Whitepapers

Directory

On this page you'll find a list of our Directory whitepapers together with sections listing those papers with a special relevance to X.500 Directories and and those of a more general relevance to those with interest in directories.

For more information on Isode's Directory Solutions, please click here.

---

General Directory

Using Security Labels for Directory Access Control and Replication Control
This paper looks at how Security Labels can be used to provide security and management benefits to directory services. It shows how Security Labels can be used to control access to data based on the Security Clearance of the user accessing the directory, and how Security Labels can be used to control access to directory services and selective directory replication.
(17th April 2008)

Managing and securely determining Security Clearance
Access controls based on Security Labels are made by matching the Security Label against the Security Clearance of the user or location for which the access control check is being made. This paper looks at how to ensure that the correct Security Clearance is used, and the role of directory in achieving this.
(18th March 2008)

Directory Deployment Planning Checklist
This document has been written to help those planning a directory deployment, and in particular Isode partners working on directory deployments for their customers and prospects. As the specifics of the approach taken will depend on the deployment requirements this paper does not attempt to be prescriptive, there are no "right answers". Instead, a series of questions that (may) need to be asked are listed. Notes on those questions help define the answers and explain the implications of choices made. References to other material are provided where appropriate.
(5th March 2008)

Access Control using Security Labels & Security Clearance
Security Labels provide an important mechanism for controlling access to information in many high security environments, and are also useful in environments with lower security requirements. This paper provides a reasonably detailed description of how security labels and clearances work, while attempting to avoid the high level of technical complexity seen in many papers in this area.
(31st Jan 2008)

Password Policy for Directories
In this whitepaper we look at password policy for directories, its major capabilities, benefits, how it is integrated into other applications and how it is used. The paper looks at password policy features implemented by Isode’s M-Vault in Release 14.1. A few features are described that are planned for Release 14.2. M-Vault implements a comprehensive set of password policy features, and so this paper covers all features which are likely to be of interest. The paper focuses on showing how features appear to the end user and can be used and controlled by an administrator.
(27th Sept 2007)

Identity Management: Is Directory Inside or Outside?
The role of directory varies considerably in different Identity Management solutions. This includes; systems where directory is a central and highly visible component, systems where directory is used, but is not really visible and systems that do not use directory. This paper examines the role of directory in Identity Management, with particular focus on functionality where an externally visible directory can play a part.
(19th Sept 2007)

Replicating and Synchronizing Data Between Directory Servers
There are many situations where it is useful in a directory service for directory data to be available in more than one directory server. This paper looks at three techniques for achieving this (replication, direct synchronization and indirect synchronization) and discusses when each is appropriate.
(11th Sept 2007)

Federated Identity, Distributed PKI and Smart Cards
This paper considers authentication systems based on smart cards, where the smart cards will be issued by many organizations, and authentication must work at any location. An important example of this type of deployment is the US Government planned deployment in support of HSPD (Homeland Security Presidential Directive) 12.
(2nd August 2007)

Web Interfaces to the Directory
Isode provides a number of Web UIs that interact with its M-Vault directory servers, in support of both messaging and directory deployments. Two new UIs have been added as a part of our R14 release. The first goal of this paper is to give a description of the Isode UIs, which have been driven by Isode's Internet messaging product set. The two new UIs are currently a part of Internet Messaging management, but will change to become general purpose directory UIs. A second goal of this paper is to solicit input from Isode directory customers as to requirements that may be addressed by these new products.
(20th April 2007)

Easy Setup of Strong Authentication
In order to gain the overall administrative "win" by choosing strong authentication, it is critical to make the setup of keys and certificates very easy, which in turn leads to the requirement on making Certification Authority interaction easy. This paper looks at how to achieve this goal, and Isode’s approach to the problem.
(22nd Nov 2005)

Why Strong Authentication for Directory?
LDAP and the X.500 directory protocols can all use strong authentication based on X.509 PKI (Public Key Infrastructure). This paper looks at the benefits and issues in using strong authentication for directory. It considers security threats to directory and looks at how strong authentication can be used to address these threats. It also looks at administrative benefits and drawbacks. This paper argues that strong authentication should used wherever possible for server to server communication, and for administrator access.
(22nd Nov 2005)

Why Strong Authentication? – The Security and Administrative Benefits of using X.509 PKI based Strong Authentication
Strong authentication based on X.509 PKI (Public Key Infrastructure) is available in a number of protocols and provides both security & administrative benefits and drawbacks. This paper looks at the security and administrative benefits (and draw backs) of using strong authentication. This paper looks at generic issues that apply to many applications and protocols using strong authentication. Future white papers will look at specific applications of strong authentication.
(22nd Nov 2005)

Distributed Directory in support of Large Scale PKI: Supporting Government Departments
In a previous white paper on Distributed Directory and PKI we took a "top level" view, and focused particularly on the relationship between departments and what is needed to be supported in the middle. This follow-on paper takes a departmental view, and looks at what a department will realistically need to do in order to provide a directory service that will integrate into the complete system. Whilst this white paper takes a generic approach, the models set out are written in light of the requirements of US Government departments that need to conform to Homeland Security Policy Directive 12 (HSPD12) and will interconnect using the Federal Bridge as part of the US Federal PKI.
(16th August 2005)

Distributed directory in support of large-scale PKI
This paper looks at the uses of directory made by a PKI (Public Key Infrastructure) system and PKI-enabled applications. It defines requirements in terms of directory and then looks at how directory can be used to meet these requirements, and implications on provision of a distributed directory.
(20th July 2005)

