Recommendation X.521

THE DIRECTORY - SELECTED OBJECT CLASSES 1)

(Melbourne, 1988)

CONTENTS

0 Introduction
1 Scope and field of application
2 References
3 Definitions and abbreviations
  3.1 OSI Reference Model Definitions
  3.2 Directory Model Definitions
4 Notation

SECTION 1 - Selected Object Classes

5 Definitions of Useful Attribute Sets
  5.1 Telecommunication Attribute Set
  5.2 Postal Attribute Set
  5.3 Locale Attribute Set
  5.4 Organizational Attribute Set
6 Definition of Selected Object Classes
  6.1 Top
  6.2 Alias
  6.3 Country
  6.4 Locality
  6.5 Organization
  6.6 Organizational Unit
  6.7 Person
  6.8 Organizational Person
  6.9 Organizational Rôle
  6.10 Group of Names
  6.11 Residential Person
  6.12 Application Process
  6.13 Application Entity
  6.14 DSA
  6.15 Device
  6.16 Strong Authentication User
  6.17 Certification Authority
Annex A - Selected Object Classes in ASN.1
Annex B - Suggested Name Forms and DIT Structures

0 Introduction

0.1 This document, together with the others of the series, has been produced to facilitate the interconnection of information processing systems to provide directory services. The set of all such systems, together with the directory information which they hold, can be viewed as an integrated whole, called the Directory. The information held by the Directory, collectively known as the Directory Information Base (DIB), is typically used to facilitate communication between, with or about objects such as application entities, people, terminals, and distribution lists.

0.2 The Directory plays a significant role in Open Systems Interconnection, whose aim is to allow, with a minimum of technical agreement outside of the interconnection standards themselves, the interconnection of information processing systems:
- from different manufacturers;
- under different managements;
- of different levels of complexity; and
- of different ages.
0.3 This Recommendation defines (in section one) a number of attribute sets and object classes which may be found useful across a range of applications of the Directory.

0.4 Annex A, which is a part of the standard, provides an ASN.1 module containing all of the type and value definitions which appear in this document.

0.5 Annex B, which is not part of the Recommendation, provides some common naming and structure rules which may or may not be used by Administrative authorities.

1) Recommendation X.521 and ISO 9594-7, Information Processing Systems - Open Systems Interconnection - The Directory - Selected object classes, were developed in close collaboration and are technically aligned.

Fascicle VIII.8 - Rec. X.521

1 Scope and field of application

1.1 This Recommendation defines a number of selected attribute sets and object classes which may be found useful across a range of applications of the Directory. The definition of an attribute set involves identifying the attributes that it contains, and facilitates the definition of object classes. The definition of an object class involves optionally allocating an Object Identifier to it, and listing a number of attribute types which are relevant to objects of that class. These definitions are used by the administrative authority which is responsible for the management of the Directory information.

1.2 Any Administrative Authority can define its own object classes and subclasses for any purpose.

Note 1 - These definitions may or may not use the notation specified in Recommendation X.501.

Note 2 - It is recommended that an object class defined in this document, or a subclass derived from one, be used in preference to the generation of a new one, whenever the semantics is appropriate for the application.

1.3 Administrative authorities may support some or all the selected object classes, and may also add object classes.
All Administrative authorities shall support the object classes which the directory uses for its own purpose (the top, alias and DSA object classes).

2 References

Recommendation X.200 - Open Systems Interconnection - Basic Reference Model (see also ISO 7498)
Recommendation X.500 - The Directory - Overview of Concepts, Models and Services (see also ISO 9594-1)
Recommendation X.501 - The Directory - Models (see also ISO 9594-2)

3 Definitions and abbreviations

3.1 OSI Reference Model Definitions

This Recommendation makes use of the following definitions from Recommendation X.200:
a) application-entity;
b) application-process.

3.2 Directory Model Definitions

This Recommendation makes use of the following definitions from Recommendation X.501:
a) attribute;
b) attribute type;
c) Directory Information Tree (DIT);
d) Directory System Agent (DSA);
e) attribute set;
f) entry;
g) name;
h) object class;
i) subclass.

4 Notation

Object classes are defined in this document by the use of special notation, defined as an ASN.1 macro, OBJECT-CLASS, in Recommendation X.501. One "generic" object identifier (objectClass) is used in specifying the object identifiers being allocated to object classes. Its definition can be found in Annex B of the same Recommendation.

Attribute sets are defined in this document by the use of special notation, defined as an ASN.1 macro, ATTRIBUTE-SET, in Recommendation X.501. One "generic" object identifier (attributeSet) is used in specifying the object identifiers being allocated to attribute set definitions. Its definition can be found in Annex B of the same Recommendation.

SECTION 1 - Selected Object Classes

5 Definition of Useful Attribute Sets

5.1 Telecommunication Attribute Set

This set of attributes is used to define those which are commonly used for business communications.
    telecommunicationAttributeSet ATTRIBUTE-SET
        CONTAINS {
            facsimileTelephoneNumber,
            iSDNAddress,
            telephoneNumber,
            teletexTerminalIdentifier,
            telexNumber,
            x121Address,
            preferredDeliveryMethod,
            destinationIndicator,
            registeredAddress}
    ::= {attributeSet 0}

5.2 Postal Attribute Set

This set of attributes is used to define those which are directly associated with postal delivery.

    postalAttributeSet ATTRIBUTE-SET
        CONTAINS {
            physicalDeliveryOfficeName,
            postalAddress,
            postalCode,
            postOfficeBox,
            streetAddress}
    ::= {attributeSet 1}

5.3 Locale Attribute Set

This set of attributes is used to define those which are commonly used for search purposes to indicate the locale of an object.

    localeAttributeSet ATTRIBUTE-SET
        CONTAINS {
            localityName,
            stateOrProvinceName,
            streetAddress}
    ::= {attributeSet 2}

5.4 Organizational Attribute Set

This set of attributes is used to define the attributes that an organization or organizational unit may typically possess.

    organizationalAttributeSet ATTRIBUTE-SET
        CONTAINS {
            description,
            localeAttributeSet,
            postalAttributeSet,
            telecommunicationAttributeSet,
            businessCategory,
            seeAlso,
            searchGuide,
            userPassword}
    ::= {attributeSet 3}

6 Definition of Selected Object Classes

6.1 Top

The top object class, of which every other object class is a subclass, is defined, except for the allocation of an object identifier, in Recommendation X.501.

    top Top ::= {objectClass 0}

6.2 Alias

The alias object class, from which classes for alias entries may be derived, is defined, except for the allocation of an object identifier, in Recommendation X.501.

    alias Alias ::= {objectClass 1}

6.3 Country

The Country object class is used to define country entries in the DIT.

    country OBJECT-CLASS
        SUBCLASS OF top
        MUST CONTAIN {
            countryName}
        MAY CONTAIN {
            description,
            searchGuide}
    ::= {objectClass 2}

6.4 Locality

The Locality object class is used to define locality entries in the DIT.
    locality OBJECT-CLASS
        SUBCLASS OF top
        MAY CONTAIN {
            description,
            localityName,
            stateOrProvinceName,
            searchGuide,
            seeAlso,
            streetAddress}
    ::= {objectClass 3}

At least one of Locality Name or State or Province Name must be present.

6.5 Organization

The Organization object class is used to define organization entries in the DIT.

    organization OBJECT-CLASS
        SUBCLASS OF top
        MUST CONTAIN {
            organizationName}
        MAY CONTAIN {
            organizationalAttributeSet}
    ::= {objectClass 4}

6.6 Organizational Unit

The Organizational Unit object class is used to define entries representing subdivisions of organizations.

    organizationalUnit OBJECT-CLASS
        SUBCLASS OF top
        MUST CONTAIN {
            organizationalUnitName}
        MAY CONTAIN {
            organizationalAttributeSet}
    ::= {objectClass 5}

6.7 Person

The Person object class is used to define entries representing people generically.

    person OBJECT-CLASS
        SUBCLASS OF top
        MUST CONTAIN {
            commonName,
            surname}
        MAY CONTAIN {
            description,
            seeAlso,
            telephoneNumber,
            userPassword}
    ::= {objectClass 6}

6.8 Organizational Person

The Organizational Person object class is used to define entries representing people employed by, or in some other important way associated with, an organization.

    organizationalPerson OBJECT-CLASS
        SUBCLASS OF person
        MAY CONTAIN {
            localeAttributeSet,
            organizationalUnitName,
            postalAttributeSet,
            telecommunicationAttributeSet,
            title}
    ::= {objectClass 7}

6.9 Organizational Rôle

The Organizational Rôle object class is used to define entries representing an organizational role, i.e. a position or rôle within an organization. An organizational rôle is normally considered to be filled by a particular organizational person. Over its lifetime, however, an organizational rôle may be filled by a number of different organizational people in succession. In general, an organizational rôle may be filled by a person or a non-human entity.
    organizationalRole OBJECT-CLASS
        SUBCLASS OF top
        MUST CONTAIN {
            commonName}
        MAY CONTAIN {
            description,
            localeAttributeSet,
            organizationalUnitName,
            postalAttributeSet,
            preferredDeliveryMethod,
            roleOccupant,
            seeAlso,
            telecommunicationAttributeSet}
    ::= {objectClass 8}

6.10 Group of Names

The Group of Names object class is used to define entries representing an unordered set of names which represent individual objects or other groups of names. The membership of a group is static; that is, it is explicitly modified by administrative action, rather than dynamically determined each time the group is referred to.

The membership of a group can be reduced to a set of individual objects' names by replacing each group with its membership. This process could be carried out recursively until all constituent group names have been eliminated, and only the names of individual objects remain.

    groupOfNames OBJECT-CLASS
        SUBCLASS OF top
        MUST CONTAIN {
            commonName,
            member}
        MAY CONTAIN {
            description,
            organizationName,
            organizationalUnitName,
            owner,
            seeAlso,
            businessCategory}
    ::= {objectClass 9}

6.11 Residential Person

The Residential Person object class is used to define entries representing a person in the residential environment.

    residentialPerson OBJECT-CLASS
        SUBCLASS OF person
        MUST CONTAIN {
            localityName}
        MAY CONTAIN {
            localeAttributeSet,
            postalAttributeSet,
            preferredDeliveryMethod,
            telecommunicationAttributeSet,
            businessCategory}
    ::= {objectClass 10}

6.12 Application Process

The Application Process object class is used to define entries representing application processes. An application process is an element within a real open system which performs the information processing for a particular application (see Recommendation X.200).

    applicationProcess OBJECT-CLASS
        SUBCLASS OF top
        MUST CONTAIN {
            commonName}
        MAY CONTAIN {
            description,
            localityName,
            organizationalUnitName,
            seeAlso}
    ::= {objectClass 11}

6.13 Application Entity

The Application Entity object class is used to define entries representing application entities. An application entity consists of those aspects of an application-process pertinent to OSI.

    applicationEntity OBJECT-CLASS
        SUBCLASS OF top
        MUST CONTAIN {
            commonName,
            presentationAddress}
        MAY CONTAIN {
            description,
            localityName,
            organizationName,
            organizationalUnitName,
            seeAlso,
            supportedApplicationContext}
    ::= {objectClass 12}

Note - If an Application Entity is represented as a Directory object that is distinct from an Application Process, the commonName attribute is used to carry the value of the Application Entity Qualifier.

6.14 DSA

The DSA object class is used to define entries representing DSAs. A DSA is as defined in Recommendation X.501.

    dSA OBJECT-CLASS
        SUBCLASS OF applicationEntity
        MAY CONTAIN {
            knowledgeInformation}
    ::= {objectClass 13}

6.15 Device

The Device object class is used to define entries representing devices. A device is a physical unit which can communicate, such as a modem, disk drive, etc.

    device OBJECT-CLASS
        SUBCLASS OF top
        MUST CONTAIN {
            commonName}
        MAY CONTAIN {
            description,
            localityName,
            organizationName,
            organizationalUnitName,
            owner,
            seeAlso,
            serialNumber}
    ::= {objectClass 14}

Note - At least one of localityName, serialNumber or owner should be included. The choice is dependent on device type.

6.16 Strong Authentication User

The Strong Authentication User object class is used in defining entries for objects which participate in strong authentication, as defined in Recommendation X.509.

    strongAuthenticationUser OBJECT-CLASS
        SUBCLASS OF top
        MUST CONTAIN {
            userCertificate}
    ::= {objectClass 15}

6.17 Certification Authority

The Certification Authority object class is used in defining entries for objects which act as certification authorities, as defined in Recommendation X.509.
    certificationAuthority OBJECT-CLASS
        SUBCLASS OF top
        MUST CONTAIN {
            cACertificate,
            certificateRevocationList,
            authorityRevocationList}
        MAY CONTAIN {
            crossCertificatePair}
    ::= {objectClass 16}

ANNEX A
(to Recommendation X.521)

Selected Object Classes in ASN.1

This Annex includes all of the ASN.1 type and value definitions contained in this Recommendation in the form of the ASN.1 module, SelectedObjectClasses.

    SelectedObjectClasses {joint-iso-ccitt ds(5) modules(1) selectedObjectClasses(6)}
    DEFINITIONS ::=
    BEGIN
    -- exports everything
    IMPORTS
        objectClass, attributeSet, informationFramework, selectedAttributeTypes
            FROM UsefulDefinitions {joint-iso-ccitt ds(5) modules(1) usefulDefinitions(0)}
        OBJECT-CLASS, ATTRIBUTE-SET, Top, Alias
            FROM InformationFramework informationFramework
        authorityRevocationList, businessCategory, cACertificate,
        certificateRevocationList, commonName, countryName, description,
        destinationIndicator, facsimileTelephoneNumber, internationalISDNNumber,
        knowledgeInformation, localityName, member, organizationName,
        organizationalUnitName, owner, physicalDeliveryOfficeName, postOfficeBox,
        postalAddress, postalCode, preferredDeliveryMethod, presentationAddress,
        registeredAddress, roleOccupant, searchGuide, seeAlso, serialNumber,
        stateOrProvinceName, streetAddress, supportedApplicationContext, surname,
        telephoneNumber, teletexTerminalIdentifier, telexNumber, title,
        userCertificate, userPassword, x121Address
            FROM SelectedAttributeTypes selectedAttributeTypes;

    telecommunicationAttributeSet ATTRIBUTE-SET
        CONTAINS {
            facsimileTelephoneNumber,
            iSDNAddress,
            telephoneNumber,
            teletexTerminalIdentifier,
            telexNumber,
            x121Address,
            preferredDeliveryMethod,
            destinationIndicator,
            registeredAddress}
    ::= {attributeSet 0}

    postalAttributeSet ATTRIBUTE-SET
        CONTAINS {
            physicalDeliveryOfficeName,
            postalAddress,
            postalCode,
            postOfficeBox,
            streetAddress}
    ::= {attributeSet 1}

    localeAttributeSet ATTRIBUTE-SET
        CONTAINS {
            localityName,
            stateOrProvinceName,
            streetAddress}
    ::= {attributeSet 2}

    organizationalAttributeSet ATTRIBUTE-SET
        CONTAINS {
            description,
            localeAttributeSet,
            postalAttributeSet,
            telecommunicationAttributeSet,
            businessCategory,
            seeAlso,
            searchGuide,
            userPassword}
    ::= {attributeSet 3}

    top Top ::= {objectClass 0}

    alias Alias ::= {objectClass 1}

    country OBJECT-CLASS
        SUBCLASS OF top
        MUST CONTAIN {
            countryName}
        MAY CONTAIN {
            description,
            searchGuide}
    ::= {objectClass 2}

    locality OBJECT-CLASS
        SUBCLASS OF top
        MAY CONTAIN {
            description,
            localityName,
            stateOrProvinceName,
            searchGuide,
            seeAlso,
            streetAddress}
    ::= {objectClass 3}

    organization OBJECT-CLASS
        SUBCLASS OF top
        MUST CONTAIN {
            organizationName}
        MAY CONTAIN {
            organizationalAttributeSet}
    ::= {objectClass 4}

    organizationalUnit OBJECT-CLASS
        SUBCLASS OF top
        MUST CONTAIN {
            organizationalUnitName}
        MAY CONTAIN {
            organizationalAttributeSet}
    ::= {objectClass 5}

    person OBJECT-CLASS
        SUBCLASS OF top
        MUST CONTAIN {
            commonName,
            surname}
        MAY CONTAIN {
            description,
            seeAlso,
            telephoneNumber,
            userPassword}
    ::= {objectClass 6}

    organizationalPerson OBJECT-CLASS
        SUBCLASS OF person
        MAY CONTAIN {
            localeAttributeSet,
            organizationalUnitName,
            postalAttributeSet,
            telecommunicationAttributeSet,
            title}
    ::= {objectClass 7}

    organizationalRole OBJECT-CLASS
        SUBCLASS OF top
        MUST CONTAIN {
            commonName}
        MAY CONTAIN {
            description,
            localeAttributeSet,
            organizationalUnitName,
            postalAttributeSet,
            preferredDeliveryMethod,
            roleOccupant,
            seeAlso,
            telecommunicationAttributeSet}
    ::= {objectClass 8}

    groupOfNames OBJECT-CLASS
        SUBCLASS OF top
        MUST CONTAIN {
            commonName,
            member}
        MAY CONTAIN {
            description,
            organizationName,
            organizationalUnitName,
            owner,
            seeAlso,
            businessCategory}
    ::= {objectClass 9}

    residentialPerson OBJECT-CLASS
        SUBCLASS OF person
        MUST CONTAIN {
            localityName}
        MAY CONTAIN {
            localeAttributeSet,
            postalAttributeSet,
            preferredDeliveryMethod,
            telecommunicationAttributeSet,
            businessCategory}
    ::= {objectClass 10}

    applicationProcess OBJECT-CLASS
        SUBCLASS OF top
        MUST CONTAIN {
            commonName}
        MAY CONTAIN {
            description,
            localityName,
            organizationalUnitName,
            seeAlso}
    ::= {objectClass 11}

    applicationEntity OBJECT-CLASS
        SUBCLASS OF top
        MUST CONTAIN {
            commonName,
            presentationAddress}
        MAY CONTAIN {
            description,
            localityName,
            organizationName,
            organizationalUnitName,
            seeAlso,
            supportedApplicationContext}
    ::= {objectClass 12}

    dSA OBJECT-CLASS
        SUBCLASS OF applicationEntity
        MAY CONTAIN {
            knowledgeInformation}
    ::= {objectClass 13}

    device OBJECT-CLASS
        SUBCLASS OF top
        MUST CONTAIN {
            commonName}
        MAY CONTAIN {
            description,
            localityName,
            organizationName,
            organizationalUnitName,
            owner,
            seeAlso,
            serialNumber}
    ::= {objectClass 14}

    strongAuthenticationUser OBJECT-CLASS
        SUBCLASS OF top
        MUST CONTAIN {
            userCertificate}
    ::= {objectClass 15}

    certificationAuthority OBJECT-CLASS
        SUBCLASS OF top
        MUST CONTAIN {
            cACertificate,
            certificateRevocationList,
            authorityRevocationList}
        MAY CONTAIN {
            crossCertificatePair}
    ::= {objectClass 16}

    END

ANNEX B
(to Recommendation X.521)

Suggested Name Forms and DIT Structures

This Annex is not part of this Recommendation.

This Annex suggests some common naming practices and DIT structures that may or may not be used by an Administrative authority. Naming practices and DIT structure definitions for an object class include specification of the attributes used for naming and which object classes its superior entry or its subordinate entry in the DIT can have. All entries of a given object class must include at least the attributes used for naming. Users of the Directory should be informed of the suggested name forms to be able to predict names of objects with which they communicate.
The following paragraphs suggest naming and structure rules for some object classes. The structure rules are depicted in Figure B-1/X.521.

FIGURE B-1/X.521 (drawing 0704680-88; figure not reproduced in this text)

B.1 Country

Attribute countryName is used for naming. The Root is the immediate superior to entries of object class country.

B.2 Organization

Attribute organizationName is used for naming. The Root, country or locality can be immediate superior to entries of object class organization.

Note - When the organization is directly under the root, this denotes an international organization. The values of the organizationName attribute for international organizations must all be distinct.

B.3 Locality

Attribute localityName or stateOrProvinceName is used for naming. The Root, country, locality, organization or organizationalUnit can be immediate superior to entries of object class locality.

B.4 Organizational Unit

Attribute organizationalUnitName is used for naming. organization, organizationalUnit or locality can be immediate superior to entries of object class organizationalUnit.

B.5 Organizational Person

Attribute commonName and optionally organizationalUnitName is used for naming. organization or organizationalUnit can be immediate superior to entries of object class organizationalPerson.

Note - There are two ways that an organizationalUnitName attribute may be acquired in names: by having an organizationalUnit object as superior or by having such an attribute directly.

B.6 Organizational Rôle

Attribute commonName is used for naming. organization or organizationalUnit can be immediate superior to entries of object class organizationalRole.

Note - There are two ways that an organizationalUnitName attribute may be acquired in names: by having an organizationalUnit object as superior or by having such an attribute directly.

B.7 Group of Names

Attribute commonName is used for naming.
locality, organization or organizationalUnit can be immediate superior to entries of object class groupOfNames.

Note - There are two ways that an organizationalUnitName attribute may be acquired in names: by having an organizationalUnit object as superior or by having such an attribute directly.

B.8 Residential Person

Attribute commonName and optionally streetAddress is used for naming. locality is the immediate superior to entries of object class residentialPerson.

B.9 Application Entity

Attribute commonName is used for naming. The commonName should contain an application-entity qualifier (see Recommendation X.200). applicationProcess is the immediate superior to entries of object class applicationEntity.

B.10 Device

Attribute commonName is used for naming. organization or organizationalUnit can be immediate superior to entries of object class device.

Note - There are two ways that an organizationalUnitName attribute may be acquired in names: by having an organizationalUnit object as superior or by having such an attribute directly.

B.11 Application Process

Attribute commonName is used for naming. organization or organizationalUnit can be immediate superior to entries of object class applicationProcess.

Note 1 - How commonName should be chosen for an Application Entity is documented in Recommendation X.200.

Note 2 - There are two ways that an organizationalUnitName attribute may be acquired in names: by having an organizationalUnit object as superior or by having such an attribute directly.
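As an added illustration, not part of the Recommendation, the following Python transcribes a subset of the section 5 attribute sets, the section 6 object classes and the Annex B name forms and superior rules into tables, and checks a candidate entry against them: attribute sets are expanded (including the nested sets of 5.4), MUST/MAY lists are inherited through SUBCLASS OF, and the entry's naming attribute and DIT superior are checked against Annex B. The "root" token for the DIT root, the table layout and the checker functions are assumptions of this example.

```python
# Added illustration, not part of Recommendation X.521: a schema checker whose
# tables transcribe a subset of the section 5/6 definitions and Annex B name
# forms; "root" (the DIT root), the table layout and the functions are assumed.

# Section 5 attribute sets; organizationalAttributeSet nests other sets (5.4).
ATTRIBUTE_SETS = {
    "telecommunicationAttributeSet": {
        "facsimileTelephoneNumber", "iSDNAddress", "telephoneNumber",
        "teletexTerminalIdentifier", "telexNumber", "x121Address",
        "preferredDeliveryMethod", "destinationIndicator", "registeredAddress"},
    "postalAttributeSet": {"physicalDeliveryOfficeName", "postalAddress",
                           "postalCode", "postOfficeBox", "streetAddress"},
    "localeAttributeSet": {"localityName", "stateOrProvinceName", "streetAddress"},
    "organizationalAttributeSet": {
        "description", "localeAttributeSet", "postalAttributeSet",
        "telecommunicationAttributeSet", "businessCategory", "seeAlso",
        "searchGuide", "userPassword"},
}

# Section 6 object classes: (SUBCLASS OF, MUST CONTAIN, MAY CONTAIN).
OBJECT_CLASSES = {
    "top": (None, set(), set()),
    "country": ("top", {"countryName"}, {"description", "searchGuide"}),
    "locality": ("top", set(), {"description", "localityName", "stateOrProvinceName",
                                "searchGuide", "seeAlso", "streetAddress"}),
    "organization": ("top", {"organizationName"}, {"organizationalAttributeSet"}),
    "person": ("top", {"commonName", "surname"},
               {"description", "seeAlso", "telephoneNumber", "userPassword"}),
    "organizationalPerson": ("person", set(), {
        "localeAttributeSet", "organizationalUnitName", "postalAttributeSet",
        "telecommunicationAttributeSet", "title"}),
}

# Annex B: (attributes usable for naming, permitted immediate superior classes).
STRUCTURE_RULES = {
    "country": ({"countryName"}, {"root"}),
    "organization": ({"organizationName"}, {"root", "country", "locality"}),
    "locality": ({"localityName", "stateOrProvinceName"},
                 {"root", "country", "locality", "organization", "organizationalUnit"}),
    "organizationalPerson": ({"commonName"}, {"organization", "organizationalUnit"}),
}


def expand(names):
    """Replace attribute-set names by their member attributes, recursively."""
    out = set()
    for n in names:
        out |= expand(ATTRIBUTE_SETS[n]) if n in ATTRIBUTE_SETS else {n}
    return out


def must_may(object_class):
    """MUST/MAY attributes of a class, including those inherited via SUBCLASS OF."""
    must, may = set(), set()
    while object_class is not None:
        parent, m, o = OBJECT_CLASSES[object_class]
        must, may, object_class = must | expand(m), may | expand(o), parent
    return must, may


def check_entry(object_class, attrs, superior_class):
    """Violations for an entry of object_class whose DIT superior is superior_class."""
    must, may = must_may(object_class)
    present = set(attrs)
    errors = [f"missing mandatory attribute {a}" for a in sorted(must - present)]
    errors += [f"attribute {a} not permitted by {object_class}"
               for a in sorted(present - must - may)]
    naming, superiors = STRUCTURE_RULES[object_class]
    if not naming & present:
        errors.append("no naming attribute present")
    if superior_class not in superiors:
        errors.append(f"{superior_class} cannot be superior of {object_class}")
    return errors
```

An empty list from check_entry means the entry satisfies the transcribed content rules and Annex B structure rules; the locality case shows the "at least one of localityName or stateOrProvinceName" requirement of 6.4 falling out of the naming rule.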