context information. In this way each first level DSA is then capable of independently performing List and one-level Search operations, and name resolving to all other first level DSAs (3.4). (Note 1. It is strongly recommended that non-specific subordinate references should not be allowed in the root context for efficiency reasons. This is directed by the European functional standard [ENV 41215] and the NADF standing document [NADF 7]. It is also preferred by the International Standardized Profile [ISP 10615-6].) (Note 2. It is recognised that manufacturers are taking a phased approach to implementing the features of the 1993 Standard, and are usually implementing the DISP prior to the DOP. For this reason, section 4 details an interim solution that relies entirely on the DISP for populating the root DSA.) 3.2 Each master first level DSA will have a hierarchical operational binding with the root DSA of the domain. Each master first level DSA will master one or more first level entries. The hierarchical operational binding will keep the appropriate subordinate reference(s) (of category shadow and master) up to date, as well as the other entry information that is needed for one-level Search operations (such as access controls, and attributes used in filtering). Whilst hierarchical agreements are standardised, this particular novel use of a HOB is not specifically recognised in the Standard. Although the ASN.1 will support it, there is no supporting text in the Standard. The following text supplements that in the Standard, and describes how a first level DSA may have a hierarchical operational binding with the root DSA of its domain. "Clause 24 of ISO/IEC 9594-4:1993 shall also apply when a first level DSA is a subordinate DSA, and the root DSA of the domain is the superior DSA. The naming context held by the superior (root) DSA is the root naming context (or root context - the terms are synonymous) of the domain. The root context consists of the root entry of the DIT (which is empty) plus a complete set of subordinate DSEs, one for each first level naming context in the domain. The subordinate DSEs will contain, in addition to specific knowledge attribute values of category master and shadow, sufficient attributes, including access control information, to allow List and one-level Search operations to be performed on them. In clause 24.1.2, the DistinguishedName of the immediateSuperior component of HierarchicalAgreement shall be null." 3.3 The ASN.1 of hierarchical operational bindings already allows any attributes to be passed from the subordinate DSA to the superior DSA (SubordinateToSuperior parameter in clause 24.1.4.2 of X.518). However, a note in the Standard limits this to those which are required to perform a List operation. The UK submitted a ballot comment to the PDAM on Minor Extensions to OSI Directory Service to support User Requirements, to remove this restriction, so that the attributes may also be used for a one-level Search operation. This amendment has been accepted, and the restriction has been removed in the current Draft Amendment to the 1996 version of the Standard [DAM User]. 1993 implementations of X.500 conforming to this RFC, shall also remove this restriction. 3.4 Each master first level DSA will enter into a shadowing agreement with the root DSA, for the purpose of shadowing the root naming context. The 1993 edition of the Standard explicitly recognises that there can be master and shadow first level DSAs (X.501 Section 18.5). (The 1988 edition of the standard does not explicitly recognise this, since it does not recognise shadowing.) A shadow first level DSA holds a copy of the root context, provided by a master first level DSA. In addition it holds shadow copies of the (one or more) country entries that the master first level DSA holds. There is currently an outstanding defect report [UK 142] on the 1993 Standard to clarify how a shadowing agreement is established between first level DSAs. Once this has been ratified, the only additional text needed in order to establish a shadowing agreement between the root DSA and a master first level DSA is as follows: "When clause 9.2 of ISO/IEC 9594-9:1993 is applied to the shadowing of the root context by a first level DSA from the root DSA of a domain, then UnitOfReplication shall be set as follows: contextPrefix of AreaSpecification shall be null, replicationArea of AreaSpecification shall be set to SEQUENCE { specificExclusions [1] SET OF { chopBefore [0] FirstLevelEntry}, maximum [3] 1 } where FirstLevelEntry is the RDN of a first level entry (e.g. country, locality or international organisation) held by the master first level DSA. specificExclusions shall contain one FirstLevelEntry for each first level entry mastered by this DSA, attributes of UnitofReplication shall be an empty SET OF SEQUENCE, knowledge of UnitofReplication shall be set to both (shadow and master). In other words, the information that will be replicated will be an empty root entry plus all the attributes of the complete set of subordinate DSEs of the root, excluding the DSEs that the first level DSA already masters." Note that the maximum component of replicationArea, although not strictly necessary, is there for pragmatic reasons, for example, where a community of users wish to use the root DSA to hold some country specific entries. 