Glossary
A
- abbreviation
-
A symbolic identifier that represents an OID or a component of a structured attribute. An OID abbreviation can be used for matching rules, object classes, supported application contexts, administrative roles, access control schemes, encoded information types and attribute types. DirX Directory ships a set of abbreviation-to-element mappings in the dirxabbr file, which is delivered with the DirX Directory product.
- access control
-
A security mechanism that regulates access to information on the basis of identity.
- access point
-
A DSA name and address that can be used to establish a communication association.
- administrative area
-
A subtree of the DIT viewed from the perspective of administration.
- administrative entry
-
An entry located at an administrative point. Administrative entries are the only kind of entry that can have subentries as immediate subordinate entries, and are distinguished by having an administrative-role attribute that regulates their relationship to, for example, access control and collective attributes.
- administrative point
-
The root vertex of an administrative area.
- alias
-
An alternative name for an object.
- anonymous bind
-
A bind operation that does not use authentication (no credentials are passed in the bind).
- asynchronous shadowing
-
A type of DirX Directory replication protocol in which a DAP or LDAP client’s update operation returns immediately after the master DSA commits the operation. Asynchronous shadowing allows a high rate of update operations between supplier and consumer DSAs, even over long distances, but can lead to loss of recent update operations at the consumer DSAs if the master DSA fails. See also synchronous shadowing.
- attribute
-
Information of a particular type to be associated with an object, and typically accessible within a directory entry. An attribute consists of an attribute type and one or more attribute values.
- attribute type
-
The attribute component that identifies the class of information given by the attribute.
- attribute syntax
-
The information on how an attribute’s value is to be represented. The dirxabbr file contains the mappings between the attributes defined for the DirX Directory product and their default attribute syntaxes.
- attribute value
-
An instance of the class of information indicated by the attribute type.
- authentication
-
A security mechanism that verifies the identity of a user or directory service component.
- autonomous administrative area
-
A subtree of the DIT whose entries are all administered by the same administrative authority.
- auxiliary object class
-
An object class that describes entries or classes of entries and is not used for the structural specification of the DIT. An auxiliary object class is typically associated with objects of a variety of classes.
B
- bind
-
The operation that initiates an association between a DUA and a DSA, or between two DSAs. A bind optionally authenticates a user to the directory service. Within the association, one or more operations can be performed. An association is terminated by an unbind operation or an abort.
C
- certificate
-
An attribute value that is used by the directory as a highly reliable means of publishing the public key of some party (e.g. a user or other object). It contains the name of the certification authority issuing the certificate, the name and public key of the party, together with expiration time and other information. The certificate is made tamper-proof by being signed using the private key of the issuing certification authority.
- certification path
-
An ordered sequence of certificates of objects in the DIT that, together with the public key of the initial object in the path, can be processed to verify the ownership of the public key of the final object in the path, based on a chain of trust. For example, if the verifying party P trusts a certification authority A, which trusts a certification authority B, which trusts a certification authority C, which issued a certificate to the party Q, this certificate may be considered reliable in authenticating information signed by Q.
- chaining
-
A type of DSA-to-DSA communication in which a DSA forwards an operation to another DSA for execution, then returns the result to the original requester.
- collective attribute
-
An attribute whose values can be associated with a defined set of entries. A collective attribute is accessed as if it were a normal attribute of the entries.
- collective-exclusions operational attribute
-
An operational attribute that specifies one or more collective attributes to be excluded from an entry.
- context prefix
-
The sequence of Relative Distinguished Names (RDNs) that lead from the root of the DIT to the starting point of a naming context. A context prefix corresponds to the distinguished name of the starting point of a naming context.
- continuation reference
-
A data object that describes how the performance of all or part of an operation can be continued at a different DSA or DSAs. Continuation references can be returned embedded in partial results by a DSA that can only partially process an operation, to indicate the DSA or DSAs that can help to complete the operation. See also referral.
