M-Vault Connector is a specialized version of the full M-Vault directory server, not a simple cut-down protocol engine. This gives a number of advantages:
- Protocol conformance to LDAP and to X.500, including procedures for distributed operations.
- Use of the flexible M-Vault management tools.
- "Knowledge management" capabilities mean that M-Vault Connector can be configured to know the location of as many X.500 and LDAP directories as necessary, so that each query is routed directly to the server that can resolve it.
- M-Vault Connector can replicate data from LDAP directories (using an LDAP changelog) and from X.500 directories using X.500 DISP (Directory Information Shadowing Protocol).
Governments and organizations often choose to deploy X.500 because it enables departments to operate independent directories, and connect using the standard X.500 directory system protocol (DSP) and replication (DISP). This will typically be achieved by deployment of a central X.500 service, with departments independently selecting their directory server products.
M-Vault Connector is useful in situations where a department wishes to deploy an LDAP-only directory, which cannot connect to the central X.500 system. M-Vault Connector enables the departmental directory to be integrated with the central directory. Queries are resolved in two basic scenarios:
- A departmental user makes an LDAP query to the departmental directory, for data in another department. The departmental LDAP directory does not have the data, and so returns an LDAP referral to the LDAP client, pointing to M-Vault Connector. The client then repeats the LDAP query to M-Vault Connector, which "chains" the query using X.500 DSP to the central X.500 directory, which will either resolve the query directly or pass it on to the appropriate departmental server.
- A directory query relating to this departmental directory, typically from another department, is handled by the central X.500 directory. This query is chained using X.500 DSP to M-Vault Connector. M-Vault Connector then uses "LDAP chaining" and connects to the departmental directory using LDAPv3 to resolve the query.
The performance of this system can be optimized by replication of data.
- Data can be replicated between the X.500 central directory and M-Vault Connector using X.500 DISP.
- Data can be replicated between M-Vault Connector and the departmental directory by use of LDAP and changelog. This will require some custom scripting.
- Replication can be staged, so that data from the departmental directory can be replicated into the central X.500 directory and vice versa.
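The custom scripting mentioned for LDAP changelog replication is, at its core, a loop that reads changelog entries newer than the last one applied and replays them on the other directory. The Python below is an added example of that core, not Isode's code: it parses entries in the widely used cn=changelog format (changeNumber, targetDN, changeType, changes), turns those newer than a stored high-water mark into the operations to apply, and returns the new mark. The changelog sample is constructed (DNs and entry names are placeholders), and because LDIF requires multi-line values to be base64-encoded, the sample's `changes` values are encoded when the sample is built. Fetching the entries from the server and applying the operations to the target directory are left to the surrounding script.

```python
"""Constructed example: replay LDAP changelog entries on another
directory, resuming from a stored high-water mark. Minimal LDIF subset:
folded lines, ':' and '::' (base64) values, case-insensitive attr names."""
import base64


def unfold(text):
    """Rejoin LDIF continuation lines (leading space); drop '#' comments."""
    out = []
    for raw in text.splitlines():
        if raw.startswith(" ") and out:
            out[-1] += raw[1:]
        elif not raw.startswith("#"):
            out.append(raw)
    return out


def parse_attr_lines(lines):
    """'attr: value' / 'attr:: base64' lines -> {attr_lower: [values]}."""
    entry = {}
    for line in lines:
        if not line.strip():
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):                   # '::' marks a base64 value
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        entry.setdefault(name.strip().lower(), []).append(value)
    return entry


def parse_ldif_records(text):
    """Split unfolded LDIF into blank-line separated records."""
    records, current = [], []
    for line in unfold(text) + [""]:
        if line.strip():
            current.append(line)
        elif current:
            records.append(parse_attr_lines(current))
            current = []
    return records


def parse_modify_changes(changes):
    """Modify 'changes' value: 'add|delete|replace: attr' blocks separated
    by '-' lines -> [(op, attr, [values])] in application order."""
    mods, block = [], []
    for line in unfold(changes) + ["-"]:
        if line.strip() == "-":
            if block:
                op, _, attr = block[0].partition(":")
                attr = attr.strip().lower()
                mods.append((op.strip().lower(), attr,
                             parse_attr_lines(block[1:]).get(attr, [])))
                block = []
        elif line.strip():
            block.append(line)
    return mods


def changelog_to_operations(ldif_text, last_seen):
    """([(changeType, targetDN, detail)], new_mark) for entries with
    changeNumber > last_seen, in changeNumber order. Persist new_mark so a
    restart does not replay changes; apply ops in the returned order."""
    ops, mark = [], last_seen
    records = parse_ldif_records(ldif_text)
    for rec in sorted(records, key=lambda r: int(r["changenumber"][0])):
        number = int(rec["changenumber"][0])
        if number <= last_seen:
            continue
        ctype = rec["changetype"][0].lower()
        changes = rec.get("changes", [""])[0]
        if ctype == "add":
            detail = parse_attr_lines(unfold(changes))   # attributes of new entry
        elif ctype == "modify":
            detail = parse_modify_changes(changes)
        elif ctype == "delete":
            detail = None
        else:   # modrdn/moddn etc. need their own handling; fail loudly
            raise ValueError(f"changeNumber {number}: unsupported changeType {ctype!r}")
        ops.append((ctype, rec["targetdn"][0], detail))
        mark = number
    return ops, mark


# Constructed sample of a search under cn=changelog. Multi-line 'changes'
# values must be base64 in LDIF, so they are encoded when the sample is built.
def _b64(s):
    return base64.b64encode(s.encode("utf-8")).decode("ascii")


ADD_CHANGES = "objectClass: inetOrgPerson\ncn: Jane Doe\nsn: Doe\nmail: jane.doe@example.gov\n"
MOD_CHANGES = "replace: telephoneNumber\ntelephoneNumber: +44 20 7946 0000\n-\nadd: mail\nmail: jdoe@example.gov\n-\n"
SAMPLE_CHANGELOG = f"""dn: changeNumber=101,cn=changelog
changeNumber: 101
targetDN: cn=Jane Doe,ou=Dept A,o=Gov
changeType: add
changes:: {_b64(ADD_CHANGES)}

dn: changeNumber=102,cn=changelog
changeNumber: 102
targetDN: cn=Jane Doe,ou=Dept A,o=Gov
changeType: modify
changes:: {_b64(MOD_CHANGES)}

dn: changeNumber=103,cn=changelog
changeNumber: 103
targetDN: cn=Old Entry,ou=Dept A,o=Gov
changeType: delete
"""
```

`changelog_to_operations(SAMPLE_CHANGELOG, 100)` yields an add, a modify and a delete and a new mark of 103; calling it again with 103 yields nothing. The surrounding script searches cn=changelog for entries above the stored mark, applies each operation in order, and only then persists the new mark. The account it binds with on the target directory needs write access to the replicated subtree and nothing more; the same account's privileges bound what a compromised replication script could alter.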
There are many advantages in building a distributed directory. In particular it enables data to be managed locally and in a server that is appropriate to local (and usually most frequent) use. Provided that care is taken with consistent naming of directories and structure of the DIT (Directory Information Tree), multiple directory servers can work together to provide a coherent directory service.
In principle, a set of directory servers could all work together as peers. In practice, it works better to have a central M-Vault Connector directory, as shown above. This central directory does not hold any data, but facilitates all of the directories working together.
The key value the M-Vault Connector provides in this scenario is that it knows about the location of all of the other directory servers, and can dispatch queries to the server that can resolve them. There are a number of reasons why this is desirable.
- Some LDAP clients do not support referrals, so it is desirable to connect them to a server which can either resolve queries directly or can resolve them by chaining (either LDAP chaining or DSP) so that the distributed nature of the directory is hidden from the client. If this is used to support many clients, then it may be desirable to use the replication capabilities of M-Vault Connector to optimize performance.
- Where there are many departmental servers, it is administratively awkward to configure all directory servers to know about the other directory servers. There are no LDAP standards for doing this automatically. It is more convenient to configure M-Vault Connector to know where all of the servers are, and for each server to default queries back to M-Vault Connector.
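The two query scenarios above and the knowledge-reference routing described in these bullets are one mechanism seen from two ends: a server that does not hold the target either returns a referral or chains, and the Connector dispatches the query to the server whose naming context covers the target DN. The Python below is an added illustration of that dispatch logic, not M-Vault code: a knowledge table keyed by naming context, longest-suffix matching on the DN, and parsing of the LDAP referral URL (RFC 4516) that a client must follow. Hostnames, naming contexts and the "local" and "central" labels are assumptions made for the example, and nothing connects to a real server.

```python
"""Constructed example of knowledge-reference routing in a distributed
LDAP/X.500 directory: which server a query for a given DN should go to,
and how a client follows an LDAP referral URL (RFC 4516). No network I/O."""
from urllib.parse import quote, unquote, urlsplit


def split_dn(dn):
    """Split a DN into RDN strings; a backslash-escaped comma stays
    inside its RDN instead of starting a new one."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])      # copy escape pair verbatim
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    rdns.append("".join(cur))
    return [r for r in rdns if r.strip()]


def normalize_dn(dn):
    """Tuple of 'type=value' RDNs, lower-cased and trimmed, so DNs that
    differ only in case or spacing compare equal. Approximates
    caseIgnoreMatch; not a full RFC 4517 matching implementation."""
    out = []
    for rdn in split_dn(dn):
        attr, _, value = rdn.partition("=")
        out.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return tuple(out)


class KnowledgeTable:
    """Knowledge references: naming context -> server responsible for it.
    route() picks the most specific context that is a suffix of the
    target DN, or returns None when no reference covers the DN."""

    def __init__(self):
        self.refs = {}

    def add(self, context_dn, server):
        self.refs[normalize_dn(context_dn)] = server

    def route(self, target_dn):
        target = normalize_dn(target_dn)
        best = None
        for ctx, server in self.refs.items():
            n = len(ctx)
            if n <= len(target) and target[len(target) - n:] == ctx:
                if best is None or n > best[0]:
                    best = (n, server)
        return best[1] if best else None


def make_referral(server_url, target_dn):
    """The LDAP URL a server hands back when it does not hold the target
    (DN part only; attributes, scope and filter left at defaults)."""
    return f"{server_url}/{quote(target_dn, safe='=,')}"


def parse_referral(url):
    """Extract the server and base DN the client must re-issue the query to."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError(f"not an LDAP URL: {url}")
    port = parts.port or (636 if parts.scheme == "ldaps" else 389)
    return {"scheme": parts.scheme, "host": parts.hostname or "",
            "port": port, "base_dn": unquote(parts.path.lstrip("/"))}


# Assumed deployment (placeholder hostnames): the Connector knows every
# server; the departmental server knows only its own subtree.
CONNECTOR_URL = "ldap://connector.example.gov:389"
connector = KnowledgeTable()
connector.add("o=Gov", "central X.500 DSA, chained via DSP")
connector.add("ou=Dept A,o=Gov", "ldap://dsa-a.example.gov, LDAP chaining")
connector.add("ou=Dept B,o=Gov", "ldap://dsa-b.example.gov, LDAP chaining")
dept_a = KnowledgeTable()
dept_a.add("ou=Dept A,o=Gov", "local")


def departmental_query(target_dn):
    """Scenario 1: Dept A's server answers locally or returns a referral
    to the Connector; the client follows it and the Connector chains to
    whichever server's knowledge reference covers the DN."""
    if dept_a.route(target_dn) == "local":
        return ("answered locally", None)
    referral = make_referral(CONNECTOR_URL, target_dn)
    base_dn = parse_referral(referral)["base_dn"]   # client re-issues here
    return ("referred then chained", connector.route(base_dn))


if __name__ == "__main__":
    for dn in ("cn=Jane Doe,ou=Dept A,o=Gov", "cn=John Smith,ou=Dept B,o=Gov",
               "cn=Someone,ou=Dept C,o=Gov"):
        print(dn, "->", departmental_query(dn))
```

A query under Dept B is routed to Dept B's server because its context is a longer suffix than `o=Gov`; a query under a department the Connector has no reference for falls back to the central X.500 DSA, which is what lets departments be added without reconfiguring every other server. A DN outside `o=Gov` routes nowhere and would be answered with noSuchObject or a referral elsewhere.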
Protocols and Authentication
X.500 DSP distinguishes between the directory servers that are connecting and the initiator of the query, so DSP authentication is straightforward: M-Vault Connector authenticates to the X.500 server as a DSA peer, and the identity of the original requester travels with the chained operation. LDAP (and X.500 Directory Access Protocol (DAP)) do not make this distinction. When M-Vault Connector performs LDAP chaining, it must bind to the LDAP directory as a user, and the departmental directory applies its access controls to that bind identity, not to the user who originated the query. M-Vault Connector can be configured to bind anonymously or as a specific user. Because every chained query sees whatever that account is permitted to see, the account should be granted no more access than the chained clients are entitled to, and the departmental directory cannot use it to tell individual requesters apart.