ISO/IEC 9594-3:2020

INTERNATIONAL ISO/IEC
STANDARD 9594-3
Ninth edition
2020-11
Information technology — Open
systems interconnection —
Part 3:
The Directory: Abstract service
definition
Reference number
©
ISO/IEC 2020
© ISO/IEC 2020
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting
on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address
below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii © ISO/IEC 2020 – All rights reserved

Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical activity.
ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the
different types of document should be noted (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. Details
of any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www.iso.org/patents) or the IEC list of patent
declarations received (see http://patents.iec.ch).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to the World
Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT),
see www.iso.org/iso/foreword.html.
This document was prepared by ITU-T as ITU-T X.511 (10/2019) and drafted in accordance with
its editorial rules, in collaboration with Joint Technical Committee ISO/IEC JTC 1,
Information technology, Subcommittee SC 6, Telecommunications and information exchange between
systems.
This ninth edition cancels and replaces the eighth edition (ISO/IEC 9594-3:2017), which has been
technically revised.
A list of all parts in the ISO/IEC 9594 series can be found on the ISO website.
Any feedback or questions on this document should be directed to the user’s national standards body.
A complete listing of these bodies can be found at www.iso.org/members.html.
© ISO/IEC 2020 – All rights reserved iii

CONTENTS
Page
1 Scope . 1
2 Normative references. 1
2.1 Identical Recommendations | International Standards . 1
2.2 Paired Recommendations | International Standards equivalent in technical content . 1
2.3 Additional references . 2
3 Definitions . 2
3.1 OSI Reference Model security architecture definitions. 2
3.2 Basic Directory definitions . 2
3.3 Directory model definitions . 2
3.4 Directory information base definitions . 2
3.5 Directory entry definitions . 2
3.6 Name definitions . 3
3.7 Distributed operations definitions . 3
3.8 Abstract service definitions . 3
4 Abbreviations . 4
5 Conventions . 4
6 Overview of the Directory service . 5
7 Information types and common procedures . 5
7.1 Introduction . 5
7.2 Information types defined elsewhere . 5
7.3 Common arguments . 6
7.4 Common results . 9
7.5 Service controls . 10
7.6 Entry information selection . 12
7.7 Entry information . 15
7.8 Filter . 17
7.9 Paged results. 20
7.10 Security parameters . 22
7.11 Common elements of procedure for access control . 23
7.12 Managing the DSA Information Tree . 25
7.13 Procedures for families of entries . 25
8 Directory authentication . 26
8.1 Simple authentication procedure . 26
8.2 Password policy . 28
9 Bind, Unbind operations, Change Password and Administer Password operations . 31
9.1 Directory Bind . 31
9.2 Directory Unbind . 34
10 Directory Read operations . 34
10.1 Read . 34
10.2 Compare . 37
10.3 Abandon . 40
11 Directory Search operations . 40
11.1 List . 40
11.2 Search . 44
12 Directory Modify operations . 55
12.1 Add Entry . 55
12.2 Remove Entry. 57
12.3 Modify Entry . 59
12.4 Modify DN . 63
12.5 Change Password . 65
12.6 Administer Password. 66
© ISO/IEC 2020 – All rights reserved
Rec. ITU-T X.511 (10/2019) v
Page
13 Operations for LDAP messages . 66
13.1 LDAP Transport operation . 67
13.2 Linked LDAP operation . 69
14 Errors . 69
14.1 Error precedence . 69
14.2 Abandoned . 70
14.3 Abandon Failed . 70
14.4 Attribute Error . 71
14.5 Name Error . 72
14.6 Referral . 73
14.7 Security Error . 73
14.8 Service Error . 74
14.9 Update Error . 76
15 Analysis of search arguments . 77
15.1 General check of search filter . 78
15.2 Check of request-attribute-profiles . 79
15.3 Check of controls and hierarchy selections . 80
15.4 Check of matching use . 81
Annex A – Abstract Service in ASN.1 . 82
Annex B – Operational semantics for Basic Access Control . 98
Annex C – Examples of searching families of entries . 111
C.1 Single family example . 111
C.2 Multiple families example . 112
Annex D – External ASN.1 module . 115
Annex E – Use of protected passwords for Bind operations . 119
Annex F – Amendments and corrigenda . 120
© ISO/IEC 2020 – All rights reserved
vi Rec. ITU-T X.511 (10/2019)
Introduction
This Recommendation | International Standard, together with the other Recommendations | International Standards, has
been produced to facilitate the interconnection of information processing systems to provide directory services. A set of
such systems, together with the directory information that they hold, can be viewed as an integrated whole, called the
Directory. The information held by the Directory, collectively known as the Directory Information Base (DIB), is
typically used to facilitate communication between, with or about objects such as application entities, people, terminals,
and distribution lists.
