Purpose
Isode provides a number of Web User Interfaces (UIs) that interact
with its M-Vault directory servers, in support of both messaging and
directory deployments. Two new UIs have been added as a part of our
R14 release: a personal information administrator and a directory browser.
Both are currently packaged as part of the Internet Messaging Administrator,
but will change over time to become general purpose directory
UIs.
The first goal of this paper is to give a description of these new
products, which have been driven by Isode's Internet messaging product
set. The second goal of this paper is to solicit input from Isode directory
customers as to requirements that may be addressed by these new products.
Internet Messaging, Web, & Directory
Isode's Internet Messaging product suite has two key strategies:
- User and configuration information is held in the directory.
- Tools for operators and for basic account/user administration will
all be Web based.
A consequence of this is that Isode's Internet Messaging Administration
(IMA) family of tools is a Web based interface onto the directory. It
is these tools that are described here, and considerations as to how
they may evolve. These tools are written in Java with JSP customization,
and run on the Tomcat application server.
In order to illustrate this, a sample ISP configuration is used throughout
this paper, to show the various different views onto the data and the
functionality offered.
Messaging Administrator View
IMA gives the ability to manage users, shared folders and M-Box (POP/IMAP)
servers with a Web interface. All of this information is held in the
directory. IMA shows the access configuration to the directory, which
is shown below:

IMA gives a view that enables user accounts to be created:

It also gives simple screens to create and update account information:

These are straightforward messaging administrator screens that give
a natural email account management view.
Directory View
It is useful to see how this messaging administrator view is mapped
onto the directory. The following screenshot is of Sodium (Secure Open
Data, Identity and User Manager), which is Isode’s directory
administration tool:

This shows how information is represented in a natural part of the
DIT (Directory Information Tree), with account entries named by the
hierarchical components of the email address. An M-Box server can be
seen configured as a single entry in the DIT. The account entries hold
information about the end user, using a natural directory schema. This
is completely extensible, and can include a mixture of data, including
structured information and data such as photographs:

End User Data Update
Personal Information Administrator (PIA)
The first new product is Personal Information Administrator (PIA),
which is a tool that enables a user to change information in the directory.
In R14.0, this is a component of IMA. In future releases, it will be
an independent product. From a user perspective, it is simply a Web
page with easy screens to update personal information.
Personal Logon & Password Change
PIA Logon is illustrated below:

This uses username (generally email address) and password for login.
This is mapped onto the directory using SASL (Simple Authentication
and Security Layer), which can map between username and directory name
with a number of algorithms. This gives flexible use of the directory, while
providing the user with a simple login procedure. PIA can also be used
for password changing:

Email Preferences
The core functionality of PIA in the context of email management is
update of personal email preferences. This is illustrated below:

White Pages
PIA includes general purpose functionality to modify "white pages"
entries, such as home telephone numbers. This is typically used for
"additional" information, which it makes more sense for the
end user to provide, rather than the administrator. This may be done
for privacy reasons (to give the user control over what is put into
the directory), because the administrator does not know, or because
it is more convenient for the user to manage this data. This is illustrated
below.

PIA Product Plans
PIA will continue as a part of the IMA suite, but will also be packaged
so that it is available separately. This is particularly to support
directory deployments that do not use Isode’s Internet Messaging,
and to enable self administration and password changing. Configuration
options will be provided to control which information
and attributes are available to the user.
Feedback is solicited on any desired features, and in particular as
to which directory attributes it is essential or desirable to make available
through PIA.
End User Data Access
There are many ways that users get access to data in a directory, through
applications, devices and general purpose interfaces. This section considers
the Isode Web interface for accessing the directory.
List/Browse View
The core of Isode's Web to Directory (M-Vault) interface is a list/browse
view, shown below:

The core of this is a simple "one line per entry" display
that shows selected attributes of the matched entry. This is intended
for use in two ways:
- As a "full directory display", showing all
directory information on a single web page. This is convenient for
small organizations, departments, and family ISP accounts. Directory
information is shown, and there is no user action other than selecting
the Web page (which is automatically generated from the directory).
- With basic searching, to select entries. This is useful for larger
directories, where it would be impractical to show all information
on a single page.
Information Display and Export
The model of detailed information display is to use the standard vCard
format, rather than to generate a custom Web page. There are two reasons
for this:
- Most platforms have a native vCard display mechanism, which will
show (potentially extensive) user information in a display format
that is native and convenient to the user.
- It will allow for immediate and natural import into a local contact
database.
An example vCard record generated from the directory and displayed
on Windows using the Microsoft Outlook contact display is illustrated
below.

The same information is shown using the Linux KDE contact display:

The underlying representation of this vCard is a text format, illustrated
below.

Certificates & S/MIME Encryption
The vCard approach is particularly important for support of sending
encrypted messages using S/MIME. In order to send an encrypted message,
the message originator needs to have the certificate (public key) of
the intended recipients. Most email clients require that this is available
in the local contact information.
In some situations, this requirement is inconvenient, as the certificate
is not available. Isode's Web interface provides support for X.509 certificates,
and their presence is shown in the list/browse view. They are then made
available in the vCard information, as illustrated below:

Details of this certificate (Properties) can be displayed as:
This will be particularly convenient to support access to email addresses
where encryption may be desirable (e.g., to submit planning applications
to a government department) where the certificate is not present in
the originator’s contact list.
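
The directory-to-vCard export described here and under Information Display and Export, sketched as an added example (not Isode's code): it renders one directory entry as a vCard with the X.509 certificate in a KEY property, and escapes user-editable values so they cannot break out of their own property. The vCard 3.0 (RFC 2426) syntax, the standard LDAP attribute names and the sample entry are assumptions; the certificate bytes are constructed placeholders.

```python
import base64

# Constructed sample entry (attribute -> values); the certificate is placeholder
# bytes standing in for a DER-encoded X.509 certificate, not a real one.
SAMPLE_ENTRY = {
    "cn": ["Jane Example"],
    "sn": ["Example"],
    "givenName": ["Jane"],
    "mail": ["jane@example.com"],
    # A user-edited value with an embedded newline and separators.
    "homePhone": ["+44 1632 960000\nsecond line; with, separators"],
    "userCertificate;binary": [bytes(range(200))],
}

def escape_text(value):
    """Escape a vCard 3.0 text value so user-supplied data stays in one property."""
    value = value.replace("\\", "\\\\").replace(";", "\\;").replace(",", "\\,")
    return value.replace("\r\n", "\\n").replace("\n", "\\n").replace("\r", "\\n")

def fold(line, width=75):
    """Fold a content line at `width` characters; CRLF plus one space continues it."""
    parts, rest = [line[:width]], line[width:]
    while rest:
        parts.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\r\n".join(parts)

def entry_to_vcard(entry):
    """Render one directory entry as a vCard 3.0 record, certificate included."""
    first = lambda attr: entry.get(attr, [""])[0]
    lines = ["BEGIN:VCARD", "VERSION:3.0",
             "FN:" + escape_text(first("cn")),
             "N:%s;%s;;;" % (escape_text(first("sn")), escape_text(first("givenName")))]
    lines += ["EMAIL;TYPE=INTERNET:" + escape_text(m) for m in entry.get("mail", [])]
    lines += ["TEL;TYPE=HOME:" + escape_text(t) for t in entry.get("homePhone", [])]
    for der in entry.get("userCertificate;binary", []):
        # The binary certificate is carried base64-encoded in the KEY property.
        lines.append("KEY;TYPE=X509;ENCODING=b:" + base64.b64encode(der).decode("ascii"))
    lines.append("END:VCARD")
    return "\r\n".join(fold(l) for l in lines) + "\r\n"

if __name__ == "__main__":
    print(entry_to_vcard(SAMPLE_ENTRY))
```

Because PIA lets end users edit white pages attributes, the escaping step is what keeps a value containing a line break from being read by the recipient's contact application as an extra property.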
Core Product Plans
The R14.0 IMA directory browser is a demonstration of capability, and
not yet a complete product. Isode's primary goal for this product is
in the context of its delegated administration capabilities for ISPs.
This will enable an ISP to provide an email and directory service for
a small organization, with directory information managed by the administrator
(using IMA and possibly Sodium) and by end users using PIA.
Users within the small organization will be provided with a simple
directory, using the Isode Web interface. This Web interface will be
packaged so that it can be used with "directory only" deployments.
What Isode will (probably) NOT Do
There are many commercial and open source toolkits that enable easy
development of Web interfaces to an LDAP directory. Isode is not intending
to provide another tool kit, or to build a generic framework that can
be customized for any deployment.
What Isode may Do
We will be providing a Web interface to access information in the directory.
We will provide customization for this, including:
- Ability to select which attributes are displayed.
- List display with and without search.
- Branding of the pages.
We may provide capabilities beyond this, including:
- Further customization options.
- Display of entry as Web page (as alternate to vCard).
- Directory browse mode, so that the hierarchy of the Directory is
exposed to the user.
Conclusions & Request for Feedback
Isode is providing some new Web tools to update and access information
in the directory as a part of R14, particularly to support Internet
Messaging. These tools will be packaged for use with "directory
only" in a future release. Feedback on requirements for these new
products is solicited.