Isode Products

M-Vault Directory

 

M-Vault is, and was designed to be, a multi-protocol server and so is able to support LDAP (v2 and v3) and X.500 (DAP) client access. Distribution of a directory service is mainly achieved using X.500 protocols - DSP (Directory System Protocol) for distributing client operations and DISP (Directory Information Shadowing Protocol) to replicate data between directory servers.

Additionally, M-Vault is able to interconnect LDAP and X.500 servers and make them part of a distributed directory system using LDAP chaining (i.e. by converting incoming LDAP requests to X.500 and vice versa).

The sections below set out the supported standards for LDAP and X.500, Additional Specifications, Aviation Conformance and Military Conformance.

LDAP Support in M-Vault

The M-Vault directory server provides full support for LDAP, including the current standard version (LDAPv3) [RFC 4510-4519] and its predecessor (LDAPv2) [RFC 1777-1779,1781]. This support is a key part of the module, as LDAP is the leading standard for client/server directory integration. Desktop applications requiring use of a directory, such as mail clients with directory-based address book capabilities, use LDAP as the primary access protocol. The following documents comprise the LDAP (v3) technical specification.

RFC 4510 LDAP: Technical Specification Roadmap, K. Zeilenga, June 2006
RFC 4511 LDAP: The Protocol, J. Sermersheim, June 2006
RFC 4512 LDAP: Directory Information Models, K. Zeilenga, June 2006
RFC 4513 LDAP: Authentication Methods and Security Mechanisms, R. Harrison, June 2006
RFC 4514 LDAP: String Representation of Distinguished Names, K. Zeilenga, June 2006
RFC 4515 LDAP: String Representation of Search Filters, M. Smith, T. Howes, June 2006
RFC 4516 LDAP: Uniform Resource Locator, M. Smith, T. Howes, June 2006
RFC 4517 LDAP: Syntaxes and Matching Rules, S. Legg, June 2006
RFC 4518 LDAP: Internationalized String Preparation, K. Zeilenga, June 2006
RFC 4519 LDAP: Schema for User Applications, A. Sciberras, June 2006

As well as supporting the base LDAP protocol, M-Vault also implements a number of extensions that expose clients and users to a wider range of functionality. M-Vault supports the following features, extensions and related specifications (partial list). SASL conformance is set out here, and TLS conformance is set out here. Application schema support is listed separately:

RFC 4346 The Transport Layer Security (TLS) Protocol Version 1.1, T. Dierks, E. Rescorla, April 2006
RFC 4532 LDAP: "Who am I?" Operation, K. Zeilenga, June 2006
RFC 4530 LDAP: entryUUID Operational Attribute, K. Zeilenga, June 2006
RFC 4522 LDAP: The Binary Encoding Option, S. Legg, June 2006
RFC 3673 LDAP: All Operational Attributes, K. Zeilenga, December 2003
RFC 3672 LDAP: Subentries in the Lightweight Directory Access Protocol (LDAP), K. Zeilenga, S. Legg, September 2003
RFC 3671 Collective Attributes in the Lightweight Directory Access Protocol (LDAP)), K. Zeilenga, December 2003
RFC 3062 LDAP Password Modify Extended Operation, K. Zeilenga, February 2001
RFC 3045 Collective Attributes in the Lightweight Directory Access Protocol (LDAP), K. Zeilenga, December 2003
RFC 2891 LDAP Control Extension for Server Side Sorting of Search Results, T. Howes, M. Wahl, A. Anantha, August 2000
RFC 2849 The LDAP Data Interchange Format (LDIF) - Technical Specification, G. Good, June 2000
RFC 2696 LDAP Control Extension for Simple Paged Results Manipulation, C. Weider, A. Herron, A. Anantha, T. Howes, September 1999

X.500 Support in M-Vault

M-Vault implements the three main application protocols of X.500, these being:

  • Directory Access Protocol (DAP) - for client access.
  • Directory System Protocol (DSP) - for the communication of directory operations in a distributed directory system.
  • Directory Information Shadowing Protocol (DISP) - for the replication of stored data from one server to another.

