Government Directory: LDAP and X.500
Isode's M-Vault directory products are a popular choice for Government directory deployments. This page shows why Isode's products are ideal for this environment, where typical uses include support of white pages services for email and general purpose use, support of account information and control of user access (including authentication and authorization) and support for digital signature and PKI (Public Key Infrastructure).
What Isode Provides
Isode's directory products (the M-Vault LDAP and X.500 directory server and the Sodium Sync directory synchronisation tool) are used by government organizations all round the world because their functionality is well suited to this type of deployment. M-Vault and Sodium Sync have excellent capabilities to address all of the key government directory requirements identified on this page. The following diagram shows an example departmental directory.
This diagram shows:
- LDAP Access from email clients to support address lookup and from applications to provide user authentication.
- Directory management using Isode's M-Vault Console management tool.
- Data management using Isode's Sodium (Secure Open Data, Identity and User Manager) data management tool.
- Directory synchronisation using Sodium Sync, which enables synchronization between directory servers and other data sources such as files and databases.
- Data replication using X.500 Directory Information Shadowing Protocol (DISP) to share data with other departments to increase performance and resilience.
- A Certification Authority, such as Entrust, accessing and managing data in M-Vault.
- X.500 chaining using X.500 Directory System Protocol (DSP) to access data in a peer departmental X.500 capable directory.
- LDAP chaining to access data in a peer departmental LDAP directory.
The conflicting influences of centralisation and independence inevitably lead governments to build complex, heterogeneous, distributed systems in which directories are connected to provide an overall service.
In many government departments sharing information, such as white pages and email routing data, is critical to IT operations. They also wish to operate in a resilient and independent manner. These two factors combined necessitate the replication of directory data between departments so that operation is not dependent on remote directory servers.
Digital Signatures and PKI
Digital signature initiatives are important cross-departmental functions that rely on a directory infrastructure in order to support PKI.
Security and Audit
Government IT systems have complex legal requirements to handle, and often have to balance and support both "data protection" and "freedom of information" obligations. When these high-level requirements are translated onto underlying components such as the directory, they lead to high security requirements (to protect and control data) and high audit requirements (for accountability).
LDAP and X.500
LDAP is the most popular directory access mechanism, and is the access mechanism of choice for government directories. Because of the specialized nature of government requirements, X.500 is also particularly important because:
- The requirements for distributed working and open replication are solved well by X.500, which has standardized directory server to directory server communication and standardized replication.
- PKI makes use of binary (ASN.1) attributes, defined in X.509. LDAP is designed for string encoded attributes, and the extensions for handling binary attributes are not well supported in many LDAP servers. X.509 was designed in parallel with X.500, so it makes sense to use an X.500 based directory to support X.509.