The Directory plays a significant role in Open Systems Interconnection, whose aim is to allow, with a minimum of
technical agreement outside of the interconnection standards themselves, the interconnection of information processing
systems:
– from different manufacturers;
– under different managements;
– of different levels of complexity; and
– of different ages.
This Recommendation | International Standard defines the capabilities provided by the Directory to its users.
This Recommendation | International Standard provides the foundation frameworks upon which industry profiles can be
defined by other standards groups and industry forums. Many of the features defined as optional in these frameworks may
be mandated for use in certain environments through profiles. This ninth edition technically revises and enhances the
eighth edition of this Recommendation | International Standard.
This ninth edition specifies versions 1 and 2 of the Directory protocols.
Rec. ITU-T X.511 (1993) | ISO/IEC 9594-3 (1995), Rec. ITU-T X.518 (1993) | ISO/IEC 9594-4 (1995) and Rec.
ITU-T X.519 (1993) | ISO/IEC 9594-5 (1995) and their previous edition specified only version 1. Most of the services
and protocols specified in this edition are designed to function under version 1. However, some enhanced services and
protocols, e.g., signed errors, will not function unless all Directory entities involved in the operation have negotiated
version 2. Whichever version has been negotiated, differences between the services and between the protocols defined in
the nine editions, except for those specifically assigned to version 2, are accommodated using the rules of extensibility
defined in Rec. ITU-T X.519 | ISO/IEC 9594-5.
Annex A, which is an integral part of this Recommendation | International Standard, provides the ASN.1 module for the
Directory abstract service.
Annex B, which is not an integral part of this Recommendation | International Standard, provides charts that describe the
semantics associated with Basic Access Control as it applies to the processing of a Directory operation.
Annex C, which is not an integral part of this Recommendation | International Standard, gives examples of the use of
families of entries.
Annex D, which is not an integral part of this Recommendation | International Standard, includes an updated copy of an
external ASN.1 module referenced by this Directory Specification.
Annex E, which is not an integral part of this Recommendation | International Standard, provides a suggested technique
for Bind protected password.
Annex F, which is not an integral part of this Recommendation | International Standard, lists the amendments and defect
reports that have been incorporated to form this edition of this Recommendation | International Standard.
© ISO/IEC 2020 – All rights reserved
Rec. ITU-T X.511 (10/2019) vii

© ISO/IEC 2020 – All rights reserved

INTERNATIONAL STANDARD
ITU-T RECOMMENDATION
Information technology – Open Systems Interconnection – The Directory:
Abstract service definition
1 Scope
This Recommendation | International Standard defines in an abstract way the externally visible service provided by the
Directory.
This Recommendation | International Standard does not specify individual implementations or products.
2 Normative references
The following Recommendations and International Standards contain provisions which, through reference in this text,
constitute provisions of this Recommendation | International Standard. At the time of publication, the editions indicated
were valid. All Recommendations and Standards are subject to revision, and parties to agreements based on this
Recommendation | International Standard are encouraged to investigate the possibility of applying the most recent edition
of the Recommendations and Standards listed below. Members of IEC and ISO maintain registers of currently valid
International Standards. The Telecommunication Standardization Bureau of the ITU maintains a list of currently valid
ITU-T Recommendations.
2.1 Identical Recommendations | International Standards
– Recommendation ITU-T X.500 (2019) | ISO/IEC 9594-1:2020, Information technology – Open Systems
Interconnection – The Directory: Overview of concepts, models and services.
– Recommendation ITU-T X.501 (2019) | ISO/IEC 9594-2:2020, Information technology – Open Systems
Interconnection – The Directory: Models.
– Recommendation ITU-T X.509 (2019) | ISO/IEC 9594-8:2020, Information technology – Open Systems
Interconnection – The Directory: Public-key and attribute certificate frameworks.
– Recommendation ITU-T X.518 (2019) | ISO/IEC 9594-4:2020, Information technology – Open Systems
Interconnection – The Directory: Procedures for distributed operation.
