Paper number 1 from DISI (Executive Overview)
"Chris Weider" <clw> Fri, 26 July 1991 17:23 UTC
Received: by merit.edu (5.65/1123-1.0) id AA07396; Fri, 26 Jul 91 13:23:12 -0400
Received: by merit.edu (5.65/1123-1.0) id AA07392; Fri, 26 Jul 91 13:23:08 -0400
Date: Fri, 26 Jul 1991 13:23:08 -0400
From: Chris Weider <clw>
Message-Id: <9107261723.AA07392@merit.edu>
To: disi
Subject: Paper number 1 from DISI (Executive Overview)
Here it is, gang... Sorry it's so hideously close to Atlanta time.

Directory Information Services                        Chris Weider (pilot)
Infrastructure Working Group                          Merit Network
INTERNET--DRAFT                                       Joyce Reynolds
                                                      ISI
                                                      Sergio Heker
                                                      JvNC
                                                      July 1991

       An Executive Introduction to Directory Services Using the X.500 Protocol

Status of this Memo

This paper expounds on the pressing need for Directory Services and proposes a solution to the problem in the form of the X.500 protocols. This document is for informational purposes only and is not intended to mandate the use of a particular protocol, implementation, or philosophy. Distribution is unlimited.

INTERNET--DRAFT           Executive Introduction to X.500           July 1991

1: INTRODUCTION

As the pace of industry, science, and technological development quickened over the past century, it became increasingly probable that someone in a geographically distant location would be trying to solve the same problems you were trying to solve, or that someone in a geographically distant location would have some vital information which impinged on your research or business. The stupendous growth in the telecommunications industry, from telegraphs to telephones to computer networks, has alleviated the problem of being able to communicate with other people, PROVIDED THAT YOU KNOW HOW TO REACH THAT PERSON. Thus, along with the expansion of the telecommunications infrastructure came the development of Directory Services. In this paper, we will discuss various models of directory services, the limitations of current models, and some solutions provided by the X.500 standard to these limitations.

2: MODELS OF DIRECTORY SERVICES

2.1 The telephone company's directory services.

A model many people think of when they hear the words 'Directory Services' is the directory service provided by the local telephone company. A local telephone company keeps an on-line list of the names of people with phone service, along with their phone numbers and their addresses.
This information is available by calling Directory Assistance, giving the name and address of the party whose number you are seeking, and waiting for the operator to search the database. It is additionally available by looking in a phone book published yearly on paper. The phone companies are able to offer this invaluable service because they administer the pool of phone numbers.

However, this service has some limitations. For instance, you can find someone's number only if you know their name and the city or location in which they live. If two or more people have listings for the same name in the same locality, there is no additional information with which to select the correct number. In addition, the printed phone book can have information which is as much as a year out of date, and the phone company's internal directory can be as much as two weeks out of date. A third problem is that one actually has to call Directory Assistance in a given area code to get information for that area; one cannot call a single number consistently. For businesses which advertise in the Yellow Pages, there is some additional information stored for each business; unfortunately, that information is unavailable through Directory Assistance and must be gleaned from the phone book.

2.2 Some currently available directory services on the Internet.

As the Internet is comprised of a vast conglomeration of different people, computers, and computer networks, with none of the hierarchy imposed by the phone system on area codes and exchange prefixes, the directory service must be able to deal with the fact that the machines foo.com and v2.foo.com may be on opposite sides of the world, and that the .edu domain maps onto an enormous number of organizations. Let's look at a few of the services currently available on the Internet for directory-type services.
2.2.1 fingerd

The fingerd utility, which is available on many UNIX systems, allows one to 'finger' a specific person or username at a given UNIX host. This is invoked, for example, by typing 'finger clw@mazatzal.merit.edu'. This returns a set of information like this:

    Login name: clw                         In real life: Chris Weider
    Directory: /usr/clw                     Shell: /bin/csh
    On since Jul 25 09:43:42 on console     4 hours 52 minutes Idle Time
    Plan:
    Home: 971-5581

where the first three lines of information are taken from the UNIX operating system's information and the line(s) of information following the 'Plan:' line are taken from a file named .plan which each user modifies.

Limitations of the fingerd program include:

  a) it is only available on UNIX systems, which is an ENORMOUS limitation;
  b) fingerd is often disabled on UNIX systems for security purposes;
  c) if one wishes to be reached on more than one system, one must make sure all the .plan files are consistent; and
  d) there is no way to search the .plan files on a given system to (for example) look for everyone on mazatzal.merit.edu who works on X.500.

Thus, fingerd cannot be used as the basis of a worldwide directory.

2.2.2 whois

The whois utility, which is available on a wide variety of systems, works by querying a centralized database located at SRI International in Menlo Park, California. This database contains a large amount of information which primarily deals with the people and equipment used to build the Internet. For example, in many cases a network administrator will be in the WHOIS database, while the administrator's backup, boss, or subordinates will not be. SRI has been able to collect this information as part of its role as the Network Information Center for the TCP/IP portion of the Internet. Every organization wishing to run a TCP/IP network must apply to the NIC for their network numbers.
The whois utility is ubiquitous, and has a very simple interface. A typical whois query looks like:

    whois Reynolds

and returns information like:

    Reynolds, John F. (JFR22)    532JFR@DOM1.NWAC.SEA06.NAVY.MIL        (702) 426-2604 (DSN) 830-2604
    Reynolds, John J. (JJR40)    amsel-lg-pl-a@MONMOUTH-EMH3.ARMY.MIL   (908) 532-3817 (DSN) 992-3817
    Reynolds, John W. (JWR46)    EAAV-AP@SEOUL-EMH1.ARMY.MIL            (DSN) 723-3358
    Reynolds, Joseph T. (JTR10)  JREYNOLDS@PAXRV-NES.NAVY.MIL           011-63-47-885-3194 (DSN) 885-3194
    Reynolds, Joyce K. (JKR1)    JKREY@ISI.EDU                          (213) 822-1511
    Reynolds, Keith (KR35)       keithr@SCO.COM                         (408) 425-7222
    Reynolds, Kenneth (KR94)                                            (502) 454-2950
    Reynolds, Kevin A. (KR39)    REYNOLDS@DUGWAY-EMH1.ARMY.MIL          (801) 831-5441 (DSN) 789-5441
    Reynolds, Lee B. (LBR9)      reynolds@TECHNET.NM.ORG                (505) 345-6555

A further lookup on Joyce Reynolds with this command line:

    whois JKR1

returns:

    Reynolds, Joyce K. (JKR1)                          JKREY@ISI.EDU
       University of Southern California
       Information Sciences Institute
       4676 Admiralty Way
       Marina del Rey, CA 90292
       (213) 822-1511

       Record last updated on 07-Jan-91.

The whois database also contains information about the Domain Name System (DNS) and has some information about hosts, major regional networks, and large parts of the MILNET system. As the WHOIS service currently works, all the changes to this database are made by sending updates to the hostmaster at nic.ddn.mil. Then, they are processed by a person who reads the message and types it into the database. As the Internet has grown and grown, the overhead involved with this process threatens to hamper timely updates of the database. Also, only a fixed amount of information can be kept on any one machine, no matter how large.

3: THE X.500 MODEL OF DIRECTORY SERVICE

X.500 is an OSI protocol which is designed to build a distributed, global directory.
It offers the following features:

  * Decentralized Maintenance: Each site running X.500 is responsible ONLY for its local part of the Directory, so updates and maintenance can be done instantly.
  * Authoritative Local Information: Since each site is responsible only for local information, backups need only be kept locally.
  * Structured Directory Information: Since each site's information resides in a specified location in the global hierarchy, Directory searches are made much more efficient.

3.1 How it works.

The abstract X.500 server contains two pieces: a Directory User Agent (DUA) and a Directory Service Agent (DSA). The worldwide collection of DSAs forms a vast distributed directory; the fact that the DSAs are hierarchically ordered allows each DSA to contact all the others without maintaining huge location tables. The hierarchical arrangement of DSAs is called the Directory Information Tree or DIT. The DIT has a null root "@", and an array of branches: "o=Internet", which contains information about the Internet; "c=uk", which contains information about the U.K.; etc. Each of these branches has subbranches, and one can traverse the DIT to either a) locate the desired information directly, or b) narrow the breadth of searching. As an example, NSFNet's site contact information resides under "@o=Internet@ou=Site Contacts".

Access to the DIT is gained by using a Directory User Agent, or DUA. Each DUA is configured to talk to the closest DSA. If a DUA asks the local DSA for information which the local DSA does not contain, the DSA will either a) tell the DUA where the information is and how to contact the DSA which contains it (a process known as 'referral'), or b) pass on the request to the required DSA without informing the DUA (a process known as 'chaining'). In either case, the local DSA does not need to keep a large location table because it knows where its parent node's DSA is.
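The referral and chaining behaviour just described, as an added toy model in Python (this is not code from the draft or from any X.500 implementation; the DSAs, contexts, names and telephone numbers are all constructed):

```python
# Added example (not part of the draft): a toy model of the DIT traversal above.
# Each DSA holds the entries directly under one naming context, knows only its
# parent and child DSAs, and hands anything else off by referral or chaining.
def within(key, ctx):  # does lower-cased name `key` lie inside context `ctx`?
    return key == ctx or key.startswith(ctx.rstrip("@") + "@")

class DSA:
    """A Directory Service Agent responsible for one subtree of the DIT."""
    def __init__(self, context, entries, parent=None):
        # The draft writes @c=US and @c=us interchangeably: match case-insensitively.
        self.context = context.lower()
        self.entries = {k.lower(): v for k, v in entries.items()}
        self.parent = parent
        self.children = []
        if parent is not None:
            parent.children.append(self)

    def next_hop(self, name):
        """Neighbouring DSA closer to `name`, or None if this DSA must answer."""
        key = name.lower()
        if key in self.entries:
            return None
        for child in self.children:
            if within(key, child.context):
                return child
        if within(key, self.context):
            return None  # inside this subtree but held by nobody: absent
        return self.parent  # the parent knows the rest of the tree

def resolve(local_dsa, name, mode):
    """Simulate a DUA asking its local DSA for `name` by "referral" (the DUA
    is told whom to ask next and asks it itself) or "chaining" (each DSA
    forwards the request itself). Returns (attributes or None, hops), each
    hop being (requester, DSA context), which shows who contacted whom."""
    hops, requester, dsa = [], "DUA", local_dsa
    while True:
        hops.append((requester, dsa.context))
        nxt = dsa.next_hop(name)
        if nxt is None:
            return dsa.entries.get(name.lower()), hops
        requester = "DUA" if mode == "referral" else dsa.context
        dsa = nxt

# Constructed sample DIT: null root "@", then @c=US with two made-up organisations.
ROOT = DSA("@", {})
US = DSA("@c=US", {}, parent=ROOT)
FOO = DSA("@c=US@o=Foo Corp", parent=US,
          entries={"@c=US@o=Foo Corp@cn=Alice Example": {"telephone": "555-0100"}})
MEGA = DSA("@c=US@o=Mega Corp", parent=US,
           entries={"@c=US@o=Mega Corp@cn=Bob Example": {"telephone": "555-0199"}})
```

Resolving a Mega Corp entry from Foo Corp's DSA visits the same three DSAs in both modes; the hops list shows that under referral the DUA itself contacts each DSA in turn, while under chaining each DSA contacts the next on the DUA's behalf.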
As an example, if I start a DUA to talk to the Directory, my DUA will contact the local DSA, which contains the information for, say, @c=US@o=Foo Corp. This DSA will know where all the children of @o=Foo Corp are, and it will also know which DSA contains @c=US. If I ask the DUA to move to @c=us@o=Mega Corp., it will talk to the DSA which contains @c=US, which will tell it where @c=us@o=Mega Corp. is. Thus, the Directory traverses the tree until it finds a DSA which can give you the information you have requested.

3.2 The incredible functionality of X.500

X.500, while not the greatest thing since sliced bread (you can't make a sandwich with X.500), is an enormously flexible system. Some of the functionality includes:

  a) The ability to keep large amounts of data on people, organizations, and resources.
  b) The ability to search those large amounts of data in a flexible manner.
  c) The ability to rapidly retrieve individual entries once they have been located.
  d) The ability to provide a truly authoritative Directory, as each person and organization is responsible for their own entry.
  e) The ability to allow each organization to determine to which extent they would like to participate.
  f) The ability to allow external access to an organization's data in a very secure fashion.
  g) The potential to build a truly global, standards-based Directory.

Taking each of these points in turn:

  a) Each type of entry in the Directory contains a certain number of allowable "attributes". Attributes can be viewed as 'fields' in the person's record. For example, a person's entry contains their name, telephone and FAX numbers, their title, their postal and e-mail address, their favorite drink, and a large number of other attributes. Searches can be made on each attribute or any combination of attributes.

  b) Each subtree of the DIT is searchable, and allows wildcarding and soundex matching on many attributes.
  c) Retrieval of an individual's record is very rapid; the major time constraint is the speed of the network transmitting the request.

  d) As each person and organization can be made responsible for the update of their own information, and the updates do not go through a central updating authority, each person's data can be as timely as they like.

  e) The X.500 standard does not mandate the amount of information kept in each entry, so an organization can determine how much data they'd like to keep. In addition, the security features of X.500 enable, for example, those inside FOO Corp to read all of the attributes of their fellow employees, while allowing access only to the name and telephone number attributes to those outside FOO Corp.

  f) The X.500 standards define an 'access control list' method of security which allows setting read, write, compare, and detect access for individual attributes in an entry. The compare access sets permissions for searches against a given attribute, while detect access allows detection of the existence of a given attribute. This scheme allows almost infinitely flexible access control, and is simple to invoke. In addition, there are mechanisms for password control of read and write capabilities at an individual entry level.

  g) The potential to build a truly global, standards-based Directory is perhaps the most exciting advantage of X.500. Even at this moment one can use a single interface program to access Directory data from London to Melbourne. As more organizations (including yours!) bring up Directories, they are automatically tied into the world-wide mesh. Also, work is proceeding apace to incorporate new types of Directory information, from on-line resource information to directories of special interest news groups, which is making the Directory the foundation of a global 'yellow pages' service.

In addition to the global benefits of X.500, there are many local benefits.
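The attribute-level access control of points e) and f), as an added toy model in Python (not code from the draft or from any X.500 implementation; the two requester classes, the rights granted to each, and the entries are constructed for illustration):

```python
# Added example (not part of the draft): a toy of the per-attribute access
# control under point f): read, write, compare and detect rights per attribute.
# Constructed FOO Corp policy: employees ("insider") see every attribute; anyone
# else ("outsider") gets only name and telephone, may test a guess against mail
# with compare (but not read it), and cannot even detect the rest.
ACL = {
    "insider":  {"cn": {"read", "compare", "detect"},
                 "telephoneNumber": {"read", "compare", "detect"},
                 "mail": {"read", "compare", "detect"},
                 "favouriteDrink": {"read", "write", "compare", "detect"}},
    "outsider": {"cn": {"read", "compare", "detect"},
                 "telephoneNumber": {"read", "compare", "detect"},
                 "mail": {"compare"}},
}
def allowed(who, attr, right):
    return right in ACL.get(who, {}).get(attr, set())

def read_entry(who, entry):
    """Return only the attributes `who` holds read access to."""
    return {a: v for a, v in entry.items() if allowed(who, a, "read")}

def compare(who, entry, attr, value):
    """X.500 Compare: test a value without returning the stored one. Without
    compare access, admit the attribute exists only if `who` may detect it."""
    if attr in entry and allowed(who, attr, "compare"):
        return "compareTrue" if entry[attr] == value else "compareFalse"
    if attr in entry and allowed(who, attr, "detect"):
        return "insufficientAccessRights"
    return "noSuchAttribute"

def search(who, entries, attr, value):
    """Equality search over a subtree: the compare right governs filtering,
    so an outsider's search on favouriteDrink silently matches nothing."""
    return [name for name, e in entries.items()
            if compare(who, e, attr, value) == "compareTrue"]

def modify(who, entry, attr, value):
    """Replace a value if `who` has write access; otherwise answer as compare does."""
    if allowed(who, attr, "write"):
        entry[attr] = value
        return "success"
    return "insufficientAccessRights" if allowed(who, attr, "detect") else "noSuchAttribute"

PEOPLE = {  # constructed sample entries under @c=US@o=FOO Corp
    "Alice Example": {"cn": "Alice Example", "telephoneNumber": "555-0100",
                      "mail": "alice@foo.example", "favouriteDrink": "tea"},
    "Bob Example": {"cn": "Bob Example", "telephoneNumber": "555-0101",
                    "mail": "bob@foo.example", "favouriteDrink": "coffee"},
}
```

Because compare and detect are separate rights, an outsider can confirm a mail address they already know without being able to read it, and their search filtered on favouriteDrink returns no matches rather than an access error that would reveal the attribute exists.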
One can use their local DSA for company- or campus-wide directory services; for example, the University of Michigan is providing all of its campus directory services through X.500. DUAs are available for many platforms, including X Windows, Macintoshes, and IBM PC compatibles. Some organizations are also pioneering automated Directory services through X.500 for such things as e-mail address lookup and resolution, and for automated call forwarding. Also, several organizations are laying the framework for an e-mail based interface to the Directory, which will allow those without the resources to run DSAs to access the Directory.

3.3 Current limitations of the X.500 standard and implementations.

As flexible and forward-looking as X.500 is, it certainly was not designed to solve everyone's needs for all time to come. X.500 is not a database (although there is a NIST project to build an X.500 front end to a SQL database) and it is not a Data Base Management System (DBMS). X.500 defines no standards for output formats, and it certainly doesn't have a report generation capability. Searches across widely distributed sets of subtrees can take quite a while (for example, searching @c=US for 'surname=Smith'). Finally, X.500 was not designed to provide more specialized forms of information retrieval, as, say, Z39.50 is designed to, and X.500 does not currently have all the functionality required to build a robust Yellow Pages service. However, X.500 is very good at what it is designed to do, i.e., to provide primary directory services for a wide band of types of information.

4: FOR FURTHER INFORMATION AND SOFTWARE

4.1 For further information.

For further information, the authors recommend the Ruth Lang and Russ Wright DISI paper for a catalog of currently available implementations of X.500, and the third DISI paper for an overview of some advanced applications involving X.500.
More technical information about X.500 can be found in the standard, and papers available from the OSI-DS working group detail the current extensions and technical decisions for the Internet part of the Directory.

5: WHO WE ARE

5.1 Authors' addresses

Chris Weider, clw@merit.edu
1075 Beal Avenue
Ann Arbor, MI 48109

Joyce Reynolds, jkrey@isi.edu
University of Southern California
Information Sciences Institute
4676 Admiralty Way
Marina del Rey, CA 90292

Sergio Heker, heker@nisc.jvnc.net
Princeton University
6 von Neumann Hall
Princeton, NJ 08544