4 Interim Solution 4.1 The interim solution may be of use to systems which do not yet support the DOP for managing hierarchical operational bindings. The interim solution comprises of two replacement steps for HOB establishment between the root DSA and master first level DSAs. Step one (4.2) allows the root DSA to shadow first level entries from a master first level DSA. Step two (4.3) requires either the root DSA administrator or the root DSA implementation to massage the shadow first level entries so that they appear to have been created by a HOB. Managing the root context then continues as in 3.4 above. 4.2 The hierarchical operational binding between the root DSA and a master first level DSA can be replaced by a set of "spot" shadowing agreements, in which the first level DSA acts as the supplier, and the root DSA as the consumer. Each "spot" shadowing agreement replicates a first level entry which is mastered by the first level DSA. The UnitOfReplication shall be set as follows: contextPrefix of AreaSpecification shall be FirstLevelEntry, replicationArea of AreaSpecification shall be set to SEQUENCE { specificExclusions [1] SET OF { chopAfter [1] {null} } } where FirstLevelEntry is the Distinguished Name of a first level entry (e.g. country, locality or international organisation) held by the master first level DSA. attributes of UnitofReplication shall be an empty SET OF SEQUENCE, knowledge of UnitofReplication shall be absent. 4.3 The root DSA administrator, or the root DSA implementation (suitably tailored) must then administratively update each shadowed first level entry, so that they appear to have been created by a HOB, i.e. it is necessary to add a subordinate reference to each one of them. The subordinate reference will point to the respective master first level DSA, and will comprise of a specific knowledge attribute, and the DSE bit of type subr being set. The contents of the specific knowledge attribute can be created from the contents of the supplier knowledge attribute already present in the first level entry and created by the "spot" shadowing agreement. 5 Security Considerations Security considerations are not discussed in this memo. 6 Acknowledgements The author would like to thank DANTE, without whose funding this work would not have been possible. The author would also like to thank Nexor, who reviewed the document in detail and provided valuable comments, and who first suggested the Interim Solution as a stop-gap measure until the DOP is widely implemented. References [RFC 1276] Kille, S., "Replication and Distributed Operations extensions to provide an Internet Directory using X.500", UCL, November 1991. [X.500 93] X.500 | 9594.Part 1 Overview of Concepts, Models and Services X.501 | 9594.Part 2 Models X.511 | 9594.Part 3 Abstract Service Definition X.518 | 9594.Part 4 Procedures for Distributed Operations X.519 | 9594.Part 5 Protocol Specifications X.520 | 9594.Part 6 Selected Attribute Types X.521 | 9594.Part 7 Selected Object Classes X.509 | 9594.Part 8 Authentication Framework X.525 | 9594.Part 9 Replication [ENV 41215] "Behaviour of DSAs for Distributed Operations", European Pre-Standard, Dec 1992 [ISP 10615-6] "DSA Support of Distributed Operations", 5th draft pDISP, Oct 1994 [NADF 7] SD-7 "Mapping the North American DIT onto Directory Management Domains", North American Directory Forum, V 8.0, Jan 1993 [UK 142] Defect report number 142, submitted by the UK to ISO, March 1995. (Proposed solution text included in Annex 1) [DAM User] Draft Amendments on Minor Extensions to OSI Directory Service to support User Requirements, August 1995. Author's Address D W Chadwick IT Institute University of Salford Salford M5 4WT England Phone: +44 161 745 5351 Fax: +44 161 745 8169 E-mail: D.W.Chadwick@iti.salford.ac.uk Annex 1 Solution Text of Defect Reports submitted to ISO/ITU-T by the UK Defect Report 140 Nature of Defect In section 24.1.4.2 it is defined that the SubordinateToSuperior parameter of a HOB can pass an entryInfo parameter. This should contain entryACI which may be used in the resolution of the List operation. This is not correct as the prescriptive ACI from the relevant subentries is also required in the superior DSA. Solution Proposed by Source It is proposed that the following is added to the SubordinateToSuperior SEQUENCE of section 24.1.4.2 of X.518: subentries [2] SET OF SubentryInfo OPTIONAL This is used to pass the relevant subentries from the subordinate to the superior. This is similar to the way subentry information is passed in the SuperiorToSubordinate parameter defined in 24.1.4.1. Defect Report 142 Nature of Defect The text which describes AreaSpecification in clause 9.2 of X.525 is completely general. However, for the special case of replicating first level knowledge references between first level DSAs, a clarifying sentence should be added. Solution Proposed by Source In Section 9.2, under the ASN.1, after the description of area, and before the description of SubtreeSpecification, add the sentence: "For the case where a DSA is shadowing first level knowledge from a first level DSA, the contextPrefix component is empty."
Datatracker
Report a datatracker bug
draft-ietf-ids-root-naming-00
Internet-Draft
| Document | Document type |
This is an older version of an Internet-Draft that was ultimately published as RFC 2120.
Expired & archived
|
|
|---|---|---|---|
| Select version | |||
| Compare versions | |||
| Author | |||
| RFC stream |
|
||
| Other formats | |||
| Additional resources | Mailing list discussion |