M-Vault
Server Management tools can be split into four categories:
- Directory Configuration Management
- Directory Operational Management
- Directory Data Access & Management
- Directory Synchronization
This section covers Data Access and Management, looking at Isode's
Sodium management tool.
You can find information on Configuration Management (Enterprise
Directory Management), Operational Management (DConsole,
SNMP monitoring, Audit, Event and Fault Logging), Data Access &
Management (using the web-based Directory
Services Interface) and Directory Synchronization (Sodium-Sync)
by following the links.
Secure Open Data, Identity and User Manager (Sodium)
Sodium is used to manage the data held in LDAP/X.500 enterprise directory
servers. It provides information managers and system administrators
with an easy to use Graphical User Interface.
Sodium is part of the Isode directory product set, and is ideal for
use with M-Vault. It may also be used with any directory server which
supports X.500 DAP (Directory Access Protocol) or LDAP (Lightweight Directory
Access Protocol).
Sodium features include:
- Support for Strong Authentication and Signed Operations
- X.509 certificate request and management functions
- Extensive built-in schema support
- Easy Browsing and Searching
- Extensive Data modification, addition and checking facilities
- Bulk Load/Dump of LDIF files
- Flexible template configuration
Sodium Features
Support for Strong Authentication
Sodium's Bind Manager contains configuration details for stored directory
server connections. Each configuration contains details of the protocol
(LDAP or DAP), address details and the type of authentication being
used (Anonymous, Simple or Strong).

The bind profiles can be modified at a later stage or copied for use
as a template for another connection configuration. Isode has published
whitepapers relating to Strong Authentication.
Sodium also supports directory signed operations, which provide additional
security by applying an X.509 digital signature to individual directory
operations and to the results returned, so that both the request and the
response can be authenticated and checked for tampering. Isode's Signed
Operations whitepaper gives more detail.
X.509 Certificate Management
Sodium simplifies the process of creating a certificate signing request
(CSR) for an entry, submitting that CSR to a Certificate Authority (CA),
and creating an identity from the X.509 certificate returned by the CA.

Sodium's 'Create Identity' wizard automatically creates a Certificate
Signing Request (CSR) for passing on to the CA and, once the certificate
has been issued, creates a PKCS#12 file representing the identity (the
certificate together with its private key). The operation can be deferred
for later completion where the delay between submitting the CSR and
receiving the certificate makes it impractical to wait.
On completion of identity creation, Sodium can store the certificate
inside the directory by associating it with the entry that the certificate
identifies. Sodium enables secure identity creation for:
- Full installation for users with accounts on the local system.
- Full installation for an M-Vault server running on the local system.
- Provision of files that can be used for any user or server.
Secure Bind Profiles
Sodium stores configured servers in a bind profile. The profile may be
encrypted using a key that the user is prompted for each time Sodium starts.
An encrypted profile can also hold server passwords and the pass phrases of
PKCS#12 files, which avoids typing a password for each server connection
while keeping those credentials protected at rest; their protection is then
only as strong as the key chosen for the profile.
Bind profiles allow setting of security and protocol parameters for
each directory. Multiple profiles may be established for a single server,
with different security and protocol options.
Extensive built-in schema support
Sodium includes extensive built-in schema support, including templates
for military (ACP133) and aviation (ATN Directory) markets.

Attribute names and values are displayed in groups appropriate
to the schema within tabs attached to the object.

Browsing and Searching with Sodium
Sodium's main window can support multiple tabs, which can be re-arranged
and moved to additional Sodium windows.
- The Browse Tab: opened when you connect to a directory server. This
is the default view that shows directory entries in a tree, structured
by their distinguished name.

- Search Tab: If the user performs a search, results from that search
are displayed in a Search Tab. The search tab view is similar to that
of the Browse tab, but only entries matching the search filter are
displayed. The screenshot below shows results for the search criteria
(cn=Kate*)

- Log: Sodium will display warnings and error messages in a 'Log'
tab. If there are no warnings or errors, this tab will not be displayed.
Data modification, addition and checking
Entries can be viewed and edited using the standard browser interface,
which allows entries to be removed, added at any place in the DIT, or
created using the current entry as a template.

There are a number of editing features that make it easy
to manage information in the directory. These include:
- Modifying the templates to be used for an object.
- Viewing the object in "schema view", and selecting the
object classes to be used (underlying the templates).
- Drag and drop move of sub-trees.
- Delete sub-trees.
- Copy and paste attribute values.
- Copy of DNs (Distinguished Names), to easily enter values for DN
value attributes.
- Clone an existing entry, to make it easy to create a new entry based
on an existing one.
- Validate DN attributes, with graphical display of object class
and quick link to see the associated entry.
- "Referential Integrity Check" of sub-tree, to identify
DN values that do not point to an entry in the directory.
- Syntax validation of all attributes.
- Graphical display of many structured attributes.
- Validation of expiry dates in Certificates and Certificate Revocation
Lists.
- Management of the component Certificates in Cross Certificate Pairs.
- Option to display operational attributes.
Password Policy Controls
Sodium can be used to manage password policy. It allows:
- Setting of password policy preferences.
- Choice of hash algorithm (or plain passwords).
- Management of password policy exclusions.
- Account locking.

Further information on password policy is given in the Isode white paper
Password Policy for Directories.
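As an added illustration of what the choice of hash algorithm (or plain passwords) above means for the stored userPassword attribute, the following Python shows a salted-hash value being produced and a bind password being verified against it, alongside the plain-password case. This is example code, not Sodium's; it uses the '{scheme}' prefix convention followed by OpenLDAP and many other LDAP servers, and which schemes M-Vault itself offers is not stated on this page.

```python
"""Added example: hashed versus plain userPassword values.

Uses the '{scheme}' prefix convention for userPassword that OpenLDAP and
many other LDAP servers follow. This is not Sodium's code, and which
schemes M-Vault offers is not stated on this page.
"""
import base64
import hashlib
import hmac
import os

# Scheme label -> hashlib algorithm. Stored form is {SCHEME}base64(digest || salt).
SCHEMES = {"SSHA": "sha1", "SSHA256": "sha256", "SSHA512": "sha512"}


def hash_password(password, scheme="SSHA256", salt=None):
    """Return a salted-hash userPassword value, e.g. '{SSHA256}AbC...='."""
    algo = SCHEMES[scheme]
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))


def verify_password(stored, candidate):
    """Check a bind password against a stored userPassword value.

    An unprefixed value is a plain password and is compared directly; that is
    all a directory configured for plain passwords can do, and it means anyone
    able to read the attribute has the secret. Hashed values are recomputed
    with the salt recovered from the stored blob.
    """
    if not stored.startswith("{"):
        return hmac.compare_digest(stored.encode("utf-8"), candidate.encode("utf-8"))
    scheme, _, b64 = stored[1:].partition("}")
    algo = SCHEMES.get(scheme.upper())
    if algo is None:
        return False                          # unknown scheme: refuse rather than guess
    blob = base64.b64decode(b64)
    size = hashlib.new(algo).digest_size
    digest, salt = blob[:size], blob[size:]
    expected = hashlib.new(algo, candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)
```

The salt is stored after the digest inside the base64 blob, so verification needs nothing beyond the stored value itself; a value with no scheme prefix is the plain-password configuration, and an unrecognised scheme is rejected rather than compared as plain text.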
Bulk Load/Dump of LDIF files
Sodium allows for flexible bulk load and dump of LDIF (LDAP Data Interchange
Format) files. This includes the ability to load data to any part of
the DIT, automatically changing names and references to other names.

In addition to Sodium, Isode provides a family of bulk load tools based
on Isode's Tcldish directory scripting tool. As these are written in
the Tcl scripting language, they can be easily adapted for use in slightly
different environments or with different data sources. These tools support
two useful formats:
- Comma Separated Value (CSV). This format is generated by many popular
applications, and is a convenient and simple means to load data.
- LDIF (LDAP Data Interchange Format). LDIF is a directory data format,
standardized as RFC 2849 and used by many directory tools. As well as
being a standard format, LDIF supports incremental loading of data into
the directory, since its change records can add, modify or delete
individual entries.
These are client/server tools that load data through the directory server
itself; they give a great deal of flexibility and should be used where
possible. Isode also provides tools for loading and dumping LDIF files
directly to the M-Vault database, which are useful when the very highest
performance is needed.
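Two of the operations described on this page, the "Referential Integrity Check" of a sub-tree (in the editing features list) and bulk loading LDIF into a different part of the DIT with names and references rewritten, are illustrated together by the following Python example. It is an added illustration, not Sodium's or Isode's code: it parses a small constructed LDIF sample, reports DN-valued attributes that point at no entry, and rebases the sub-tree to a new parent while rewriting the DN references inside it. The set of DN-syntax attribute names, the simplified DN normalization and the rebase rules are the example's own assumptions.

```python
"""Added example: LDIF referential-integrity check and DIT rebase.

Standard library only. The sample LDIF is constructed; the set of DN-syntax
attributes and the rebase rules are this example's own assumptions, not
Sodium's code or behaviour.
"""
import base64

# DN-syntax attributes whose values should name an existing entry (assumed set).
DN_ATTRS = {"member", "uniquemember", "seealso", "manager", "secretary", "owner"}

# Constructed sample: Kate's seeAlso names an entry that does not exist, and the
# Staff group references Alan with different case and spacing in the DN.
SAMPLE_LDIF = """\
dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People

dn: cn=Kate Bell,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
cn: Kate Bell
sn: Bell
manager: cn=Alan Smith,ou=People,dc=example,dc=com
seeAlso: cn=Missing,ou=People,dc=example,dc=com

dn: cn=Alan Smith,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
cn: Alan Smith
sn: Smith
description:: QmFzZTY0IHZhbHVl

dn: cn=Staff,ou=Groups,dc=example,dc=com
objectClass: groupOfNames
cn: Staff
member: cn=Kate Bell,ou=People,dc=example,dc=com
member: CN=Alan Smith, OU=People, DC=Example, DC=Com
"""


def parse_ldif(text):
    """Parse LDIF content records into [(dn, [(attr, value), ...])]; handles
    comments, folded lines and base64 ("attr::") values, not URL values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]            # unfold a continuation line
        elif not raw.startswith("#"):
            lines.append(raw)
    entries, record = [], []
    for line in lines + [""]:               # trailing "" flushes the last record
        if line:
            record.append(line)
            continue
        if record:
            dn, attrs = None, []
            for item in record:
                name, _, value = item.partition(":")
                if value.startswith(":"):   # "attr:: <base64>"
                    value = base64.b64decode(value[1:].strip()).decode("utf-8")
                else:
                    value = value.strip()
                if name.lower() == "dn":
                    dn = value
                else:
                    attrs.append((name, value))
            if dn is None:
                raise ValueError("LDIF record without a dn line")
            entries.append((dn, attrs))
            record = []
    return entries


def normalize_dn(dn):
    """Case-fold and strip spaces around RDNs so differently formatted DNs compare
    equal (simplified: escaped commas and multi-valued RDNs are not handled)."""
    return ",".join(p.strip().lower() for p in dn.split(","))


def referential_integrity_check(entries, dn_attrs=DN_ATTRS):
    """Return [(entry_dn, attr, value)] for DN values that name no known entry."""
    known = {normalize_dn(dn) for dn, _ in entries}
    return [(dn, name, value) for dn, attrs in entries for name, value in attrs
            if name.lower() in dn_attrs and normalize_dn(value) not in known]


def rebase(entries, old_base, new_base, dn_attrs=DN_ATTRS):
    """Move the subtree at old_base under new_base, rewriting entry DNs and
    DN-valued attributes together so references stay consistent after a bulk
    load into another part of the DIT. DNs outside old_base are left alone."""
    base_len, old_norm = len(old_base.split(",")), normalize_dn(old_base)

    def move(dn):
        parts = [p.strip() for p in dn.split(",")]
        if normalize_dn(",".join(parts[-base_len:])) != old_norm:
            return dn                       # not under old_base
        return ",".join(parts[:-base_len] + [new_base])

    return [(move(dn), [(n, move(v) if n.lower() in dn_attrs else v) for n, v in attrs])
            for dn, attrs in entries]
```

`referential_integrity_check(parse_ldif(SAMPLE_LDIF))` reports the dangling seeAlso on Kate's entry and nothing else, because the differently formatted member value still resolves to Alan once normalized. `rebase(entries, "dc=example,dc=com", "ou=Imported,o=Test,c=GB")` renames every entry and rewrites the manager and member references to match, while a reference that was already dangling stays dangling, which is why the integrity check is worth running both before and after a bulk load rather than assuming the load repaired the data.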
Templates
Sodium templates are XML based, allowing new templates to be rapidly
generated for specific user requirements, to modify support for current
schema or to add support for new schema.
Templates may be created with default values. This will be convenient
where entries are often created with the same values. Where an object
type has multiple templates, typically reflecting different sets of
default values, the user is prompted for the choice of which template
to use.
Evaluations
Sodium is bundled as part of our M-Vault Directory Server and can be
evaluated as part of our M-Vault Evaluation package.