Isode Directory Whitepapers
On this page you'll find a list of our Directory whitepapers, together with sections listing those papers with special relevance to X.500 Directories and those of more general relevance to anyone with an interest in directories. More information on Isode's Directory Solutions is available in the solutions section.
M-Vault R16.0 Benchmarks
This whitepaper provides performance benchmark information for the R16.0 release of Isode's M-Vault directory server. R16.0 standardises on the transactional in-memory database introduced in R15.2, which had performance improvements as a primary goal. This paper compares R16.0 M-Vault performance to R15.1, which used the older on-disk database.
(11th April 2013)
In R15 the central code in our M-Vault server was re-written in order to provide new functionality and significant performance enhancements over R14. This whitepaper provides benchmark figures for the latest M-Vault release and compares its performance with two well-known alternative LDAP servers.
(19th December 2011)
M-Vault Failover and Disaster Recovery
This white paper looks at how Isode's M-Vault directory server provides failover capabilities in support of disaster recovery. It looks at requirements for replication, and describes the architecture of Isode's approach and how this addresses disaster recovery requirements.
(20th June 2011)
SCRAM: A New Protocol for Password Authentication
SCRAM (Salted Challenge Response) is a new protocol and data storage mechanism to support password based authentication. This white paper looks at the security benefits of SCRAM, and how it should be used to complement PKI based strong authentication. It describes Isode’s current support and future plans for SCRAM.
(19th May 2010)
Isode Support for Kerberos, Active Directory and Single Sign On
This paper looks at how Isode client and server products can make use of Kerberos authentication, in configurations where Isode provides both client and server, and in conjunction with third party clients and servers, including Microsoft Active Directory. It looks at how Single Sign On (SSO) can be achieved for Isode products using Kerberos, and compares this with use of other SSO approaches.
(22nd April 2010)
by Email and over 'Air Gap'
Directory replication is an important feature of most directory services, commonly achieved by use of directory protocols. There are a number of situations where using directory protocols to perform replication does not work well. These include HF Radio and other constrained links, system boundaries where only email traffic is allowed, directory gateways performing security checks, and tactical directories with irregular network access. This paper looks at these scenarios, shows how directory replication over email and 'air gap' can address them, and describes the architecture and key features of Isode's solution.
(3rd September 2008)
Using Security Labels for Directory Access Control and Replication Control
This paper looks at how Security Labels can be used to provide security and management benefits to directory services. It shows how Security Labels can be used to control access to data based on the Security Clearance of the user accessing the directory, and how Security Labels can be used to control access to directory services and selective directory replication. The paper looks at the functionality that can be achieved, and how this functionality may be useful in handling a number of security problems.
(17th April 2008)
This document has been written to help those planning a directory deployment, and in particular Isode partners working on directory deployments for their customers and prospects. As the specifics of the approach taken will depend on the deployment requirements, this paper does not attempt to be prescriptive: there are no "right answers". Instead, a series of questions that (may) need to be asked are listed. Notes on those questions help define the answers and explain the implications of choices made. References to other material are provided where appropriate.
(5th March 2008)
Access Control using Security Labels & Security Clearance
Security Labels provide an important mechanism for controlling access to information in many high security environments, and are also useful in environments with lower security requirements. This paper provides a reasonably detailed description of how security labels and clearances work, while attempting to avoid the high level of technical complexity seen in many papers in this area.
(31st Jan 2008)
Password Policy for Directories
In this whitepaper we look at password policy for directories, its major capabilities, benefits, how it is integrated into other applications and how it is used. The paper looks at password policy features implemented by Isode’s M-Vault in Release 14.1. A few features are described that are planned for Release 14.2. M-Vault implements a comprehensive set of password policy features, and so this paper covers all features which are likely to be of interest. The paper focuses on showing how features appear to the end user and can be used and controlled by an administrator.
(27th Sept 2007)
Identity Management: Is Directory Inside or Outside?