– Recommendation ITU-T X.519 (2019) | ISO/IEC 9594-5:2020, Information technology – Open Systems
Interconnection – The Directory: Protocol specifications.
– Recommendation ITU-T X.520 (2019) | ISO/IEC 9594-6:2020, Information technology – Open Systems
Interconnection – The Directory: Selected attribute types.
– Recommendation ITU-T X.521 (2019) | ISO/IEC 9594-7:2020, Information technology – Open Systems
Interconnection – The Directory: Selected object classes.
– Recommendation ITU-T X.525 (2019) | ISO/IEC 9594-9:2020, Information technology – Open Systems
Interconnection – The Directory: Replication.
– Recommendation ITU-T X.680 (2015) | ISO/IEC 8824-1:2015, Information technology – Abstract Syntax
Notation One (ASN.1): Specification of basic notation.
– Recommendation ITU-T X.681 (2015) | ISO/IEC 8824-2:2015, Information technology – Abstract Syntax
Notation One (ASN.1): Information object specification.
– Recommendation ITU-T X.682 (2015) | ISO/IEC 8824-3:2015, Information technology – Abstract Syntax
Notation One (ASN.1): Constraint specification.
– Recommendation ITU-T X.683 (2015) | ISO/IEC 8824-4:2015, Information technology – Abstract Syntax
Notation One (ASN.1): Parameterization of ASN.1 specifications.
2.2 Paired Recommendations | International Standards equivalent in technical content
– Recommendation ITU-T X.800 (1991), Security architecture for Open Systems Interconnection for CCITT
applications.
ISO 7498-2:1989, Information processing systems – Open Systems Interconnection – Basic Reference
Model – Part 2: Security Architecture.
© ISO/IEC 2020 – All rights reserved
Rec. ITU-T X.511 (10/2019) 1
2.3 Additional references
– Recommendation ITU-T X.200 (1994) | ISO/IEC 7498-1:1994, Information technology – Open Systems
Interconnection – Basic Reference Model: The basic model.
– IETF RFC 2025 (1996), The Simple Public-Key GSS-API Mechanism (SPKM).
– IETF RFC 4422 (2006), Simple Authentication and Security Layer (SASL).
– IETF RFC 4511 (2006), Lightweight Directory Access Protocol (LDAP): The Protocol.
3 Definitions
For the purposes of this Recommendation | International Standard, the following definitions apply.
3.1 OSI Reference Model security architecture definitions
The following terms are defined in Rec. ITU-T X.800 | ISO 7498-2:
a) password.
3.2 Basic Directory definitions
The following terms are defined in Rec. ITU-T X.500 | ISO/IEC 9594-1:
a) Directory;
b) Directory Information Base;
c) (Directory) User.
3.3 Directory model definitions
The following terms are defined in Rec. ITU-T X.501 | ISO/IEC 9594-2:
a) Directory System Agent;
b) Directory User Agent.
3.4 Directory information base definitions
The following terms are defined in Rec. ITU-T X.501 | ISO/IEC 9594-2:
a) alias entry;
b) ancestor;
c) compound entry;
d) (Directory) entry;
e) Directory Information Tree;
f) family (of entries);
g) immediate superior;
h) immediately superior entry/object;
i) object;
j) object class;
k) object entry;
l) subordinate;
m) superior.
3.5 Directory entry definitions
The following terms are defined in Rec. ITU-T X.501 | ISO/IEC 9594-2:
a) attribute;
b) attribute type;
c) attribute value;
© ISO/IEC 2020 – All rights reserved
2 Rec. ITU-T X.511 (10/2019)
d) attribute value assertion;
e) context;
f) context type;
g) context value;
h) operational attribute;
i) matching rule;
j) user attribute.
3.6 Name definitions
The following terms are defined in Rec. ITU-T X.501 | ISO/IEC 9594-2:
a) alias, alias name;
b) distinguished name;
c) (directory) name;
d) purported name;
e) relative distinguished name.
3.7 Distributed operations definitions
The following terms are defined in Rec. ITU-T X.518 | ISO/IEC 9594-4:
a) bound DSA;
b) chaining;
c) initial performer;
d) LDAP requester;
e) referral.
3.8 Abstract service definitions
For the purposes of this Recommendation | International Standard, the following definitions apply.
3.8.1 additional search: A search that starts from joinBaseObject as specified by the originator in the search
request.