Using Active Directory as part of a distributed directory
There are many situations that require large distributed directories using LDAP (Lightweight Directory Access Protocol) and/or X.500, such as Government, Military and Aviation. Organizations building these distributed directories will often be making use of Microsoft Active Directory (AD). AD provides a number of key functions in a Microsoft server network, which impact its use as part of a distributed directory. This paper explains these issues, and then looks at three different approaches to using AD in the context of a distributed directory.
(5th July 2005)

Replication for Tactical Directory
Directory is an important component of Tactical Military operations. This paper looks at requirements for Tactical Directory, explains why there are special replication requirements, and that this is the only area where requirements differ significantly to other military directories.
(30th June 2005)

Why do ISPs need LDAP?
This white paper looks at why an Internet Service Provider (ISP) or Mobile Provider would want to use LDAP and the benefits to an ISP of holding customer account information in an LDAP Directory.
(3rd Dec 2004)

Comparative Performance: Isode M-Vault vs. OpenLDAP
This white paper describes LDAP (Lightweight Directory Access Protocol) performance benchmark tests of Isode's M-Vault directory server, and gives comparison benchmarks with OpenLDAP. Tests were performed using the independent DirectoryMark tests, on a small Linux server, with database sizes from 100,000 to 1,000,000 entries.
(16th Oct 2003)

LDAP Version 3
This white paper, by Steve Kille (one of the LDAP authors), looks at LDAP v3 capabilities.

The LDAP Standard Specification
In June 2006, 10 new LDAP RFCs were published (RFCs 4510-4519) to provide a new LDAPv3 (Lightweight Directory Access Protocol version 3) specification and to replace RFC 2251 and a number of related specifications. The primary goal of this paper is to guide those with some basic knowledge of LDAP quickly through all of these documents.

 

X.500

Directory Signed Operations
Directory signed operation are often requested or mandated as a part of Military ACP 133 Directory or other directory services with high security requirements. This paper explains what directory signed operations are, the benefits they provide, and situations where it makes sense to require their use.
(11th July 2006)

Building a Highly Replicated Directory: The case for X.500 DISP
This whitepaper looks at issues related to replication, when building a highly distributed and replicated directory. It argues that X.500 DISP (Directory Information Shadowing Protocol) is the best solution to this problem. This paper looks particularly at military directory, which has strong requirements for highly replicated directory. The paper is also applicable to other environments.
(14th Sept 2004)

How to Build an Enterprise Directory with LDAP and X.500
This white paper shows how an LDAP directory can be deployed in an enterprise, and the benefits of using a directory such as M-Vault which supports X.500 functionality such as replication and access control.

LDAP and X.500
This article by Steve Kille, Published in Messaging Magazine, looks at LDAP and X.500 and their relationship.

 

General

SNMP and Isode Servers
This white paper looks at the role of SNMP (Simple Network Management Protocol) in managing systems using Isode messaging and directory servers. It explains why SNMP support is provided, the sub-agent architecture used by Isode products, and approaches to deploying SNMP monitoring.
(29th May 2007)

ACP133: The Military Directory Standard
ACP 133 is the NATO Standard for Military Directory: "Common Directory Services and Procedures". The current version is "Edition B", published in February 2000. "Edition C" is being developed, and is expected to be published shortly. This white paper gives a short summary of ACP 133 aimed at readers with some familiarity with directory services.
(17th Aug 2006)

How AMHS users benefit from directory
This paper looks at how an AMHS end application, such as an AMHS Terminal sending and receiving flight plans, will utilize and benefit from the directory. This paper assumes a very basic understanding of AMHS and ATN Directory. For those unfamiliar with AMHS and ATN directory, a simple introduction is given in the Isode introduction to the Aviation industry. A simple explanation of the nature of the ATN Directory and its deployment in support of AMHS is given in the Isode White Paper Deploying the ATN Directory with AMHS: What you can do now.
(21st March 2006)

Operational Monitoring and Control of Systems using Isode Servers
Isode server products are deployed in a wide variety of situations, and usually there is a high service reliance placed on them. Isode’s approach to server design and management is that the products are building blocks, with maximum use of open standard protocols for interconnection. Management is almost entirely client/server. This combination of building block + client/server means that the approach to operational management needs to be considered as part of the overall system design. This paper explains the approach Isode has taken and the options provided, that can be used to build an operational system.
(1st March 2006)

ATN Directory Vision: An Infrastructure for Supporting AMHS and Ground to Ground Communication
This paper sets out the benefits of using an ATN Directory in support of AMHS (Air Traffic Services (ATS) Message Handling Services) and ground to ground messaging communication, and explains how this directory could be deployed in conjunction with AMHS.
(9th Feb 2005)

Isode Management Architecture: Client/Server and Directory
Isode's core business is messaging and directory servers. Isode products are designed for service oriented environments, such as ISPs, military, government and aviation. These are environments where there are stringent management requirements. This white paper sets out the approaches that Isode takes to address management requirements.
(21st Sept 2004)

Combining Directories and Relational Databases in the Enterprise
This white paper examines the capabilities of LDAP directories and relational databases, and shows how they have complementary roles within an enterprise.

Meta-Directories: Cutting Through the Hype
This white paper gives a controversial view of the Meta Directory solutions offered by some vendors in the directory space.

Why Deploy an Enterprise Directory?
This white paper gives a good introduction to the rationale for using a directory within an enterprise.