Isode's Enterprise Directory Management (EDM) tool is the flagship product of the Isode directory management tool set, designed specifically for the management and systems administration of large-scale directory services. For most of its operation, it functions as a client/server management tool with a graphical interface. EDM's functions, and those of EDM Shell (the associated scripting interface), include:

  • Server control. This is the only part of EDM which is not client/server, and comprises functions which must be carried out on the same machine as the server.
  • Configuration of directory databases, and naming contexts (which are the fundamental data building block of LDAP/X.500 directories).
  • Configuration of "references", which is the management of information relating to other servers in the directory.
  • Dealing with configuration of replicated data.
  • Monitoring functions.
  • Access control management.
  • Configuring the authentication requirements, server to server and client to server.


Server Control

The server control functions provide basic capabilities:

  • Creating new Directory Servers. This initializes new Directory Servers ready for immediate use.
  • Starting Directory Servers.
  • Stopping Directory Servers.

These functions of EDM require the tool to be running on the same machine as the directory server it is controlling.

Directory Databases and Naming Contexts


Following on from the basic functions of handling the server, there is the need to configure data in the server. There are a number of elements to this.

  • The Directory Information Tree (DIT) is the basic hierarchical framework of LDAP and X.500. EDM is used to establish the portions of the DIT that are managed in the directory server. EDM displays a DIT view of the directory server to achieve this.
  • 'Naming contexts' are the key mechanism in a distributed X.500 directory for partitioning data. EDM allows naming contexts to be defined and managed.
  • A directory server can have one or more databases. Multiple databases will usually only be used in very large and complex configurations. This will typically be used to handle large subtrees managed in one directory server. The databases are configured by EDM.
  • Naming contexts and multiple databases represent configuration from the server viewpoint. To present a user view, data can also be grouped into 'administrative areas', and management of this powerful X.500 concept is handled by EDM. EDM allows administrative areas to be defined, and collective information (such as common telephone numbers) and access control frameworks to be assigned to them.

References and Knowledge


Isode's M-Vault servers will usually be configured as part of a distributed system of servers (the directory service), which will include servers internal and external to the enterprise. In order to tie the elements of the distributed directory together, each directory server maintains "references" to other directory servers and to how they relate to the Directory Information Tree. The management of this "knowledge" is a key function of EDM, which maintains the details of the servers (automatically retrieved from the servers it contacts) so that the manager can easily select and contact different servers using simple point and click actions, minimizing the typing required.

When EDM contacts a new directory server it will determine all of the references that this server has. This in effect allows EDM to build a large cache of available directory servers.

Replication (Shadowing)

In order to achieve performance and robustness against component failure, data is replicated between directory servers. This is achieved by "shadowing" agreements, which must be configured in both of the directory servers participating in the agreement. This agreement will control whether the replication is push or pull, whether incremental or total, and the policy for the timing of updates. X.500 DISP provides for a good deal of flexibility in controlling replication, and EDM provides a clean management interface onto this.

Isode's DConsole (Directory Console) operator tool can be used to monitor the status of several copies of M-Vault and any replication agreements.

Access Control Management


Access control is a key function of a directory, which is often used to share data in a complex fashion. X.500 has a very powerful and flexible access mechanism, which allows a manager to set varying levels of data access, for individual users, groups of users and whole subtrees. EDM provides a clean way to manage this. EDM will typically be used for managing access control for special entries and for setting access control templates, so that one definition can define the access control for all entries in a subtree. This approach will be useful for many enterprises.

Peer Authentication Configuration


Access control is not effective without authentication, and Isode is promoting X.509 based strong authentication. Most enterprises will not be able to immediately enforce use of X.509 for all functions, as support is not going to be available in all products. Isode offers sophisticated configuration management of authentication levels, which offers high flexibility to mix and match them. For example, an enterprise might choose to use strong authentication for all server to server communication, and in particular for data replication, where there is a larger security threat. Similarly, all administration of core data may require strong authentication. However, read access and modification of less sensitive data may be configured to require a lower level of authentication. This function may also be used to configure access for trading partners. EDM has a generic approach to authentication, which enables a wide range of these needs to be met.

EDM Shell

All of the preceding descriptions have been written in terms of the EDM graphical interface, which is referred to as EDM. There is also a scripting Tcl interface to EDM (EDM Shell), which provides the same functionality. This can be used for bulk operations, or for automated remote installation and configuration of directory servers. A short sample script is given below:

# -*- tcl -*- \
exec edmsh "$0" ${1+"$@"}
# This script sequentially:
# o Creates a first level dsa
# o Starts the newly created dsa
set dir "/tmp/dsa-db-example"
set name "cn=DSA,cn=paris,o=Isode Ltd,c=US"
set addr "Internet=paris+19999"
set user "cn=DSA Manager,$name"
set passwd "HELEN123"
set prefix "c=US"
# Create a first level dsa
if {[catch {dmi create \
            -dsa_dir "$dir" \
            -name "$name" \
            -address "$addr" \
            -password "$passwd" \
            -prefix "$prefix"} err]} {
    puts "dsa ($dir) not created: $err"
    return "$err"
} else {
    puts "dsa ($dir) created"
}
# Start the newly created dsa
if {[catch {dmi start \
            -dsa_dir "$dir"} err]} {
    puts "dsa ($dir) not started: $err"
    return "$err"
} else {
    puts "dsa ($dir) started"
}
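A bulk variant of the same procedure, added here as an example and not taken from Isode's documentation: it provisions several DSAs in one run using only the dmi create and dmi start options shown in the script above, and reads the manager password from an environment variable (DSA_MANAGER_PASSWORD, a convention of this example only) so that it is not stored in the script.

```tcl
# -*- tcl -*- \
exec edmsh "$0" ${1+"$@"}
# Added example: create and start several first-level DSAs in one run.
# Assumptions: edmsh provides "dmi create" and "dmi start" with the
# options used in Isode's sample script; DSA_MANAGER_PASSWORD is our
# own convention for supplying the manager password out of band.
if {![info exists env(DSA_MANAGER_PASSWORD)]} {
    puts stderr "DSA_MANAGER_PASSWORD is not set; refusing to continue"
    exit 1
}
set passwd $env(DSA_MANAGER_PASSWORD)

# Constructed inventory: flat list of {dir name address prefix} quads.
set dsas {
    /tmp/dsa-db-paris  {cn=DSA,cn=paris,o=Isode Ltd,c=US}  Internet=paris+19999  c=US
    /tmp/dsa-db-london {cn=DSA,cn=london,o=Isode Ltd,c=GB} Internet=london+19999 c=GB
}

# Create and start one DSA; return 1 on success, 0 on failure.
# Each step is wrapped in catch so one bad entry does not abort the rest.
proc provision_dsa {dir name addr prefix passwd} {
    if {[catch {dmi create -dsa_dir $dir -name $name -address $addr \
                    -password $passwd -prefix $prefix} err]} {
        puts stderr "dsa ($dir) not created: $err"
        return 0
    }
    if {[catch {dmi start -dsa_dir $dir} err]} {
        puts stderr "dsa ($dir) created but not started: $err"
        return 0
    }
    puts "dsa ($dir) created and started"
    return 1
}

set failed 0
foreach {dir name addr prefix} $dsas {
    if {![provision_dsa $dir $name $addr $prefix $passwd]} {
        incr failed
    }
}
set total [expr {[llength $dsas] / 4}]
puts "[expr {$total - $failed}] of $total DSAs provisioned"
# Non-zero exit status lets a calling installer notice partial failure.
exit [expr {$failed > 0}]
```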


Conformance

ITU X.500 The Directory: Overview of concepts, models and services, ISO/IEC 9594-1, 2001
ITU X.511 The Directory: Abstract service definition, ISO/IEC 9594-3, 1993
RFC 2849 The LDAP Data Interchange Format (LDIF) - Technical Specification, G. Good, June 2000


Copyright © 2008 Isode