- credentials
-
Information used to establish the identity of a user or resource. Credentials usually consist of a username and password; more reliable credentials (“strong credentials”) involve passing a certificate or a name with an associated public key.
- cross-reference
-
A knowledge reference that contains information about a DSA that holds a naming context frequently used by the DSA that holds the cross-reference.
D
- database profile
-
A structure that links physical "raw" devices to the DirX Directory DBAM data storage model. A profile contains configuration information and is not part of the database data. Profiles are stored in the registry on Windows and in a file on Linux.
- DBAM
-
See Directory Basic Access Method.
- DBAM database
-
The DirX Directory database component. The DBAM database stores the Directory Information Base (DIB).
- DIB
-
See Directory Information Base.
- digital signature
-
A mechanism that ensures the integrity of a piece of electronic information and the authenticity of its originator.
- directory
-
A repository of information about objects that also provides its users with services for accessing the stored information.
- Directory Access Protocol (DAP)
-
The protocol that a Directory User Agent uses to communicate with the Directory System Agents that provide the directory service.
- Directory Basic Access Method (DBAM)
-
The database kernel of DirX Directory, tailored to the handling of directory data and directory application environments.
- Directory Information Base (DIB)
-
The collection of information held by the directory as a whole (typically in many DSAs).
- Directory Information Model
-
The X.500 standards specification that describes directory service entries, their contents, and the way in which the entries are named. It also describes the schema and other aspects of the information to which the directory provides access.
- Directory Information Shadowing Protocol (DISP)
-
The protocol that passes entry information from a shadow supplier DSA to a shadow consumer DSA.
- Directory Information Tree (DIT)
-
The Directory Information Base viewed as a hierarchical tree structure.
- Directory Management Domain (DMD)
-
The collection of DSAs and DUAs owned by a specific organization (see Domain Management Organization).
- directory operational attribute
-
An operational attribute that stores directory service-specific information within an entry, for example, access control information or the time the entry was last modified.
- Directory Operational Binding Management Protocol (DOP)
-
The protocol that serves the pair-wise automatic coordination of DSAs, for example to maintain a hierarchical operational binding or to coordinate shadowing agreements.
- directory schema
-
The set of rules and constraints governing object classes, attribute types, attribute syntaxes, and matching rules that characterize the Directory Information Base.
- directory service
-
The service that provides access to the Directory Information Base.
- Directory Service Markup Language (DSML)
-
A method for expressing directory information, directory queries and updates and the results of these operations as XML documents. The DSML standard is defined by the Organization for the Advancement of Structured Information Standards (OASIS).
- Directory System Agent (DSA)
-
The component that provides the directory service. The collection of entries that comprise the Directory Information Base is distributed between the DSAs in the directory.
- Directory System Protocol (DSP)
-
The protocol that a Directory System Agent uses to communicate with other Directory System Agents that provide the directory service.
- Directory User Agent (DUA)
-
The component that represents users in accessing the directory; it communicates user requests to the DSAs providing the directory service and passes their responses back to the user.
- dirxadm
-
The DirX Directory command-line program that system administrators can use to manage DSAs.
- dirxcp
-
The DirX Directory command-line Directory User Agent (DUA) that users and system administrators can use to communicate with a DSA.
- DirX Directory (DirX)
-
A standards-compliant, high-performance, highly available, reliable and securable identity management platform with high linear scalability for workgroup, enterprise and e-business applications. DirX Directory implements the LDAPv3 and X.500 directory standards.
- DirX Directory Manager
-
The DirX Directory graphical user interface (GUI) that system administrators can use to configure and manage DirX DSAs over LDAP on Windows and Linux systems.
- Distinguished Name (DN)
-
The sequence of Relative Distinguished Names (RDNs) leading from the root of the DIT to a specific object. In DirX Directory, the string representation uses forward slashes (/) to separate the RDNs, for example /C=DE/O=PQR. See also Relative Distinguished Name.
- DIT
-
See Directory Information Tree.
- DMD
-
See Directory Management Domain.