3.8.2 contributing member: A family member within a compound entry, which has made a contribution to either a
Read, Search or Modify Entry operation.
3.8.3 explicitly unmarked entry: An entry or a family member that is excluded from the SearchResult according
to a specification given in a control attribute referenced by the governing-search-rule.
3.8.4 family grouping: A set of members of a compound attribute that are grouped together for the purpose of
operation evaluation.
3.8.5 filter: An assertion about the presence or value of certain attributes of an entry in order to limit the scope of a
search.
3.8.6 originator: The user that originated an operation.
3.8.7 participating member: A family member that is either a contributing member or is a member of a family
grouping that as a whole matched a search filter.
3.8.8 Password expiration: The situation where a user password has reached the end of its validity period: the
account is locked and the user has to change the password before doing any other directory operation.
3.8.9 Password quality attributes: Attributes that specify how a password shall be constructed. Password quality
attributes include things like minimum length, mixture of characters (uppercase, lowercase, figures, punctuations, etc),
and avoidance of trivial passwords.
3.8.10 Password history: List of old passwords and the times they were inserted in the history.
3.8.11 primary search: The search that starts from baseObject as specified by the originator in the search request.
© ISO/IEC 2020 – All rights reserved
Rec. ITU-T X.511 (10/2019) 3
3.8.12 relaxation: A progressive modification of the behaviour of a filter during a search operation so as to achieve
more matched entries if too few are received, or fewer matched entries if too many are received.
3.8.13 reply: A DAP/DSP result or an error; or an LDAP result.
3.8.14 request: Information consisting of an operation code and associated components to convey a directory operation
from a requester to a performer.
3.8.15 requester: A DUA, an LDAP client or a DSA sending a request to perform (i.e., invoke) an operation.
3.8.16 service controls: Parameters conveyed as part of an operation, which constrain various aspects of its
performance.
3.8.17 strand: A family grouping comprising all the members in a path from a leaf family member up to the ancestor
inclusive. A family member will reside in as many strands as there are leaf family members below it (as immediate or
non-immediate subordinates).
4 Abbreviations
For the purposes of this Recommendation | International Standard, the following abbreviations apply:
ACI Access Control Information
AVA Attribute Value Assertion
DIB Directory Information Base
DIT Directory Information Tree
DMD Directory Management Domain
DSA Directory System Agent
DUA Directory User Agent
LDAP Lightweight Directory Access Protocol
RDN Relative Distinguished Name
5 Conventions
The term "Directory Specification" (as in "this Directory Specification") shall be taken to mean Rec. ITU-T X.511 |
ISO/IEC 9594-3. The term "Directory Specifications" shall be taken to mean the Rec. ITU-T X.500 | ISO/IEC 9594-1,
Rec. ITU-T X.501 | ISO/IEC 9594-2, Rec. ITU-T X.511 | ISO/IEC 9594-3, Rec. ITU-T X.518 | ISO/IEC 9594-4, Rec.
ITU-T X.519 | ISO/IEC 9594-5, Rec. ITU-T X.520 | ISO/IEC 9594-6, Rec ITU-T X.521 | ISO/IEC 9594-7 and Rec. ITU-
T X.525 | ISO/IEC 9594-9.
If an International Standard or ITU-T Recommendation is referenced within normal text without an indication of the
edition, the edition shall be taken to be the latest one as specified in the normative references clause.
Prior to year 2020, the parts making up the Directory Specifications progressed together and can therefore collectively be
identified as the Directory Specifications of a specific edition using the format: Rec. ITU-T X.5** (yyyy) | ISO/IEC 9594-
*:yyyy (e.g.; Rec ITU-T X.5** (1993) | ISO/IEC 9594-*:1995).
This Directory Specification makes extensive use of Abstract Syntax Notation One (ASN.1) for the formal specification
of data types and values, as it is specified in Rec. ITU-T X.680 | ISO/IEC 8824-1, ITU-T X.681 (2015) | ISO/IEC 8824-
2, ITU-T X.682 (2015) | ISO/IEC 8824-3, ITU-T X.683 (2015) | ISO/IEC 8824-4 and Rec. ITU-T X.690 | ISO/IEC 8825-
1.
This Directory Specification presents ASN.1 notation in the bold Courier New typeface. When ASN.1 types and values
are referenced in normal text, they are differentiated from normal text by presenting them in the bold Courier New
typeface. The names of procedures, typically referenced when specifying the semantics of processing, are differentiated
from normal text by displaying them in bold Times New Roman. Access control permissions are presented in italicized
Times New Roman.