The role of directory varies considerably in different Identity Management solutions. This includes systems where directory is a central and highly visible component, systems where directory is used but is not really visible, and systems that do not use directory. This paper examines the role of directory in Identity Management, with particular focus on functionality where an externally visible directory can play a part.
(19th Sept 2007)
Replicating and Synchronizing Data Between Directory Servers
There are many situations where it is useful in a directory service for directory data to be available in more than one directory server. This paper looks at three techniques for achieving this (replication, direct synchronization and indirect synchronization) and discusses when each is appropriate.
(11th Sept 2007)
Distributed PKI and Smart Cards
This paper considers authentication systems based on smart cards, where the smart cards will be issued by many organizations, and authentication must work at any location. An important example of this type of deployment is the US Government planned deployment in support of HSPD (Homeland Security Presidential Directive) 12.
(2nd August 2007)
Web Interfaces to the Directory
Isode provides a number of Web UIs that interact with its M-Vault directory servers, in support of both messaging and directory deployments. Two new UIs have been added as a part of our R14 release. The first goal of this paper is to give a description of the Isode UIs, which have been driven by Isode's Internet messaging product set. The two new UIs are currently a part of Internet Messaging management, but will change to become general purpose directory UIs. A second goal of this paper is to solicit input from Isode directory customers as to requirements that may be addressed by these new products.
(20th April 2007)
Why Strong Authentication for Directory?
LDAP and the X.500 directory protocols can all use strong authentication based on X.509 PKI (Public Key Infrastructure). This paper looks at the benefits and issues in using strong authentication for directory. It considers security threats to directory and looks at how strong authentication can be used to address these threats. It also looks at administrative benefits and drawbacks. This paper argues that strong authentication should be used wherever possible for server to server communication, and for administrator access.
(22nd Nov 2005)
in support of Large Scale PKI: Supporting Government Departments
In a previous white paper on Distributed Directory and PKI we took a "top level" view, and focused particularly on the relationship between departments and what is needed to be supported in the middle. This follow-on paper takes a departmental view, and looks at what a department will realistically need to do in order to provide a directory service that will integrate into the complete system. Whilst this white paper takes a generic approach, the models set out are written in light of the requirements of US Government departments that need to conform to Homeland Security Policy Directive 12 (HSPD12) and will interconnect using the Federal Bridge as part of the US Federal PKI.
(16th August 2005)
in support of large-scale PKI
This paper looks at the uses of directory made by a PKI (Public Key Infrastructure) system and PKI-enabled applications. It defines requirements in terms of directory and then looks at how directory can be used to meet these requirements, and implications on provision of a distributed directory.
(20th July 2005)
Directory as part of a distributed directory
There are many situations that require large distributed directories using LDAP (Lightweight Directory Access Protocol) and/or X.500, such as Government, Military and Aviation. Organizations building these distributed directories will often be making use of Microsoft Active Directory (AD). AD provides a number of key functions in a Microsoft server network, which impact its use as part of a distributed directory. This paper explains these issues, and then looks at three different approaches to using AD in the context of a distributed directory.
(5th July 2005)
for Tactical Directory
Directory is an important component of Tactical Military operations. This paper looks at requirements for Tactical Directory, explains why there are special replication requirements, and argues that this is the only area where requirements differ significantly from other military directories.
(30th June 2005)
Comparative Performance: Isode M-Vault vs. OpenLDAP
This white paper describes LDAP (Lightweight Directory Access Protocol) performance benchmark tests of Isode's M-Vault directory server, and gives comparison benchmarks with OpenLDAP. Tests were performed using the independent DirectoryMark tests, on a small Linux server, with database sizes from 100,000 to 1,000,000 entries.
(16th Oct 2003)
LDAP Version 3
This white paper, by Steve Kille (one of the LDAP authors), looks at LDAP v3 capabilities.
The LDAP Standard Specification
In June 2006, 10 new LDAP RFCs were published (RFCs 4510-4519) to provide a new LDAPv3 (Lightweight Directory Access Protocol version 3) specification and to replace RFC 2251 and a number of related specifications. The primary goal of this paper is to guide those with some basic knowledge of LDAP quickly through all of these documents.