- DMO
-
See Domain Management Organization.
- DNS
-
See Domain Name System.
- Domain Management Organization (DMO)
-
The organization that owns and manages a collection of DSAs and DUAs.
- Domain Name System (DNS)
-
A service that translates names into Internet Protocol (IP) addresses.
- DSA
-
See Directory System Agent.
- DSA-specific entry (DSE)
-
An entry in the DIT viewed from the perspective of a single DSA.
- DSA-specific operational attribute
-
An operational attribute used to store information needed by DSAs to operate a distributed directory. Values of a particular DSA-specific operational attribute are different on each DSA. Superior knowledge information is of this kind. See also operational attribute.
- DOP
-
See Directory Operational Binding Management Protocol.
- DSE
-
See DSA-specific entry.
- DSP
-
See Directory System Protocol.
- DUA
-
See Directory User Agent.
E
- entry
-
A part of the Directory Information Base that contains information about an object.
F
- first-level DSA
-
A DSA that holds a naming context immediately beneath the root of the DIT.
- first-level reference
-
The context prefix and access point of a DSA that holds a naming context immediately beneath the root of the DIT.
- floating master
-
A software technique for providing high availability for all directory service operations, in which all directory information on a master DSA is replicated to a specific shadow DSA that can operate as the master should the master fail or be taken out of service for maintenance. A floating master configuration permits the directory service to be "always available" and ensures that there is a master for directory update operations during maintenance periods. See also master and shadow.
H
- Hierarchical Operational Binding (HOB)
-
A relationship between two DSAs that hold (as masters) naming contexts, one immediately subordinate to the other. The superior DSA holds a subordinate reference to the subordinate DSA. Both the information held in the subordinate reference and the policy information (e.g. access control) that is held by the superior DSA but relevant to the subordinate DSA are maintained within the scope of the HOB.
I
- incremental update
-
The DISP operation that provides the shadow consumer DSA with updated copies of those entries that have changed in the unit of replication since the last update (and not the entire set of entries). Incremental updates can be configured to occur immediately on a change or at a predefined time. Also called incremental refresh. Contrast with total update.
- invoke
-
A ROSE (Remote Operations Service Element) service element that contains a user request.
K
- knowledge reference
-
Pieces of information that one DSA has about another DSA and the directory information it holds.
L
- LDAP Data Interchange Format (LDIF)
-
A type of tagged data file format specified in "The LDAP Data Interchange Format (LDIF) - Technical Specification". LDIF format consists of an LDIF content format and an LDIF change format. LDIF content format contains a list of directory entries and their attributes. LDIF change format contains a list of directory modifications.
- LDIF agreement
-
A type of Shadow Operational Binding (SOB) that is analogous to a shadowing agreement. In an LDIF agreement, the DSA is the LDIF file supplier and a directory synchronization tool is the LDIF file consumer.
- Lightweight Directory Access Protocol (LDAP)
-
A simplified version of the Directory Access Protocol (DAP) that provides X.500 access to platforms supporting TCP/IP. LDAP is the proposed industry-standard protocol for providing directory services on the Internet. It makes direct use of TCP/IP services (that is, without using an OSI upper-layer stack).
M
- master
-
A DSA that holds the original copy of a directory entry. A DSA is master for all entries in a naming context. The term master is also used for the original copy of a directory entry.
- matching rule
-
A directory schema element that corresponds to a predefined rule or algorithm for comparing attribute information. A matching rule allows entries to be selected by making a matching rule assertion concerning their attribute values.
- matching rule assertion
-
A proposition, which may be true, false, or undefined, that concerns the presence in an entry of attribute values that meet the criteria defined by the matching rule and user-supplied attribute information. For example, an entry containing a surname “Kitto” may be found by specifying an entry with a surname that sounds like “cat”. The object identifier for the algorithm specifying “sounds-like” is the matching rule; “sounds like ‘cat’” is the matching rule assertion.