If the items in a list are numbered (as opposed to using "–" or letters), then the items shall be considered steps in a
procedure.
© ISO/IEC 2020 – All rights reserved
4 Rec. ITU-T X.511 (10/2019)
6 Overview of the Directory service
As described in Rec. ITU-T X.501 | ISO/IEC 9594-2, the services of the Directory are provided through access points to
directory user agents (DUAs), each acting on behalf of a user. These concepts are depicted in Figure 1. Through an access
point, the Directory provides service to its users by means of a number of Directory operations.
Access point
The
Directory
DUA
Directory
user
X.511(12)_F01
Figure 1 – Access to the Directory
The Directory operations are of three different kinds:
a) Directory Read operations, which interrogate a single Directory entry;
b) Directory Search operations, which interrogate potentially several Directory entries; and
c) Directory Modify operations.
The Directory Read operations, the Directory Search operations and the Directory Modify operations are specified in
clauses 10, 11, and 12, respectively. Conformance to Directory operations is specified in Rec. ITU-T X.519 |
ISO/IEC 9594-5.
7 Information types and common procedures
7.1 Introduction
This clause identifies, and in some cases defines, a number of information types which are subsequently used in the
definition of Directory operations. The information types concerned are those which are common to more than one
operation, are likely to be in the future, or which are sufficiently complex or self-contained as to merit being defined
separately from the operation which uses them.
Several of the information types used in the definition of the Directory Service are actually defined elsewhere. Clause 7.2
identifies these types and indicates the source of their definition. Each of the clauses (7.3 to 7.10) identifies and defines
an information type.
This clause also specifies some common elements of procedure that apply to most or all of the Directory operations.
7.2 Information types defined elsewhere
The following information types are defined in Rec. ITU-T X.501 | ISO/IEC 9594-2:
a) Attribute;
b) AttributeType;
c) AttributeValue;
d) AttributeValueAssertion;
e) Context;
f) ContextAssertion;
g) DistinguishedName;
h) Name;
i) OPTIONALLY-PROTECTED;
j) OPTIONALLY-PROTECTED-SEQ;
k) RelativeDistinguishedName.
© ISO/IEC 2020 – All rights reserved
Rec. ITU-T X.511 (10/2019) 5
The following information type is defined in Rec. ITU-T X.520 | ISO/IEC 9594-6:
a) PresentationAddress.
The following information types are defined in Rec. ITU-T X.509 | ISO/IEC 9594-8:
a) Certificate;
b) SIGNED;
c) CertificationPath.
The following information type is defined in Rec. ITU-T X.880 | ISO/IEC 13712-1:
a) InvokeId.
The following information types are defined in Rec. ITU-T X.518 | ISO/IEC 9594-4:
a) OperationProgress;
b) ContinuationReference.
7.3 Common arguments
The CommonArguments information may be present to qualify the invocation of each operation that the Directory can
perform.
CommonArguments ::= SET {
serviceControls   [30] ServiceControls  DEFAULT {},
securityParameters  [29] SecurityParameters OPTIONAL,
requestor      [28] DistinguishedName OPTIONAL,
operationProgress  [27] OperationProgress
DEFAULT {nameResolutionPhase notStarted},
aliasedRDNs     [26] INTEGER      OPTIONAL,
criticalExtensions  [25] BIT STRING     OPTIONAL,
referenceType    [24] ReferenceType   OPTIONAL,
entryOnly      [23] BOOLEAN      DEFAULT TRUE,
exclusions      [22] Exclusions     OPTIONAL,
nameResolveOnMaster [21] BOOLEAN      DEFAULT FALSE,
operationContexts  [20] ContextSelection  OPTIONAL,
familyGrouping    [19] FamilyGrouping   DEFAULT entryOnly,
... }
NOTE 1 – The above data type can only be used when included in set-constructs. An alternative data type CommonArgumentsSeq
has been defined to be used in sequence-constructs (see Annex A).
The ServiceControls component is specified in clause 7.5. Its absence is deemed equivalent to there being an empty
set of controls.
The SecurityParameters component is specified in clause 7.10. If the argument of the operation is to be signed by
the requester, the SecurityParameters component shall be included. The absence of the SecurityParameters
component is deemed equivalent to an empty set.
