Figure 12.1: Structure of an entry.
This section describes the basic model of how information in the Directory is organized. The model defines terms for the units of information in the Directory; it also defines the relationships among the units. There are essentially three kinds of information held by the Directory: user information, operational information, and server information.
Server information is outside the scope of this introduction. The basic units of user information and operational information are illustrated in Figure 12.1. The Directory database consists of a collection of entries, each of which consists of one or more attributes. Each attribute, in turn, consists of a type and one or more values. Thus, an entry containing information about Michael Ransom might contain attributes of type common name, surname, phone number, fax number, e-mail address, and public key certificate. Each entry must contain an attribute of type object class that defines the kind of real-world object the entry represents; the example entry for Michael Ransom might have the object class organizational person. Object classes are used to define the types of attributes that can appear in each entry; they can also be used in selecting entries during a Directory query operation. Typical object classes include people, computers, and software applications.
Each entry must also contain at least one attribute that is used in forming a name (i.e., access key) for the entry. The attribute value that is designated to participate in the name is called a distinguished attribute value. For the entry representing Michael Ransom, the name of the entry could be built using a value of the surname attribute or perhaps a value of the common name attribute. The attribute(s) to be used in naming entries of each object class are defined by an administrative authority and enforced by the Directory.
Naming an entry in the Directory, however, involves more than just distinguishing attribute values in each entry. To facilitate the scalability of the database, entries are arranged into a tree structure such that each subtree can be assigned to different administrative authorities as needed when the database is world-wide. The tree structure is defined by the full name of each entry in the database. This means that each entry, in effect, inherits part of its name from the entries that are on the same branch and closer to the root of the tree. The administrators of a subtree are responsible for resolving naming conflicts within that subtree.
The structure of the tree is flexible, but the branching points closest to the root are usually thought of as demarcating a subtree for each country; under each country there are expected to be subtree branch points for organizations, organizational units, and localities. Entries representing people will most likely occur within the subtree for an organization, organizational unit, or locality. The tree is usually drawn upside-down, with the root at the top of the drawing and leaf nodes at the bottom boundary. Figure 12.2 illustrates an example of the tree structure. In the example, the boxes represent entries in the tree. The middle box immediately below the root represents the entry for the United States; this entry is named using the attribute type COUNTRY with distinguished value US. Since this entry is immediately below the root, its full name is COUNTRY = US (abbreviated C=US).
The middle box immediately below the C=US entry represents the Department of Commerce (DoC) and is named using the attribute type ORGANIZATION with distinguished value DoC (abbreviated O = DoC). The full name of the DoC entry is made up of a combination of its distinguished attribute value and the names of all the entries above it on the same branch. The full name of the DoC entry is written { C = US, O = DoC }.
Similarly, below that entry is an entry representing NIST as an organizational unit of the DoC. It is named using the Organizational Unit attribute type with a distinguished value of NIST. The full name of the NIST entry is written { C = US, O = DoC, OU = NIST }.
Finally, below the NIST entry is the entry representing the person whose name is Michael Ransom. It is named using the Surname attribute type with a distinguished value of Ransom. The full name of this entry is written { C = US, O = DoC, OU = NIST, S = Ransom }.
The term Directory Information Tree is used to refer to the tree structure view of the Directory database.
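The entry, attribute, distinguished-value and tree-naming rules described above can be modelled in a few dozen lines. The following is an added illustration, not code from the original document or from any Directory implementation: it builds the example Directory Information Tree of Figure 12.2 (C=US, O=DoC, OU=NIST, S=Ransom), derives each entry's full name from its position in the tree, and applies the two checks the text says the Directory enforces, namely that every entry carries an object class and a distinguished value drawn from its naming attribute, and that the administrator of a subtree keeps names unique within it. The `NAMING_ATTRIBUTE` table, the attribute type names and the sample phone number are assumptions constructed for the example.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# Assumed naming policy: which attribute type names entries of each object
# class. In a real Directory this is set by an administrative authority.
NAMING_ATTRIBUTE = {
    "country": "C",
    "organization": "O",
    "organizationalUnit": "OU",
    "organizationalPerson": "S",   # surname, as in the Michael Ransom example
}


@dataclass
class Entry:
    """One Directory entry: attributes (type -> one or more values) plus
    the value chosen to take part in its name."""
    attributes: dict[str, list[str]]
    distinguished_value: str
    parent: Optional[Entry] = None
    children: dict[str, Entry] = field(default_factory=dict)

    def rdn(self) -> str:
        """The entry's own name component, e.g. 'OU = NIST'."""
        naming_type = NAMING_ATTRIBUTE[self.attributes["objectClass"][0]]
        return f"{naming_type} = {self.distinguished_value}"

    def dn_components(self) -> list[str]:
        """Name components from the root downward; the root itself is unnamed."""
        parts, node = [], self
        while node.parent is not None:
            parts.append(node.rdn())
            node = node.parent
        return list(reversed(parts))

    def dn(self) -> str:
        """Full name in the document's notation: { C = US, O = DoC, ... }."""
        return "{ " + ", ".join(self.dn_components()) + " }"


def validate_entry(attributes: dict[str, list[str]], distinguished_value: str) -> list[str]:
    """Checks the Directory enforces before accepting an entry; empty list means OK."""
    errors = []
    classes = attributes.get("objectClass", [])
    if not classes:
        return ["entry has no objectClass attribute"]
    naming_type = NAMING_ATTRIBUTE.get(classes[0])
    if naming_type is None:
        errors.append(f"no naming attribute defined for object class {classes[0]!r}")
    elif distinguished_value not in attributes.get(naming_type, []):
        # The distinguished value must actually be a value of the naming attribute.
        errors.append(f"distinguished value {distinguished_value!r} is not a value "
                      f"of attribute {naming_type}")
    return errors


def add_child(parent: Entry, attributes: dict[str, list[str]], distinguished_value: str) -> Entry:
    """Attach a validated entry below `parent`, refusing duplicate names in the subtree."""
    errors = validate_entry(attributes, distinguished_value)
    if errors:
        raise ValueError("; ".join(errors))
    child = Entry(attributes, distinguished_value, parent)
    if child.rdn() in parent.children:
        raise ValueError(f"naming conflict under {parent.dn()}: {child.rdn()} already exists")
    parent.children[child.rdn()] = child
    return child


def find_by_dn(root: Entry, components: list[str]) -> Optional[Entry]:
    """Resolve a full name by walking the tree one component at a time."""
    node = root
    for rdn in components:
        node = node.children.get(rdn)
        if node is None:
            return None
    return node


def build_example_dit() -> Entry:
    """The tree of Figure 12.2; returns the (unnamed) root entry."""
    root = Entry(attributes={}, distinguished_value="")
    us = add_child(root, {"objectClass": ["country"], "C": ["US"]}, "US")
    doc = add_child(us, {"objectClass": ["organization"], "O": ["DoC"]}, "DoC")
    nist = add_child(doc, {"objectClass": ["organizationalUnit"], "OU": ["NIST"]}, "NIST")
    add_child(nist, {"objectClass": ["organizationalPerson"],
                     "commonName": ["Michael Ransom"],
                     "S": ["Ransom"],
                     "telephoneNumber": ["+1 555 0100"]},   # constructed sample value
              "Ransom")
    return root


if __name__ == "__main__":
    root = build_example_dit()
    person = find_by_dn(root, ["C = US", "O = DoC", "OU = NIST", "S = Ransom"])
    print(person.dn())
```

Note that the full name is never stored on the entry; `dn()` recomputes it by walking toward the root, which is exactly how the entry "inherits" part of its name from the entries above it, and why a subtree can be handed to a different administrative authority without renaming anything below it.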
Figure 12.2: Example of the Directory Information Tree.