M-Vault Open Standards Conformance
M-Vault is, and was designed to be, a multi-protocol server and so is able to support LDAP (v2 and v3) and X.500 (DAP) client access. Distribution of a directory service is mainly achieved using X.500 protocols - DSP (Directory System Protocol) for distributing client operations and DISP (Directory Information Shadowing Protocol) to replicate data between directory servers.
Additionally, M-Vault is able to interconnect LDAP and X.500 servers and make them part of a distributed directory system using LDAP chaining (i.e. by converting incoming LDAP requests to X.500 and vice versa).
The sections below set out the supported standards for LDAP and X.500, the additional application-specific specifications, and aviation and military conformance.
LDAP Support in M-Vault
The M-Vault directory server provides full support for LDAP, including the current standard version (LDAPv3) [RFC 4510-4519] and its predecessor (LDAPv2) [RFC 1777-1779,1781]. This support is a key part of the module, as LDAP is the leading standard for client/server directory integration. Desktop applications requiring use of a directory, such as mail clients with directory-based address book capabilities, use LDAP as the primary access protocol. The following documents comprise the LDAP (v3) technical specification.
|RFC 4510||LDAP: Technical Specification Roadmap, K. Zeilenga, June 2006|
|RFC 4511||LDAP: The Protocol, J. Sermersheim, June 2006|
|RFC 4512||LDAP: Directory Information Models, K. Zeilenga, June 2006|
|RFC 4513||LDAP: Authentication Methods and Security Mechanisms, R. Harrison, June 2006|
|RFC 4514||LDAP: String Representation of Distinguished Names, K. Zeilenga, June 2006|
|RFC 4515||LDAP: String Representation of Search Filters, M. Smith, T. Howes, June 2006|
|RFC 4516||LDAP: Uniform Resource Locator, M. Smith, T. Howes, June 2006|
|RFC 4517||LDAP: Syntaxes and Matching Rules, S. Legg, June 2006|
|RFC 4518||LDAP: Internationalized String Preparation, K. Zeilenga, June 2006|
|RFC 4519||LDAP: Schema for User Applications, A. Sciberras, June 2006|
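Two of the documents above, RFC 4514 (string DNs) and RFC 4515 (string filters), define the escaping that separates data from syntax, and unescaped user input in either is the root of LDAP injection. The following example, written for this page rather than taken from M-Vault or any Isode code, implements both sets of escaping rules and shows the difference between raw interpolation and an escaped filter; the base DN `ou=people,o=example` and the `uid`/`inetOrgPerson` names are assumed sample values.

```python
# Added example: RFC 4515 filter-value and RFC 4514 DN-value escaping.
# Illustrative code written for this page, not Isode's M-Vault code.
# The base DN "ou=people,o=example" and attribute names are assumed.

FILTER_MUST_ESCAPE = b"*()\\\x00"   # RFC 4515 s.3: these bytes MUST be escaped
DN_SPECIALS = '"+,;<>\\'            # RFC 4514 s.2.4: escape wherever they appear


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for an RFC 4515 search filter string.

    RFC 4515 requires '*', '(', ')', '\\' and NUL to be written as a
    backslash plus two hex digits.  Any other byte MAY be escaped the same
    way; escaping control and non-ASCII bytes as well yields a pure-ASCII
    filter, which is convenient for logging and for chained/proxied requests.
    """
    out = []
    for b in value.encode("utf-8"):
        if b in FILTER_MUST_ESCAPE or b < 0x20 or b > 0x7E:
            out.append("\\%02x" % b)
        else:
            out.append(chr(b))
    return "".join(out)


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for an RFC 4514 string DN (section 2.4).

    '"', '+', ',', ';', '<', '>' and '\\' are escaped anywhere; a leading
    space or '#' and a trailing space are escaped so the value round-trips;
    NUL is written as the hex pair '\\00'.
    """
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in DN_SPECIALS:
            out.append("\\" + ch)
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        elif ch == "#" and i == 0:
            out.append("\\#")
        else:
            out.append(ch)
    return "".join(out)


def user_filter(uid: str) -> str:
    """Filter matching exactly the given uid, however hostile the input."""
    return "(&(objectClass=inetOrgPerson)(uid=%s))" % escape_filter_value(uid)


def unsafe_user_filter(uid: str) -> str:
    """The pattern to avoid: raw interpolation, kept here for contrast."""
    return "(&(objectClass=inetOrgPerson)(uid=%s))" % uid


def user_dn(uid: str, base: str = "ou=people,o=example") -> str:
    """RDN plus base DN for a user entry; the base DN is an assumed sample."""
    return "uid=%s,%s" % (escape_dn_value(uid), base)


if __name__ == "__main__":
    hostile = "*)(uid=*"   # constructed injection attempt, not a real value
    # Raw interpolation turns a single-user lookup into a match-everything filter:
    print(unsafe_user_filter(hostile))  # (&(objectClass=inetOrgPerson)(uid=*)(uid=*))
    # Escaped, the same input is just a literal assertion value:
    print(user_filter(hostile))         # (&(objectClass=inetOrgPerson)(uid=\2a\29\28uid=\2a))
    print(user_dn(" Smith, John #1 "))  # uid=\ Smith\, John #1\ ,ou=people,o=example
```

The two escaping schemes are not interchangeable: a DN value escaped with RFC 4514 backslash-character pairs is still unsafe inside a filter, because RFC 4515 only recognises the backslash-hex form, and a filter-escaped value placed in a DN leaves `,` and `+` unescaped. Escape at the point where the value enters each syntax, and never reuse one routine for the other.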
As well as supporting the base LDAP protocol, M-Vault implements a number of extensions that make a wider range of functionality available to clients and users. M-Vault supports the following features, extensions and related specifications (partial list). SASL conformance and TLS conformance are set out on separate pages. Application schema support is listed separately:
|RFC 5805||Lightweight Directory Access Protocol (LDAP) Transactions, K. Zeilenga, March 2010|
|RFC 5246||The Transport Layer Security (TLS) Protocol Version 1.2, T. Dierks, E. Rescorla, August 2008|
|RFC 4532||LDAP: "Who am I?" Operation, K. Zeilenga, June 2006|
|RFC 4530||LDAP: entryUUID Operational Attribute, K. Zeilenga, June 2006|
|RFC 4522||LDAP: The Binary Encoding Option, S. Legg, June 2006|
|RFC 3673||LDAP: All Operational Attributes, K. Zeilenga, December 2003|
|RFC 3672||LDAP: Subentries in the Lightweight Directory Access Protocol (LDAP), K. Zeilenga, S. Legg, September 2003|
|RFC 3671||Collective Attributes in the Lightweight Directory Access Protocol (LDAP), K. Zeilenga, December 2003|
|RFC 3062||LDAP Password Modify Extended Operation, K. Zeilenga, February 2001|
|RFC 3045||Storing Vendor Information in the LDAP root DSE, M. Meredith, December 2000|
|RFC 2891||LDAP Control Extension for Server Side Sorting of Search Results, T. Howes, M. Wahl, A. Anantha, August 2000|
|RFC 2849||The LDAP Data Interchange Format (LDIF) - Technical Specification, G. Good, June 2000|
|RFC 2696||LDAP Control Extension for Simple Paged Results Manipulation, C. Weider, A. Herron, A. Anantha, T. Howes, September 1999|
|Draft||Definition of an Object Class to Hold LDAP Change Records|
X.500 Support in M-Vault
M-Vault implements the three main application protocols of X.500, these being:
- Directory Access Protocol (DAP) - for client access.
- Directory System Protocol (DSP) - for the communication of directory operations in a distributed directory system.
- Directory Information Shadowing Protocol (DISP) - for the replication of stored data from one server to another.
The server and client libraries and client products using DAP support the X.500 (2008) version of the standard.
X.500 interoperability testing has been demonstrated in live commercial and government operational environments and at EuroSInet test-bed workshops. Isode directories have also undergone extensive internal stress testing, scalability and performance testing, and conformance testing. Interoperability of the Isode directory server has been demonstrated with other X.500 vendors.
The set of X.500 (and related) specifications that M-Vault directory server conforms to include:
|ITU X.500||The Directory: Overview of concepts, models and services, ISO/IEC 9594-1, 2008|
|ITU X.501||The Directory: Models, ISO/IEC 9594-2, 2008|
|ITU X.509||The Directory: Authentication framework, ISO/IEC 9594-8, 2008|
|ITU X.511||The Directory: Abstract service definition, ISO/IEC 9594-3, 2008|
|ITU X.518||The Directory: Procedures for distributed operation, ISO/IEC 9594-4, 2008|
|ITU X.519||The Directory: Protocol specifications, ISO/IEC 9594-5, 2008|
|ITU X.521||The Directory: Selected object classes, ISO/IEC 9594-7, 2008|
|ITU X.525||The Directory: Replication, ISO/IEC 9594-9, 2008|
Conformance for X.500 products is defined in X.519, which gives a list of conformance questions that should be addressed for an X.500 product.
The X.519 statement summarizes key capabilities and options. More detailed protocol support is also documented in three PICS (Protocol Implementation Conformance Statements). The PICS proformas are aligned to X.500 (1993), and so do not cover features introduced after that version of X.500. They do cover the core capabilities:
- Directory Access Protocol (DAP) - X.500(1993)
- Directory System Protocol (DSP) - X.500(1993)
- Directory Information Shadowing Protocol (DISP) - X.500(1993)
As well as conforming to the base standards, the Isode products conform to industry profiles for the military and intelligence markets (ACP 133) and for the aviation industry (AMHS).
M-Vault fully supports IPv6 for the LDAP and X.500 protocols. Server addresses are stored according to X.519(2008), which allows both IPv4 and IPv6 addresses to be represented. These addresses will usually be given as DNS names that are resolved to IPv4 or IPv6 addresses at run time.
Directory Application Support
In addition to the LDAP and X.500 base specifications, M-Vault implements a wide range of specifications that define additional general-use or application-specific schema elements, or that describe an application's directory service requirements. M-Vault implements the following additional specifications (partial list):
- COSINE LDAP/X.500 Schema [RFC 4524]
- LDAP Schema Definitions for X.509 Certificates [RFC 4523]
- H.350 Directory Services [RFC 3944]
- LDAP Schema for Printer Services [RFC 3712]
- Definition of the inetOrgPerson LDAP Object Class [RFC 2798]
- Naming Plan for Internet Directory-Enabled Applications [RFC 2377]
- An Approach for Using LDAP as a Network Information Service [RFC 2307]
- Representing the O/R Address hierarchy in the X.500 Directory Information Tree [RFC 2294]
- Representing Tables and Subtrees in the X.500 Directory [RFC 2293]
- Using Domains in LDAP/X.500 Distinguished Names [RFC 2247]
- Use of an X.500/LDAP directory to support MIXER address mapping [RFC 2164]
- Definition of an X.500 Attribute Type and an Object Class to Hold Uniform Resource Identifiers (URIs) [RFC 2079]
- Message Handling Systems (MHS): Overall Structure [X.402]
Directory support for the Aeronautical Telecommunication Network (ATN) is specified by ICAO (International Civil Aviation Organization):
- ICAO SARPS Doc 9880. Manual of Detailed Technical Specifications for the Aeronautical Telecommunications Network (ATN) using ISO/OSI Standards and Protocols. Part IV – Directory Services, Security and Systems Management. Second Edition 2016.
Military directory conformance is specified in ACP 133, which is described in more detail in the Isode white paper [ACP 133: The Military Directory Standard]:
- ACP 133 Edition D: Common Directory Services and Procedures, July 2009