N
- naming attribute
-
An attribute type used by an entry in the attribute value assertion (or assertions) that form its relative distinguished name (RDN).
- naming context
-
A partial subtree of the DIT that is entirely self-contained within a single DSA and mastered by it (i.e. all entries in the naming context are master entries). A naming context begins at a starting point in the DIT and extends downward to leaf entries or references to subordinate naming contexts.
- NAT
-
See Network Address Translation.
- Network Address Translation
-
A technology used to maintain private IP addresses (in a LAN) separately from public IP addresses, for example to increase security or to share Internet connections.
- non-specific hierarchical operational binding (NHOB)
-
A relationship between two master DSAs holding naming contexts, one of which is immediately subordinate to the other, in which the superior DSA holds a non-specific subordinate reference to the subordinate DSA.
O
- object class
-
An identified family of objects which share certain characteristics; alternatively a special attribute of an entry whose values are object class identifiers that define or describe the object that the entry represents. For example, an organizational-person is a human being in the context of an organization, while a directory entry representing an organizational-person has an object class attribute which contains three values: top, person, organizational-person. Each such value defines mandatory or optional attributes. Every directory entry possesses an object class attribute.
- object identifier (OID)
-
A unique sequence of integers separated by periods (.). Object identifiers permit the global registration of objects and are assigned to attribute types, object classes, and matching rules (schema elements), etc. Object identifiers form a tree; registration authorities own particular sequences of integers, and can register their own objects by extending their sequence.
- operational attribute
-
An attribute that represents information used to control the operation of the directory (e.g. access control information), or used by the directory to represent some aspects of its operation (e.g. knowledge references). See directory operational attribute, DSA-shared operational attribute and DSA-specific operational attribute for the specific kinds of operational attributes.
P
- policy
-
An expression by an administrative authority of general goals and acceptable procedures.
- policy attribute
-
A generic term for an operational attribute that expresses policy (for example, an attribute that defines the type of access control which is to apply in an area of the DIT).
- policy object
-
An entity with which a policy is associated (for example, an entry to which an access control policy can be directed).
- private key
-
The key of a key pair for public key cryptography known only by the owning user. The other part of a key pair is the public key. The private key is often called the secret key.
- public key
-
The publicly-known key of a key pair. Contrast with private key.
R
- referral
-
A method of DSA communication in which a DSA that cannot completely perform an operation returns a continuation reference which specifies how far it has been able to proceed with the operation, together with the name and communications address of one or more DSAs that may be able to complete the operation. See also continuation reference.
- Relative Distinguished Name (RDN)
-
The portion of a distinguished name that uniquely names an entry relative to its immediately superior entry. Each RDN consists of one or more attribute value assertions which specify an attribute type and an attribute value for the entry. The RDN is selected to achieve uniqueness. In DirX Directory, the string representation for attribute value assertions is of the form type=value and a comma (,) is used to separate attribute value assertions, for example CN=Lynch,O=SNI.
- root
-
The topmost node of the Directory Information Tree. The root of the DIT has no name (its DN is an empty sequence); it also has no corresponding entry, since each entry in the DIT must belong to some owning organization, and no such organization can own the root. In DirX Directory the string representation for the root is the slash character (/).
- root context
-
The collection of context prefixes and access points of DSAs that hold naming contexts immediately beneath the root of the DIT; in other words, the complete collection of first-level references.
- root DSE
-
A DSE that contains DSA-specific attributes that relate to the DSA as a whole, for example, the my-access-point attribute, which holds the name and address of the DSA itself.
S
- schema publication
-
The provision made within the directory standards whereby operational attributes are defined to describe the schema (attributes, object classes, etc.) applicable to the DIT. The schema publication attributes are held in the schema subentry; reading these attributes informs a DSA, DUA, LDAP client and server about the schema.
- Secure Sockets Layer/Transport Layer Security (SSL/TLS)
-
A protocol for enabling secure communications between clients and servers communicating over TCP/IP and other network protocols. The DirX Directory LDAP server supports SSL/TLS to ensure secure LDAP communication.
