X.500 Directory Services

X.500 is a standard for directory services developed by the International Telecommunication Union (ITU), the most recent version of which was published in 1993. It uses a distributed approach to implement a global directory service. Systems based on X.500 include the Lightweight Directory Access Protocol (LDAP), Novell's Novell Directory Services (now eDirectory), and Microsoft's Active Directory (now Active Directory Domain Services).

Directory information for an organisation is held in a database called a directory system agent (DSA). A single DSA may hold information for more than one organisation, or conversely, directory information for a single organisation can reside in multiple DSAs. All DSAs within an X.500 directory service are interconnected in a virtual hierarchical data structure called the directory information tree (DIT), and can exchange data with each other using the Directory System Protocol (DSP).

Each DSA can hold all or part of the global directory, and data can be replicated in two or more DSAs, reducing access time, and ensuring the availability of information in the event of a single DSA failure. The distribution of information among DSAs is transparent to users.

Directory information is stored as entries, each of which refers to an object of a specific class. The defined object classes include country, organisation, organisational unit and person. The object at the top of the directory information tree is called the root object, and contains all the other objects in the tree.

The country, organisation and organisational unit objects are all container objects, and can contain other objects. The person object is a leaf object, and as such cannot contain other objects. The hierarchical structure of the directory information tree is illustrated below.

[Figure: The hierarchical structure of the directory information tree]

The information contained in an entry consists of various object attributes, the number and nature of which will depend on the object class to which the entry belongs. The object class person, for example, has attributes like common name, telephone number, and e-mail address. The example entry shown below would appear in the DIT as the node 'cwells' (the name of an entry must be unique within the container object in which it appears).

Typical Attribute-Value Pairs

    Attribute          Value
    ---------------    ------------------------------------------------
    Object Class       person
    Common Name        cwells
    Postal Address     TechnologyUK, North Prospect, Plymouth PL2 2QA
    Telephone Number   01752 123456

A user can access and modify the information in the directory information tree using a directory user agent (DUA), which will be a client application of some kind, usually offering a graphical user interface. Access to the information is restricted to authorised users, and information about which users have access to which objects (and at what level) is held in the directory information tree itself.

Searches can be carried out within the directory, or within a sub-tree of the directory, for objects having specific attributes and attribute values. For example, the directory could be searched for all persons having a particular common name. Searches can usually be made on the basis of an exact match or an approximate match (using wildcards).

Entries in the DIT are uniquely identified by their full distinguished name, consisting of the object's common name concatenated to the name of the container object in which it resides, and that of any other container objects in the hierarchical path between the object itself and the root object. The full distinguished name of the object 'cwells' in the directory information tree illustrated above would therefore appear as follows:
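The two operations described above, building a full distinguished name by walking from an entry up to the root and searching a sub-tree for entries by exact or wildcard attribute match, as an added Python illustration that is not part of the original article. The sample DIT it builds is constructed for this example: the 'cwells' person entry and its object class are from the article, while the country (GB), organisation (TechnologyUK) and organisational unit (Computing) names are assumed.

```python
from fnmatch import fnmatchcase

# Object classes the article lists as containers; person is a leaf and may not hold children.
CONTAINER_CLASSES = {"country", "organization", "organizationalUnit"}


class Entry:
    """One DIT node: an object class plus its attribute-value pairs."""

    def __init__(self, object_class, rdn_attr, rdn_value, parent=None, **attrs):
        self.object_class = object_class
        self.rdn = (rdn_attr, rdn_value)      # name, unique within the parent container
        self.attrs = {"objectClass": object_class, rdn_attr: rdn_value, **attrs}
        self.parent = parent
        self.children = {}
        if parent is not None:
            if not parent.is_container():
                raise ValueError(f"{parent.dn()} is a leaf object and cannot contain entries")
            if rdn_value in parent.children:
                raise ValueError(f"{rdn_value!r} is already used in {parent.dn() or 'root'}")
            parent.children[rdn_value] = self

    def is_container(self):
        # The root object holds everything; otherwise only container classes may hold children.
        return self.parent is None or self.object_class in CONTAINER_CLASSES

    def dn(self):
        """Full distinguished name: own RDN, then each container up to (excluding) the root."""
        parts, node = [], self
        while node.parent is not None:
            parts.append(f"{node.rdn[0]}={node.rdn[1]}")
            node = node.parent
        return ",".join(parts)

    def search(self, attr, pattern):
        """Search this sub-tree for entries whose attribute matches exactly or by wildcard."""
        hits = [self] if attr in self.attrs and fnmatchcase(self.attrs[attr], pattern) else []
        for child in self.children.values():
            hits.extend(child.search(attr, pattern))
        return hits


def build_sample_dit():
    """Constructed sample DIT using the article's object classes and its 'cwells' entry."""
    root = Entry("root", "", "")                                        # the root object
    gb = Entry("country", "c", "GB", parent=root)                       # assumed country
    org = Entry("organization", "o", "TechnologyUK", parent=gb)         # assumed organisation
    ou = Entry("organizationalUnit", "ou", "Computing", parent=org)     # assumed unit
    Entry("person", "cn", "cwells", parent=ou, telephoneNumber="01752 123456")
    Entry("person", "cn", "cjones", parent=ou, telephoneNumber="01752 654321")
    return root
```

Searching from the root covers the whole directory, while calling `search` on a container entry limits the search to that sub-tree, matching the two scopes the article describes.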