Directory signed operations are often requested or mandated as a part of Military ACP 133 Directory or other directory services with high security requirements. This paper explains what directory signed operations are, the benefits they provide, and situations where it makes sense to require their use.
(11th July 2006)
Building a Highly Replicated Directory: The case for X.500 DISP
This whitepaper looks at issues related to replication, when building a highly distributed and replicated directory. It argues that X.500 DISP (Directory Information Shadowing Protocol) is the best solution to this problem. This paper looks particularly at military directory, which has strong requirements for highly replicated directory. The paper is also applicable to other environments.
(14th Sept 2004)
How to Build an Enterprise Directory with LDAP and X.500
This white paper shows how an LDAP directory can be deployed in an enterprise, and the benefits of using a directory such as M-Vault which supports X.500 functionality such as replication and access control.
LDAP and X.500
This article by Steve Kille, published in Messaging Magazine, looks at LDAP and X.500 and their relationship.
SNMP and Isode Servers
This white paper looks at the role of SNMP (Simple Network Management Protocol) in managing systems using Isode messaging and directory servers. It explains why SNMP support is provided, the sub-agent architecture used by Isode products, and approaches to deploying SNMP monitoring.
(29th May 2007)
ACP133: The Military
ACP 133 is the NATO Standard for Military Directory: "Common Directory Services and Procedures". The current version is "Edition B", published in February 2000. "Edition C" is being developed, and is expected to be published shortly. This white paper gives a short summary of ACP 133 aimed at readers with some familiarity with directory services.
(17th Aug 2006)
How AMHS users benefit from
This paper looks at how an AMHS end application, such as an AMHS Terminal sending and receiving flight plans, will utilize and benefit from the directory. This paper assumes a very basic understanding of AMHS and ATN Directory. For those unfamiliar with AMHS and ATN directory, a simple introduction is given in the Isode introduction to the Aviation industry. A simple explanation of the nature of the ATN Directory and its deployment in support of AMHS is given in the Isode White Paper Deploying the ATN Directory with AMHS: What you can do now.
(21st March 2006)
Operational Monitoring and Control of Systems using Isode Servers
Isode server products are deployed in a wide variety of situations, and usually there is a high service reliance placed on them. Isode’s approach to server design and management is that the products are building blocks, with maximum use of open standard protocols for interconnection. Management is almost entirely client/server. This combination of building block + client/server means that the approach to operational management needs to be considered as part of the overall system design. This paper explains the approach Isode has taken and the options provided, that can be used to build an operational system.
(1st March 2006)
ATN Directory Vision: An Infrastructure for Supporting AMHS and Ground to Ground Communication
This paper sets out the benefits of using an ATN Directory in support of AMHS (Air Traffic Services (ATS) Message Handling Services) and ground to ground messaging communication, and explains how this directory could be deployed in conjunction with AMHS.
(9th Feb 2005)
Why do ISPs need LDAP?
This white paper looks at why an Internet Service Provider (ISP) or Mobile Provider would want to use LDAP and the benefits to an ISP of holding customer account information in an LDAP Directory.
(3rd Dec 2004)
Isode Management Architecture: Client/Server and Directory
Isode's core business is messaging and directory servers. Isode products are designed for service oriented environments, such as ISPs, military, government and aviation. These are environments where there are stringent management requirements. This white paper sets out the approaches that Isode takes to address management requirements.
(21st Sept 2004)
Combining Directories and Relational Databases in the Enterprise
This white paper examines the capabilities of LDAP directories and relational databases, and shows how they have complementary roles within an enterprise.
Meta-Directories: Cutting Through
This white paper gives a controversial view of the Meta Directory solutions offered by some vendors in the directory space.
Why Deploy an Enterprise Directory?
This white paper gives a good introduction to the rationale for using a directory within an enterprise.