The requestor component, when present, shall hold the distinguished name of the originator (requester) of the
operation. If the distinguished name of the requester was established at bind time, the requestor component shall be
equal to that distinguished name. Likewise, it shall be equal to the distinguished name in subject field of the end-entity
public-key certificate of the requester if the certification-path component of the SecurityParameters is present.
NOTE 2 – The bound directory system agent (DSA) should check the equality of the distinguished names as indicated above
(implementations based on Rec. ITU-T X.511 (2008) | ISO/IEC 9594-3:2008) or earlier editions may not do that).
NOTE 3 – If the distinguished name of the requester was not established at bind time and the certification-path component
of the SecurityParameters is not present in the request, a possible value in the requester component should not be considered
reliable for access control purposes.
The operationProgress, referenceType, entryOnly, exclusions and nameResolveOnMaster components are
defined in Rec. ITU-T X.518 | ISO/IEC 9594-4. They are supplied by a DUA either:
a) when acting on a continuation reference returned by a DSA in response to an earlier operation, and their
values are copied by the DUA from the continuation reference; or
b) when the DUA represents an administrative user that is managing the DSA Information Tree and the
manageDSAIT option is set in the service controls.
© ISO/IEC 2020 – All rights reserved
6 Rec. ITU-T X.511 (10/2019)
The aliasedRDNs component indicates to the DSA that the object component of the operation was created by the
dereferencing of an alias on an earlier operation attempt. The integer value indicates the number of relative distinguished
names (RDNs) in the name that came from dereferencing the alias. (The value would have been set in the referral response
of the previous operation.)
NOTE 4 – This component is provided for compatibility with implementations based on Rec CCITT X.511 (1988) | IEC 9594:1990.
DUAs (and DSAs) implemented according to later editions of the Directory Specifications shall always omit this parameter from
the CommonArguments of a subsequent request. In this way, the Directory will not signal an error if aliases dereference to further
aliases.
The operationContexts component supplies a set of context assertions which are applied to attribute value assertions
and entry information selection made within this operation, which do not otherwise contain context assertions for the
same attribute type and context type. If operationContexts is not present or does not address a particular attribute
type or context type, then default context assertions shall be applied by the DSA as described in clause 7.6.1 and in
clauses 8.9.2.2 and 12.8 of Rec. ITU-T X.501 | ISO/IEC 9594-2. If allContexts is chosen, then all contexts for all
attribute types are valid and context defaults that might have been supplied by the DSA are overridden.
(ContextSelection is defined in clause 7.6).
familyGrouping is used to describe which family members should be selected for processing by a given operation. It is
described more fully in clause 7.3.2.
7.3.1 Critical extensions
The criticalExtensions component provides a mechanism to list a set of extensions that are critical to the
performance of a Directory operation. If the originator of the extended operation wishes to indicate that the operation
shall be performed with one or more extensions (i.e., that performing the operation without these extensions is not
acceptable), it does so by setting the criticalExtensions bit(s) which corresponds to the extension(s). If the Directory,
or some part of it, is unable to perform a critical extension, it returns an indication of unavailableCriticalExtension
(as a serviceError or PartialOutcomeQualifier). If the Directory is unable to perform an extension that is not
critical, it ignores the presence of the extension.
This Directory Specification does not establish rules regarding the order in which a performing DSA is to decode and
process PDUs that it receives. A DSA that receives an unknown critical extension shall return a ServiceError with
problem unavailableCriticalExtension to signal that the operation failed.
These Directory Specifications define a number of extensions. The extensions take such forms as additional numbered
bits in a BIT STRING, or additional components of a SET or SEQUENCE, and are ignored by implementations based on
the 1988 edition of the CCITT X.500 Recommendations series or the ISO/IEC 9594:1990 edition. Each such extension
is assigned an integer identifier, which is the number of the bit that may be set in criticalExtensions. If the criticality
of an extension is defined to be critical, the DUA shall set the corresponding bit in criticalExtensions. If the defined
criticality is non-critical, the DUA may or may not set the corresponding bit in criticalExtensions.
The extensions, their identifiers, the operations in which they are permitted, the recommended criticality, the clauses in
which they are defined, and the corresponding lightweight directory access protocol (LDAP) controls (if any) are shown
in Table 1.