The server and client libraries and client products using DAP support the X.500 (2005) version of the standard.

X.500 interoperability testing has been demonstrated in live commercial and government operational environments and at EuroSInet test-bed workshops. Isode directories have also undergone strenuous internal stress testing, scalability and performance testing, and conformance testing. Interoperability of the Isode directory server has been demonstrated with other X.500 vendors.

The set of X.500 (and related) specifications that M-Vault directory server conforms to include:

ITU X.500 The Directory: Overview of concepts, models and services, ISO/IEC 9594-1, 2008
ITU X.501 The Directory: Models, ISO/IEC 9594-2, 2008
ITU X.509 The Directory: Authentication framework, ISO/IEC 9594-8, 2008
ITU X.511 The Directory: Abstract service definition, ISO/IEC 9594-3, 2008
ITU X.518 The Directory: Procedures for distributed operation, ISO/IEC 9594-4, 2008
ITU X.519 The Directory: Protocol specifications, ISO/IEC 9594-5, 2008
ITU X.521 The Directory: Selected object classes, ISO/IEC 9594-7, 2008
ITU X.525 The Directory: Replication, ISO/IEC 9594-9, 2008

Conformance for X.500 products is defined in X.519, which gives a list of conformance questions that should be addressed for an X.500 product. Answers to these questions for M-Vault, Sodium, and Isode directory client API according to X.500 (2005) are set out here.

The X.519 statement summarizes key capabilities and options. More detailed protocol support is also provided in three PICS (Protocol Implementations Conformance statements. The PICS proformas are aligned to X.500 (1993), and so do not cover features introduced subsequent to this version of X.500. They do cover the core capabilities:

As well as conformance to the base standards, the Isode products are conformant to industry profiles for military and intelligence markets, for the aviation industry (AMHS).

IPv6

M-Vault fully supports IPv6 for LDAP and X.500 protocols. Server addresses are stored according to X.519(2009) that enables representation of IPv4 and IPv6 addresses. These addresses will usually use Internet Domains that will be resolved to IPv4 or IPv6 addresses at run time.

Directory Application Support

In addition to LDAP and X.500 base specification, M-Vault implements a wide range of specifications detailing additional general-use and/or application-specific schema elements and/or describing an application's directory service requirements. M-Vault implements the following additional specifications (partial list):

  • COSINE LDAP/X.500 Schema [RFC 4524]
  • LDAP Schema Definitions for X.509 Certificates [RFC 4523]
  • H.350 Directory Services [RFC 3944]
  • LDAP Schema for Printer Services [RFC 3712]
  • Definition of the inetOrgPerson LDAP Object Class [RFC 2798]
  • Naming Plan for Internet Directory-Enabled Applications [RFC 2377]
  • An Approach for Using LDAP as a Network Information Service [RFC 2307]
  • Representing the O/R Address hierarchy in the X.500 Directory Information Tree [RFC 2294]
  • Representing Tables and Subtrees in the X.500 Directory [RFC 2293]
  • Using Domains in LDAP/X.500 Distinguished Names [RFC 2247]
  • Use of an X.500/LDAP directory to support MIXER address mapping [RFC 2164]
  • Definition of an X.500 Attribute Type and an Object Class to Hold Uniform Resource Identifiers (URIs) [RFC 2079]
  • Message Handling Systems (MHS): Overall Structure [X.402]

Aviation Conformance

Directory support for Aeronational Telecommunications Network (ATN) is specified by ICAO (International Civil Aviation Authority)

  • ICAO SARPS Doc 9880/AN965:The ATN SARPS Sub-Volume 7 - Directory Services (Fourth Edition).

Military Conformance

Military directory conformance is specified in ACP 133, described in more detail in the Isode white paper ACP 133: The Military Directory Standard.

  • ACP 133 Edition B: Common Directory Services and Procedures, February 2000
  • ACP 133 Edition C (draft 1.3): Common Directory Services and Procedures (to be published)

     

     
Copyright © 2010 Isode sitemap    privacy   feedback Subscribe to our rss newsfeed