Information technology — Open systems interconnection — Part 2: The Directory: Models — Amendment 2: Miscellaneous enhancements

Information technology — Open systems interconnection (OSI) — Part 2: Title missing — Amendment 2: Title missing

General Information

Status
Published
Publication Date
15-May-2025
Current Stage
6060 - International Standard published
Start Date
16-May-2025
Due Date
21-Jun-2025
Completion Date
16-May-2025

Standard
ISO/IEC 9594-2:2020/Amd 2:2025 - Information technology — Open systems interconnection — Part 2: The Directory: Models — Amendment 2: Miscellaneous enhancements. Released: 16.05.2025
English language
34 pages

Standards Content (Sample)


International Standard
ISO/IEC 9594-2
Ninth edition 2020-11
AMENDMENT 2 2025-05
Information technology — Open systems interconnection — Part 2: The Directory: Models
AMENDMENT 2: Miscellaneous enhancements
Reference number ISO/IEC 9594-2:2020/Amd. 2:2025(en) © ISO/IEC 2025

© ISO/IEC 2025
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
© ISO/IEC 2025 – All rights reserved
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical activity.
ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the
different types of document should be noted.
ISO and IEC draw attention to the possibility that the implementation of this document may involve the
use of (a) patent(s). ISO and IEC take no position concerning the evidence, validity or applicability of any
claimed patent rights in respect thereof. As of the date of publication of this document, ISO and IEC had
not received notice of (a) patent(s) which may be required to implement this document. However,
implementers are cautioned that this may not represent the latest information, which may be obtained
from the patent database available at www.iso.org/patents and https://patents.iec.ch. ISO and IEC shall
not be held responsible for identifying any or all such patent rights.
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to the
World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT),
see www.iso.org/iso/foreword.html. In the IEC, see www.iec.ch/understanding-standards.
This document was prepared by ITU-T as ITU-T X.501 (2019) Amd. 2 (10/2024) and drafted in
accordance with its editorial rules, in collaboration with Joint Technical Committee ISO/IEC JTC 1,
Information technology, Subcommittee SC 6, Telecommunications and information exchange between
systems.
A list of all parts in the ISO/IEC 9594 series can be found on the ISO and IEC websites.
Any feedback or questions on this document should be directed to the user’s national standards body.
A complete listing of these bodies can be found at www.iso.org/members.html and
www.iec.ch/national-committees.
Rec. ITU-T X.501 (2019) Amd. 2 (10/2024)
INTERNATIONAL STANDARD ISO/IEC 9594-2
RECOMMENDATION ITU-T X.501
Information technology – Open Systems Interconnection – The Directory: Models

Amendment 2
Miscellaneous enhancements
Summary
Recommendation ITU-T X.501 (2019) | International Standard ISO/IEC 9594-2:2020, Amendment 2 introduces text
updates to facilitate separation between cybersecurity ASN.1 modules and directory ASN.1 modules.

History
Edition Recommendation Approval Study Group Unique ID
1.0 ITU-T X.501 1988-11-25 11.1002/1000/2997
2.0 ITU-T X.501 1993-11-16 7 11.1002/1000/2998
3.0 ITU-T X.501 1997-08-09 7 11.1002/1000/4122
3.1   ITU-T X.501 (1997) Technical Cor. 1 2000-03-31 7 11.1002/1000/5031
3.2   ITU-T X.501 (1997) Amd. 1 2000-03-31 7 11.1002/1000/5030
3.3   ITU-T X.501 (1997) Technical Cor. 2 2001-02-02 7 11.1002/1000/5308
3.4   ITU-T X.501 (1997) Technical Cor. 3 2005-05-14 17 11.1002/1000/8499
4.0 ITU-T X.501 2001-02-02 7 11.1002/1000/5310
4.1   ITU-T X.501 (2001) Technical Cor. 1 2005-05-14 17 11.1002/1000/8500
4.2   ITU-T X.501 (2001) Technical Cor. 2 2005-11-29 17 11.1002/1000/8634
4.3   ITU-T X.501 (2001) Cor. 3 2008-05-29 17 11.1002/1000/9431
5.0 ITU-T X.501 2005-08-29 17 11.1002/1000/8489
5.1   ITU-T X.501 (2005) Cor. 1 2008-05-29 17 11.1002/1000/9432
5.2   ITU-T X.501 (2005) Cor. 2 2008-11-13 17 11.1002/1000/9589
5.3   ITU-T X.501 (2005) Cor. 3 2011-02-13 17 11.1002/1000/11040
5.4   ITU-T X.501 (2005) Cor. 4 2012-04-13 17 11.1002/1000/11575
6.0 ITU-T X.501 2008-11-13 17 11.1002/1000/9588
6.1   ITU-T X.501 (2008) Cor. 1 2011-02-13 17 11.1002/1000/11041
6.2   ITU-T X.501 (2008) Cor. 2 2012-04-13 17 11.1002/1000/11576
6.3   ITU-T X.501 (2008) Cor. 3 2012-10-14 17 11.1002/1000/11734
7.0 ITU-T X.501 2012-10-14 17 11.1002/1000/11733
8.0 ITU-T X.501 2016-10-14 17 11.1002/1000/13030
9.0 ITU-T X.501 2019-10-14 17 11.1002/1000/14032
9.1   ITU-T X.501 (2019) Amd. 1 2021-10-14 17 11.1002/1000/14790
9.2   ITU-T X.501 (2019) Amd. 2 2024-10-29 17 11.1002/1000/16171

To access the Recommendation, type the URL https://handle.itu.int/ in the address field of your web browser, followed by the
Recommendation's unique ID.
FOREWORD
The International Telecommunication Union (ITU) is the United Nations specialized agency in the field of
telecommunications, and information and communication technologies (ICTs). The ITU Telecommunication
Standardization Sector (ITU-T) is a permanent organ of ITU. ITU-T is responsible for studying technical,
operating and tariff questions and issuing Recommendations on them with a view to standardizing
telecommunications on a worldwide basis.
The World Telecommunication Standardization Assembly (WTSA), which meets every four years, establishes
the topics for study by the ITU-T study groups which, in turn, produce Recommendations on these topics.
The approval of ITU-T Recommendations is covered by the procedure laid down in WTSA Resolution 1.
In some areas of information technology which fall within ITU-T's purview, the necessary standards are
prepared on a collaborative basis with ISO and IEC.

NOTE
In this Recommendation, the expression "Administration" is used for conciseness to indicate both a
telecommunication administration and a recognized operating agency.
Compliance with this Recommendation is voluntary. However, the Recommendation may contain certain
mandatory provisions (to ensure, e.g., interoperability or applicability) and compliance with the
Recommendation is achieved when all of these mandatory provisions are met. The words "shall" or some other
obligatory language such as "must" and the negative equivalents are used to express requirements. The use of
such words does not suggest that compliance with the Recommendation is required of any party.

INTELLECTUAL PROPERTY RIGHTS
ITU draws attention to the possibility that the practice or implementation of this Recommendation may involve
the use of a claimed Intellectual Property Right. ITU takes no position concerning the evidence, validity or
applicability of claimed Intellectual Property Rights, whether asserted by ITU members or others outside of
the Recommendation development process.
As of the date of approval of this Recommendation, ITU had not received notice of intellectual property,
protected by patents/software copyrights, which may be required to implement this Recommendation.
However, implementers are cautioned that this may not represent the latest information and are therefore
strongly urged to consult the appropriate ITU-T databases available via the ITU-T website at
https://www.itu.int/ITU-T/ipr/.

© ITU 2025
All rights reserved. No part of this publication may be reproduced, by any means whatsoever, without the prior
written permission of ITU.
CONTENTS
1) Clause 5
2) Clause 8.2
3) Clause 8.4
4) Clause 8.8
5) Clause 9.2
6) Clause 9.3
7) Clause 13.3.3
8) Clause 13.4.8
9) Clause 13.5.2
10) Clause 13.7.3
11) Clause 13.9.2
12) Clause 13.12
13) Annex A
14) Annex B
15) Annex C
16) Annex D
17) Annex E
18) Annex F
19) Annex G
20) Annex H
21) Annex I

INTERNATIONAL STANDARD
ITU-T RECOMMENDATION
Information technology – Open Systems Interconnection – The Directory: Models

Amendment 2
Miscellaneous enhancements
1) Clause 5
Add the following new paragraph at the end of clause 5:
As described in Annex A, some ASN.1 symbols have been moved from the InformationFramework module (Annex B)
to the UsefulDefinitions module (Annex A). However, in the main body of text the locations of the specifications
for these ASN.1 symbols are not changed: the symbols are still logical parts of the information framework, because they
remain present in the InformationFramework module by being imported from the UsefulDefinitions module.
2) Clause 8.2
In clause 8.2 after the ASN.1 specification for Attribute, add:
NOTE 3 – This parameterized data type was moved from the InformationFramework module to the
UsefulDefinitions module after the ninth edition of this Directory Specification.
3) Clause 8.4
In clause 8.4 after the ASN.1 specification for AttributeType, add:
NOTE – This data type was moved from the InformationFramework module to the UsefulDefinitions module after
the ninth edition of this Directory Specification.
4) Clause 8.8
In clause 8.8 after the ASN.1 specification for Context, add:
NOTE 2 – This data type was moved from the InformationFramework module to the UsefulDefinitions module after
the ninth edition of this Directory Specification.
Renumber other NOTEs in clause 8.8 as required.
5) Clause 9.2
In clause 9.2 after the ASN.1 specification for Name and DomainName, add:
NOTE 2 – The Name and DomainName data types were moved from the InformationFramework module to the
UsefulDefinitions module after the ninth edition of this Directory Specification.
In clause 9.2 after the ASN.1 specification for DistinguishedName, add:
NOTE 4 – The RDNSequence and DistinguishedName data types were moved from the InformationFramework
module to the UsefulDefinitions module after the ninth edition of this Directory Specification.
Renumber other NOTEs in clause 9.2 as required.
6) Clause 9.3
In clause 9.3 after the ASN.1 specification for AttributeTypeAndValue, add:
NOTE 2 – The RelativeDistinguishedName and AttributeTypeAndValue data types were moved from the
InformationFramework module to the UsefulDefinitions module after the ninth edition of this Directory
Specification.
Renumber other NOTEs in clause 9.3 as required.
7) Clause 13.3.3
In clause 13.3.3 after the ASN.1 specification for ObjectClassKind, add:
NOTE 1 – The OBJECT-CLASS information object class and the ObjectClassKind data type were moved from the
InformationFramework module to the UsefulDefinitions module after the ninth edition of this Directory
Specification.
In clause 13.3.3 after the ASN.1 specification for top, add:
NOTE 3 – The top object class and the definition of the id-oc-top object identifier were moved from the
InformationFramework module to the UsefulDefinitions module after the ninth edition of this Directory
Specification.
Renumber the NOTEs in clause 13.3.3 as required.
8) Clause 13.4.8
In clause 13.4.8 after the ASN.1 specification for AttributeUsage, add:
NOTE 1 – The ATTRIBUTE information object class and the AttributeUsage data type were moved from the
InformationFramework module to the UsefulDefinitions module after the ninth edition of this Directory
Specification.
In clause 13.4.8 after the ASN.1 specification for objectClass, add:
NOTE 2 – The objectClass attribute type and the id-at-objectClass object identifier definition were moved from the
InformationFramework module to the UsefulDefinitions module after the ninth edition of this Directory
Specification.
Renumber other NOTEs in clause 13.4.8 as required.
9) Clause 13.5.2
In clause 13.5.2 after the ASN.1 specification for MATCHING-RULE, add:
NOTE 1 – This information object class was moved from the InformationFramework module to the
UsefulDefinitions module after the ninth edition of this Directory Specification.
In clause 13.5.2 after the ASN.1 specification for objectIdentifierMatch, add:
NOTE 4 – The objectIdentifierMatch matching rule and the definition of id-mr-objectIdentifierMatch object
identifier were moved from the InformationFramework module to the UsefulDefinitions module after the ninth
edition of this Directory Specification.
Renumber the NOTEs in clause 13.5.2 as required.
10) Clause 13.7.3
In clause 13.7.3 after the ASN.1 specification for NAME-FORM, add:
NOTE – This information object class was moved from the InformationFramework module to the UsefulDefinitions
module after the ninth edition of this Directory Specification.
11) Clause 13.9.2
In clause 13.9.2 after the ASN.1 specification for CONTEXT, add:
NOTE 1 – This information object class was moved from the InformationFramework module to the
UsefulDefinitions module after the ninth edition of this Directory Specification.
Renumber other NOTEs in clause 13.9.2 as required.
12) Clause 13.12
In clause 13.12 after the ASN.1 specification for SYNTAX-NAME, add:
NOTE – This information object class was moved from the InformationFramework module to the UsefulDefinitions
module after the ninth edition of this Directory Specification.
13) Annex A
Replace Annex A with:
Annex A
Useful definitions and object identifier usage
(This annex forms an integral part of this Recommendation | International Standard.)
It is desirable to have ASN.1 modules defined by the ITU-T X.500 series of Recommendations | ISO/IEC 9594-all parts
split into two groups:
a) The cybersecurity group, consisting of modules that relate to cybersecurity. Currently, the ASN.1 modules
defined in Rec. ITU-T X.509 | ISO/IEC 9594-8 and Rec. ITU-T X.510 | ISO/IEC 9594-11 belong to that
group, together with a few more.
b) The directory group consisting of all the current modules except those defined by Rec. ITU-T X.510 |
ISO/IEC 9594-11 and later parts related to cybersecurity.
Some modules are members of both groups.
The modules of the cybersecurity group import ASN.1 items from modules in the directory group, especially from the
modules defined by Rec. ITU-T X.501 | ISO/IEC 9594-2 and Rec. ITU-T X.520 | ISO/IEC 9594-6. Including those modules
also in the cybersecurity group causes complications due to a compounding effect. Instead, such ASN.1 items are moved to
the module defined by this annex; making that module part of both groups allows both groups to import ASN.1
items from it, avoiding duplication of specifications.
This annex also documents the upper arcs of the object identifier subtree in which all the object identifiers assigned in the
Directory Specifications reside.
The resulting ASN.1 module is called UsefulDefinitions.
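
How the relative object identifier assignments in the UsefulDefinitions module resolve to full arcs and to DER bytes, as an added Python example that is not part of the Recommendation. The `id-at`, `id-mr` and `id-lsx` aliases are defined outside this excerpt and are assumed here to equal `attributeType`, `matchingRule` and `ldap-syntax`; the decoder also rejects non-minimal sub-identifier encodings, which DER forbids.

```python
import re

# OID assignments copied from the UsefulDefinitions module text on this page.
MODULE_TEXT = """
ds ID ::= {joint-iso-itu-t ds(5)}
internet ID ::= {iso(1) identified-organization(3) dod(6) internet(1)}
ldap-enterprise ID ::= {internet private(4) enterprise(1)}
ldap-wall ID ::= {ldap-enterprise wahl(1466)}
ldap-syntax ID ::= {ldap-wall 115 121 1}
cosine ID ::= {itu-t(0) data(9) pss(2342) ucl(19200300) pilot(100)}
attributeType ID ::= {ds 4}
matchingRule ID ::= {ds 13}
id-at-commonName OBJECT IDENTIFIER ::= {id-at 3}
id-mr-caseIgnoreMatch OBJECT IDENTIFIER ::= {id-mr 2}
id-lsx-directoryString OBJECT IDENTIFIER ::= {id-lsx 15}
"""

# Assumption: these aliases are defined outside the excerpt shown on this page.
ASSUMED_ALIASES = {"id-at": "attributeType", "id-mr": "matchingRule",
                   "id-lsx": "ldap-syntax"}
# Root arcs that ASN.1 lets an OID value name without a number.
ROOT_ARCS = {"itu-t": 0, "iso": 1, "joint-iso-itu-t": 2}

ASSIGNMENT = re.compile(
    r"^([A-Za-z][\w-]*)\s+(?:ID|OBJECT IDENTIFIER)\s*::=\s*\{([^}]*)\}", re.M)
# name(number) | number | bare reference to another assignment
COMPONENT = re.compile(r"^(?:[A-Za-z][\w-]*\((\d+)\)|(\d+)|([A-Za-z][\w-]*))$")
TABLE = {m.group(1): m.group(2).split() for m in ASSIGNMENT.finditer(MODULE_TEXT)}


def resolve(name, seen=()):
    """Expand a value reference into a tuple of integer arcs."""
    if name in seen:
        raise ValueError("circular OID definition: " + name)
    if name in ROOT_ARCS:
        return (ROOT_ARCS[name],)
    if name in ASSUMED_ALIASES:
        return resolve(ASSUMED_ALIASES[name], seen + (name,))
    if name not in TABLE:
        raise KeyError("undefined OID reference: " + name)
    arcs = []
    for pos, comp in enumerate(TABLE[name]):
        m = COMPONENT.match(comp)
        if m is None:
            raise ValueError("bad OID component: " + comp)
        number_form, bare_number, reference = m.groups()
        if reference is not None:
            if pos != 0:  # a defined value may only start the list
                raise ValueError("reference not in first position: " + comp)
            arcs.extend(resolve(reference, seen + (name,)))
        else:
            arcs.append(int(number_form or bare_number))
    return tuple(arcs)


def dotted(arcs):
    return ".".join(str(a) for a in arcs)


def der_encode_oid(arcs):
    """DER-encode an OID (short-form length only, i.e. body <= 127 octets)."""
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("invalid first two arcs")
    body = bytearray()
    for sub in (40 * arcs[0] + arcs[1], *arcs[2:]):
        chunk = [sub & 0x7F]
        sub >>= 7
        while sub:  # base-128, high bit set on all but the last octet
            chunk.append(0x80 | (sub & 0x7F))
            sub >>= 7
        body.extend(reversed(chunk))
    if len(body) > 127:
        raise ValueError("long-form length not handled in this example")
    return bytes([0x06, len(body)]) + bytes(body)


def der_decode_oid(data):
    """Strict decode: reject wrong tag/length, truncation and padded sub-ids."""
    if len(data) < 3 or data[0] != 0x06 or data[1] > 127 or data[1] != len(data) - 2:
        raise ValueError("not a short-form DER OBJECT IDENTIFIER")
    body = data[2:]
    if body[-1] & 0x80:
        raise ValueError("truncated sub-identifier")
    subids, value, at_start = [], 0, True
    for octet in body:
        if at_start and octet == 0x80:  # leading zero septet is non-minimal
            raise ValueError("non-minimal sub-identifier encoding")
        value = (value << 7) | (octet & 0x7F)
        at_start = False
        if not octet & 0x80:
            subids.append(value)
            value, at_start = 0, True
    first = min(subids[0] // 40, 2)
    return (first, subids[0] - 40 * first, *subids[1:])


if __name__ == "__main__":
    for ref in ("id-at-commonName", "id-mr-caseIgnoreMatch", "id-lsx-directoryString"):
        arcs = resolve(ref)
        print(ref, dotted(arcs), der_encode_oid(arcs).hex())
```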

UsefulDefinitions {joint-iso-itu-t ds(5) module(1) usefulDefinitions(0) 10}
DEFINITIONS ::=
BEGIN
-- EXPORTS All
/*
The types and values defined in this module are exported for use in the other ASN.1
modules contained within the Directory Specifications and within the X.500
cybersecurity specifications. They may also be used by other applications which will use
them to access Directory services or cybersecurity services. Other applications
may use them for their own purposes, but this will not constrain extensions and
modifications needed to maintain or improve the Directory and cybersecurity services.
Several types and values that are part of the Directory specification have been moved from
the formal ASN.1 modules into this module also to be used by the cybersecurity modules.
The specifications in the main text of the affected Directory specification parts are
left unchanged.
*/
/*
The following ASN.1 specifications within the InformationFramework module from
Rec. ITU-T X.501 | ISO/IEC 9594-2 have been moved into this module
*/
Attribute {ATTRIBUTE:SupportedAttributes} ::= SEQUENCE {
type        ATTRIBUTE.&id({SupportedAttributes}),
values       SET SIZE (0..MAX) OF
ATTRIBUTE.&Type({SupportedAttributes}{@type}),
valuesWithContext  SET SIZE (1..MAX) OF SEQUENCE {
value        ATTRIBUTE.&Type({SupportedAttributes}{@type}),
contextList     SET SIZE (1..MAX) OF Context,
...} OPTIONAL,
... }
AttributeType ::= ATTRIBUTE.&id

Context ::= SEQUENCE {
contextType  CONTEXT.&id({SupportedContexts}),
contextValues
SET SIZE (1..MAX) OF CONTEXT.&Type({SupportedContexts}{@contextType}),
fallback    BOOLEAN DEFAULT FALSE,
... }
SupportedAttributes ATTRIBUTE ::= {...}

SupportedContexts CONTEXT ::= {...}

-- Naming
Name ::= CHOICE {
rdnSequence RDNSequence,
dnsName   DomainName,
oid     OBJECT IDENTIFIER }

DomainName ::= UTF8String (CONSTRAINED BY {
-- Conforms to the format of an (internationalized) domain name. -- })

RDNSequence ::= SEQUENCE OF RelativeDistinguishedName

RelativeDistinguishedName ::= SET SIZE (1..MAX) OF AttributeTypeAndValue

DistinguishedName ::= RDNSequence

AttributeTypeAndValue ::= SEQUENCE {
type         ATTRIBUTE.&id ({SupportedAttributes}),
value         ATTRIBUTE.&Type ({SupportedAttributes}{@type}),
... }
OBJECT-CLASS ::= CLASS {
&Superclasses     OBJECT-CLASS OPTIONAL,
&kind         ObjectClassKind DEFAULT structural,
&MandatoryAttributes ATTRIBUTE OPTIONAL,
&OptionalAttributes  ATTRIBUTE OPTIONAL,
&ldapName       SEQUENCE SIZE(1..MAX) OF UTF8String OPTIONAL,
&ldapDesc       UTF8String OPTIONAL,
&id          OBJECT IDENTIFIER UNIQUE }
WITH SYNTAX {
[SUBCLASS OF     &Superclasses]
[KIND         &kind]
[MUST CONTAIN     &MandatoryAttributes]
[MAY CONTAIN     &OptionalAttributes]
[LDAP-NAME      &ldapName]
[LDAP-DESC      &ldapDesc]
ID          &id }
ObjectClassKind ::= ENUMERATED {
abstract  (0),
structural (1),
auxiliary (2)}
top OBJECT-CLASS ::= {
KIND     abstract
MUST CONTAIN {objectClass}
LDAP-NAME   {"top"}
ID      id-oc-top }
id-oc-top OBJECT IDENTIFIER ::= {id-oc 0}

-- Information object classes from Information Framework

ATTRIBUTE ::= CLASS {
&derivation        ATTRIBUTE OPTIONAL,
&Type           OPTIONAL, -- either &Type or &derivation required
&equality-match      MATCHING-RULE OPTIONAL,
&ordering-match      MATCHING-RULE OPTIONAL,
&substrings-match     MATCHING-RULE OPTIONAL,
&single-valued      BOOLEAN DEFAULT FALSE,
&collective        BOOLEAN DEFAULT FALSE,
&dummy          BOOLEAN DEFAULT FALSE,
-- operational extensions
&no-user-modification   BOOLEAN DEFAULT FALSE,
&usage          AttributeUsage DEFAULT userApplications,
&ldapSyntax        SYNTAX-NAME.&id OPTIONAL,
&ldapName         SEQUENCE SIZE(1..MAX) OF UTF8String OPTIONAL,
&ldapDesc         UTF8String OPTIONAL,
&obsolete         BOOLEAN DEFAULT FALSE,
&id            OBJECT IDENTIFIER UNIQUE }
WITH SYNTAX {
[SUBTYPE OF        &derivation]
[WITH SYNTAX       &Type]
[EQUALITY MATCHING RULE  &equality-match]
[ORDERING MATCHING RULE  &ordering-match]
[SUBSTRINGS MATCHING RULE &substrings-match]
[SINGLE VALUE       &single-valued]
[COLLECTIVE        &collective]
[DUMMY          &dummy]
[NO USER MODIFICATION   &no-user-modification]
[USAGE          &usage]
[LDAP-SYNTAX       &ldapSyntax]
[LDAP-NAME        &ldapName]
[LDAP-DESC        &ldapDesc]
[OBSOLETE         &obsolete]
ID            &id }

AttributeUsage ::= ENUMERATED {
userApplications   (0),
directoryOperation  (1),
distributedOperation (2),
dSAOperation     (3),
... }
objectClass ATTRIBUTE ::= {
WITH SYNTAX       OBJECT IDENTIFIER
EQUALITY MATCHING RULE objectIdentifierMatch
LDAP-SYNTAX       oid.&id
LDAP-NAME        {"objectClass"}
ID           id-at-objectClass }

id-at-objectClass     OBJECT IDENTIFIER ::= {id-at 0}

-- MATCHING-RULE information object class specification

MATCHING-RULE ::= CLASS {
&ParentMatchingRules  MATCHING-RULE OPTIONAL,
&AssertionType     OPTIONAL,
&uniqueMatchIndicator  ATTRIBUTE OPTIONAL,
&ldapSyntax       SYNTAX-NAME.&id OPTIONAL,
&ldapName        SEQUENCE SIZE(1..MAX) OF UTF8String OPTIONAL,
&ldapDesc        UTF8String OPTIONAL,
&id           OBJECT IDENTIFIER UNIQUE }
WITH SYNTAX {
[PARENT         &ParentMatchingRules]
[SYNTAX         &AssertionType]
[UNIQUE-MATCH-INDICATOR &uniqueMatchIndicator]
[LDAP-SYNTAX      &ldapSyntax]
[LDAP-NAME       &ldapName]
[LDAP-DESC       &ldapDesc]
ID           &id }
objectIdentifierMatch MATCHING-RULE ::= {
SYNTAX    OBJECT IDENTIFIER
LDAP-SYNTAX oid.&id
LDAP-NAME  {"objectIdentifierMatch"}
ID      id-mr-objectIdentifierMatch }

id-mr-objectIdentifierMatch OBJECT IDENTIFIER ::= {id-mr 0}

NAME-FORM ::= CLASS {
&namedObjectClass   OBJECT-CLASS,
&MandatoryAttributes ATTRIBUTE,
&OptionalAttributes  ATTRIBUTE OPTIONAL,
&ldapName       SEQUENCE SIZE(1..MAX) OF UTF8String OPTIONAL,
&ldapDesc       UTF8String OPTIONAL,
&id          OBJECT IDENTIFIER UNIQUE }
WITH SYNTAX {
NAMES         &namedObjectClass
WITH ATTRIBUTES    &MandatoryAttributes
[AND OPTIONALLY    &OptionalAttributes]
[LDAP-NAME      &ldapName]
[LDAP-DESC      &ldapDesc]
ID          &id }
CONTEXT ::= CLASS {
&Type,
&defaultValue  &Type OPTIONAL,
&Assertion   OPTIONAL,
&absentMatch  BOOLEAN DEFAULT TRUE,
&id       OBJECT IDENTIFIER UNIQUE }
WITH SYNTAX {
WITH SYNTAX   &Type
[DEFAULT-VALUE &defaultValue]
[ASSERTED AS  &Assertion]
[ABSENT-MATCH  &absentMatch]
ID       &id }
SYNTAX-NAME ::= CLASS {
&ldapDesc        UTF8String,
&Type          OPTIONAL,
&id           OBJECT IDENTIFIER UNIQUE }
WITH SYNTAX {
LDAP-DESC        &ldapDesc
[DIRECTORY SYNTAX    &Type]
ID           &id }
/*
The following ASN.1 specifications within the SelectedAttributeTypes module from
Rec. ITU-T X.520 | ISO/IEC 9594-6 have been moved into this module
*/
UnboundedDirectoryString ::= CHOICE {
teletexString  TeletexString(SIZE (1..MAX)),
printableString PrintableString(SIZE (1..MAX)),
bmpString    BMPString(SIZE (1..MAX)),
universalString UniversalString(SIZE (1..MAX)),
uTF8String    UTF8String(SIZE (1..MAX)) }

name ATTRIBUTE ::= {
WITH SYNTAX       UnboundedDirectoryString
EQUALITY MATCHING RULE  caseIgnoreMatch
SUBSTRINGS MATCHING RULE caseIgnoreSubstringsMatch
LDAP-SYNTAX       directoryString.&id
LDAP-NAME        {"name"}
ID            id-at-name }

id-at-name OBJECT IDENTIFIER ::= {id-at 41}

commonName ATTRIBUTE ::= {
SUBTYPE OF        name
WITH SYNTAX       UnboundedDirectoryString
LDAP-SYNTAX       directoryString.&id
LDAP-NAME        {"cn", "commonName"}
ID            id-at-commonName }

id-at-commonName OBJECT IDENTIFIER ::= {id-at 3}

dnsName ATTRIBUTE ::= {
WITH SYNTAX       DomainName
EQUALITY MATCHING RULE dnsNameMatch
LDAP-SYNTAX       dnsString.&id
LDAP-NAME        {"DNS name"}
ID           id-at-dnsName }

id-at-dnsName OBJECT IDENTIFIER ::= {id-at 100}

dnsNameMatch MATCHING-RULE ::= {
SYNTAX    DomainName
LDAP-SYNTAX dnsString.&id
LDAP-NAME  {"dnsNameMatch"}
ID      id-mr-dnsNameMatch }

id-mr-dnsNameMatch OBJECT IDENTIFIER ::= {id-mr 74}

dnsString SYNTAX-NAME ::= {
LDAP-DESC     "DNS Name String"
DIRECTORY SYNTAX DomainName
ID        id-asx-dnsString }

id-asx-dnsString OBJECT IDENTIFIER ::= {id-asx 9}

objectIdentifier ATTRIBUTE ::= {
WITH SYNTAX       OBJECT IDENTIFIER
EQUALITY MATCHING RULE objectIdentifierMatch
SINGLE VALUE      TRUE
LDAP-SYNTAX       oid.&id
LDAP-NAME        {"Object Identifier"}
ID           id-at-objectIdentifier }

id-at-objectIdentifier OBJECT IDENTIFIER ::= {id-at 106}

PresentationAddress ::= SEQUENCE {
pSelector  [0] OCTET STRING OPTIONAL,
sSelector  [1] OCTET STRING OPTIONAL,
tSelector  [2] OCTET STRING OPTIONAL,
nAddresses [3] SET SIZE (1..MAX) OF OCTET STRING,
... }

caseIgnoreMatch MATCHING-RULE ::= {
SYNTAX    UnboundedDirectoryString
LDAP-SYNTAX directoryString.&id
LDAP-NAME  {"caseIgnoreMatch"}
ID      id-mr-caseIgnoreMatch }

id-mr-caseIgnoreMatch OBJECT IDENTIFIER ::= {id-mr 2}

caseIgnoreSubstringsMatch MATCHING-RULE ::= {
SYNTAX    SubstringAssertion
LDAP-SYNTAX substringAssertion.&id
LDAP-NAME  {"caseIgnoreSubstringsMatch"}
ID      id-mr-caseIgnoreSubstringsMatch }

SubstringAssertion ::= SEQUENCE OF CHOICE {
initial [0] UnboundedDirectoryString,
any   [1] UnboundedDirectoryString,
final  [2] UnboundedDirectoryString,
-- at most one initial and one final component
control    Attribute{{SupportedAttributes}},
-- Used to specify interpretation of the following items
... }
id-mr-caseIgnoreSubstringsMatch OBJECT IDENTIFIER ::= {id-mr 4}

integerMatch MATCHING-RULE ::= {
SYNTAX    INTEGER
LDAP-SYNTAX integer.&id
LDAP-NAME  {"integerMatch"}
ID      id-mr-integerMatch }

id-mr-integerMatch OBJECT IDENTIFIER ::= {id-mr 14}

octetStringMatch MATCHING-RULE ::= {
SYNTAX    OCTET STRING
LDAP-SYNTAX octetString.&id
LDAP-NAME  {"octetStringMatch"}
ID      id-mr-octetStringMatch }

id-mr-octetStringMatch OBJECT IDENTIFIER ::= {id-mr 17}

-- Copy of Syntax Names from Selected attribute types

directoryString SYNTAX-NAME ::= {
LDAP-DESC     "Directory String"
DIRECTORY SYNTAX UnboundedDirectoryString
ID        id-lsx-directoryString }

id-lsx-directoryString OBJECT IDENTIFIER ::= {id-lsx 15}

integer SYNTAX-NAME ::= {
LDAP-DESC     "INTEGER"
DIRECTORY SYNTAX INTEGER
ID        id-lsx-integer }

id-lsx-integer OBJECT IDENTIFIER ::= {id-lsx 27}

oid SYNTAX-NAME ::= {
LDAP-DESC     "OID"
DIRECTORY SYNTAX OBJECT IDENTIFIER
ID        id-lsx-oid }

id-lsx-oid OBJECT IDENTIFIER ::= {id-lsx 38}

octetString SYNTAX-NAME ::= {
LDAP-DESC     "Octet String"
DIRECTORY SYNTAX OCTET STRING
ID        id-lsx-octetString }

id-lsx-octetString OBJECT IDENTIFIER ::= {id-lsx 40}

substringAssertion SYNTAX-NAME ::= {
LDAP-DESC     "Substring Assertion"
DIRECTORY SYNTAX SubstringAssertion
ID        id-lsx-substringAssertion }

id-lsx-substringAssertion OBJECT IDENTIFIER ::= {id-lsx 58}

TimeSpecification ::= SEQUENCE {
time      CHOICE {
absolute    SEQUENCE {
startTime [0] GeneralizedTime OPTIONAL,
endTime  [1] GeneralizedTime OPTIONAL,
... },
periodic   SET SIZE (1..MAX) OF Period},
notThisTime  BOOLEAN DEFAULT FALSE,
timeZone   TimeZone OPTIONAL,
... }
Period ::= SEQUENCE {
timesOfDay [0] SET SIZE (1..MAX) OF DayTimeBand OPTIONAL,
days    [1] CHOICE {
intDay      SET OF INTEGER,
bitDay      BIT STRING {
sunday  (0),
monday  (1),
tuesday  (2),
wednesday (3),
thursday (4),
friday  (5),
saturday (6)},
dayOf      XDayOf,
...} OPTIONAL,
weeks    [2] CHOICE {
allWeeks     NULL,
intWeek     SET OF INTEGER,
bitWeek     BIT STRING {
week1   (0),
week2   (1),
week3   (2),
week4   (3),
week5   (4)},
... } OPTIONAL,
months   [3] CHOICE {
allMonths    NULL,
intMonth     SET OF INTEGER,
bitMonth     BIT STRING {
january  (0),
february (1),
march   (2),
april   (3),
may    (4),
june   (5),
july   (6),
august  (7),
september (8),
october  (9),
november (10),
december (11)},
...} OPTIONAL,
years    [4] SET OF INTEGER(1000..MAX) OPTIONAL,
... }
XDayOf ::= CHOICE {
first  [1] NamedDay,
second [2] NamedDay,
third  [3] NamedDay,
fourth [4] NamedDay,
fifth  [5] NamedDay }
NamedDay ::= CHOICE {
intNamedDays ENUMERATED {
sunday   (1),
monday   (2),
tuesday   (3),
wednesday  (4),
thursday  (5),
friday   (6),
saturday  (7)},
bitNamedDays BIT STRING {
sunday   (0),
monday   (1),
tuesday   (2),
wednesday  (3),
thursday  (4),
friday   (5),
saturday  (6)} }
DayTimeBand ::= SEQUENCE {
startDayTime [0] DayTime DEFAULT {hour 0},
endDayTime  [1] DayTime DEFAULT {hour 23, minute 59, second 59},
... }
DayTime ::= SEQUENCE {
hour  [0] INTEGER(0..23),
minute [1] INTEGER(0..59) DEFAULT 0,
second [2] INTEGER(0..59) DEFAULT 0,
... }
TimeZone ::= INTEGER(-12..12)
ID  ::= OBJECT IDENTIFIER
ds ID ::= {joint-iso-itu-t ds(5)}

-- The following definition is for ASN.1 definitions moved from
-- Rec. ITU-T X.660 | ISO/IEC 9834-1:

id ID ::= {joint-iso-itu-t registration-procedures(17) module(1) directory-defs(2)}
-- The following definition is for ASN.1 definitions of LDAP schema

internet      ID ::= {iso(1) identified-organization(3) dod(6) internet(1)}
ldap-dir      ID ::= {internet directory(1)}
intSecurity     ID ::= {internet security(5)}
ldap-enterprise   ID ::= {internet private(4) enterprise(1)}
ldap-x509      ID ::= {ldap-dir x509(15)}
ldap-openLDAP    ID ::= {ldap-enterprise openLDAP(4203) ldap(1)}
openLDAP-attributes ID ::= {ldap-openLDAP attributeType(3)}
openLDAP-controls  ID ::= {ldap-openLDAP controls(10)}
ldap-wall      ID ::= {ldap-enterprise wahl(1466)}
ldap-dynExt     ID ::= {ldap-wall 101 119}
ldap-attr      ID ::= {ldap-wall 101 120}
ldap-match     ID ::= {ldap-wall 109 114}
ldap-syntax     ID ::= {ldap-wall 115 121 1}
cosine       ID ::= {itu-t(0) data(9) pss(2342) ucl(19200300) pilot(100)}
cosineAttr     ID ::= {cosine pilotAttributeType(1)}

-- categories of information object

module                  ID ::= {ds 1}
serviceElement              ID ::= {ds 2}
applicationContext            ID ::= {ds 3}
attributeType              ID ::= {ds 4}
attributeSyntaxVendor          ID ::= {ds 5}
-- This arc will not be used by these Directory Specifications
objectClass-oid             ID ::= {ds 6}
-- attributeSet             ID ::= {ds 7}
-- algorithm               ID ::= {ds 8}
abstractSyntax              ID ::= {ds 9}
-- object                ID ::= {ds 10}
-- port                 ID ::= {ds 11}
dsaOperationalAttribute         ID ::= {ds 12}
matchingRule               ID ::= {ds 13}
knowledgeMatchingRule          ID ::= {ds 14}
nameForm                 ID ::= {ds 15}
group                  ID ::= {ds 16}
subentry                 ID ::= {ds 17}
operationalAttributeType         ID ::= {ds 18}
operationalBinding            ID ::= {ds 19}
schemaObjectClass            ID ::= {ds 20}
schemaOperationalAttribute        ID ::= {ds 21}
administrativeRoles           ID ::= {ds 23}
accessControlAttribute          ID ::= {ds 24}
--rosObject               ID ::= {ds 25}
--contract                ID ::= {ds 26}
--package                ID ::= {ds 27}
accessControlSchemes           ID ::= {ds 28}
certificateExtension           ID ::= {ds 29}
managementObject             ID ::= {ds 30}
attributeValueContext          ID ::= {ds 31}
-- securityExchange           ID ::= {ds 32}
idmProtocol               ID ::= {ds 33}
problem                 ID ::= {ds 34}
notification               ID ::= {ds 35}
matchingRestriction           ID ::= {ds 36} -- None are currently defined
controlAttributeType           ID ::= {ds 37}
keyPurposes               ID ::= {ds 38}
passwordQuality             ID ::= {ds 39}
attributeSyntax             ID ::= {ds 40}
avRestriction              ID ::= {ds 41}
cmsContentType              ID ::= {ds 42}
wrapperProtocolType           ID ::= {ds 43}
algorithm                ID ::= {ds 44}

/*
-- modules
usefulDefinitions                  ID ::= {module usefulDefinitions(0) x}
informationFramework               ID ::= {module informationFramework(1) x}
directoryAbstractService           ID ::= {module directoryAbstractService(2) 8}
distributedOperations              ID ::= {module distributedOperations(3) 8}
-- protocolObjectIdentifiers       ID ::= {module protocolObjectIdentifiers(4) 8}
selectedAttributeTypes             ID ::= {module selectedAttributeTypes(5) 8}
selectedObjectClasses              ID ::= {module selectedObjectClasses(6) 8}
authenticationFramework            ID ::= {module authenticationFramework(7) 8}
algorithmObjectIdentifiers         ID ::= {module algorithmObjectIdentifiers(8) 8}
directoryObjectIdentifiers         ID ::= {module directoryObjectIdentifiers(9) 8}
-- upperBounds                     ID ::= {module upperBounds(10) 8}
-- dap                             ID ::= {module dap(11) 8}
-- dsp                             ID ::= {module dsp(12) 8}
distributedDirectoryOIDs           ID ::= {module distributedDirectoryOIDs(13) 8}
directoryShadowOIDs                ID ::= {module directoryShadowOIDs(14) 8}
directoryShadowAbstractService     ID ::= {module directoryShadowAbstractService(15) 8}
-- disp                            ID ::= {module disp(16) 7}
-- dop                             ID ::= {module dop(17) 7}
opBindingManagement                ID ::= {module opBindingManagement(18) 8}
opBindingOIDs                      ID ::= {module opBindingOIDs(19) 8}
hierarchicalOperationalBindings    ID ::= {module hierarchicalOperationalBindings(20) 8}
dsaOperationalAttributeTypes       ID ::= {module dsaOperationalAttributeTypes(22) 8}
schemaAdministration               ID ::= {module schemaAdministration(23) 8}
basicAccessControl                 ID ::= {module basicAccessControl(24) 8}
directoryOperationalBindingTypes   ID ::= {module directoryOperationalBindingTypes(25) 8}
certificateExtensions              ID ::= {module certificateExtensions(26) 8}
directoryManagement                ID ::= {module directoryManagement(27) 8}
enhancedSecurity                   ID ::= {module enhancedSecurity(28) 8}
-- directorySecurityExchanges      ID ::= {module directorySecurityExchanges (29) 8}
iDMProtocolSpecification           ID ::= {module iDMProtocolSpecification(30) 8}
directoryIDMProtocols              ID ::= {module directoryIDMProtocols(31) 8}
attributeCertificateDefinitions    ID ::= {module attributeCertificateDefinitions(32) 8}
serviceAdministration              ID ::= {module serviceAdministration(33) 8}
ldapAttributes                     ID ::= {module ldapAttributes(34) 8}
commonProtocolSpecification        ID ::= {module commonProtocolSpecification(35) 8}
oSIProtocolSpecification           ID ::= {module oSIProtocolSpecification(36) 8}
directoryOSIProtocols              ID ::= {module directoryOSIProtocols(37) 8}
ldapSystemSchema                   ID ::= {module ldapSystemSchema(38) 8}
passwordPolicy                     ID ::= {module passwordPolicy(39) x}
pkiPmiExternalDataTypes            ID ::= {module pkiPmiExternalDataTypes(40) x}
extensionAttributes                ID ::= {module extensionAttributes(41) xx}
-- X.510
cryptoTools                        ID ::= {module cryptoTools(42) x}
wrapper                            ID ::= {module wrapper(43) x}
avlManagement                      ID ::= {module avlManagement(44) x}
caSubsription                      ID ::= {module caSubsription (45) x}
trustBrokerProtocol                ID ::= {module trustBrokerProtocol(46) x}
protProtocols                      ID ::= {module protProtocols(47) x}
genAlgo                            ID ::= {module genAlgo(48) x}
-- X509
supportedIn
...