Table 1 – Extensions
Defined
Extension Identifier Operations Criticality LDAP control
(clauses)
subentries 1 All Non-critical 7.5 1.3.6.1.4.1.4203.1.10.1
copyShallDo 2 Read, Compare, List, Non-critical 7.5
Search
attribute size limit 3 Read, Search Non-critical 7.5
extraAttributes 4 Read, Search Non-critical 7.6
modifyRightsRequest 5 Read Non-critical 10.1
pagedResultsRequest 6 List, Search Non-critical 11.1 1.2.840.113556.1.4.319
matchedValuesOnly 7 Search Non-critical 11.2 1.2.826.0.1.3344810.2.3
extendedFilter 8 Search Non-critical 11.2
targetSystem 9 Add Entry Critical 12.1
useAliasOnUpdate 10 Add Entry, Remove Critical 12.1
Entry, Modify Entry
newSuperior 11 Modify DN Critical 12.4
© ISO/IEC 2020 – All rights reserved
Rec. ITU-T X.511 (10/2019) 7
Table 1 – Extensions
Defined
Extension Identifier Operations Criticality LDAP control
(clauses)
manageDSAIT 12 All Critical 7.5, 7.12 2.16.840.1.113730.3.4.2
Use of contexts 13 Read, Compare, List, Non-critical 7.6, 7.8
Search, Add Entry,
Modify Entry, Modify
DN
partialNameResolution 14 Read, Search Non-critical 7.5
overspecFilter 15 Search Non-critical 11.1.3 f)
selectionOnModify 16 Modify Entry Non-critical 12.3.2
17 Reserved 7.10
Security parameters – 18 All Non-critical 7.10
Operation code
Security parameters – 19 All Non-critical 7.10
Attribute certification
path
Security parameters – 20 All Non-critical 7.10
Error Protection
21-24 Reserved
Service administration 25 Read, Search, Critical 11.2.2, 13,
ModifyEntry clause 16 of Rec.
ITU-T X.501 |
ISO/IEC 9594-2
entryCount 26 Search Non-critical 11.1.3
hierarchySelections 27 Search Non-critical 11.2.2
relaxation 28 Search Non-critical 7.8
familyGrouping 29 Compare, Non-critical 7.3.2, 7.8.3
Search, Non-critical &
RemoveEntry Critical 10.2.2
11.2
12.2.2
familyReturn 30 Read, Non-critical 7.6.4, 7.7.1
Search, Non-critical &
ModifyEntry Non-critical 10.1.3
11.2.3
12.3.3
dnAttributes 31 Search Non-critical 11.2.2
friend attributes 32 Read, Search Non-critical 7.6, 7.8.2
Abandon of paged 33 List, Search critical 7.9
results
Paged results on the 34 List, Search Non-critical 7.9
DSP
replaceValues 35 ModifyEntry critical 12.3.1, 12.3.2 1.3.6.1.1.14
NOTE 1 – The first extension is given the identifier 1 and corresponds to bit 1 of the BIT STRING. Bit 0 of the BIT STRING is
not used.
NOTE 2 – Use of signing on errors Add Entry, Remove Entry, Modify Entry, Modify DN requires version 2 or higher of the
protocol.
NOTE 3 – The SPKM credentials extension shall be critical unless used in associations established using version 2 or higher.
7.3.2 Family grouping
Family grouping allows a single family member, several family members or all family members of a compound entry, to
be grouped together for joint consideration prior to operation evaluation. These semantics can then be applied to the
following operations (as indicated in the descriptions below): Compare (to define the scope within which the compared
attribute might lie), Search (to define the groupings for which filtering might take place), Remove Entry (to define the
groupings for removal). The following ASN.1 is used to select members of a family:

FamilyGrouping ::= ENUMERATED {
entryOnly   (1),
© ISO/IEC 2020 – All rights reserved
8 Rec. ITU-T X.511 (10/2019)
compoundEntry (2),
strands    (3),
multiStrand  (4),
... }
entryOnly means that the specific family member selected by the operation is to be considered in the group. This is the
default value, and ensures backward compatibility with previous editions of the Directory Specifications.
compoundEntry means that the complete compound entry selected by the operation is to be considered as a unit by
combining all the attributes. For Remove Entry operations, it is only applicable when the object name specified is that of
an ancestor of a compound entry, and it causes all family members to be removed by the same operation (subject to access
control).
strands means that all the strands associated with the family member are to be selected by the operation. This option is
not valid for the Remove Entry oper
...