Network Working Group                                       J. Strassner
Request for Comments: 3703                        Intelliden Corporation
Category: Standards Track                                       B. Moore
                                                         IBM Corporation
                                                                R. Moats
                                                    Lemur Networks, Inc.
                                                             E. Ellesson
                                                           February 2004
        
Policy Core Lightweight Directory Access Protocol (LDAP) Schema

Status of this Memo

This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.

Copyright Notice

版权公告

Copyright (C) The Internet Society (2004). All Rights Reserved.

Abstract

This document defines a mapping of the Policy Core Information Model to a form that can be implemented in a directory that uses Lightweight Directory Access Protocol (LDAP) as its access protocol. This model defines two hierarchies of object classes: structural classes carrying the information used to represent and control policy data as specified in RFC 3060, and relationship classes that indicate how instances of the structural classes are related to each other. Classes are also added to the LDAP schema to improve the performance of a client's interactions with an LDAP server when the client is retrieving large amounts of policy-related information. These classes exist only to optimize LDAP retrievals: there are no classes in the information model that correspond to them.

Table of Contents

   1.  Introduction
   2.  The Policy Core Information Model
   3.  Inheritance Hierarchy for the PCLS
   4.  General Discussion of Mapping the Information Model to LDAP
       4.1.  Summary of Class and Association Mappings
       4.2.  Usage of DIT Content and Structure Rules and Name Forms
       4.3.  Naming Attributes in the PCLS
       4.4.  Rule-Specific and Reusable Conditions and Actions
       4.5.  Location and Retrieval of Policy Objects in the Directory
             4.5.1.  Aliases and Other DIT-Optimization Techniques
   5.  Class Definitions
       5.1.  The Abstract Class "pcimPolicy"
       5.2.  The Three Policy Group Classes
       5.3.  The Three Policy Rule Classes
       5.4.  The Class pcimRuleConditionAssociation
       5.5.  The Class pcimRuleValidityAssociation
       5.6.  The Class pcimRuleActionAssociation
       5.7.  The Auxiliary Class pcimConditionAuxClass
       5.8.  The Auxiliary Class pcimTPCAuxClass
       5.9.  The Auxiliary Class pcimConditionVendorAuxClass
       5.10. The Auxiliary Class pcimActionAuxClass
       5.11. The Auxiliary Class pcimActionVendorAuxClass
       5.12. The Class pcimPolicyInstance
       5.13. The Auxiliary Class pcimElementAuxClass
       5.14. The Three Policy Repository Classes
       5.15. The Auxiliary Class pcimSubtreesPtrAuxClass
       5.16. The Auxiliary Class pcimGroupContainmentAuxClass
       5.17. The Auxiliary Class pcimRuleContainmentAuxClass
   6.  Extending the Classes Defined in This Document
       6.1.  Subclassing pcimConditionAuxClass and pcimActionAuxClass
       6.2.  Using the Vendor Policy Attributes
       6.3.  Using Time Validity Periods
   7.  Security Considerations
   8.  IANA Considerations
       8.1.  Object Identifiers
       8.2.  Object Identifier Descriptors
   9.  Acknowledgments
   10. Appendix:  Constructing the Value of orderedCIMKeys
   11. References
       11.1. Normative References
       11.2. Informative References
   12. Authors' Addresses
   13. Full Copyright Statement

1. Introduction

This document takes as its starting point the object-oriented information model for representing and controlling policy data specified in [1]. Lightweight Directory Access Protocol (LDAP) [2] implementers, please note that the use of the term "policy" in this document does not refer to the term "policy" as defined in X.501 [4]. Rather, throughout this document the term "policy" is defined as follows:

Policy is defined as a set of rules to administer, manage, and control access to network resources.

This work is currently under joint development in the IETF's Policy Framework working group and in the Policy working group of the Distributed Management Task Force (DMTF). This model defines two hierarchies of object classes: structural classes representing policy information and control of policies, and relationship classes that indicate how instances of the structural classes are related to each other. In general, both of these class hierarchies will need to be mapped to a particular data store.

This document defines the mapping of these information model classes to a directory that uses LDAP as its access protocol. Two types of mappings are involved:

- For the structural classes in the information model, the mapping is basically one-for-one: information model classes map to LDAP classes, information model properties map to LDAP attributes.

- For the relationship classes in the information model, different mappings are possible. In this document, the Policy Core Information Model's (PCIM's) relationship classes and their properties are mapped in three ways: to LDAP auxiliary classes, to attributes representing distinguished name (DN) references, and to superior-subordinate relationships in the Directory Information Tree (DIT).

Implementations that use an LDAP directory as their policy repository and want to implement policy information according to RFC 3060 [1] SHALL use the LDAP schema defined in this document, or a schema that subclasses from the schema defined in this document. The use of the information model defined in reference [1] as the starting point enables the inheritance and the relationship class hierarchies to be extensible, such that other types of policy repositories, such as relational databases, can also use this information.

This document fits into the overall framework for representing, deploying, and managing policies being developed by the Policy Framework Working Group.

The LDAP schema described in this document uses the prefix "pcim" to identify its classes and attributes. It consists of ten very general classes: pcimPolicy (an abstract class), three policy group classes (pcimGroup, pcimGroupAuxClass, and pcimGroupInstance), three policy rule classes (pcimRule, pcimRuleAuxClass, and pcimRuleInstance), and three special auxiliary classes (pcimConditionAuxClass, pcimTPCAuxClass, and pcimActionAuxClass). (Note that the PolicyTimePeriodCondition auxiliary class defined in [1] would normally have been named pcimTimePeriodConditionAuxClass, but this name is too long for some directories. Therefore, we have abbreviated this name to be pcimTPCAuxClass).

The mapping for the PCIM classes pcimGroup and pcimRule is designed to be as flexible as possible. Three classes are defined for these two PCIM classes. First, an abstract superclass is defined that contains all required properties of each PCIM class. Then, both an auxiliary class as well as a structural class are derived from the abstract superclass. This provides maximum flexibility for the developer.

The schema also contains two less general classes: pcimConditionVendorAuxClass and pcimActionVendorAuxClass. To achieve the mapping of the information model's relationships, the schema also contains two auxiliary classes: pcimGroupContainmentAuxClass and pcimRuleContainmentAuxClass. Capturing the distinction between rule-specific and reusable policy conditions and policy actions introduces seven other classes: pcimRuleConditionAssociation, pcimRuleValidityAssociation, pcimRuleActionAssociation, pcimPolicyInstance, and three policy repository classes (pcimRepository, pcimRepositoryAuxClass, and pcimRepositoryInstance). Finally, the schema includes two classes (pcimSubtreesPtrAuxClass and pcimElementAuxClass) for optimizing LDAP retrievals. In all, the schema contains 23 classes.

Within the context of this document, the term "PCLS" (Policy Core LDAP Schema) is used to refer to the LDAP class definitions that this document contains. The term "PCIM" refers to classes defined in [1].

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [10].

2. The Policy Core Information Model

This document contains an LDAP schema representing the classes defined in the companion document "Policy Core Information Model -- Version 1 Specification" [1]. Other documents may subsequently be produced, with mappings of this same PCIM to other storage technologies. Since the detailed semantics of the PCIM classes appear only in [1], that document is a prerequisite for reading and understanding this document.

3. Inheritance Hierarchy for the PCLS

The following diagram illustrates the class hierarchy for the LDAP Classes defined in this document:

        top
         |
         +--dlm1ManagedElement (abstract)
         |   |
         |   +--pcimPolicy (abstract)
         |   |   |
         |   |   +--pcimGroup (abstract)
         |   |   |  |
         |   |   |  +--pcimGroupAuxClass (auxiliary)
         |   |   |  |
         |   |   |  +--pcimGroupInstance (structural)
         |   |   |
         |   |   +--pcimRule (abstract)
         |   |   |  |
         |   |   |  +--pcimRuleAuxClass (auxiliary)
         |   |   |  |
         |   |   |  +--pcimRuleInstance (structural)
         |   |   |
         |   |   +--pcimRuleConditionAssociation (structural)
         |   |   |
         |   |   +--pcimRuleValidityAssociation (structural)
         |   |   |
         |   |   +--pcimRuleActionAssociation (structural)
         |   |   |
         |   |   +--pcimPolicyInstance (structural)
         |   |   |
         |   |   +--pcimElementAuxClass (auxiliary)
         |   |
         |   +--dlm1ManagedSystemElement (abstract)
         |       |
         |       +--dlm1LogicalElement (abstract)
         |           |
         |           +--dlm1System (abstract)
         |               |
         |               +--dlm1AdminDomain (abstract)
         |                   |
         |                   +--pcimRepository (abstract)
         |                      |
         |                      +--pcimRepositoryAuxClass (auxiliary)
         |                      |
         |                      +--pcimRepositoryInstance
         |                         (structural)
         |
         +--pcimConditionAuxClass (auxiliary)
         |   |
         |   +---pcimTPCAuxClass (auxiliary)
         |   |
         |   +---pcimConditionVendorAuxClass (auxiliary)
         |
         +--pcimActionAuxClass (auxiliary)
         |   |
         |   +---pcimActionVendorAuxClass (auxiliary)
         |
         +--pcimSubtreesPtrAuxClass (auxiliary)
         |
         +--pcimGroupContainmentAuxClass (auxiliary)
         |
         +--pcimRuleContainmentAuxClass (auxiliary)

Figure 1. LDAP Class Inheritance Hierarchy for the PCLS

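
The hierarchy in Figure 1 fixes which objectClass combinations a directory should accept: abstract classes are never instantiated on their own, exactly one structural chain says what kind of policy object an entry is, and the auxiliary classes attach to it. The following Python, an added example and not code from the RFC, encodes Figure 1 as data and checks an entry's objectClass values against it; the class names and kinds are the figure's own, the checking functions are the example's.

```python
# Validate objectClass values against the PCLS hierarchy in RFC 3703, Figure 1.
# Added example, not code from the RFC; class names and kinds are the figure's own.

# class -> (superclass, kind), transcribed from Figure 1; "top" is the LDAP root.
PCLS_HIERARCHY = {
    "top": (None, "abstract"),
    "dlm1ManagedElement": ("top", "abstract"),
    "pcimPolicy": ("dlm1ManagedElement", "abstract"),
    "pcimGroup": ("pcimPolicy", "abstract"),
    "pcimGroupAuxClass": ("pcimGroup", "auxiliary"),
    "pcimGroupInstance": ("pcimGroup", "structural"),
    "pcimRule": ("pcimPolicy", "abstract"),
    "pcimRuleAuxClass": ("pcimRule", "auxiliary"),
    "pcimRuleInstance": ("pcimRule", "structural"),
    "pcimRuleConditionAssociation": ("pcimPolicy", "structural"),
    "pcimRuleValidityAssociation": ("pcimPolicy", "structural"),
    "pcimRuleActionAssociation": ("pcimPolicy", "structural"),
    "pcimPolicyInstance": ("pcimPolicy", "structural"),
    "pcimElementAuxClass": ("pcimPolicy", "auxiliary"),
    "dlm1ManagedSystemElement": ("dlm1ManagedElement", "abstract"),
    "dlm1LogicalElement": ("dlm1ManagedSystemElement", "abstract"),
    "dlm1System": ("dlm1LogicalElement", "abstract"),
    "dlm1AdminDomain": ("dlm1System", "abstract"),
    "pcimRepository": ("dlm1AdminDomain", "abstract"),
    "pcimRepositoryAuxClass": ("pcimRepository", "auxiliary"),
    "pcimRepositoryInstance": ("pcimRepository", "structural"),
    "pcimConditionAuxClass": ("top", "auxiliary"),
    "pcimTPCAuxClass": ("pcimConditionAuxClass", "auxiliary"),
    "pcimConditionVendorAuxClass": ("pcimConditionAuxClass", "auxiliary"),
    "pcimActionAuxClass": ("top", "auxiliary"),
    "pcimActionVendorAuxClass": ("pcimActionAuxClass", "auxiliary"),
    "pcimSubtreesPtrAuxClass": ("top", "auxiliary"),
    "pcimGroupContainmentAuxClass": ("top", "auxiliary"),
    "pcimRuleContainmentAuxClass": ("top", "auxiliary"),
}


def ancestors(cls):
    """Superclasses of cls from the nearest one up to 'top'."""
    chain = []
    parent = PCLS_HIERARCHY[cls][0]
    while parent is not None:
        chain.append(parent)
        parent = PCLS_HIERARCHY[parent][0]
    return chain


def complete_chain(object_classes):
    """Add the superclasses an LDAP server implies; unknown names are skipped."""
    full = set()
    for cls in object_classes:
        if cls in PCLS_HIERARCHY:
            full.add(cls)
            full.update(ancestors(cls))
    return full


def structural_class(object_classes):
    """Most specific structural class, or None when there is none or when the
    structural classes come from different inheritance chains."""
    structural = [c for c in complete_chain(object_classes)
                  if PCLS_HIERARCHY[c][1] == "structural"]
    for cls in structural:
        if all(other == cls or other in ancestors(cls) for other in structural):
            return cls
    return None


def check_entry(object_classes):
    """Return schema problems for an entry's objectClass values; [] means valid."""
    problems = [f"unknown class {c}" for c in object_classes if c not in PCLS_HIERARCHY]
    full = complete_chain(object_classes)
    structural = sorted(c for c in full if PCLS_HIERARCHY[c][1] == "structural")
    if not structural:
        # Abstract classes (pcimPolicy, pcimRule, ...) and auxiliary classes
        # never stand alone; a structural class must anchor the entry.
        problems.append("no structural class")
    elif structural_class(object_classes) is None:
        problems.append("structural classes from different chains: " + ", ".join(structural))
    return problems
```
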
4. General Discussion of Mapping the Information Model to LDAP

The classes described in Section 5 below contain certain optimizations for a directory that uses LDAP as its access protocol. One example of this is the use of auxiliary classes to represent some of the associations defined in the information model. Other data stores might need to implement these associations differently. A second example is the introduction of classes specifically designed to optimize retrieval of large amounts of policy-related data from a directory. This section discusses some general topics related to the mapping from the information model to LDAP.

The remainder of this section will discuss the following topics. Section 4.1 will discuss the strategy used in mapping the classes and associations defined in [1] to a form that can be represented in a directory that uses LDAP as its access protocol. Section 4.2 discusses DIT content and structure rules, as well as name forms. Section 4.3 describes the strategy used in defining naming attributes for the schema described in Section 5 of this document. Section 4.4 defines the strategy recommended for locating and retrieving PCIM-derived objects in the directory.

4.1. Summary of Class and Association Mappings

Fifteen of the classes in the PCLS come directly from the nine corresponding classes in the information model. Note that names of classes begin with an upper case character in the information model (although for CIM in particular, case is not significant in class and property names), but with a lower case character in LDAP. This is because although LDAP doesn't care, X.500 doesn't allow class names to begin with an uppercase character. Note also that the prefix "pcim" is used to identify these LDAP classes.

      +---------------------------+-------------------------------+
      | Information Model         | LDAP Class(es)                |
      +---------------------------+-------------------------------+
      +---------------------------+-------------------------------+
      | Policy                    | pcimPolicy                    |
      +---------------------------+-------------------------------+
      | PolicyGroup               | pcimGroup                     |
      |                           |   pcimGroupAuxClass           |
      |                           |   pcimGroupInstance           |
      +---------------------------+-------------------------------+
      | PolicyRule                | pcimRule                      |
      |                           |   pcimRuleAuxClass            |
      |                           |   pcimRuleInstance            |
      +---------------------------+-------------------------------+
      | PolicyCondition           | pcimConditionAuxClass         |
      +---------------------------+-------------------------------+
      | PolicyAction              | pcimActionAuxClass            |
      +---------------------------+-------------------------------+
      | VendorPolicyCondition     | pcimConditionVendorAuxClass   |
      +---------------------------+-------------------------------+
      | VendorPolicyAction        | pcimActionVendorAuxClass      |
      +---------------------------+-------------------------------+
      | PolicyTimePeriodCondition | pcimTPCAuxClass               |
      +---------------------------+-------------------------------+
      | PolicyRepository          | pcimRepository                |
      |                           |   pcimRepositoryAuxClass      |
      |                           |   pcimRepositoryInstance      |
      +---------------------------+-------------------------------+
        

Figure 2. Mapping of Information Model Classes to LDAP

The associations in the information model map to attributes that reference DNs (Distinguished Names) or to Directory Information Tree (DIT) containment (i.e., superior-subordinate relationships) in LDAP. Two of the attributes that reference DNs appear in auxiliary classes, which allow each of them to represent several relationships from the information model.

+-----------------------------------+---------------------------------+
| Information Model Association     | LDAP Attribute / Class          |
+-----------------------------------+---------------------------------+
+-----------------------------------+---------------------------------+
| PolicyGroupInPolicyGroup          | pcimGroupsAuxContainedSet in    |
|                                   |  pcimGroupContainmentAuxClass   |
+-----------------------------------+---------------------------------+
| PolicyRuleInPolicyGroup           | pcimRulesAuxContainedSet in     |
|                                   |  pcimRuleContainmentAuxClass    |
+-----------------------------------+---------------------------------+
| PolicyConditionInPolicyRule       | DIT containment or              |
|                                   | pcimRuleConditionList in        |
|                                   |  pcimRule or                    |
|                                   | pcimConditionDN in              |
|                                   |  pcimRuleConditionAssociation   |
+-----------------------------------+---------------------------------+
| PolicyActionInPolicyRule          | DIT containment or              |
|                                   | pcimRuleActionList in           |
|                                   |  pcimRule or                    |
|                                   | pcimActionDN in                 |
|                                   |  pcimRuleActionAssociation      |
+-----------------------------------+---------------------------------+
| PolicyRuleValidityPeriod          | pcimRuleValidityPeriodList      |
|                                   |  in pcimRule or (if reusable)   |
|                                   |  referenced through the         |
|                                   | pcimTimePeriodConditionDN in    |
|                                   |  pcimRuleValidityAssociation    |
+-----------------------------------+---------------------------------+
| PolicyConditionInPolicyRepository | DIT containment                 |
+-----------------------------------+---------------------------------+
| PolicyActionInPolicyRepository    | DIT containment                 |
+-----------------------------------+---------------------------------+
| PolicyRepositoryInPolicyRepository| DIT containment                 |
+-----------------------------------+---------------------------------+
        

Figure 3. Mapping of Information Model Associations to LDAP

Of the remaining classes in the PCLS, two (pcimElementAuxClass and pcimSubtreesPtrAuxClass) are included to make navigation through the DIT and retrieval of the entries found there more efficient. This topic is discussed below in Section 4.5.

The remaining four classes in the PCLS, pcimRuleConditionAssociation, pcimRuleValidityAssociation, pcimRuleActionAssociation, and pcimPolicyInstance, are all involved with the representation of policy conditions and policy actions in an LDAP directory. This topic is discussed below in Section 4.4.

4.2. Usage of DIT Content and Structure Rules and Name Forms

There are three powerful tools that can be used to help define schemata. The first, DIT content rules, is a way of defining the content of an entry for a structural object class. It can be used to specify the following characteristics of the entry:

- additional mandatory attributes that the entries are required to contain
- additional optional attributes the entries are allowed to contain
- the set of additional auxiliary object classes that these entries are allowed to be members of
- any optional attributes from the structural and auxiliary object class definitions that the entries are required to preclude

DIT content rules are NOT mandatory for any structural object class.

A DIT structure rule, together with a name form, controls the placement and naming of an entry within the scope of a subschema. Name forms define which attribute type(s) are required and are allowed to be used in forming the Relative Distinguished Names (RDNs) of entries. DIT structure rules specify which entries are allowed to be superior to other entries, and hence control the way that RDNs are added together to make DNs.

A name form specifies the following:

- the structural object class of the entries named by this name form
- attributes that are required to be used in forming the RDNs of these entries
- attributes that are allowed to be used in forming the RDNs of these entries
- an object identifier to uniquely identify this name form

Note that name forms can only be specified for structural object classes. However, every entry in the DIT must have a name form controlling it.

Unfortunately, current LDAP servers vary quite a lot in their support of these features. There are also three crucial implementation points that must be followed. First, X.500 use of structure rules requires that a structural object class with no superior structure rule be a subschema administrative point. This is exactly NOT what we want for policy information. Second, when an auxiliary class is subclassed, if a content rule exists for the structural class that the auxiliary class refers to, then that content rule needs to be augmented. Finally, most LDAP servers unfortunately do not support inheritance of structure and content rules.

Given these concerns, DIT structure and content rules have been removed from the PCLS. This is because, if included, they would be normative references and would require OIDs. However, we don't want to lose the insight gained in building the structure and content rules of the previous version of the schema. Therefore, we describe where such rules could be used in this schema, what they would control, and what their effect would be.

4.3. Naming Attributes in the PCLS

Instances in a directory are identified by distinguished names (DNs), which provide the same type of hierarchical organization that a file system provides in a computer system. A distinguished name is a sequence of RDNs. An RDN provides a unique identifier for an instance within the context of its immediate superior, in the same way that a filename provides a unique identifier for a file within the context of the folder in which it resides.

To preserve maximum naming flexibility for policy administrators, three optional (i.e., "MAY") naming attributes have been defined. They are:

- Each of the structural classes defined in this schema has its own unique ("MAY") naming attribute. Since the naming attributes are different, a policy administrator can, by using these attributes, guarantee that there will be no name collisions between instances of different classes, even if the same value is assigned to the instances' respective naming attributes.

- The LDAP attribute cn (corresponding to X.500's commonName) is included as a MAY attribute in the abstract class pcimPolicy, and thus by inheritance in all of its subclasses. In X.500, commonName typically functions as an RDN attribute, for naming instances of many classes (e.g., X.500's person class).

- A special attribute is provided for implementations that expect to map between native CIM and LDAP representations of policy information. This attribute, called orderedCimKeys, is defined in the class dlm1ManagedElement [6]. The value of this attribute is derived algorithmically from values that are already present in a CIM policy instance. The normative reference for this algorithm is contained in [6]. See the appendix of this document for a description of the algorithm.

Since any of these naming attributes MAY be used for naming an instance of a PCLS class, implementations MUST be able to accommodate instances named in any of these ways.

Note that it is recommended that two or more of these attributes SHOULD NOT be used together to form a multi-part RDN, since support for multi-part RDNs is limited among existing directory implementations.

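The naming rules of Section 4.3 are easy to get wrong in a client: an implementation MUST accept instances named by any of the three naming attributes, attribute types in RDNs are case-insensitive, and multi-part RDNs are discouraged. The following Python code is an added example written for this document, not code from RFC 3703 or from any PCLS implementation. It parses DNs per RFC 4514 (escaped commas, plus signs and hex pairs), reports which naming attributes an entry's RDN uses, and warns about non-PCLS naming attributes and multi-part RDNs. It assumes the class-specific naming attributes pcimRuleName, pcimGroupName and pcimRepositoryName, which are taken from the schema's class definitions rather than from this section.

```python
"""Checks on PCLS naming attributes (added example; not part of RFC 3703).

Assumptions: the per-class naming attributes in CLASS_NAMING_ATTR follow the
schema's class definitions (pcimRuleName, pcimGroupName, pcimRepositoryName);
cn and orderedCimKeys are the generic naming attributes of Section 4.3; DN
syntax follows RFC 4514.
"""
import re

# Class-specific ("MAY") naming attribute for each structural class,
# keyed by the lower-cased class name (LDAP names are case-insensitive).
CLASS_NAMING_ATTR = {
    "pcimrule": "pcimRuleName",
    "pcimgroup": "pcimGroupName",
    "pcimrepository": "pcimRepositoryName",
}
# Naming attributes any PCLS instance MAY use instead (Section 4.3).
GENERIC_NAMING_ATTRS = {"cn", "orderedcimkeys"}

_HEX_PAIR = re.compile(r"[0-9A-Fa-f]{2}")


def _split_unescaped(text, sep):
    """Split on sep, ignoring separators that are backslash-escaped."""
    parts, cur, i = [], [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            cur.append(text[i:i + 2])   # keep the escape for later decoding
            i += 2
            continue
        if text[i] == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(text[i])
        i += 1
    parts.append("".join(cur))
    return parts


def _unescape(value):
    """Decode RFC 4514 escapes: \\XX hex pairs (UTF-8 bytes) and \\<char>."""
    buf, i = bytearray(), 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            if _HEX_PAIR.fullmatch(value[i + 1:i + 3]):
                buf.append(int(value[i + 1:i + 3], 16))
                i += 3
                continue
            buf.extend(value[i + 1].encode("utf-8"))
            i += 2
            continue
        buf.extend(value[i].encode("utf-8"))
        i += 1
    return buf.decode("utf-8")


def parse_dn(dn):
    """Return a list of RDNs, each a list of (attributeType, value) pairs."""
    rdns = []
    for rdn in _split_unescaped(dn, ","):
        avas = []
        for ava in _split_unescaped(rdn, "+"):
            attr, _, raw = ava.partition("=")
            avas.append((attr.strip(), _unescape(raw.lstrip(" "))))
        rdns.append(avas)
    return rdns


def rdn_key(dn):
    """Canonical form of the leading RDN; attribute types compare case-insensitively."""
    return frozenset((attr.lower(), value) for attr, value in parse_dn(dn)[0])


def check_naming(dn, structural_class):
    """Return (naming attributes used in the RDN, list of warnings)."""
    attrs = [attr for attr, _ in parse_dn(dn)[0]]
    own = CLASS_NAMING_ATTR.get(structural_class.lower(), "")
    allowed = GENERIC_NAMING_ATTRS | {own.lower()}
    warnings = []
    for attr in attrs:
        if attr.lower() not in allowed:
            warnings.append(f"{attr} is not a PCLS naming attribute for {structural_class}")
    if len(attrs) > 1:
        # Section 4.3: naming attributes SHOULD NOT be combined into a multi-part RDN.
        warnings.append("multi-part RDN; support is limited among directory implementations")
    return attrs, warnings
```

rdn_key shows why the class-specific attributes avoid collisions: `pcimRuleName=Gold` and `pcimGroupName=Gold` are distinct RDNs even though the values are equal, while `CN=Gold` and `cn=Gold` are the same RDN.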
4.4. Rule-Specific and Reusable Conditions and Actions

The PCIM [1] distinguishes between two types of policy conditions and policy actions: those associated with a single policy rule, and those that are reusable, in the sense that they may be associated with more than one policy rule. While there is no inherent functional difference between a rule-specific condition or action and a reusable one, there is both a usage difference and an implementation difference between them.

Defining a condition or action as reusable vs. rule-specific reflects a conscious decision on the part of the administrator in defining how they are used. In addition, there are variations that reflect implementing rule-specific vs. reusable policy conditions and actions and how they are treated in a policy repository. The major implementation differences between a rule-specific and a reusable condition or action are delineated below:

1. It is natural for a rule-specific condition or action to be removed from the policy repository at the same time the rule is. It is just the opposite for reusable conditions and actions. This is because the condition or action is conceptually attached to the rule in the rule-specific case, whereas it is referenced (e.g., pointed at) in the reusable case. The persistence of a pcimRepository instance is independent of the persistence of a pcimRule instance.

2. Access permissions for a rule-specific condition or action are usually identical to those for the rule itself. On the other hand, access permissions of reusable conditions and actions must be expressible without reference to a policy rule.

3. Rule-specific conditions and actions require fewer accesses, because the conditions and actions are "attached" to the rule. In contrast, reusable conditions and actions require more accesses, because each condition or action that is reusable requires a separate access.

4. Rule-specific conditions and actions are designed for use by a single rule. As the number of rules that use the same rule-specific condition increases, subtle problems are created (the most obvious being how to keep the rule-specific conditions and actions updated to reflect the same value). Reusable conditions and actions lend themselves for use by multiple independent rules.

5. Reusable conditions and actions offer an optimization when multiple rules are using the same condition or action. This is because the reusable condition or action only needs to be updated once, and by virtue of DN reference, the policy rules will be automatically updated.

The preceding paragraph does not contain an exhaustive list of the ways in which reusable and rule-specific conditions should be treated differently. Its purpose is merely to justify making a semantic distinction between rule-specific and reusable, and then reflecting this distinction in the policy repository itself.

When the policy repository is realized in an LDAP-accessible directory, the distinction between rule-specific and reusable conditions and actions is realized via placement of auxiliary classes and via DIT containment. Figure 4 illustrates a policy rule Rule1 with one rule-specific condition CA and one rule-specific action AB.

                    +-----+
                    |Rule1|
                    |     |
              +-----|-   -|-----+
              |     +-----+     |
              |       * *       |
              |       * *       |
              |    **** ****    |
              |    *       *    |
              v    *       *    v
            +--------+   +--------+
            | CA+ca  |   | AB+ab  |
            +--------+   +--------+
        
                          +------------------------------+
                          |LEGEND:                       |
                          |  ***** DIT containment       |
                          |    +   auxiliary attachment  |
                          |  ----> DN reference          |
                          +------------------------------+
        

Figure 4. Rule-Specific Policy Conditions and Actions

Because the condition and action are specific to Rule1, the auxiliary classes ca and ab that represent them are attached, respectively, to the structural classes CA and AB. These structural classes represent not the condition ca and action ab themselves, but rather the associations between Rule1 and ca, and between Rule1 and ab.

As Figure 4 illustrates, Rule1 contains DN references to the structural classes CA and AB that appear below it in the DIT. At first glance it might appear that these DN references are unnecessary, since a subtree search below Rule1 would find all of the structural classes representing the associations between Rule1 and its conditions and actions. Relying only on a subtree search, though, runs the risk of missing conditions or actions that should have appeared in the subtree, but for some reason did not, or of finding conditions or actions that were inadvertently placed in the subtree, or that should have been removed from the subtree, but for some reason were not. Implementation experience has suggested that many (but not all) of these risks are eliminated.

However, it must be noted that this comes at a price. The use of DN references, as shown in Figure 4 above, thwarts inheritance of access control information as well as existence dependency information. It also is subject to referential integrity considerations. Therefore, it is being included as an option for the designer.

Figure 5 illustrates a second way of representing rule-specific conditions and actions in an LDAP-accessible directory: attachment of the auxiliary classes directly to the instance representing the policy rule. When all of the conditions and actions are attached to a policy rule in this way, the rule is termed a "simple" policy rule. When conditions and actions are not attached directly to a policy rule, the rule is termed a "complex" policy rule.

                    +-----------+
                    |Rule1+ca+ab|
                    |           |
                    +-----------+
        
                          +------------------------------+
                          |LEGEND:                       |
                          |    +   auxiliary attachment  |
                          +------------------------------+
        

Figure 5. A Simple Policy Rule

The simple/complex distinction for a policy rule is not all or nothing. A policy rule may have its conditions attached to itself and its actions attached to other entries, or it may have its actions attached to itself and its conditions attached to other entries. However, it SHALL NOT have either its conditions or its actions attached both to itself and to other entries, with one exception: a policy rule may reference its validity periods with the pcimRuleValidityPeriodList attribute, but have its other conditions attached to itself.

The tradeoffs between simple and complex policy rules are between the efficiency of simple rules and the flexibility and greater potential for reuse of complex rules. With a simple policy rule, the semantic options are limited:

- All conditions are ANDed together. This combination can be represented in two ways in the Disjunctive Normal Form (DNF)/Conjunctive Normal Form (CNF) (please see [1] for definitions of these terms) expressions characteristic of policy conditions: as a DNF expression with a single AND group, or as a CNF expression with multiple single-condition OR groups. The first of these is arbitrarily chosen as the representation for the ANDed conditions in a simple policy rule.

- If multiple actions are included, no order can be specified for them.

If a policy administrator needs to combine conditions in some other way, or if there is a set of actions that must be ordered, then the only option is to use a complex policy rule.

Finally, Figure 6 illustrates the same policy rule Rule1, but this time its condition and action are reusable. The association classes CA and AB are still present, and they are still DIT contained under Rule1. But rather than having the auxiliary classes ca and ab attached directly to the association classes CA and AB, each now contains DN references to other entries to which these auxiliary classes are attached. These other entries, CIA and AIB, are DIT contained under RepositoryX, which is an instance of the class pcimRepository. Because they are named under an instance of pcimRepository, ca and ab are clearly identified as reusable.

                   +-----+             +-------------+
                   |Rule1|             | RepositoryX |
                 +-|-   -|--+          |             |
                 | +-----+  |          +-------------+
                 |   * *    |             *       *
                 |   * *    |             *       *
                 | *** **** |             *       *
                 | *      * v             *       *
                 | *     +---+            *       *
                 | *     |AB |         +------+   *
                 v *     |  -|-------->|AIB+ab|   *
                +---+    +---+         +------+   *
                |CA |                         +------+
                |  -|------------------------>|CIA+ca|
                +---+                         +------+
        
                          +------------------------------+
                          |LEGEND:                       |
                          |  ***** DIT containment       |
                          |    +   auxiliary attachment  |
                          |  ----> DN reference          |
                          +------------------------------+
        

Figure 6. Reusable Policy Conditions and Actions

The classes pcimConditionAuxClass and pcimActionAuxClass do not themselves represent actual conditions and actions: these are introduced in their subclasses. What pcimConditionAuxClass and pcimActionAuxClass do introduce are the semantics of being a policy condition or a policy action. These are the semantics that all the subclasses of pcimConditionAuxClass and pcimActionAuxClass inherit. Among these semantics are those of representing either a rule-specific or a reusable policy condition or policy action.

In order to preserve the ability to represent a rule-specific or a reusable condition or action, as well as a simple policy rule, all the subclasses of pcimConditionAuxClass and pcimActionAuxClass MUST also be auxiliary classes.

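Section 4.4 and the mapping in Figure 3 together give three ways a condition or action can be bound to a pcimRule: auxiliary attachment to the rule itself (the simple rule of Figure 5), a rule-specific association entry carrying the auxiliary class (Figure 4), or an association entry holding a pcimConditionDN/pcimActionDN reference to an entry under a pcimRepository (Figure 6). The Python code below is an added example written for this document, not code from RFC 3703 or from any PCLS implementation. It resolves a rule's conditions and actions through all three mechanisms over a constructed in-memory DIT, labels each as attached, rule-specific or reusable, decides whether the rule is simple or complex, and flags the forbidden case of conditions (or actions) attached both to the rule and to other entries. It assumes that objectClass lists include superclasses and auxiliary classes, that exampleConditionAuxClass and exampleActionAuxClass are hypothetical domain-specific subclasses, and that pcimPolicyInstanceName and pcimRepositoryName are the naming attributes the schema defines for pcimPolicyInstance and pcimRepository.

```python
"""Resolving and classifying a pcimRule's conditions and actions (added
example; not part of RFC 3703).

Assumptions: the DIT is a constructed in-memory dict keyed by DN; each entry's
objectClass lists its structural class, superclasses and attached auxiliary
classes; exampleConditionAuxClass / exampleActionAuxClass are hypothetical
subclasses of pcimConditionAuxClass / pcimActionAuxClass; constructed DNs
contain no escaped commas, so they can be split on ','.
"""

REPO = "pcimRepositoryName=RepositoryX,o=Example"
CIA = "pcimPolicyInstanceName=CIA," + REPO
AIB = "pcimPolicyInstanceName=AIB," + REPO
RULE1 = "pcimRuleName=Rule1,o=Example"   # Figure 6: complex rule, reusable condition/action
RULE2 = "pcimRuleName=Rule2,o=Example"   # Figure 5: simple rule, everything attached
RULE3 = "pcimRuleName=Rule3,o=Example"   # violates the SHALL NOT of Section 4.4

DIT = {
    "o=Example": {"objectClass": ["organization"]},
    REPO: {"objectClass": ["pcimPolicy", "pcimRepository"]},
    CIA: {"objectClass": ["pcimPolicy", "pcimPolicyInstance",
                          "pcimConditionAuxClass", "exampleConditionAuxClass"]},
    AIB: {"objectClass": ["pcimPolicy", "pcimPolicyInstance",
                          "pcimActionAuxClass", "exampleActionAuxClass"]},
    RULE1: {"objectClass": ["pcimPolicy", "pcimRule"],
            "pcimRuleConditionList": ["cn=CA," + RULE1]},          # explicit DN reference
    "cn=CA," + RULE1: {"objectClass": ["pcimPolicy", "pcimRuleConditionAssociation"],
                       "pcimConditionDN": [CIA]},
    "cn=AB," + RULE1: {"objectClass": ["pcimPolicy", "pcimRuleActionAssociation"],
                       "pcimActionDN": [AIB]},                      # found by DIT containment only
    RULE2: {"objectClass": ["pcimPolicy", "pcimRule", "pcimConditionAuxClass",
                            "exampleConditionAuxClass", "pcimActionAuxClass",
                            "exampleActionAuxClass"],
            "pcimRuleValidityPeriodList": ["cn=Office Hours," + RULE2]},  # permitted exception
    "cn=Office Hours," + RULE2: {"objectClass": ["pcimPolicy", "pcimRuleValidityAssociation"]},
    RULE3: {"objectClass": ["pcimPolicy", "pcimRule", "pcimConditionAuxClass",
                            "exampleConditionAuxClass"]},
    "cn=CB," + RULE3: {"objectClass": ["pcimPolicy", "pcimRuleConditionAssociation",
                                       "pcimConditionAuxClass", "exampleConditionAuxClass"]},
}


def _has_class(entry, cls):
    return cls.lower() in {c.lower() for c in entry.get("objectClass", [])}


def _children(dit, parent):
    """Entries immediately subordinate to parent (one RDN deeper)."""
    depth = parent.count(",") + 1
    return [dn for dn in dit if dn.endswith("," + parent) and dn.count(",") == depth]


def _under_repository(dit, dn):
    """True if some ancestor of dn is a pcimRepository instance (reusable)."""
    parts = dn.split(",")
    return any(_has_class(dit.get(",".join(parts[i:]), {}), "pcimRepository")
               for i in range(1, len(parts)))


def resolve(dit, rule_dn, kind):
    """kind is 'Condition' or 'Action'. Returns [(dn, placement)] using all three
    forms of Figure 3: auxiliary attachment to the rule, association entries
    listed in pcimRule<kind>List, and DIT-contained association entries."""
    aux, assoc = f"pcim{kind}AuxClass", f"pcimRule{kind}Association"
    rule = dit[rule_dn]
    found = []
    if _has_class(rule, aux):
        found.append((rule_dn, "attached"))
    assoc_dns = list(rule.get(f"pcimRule{kind}List", []))
    assoc_dns += [c for c in _children(dit, rule_dn)
                  if _has_class(dit[c], assoc) and c not in assoc_dns]
    for adn in assoc_dns:
        entry = dit[adn]
        if _has_class(entry, aux):                       # Figure 4: rule-specific
            found.append((adn, "rule-specific"))
        for target in entry.get(f"pcim{kind}DN", []):    # Figure 6: DN reference
            placement = ("reusable" if _under_repository(dit, target)
                         else "referenced outside a repository")
            found.append((target, placement))
    return found


def classify_rule(dit, rule_dn):
    """Return the rule's form ('simple' or 'complex') and any Section 4.4 violations."""
    report = {"problems": []}
    for kind in ("Condition", "Action"):
        items = resolve(dit, rule_dn, kind)
        report[kind] = items
        attached = any(p == "attached" for _, p in items)
        elsewhere = any(p != "attached" for _, p in items)
        if attached and elsewhere:
            report["problems"].append(
                f"{kind.lower()}s attached both to the rule and to other entries")
    all_items = report["Condition"] + report["Action"]
    report["form"] = ("simple" if all_items and all(p == "attached" for _, p in all_items)
                      else "complex")
    # Validity periods referenced through pcimRuleValidityPeriodList are the one
    # permitted exception and do not take part in the check above.
    report["validityPeriods"] = list(dit[rule_dn].get("pcimRuleValidityPeriodList", []))
    return report
```

Rule1 resolves CA through pcimRuleConditionList and AB through DIT containment alone, which is the point made after Figure 4: relying on only one of the two mechanisms can miss an association or pick up a stray one, so a checker compares both and treats a mismatch as a finding.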
4.5. Location and Retrieval of Policy Objects in the Directory

When a Policy Decision Point (PDP) goes to an LDAP directory to retrieve the policy object instances relevant to the Policy Enforcement Points (PEPs) it serves, it is faced with two related problems:

- How does it locate and retrieve the directory entries that apply to its PEPs? These entries may include instances of the PCLS classes, instances of domain-specific subclasses of these classes, and instances of other classes modeling such resources as user groups, interfaces, and address ranges.

- How does it retrieve the directory entries it needs in an efficient manner, so that retrieval of policy information from the directory does not become a roadblock to scalability? There are two facets to this efficiency: retrieving only the relevant directory entries, and retrieving these entries using as few LDAP calls as possible.

The placement of objects in the Directory Information Tree (DIT) involves considerations other than how the policy-related objects will be retrieved by a PDP. Consequently, all that the PCLS can do is to provide a "toolkit" of classes to assist the policy administrator as the DIT is being designed and built. A PDP SHOULD be able to take advantage of any tools that the policy administrator is able to build into the DIT, but it MUST be able to use a less efficient means of retrieval if that is all it has available to it.

The basic idea behind the LDAP optimization classes is a simple one: make it possible for a PDP to retrieve all the policy-related objects it needs, and only those objects, using as few LDAP calls as possible. An important assumption underlying this approach is that the policy administrator has sufficient control over the underlying DIT structure to define subtrees for storing policy information. If the policy administrator does not have this level of control over DIT structure, a PDP can still retrieve the policy-related objects it needs individually. But it will require more LDAP access operations to do the retrieval in this way. Figure 7 illustrates how LDAP optimization is accomplished.

                       +-----+
      ---------------->|  A  |
      DN reference to  |     |    DN references to subtrees   +---+
      starting object  +-----+    +-------------------------->| C |
                       |  o--+----+         +---+             +---+
                       |  o--+------------->| B |            /     \
                       +-----+              +---+           /       \
                      /       \            /     \         /   ...   \
                     /         \          /       \
                    /           \        /   ...   \
        

Figure 7. Using the pcimSubtreesPtrAuxClass to Locate Policies

The PDP is configured initially with a DN reference to some entry in the DIT. The structural class of this entry is not important; the PDP is interested only in the pcimSubtreesPtrAuxClass attached to it. This auxiliary class contains a multi-valued attribute with DN references to objects that anchor subtrees containing policy-related objects of interest to the PDP. Since pcimSubtreesPtrAuxClass is an auxiliary class, it can be attached to an entry that the PDP would need to access anyway - perhaps an entry containing initial configuration settings for the PDP, or for a PEP that uses the PDP.

Once it has retrieved the DN references, the PDP will direct to each of the objects identified by them an LDAP request that all entries in its subtree be evaluated against the selection criteria specified in the request. The LDAP-enabled directory then returns all entries in that subtree that satisfy the specified criteria.

The selection criteria always specify that object class="pcimPolicy". Since all classes representing policy rules, policy conditions, and policy actions, both in the PCLS and in any domain-specific schema derived from it, are subclasses of the abstract class policy, this criterion evaluates to TRUE for all instances of these classes. To accommodate special cases where a PDP needs to retrieve objects that are not inherently policy-related (for example, an IP address range object referenced by a subclass of pcimActionAuxClass representing the DHCP action "assign from this address range"), the auxiliary class pcimElementAuxClass can be used to "tag" an entry, so that it will be found by the selection criterion "object class=pcimPolicy".

The approach described in the preceding paragraph will not work for certain directory implementations, because these implementations do not support matching of auxiliary classes in the objectClass attribute. For environments where these implementations are expected to be present, the "tagging" of entries as relevant to policy can be accomplished by inserting the special value "POLICY" into the list of values contained in the pcimKeywords attribute (provided by the pcimPolicy class).

If a PDP needs only a subset of the policy-related objects in the indicated subtrees, then it can be configured with additional selection criteria based on the pcimKeywords attribute defined in the pcimPolicy class. This attribute supports both standardized and administrator-defined values. For example, a PDP could be configured to request only those policy-related objects containing the keywords "DHCP" and "Eastern US".

To optimize what is expected to be a typical case, the initial request from the client includes not only the object to which its "seed" DN references, but also the subtree contained under this object. The filter for searching this subtree is whatever the client is going to use later to search the other subtrees: object class="pcimPolicy" or the presence of the keyword "POLICY", and/or presence of a more specific value of pcimKeywords (e.g., "QoS Edge Policy").

Returning to the example in Figure 7, we see that in the best case, a PDP can get all the policy-related objects it needs, and only those objects, with exactly three LDAP requests: one to its starting object A to get the references to B and C, as well as the policy-related objects it needs from the subtree under A, and then one each to B and C to get all the policy-related objects that pass the selection criteria with which it was configured. Once it has retrieved all of these objects, the PDP can then traverse their various DN references locally to understand the semantic relationships among them. The PDP should also be prepared to find a reference to another subtree attached to any of the objects it retrieves, and to follow this reference first, before it follows any of the semantically significant references it has received. This recursion permits a structured approach to identifying related policies. In Figure 7, for example, if the subtree under B includes departmental policies and the one under C includes divisional policies, then there might be a reference from the subtree under C to an object D that roots the subtree of corporate-level policies.

A PDP SHOULD understand the pcimSubtreesPtrAuxClass class, SHOULD be capable of retrieving and processing the entries in the subtrees it references, and SHOULD be capable of doing all of this recursively. The same requirements apply to any other entity needing to retrieve policy information from the directory. Thus, a Policy Management Tool that retrieves policy entries from the directory in order to perform validation and conflict detection SHOULD also understand and be capable of using the pcimSubtreesPtrAuxClass. All of these requirements are "SHOULD"s rather than "MUST"s because an LDAP client that doesn't implement them can still access and retrieve the directory entries it needs. The process of doing so will just be less efficient than it would have been if the client had implemented these optimizations.

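The retrieval procedure described above (one subtree search at the seed, then one per referenced subtree, following pointers before any semantic reference), as an added illustration that is not code from RFC 3703. An in-memory dictionary stands in for the LDAP server, the sample entries are constructed in the shape of Figure 7, and the pointer attribute name pcimSubtreesAuxContainedSet is assumed, since this section names only the auxiliary class that carries it. The loop guard is the part worth noticing: pointers are ordinary administrator-written data, so a reference back to an already-visited subtree must not cause repeated searches or unbounded recursion.

```python
"""Recursive retrieval of policy objects through pcimSubtreesPtrAuxClass
pointers (section 4.5). Added illustration; not code from RFC 3703. The
dictionary stands in for the LDAP server, and the pointer attribute name
pcimSubtreesAuxContainedSet is assumed here, since this section names only
the auxiliary class that carries it."""
from collections import deque

POINTER_CLASS = "pcimSubtreesPtrAuxClass"
POINTER_ATTR = "pcimSubtreesAuxContainedSet"   # assumed attribute name


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: keywords are administrator-defined strings, so a
    value such as 'Eastern US (west)' must not change the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def policy_filter(keywords) -> str:
    """One filter that returns both the entries carrying subtree pointers and
    the pcimPolicy entries tagged with every requested keyword, so a single
    subtree search per seed discovers further subtrees and collects policy."""
    terms = "".join("(pcimKeywords=%s)" % escape_filter_value(k) for k in keywords)
    return "(|(objectClass=%s)(&(objectClass=pcimPolicy)%s))" % (POINTER_CLASS, terms)


def _lower(values):
    return {v.lower() for v in values}


def _matches(entry, keywords) -> bool:
    """Local evaluation of policy_filter() with caseIgnoreMatch semantics."""
    classes = _lower(entry.get("objectClass", []))
    if POINTER_CLASS.lower() in classes:
        return True
    return "pcimpolicy" in classes and _lower(keywords) <= _lower(entry.get("pcimKeywords", []))


def search_subtree(directory, base_dn, keywords):
    """Stand-in for one LDAP search with scope=subtree: the base entry and
    everything below it that passes the filter."""
    base = base_dn.lower()
    return {dn: e for dn, e in directory.items()
            if (dn.lower() == base or dn.lower().endswith("," + base)) and _matches(e, keywords)}


def retrieve_policy(directory, seed_dn, keywords):
    """Issue one subtree search per referenced subtree, following pointers
    before any semantic DN reference is interpreted. Returns (policy entries
    by DN, searches issued). The visited set matters: pointers are ordinary
    directory data, so a loop (A -> C -> A) or a duplicate reference must not
    cause repeated searches or unbounded recursion."""
    pending, visited, found, requests = deque([seed_dn]), set(), {}, 0
    while pending:
        base = pending.popleft()
        if base.lower() in visited:
            continue
        visited.add(base.lower())
        requests += 1
        for dn, entry in search_subtree(directory, base, keywords).items():
            pending.extend(entry.get(POINTER_ATTR, []))
            if "pcimpolicy" in _lower(entry.get("objectClass", [])):
                found[dn] = entry
    return found, requests


# Constructed sample DIT in the shape of Figure 7: seed A points at B and C;
# C points back at A to exercise the loop guard. objectClass lists are abridged.
SAMPLE_DIT = {
    "ou=A,o=example": {"objectClass": ["organizationalUnit", POINTER_CLASS],
                       POINTER_ATTR: ["ou=B,o=example", "ou=C,o=example"]},
    "cn=r1,ou=A,o=example": {"objectClass": ["pcimRuleInstance", "pcimPolicy"],
                             "pcimKeywords": ["DHCP", "Eastern US"]},
    "cn=r2,ou=A,o=example": {"objectClass": ["pcimRuleInstance", "pcimPolicy"],
                             "pcimKeywords": ["DHCP", "Western US"]},
    "ou=B,o=example": {"objectClass": ["organizationalUnit"]},
    "cn=r3,ou=B,o=example": {"objectClass": ["pcimRuleInstance", "pcimPolicy"],
                             "pcimKeywords": ["dhcp", "eastern us"]},
    "ou=C,o=example": {"objectClass": ["organizationalUnit", POINTER_CLASS],
                       POINTER_ATTR: ["ou=A,o=example"]},
    "cn=r4,ou=C,o=example": {"objectClass": ["pcimRuleInstance", "pcimPolicy"],
                             "pcimKeywords": ["Eastern US"]},
}


def demo(keywords=("DHCP", "Eastern US")):
    """DNs of the policy objects a PDP seeded at A would get, and how many searches it took."""
    found, requests = retrieve_policy(SAMPLE_DIT, "ou=A,o=example", list(keywords))
    return sorted(found), requests
```

With the seed at A, demo() returns the two rules carrying both keywords (r1 under A, r3 under B, the latter matched case-insensitively) after exactly three searches; the pointer from C back to A is recognised as already visited and does not produce a fourth.
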
When it is serving as a tool for creating policy entries in the directory, a Policy Management Tool SHOULD support creation of pcimSubtreesPtrAuxClass entries and their references to object instances.

4.5.1. Aliases and Other DIT-Optimization Techniques

Additional flexibility in DIT structure is available to the policy administrator via LDAP aliasing and other techniques. Previous versions of this document have used aliases. However, because aliases are experimental, the use of aliases has been removed from this version of this document. This is because the IETF has yet to produce a specification on how aliases are represented in the directory or how server implementations are to process aliases.

5. Class Definitions

The semantics for the policy information classes that are to be mapped directly from the information model to an LDAP representation are detailed in [1]. Consequently, all that this document presents for these classes is the specification for how to do the mapping from the information model (which is independent of repository type and access protocol) to a form that can be accessed using LDAP. Remember that some new classes needed to be created (that were not part of [1]) to implement the LDAP mapping. These new LDAP-only classes are fully documented in this document.

The formal language for specifying the classes, attributes, and DIT structure and content rules is that defined in reference [3]. If your implementation does not support auxiliary class inheritance, you will have to list auxiliary classes in content rules explicitly or define them in another (implementation-specific) way.

The following notes apply to this section in its entirety.

Note 1: in the following definitions, the class and attribute definitions follow RFC 2252 [3] but they are line-wrapped to enhance human readability.

Note 2: where applicable, the possibilities for specifying DIT structure and content rules are noted. However, care must be taken in specifying DIT structure rules. This is because X.501 [4] states that an entry may only exist in the DIT as a subordinate to another superior entry (the superior) if a DIT structure rule exists in the governing subschema which:

1) indicates a name form for the structural object class of the subordinate entry, and
2) either includes the entry's superior structure rule as a possible superior structure rule, or
3) does not specify a superior structure rule.

If this last case (3) applies, then the entry is defined to be a subschema administrative point. This is not what is desired. Therefore, care must be taken in defining structure rules, and in particular, they must be locally augmented.

Note 3: Wherever possible, both an equality and a substring matching rule are defined for a particular attribute (as well as an ordering match rule to enable sorting of matching results). This provides two different choices for the developer for maximum flexibility.

For example, consider the pcimRoles attribute (section 5.3). Suppose that a PEP has reported that it is interested in pcimRules for three roles R1, R2, and R3. If the goal is to minimize queries, then the PDP can supply three substring filters containing the three role names.

These queries will return all of the pcimRules that apply to the PEP, but they may also get some that do not apply (e.g., ones that contain one of the roles R1, R2, or R3 and one or more other roles present in a role-combination [1]).

Another strategy would be for the PDP to use only equality filters. This approach eliminates the extraneous replies, but it requires the PDP to explicitly build the desired role-combinations itself. It also requires extra queries. Note that this approach is practical only because the role names in a role combination are required to appear in alphabetical order.

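The two query strategies of Note 3 side by side, as an added illustration that is not code from RFC 3703. The rules and their pcimRoles values are constructed samples, and the small matcher only understands the two filter shapes built here, standing in for the server's caseIgnoreMatch and caseIgnoreSubstringsMatch evaluation. It shows the over-selection the note warns about, including a case the note does not spell out (a substring assertion for R1 also matches the unrelated role R10), and why the equality strategy is only workable because role names in a combination are in collating order.

```python
"""Query strategies for pcimRoles (Note 3): substring filters versus equality
filters on explicit role-combinations. Added illustration; not code from
RFC 3703. The rules and their pcimRoles values are constructed samples, and
the matcher only understands the two filter shapes built here; it stands in
for the server's caseIgnoreMatch / caseIgnoreSubstringsMatch evaluation."""
import re
from itertools import combinations


def role_combination(roles) -> str:
    """Canonical pcimRoles value: names sorted and joined by '&&'. Python sorts
    str by code point, which for BMP characters is the UCS-2 collating order
    the attribute's format calls for."""
    return "&&".join(sorted(roles))


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping, so a role name cannot alter the filter structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def substring_filter(pep_roles) -> str:
    """Single query: any value that merely contains one of the PEP's roles.
    Over-selects: '*R1*' also matches 'R1&&R9' and the unrelated 'R10'."""
    terms = "".join("(pcimRoles=*%s*)" % escape_filter_value(r) for r in pep_roles)
    return "(|%s)" % terms


def equality_filter(pep_roles) -> str:
    """Exact: every role-combination that can be formed from the PEP's roles.
    Exact matching is only possible because values are sorted canonically;
    the price is 2**n - 1 assertions (or that many queries) for n roles."""
    roles = sorted(pep_roles)
    combos = [role_combination(c) for n in range(1, len(roles) + 1)
              for c in combinations(roles, n)]
    return "(|%s)" % "".join("(pcimRoles=%s)" % escape_filter_value(c) for c in combos)


_TERM = re.compile(r"\(pcimRoles=([^)]*)\)")   # escaped values contain no raw ')'


def _unescape(v: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), v)


def matches(filter_str: str, entry_roles) -> bool:
    """Evaluate an OR of pcimRoles assertions against one entry's values,
    case-insensitively; '*x*' is a substring assertion, anything else equality."""
    for raw in _TERM.findall(filter_str):
        assertion = _unescape(raw)
        for value in entry_roles:
            if assertion.startswith("*") and assertion.endswith("*"):
                if assertion[1:-1].lower() in value.lower():
                    return True
            elif assertion.lower() == value.lower():
                return True
    return False


def applies_to_pep(entry_roles, pep_roles) -> bool:
    """Ground truth: a rule applies when at least one of its role-combinations
    is made up entirely of roles the PEP reported."""
    pep = {r.lower() for r in pep_roles}
    return any({r.lower() for r in v.split("&&")} <= pep for v in entry_roles)


# Constructed sample rules: name -> pcimRoles values.
SAMPLE_RULES = {
    "edge-only": ["R1"],
    "edge-and-core": [role_combination(["R2", "R1"])],   # "R1&&R2"
    "needs-R9-too": [role_combination(["R9", "R3"])],    # "R3&&R9"
    "tenth-role": ["R10"],
    "unrelated": ["R7"],
}


def compare_strategies(pep_roles):
    """{rule: (substring hit, equality hit, truly applies)} for each sample rule."""
    sub, eq = substring_filter(pep_roles), equality_filter(pep_roles)
    return {name: (matches(sub, vals), matches(eq, vals), applies_to_pep(vals, pep_roles))
            for name, vals in SAMPLE_RULES.items()}
```

For a PEP reporting R1, R2 and R3, the substring strategy returns "needs-R9-too" and "tenth-role" although neither applies, while the equality strategy returns exactly the applicable rules at the cost of seven assertions for three roles.
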
Note 4: in the following definitions, note that all LDAP matching rules are defined in [3] and in [9]. The corresponding X.500 matching rules are defined in [8].

Note 5: some of the following attribute definitions specify additional constraints on various data types (e.g., this integer has values that are valid from 1..10). Text has been added to instruct servers and applications what to do if a value outside of this range is encountered. In all cases, if a constraint is violated, then the policy rule SHOULD be treated as being disabled, meaning that execution of the policy rule SHOULD be stopped.

5.1. The Abstract Class pcimPolicy

The abstract class pcimPolicy is a direct mapping of the abstract class Policy from the PCIM. The class value "pcimPolicy" is also used as the mechanism for identifying policy-related instances in the Directory Information Tree. An instance of any class may be "tagged" with this class value by attaching to it the auxiliary class pcimElementAuxClass. Since pcimPolicy is derived from the class dlm1ManagedElement defined in reference [6], this specification has a normative dependency on that element of reference [6].

The class definition is as follows:

   ( 1.3.6.1.1.6.1.1 NAME 'pcimPolicy'
       DESC 'An abstract class that is the base class for all classes
             that describe policy-related instances.'
       SUP dlm1ManagedElement
       ABSTRACT
       MAY ( cn $ dlmCaption $ dlmDescription $ orderedCimKeys $
             pcimKeywords )
   )

The attribute cn is defined in RFC 2256 [7]. The dlmCaption, dlmDescription, and orderedCimKeys attributes are defined in [6].

The pcimKeywords attribute is a multi-valued attribute that contains a set of keywords to assist directory clients in locating the policy objects identified by these keywords. It is defined as follows:

   ( 1.3.6.1.1.6.2.3 NAME 'pcimKeywords'
       DESC 'A set of keywords to assist directory clients in
             locating the policy objects applicable to them.'
       EQUALITY caseIgnoreMatch
       ORDERING caseIgnoreOrderingMatch
       SUBSTR caseIgnoreSubstringsMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
   )

5.2. The Three Policy Group Classes

PCIM [1] defines the PolicyGroup class to serve as a generalized aggregation mechanism, enabling PolicyRules and/or PolicyGroups to be aggregated together. PCLS maps this class into three LDAP classes, called pcimGroup, pcimGroupAuxClass, and pcimGroupInstance. This is done in order to provide maximum flexibility for the DIT designer.

The class definitions for the three policy group classes are listed below. These class definitions do not include attributes to realize the PolicyRuleInPolicyGroup and PolicyGroupInPolicyGroup associations from the PCIM. This is because a pcimGroup object refers to instances of pcimGroup and pcimRule via, respectively, the attribute pcimGroupsAuxContainedSet in the pcimGroupContainmentAuxClass object class and the attribute pcimRulesAuxContainedSet in the pcimRuleContainmentAuxClass object class.

To maximize flexibility, the pcimGroup class is defined as abstract. The subclass pcimGroupAuxClass provides for auxiliary attachment to another entry, while the structural subclass pcimGroupInstance is available to represent a policy group as a standalone entry.

The class definitions are as follows. First, the definition of the abstract class pcimGroup:

   ( 1.3.6.1.1.6.1.2 NAME 'pcimGroup'
       DESC 'A container for a set of related pcimRules and/or
             a set of related pcimGroups.'
       SUP pcimPolicy
       ABSTRACT
       MAY ( pcimGroupName )
   )

The one attribute of pcimGroup is pcimGroupName. This attribute is used to define a user-friendly name of this policy group, and may be used as a naming attribute if desired. It is defined as follows:

   ( 1.3.6.1.1.6.2.4 NAME 'pcimGroupName'
       DESC 'The user-friendly name of this policy group.'
       EQUALITY caseIgnoreMatch
       ORDERING caseIgnoreOrderingMatch
       SUBSTR caseIgnoreSubstringsMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
       SINGLE-VALUE
   )

The two subclasses of pcimGroup are defined as follows. The class pcimGroupAuxClass is an auxiliary class that can be used to collect a set of related pcimRule and/or pcimGroup entries. It is defined as follows:

   ( 1.3.6.1.1.6.1.3 NAME 'pcimGroupAuxClass'
       DESC 'An auxiliary class that collects a set of related
             pcimRule and/or pcimGroup entries.'
       SUP pcimGroup
       AUXILIARY
   )

The class pcimGroupInstance is a structural class that can be used to collect a set of related pcimRule and/or pcimGroup entries. It is defined as follows:

   ( 1.3.6.1.1.6.1.4 NAME 'pcimGroupInstance'
       DESC 'A structural class that collects a set of related
             pcimRule and/or pcimGroup entries.'
       SUP pcimGroup
       STRUCTURAL
   )

A DIT content rule could be written to enable an instance of pcimGroupInstance to have attached to it either references to one or more policy groups (using pcimGroupContainmentAuxClass) or references to one or more policy rules (using pcimRuleContainmentAuxClass). This would be used to formalize the semantics of the PolicyGroup class [1]. Since these semantics do not include specifying any properties of the PolicyGroup class, the content rule would not need to specify any attributes.

Similarly, three separate DIT structure rules could be written, each of which would refer to a specific name form that identified one of the three possible naming attributes (i.e., pcimGroupName, cn, and orderedCimKeys) for the pcimGroup object class. Each structure rule SHOULD include a superiorStructureRule (see Note 2 at the beginning of section 5). The three name forms referenced by the three structure rules would each define one of the three naming attributes.

5.3. The Three Policy Rule Classes

The information model defines a PolicyRule class to represent the "If Condition then Action" semantics associated with processing policy information. For maximum flexibility, the PCLS maps this class into three LDAP classes.

To maximize flexibility, the pcimRule class is defined as abstract. The subclass pcimRuleAuxClass provides for auxiliary attachment to another entry, while the structural subclass pcimRuleInstance is available to represent a policy rule as a standalone entry.

The conditions and actions associated with a policy rule are modeled, respectively, with auxiliary subclasses of the auxiliary classes pcimConditionAuxClass and pcimActionAuxClass. Each of these auxiliary subclasses is attached to an instance of one of three structural classes. A subclass of pcimConditionAuxClass is attached to an instance of pcimRuleInstance, to an instance of pcimRuleConditionAssociation, or to an instance of pcimPolicyInstance. Similarly, a subclass of pcimActionAuxClass is attached to an instance of pcimRuleInstance, to an instance of pcimRuleActionAssociation, or to an instance of pcimPolicyInstance.

The pcimRuleValidityPeriodList attribute (defined below) realizes the PolicyRuleValidityPeriod association defined in the PCIM. Since this association has no additional properties besides those that tie the association to its associated objects, this association can be realized by simply using an attribute. Thus, the pcimRuleValidityPeriodList attribute is simply a multi-valued attribute that provides an unordered set of DN references to one or more instances of the pcimTPCAuxClass, indicating when the policy rule is scheduled to be active and when it is scheduled to be inactive. A policy rule is scheduled to be active if it is active according to AT LEAST ONE of the pcimTPCAuxClass instances referenced by this attribute.

The PolicyConditionInPolicyRule and PolicyActionInPolicyRule associations, however, do have additional attributes. The association PolicyActionInPolicyRule defines an integer attribute to sequence the actions, and the association PolicyConditionInPolicyRule has both an integer attribute to group the condition terms as well as a Boolean property to specify whether a condition is to be negated.

In the PCLS, these additional association attributes are represented as attributes of two classes introduced specifically to model these associations. These classes are the pcimRuleConditionAssociation class and the pcimRuleActionAssociation class, which are defined in Sections 5.4 and 5.5, respectively. Thus, they do not appear as attributes of the class pcimRule. Instead, the pcimRuleConditionList and pcimRuleActionList attributes can be used to reference these classes.

The class definitions for the three pcimRule classes are as follows.

The abstract class pcimRule is a base class for representing the "If Condition then Action" semantics associated with a policy rule. It is defined as follows:

   ( 1.3.6.1.1.6.1.5 NAME 'pcimRule'
       DESC 'The base class for representing the "If Condition
             then Action" semantics associated with a policy rule.'
       SUP pcimPolicy
       ABSTRACT
       MAY ( pcimRuleName $ pcimRuleEnabled $
             pcimRuleConditionListType $ pcimRuleConditionList $
             pcimRuleActionList $ pcimRuleValidityPeriodList $
             pcimRuleUsage $ pcimRulePriority $ pcimRuleMandatory $
             pcimRuleSequencedActions $ pcimRoles )
   )

The PCIM [1] defines seven properties for the PolicyRule class. The PCLS defines eleven attributes for the pcimRule class, which is the LDAP equivalent of the PolicyRule class. Of these eleven attributes, seven are mapped directly from corresponding properties in PCIM's PolicyRule class. The remaining four attributes are a class-specific optional naming attribute, and three attributes used to realize the three associations that the pcimRule class participates in.

The pcimRuleName attribute is used as a user-friendly name of this policy rule, and can also serve as the class-specific optional naming attribute. It is defined as follows:

   ( 1.3.6.1.1.6.2.5 NAME 'pcimRuleName'
       DESC 'The user-friendly name of this policy rule.'
       EQUALITY caseIgnoreMatch
       ORDERING caseIgnoreOrderingMatch
       SUBSTR caseIgnoreSubstringsMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
       SINGLE-VALUE
   )

The pcimRuleEnabled attribute is an integer enumeration indicating whether a policy rule is administratively enabled (value=1), administratively disabled (value=2), or enabled for debug (value=3). It is defined as follows:

   ( 1.3.6.1.1.6.2.6 NAME 'pcimRuleEnabled'
       DESC 'An integer indicating whether a policy rule is
             administratively enabled (value=1), disabled (value=2),
             or enabled for debug (value=3).'
       EQUALITY integerMatch
       ORDERING integerOrderingMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
       SINGLE-VALUE
   )

Note: All other values for the pcimRuleEnabled attribute are considered errors, and the administrator SHOULD treat this rule as being disabled if an invalid value is found.

The pcimRuleConditionListType attribute is used to indicate whether the list of policy conditions associated with this policy rule is in disjunctive normal form (DNF, value=1) or conjunctive normal form (CNF, value=2). It is defined as follows:

   ( 1.3.6.1.1.6.2.7 NAME 'pcimRuleConditionListType'
       DESC 'A value of 1 means that this policy rule is in
             disjunctive normal form; a value of 2 means that this
             policy rule is in conjunctive normal form.'
       EQUALITY integerMatch
       ORDERING integerOrderingMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
       SINGLE-VALUE
   )

Note: any value other than 1 or 2 for the pcimRuleConditionListType attribute is considered an error. Administrators SHOULD treat this rule as being disabled if an invalid value is found, since it is unclear how to structure the condition list.

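How pcimRuleConditionListType changes the meaning of one and the same set of condition associations, as an added illustration that is not code from RFC 3703. Each term stands for one pcimRuleConditionAssociation entry (its group number, its negation flag, and the result of evaluating the condition it references; the first two are described in the paragraphs above). The combination rule applied here is the standard reading of the two normal forms (DNF: AND within a group, OR across groups; CNF: OR within a group, AND across groups) and the treatment of an empty condition list are assumptions, not text from this section. An invalid list type is rejected rather than guessed at, following Note 5.

```python
"""Evaluating a pcimRule's condition list as DNF (pcimRuleConditionListType=1)
or CNF (=2). Added illustration; not code from RFC 3703. One ConditionTerm
stands for one pcimRuleConditionAssociation entry (its group number, its
negation flag, and the result of evaluating the condition it references).
The combination rule used here is the standard reading of the two normal
forms (DNF: AND within a group, OR across groups; CNF: OR within a group,
AND across groups) and is assumed rather than quoted from this section."""
from collections import defaultdict
from dataclasses import dataclass

DNF, CNF = 1, 2


@dataclass(frozen=True)
class ConditionTerm:
    group_number: int   # pcimConditionGroupNumber on the association entry
    negated: bool       # pcimConditionNegated on the association entry
    result: bool        # outcome of evaluating the attached condition


def list_type_is_valid(list_type) -> bool:
    """Any value other than 1 or 2 is an error (Note 5): treat the rule as disabled."""
    return list_type in (DNF, CNF)


def evaluate_condition_list(list_type: int, terms) -> bool:
    """Combine the terms according to pcimRuleConditionListType."""
    if not list_type_is_valid(list_type):
        raise ValueError("pcimRuleConditionListType %r invalid; rule is disabled" % (list_type,))
    if not terms:
        return True   # assumption: a rule with no conditions applies unconditionally
    groups = defaultdict(list)
    for t in terms:
        groups[t.group_number].append(t.result != t.negated)   # apply the negation flag
    if list_type == DNF:
        return any(all(vals) for vals in groups.values())
    return all(any(vals) for vals in groups.values())


# Constructed sample: group 1 holds a true condition and a negated false
# condition (both satisfied); group 2 holds a single false condition.
SAMPLE_TERMS = (
    ConditionTerm(group_number=1, negated=False, result=True),
    ConditionTerm(group_number=1, negated=True, result=False),
    ConditionTerm(group_number=2, negated=False, result=False),
)


def demo():
    """Same associations, both list types: (group1) OR (group2) vs (group1) AND (group2)."""
    return evaluate_condition_list(DNF, SAMPLE_TERMS), evaluate_condition_list(CNF, SAMPLE_TERMS)
```

With the sample terms, DNF is satisfied (group 1 alone suffices) while CNF is not (group 2 fails), which is why a rule whose list type is unknown cannot be evaluated and is treated as disabled.
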
The pcimRuleConditionList attribute is a multi-valued attribute that is used to realize the PolicyConditionInPolicyRule association defined in [1]. It contains a set of DNs of pcimRuleConditionAssociation entries representing associations between this policy rule and its conditions. No order is implied. It is defined as follows:

   ( 1.3.6.1.1.6.2.8 NAME 'pcimRuleConditionList'
       DESC 'Unordered set of DNs of pcimRuleConditionAssociation
             entries representing associations between this policy
             rule and its conditions.'
       EQUALITY distinguishedNameMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
   )

The pcimRuleActionList attribute is a multi-valued attribute that is used to realize the PolicyActionInPolicyRule association defined in [1]. It contains a set of DNs of pcimRuleActionAssociation entries representing associations between this policy rule and its actions. No order is implied. It is defined as follows:

   ( 1.3.6.1.1.6.2.9 NAME 'pcimRuleActionList'
       DESC 'Unordered set of DNs of pcimRuleActionAssociation
             entries representing associations between this policy
             rule and its actions.'
       EQUALITY distinguishedNameMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
   )

The pcimRuleValidityPeriodList attribute is a multi-valued attribute that is used to realize the PolicyRuleValidityPeriod association that is defined in [1]. It contains a set of DNs of pcimRuleValidityAssociation entries (that is, the pcimTPCAuxClass instances described above) that determine when the pcimRule is scheduled to be active or inactive. No order is implied. It is defined as follows:

   ( 1.3.6.1.1.6.2.10 NAME 'pcimRuleValidityPeriodList'
       DESC 'Unordered set of DNs of pcimRuleValidityAssociation
             entries that determine when the pcimRule is scheduled
             to be active or inactive.'
       EQUALITY distinguishedNameMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
   )

The pcimRuleUsage attribute is a free-form string providing guidelines on how this policy should be used. It is defined as follows:

   ( 1.3.6.1.1.6.2.11 NAME 'pcimRuleUsage'
       DESC 'This attribute is a free-form string providing
             guidelines on how this policy should be used.'
       EQUALITY caseIgnoreMatch
       ORDERING caseIgnoreOrderingMatch
       SUBSTR caseIgnoreSubstringsMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
       SINGLE-VALUE
   )

The pcimRulePriority attribute is a non-negative integer that is used to prioritize this pcimRule relative to other pcimRules. A larger value indicates a higher priority. It is defined as follows:

   ( 1.3.6.1.1.6.2.12 NAME 'pcimRulePriority'
       DESC 'A non-negative integer for prioritizing this
             pcimRule relative to other pcimRules. A larger
             value indicates a higher priority.'
       EQUALITY integerMatch
       ORDERING integerOrderingMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
       SINGLE-VALUE
   )

Note: if the value of the pcimRulePriority field is 0, then it SHOULD be treated as "don't care". On the other hand, if the value is negative, then it SHOULD be treated as an error and Administrators SHOULD treat this rule as being disabled.

The pcimRuleMandatory attribute is a Boolean attribute that, if TRUE, indicates that for this policy rule, the evaluation of its conditions and execution of its actions (if the condition is satisfied) is required. If it is FALSE, then the evaluation of its conditions and execution of its actions (if the condition is satisfied) is not required. This attribute is defined as follows:

   ( 1.3.6.1.1.6.2.13 NAME 'pcimRuleMandatory'
       DESC 'If TRUE, indicates that for this policy rule, the
             evaluation of its conditions and execution of its
             actions (if the condition is satisfied) is required.'
       EQUALITY booleanMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
       SINGLE-VALUE
   )

The pcimRuleSequencedActions attribute is an integer enumeration that is used to indicate that the ordering of actions defined by the pcimActionOrder attribute is either mandatory(value=1), recommended(value=2), or dontCare(value=3). It is defined as follows:

   ( 1.3.6.1.1.6.2.14 NAME 'pcimRuleSequencedActions'
       DESC 'An integer enumeration indicating that the ordering of
             actions defined by the pcimActionOrder attribute is
             mandatory(1), recommended(2), or dontCare(3).'
       EQUALITY integerMatch
       ORDERING integerOrderingMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
       SINGLE-VALUE
   )

Note: if the value of the pcimRuleSequencedActions field is not one of these three values, then Administrators SHOULD treat this rule as being disabled.

The pcimRoles attribute represents the policyRoles property of [1]. Each value of this attribute represents a role-combination, which is a string of the form: <RoleName>[&&<RoleName>]* where the individual role names appear in alphabetical order according to the collating sequence for UCS-2. This attribute is defined as follows:

   ( 1.3.6.1.1.6.2.15 NAME 'pcimRoles'
       DESC 'Each value of this attribute represents a
             role-combination.'
       EQUALITY caseIgnoreMatch
       ORDERING caseIgnoreOrderingMatch
       SUBSTR caseIgnoreSubstringsMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
   )

Note: if the value of the pcimRoles attribute does not conform to the format "<RoleName>[&&<RoleName>]*" (see Section 6.3.7 of [1]), then this attribute is malformed and its policy rule SHOULD be treated as being disabled.

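The constraint notes above (Note 5 and the per-attribute notes on pcimRuleEnabled, pcimRuleConditionListType, pcimRulePriority, pcimRuleSequencedActions and pcimRoles) collected into one check that a PDP or Policy Management Tool can run on a retrieved pcimRule entry, as an added illustration that is not code from RFC 3703. The entry is a dictionary of attribute name to list of string values, the shape an LDAP client library returns, and the sample entries are constructed. The RoleName alphabet is an assumption (any non-empty run without '&'), since this section gives only the <RoleName>[&&<RoleName>]* shape.

```python
"""Constraint checks for a pcimRule entry, applying Note 5 and the per-attribute
notes in section 5.3: a rule with an out-of-range or malformed value is treated
as disabled. Added illustration; not code from RFC 3703. The entry is a dict of
attribute name -> list of string values, the shape an LDAP client library returns;
the sample entries are constructed."""
import re

# RoleName is taken to be any non-empty run of characters without '&' (assumption:
# this section gives only the <RoleName>[&&<RoleName>]* shape, not the name alphabet).
ROLE_COMBINATION = re.compile(r"^[^&]+(?:&&[^&]+)*$")

# Integer enumerations and the only values the definitions allow.
ENUMS = {
    "pcimRuleEnabled": {1, 2, 3},            # enabled, disabled, enabled for debug
    "pcimRuleConditionListType": {1, 2},     # DNF, CNF
    "pcimRuleSequencedActions": {1, 2, 3},   # mandatory, recommended, dontCare
}


def _ints(entry, attr, problems):
    """Values of a SINGLE-VALUE integer attribute, recording multiplicity and
    parse failures; returns the integers that did parse."""
    vals = entry.get(attr, [])
    if len(vals) > 1:
        problems.append("%s: SINGLE-VALUE attribute carries %d values" % (attr, len(vals)))
    parsed = []
    for v in vals:
        try:
            parsed.append(int(v))
        except ValueError:
            problems.append("%s: non-integer value %r" % (attr, v))
    return parsed


def rule_problems(entry):
    """Every constraint violation found in the entry; empty means the rule is well-formed."""
    problems = []
    for attr, allowed in ENUMS.items():
        for n in _ints(entry, attr, problems):
            if n not in allowed:
                problems.append("%s: %d is not one of %s" % (attr, n, sorted(allowed)))
    for n in _ints(entry, "pcimRulePriority", problems):
        if n < 0:   # 0 is legal and means "don't care"
            problems.append("pcimRulePriority: negative value %d" % n)
    for v in entry.get("pcimRuleMandatory", []):
        if v.upper() not in ("TRUE", "FALSE"):
            problems.append("pcimRuleMandatory: not a Boolean: %r" % v)
    for v in entry.get("pcimRoles", []):
        if not ROLE_COMBINATION.match(v):
            problems.append("pcimRoles: malformed role-combination %r" % v)
        elif v.split("&&") != sorted(v.split("&&")):   # code point order = UCS-2 order for BMP
            problems.append("pcimRoles: role names out of collating order in %r" % v)
    return problems


def rule_is_disabled(entry) -> bool:
    """Disabled when administratively disabled (pcimRuleEnabled=2) or when any
    constraint is violated, which Note 5 says must stop execution of the rule."""
    return entry.get("pcimRuleEnabled", []) == ["2"] or bool(rule_problems(entry))


# Constructed sample entries.
GOOD_RULE = {
    "pcimRuleName": ["dhcp-edge"], "pcimRuleEnabled": ["1"],
    "pcimRuleConditionListType": ["1"], "pcimRulePriority": ["0"],
    "pcimRuleMandatory": ["TRUE"], "pcimRuleSequencedActions": ["3"],
    "pcimRoles": ["Edge", "Core&&Edge"],
}
BAD_RULE = {
    "pcimRuleName": ["broken"], "pcimRuleEnabled": ["1"],
    "pcimRuleConditionListType": ["3"],     # neither DNF nor CNF
    "pcimRulePriority": ["-5"],             # negative
    "pcimRoles": ["Edge&&Core", "Edge&&"],  # out of order; trailing '&&'
}
```

rule_problems(BAD_RULE) reports four violations and rule_is_disabled(BAD_RULE) is therefore True even though pcimRuleEnabled says the rule is enabled; GOOD_RULE, with its priority of 0 ("don't care") and canonically ordered role-combination, passes.
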
The two subclasses of the pcimRule class are defined as follows. First, the pcimRuleAuxClass is an auxiliary class for representing the "If Condition then Action" semantics associated with a policy rule. Its class definition is as follows:

   ( 1.3.6.1.1.6.1.6 NAME 'pcimRuleAuxClass'
       DESC 'An auxiliary class for representing the "If Condition
             then Action" semantics associated with a policy rule.'
       SUP pcimRule
       AUXILIARY
   )

The pcimRuleInstance is a structural class for representing the "If Condition then Action" semantics associated with a policy rule. Its class definition is as follows:

   ( 1.3.6.1.1.6.1.7 NAME 'pcimRuleInstance'
       DESC 'A structural class for representing the "If Condition
             then Action" semantics associated with a policy rule.'
       SUP pcimRule
       STRUCTURAL
   )

A DIT content rule could be written to enable an instance of pcimRuleInstance to have attached to it either references to one or more policy conditions (using pcimConditionAuxClass) or references to one or more policy actions (using pcimActionAuxClass). This would be used to formalize the semantics of the PolicyRule class [1]. Since these semantics do not include specifying any properties of the PolicyRule class, the content rule would not need to specify any attributes.

Similarly, three separate DIT structure rules could be written, each of which would refer to a specific name form that identified one of its three possible naming attributes (i.e., pcimRuleName, cn, and orderedCIMKeys). This structure rule SHOULD include a superiorStructureRule (see Note 2 at the beginning of section 5). The three name forms referenced by the three structure rules would each define one of the three naming attributes.

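The note above requires a pcimRoles value to match "<RoleName>[&&<RoleName>]*" and a rule carrying a malformed value to be treated as disabled. The following Python is an added example, not code from RFC 3703 or from any implementation it describes; it treats pcimRoles as multi-valued (one role combination per value) and regards a role name as any non-empty string, both of which are this example's own reading of the format.

```python
"""Validate the pcimRoles attribute of a policy rule (RFC 3703, Section 5.3).

Added example, not part of RFC 3703. Function names are this example's own.
"""

ROLE_SEPARATOR = '&&'


def parse_role_combination(value):
    """Split one pcimRoles value into its role names.

    Returns the list of role names, or None when the value does not conform
    to "<RoleName>[&&<RoleName>]*" (empty value, empty role name, leading,
    trailing or doubled separator).
    """
    if not isinstance(value, str) or not value:
        return None
    names = value.split(ROLE_SEPARATOR)
    # 'Edge&&' -> ['Edge', ''], '&&Edge' -> ['', 'Edge'], 'a&&&&b' -> ['a', '', 'b']
    if any(name == '' for name in names):
        return None
    return names


def check_pcim_roles(values):
    """Validate every value of a rule's pcimRoles attribute.

    Returns a list of role combinations (each a list of role names), or None
    when any value is malformed, in which case the policy rule SHOULD be
    treated as being disabled.
    """
    combinations = []
    for value in values:
        names = parse_role_combination(value)
        if names is None:
            return None
        combinations.append(names)
    return combinations


# Constructed sample values, not taken from the RFC.
GOOD_RULE_ROLES = ['Edge', 'Edge&&Ethernet']
BAD_RULE_ROLES = ['Edge', 'Edge&&']   # second value ends in a dangling separator

if __name__ == '__main__':
    print(check_pcim_roles(GOOD_RULE_ROLES))   # [['Edge'], ['Edge', 'Ethernet']]
    print(check_pcim_roles(BAD_RULE_ROLES))    # None -> rule disabled
```

A policy decision point that loads rules from the directory would run check_pcim_roles on each pcimRule entry before considering the rule for evaluation; a None result marks the rule disabled rather than silently ignoring the bad value.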
5.4. The Class pcimRuleConditionAssociation

This class contains attributes to represent the properties of the PCIM's PolicyConditionInPolicyRule association. Instances of this class are related to an instance of pcimRule via DIT containment. The policy conditions themselves are represented by auxiliary subclasses of the auxiliary class pcimConditionAuxClass. These auxiliary classes are attached directly to instances of pcimRuleConditionAssociation for rule-specific policy conditions. For a reusable policy condition, the policyCondition auxiliary subclass is attached to an instance of the class pcimPolicyInstance (which is presumably associated with a pcimRepository by DIT containment), and the policyConditionDN attribute (of this class) is used to reference the reusable policyCondition instance.

The class definition is as follows:

( 1.3.6.1.1.6.1.8 NAME 'pcimRuleConditionAssociation' DESC 'This class contains attributes characterizing the relationship between a policy rule and one of its policy conditions.' SUP pcimPolicy MUST ( pcimConditionGroupNumber $ pcimConditionNegated ) MAY ( pcimConditionName $ pcimConditionDN ) )

The attributes of this class are defined as follows.

The pcimConditionGroupNumber attribute is a non-negative integer. It is used to identify the group to which the condition referenced by this association is assigned. This attribute is defined as follows:

( 1.3.6.1.1.6.2.16 NAME 'pcimConditionGroupNumber' DESC 'The number of the group to which a policy condition belongs. This is used to form the DNF or CNF expression associated with a policy rule.' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

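Every class and attribute type in this memo is given in the LDAP schema description syntax shown above. The following Python parses such definitions into dictionaries so that a client can inspect MUST/MAY lists, matching rules and syntaxes programmatically. It is an added example, not code from RFC 3703; the sample inputs are the pcimRuleConditionAssociation, pcimConditionGroupNumber and pcimConditionAuxClass definitions from this section, and the example assumes that DESC strings contain no single quotes and that an object class with no kind keyword is STRUCTURAL (the LDAP default).

```python
"""Parse LDAP schema definitions of the form used in RFC 3703.

Added example, not part of RFC 3703. Function names are this example's own.
"""
import re

# Sample definitions copied from Section 5 of RFC 3703, flattened onto one line.
CLASS_DEF = ("( 1.3.6.1.1.6.1.8 NAME 'pcimRuleConditionAssociation' DESC 'This class "
             "contains attributes characterizing the relationship between a policy "
             "rule and one of its policy conditions.' SUP pcimPolicy MUST ( "
             "pcimConditionGroupNumber $ pcimConditionNegated ) MAY ( "
             "pcimConditionName $ pcimConditionDN ) )")
ATTR_DEF = ("( 1.3.6.1.1.6.2.16 NAME 'pcimConditionGroupNumber' DESC 'The number of "
            "the group to which a policy condition belongs. This is used to form the "
            "DNF or CNF expression associated with a policy rule.' EQUALITY "
            "integerMatch ORDERING integerOrderingMatch SYNTAX "
            "1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )")
AUX_DEF = ("( 1.3.6.1.1.6.1.11 NAME 'pcimConditionAuxClass' DESC 'A class representing "
           "a condition to be evaluated in conjunction with a policy rule.' SUP top "
           "AUXILIARY )")

# Tokens: a quoted string, a parenthesis, the '$' list separator, or a bare word.
# Assumption: quoted strings contain no embedded single quote.
_TOKEN = re.compile(r"'[^']*'|\(|\)|\$|[^\s()$']+")

# Keywords that take no value.
FLAGS = {'STRUCTURAL', 'AUXILIARY', 'ABSTRACT', 'SINGLE-VALUE', 'OBSOLETE',
         'COLLECTIVE', 'NO-USER-MODIFICATION'}
# Keywords whose value is always reported as a list, even when not parenthesized.
LIST_KEYWORDS = {'MUST', 'MAY', 'SUP'}


def _unquote(token):
    if len(token) >= 2 and token.startswith("'") and token.endswith("'"):
        return token[1:-1]
    return token


def parse_definition(text):
    """Return a dict: 'oid' plus one entry per keyword in the definition."""
    tokens = _TOKEN.findall(text)
    if len(tokens) < 3 or tokens[0] != '(' or tokens[-1] != ')':
        raise ValueError('definition must be parenthesized')
    result = {'oid': tokens[1]}
    i = 2
    while i < len(tokens) - 1:
        key = tokens[i]
        i += 1
        if key in FLAGS:
            result[key] = True
            continue
        if tokens[i] == '(':                      # parenthesized '$'-separated list
            items = []
            i += 1
            while tokens[i] != ')':
                if tokens[i] != '$':
                    items.append(_unquote(tokens[i]))
                i += 1
            i += 1                                # skip the closing ')'
            result[key] = items
        else:
            value = _unquote(tokens[i])
            i += 1
            result[key] = [value] if key in LIST_KEYWORDS else value
    return result


def object_class_kind(definition):
    """Kind of an object class; STRUCTURAL when no kind keyword is present."""
    for kind in ('STRUCTURAL', 'AUXILIARY', 'ABSTRACT'):
        if definition.get(kind):
            return kind
    return 'STRUCTURAL'


if __name__ == '__main__':
    parsed = parse_definition(CLASS_DEF)
    print(parsed['NAME'], object_class_kind(parsed), parsed['MUST'], parsed['MAY'])
    print(parse_definition(ATTR_DEF)['SYNTAX'])
```

The pcimRuleConditionAssociation definition above names no kind, so object_class_kind reports it as STRUCTURAL; the MUST list it returns is what a client should check for when validating entries before trusting them as rule conditions.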
Note that this number is non-negative. A negative value for this attribute is invalid, and any policy rule that refers to an invalid entry SHOULD be treated as being disabled.

The pcimConditionNegated attribute is a Boolean attribute that indicates whether this policy condition is to be negated or not. If it is TRUE (FALSE), it indicates that a policy condition IS (IS NOT) negated in the DNF or CNF expression associated with a policy rule. This attribute is defined as follows:

( 1.3.6.1.1.6.2.17 NAME 'pcimConditionNegated' DESC 'If TRUE (FALSE), it indicates that a policy condition IS (IS NOT) negated in the DNF or CNF expression associated with a policy rule.' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )

The pcimConditionName is a user-friendly name for identifying this policy condition, and may be used as a naming attribute if desired. This attribute is defined as follows:

( 1.3.6.1.1.6.2.18 NAME 'pcimConditionName' DESC 'A user-friendly name for a policy condition.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )

The pcimConditionDN attribute is a DN that references an instance of a reusable policy condition. This attribute is defined as follows:

( 1.3.6.1.1.6.2.19 NAME 'pcimConditionDN' DESC 'A DN that references an instance of a reusable policy condition.' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE )

A DIT content rule could be written to enable an instance of pcimRuleConditionAssociation to have attached to it an instance of the auxiliary class pcimConditionAuxClass, or one of its subclasses. This would be used to formalize the semantics of the PolicyConditionInPolicyRule association. Specifically, this would be used to represent a rule-specific policy condition [1]. Similarly, three separate DIT structure rules could be written. Each of these DIT structure rules would refer to a specific name form that defined two important semantics. First, each name form would identify one of the three possible naming attributes (i.e., pcimConditionName, cn, and orderedCIMKeys) for the pcimRuleConditionAssociation object class. Second, each name form would require that an instance of the pcimRuleConditionAssociation class have as its superior an instance of the pcimRule class. This structure rule SHOULD also include a superiorStructureRule (see Note 2 at the beginning of section 5).

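The pcimConditionGroupNumber and pcimConditionNegated attributes of this class are what a policy decision point combines into the rule's DNF or CNF expression: in DNF the conditions of one group are ANDed and the groups ORed, in CNF the conditions of one group are ORed and the groups ANDed, and a negated condition contributes its inverse. The following Python is an added example, not code from RFC 3703; it takes the list type as the symbolic name 'DNF' or 'CNF', takes the truth value of each attached condition as an already-computed input (evaluating the condition itself is outside this schema), and treats a rule with no conditions as one whose actions are not blocked, all of which are this example's own choices. Malformed entries (negative or non-integer group number, a Boolean that is not exactly TRUE or FALSE) yield None so the caller can treat the rule as disabled, as the text above requires.

```python
"""Combine pcimRuleConditionAssociation entries into a rule's DNF/CNF result.

Added example, not part of RFC 3703. Function names are this example's own.
"""


def _parse_group_number(value):
    """pcimConditionGroupNumber: LDAP Integer syntax, must be non-negative."""
    try:
        number = int(value)
    except (TypeError, ValueError):
        return None
    return number if number >= 0 else None


def _parse_negated(value):
    """pcimConditionNegated: LDAP Boolean syntax allows exactly TRUE or FALSE."""
    return {'TRUE': True, 'FALSE': False}.get(value)


def evaluate_rule_conditions(list_type, associations):
    """Evaluate the condition clause of one policy rule.

    list_type    -- 'DNF' or 'CNF' (this example's symbolic interface).
    associations -- the rule's pcimRuleConditionAssociation entries, each a
                    dict with 'pcimConditionGroupNumber', 'pcimConditionNegated'
                    (both as LDAP string values) and 'result', the Boolean
                    outcome of the attached condition, supplied by the caller.

    Returns True or False, or None when an entry is malformed or the list
    type is unknown; a None result means the rule SHOULD be treated as
    disabled.
    """
    groups = {}
    for assoc in associations:
        group = _parse_group_number(assoc.get('pcimConditionGroupNumber'))
        negated = _parse_negated(assoc.get('pcimConditionNegated'))
        if group is None or negated is None:
            return None
        term = (not assoc['result']) if negated else bool(assoc['result'])
        groups.setdefault(group, []).append(term)
    if not groups:
        return True    # assumption: no conditions, nothing blocks the actions
    if list_type == 'DNF':
        return any(all(terms) for terms in groups.values())
    if list_type == 'CNF':
        return all(any(terms) for terms in groups.values())
    return None


# Constructed sample: group 1 holds a true condition and a negated false
# condition (both contribute True); group 2 holds a single false condition.
SAMPLE_CONDITIONS = [
    {'pcimConditionGroupNumber': '1', 'pcimConditionNegated': 'FALSE', 'result': True},
    {'pcimConditionGroupNumber': '1', 'pcimConditionNegated': 'TRUE', 'result': False},
    {'pcimConditionGroupNumber': '2', 'pcimConditionNegated': 'FALSE', 'result': False},
]

if __name__ == '__main__':
    print('DNF:', evaluate_rule_conditions('DNF', SAMPLE_CONDITIONS))   # True
    print('CNF:', evaluate_rule_conditions('CNF', SAMPLE_CONDITIONS))   # False
```

The same three entries yield True under DNF (group 1 alone satisfies the rule) and False under CNF (group 2 fails), which is why an implementation must read the rule's list type rather than assume one; the strict TRUE/FALSE check matters because an entry whose Boolean was stored as "true" is, per the LDAP syntax, not a valid value and should not be silently read as either.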
5.5. The Class pcimRuleValidityAssociation

The policyRuleValidityPeriod aggregation is mapped to the PCLS pcimRuleValidityAssociation class. This class represents the scheduled activation and deactivation of a policy rule by binding the definition of times that the policy is active to the policy rule itself. The "scheduled" times are either identified through an attached auxiliary class pcimTPCAuxClass, or are referenced through its pcimTimePeriodConditionDN attribute.

This class is defined as follows:

( 1.3.6.1.1.6.1.9 NAME 'pcimRuleValidityAssociation' DESC 'This defines the scheduled activation or deactivation of a policy rule.' SUP pcimPolicy STRUCTURAL MAY ( pcimValidityConditionName $ pcimTimePeriodConditionDN ) )

The attributes of this class are defined as follows:

The pcimValidityConditionName attribute is used to define a user-friendly name of this condition, and may be used as a naming attribute if desired. This attribute is defined as follows:

( 1.3.6.1.1.6.2.20 NAME 'pcimValidityConditionName' DESC 'A user-friendly name for identifying an instance of a pcimRuleValidityAssociation entry.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )

The pcimTimePeriodConditionDN attribute is a DN that references a reusable time period condition. It is defined as follows:

( 1.3.6.1.1.6.2.21 NAME 'pcimTimePeriodConditionDN' DESC 'A reference to a reusable policy time period condition.' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE )

A DIT content rule could be written to enable an instance of pcimRuleValidityAssociation to have attached to it an instance of the auxiliary class pcimTPCAuxClass, or one of its subclasses. This would be used to formalize the semantics of the PolicyRuleValidityPeriod aggregation [1].

Similarly, three separate DIT structure rules could be written. Each of these DIT structure rules would refer to a specific name form that defined two important semantics. First, each name form would identify one of the three possible naming attributes (i.e., pcimValidityConditionName, cn, and orderedCIMKeys) for the pcimRuleValidityAssociation object class. Second, each name form would require that an instance of the pcimRuleValidityAssociation class have as its superior an instance of the pcimRule class. This structure rule SHOULD also include a superiorStructureRule (see Note 2 at the beginning of section 5).

5.6. The Class pcimRuleActionAssociation

This class contains an attribute to represent the one property of the PCIM PolicyActionInPolicyRule association, ActionOrder. This property is used to specify an order for executing the actions associated with a policy rule. Instances of this class are related to an instance of pcimRule via DIT containment. The actions themselves are represented by auxiliary subclasses of the auxiliary class pcimActionAuxClass.

These auxiliary classes are attached directly to instances of pcimRuleActionAssociation for rule-specific policy actions. For a reusable policy action, the pcimAction auxiliary subclass is attached to an instance of the class pcimPolicyInstance (which is presumably associated with a pcimRepository by DIT containment), and the pcimActionDN attribute (of this class) is used to reference the reusable pcimAction instance.

The class definition is as follows:

( 1.3.6.1.1.6.1.10 NAME 'pcimRuleActionAssociation' DESC 'This class contains attributes characterizing the relationship between a policy rule and one of its policy actions.' SUP pcimPolicy MUST ( pcimActionOrder ) MAY ( pcimActionName $ pcimActionDN ) )

The pcimActionName attribute is used to define a user-friendly name of this action, and may be used as a naming attribute if desired. This attribute is defined as follows:

( 1.3.6.1.1.6.2.22 NAME 'pcimActionName' DESC 'A user-friendly name for a policy action.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )

The pcimActionOrder attribute is an unsigned integer that is used to indicate the relative position of an action in a sequence of actions that are associated with a given policy rule. When this number is positive, it indicates a place in the sequence of actions to be performed, with smaller values indicating earlier positions in the sequence. If the value is zero, then this indicates that the order is irrelevant. Note that if two or more actions have the same non-zero value, they may be performed in any order as long as they are each performed in the correct place in the overall sequence of actions. This attribute is defined as follows:

( 1.3.6.1.1.6.2.23 NAME 'pcimActionOrder' DESC 'An integer indicating the relative order of an action in the context of a policy rule.' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

Note: if the value of the pcimActionOrder field is negative, then it SHOULD be treated as an error and any policy rule that refers to such an entry SHOULD be treated as being disabled.

The pcimActionDN attribute is a DN that references a reusable policy action. It is defined as follows:

( 1.3.6.1.1.6.2.24 NAME 'pcimActionDN' DESC 'A DN that references a reusable policy action.' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE )

A DIT content rule could be written to enable an instance of pcimRuleActionAssociation to have attached to it an instance of the auxiliary class pcimActionAuxClass, or one of its subclasses. This would be used to formalize the semantics of the PolicyActionInPolicyRule association. Specifically, this would be used to represent a rule-specific policy action [1].

Similarly, three separate DIT structure rules could be written. Each of these DIT structure rules would refer to a specific name form that defined two important semantics. First, each name form would identify one of the three possible naming attributes (i.e., pcimActionName, cn, and orderedCIMKeys) for the pcimRuleActionAssociation object class. Second, each name form would require that an instance of the pcimRuleActionAssociation class have as its superior an instance of the pcimRule class. This structure rule should also include a superiorStructureRule (see Note 2 at the beginning of section 5).

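The pcimActionOrder semantics described in this section (smaller positive values run earlier, equal values may run in any order, zero means the order is irrelevant, a negative value is an error that disables the rule) translate into a small scheduling step when a rule fires. The following Python is an added example, not code from RFC 3703; it groups the actions of one rule into execution stages and reports the order-0 actions separately, and the choice to list those unordered actions apart rather than at some fixed position is this example's own.

```python
"""Order the pcimRuleActionAssociation entries of one policy rule.

Added example, not part of RFC 3703. Function names are this example's own.
"""


def plan_actions(associations):
    """Arrange a rule's actions by pcimActionOrder.

    associations -- the rule's pcimRuleActionAssociation entries, each a dict
                    with 'pcimActionOrder' (LDAP Integer as a string; a MUST
                    attribute) and 'action', a caller-supplied handle for the
                    attached pcimActionAuxClass instance.

    Returns (stages, unordered): stages is a list of lists in execution
    order, where actions sharing a stage have the same non-zero order value
    and may run in any order among themselves; unordered holds the actions
    whose order value is 0. Returns None when an entry is missing its order
    value, carries a non-integer, or carries a negative value, in which case
    the policy rule SHOULD be treated as being disabled.
    """
    by_order = {}
    unordered = []
    for assoc in associations:
        try:
            order = int(assoc.get('pcimActionOrder'))
        except (TypeError, ValueError):
            return None            # missing or non-integer MUST attribute
        if order < 0:
            return None            # negative order is an error per Section 5.6
        if order == 0:
            unordered.append(assoc['action'])
        else:
            by_order.setdefault(order, []).append(assoc['action'])
    stages = [by_order[key] for key in sorted(by_order)]
    return stages, unordered


# Constructed sample: action names stand in for attached pcimActionAuxClass entries.
SAMPLE_ACTIONS = [
    {'pcimActionOrder': '2', 'action': 'mark-dscp'},
    {'pcimActionOrder': '1', 'action': 'police'},
    {'pcimActionOrder': '1', 'action': 'count'},
    {'pcimActionOrder': '0', 'action': 'log'},
]

if __name__ == '__main__':
    stages, unordered = plan_actions(SAMPLE_ACTIONS)
    for number, stage in enumerate(stages, start=1):
        print('stage', number, stage)    # stage 1 ['police', 'count'] / stage 2 ['mark-dscp']
    print('order irrelevant:', unordered)  # ['log']
```

Validating the whole rule before running any stage matters: an implementation that executes stage 1 and only then discovers a negative order value on a later entry has already applied part of a rule the text says should be disabled.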
5.7. The Auxiliary Class pcimConditionAuxClass

The purpose of a policy condition is to determine whether or not the set of actions (contained in the pcimRule that the condition applies to) should be executed or not. This class defines the basic organizational semantics of a policy condition, as specified in [1]. Subclasses of this auxiliary class can be attached to instances of three other classes in the PCLS. When a subclass of this class is attached to an instance of pcimRuleConditionAssociation, or to an instance of pcimRule, it represents a rule-specific policy condition. When a subclass of this class is attached to an instance of pcimPolicyInstance, it represents a reusable policy condition.

Since all of the classes to which subclasses of this auxiliary class may be attached are derived from the pcimPolicy class, the attributes of pcimPolicy will already be defined for the entries to which these subclasses attach. Thus, this class is derived directly from "top".

The class definition is as follows:

( 1.3.6.1.1.6.1.11 NAME 'pcimConditionAuxClass' DESC 'A class representing a condition to be evaluated in conjunction with a policy rule.' SUP top AUXILIARY )

5.8. The Auxiliary Class pcimTPCAuxClass

The PCIM defines a time period class, PolicyTimePeriodCondition, to provide a means of representing the time periods during which a policy rule is valid, i.e., active. It also defines an aggregation, PolicyRuleValidityPeriod, so that time periods can be associated with a PolicyRule. The LDAP mapping also provides two classes, one for the time condition itself, and one for the aggregation.

In the PCIM, the time period class is named PolicyTimePeriodCondition. However, the resulting name of the auxiliary class in this mapping (pcimTimePeriodConditionAuxClass) exceeds the length of a name that some directories can store. Therefore, the name has been shortened to pcimTPCAuxClass.

The class definition is as follows:

( 1.3.6.1.1.6.1.12 NAME 'pcimTPCAuxClass' DESC 'This provides the capability of enabling or disabling a policy rule according to a predetermined schedule.' SUP pcimConditionAuxClass AUXILIARY MAY ( pcimTPCTime $ pcimTPCMonthOfYearMask $ pcimTPCDayOfMonthMask $ pcimTPCDayOfWeekMask $ pcimTPCTimeOfDayMask $ pcimTPCLocalOrUtcTime ) )

The attributes of the pcimTPCAuxClass are defined as follows.

The pcimTPCTime attribute represents the time period that a policy rule is enabled for. This attribute is defined as a string in [1] with a special format which defines a time period with a starting date and an ending date separated by a forward slash ("/"), as follows:

yyyymmddThhmmss/yyyymmddThhmmss

where the first date and time may be replaced with the string "THISANDPRIOR" or the second date and time may be replaced with the string "THISANDFUTURE". This attribute is defined as follows:

( 1.3.6.1.1.6.2.25 NAME 'pcimTPCTime' DESC 'The start and end times on which a policy rule is valid.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 SINGLE-VALUE )

The value of this attribute SHOULD be checked against its defined format ("yyyymmddThhmmss/yyyymmddThhmmss", where the first and second date strings may be replaced with the strings "THISANDPRIOR" and "THISANDFUTURE"). If the value of this attribute does not conform to this syntax, then this SHOULD be considered an error and the policy rule SHOULD be treated as being disabled.

The next four attributes (pcimTPCMonthOfYearMask, pcimTPCDayOfMonthMask, pcimTPCDayOfWeekMask, and pcimTPCTimeOfDayMask) are all defined as octet strings in [1]. However, the semantics of each of these attributes are contained in bit strings of various fixed lengths. Therefore, the PCLS uses a syntax of Bit String to represent each of them. The definitions of these four attributes are as follows.

The pcimTPCMonthOfYearMask attribute defines a 12-bit mask identifying the months of the year in which a policy rule is valid. The format is a bit string of length 12, representing the months of the year from January through December. The definition of this attribute is as follows:

( 1.3.6.1.1.6.2.26 NAME 'pcimTPCMonthOfYearMask' DESC 'This identifies the valid months of the year for a policy rule using a 12-bit string that represents the months of the year from January through December.' EQUALITY bitStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.6 SINGLE-VALUE )

The value of this attribute SHOULD be checked against its defined format. If the value of this attribute does not conform to this syntax, then this SHOULD be considered an error and the policy rule SHOULD be treated as being disabled.

The pcimTPCDayOfMonthMask attribute defines a mask identifying the days of the month on which a policy rule is valid. The format is a bit string of length 62. The first 31 positions represent the days of the month in ascending order, from day 1 to day 31. The next 31 positions represent the days of the month in descending order, from the last day to the day 31 days from the end. The definition of this attribute is as follows:

( 1.3.6.1.1.6.2.27 NAME 'pcimTPCDayOfMonthMask' DESC 'This identifies the valid days of the month for a policy rule using a 62-bit string. The first 31 positions represent the days of the month in ascending order, and the next 31 positions represent the days of the month in descending order.' EQUALITY bitStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.6 SINGLE-VALUE )

The value of this attribute SHOULD be checked against its defined format. If the value of this attribute does not conform to this syntax, then this SHOULD be considered an error and the policy rule SHOULD be treated as being disabled.

The pcimTPCDayOfWeekMask attribute defines a mask identifying the days of the week on which a policy rule is valid. The format is a bit string of length 7, representing the days of the week from Sunday through Saturday. The definition of this attribute is as follows:

( 1.3.6.1.1.6.2.28 NAME 'pcimTPCDayOfWeekMask' DESC 'This identifies the valid days of the week for a policy rule using a 7-bit string. This represents the days of the week from Sunday through Saturday.' EQUALITY bitStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.6 SINGLE-VALUE )

The value of this attribute SHOULD be checked against its defined format. If the value of this attribute does not conform to this syntax, then this SHOULD be considered an error and the policy rule SHOULD be treated as being disabled.

The pcimTPCTimeOfDayMask attribute defines the range of times at which a policy rule is valid. If the second time is earlier than the first, then the interval spans midnight. The format of the string is Thhmmss/Thhmmss. The definition of this attribute is as follows:

( 1.3.6.1.1.6.2.29 NAME 'pcimTPCTimeOfDayMask' DESC 'This identifies the valid range of times for a policy using the format Thhmmss/Thhmmss.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 SINGLE-VALUE )

The value of this attribute SHOULD be checked against its defined format. If the value of this attribute does not conform to this syntax, then this SHOULD be considered an error and the policy rule SHOULD be treated as being disabled.

Finally, the pcimTPCLocalOrUtcTime attribute is used to choose between local or UTC time representation. This is mapped as a simple integer syntax, with the value of 1 representing local time and the value of 2 representing UTC time. The definition of this attribute is as follows:

( 1.3.6.1.1.6.2.30 NAME 'pcimTPCLocalOrUtcTime' DESC 'This defines whether the times in this instance represent local (value=1) times or UTC (value=2) times.' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

Note: if the value of the pcimTPCLocalOrUtcTime is not 1 or 2, then this SHOULD be considered an error and the policy rule SHOULD be disabled. If the attribute is not present at all, then all times are interpreted as if it were present with the value 2, that is, UTC time.

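The pcimTPCAuxClass attributes described in this section are each subject to a format check, and every one of them can disable the rule when malformed, so an evaluator has to validate as it goes rather than parse the entry once and trust it. The following Python is an added example, not code from RFC 3703, that decides whether a rule carrying these attributes is active at a given instant. It assumes: bit-string values arrive either in the LDAP form '0110'B or as bare 0/1 text; an absent mask or period places no restriction; "local" time (pcimTPCLocalOrUtcTime = 1) means the local zone of the evaluating host; and both endpoints of pcimTPCTime and pcimTPCTimeOfDayMask are inclusive. Those are this example's own choices where the text leaves them open.

```python
"""Evaluate the pcimTPCAuxClass time-period attributes of RFC 3703, Section 5.8.

Added example, not part of RFC 3703. Function names are this example's own.
"""
import calendar
import re
from datetime import datetime, timezone

_TPC_TIME_RE = re.compile(r'^(\d{8}T\d{6}|THISANDPRIOR)/(\d{8}T\d{6}|THISANDFUTURE)$')
_TIME_OF_DAY_RE = re.compile(r'^T(\d{6})/T(\d{6})$')


def parse_bitmask(value, length):
    """Return the set bit positions of a Bit String value, or None if malformed.
    Accepts the LDAP form "'0110'B" or a bare string of 0/1 of exactly `length`."""
    if value.startswith("'") and value.endswith("'B"):
        value = value[1:-2]
    if len(value) != length or any(c not in '01' for c in value):
        return None
    return [i for i, c in enumerate(value) if c == '1']


def _parse_stamp(text):          # yyyymmddThhmmss, validated by strptime
    try:
        return datetime.strptime(text, '%Y%m%dT%H%M%S')
    except ValueError:
        return None


def _parse_hms(text):            # hhmmss
    try:
        return datetime.strptime(text, '%H%M%S').time()
    except ValueError:
        return None


def utc(year, month, day, hour=0, minute=0):
    """Helper to build timezone-aware UTC instants for the samples below."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def evaluate_tpc(attrs, now):
    """attrs: mapping of pcimTPC* attribute names to their string values.
    now: timezone-aware datetime.
    Returns True (rule active), False (inactive), or None when any value is
    malformed, in which case the rule SHOULD be treated as being disabled."""
    local_or_utc = attrs.get('pcimTPCLocalOrUtcTime', '2')   # absent means UTC
    if local_or_utc not in ('1', '2'):
        return None
    t = now.astimezone(timezone.utc) if local_or_utc == '2' else now.astimezone()
    t = t.replace(tzinfo=None)   # compare against the naive stamps in the entry

    period = attrs.get('pcimTPCTime')
    if period is not None:
        match = _TPC_TIME_RE.match(period)
        if not match:
            return None
        start, end = match.groups()
        if start != 'THISANDPRIOR':
            start_at = _parse_stamp(start)
            if start_at is None:
                return None
            if t < start_at:
                return False
        if end != 'THISANDFUTURE':
            end_at = _parse_stamp(end)
            if end_at is None:
                return None
            if t > end_at:
                return False

    month_mask = attrs.get('pcimTPCMonthOfYearMask')
    if month_mask is not None:
        bits = parse_bitmask(month_mask, 12)          # position 0 = January
        if bits is None:
            return None
        if (t.month - 1) not in bits:
            return False

    dom_mask = attrs.get('pcimTPCDayOfMonthMask')
    if dom_mask is not None:
        bits = parse_bitmask(dom_mask, 62)
        if bits is None:
            return None
        days_in_month = calendar.monthrange(t.year, t.month)[1]
        ascending = t.day - 1                          # position 0 = day 1
        descending = 31 + (days_in_month - t.day)      # position 31 = last day
        if ascending not in bits and descending not in bits:
            return False

    dow_mask = attrs.get('pcimTPCDayOfWeekMask')
    if dow_mask is not None:
        bits = parse_bitmask(dow_mask, 7)             # position 0 = Sunday
        if bits is None:
            return None
        if (t.weekday() + 1) % 7 not in bits:          # Python: Monday = 0
            return False

    tod_mask = attrs.get('pcimTPCTimeOfDayMask')
    if tod_mask is not None:
        match = _TIME_OF_DAY_RE.match(tod_mask)
        if not match:
            return None
        first, second = _parse_hms(match.group(1)), _parse_hms(match.group(2))
        if first is None or second is None:
            return None
        clock = t.time()
        if first <= second:
            if not first <= clock <= second:
                return False
        elif not (clock >= first or clock <= second):  # range spans midnight
            return False
    return True


# Constructed sample entries, not taken from the RFC.
WORKWEEK = {                                  # weekdays 08:00-18:00 UTC from 2024 on
    'pcimTPCTime': '20240101T000000/THISANDFUTURE',
    'pcimTPCMonthOfYearMask': "'111111111111'B",
    'pcimTPCDayOfWeekMask': "'0111110'B",
    'pcimTPCTimeOfDayMask': 'T080000/T180000',
    'pcimTPCLocalOrUtcTime': '2',
}
NIGHT_SHIFT = {'pcimTPCTimeOfDayMask': 'T220000/T060000'}          # spans midnight
LAST_DAY = {'pcimTPCDayOfMonthMask': "'" + '0' * 31 + '1' + '0' * 30 + "'B"}
```

Calling evaluate_tpc(WORKWEEK, utc(2024, 3, 13, 10, 0)) reports the rule active on a Wednesday morning, while the same entry with pcimTPCMonthOfYearMask set to a four-bit string returns None rather than False, the distinction the text draws between an inactive rule and a disabled one; LAST_DAY shows why the descending half of the day-of-month mask exists, since "the last day" is position 31 whatever the month's length.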
5.9. The Auxiliary Class pcimConditionVendorAuxClass

This class provides a general extension mechanism for representing policy conditions that have not been modeled with specific properties. Instead, its two properties are used to define the content and format of the condition, as explained below. This class is intended for vendor-specific extensions that are not amenable to using pcimCondition; standardized extensions SHOULD NOT use this class.

The class definition is as follows:

( 1.3.6.1.1.6.1.13 NAME 'pcimConditionVendorAuxClass' DESC 'A class that defines a registered means to describe a policy condition.' SUP pcimConditionAuxClass AUXILIARY MAY ( pcimVendorConstraintData $ pcimVendorConstraintEncoding ) )

The pcimVendorConstraintData attribute is a multi-valued attribute. It provides a general mechanism for representing policy conditions that have not been modeled as specific attributes. This information is encoded in a set of octet strings. The format of the octet strings is identified by the OID stored in the pcimVendorConstraintEncoding attribute. This attribute is defined as follows:

( 1.3.6.1.1.6.2.31 NAME 'pcimVendorConstraintData' DESC 'Mechanism for representing constraints that have not been modeled as specific attributes. Their format is identified by the OID stored in the attribute pcimVendorConstraintEncoding.' EQUALITY octetStringMatch ORDERING octetStringOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )

The pcimVendorConstraintEncoding attribute is used to identify the format and semantics for the pcimVendorConstraintData attribute. This attribute is defined as follows:

( 1.3.6.1.1.6.2.32 NAME 'pcimVendorConstraintEncoding' DESC 'An OID identifying the format and semantics for the pcimVendorConstraintData for this instance.' EQUALITY objectIdentifierMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 SINGLE-VALUE )

5.10. The Auxiliary Class pcimActionAuxClass

The purpose of a policy action is to execute one or more operations that will affect network traffic and/or systems, devices, etc. in order to achieve a desired policy state. This class is used to represent an action to be performed as a result of a policy rule whose condition clause was satisfied.

Subclasses of this auxiliary class can be attached to instances of three other classes in the PCLS. When a subclass of this class is attached to an instance of pcimRuleActionAssociation, or to an instance of pcimRule, it represents a rule-specific policy action. When a subclass of this class is attached to an instance of pcimPolicyInstance, it represents a reusable policy action.

Since all of the classes to which subclasses of this auxiliary class may be attached are derived from the pcimPolicy class, the attributes of the pcimPolicy class will already be defined for the entries to which these subclasses attach. Thus, this class is derived directly from "top".

The class definition is as follows:

( 1.3.6.1.1.6.1.14 NAME 'pcimActionAuxClass' DESC 'A class representing an action to be performed as a result of a policy rule.' SUP top AUXILIARY )

5.11. The Auxiliary Class pcimActionVendorAuxClass

The purpose of this class is to provide a general extension mechanism for representing policy actions that have not been modeled with specific properties. Instead, its two properties are used to define the content and format of the action, as explained below.

As its name suggests, this class is intended for vendor-specific extensions that are not amenable to using the standard pcimAction class. Standardized extensions SHOULD NOT use this class.

The class definition is as follows:

( 1.3.6.1.1.6.1.15 NAME 'pcimActionVendorAuxClass' DESC 'A class that defines a registered means to describe a policy action.' SUP pcimActionAuxClass AUXILIARY MAY ( pcimVendorActionData $ pcimVendorActionEncoding ) )

The pcimVendorActionData attribute is a multi-valued attribute. It provides a general mechanism for representing policy actions that have not been modeled as specific attributes. This information is encoded in a set of octet strings. The format of the octet strings is identified by the OID stored in the pcimVendorActionEncoding attribute. This attribute is defined as follows:

( 1.3.6.1.1.6.2.33 NAME 'pcimVendorActionData' DESC ' Mechanism for representing policy actions that have not been modeled as specific attributes. Their format is identified by the OID stored in the attribute pcimVendorActionEncoding.' EQUALITY octetStringMatch ORDERING octetStringOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )

The pcimVendorActionEncoding attribute is used to identify the format and semantics for the pcimVendorActionData attribute. This attribute is defined as follows:

( 1.3.6.1.1.6.2.34 NAME 'pcimVendorActionEncoding' DESC 'An OID identifying the format and semantics for the pcimVendorActionData attribute of this instance.' EQUALITY objectIdentifierMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 SINGLE-VALUE )
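
The two vendor attributes leave the format of pcimVendorActionData entirely to the OID in pcimVendorActionEncoding, so a policy server that consumes such an entry has to treat the octet strings as opaque until it has matched that OID against the encodings it was built to understand. The following added example (not code from RFC 3703) reads a constructed LDIF entry carrying pcimActionVendorAuxClass on a pcimPolicyInstance, enforces the SINGLE-VALUE constraint on the encoding OID, dispatches decoding through a registry keyed by OID, and refuses anything it does not recognise. The encoding OID 1.3.6.1.4.1.99999.1.1 and its JSON payload are hypothetical, chosen only to illustrate the mechanism.

```python
"""Consume vendor-specific policy actions (pcimActionVendorAuxClass) safely.

Added example; not text or code from RFC 3703. SAMPLE_LDIF is a constructed
entry and 1.3.6.1.4.1.99999.1.1 is a hypothetical vendor encoding OID.
"""
import base64
import json
import re
from typing import Callable, Dict, List

DATA_ATTR = "pcimVendorActionData"          # multi-valued octet strings
ENCODING_ATTR = "pcimVendorActionEncoding"  # single-valued OID naming the format

# Constructed entry: a reusable action, i.e. the aux class attached to a
# pcimPolicyInstance. The "::" form carries the octet string base64-encoded.
SAMPLE_LDIF = """\
dn: cn=rate-limit-guest,cn=Actions,cn=QoSRepo,o=example
objectClass: top
objectClass: pcimPolicy
objectClass: pcimPolicyInstance
objectClass: pcimActionAuxClass
objectClass: pcimActionVendorAuxClass
cn: rate-limit-guest
pcimKeywords: POLICY
pcimVendorActionEncoding: 1.3.6.1.4.1.99999.1.1
pcimVendorActionData:: eyJvcCI6InJhdGUtbGltaXQiLCJrYnBzIjo1MTJ9
"""

NUMERIC_OID = re.compile(r"^[0-2](\.\d+)+$")


def parse_ldif_entry(text: str) -> Dict[str, List[bytes]]:
    """Minimal single-entry LDIF reader ('attr: value' / 'attr:: base64').
    Attribute names are case-insensitive in LDAP, so keys are lower-cased."""
    entry: Dict[str, List[bytes]] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        m = re.match(r"^([A-Za-z][\w.;-]*)(::?) ?(.*)$", line)
        if not m:
            raise ValueError(f"malformed LDIF line: {line!r}")
        attr, sep, raw = m.groups()
        value = base64.b64decode(raw) if sep == "::" else raw.encode("utf-8")
        entry.setdefault(attr.lower(), []).append(value)
    return entry


def decode_json_action(blob: bytes) -> dict:
    """Decoder for the hypothetical encoding: one UTF-8 JSON object per value."""
    obj = json.loads(blob.decode("utf-8"))
    if not isinstance(obj, dict) or not isinstance(obj.get("op"), str):
        raise ValueError("vendor action must be a JSON object with a string 'op'")
    return obj


# Fail closed: only encodings this consumer was built for are decoded; an
# octet string under an unknown OID is never interpreted by guesswork.
DECODERS: Dict[str, Callable[[bytes], dict]] = {
    "1.3.6.1.4.1.99999.1.1": decode_json_action,  # hypothetical vendor OID
}


def decode_vendor_actions(entry: Dict[str, List[bytes]]) -> List[dict]:
    """Return the decoded action objects, or raise if the entry is not safe
    to act on (missing or ambiguous encoding OID, unknown encoding)."""
    classes = {c.decode("utf-8").lower() for c in entry.get("objectclass", [])}
    if "pcimactionvendorauxclass" not in classes:
        raise ValueError("entry does not carry pcimActionVendorAuxClass")
    data = entry.get(DATA_ATTR.lower(), [])
    if not data:
        return []  # both attributes are MAY: no data means nothing to do
    encodings = entry.get(ENCODING_ATTR.lower(), [])
    if len(encodings) != 1:  # schema says SINGLE-VALUE; 0 or >1 is unsafe
        raise ValueError(f"{ENCODING_ATTR} must have exactly one value")
    oid = encodings[0].decode("ascii")
    if not NUMERIC_OID.match(oid):
        raise ValueError(f"{ENCODING_ATTR} is not a numeric OID: {oid!r}")
    decoder = DECODERS.get(oid)
    if decoder is None:
        raise ValueError(f"unknown encoding {oid}: refusing to interpret {DATA_ATTR}")
    return [decoder(blob) for blob in data]


def consumable(ldif_text: str) -> bool:
    """True if every vendor action in the entry decodes under a known encoding."""
    try:
        decode_vendor_actions(parse_ldif_entry(ldif_text))
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for action in decode_vendor_actions(parse_ldif_entry(SAMPLE_LDIF)):
        print(action)
```

Dropping the encoding attribute, or changing it to an OID the server has no decoder for, makes consumable() return False rather than letting the server act on bytes whose meaning it cannot establish; the same entry is still perfectly valid against the schema, which is why this check belongs in the consumer and not in the directory.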

5.12. The Class pcimPolicyInstance

This class is not defined in the PCIM. Its role is to serve as a structural class to which auxiliary classes representing policy information are attached when the information is reusable. For auxiliary classes representing policy conditions and policy actions, there are alternative structural classes that may be used. See Section 4.4 for a complete discussion of reusable policy conditions and actions, and of the role that this class plays in how they are represented.

The class definition is as follows:

( 1.3.6.1.1.6.1.16 NAME 'pcimPolicyInstance' DESC 'A structural class to which aux classes containing reusable policy information can be attached.' SUP pcimPolicy MAY ( pcimPolicyInstanceName ) )

The pcimPolicyInstanceName attribute is used to define a user-friendly name of this class, and may be used as a naming attribute if desired. It is defined as follows:

( 1.3.6.1.1.6.2.35 NAME 'pcimPolicyInstanceName' DESC 'The user-friendly name of this policy instance.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )

A DIT content rule could be written to enable an instance of pcimPolicyInstance to have attached to it instances of one or both of the auxiliary object classes pcimConditionAuxClass and pcimActionAuxClass. Since these semantics do not include specifying any properties, the content rule would not need to specify any attributes. Note that other content rules could be defined to enable other policy-related auxiliary classes to be attached to pcimPolicyInstance.

Similarly, three separate DIT structure rules could be written. Each of these DIT structure rules would refer to a specific name form that defined two important semantics. First, each name form would identify one of the three possible naming attributes (i.e., pcimPolicyInstanceName, cn, and orderedCIMKeys) for this object class. Second, each name form would require that an instance of the pcimPolicyInstance class have as its superior an instance of the pcimRepository class. This structure rule SHOULD also include a superiorStructureRule (see Note 2 at the beginning of section 5).

5.13. The Auxiliary Class pcimElementAuxClass

This class introduces no additional attributes, beyond those defined in the class pcimPolicy from which it is derived. Its role is to "tag" an instance of a class defined outside the realm of policy information as represented by PCIM as being nevertheless relevant to a policy specification. This tagging can potentially take place at two levels:

- Every instance to which pcimElementAuxClass is attached becomes an instance of the class pcimPolicy, since pcimElementAuxClass is a subclass of pcimPolicy. Searching for object class="pcimPolicy" will return the instance. (As noted earlier, this approach does NOT work for some directory implementations. To accommodate these implementations, policy-related entries SHOULD be tagged with the pcimKeyword "POLICY".)

- With the pcimKeywords attribute that it inherits from pcimPolicy, an instance to which pcimElementAuxClass is attached can be tagged as being relevant to a particular type or category of policy information, using standard keywords, administrator-defined keywords, or both.

The class definition is as follows:

( 1.3.6.1.1.6.1.17 NAME 'pcimElementAuxClass' DESC 'An auxiliary class used to tag instances of classes defined outside the realm of policy as relevant to a particular policy specification.' SUP pcimPolicy AUXILIARY )

5.14. The Three Policy Repository Classes

These classes provide a container for reusable policy information, such as reusable policy conditions and/or reusable policy actions. This document is concerned with mapping just the properties that appear in these classes. Conceptually, this may be thought of as a special location in the DIT where policy information may reside. Since pcimRepository is derived from the class dlm1AdminDomain defined in reference [6], this specification has a normative dependency on that element of reference [6] (as well as on its entire derivation hierarchy, which also appears in reference [6]). To maximize flexibility, the pcimRepository class is defined as abstract. A subclass pcimRepositoryAuxClass provides for auxiliary attachment to another entry, while a structural subclass pcimRepositoryInstance is available to represent a policy repository as a standalone entry.

The definition for the pcimRepository class is as follows:

( 1.3.6.1.1.6.1.18 NAME 'pcimRepository' DESC 'A container for reusable policy information.' SUP dlm1AdminDomain ABSTRACT MAY ( pcimRepositoryName ) )

The pcimRepositoryName attribute is used to define a user-friendly name of this class, and may be used as a naming attribute if desired. It is defined as follows:

( 1.3.6.1.1.6.2.36 NAME 'pcimRepositoryName' DESC 'The user-friendly name of this policy repository.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )

The two subclasses of pcimRepository are defined as follows. First, the pcimRepositoryAuxClass is an auxiliary class that can be used to aggregate reusable policy information. It is defined as follows:

( 1.3.6.1.1.6.1.19 NAME 'pcimRepositoryAuxClass' DESC 'An auxiliary class that can be used to aggregate reusable policy information.' SUP pcimRepository AUXILIARY )

In cases where structural classes are needed instead of an auxiliary class, the pcimRepositoryInstance class is a structural class that can be used to aggregate reusable policy information. It is defined as follows:

( 1.3.6.1.1.6.1.20 NAME 'pcimRepositoryInstance' DESC 'A structural class that can be used to aggregate reusable policy information.' SUP pcimRepository STRUCTURAL )

Three separate DIT structure rules could be written for this class. Each of these DIT structure rules would refer to a specific name form that enabled an instance of the pcimRepository class to be named under any superior using one of the three possible naming attributes (i.e., pcimRepositoryName, cn, and orderedCIMKeys). This structure rule SHOULD also include a superiorStructureRule (see Note 2 at the beginning of section 5).

5.15. The Auxiliary Class pcimSubtreesPtrAuxClass

This auxiliary class provides a single, multi-valued attribute that references a set of objects that are at the root of DIT subtrees containing policy-related information. By attaching this attribute to instances of various other classes, a policy administrator has a flexible way of providing an entry point into the directory that allows a client to locate and retrieve the policy information relevant to it.

It is intended that these entries are placed in the DIT such that well-known DNs can be used to reference a well-known structural entry that has the pcimSubtreesPtrAuxClass attached to it. In effect, this defines a set of entry points. Each of these entry points can contain and/or reference all related policy entries for any well-known policy domains. The pcimSubtreesPtrAuxClass functions as a tag to identify portions of the DIT that contain policy information.

This object does not provide the semantic linkages between individual policy objects, such as those between a policy group and the policy rules that belong to it. Its only role is to enable efficient bulk retrieval of policy-related objects, as described in Section 4.5.

Once the objects have been retrieved, a directory client can determine the semantic linkages by following references contained in multi-valued attributes, such as pcimRulesAuxContainedSet.

Since policy-related objects will often be included in the DIT subtree beneath an object to which this auxiliary class is attached, a client SHOULD request the policy-related objects from the subtree under the object with these references at the same time that it requests the references themselves.

Since clients are expected to behave in this way, the policy administrator SHOULD make sure that this subtree does not contain so many objects unrelated to policy that an initial search done in this way results in a performance problem. The pcimSubtreesPtrAuxClass SHOULD NOT be attached to the partition root of a large directory partition that contains a relatively small number of policy-related objects alongside a large number of objects unrelated to policy (again, "policy" here refers to the PCIM definition and use of "policy", not the X.501 one). A better approach is to introduce a container object immediately below the partition root, attach pcimSubtreesPtrAuxClass to this container object, and then place all of the policy-related objects in that subtree.

The class definition is as follows:

( 1.3.6.1.1.6.1.21 NAME 'pcimSubtreesPtrAuxClass' DESC 'An auxiliary class providing DN references to roots of DIT subtrees containing policy-related objects.' SUP top AUXILIARY MAY ( pcimSubtreesAuxContainedSet ) )

The attribute pcimSubtreesAuxContainedSet provides an unordered set of DN references to instances of one or more objects under which policy-related information is present. The objects referenced may or may not themselves contain policy-related information. The attribute definition is as follows:

( 1.3.6.1.1.6.2.37 NAME 'pcimSubtreesAuxContainedSet' DESC 'DNs of objects that serve as roots for DIT subtrees containing policy-related objects.' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )

Note that the cn attribute does NOT need to be defined for this class. This is because an auxiliary class is used as a means to collect common attributes and treat them as properties of an object. A good analogy is a #include file, except that since an auxiliary class is a class, all the benefits of a class (e.g., inheritance) can be applied to an auxiliary class.
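
The retrieval pattern this section describes (read the entry point, follow each DN in pcimSubtreesAuxContainedSet with a subtree search, then recover the semantic links from attributes such as pcimRulesAuxContainedSet) has three practical hazards: a referenced subtree may reference the entry point back, so a naive client loops; a pointer may land on a subtree full of unrelated objects, which is the layout warned against above; and the attribute is ordinary writable data, so a client should decide for itself which naming contexts it is willing to follow rather than trusting every DN it finds. The added example below (not code from RFC 3703) runs that retrieval against a constructed in-memory DIT that exhibits all three cases. The suffixes o=example and o=evil, every entry under them, and the search_subtree() stand-in for an LDAP subtree search are all hypothetical.

```python
"""Bulk retrieval of policy objects via pcimSubtreesPtrAuxClass entry points.

Added example; not text or code from RFC 3703. DIT is a constructed
in-memory stand-in for an LDAP server; o=example, o=evil and every entry
under them are hypothetical. search_subtree() plays the part of an LDAP
search with scope=subtree.
"""
from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]

# ou=PolicyEntry is the well-known entry point. It references a small policy
# subtree, a subtree with no policy objects at all (the layout section 5.15
# says to avoid) and a DN outside the naming context this client trusts.
# ou=Policy points back at the entry point, which would loop a naive client.
DIT: Dict[str, Entry] = {
    "o=example": {"objectClass": ["top", "organization"]},
    "ou=PolicyEntry,o=example": {
        "objectClass": ["top", "organizationalUnit", "pcimSubtreesPtrAuxClass"],
        "pcimSubtreesAuxContainedSet": [
            "ou=Policy,o=example", "ou=People,o=example", "ou=Policy,o=evil"]},
    "ou=Policy,o=example": {
        "objectClass": ["top", "organizationalUnit", "pcimSubtreesPtrAuxClass",
                        "pcimRuleContainmentAuxClass"],
        "pcimSubtreesAuxContainedSet": ["ou=PolicyEntry,o=example"],
        "pcimRulesAuxContainedSet": ["cn=deny-telnet,ou=Policy,o=example",
                                     "cn=gone,ou=Policy,o=example"]},
    "cn=deny-telnet,ou=Policy,o=example": {
        "objectClass": ["top", "pcimPolicy", "pcimRule", "pcimRuleInstance"],
        "pcimKeywords": ["POLICY"]},
    "cn=office-hours,ou=Policy,o=example": {
        "objectClass": ["top", "pcimPolicy", "pcimPolicyInstance",
                        "pcimConditionAuxClass", "pcimTPCAuxClass"],
        "pcimKeywords": ["POLICY"]},
    "ou=People,o=example": {"objectClass": ["top", "organizationalUnit"]},
    "uid=alice,ou=People,o=example": {"objectClass": ["top", "inetOrgPerson"]},
    "uid=bob,ou=People,o=example": {"objectClass": ["top", "inetOrgPerson"]},
}


def norm_dn(dn: str) -> str:
    """Simplified DN normalisation (case-fold, trim RDNs); a real client
    relies on the server's distinguishedNameMatch instead."""
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))


def search_subtree(dit: Dict[str, Entry], base: str) -> List[Tuple[str, Entry]]:
    """Stand-in for an LDAP search with scope=subtree rooted at base."""
    b = norm_dn(base)
    return [(dn, e) for dn, e in dit.items()
            if norm_dn(dn) == b or norm_dn(dn).endswith("," + b)]


def is_policy_entry(e: Entry) -> bool:
    """objectClass=pcimPolicy, or the POLICY keyword for servers that cannot
    search on auxiliary classes (see section 5.13)."""
    classes = {c.lower() for c in e.get("objectClass", [])}
    return "pcimpolicy" in classes or "POLICY" in e.get("pcimKeywords", [])


def collect_policy(dit: Dict[str, Entry], entry_point: str,
                   trusted_context: str) -> Tuple[Dict[str, Entry], List[str]]:
    """Follow pcimSubtreesAuxContainedSet from entry_point, fetching each
    referenced subtree at most once. Returns policy entries keyed by
    normalised DN, plus warnings about references not followed blindly."""
    found: Dict[str, Entry] = {}
    warnings: List[str] = []
    ctx = norm_dn(trusted_context)
    visited = {norm_dn(entry_point)}
    pending = list(dit[entry_point].get("pcimSubtreesAuxContainedSet", []))
    while pending:
        root = pending.pop()
        nroot = norm_dn(root)
        if nroot in visited:
            continue  # duplicate reference, or a cycle back to an earlier root
        visited.add(nroot)
        if not (nroot == ctx or nroot.endswith("," + ctx)):
            warnings.append(f"{root}: outside trusted context {trusted_context}")
            continue  # the attribute is writable data, not a trust decision
        hits = search_subtree(dit, root)
        if not hits:
            warnings.append(f"{root}: dangling subtree reference")
            continue
        policy = 0
        for dn, e in hits:
            if is_policy_entry(e):
                found[norm_dn(dn)] = e
                policy += 1
            pending.extend(e.get("pcimSubtreesAuxContainedSet", []))
        if policy < len(hits) - policy:
            warnings.append(f"{root}: {len(hits) - policy} unrelated vs {policy} "
                            "policy entries; point at a policy-only container")
    return found, warnings


def resolve_rules(dit: Dict[str, Entry], found: Dict[str, Entry],
                  container_dn: str) -> Tuple[List[str], List[str]]:
    """Semantic linkage after bulk retrieval: resolve a container's
    pcimRulesAuxContainedSet against the entries already fetched."""
    resolved, dangling = [], []
    for ref in dit[container_dn].get("pcimRulesAuxContainedSet", []):
        e = found.get(norm_dn(ref))
        if e and "pcimrule" in {c.lower() for c in e.get("objectClass", [])}:
            resolved.append(ref)
        else:
            dangling.append(ref)
    return resolved, dangling
```

Against this DIT, collect_policy() returns the two policy entries under ou=Policy, skips the back-reference to the entry point, refuses the o=evil pointer, and flags ou=People as a subtree that should not be referenced; resolve_rules() then turns the rule container's DN list into one resolved rule and one dangling reference, which is the kind of inconsistency a policy server should surface rather than silently ignore.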

5.16. The Auxiliary Class pcimGroupContainmentAuxClass

This auxiliary class provides a single, multi-valued attribute that references a set of pcimGroups. By attaching this attribute to instances of various other classes, a policy administrator has a flexible way of providing an entry point into the directory that allows a client to locate and retrieve the pcimGroups relevant to it.

As is the case with pcimRules, a policy administrator might have several different references to a pcimGroup in the overall directory structure. The pcimGroupContainmentAuxClass is the mechanism that makes it possible for the policy administrator to define all these different references.

The class definition is as follows:

( 1.3.6.1.1.6.1.22 NAME 'pcimGroupContainmentAuxClass' DESC 'An auxiliary class used to bind pcimGroups to an appropriate container object.' SUP top AUXILIARY MAY ( pcimGroupsAuxContainedSet ) )

The attribute pcimGroupsAuxContainedSet provides an unordered set of references to instances of one or more pcimGroups associated with the instance of a structural class to which this attribute has been appended.

The attribute definition is as follows:

( 1.3.6.1.1.6.2.38 NAME 'pcimGroupsAuxContainedSet' DESC 'DNs of pcimGroups associated in some way with the instance to which this attribute has been appended.' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )

Note that the cn attribute does NOT have to be defined for this class for the same reasons as those given for the pcimSubtreesPtrAuxClass in section 5.15.

5.17. The Auxiliary Class pcimRuleContainmentAuxClass

This auxiliary class provides a single, multi-valued attribute that references a set of pcimRules. By attaching this attribute to instances of various other classes, a policy administrator has a flexible way of providing an entry point into the directory that allows a client to locate and retrieve the pcimRules relevant to it.

A policy administrator might have several different references to a pcimRule in the overall directory structure. For example, there might be references to all pcimRules for traffic originating in a particular subnet from a directory entry that represents that subnet. At the same time, there might be references to all pcimRules related to a particular DiffServ setting from an instance of a pcimGroup explicitly introduced as a container for DiffServ-related pcimRules. The pcimRuleContainmentAuxClass is the mechanism that makes it possible for the policy administrator to define all these separate references.

The class definition is as follows:

( 1.3.6.1.1.6.1.23 NAME 'pcimRuleContainmentAuxClass' DESC 'An auxiliary class used to bind pcimRules to an appropriate container object.' SUP top AUXILIARY MAY ( pcimRulesAuxContainedSet ) )

The attribute pcimRulesAuxContainedSet provides an unordered set of references to one or more instances of pcimRules associated with the instance of a structural class to which this attribute has been appended. The attribute definition is as follows:

( 1.3.6.1.1.6.2.39 NAME 'pcimRulesAuxContainedSet' DESC 'DNs of pcimRules associated in some way with the instance to which this attribute has been appended.' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )

The cn attribute does NOT have to be defined for this class for the same reasons as those given for the pcimSubtreesPtrAuxClass in section 5.15.

6. Extending the Classes Defined in This Document

The following subsections provide general guidance on how to create a domain-specific schema derived from this document, discuss how the vendor classes in the PCLS should be used, and explain how policyTimePeriodConditions are related to other policy conditions.

6.1. Subclassing pcimConditionAuxClass and pcimActionAuxClass

In Section 4.4, there is a discussion of how, by representing policy conditions and policy actions as auxiliary classes in a schema, the flexibility is retained to instantiate a particular condition or action as either rule-specific or reusable. This flexibility is lost if a condition or action class is defined as structural rather than auxiliary. For standardized schemata, this document specifies that domain-specific information MUST be expressed in auxiliary subclasses of pcimConditionAuxClass and pcimActionAuxClass. It is RECOMMENDED that non-standardized schemata follow this practice as well.

6.2. Using the Vendor Policy Attributes

As discussed in Section 5.9, the attributes pcimVendorConstraintData and pcimVendorConstraintEncoding are included in the pcimConditionVendorAuxClass to provide a mechanism for representing vendor-specific policy conditions that are not amenable to being represented with the pcimCondition class (or its subclasses). The attributes pcimVendorActionData and pcimVendorActionEncoding in the pcimActionVendorAuxClass class play the same role with respect to actions. This enables interoperability between different vendors who could not otherwise interoperate.

For example, imagine a network composed of access devices from vendor A, edge and core devices from vendor B, and a policy server from vendor C. It is desirable for this policy server to be able to configure and manage all of the devices from vendors A and B. Unfortunately, these devices will in general have little in common (e.g., different mechanisms, different ways of controlling those mechanisms, different operating systems, different commands, and so forth). The vendor extension classes for conditions and actions provide a way for vendor-specific commands to be encoded as octet strings, so that a single policy server can manage devices from different vendors through one common schema.

6.3. Using Time Validity Periods

Time validity periods are defined as an auxiliary subclass of pcimConditionAuxClass, called pcimTPCAuxClass. This is to allow their inclusion in the AND/OR condition definitions for a pcimRule. Care should be taken not to subclass pcimTPCAuxClass to add domain-specific condition properties.

For example, it would be incorrect to add IPsec- or QoS-specific condition properties to the pcimTPCAuxClass class, just because IPsec or QoS includes time in its condition definition. The correct subclassing would be to create IPsec or QoS-specific subclasses of pcimConditionAuxClass and then combine instances of these domain-specific condition classes with the appropriate validity period criteria. This is accomplished using the AND/OR association capabilities for policy conditions in pcimRules.

7. Security Considerations

The PCLS, presented in this document, provides a mapping of the object-oriented model for describing policy information (PCIM) into a data model that forms the basic framework for describing the structure of policy data, in the case where the policy repository takes the form of an LDAP-accessible directory.

PCLS is not intended to represent any particular system design or implementation. PCLS is not directly usable in a real-world system without the discipline-specific mappings that are works in progress in the Policy Framework Working Group of the IETF.

These other derivative documents, which use PCIM and its discipline-specific extensions as a base, will need to convey more specific security considerations (refer to RFC 3060 for more information).

The reason that PCLS, as defined here, is not representative of any real-world system, is that its object classes were designed to be independent of any specific discipline, or policy domain. For example, DiffServ and IPsec represent two different policy domains. Each document that extends PCIM to one of these domains will derive subclasses from the classes and relationships defined in PCIM, in order to represent extensions of a generic model to cover specific technical domains.

PCIM-derived documents will thus subclass the PCIM classes into classes specific to each technical policy domain (QOS, IPsec, etc.), which will, in turn, be mapped, to directory-specific schemata consistent with the PCLS documented here.

Even though discipline-specific security requirements are not appropriate for PCLS, specific security requirements MUST be defined for each operational real-world application of PCIM. Just as there will be a wide range of operational, real-world systems using PCIM, there will also be a wide range of security requirements for these systems. Some operational, real-world systems that are deployed using PCLS may have extensive security requirements that impact nearly all object classes utilized by such a system, while other systems' security requirements might have very little impact.

The derivative documents, discussed above, will create the context for applying operational, real-world, system-level security requirements against the various models that derive from PCIM, consistent with PCLS.

In some real-world scenarios, the values associated with certain properties, within certain instantiated object classes, may represent information associated with scarce, and/or costly (and therefore valuable) resources. It may be the case that these values must not be disclosed to, or manipulated by, unauthorized parties.

Since this document forms the basis for the representation of a policy data model in a specific format (an LDAP-accessible directory), it is appropriate here to reference the data-model-specific tools and mechanisms that are available for achieving the authentication and authorization implicit in a requirement that restricts read and/or read-write access to these values stored in a directory.

General LDAP security considerations apply, as documented in RFC 3377 [2]. LDAP-specific authentication and authorization tools and mechanisms are found in the following standards track documents, which are appropriate for application to the management of security applied to policy data models stored in an LDAP-accessible directory:

- RFC 2829 (Authentication Methods for LDAP)
- RFC 2830 (Lightweight Directory Access Protocol (v3): Extension for Transport Layer Security)

Any identified security requirements that are not dealt with in the appropriate discipline-specific information model documents, or in this document, MUST be dealt with in the derivative data model documents which are specific to each discipline.

8. IANA Considerations

Refer to RFC 3383, "Internet Assigned Numbers Authority (IANA) Considerations for the Lightweight Directory Access Protocol (LDAP)" [16].

8.1. Object Identifiers

The IANA has registered an LDAP Object Identifier for use in this technical specification according to the following template:

   Subject: Request for LDAP OID Registration
   Person & email address to contact for further information:
      Bob Moore (remoore@us.ibm.com)
   Specification: RFC 3703
   Author/Change Controller: IESG
   Comments: The assigned OID will be used as a base for identifying a
      number of schema elements defined in this document.

IANA has assigned an OID of 1.3.6.1.1.6 with the name of pcimSchema to this registration as recorded in the following registry:

      http://www.iana.org/assignments/smi-numbers
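
Because every class and attribute in this specification lives under the single IANA-registered arc 1.3.6.1.1.6 (object classes under .1, attribute types under .2, as the descriptor table in 8.2 shows), a schema file that is about to be loaded next to these definitions can be checked mechanically before it is trusted: a definition that reuses a registered descriptor name under a different OID would shadow the standard class, and a definition that places a new OID under the IANA arc would be squatting on an arc whose change controller is the IESG. The added example below (not code from RFC 3703) parses definitions of the form used throughout section 5, builds a descriptor-to-OID registry from rows of the 8.2 table plus the definitions quoted from sections 5.10 to 5.15 (DESC text abridged), and audits a constructed vendor schema file against it. The vendor file, the enterprise arc 1.3.6.1.4.1.99999 and the acme* names in it are hypothetical.

```python
"""Audit an LDAP schema file before loading it beside the pcimSchema classes.

Added example; not text or code from RFC 3703. PAGE_SCHEMA and TABLE quote
(with DESC text abridged) definitions and descriptor rows from sections 5
and 8.2; VENDOR_SCHEMA is a constructed, deliberately faulty vendor file and
1.3.6.1.4.1.99999 is a hypothetical enterprise arc.
"""
import re
from typing import Dict, List

PCIM_ARC = "1.3.6.1.1.6"                  # registered by IANA, section 8.1
CLASS_ARC, ATTR_ARC = PCIM_ARC + ".1.", PCIM_ARC + ".2."
BUILTIN = {"top"}                         # provided by every LDAP server
EXTERNAL = {"dlm1AdminDomain"}            # normative dependency on reference [6]

PAGE_SCHEMA = """
( 1.3.6.1.1.6.1.14 NAME 'pcimActionAuxClass' DESC 'An action to perform.' SUP top AUXILIARY )
( 1.3.6.1.1.6.1.15 NAME 'pcimActionVendorAuxClass' DESC 'Vendor action.' SUP pcimActionAuxClass AUXILIARY MAY ( pcimVendorActionData $ pcimVendorActionEncoding ) )
( 1.3.6.1.1.6.2.33 NAME 'pcimVendorActionData' DESC 'Opaque action data.' EQUALITY octetStringMatch ORDERING octetStringOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
( 1.3.6.1.1.6.2.34 NAME 'pcimVendorActionEncoding' DESC 'Format OID.' EQUALITY objectIdentifierMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 SINGLE-VALUE )
( 1.3.6.1.1.6.1.16 NAME 'pcimPolicyInstance' DESC 'Reusable policy holder.' SUP pcimPolicy MAY ( pcimPolicyInstanceName ) )
( 1.3.6.1.1.6.2.35 NAME 'pcimPolicyInstanceName' DESC 'Friendly name.' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
( 1.3.6.1.1.6.1.18 NAME 'pcimRepository' DESC 'Reusable policy container.' SUP dlm1AdminDomain ABSTRACT MAY ( pcimRepositoryName ) )
( 1.3.6.1.1.6.2.36 NAME 'pcimRepositoryName' DESC 'Friendly name.' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
( 1.3.6.1.1.6.1.21 NAME 'pcimSubtreesPtrAuxClass' DESC 'Entry point.' SUP top AUXILIARY MAY ( pcimSubtreesAuxContainedSet ) )
( 1.3.6.1.1.6.2.37 NAME 'pcimSubtreesAuxContainedSet' DESC 'Subtree roots.' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
"""

# Rows quoted from the section 8.2 table (O = object class, A = attribute).
TABLE = """
pcimPolicy                      O       1.3.6.1.1.6.1.1
pcimRule                        O       1.3.6.1.1.6.1.5
pcimConditionAuxClass           O       1.3.6.1.1.6.1.11
pcimActionAuxClass              O       1.3.6.1.1.6.1.14
pcimActionVendorAuxClass        O       1.3.6.1.1.6.1.15
pcimPolicyInstance              O       1.3.6.1.1.6.1.16
pcimRepository                  O       1.3.6.1.1.6.1.18
pcimSubtreesPtrAuxClass         O       1.3.6.1.1.6.1.21
pcimKeywords                    A       1.3.6.1.1.6.2.3
"""

# Constructed vendor file: shadows a registered name, squats on the IANA arc.
VENDOR_SCHEMA = """
( 1.3.6.1.4.1.99999.1.5 NAME 'pcimActionAuxClass' DESC 'Replaces the standard class.' SUP top AUXILIARY MAY ( acmeActionScript ) )
( 1.3.6.1.1.6.1.99 NAME 'acmeShaperAction' DESC 'Squats on the IANA arc.' SUP pcimActionAuxClass AUXILIARY )
( 1.3.6.1.4.1.99999.2.1 NAME 'acmeActionScript' DESC 'Opaque script.' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
"""


def parse(schema: str) -> List[Dict]:
    """Parse one RFC 4512-style definition per line into a small dict."""
    defs = []
    for line in schema.strip().splitlines():
        body = re.sub(r"DESC\s+'[^']*'", "", line).strip()
        m = re.match(r"\(\s*([\d.]+)\s+NAME\s+'([^']+)'\s*(.*)\)\s*$", body)
        if not m:
            raise ValueError(f"unparseable definition: {line!r}")
        oid, name, rest = m.groups()
        may = re.search(r"\bMAY\s*\(([^)]*)\)", rest)
        defs.append({
            "oid": oid, "name": name,
            "kind": "attribute" if "SYNTAX" in rest else "class",
            "sup": re.findall(r"\bSUP\s+([\w-]+)", rest),
            "may": re.findall(r"[\w-]+", may.group(1)) if may else [],
        })
    return defs


def registry_from(table: str, schema: str) -> Dict[str, str]:
    """Descriptor -> OID map: the 8.2 table rows plus the quoted definitions."""
    reg = dict(re.findall(r"^\s*([\w-]+)\s+[OA]\s+([\d.]+)\s*$", table, re.M))
    reg.update({d["name"]: d["oid"] for d in parse(schema)})
    return reg


def audit(schema: str, registry: Dict[str, str]) -> Dict[str, List[str]]:
    """Findings that should block loading (shadowed or squatted identifiers,
    duplicate OIDs, dangling SUP/MAY) and notes on external dependencies."""
    errors, notes = [], []
    defs = parse(schema)
    known = set(registry) | {d["name"] for d in defs} | BUILTIN | EXTERNAL
    owner = {o: n for n, o in registry.items()}
    seen = set()
    for d in defs:
        n, o = d["name"], d["oid"]
        if o in seen:
            errors.append(f"{n}: OID {o} defined twice in this file")
        seen.add(o)
        if registry.get(n, o) != o:
            errors.append(f"{n}: OID {o} shadows registered {registry[n]}")
        if owner.get(o, n) != n:
            errors.append(f"{n}: OID {o} is registered to {owner[o]}")
        if o.startswith(PCIM_ARC + "."):
            if n not in registry:
                errors.append(f"{n}: unregistered OID {o} under the IANA pcimSchema arc")
            want = CLASS_ARC if d["kind"] == "class" else ATTR_ARC
            if not o.startswith(want):
                errors.append(f"{n}: {d['kind']} OID {o} is not under {want}")
        for s in d["sup"]:
            if s in EXTERNAL:
                notes.append(f"{n}: SUP {s} comes from reference [6]; load that schema first")
            elif s not in known:
                errors.append(f"{n}: SUP {s} is undefined")
        errors += [f"{n}: MAY {a} is undefined" for a in d["may"] if a not in known]
    return {"errors": errors, "notes": notes}


REGISTRY = registry_from(TABLE, PAGE_SCHEMA)
```

Auditing PAGE_SCHEMA against REGISTRY yields no errors and a single note, the dlm1AdminDomain dependency that pcimRepository inherits from reference [6]; auditing VENDOR_SCHEMA yields two errors, one for the redefinition of pcimActionAuxClass under a private OID and one for acmeShaperAction claiming 1.3.6.1.1.6.1.99. The third vendor definition, under the vendor's own arc with a new name, passes, which is the shape a legitimate extension of this schema takes.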
        
8.2. Object Identifier Descriptors

The IANA has registered the LDAP Descriptors used in this technical specification as detailed in the following template:

   Subject: Request for LDAP Descriptor Registration Update
   Descriptor (short name): see comment
   Object Identifier: see comment
   Person & email address to contact for further information:
      Bob Moore (remoore@us.ibm.com)
   Usage: see comment
   Specification: RFC 3703
   Author/Change Controller: IESG
   Comments:

The following descriptors have been added:

   NAME                            Type    OID
   --------------                  ----    ------------
   pcimPolicy                      O       1.3.6.1.1.6.1.1
   pcimGroup                       O       1.3.6.1.1.6.1.2
   pcimGroupAuxClass               O       1.3.6.1.1.6.1.3
   pcimGroupInstance               O       1.3.6.1.1.6.1.4
   pcimRule                        O       1.3.6.1.1.6.1.5
   pcimRuleAuxClass                O       1.3.6.1.1.6.1.6
   pcimRuleInstance                O       1.3.6.1.1.6.1.7
   pcimRuleConditionAssociation    O       1.3.6.1.1.6.1.8
   pcimRuleValidityAssociation     O       1.3.6.1.1.6.1.9
   pcimRuleActionAssociation       O       1.3.6.1.1.6.1.10
   pcimConditionAuxClass           O       1.3.6.1.1.6.1.11
   pcimTPCAuxClass                 O       1.3.6.1.1.6.1.12
   pcimConditionVendorAuxClass     O       1.3.6.1.1.6.1.13
   pcimActionAuxClass              O       1.3.6.1.1.6.1.14
   pcimActionVendorAuxClass        O       1.3.6.1.1.6.1.15
   pcimPolicyInstance              O       1.3.6.1.1.6.1.16
   pcimElementAuxClass             O       1.3.6.1.1.6.1.17
   pcimRepository                  O       1.3.6.1.1.6.1.18
   pcimRepositoryAuxClass          O       1.3.6.1.1.6.1.19
   pcimRepositoryInstance          O       1.3.6.1.1.6.1.20
   pcimSubtreesPtrAuxClass         O       1.3.6.1.1.6.1.21
   pcimGroupContainmentAuxClass    O       1.3.6.1.1.6.1.22
   pcimRuleContainmentAuxClass     O       1.3.6.1.1.6.1.23
   pcimKeywords                    A       1.3.6.1.1.6.2.3
   pcimGroupName                   A       1.3.6.1.1.6.2.4
   pcimRuleName                    A       1.3.6.1.1.6.2.5
   pcimRuleEnabled                 A       1.3.6.1.1.6.2.6
   pcimRuleConditionListType       A       1.3.6.1.1.6.2.7
   pcimRuleConditionList           A       1.3.6.1.1.6.2.8
   pcimRuleActionList              A       1.3.6.1.1.6.2.9
   pcimRuleValidityPeriodList      A       1.3.6.1.1.6.2.10
   pcimRuleUsage                   A       1.3.6.1.1.6.2.11
   pcimRulePriority                A       1.3.6.1.1.6.2.12
   pcimRuleMandatory               A       1.3.6.1.1.6.2.13
   pcimRuleSequencedActions        A       1.3.6.1.1.6.2.14
   pcimRoles                       A       1.3.6.1.1.6.2.15
   pcimConditionGroupNumber        A       1.3.6.1.1.6.2.16
   pcimConditionNegated            A       1.3.6.1.1.6.2.17
   pcimConditionName               A       1.3.6.1.1.6.2.18
   pcimConditionDN                 A       1.3.6.1.1.6.2.19
   pcimValidityConditionName       A       1.3.6.1.1.6.2.20
   pcimTimePeriodConditionDN       A       1.3.6.1.1.6.2.21
   pcimActionName                  A       1.3.6.1.1.6.2.22
   pcimActionOrder                 A       1.3.6.1.1.6.2.23
   pcimActionDN                    A       1.3.6.1.1.6.2.24
   pcimTPCTime                     A       1.3.6.1.1.6.2.25
   pcimTPCMonthOfYearMask          A       1.3.6.1.1.6.2.26
   pcimTPCDayOfMonthMask           A       1.3.6.1.1.6.2.27
   pcimTPCDayOfWeekMask            A       1.3.6.1.1.6.2.28
   pcimTPCTimeOfDayMask            A       1.3.6.1.1.6.2.29
   pcimTPCLocalOrUtcTime           A       1.3.6.1.1.6.2.30
   pcimVendorConstraintData        A       1.3.6.1.1.6.2.31
   pcimVendorConstraintEncoding    A       1.3.6.1.1.6.2.32
   pcimVendorActionData            A       1.3.6.1.1.6.2.33
   pcimVendorActionEncoding        A       1.3.6.1.1.6.2.34
   pcimPolicyInstanceName          A       1.3.6.1.1.6.2.35
   pcimRepositoryName              A       1.3.6.1.1.6.2.36
   pcimSubtreesAuxContainedSet     A       1.3.6.1.1.6.2.37
   pcimGroupsAuxContainedSet       A       1.3.6.1.1.6.2.38
   pcimRulesAuxContainedSet        A       1.3.6.1.1.6.2.39

where Type A is Attribute, Type O is ObjectClass


These assignments are recorded in the following registry:


      http://www.iana.org/assignments/ldap-parameters
        
9. Acknowledgments

We would like to thank Kurt Zeilenga, Roland Hedburg, and Steven Legg for doing a review of this document and making many helpful suggestions and corrections.


Several of the policy classes in this model first appeared in early IETF drafts on IPsec policy and QoS policy. The authors of these drafts were Partha Bhattacharya, Rob Adams, William Dixon, Roy Pereira, Raju Rajan, Jean-Christophe Martin, Sanjay Kamat, Michael See, Rajiv Chaudhury, Dinesh Verma, George Powers, and Raj Yavatkar.


This document is closely aligned with the work being done in the Distributed Management Task Force (DMTF) Policy and Networks working groups. We would especially like to thank Lee Rafalow, Glenn Waters, David Black, Michael Richardson, Mark Stevens, David Jones, Hugh Mahon, Yoram Snir, and Yoram Ramberg for their helpful comments.


10. Appendix: Constructing the Value of orderedCIMKeys

This appendix is non-normative, and is included in this document as a guide to implementers that wish to exchange information between CIM schemata and LDAP schemata.


Within a CIM name space, the naming is basically flat; all instances are identified by the values of their key properties, and each combination of key values must be unique. A limited form of hierarchical naming is available in CIM, however, by using weak associations: since a weak association involves propagation of key properties and their values from the superior object to the subordinate one, the subordinate object can be thought of as being named "under" the superior object. Once they have been propagated, however, propagated key properties and their values function in exactly the same way that native key properties and their values do in identifying a CIM instance.


The CIM mapping document [6] introduces a special attribute, orderedCIMKeys, to help map from the CIM_ManagedElement class to the LDAP class dlm1ManagedElement. This attribute SHOULD only be used in an environment where it is necessary to map between an LDAP-accessible directory and a CIM repository. For an LDAP environment, other LDAP naming attributes are defined (i.e., cn and a class-specific naming attribute) that SHOULD be used instead.


The role of orderedCIMKeys is to represent the information necessary to correlate an entry in an LDAP-accessible directory with an instance in a CIM name space. Depending on how naming of CIM-related entries is handled in an LDAP directory, the value of orderedCIMKeys represents one of two things:


- If the DIT hierarchy does not mirror the "weakness hierarchy" of the CIM name space, then orderedCIMKeys represents all the keys of the CIM instance, both native and propagated.

- If the DIT hierarchy does mirror the "weakness hierarchy" of the CIM name space, then orderedCIMKeys may represent either all the keys of the instance, or only the native keys.


Regardless of which of these alternatives is taken, the syntax of orderedCIMKeys is the same - a DirectoryString of the form


       <className>.<key>=<value>[,<key>=<value>]*
        
where the <key>=<value> elements are ordered by the names of the key properties, according to the collating sequence for US ASCII. The only spaces allowed in the DirectoryString are those that fall within a <value> element. As with alphabetizing the key properties, the goal of suppressing the spaces is once again to make the results of string operations predictable.


The values of the <value> elements are derived from the various CIM syntaxes according to a grammar specified in [5].

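As an added illustration (not code from the RFC or from the DMTF mapping document), the canonical form described above, built and validated in Python. It assumes that key names and <value> elements contain neither ',' nor '=', since the <value> grammar itself is specified in [5] and not reproduced here.

```python
"""Build and validate orderedCIMKeys values of the form
<className>.<key>=<value>[,<key>=<value>]* (RFC 3703 appendix).
Added example; it assumes key names and values contain neither ','
nor '=', so the string can be split on those delimiters."""


def _check_token(token: str, what: str) -> None:
    # Spaces are only allowed inside a <value>; class and key names
    # must be non-empty and free of spaces and of the delimiters.
    if not token or any(c in token for c in " .,="):
        raise ValueError(f"invalid {what}: {token!r}")


def build_ordered_cim_keys(class_name: str, keys: dict) -> str:
    """Serialise a class name and its key properties in canonical form.

    Key names are ordered by the US ASCII collating sequence, which is
    what sorted() does on ASCII str input ('Zeta' sorts before 'alpha',
    unlike a case-insensitive alphabetisation).
    """
    _check_token(class_name, "className")
    parts = []
    for name in sorted(keys):
        _check_token(name, "key")
        value = str(keys[name])
        if "," in value or "=" in value:
            raise ValueError(f"value for {name!r} contains a delimiter")
        parts.append(f"{name}={value}")
    if not parts:
        raise ValueError("at least one key property is required")
    return f"{class_name}." + ",".join(parts)


def parse_ordered_cim_keys(text: str):
    """Parse a value, raising ValueError on anything non-canonical.

    Rejects spaces outside <value> elements, keys out of ASCII order and
    duplicate keys, so that two strings naming the same CIM instance
    are guaranteed to compare equal as plain strings.
    """
    class_name, sep, rest = text.partition(".")
    if not sep:
        raise ValueError("missing '.' after className")
    _check_token(class_name, "className")
    keys = {}
    previous = None
    for element in rest.split(","):
        name, sep, value = element.partition("=")
        if not sep:
            raise ValueError(f"missing '=' in {element!r}")
        _check_token(name, "key")
        if name in keys:
            raise ValueError(f"duplicate key {name!r}")
        if previous is not None and not previous < name:
            raise ValueError(f"key {name!r} out of ASCII order")
        keys[name] = value
        previous = name
    return class_name, keys


if __name__ == "__main__":
    # Constructed sample instance (not from the RFC).
    text = build_ordered_cim_keys(
        "CIM_Foo", {"Name": "a b", "CreationClassName": "CIM_Foo"})
    print(text)  # CIM_Foo.CreationClassName=CIM_Foo,Name=a b
    assert parse_ordered_cim_keys(text)[1]["Name"] == "a b"
```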

11. References
11.1. Normative References

[1] Moore, B., Ellesson, E., Strassner, J. and A. Westerinen, "Policy Core Information Model -- Version 1 Specification", RFC 3060, February 2001.


[2] Hodges, J. and R. Morgan, "Lightweight Directory Access Protocol (v3): Technical Specification", RFC 3377, September 2002.


[3] Wahl, M., Coulbeck, A., Howes, T. and S. Kille, "Lightweight Directory Access Protocol (v3): Attribute Syntax Definitions", RFC 2252, December 1997.


[4] The Directory: Models. ITU-T Recommendation X.501, 2001.


[5] Distributed Management Task Force, Inc., "Common Information Model (CIM) Specification", Version 2.2, June 14, 1999. This document is available on the following DMTF web page: http://www.dmtf.org/standards/documents/CIM/DSP0004.pdf

[6] Distributed Management Task Force, Inc., "DMTF LDAP Schema for the CIM v2.5 Core Information Model", April 15, 2002. This document is available on the following DMTF web page: http://www.dmtf.org/standards/documents/DEN/DSP0123.pdf

[7] Wahl, M., "A Summary of the X.500(96) User Schema for use with LDAPv3", RFC 2256, December 1997.


[8] The Directory: Selected Attribute Types. ITU-T Recommendation X.520, 2001.


[9] Zeilenga, K., Ed., "Lightweight Directory Access Protocol (LDAP): Additional Matching Rules", RFC 3698, February 2004.


[10] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.


11.2. Informative References

[11] Hovey, R. and S. Bradner, "The Organizations Involved in the IETF Standards Process", BCP 11, RFC 2028, October 1996.


[12] Strassner, J., policy architecture BOF presentation, 42nd IETF Meeting, Chicago, Illinois, October 1998. Minutes of this BOF are available at the following location: http://www.ietf.org/proceedings/98aug/index.html.


[13] Yavatkar, R., Guerin, R. and D. Pendarakis, "A Framework for Policy-based Admission Control", RFC 2753, January 2000.


[14] Wahl, M., Alvestrand, H., Hodges, J. and R. Morgan, "Authentication Methods for LDAP", RFC 2829, May 2000.


[15] Hodges, J., Morgan, R. and M. Wahl, "Lightweight Directory Access Protocol (v3): Extension for Transport Layer Security", RFC 2830, May 2000.


[16] Zeilenga, K., "Internet Assigned Numbers Authority (IANA) Considerations for the Lightweight Directory Access Protocol (LDAP)", BCP 64, RFC 3383, September 2002.


12. Authors' Addresses

   John Strassner
   Intelliden Corporation
   90 South Cascade Avenue
   Colorado Springs, CO 80903

   Phone: +1.719.785.0648
   Fax:   +1.719.785.0644
   EMail: john.strassner@intelliden.com
        

   Bob Moore
   IBM Corporation
   P. O. Box 12195, BRQA/B501/G206
   3039 Cornwallis Rd.
   Research Triangle Park, NC 27709-2195

   Phone: +1 919-254-4436
   Fax:   +1 919-254-6243
   EMail: remoore@us.ibm.com
        

   Ryan Moats
   Lemur Networks, Inc.
   15621 Drexel Circle
   Omaha, NE 68135

   Phone: +1-402-894-9456
   EMail: rmoats@lemurnetworks.net
        

   Ed Ellesson
   3026 Carriage Trail
   Hillsborough, NC 27278

   Phone: +1 919-644-3977
   EMail: ellesson@mindspring.com
        
13. Full Copyright Statement

Copyright (C) The Internet Society (2004). This document is subject to the rights, licenses and restrictions contained in BCP 78 and except as set forth therein, the authors retain all their rights.


This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.


Intellectual Property


The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79.


Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr.


The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org.


Acknowledgement


Funding for the RFC Editor function is currently provided by the Internet Society.