- shadow
-
A copy of one or more directory entries, created by the use of the Directory Information Shadowing Protocol (DISP). Contrast with master.
- shadow consumer
-
A DSA that receives shadowed information by means of the Directory Information Shadowing Protocol (DISP). Contrast with shadow supplier.
- shadowing
-
The process of maintaining a copy of a set of DIT entries by means of the Directory Information Shadowing Protocol (DISP).
- shadowing agreement
-
An agreement made between administrators of the two DSAs in a shadow operational binding that specifies the information to be shadowed, when it is to be shadowed, and the roles (supplier or consumer) to be played by each DSA. A shadowing agreement is represented by information within each DSA, and is maintained by a shadow operational binding.
- shadow operational binding (SOB)
-
A relationship between two DSAs in which one DSA acts as a supplier of replicated information and the other DSA acts as the consumer of the replicated information. A shadow operational binding maintains the shadowing agreement between the two DSAs.
- shadow supplier
-
A DSA that supplies shadowed information by means of the Directory Information Shadowing Protocol (DISP). Contrast with shadow consumer.
- shadow-supplier reference
-
A knowledge reference held by a shadow consumer DSA that contains information about the shadow supplier DSA.
- Simple Network Management Protocol
-
A set of standards that defines the communication between agents and their management stations to monitor and control devices in an IP network.
- simple protected authentication
-
An authentication method for binding to a DSA in which a name and a protected (one-way hashed) password must be supplied when invoking the bind operation.
- SNMP
-
See Simple Network Management Protocol.
- SNMPv2-trap
-
An unsolicited, unconfirmed message from an agent in a network to a manager, notifying it of a specific event.
- strong authentication
-
An authentication method for binding to a DSA that uses digital signatures employing public key cryptography.
- subentry
-
A special entry used to hold policy information. There are several kinds of subentries, for example: access control subentries and collective attribute subentries; a subentry can be of more than one kind. Subentries can only be subordinate to administrative entries.
- subordinate DSA
-
In a hierarchical operational binding, the DSA that holds the subordinate naming context. Contrast with superior DSA.
- subordinate reference
-
A knowledge reference that contains information about a DSA that holds a subordinate naming context. Subordinate references represent the transition from one DSA’s naming context to another. Contrast with superior reference.
- subtree
-
A collection of entries that represent a subset of the DIT.
- superior DSA
-
In a hierarchical operational binding, the DSA that holds the superior naming context. Contrast with subordinate DSA.
- superior reference
-
A knowledge reference that contains information about a DSA that holds a superior naming context. A superior reference is used by a DSA as a reference for operations for which no more specific DSA can be identified. First-level DSAs must hold the root context, and so have no need of a superior reference. A superior reference normally specifies a DSA that has at least one entry closer to the root than any entry held in the present DSA. Contrast with subordinate reference.
- synchronous shadowing
-
A type of DirX Directory replication protocol in which a DAP or LDAP client’s update operation does not return until the master DSA and all synchronous consumer DSAs have committed the operation. Synchronous shadowing provides high data integrity between master and shadow DSAs even in the event of a master failure, because every update operation that has been acknowledged to the DAP/LDAP client is already safely stored at the synchronous consumer DSAs. See also asynchronous shadowing.
- system schema
-
The set of rules that regulate the use of operational attributes, administrative entries and subentries.
T
- top
-
The special object class of which every other class is a subclass.
- total update
-
The DISP operation that replicates all the entries in the unit of replication on the shadow consumer DSA. Also called a total refresh. Contrast with incremental update.
U
- unit of replication
-
The specification of the information to be shadowed or written to an LDIF file, including policy information in administrative entries and subentries, the replicated area containing the entries to be shadowed, and (optionally) subordinate knowledge information.
- user attribute
-
An attribute that represents user information.
X
- X.500 Directory Standards
-
A set of standards that describe how a global directory service can be built.