Data can be distributed across servers using X.500 DSP (Directory System Protocol). Enterprise LDAP servers can also be connected into a distributed directory using M-Vault's support for LDAP chaining. Data can be replicated between servers using X.500 DISP (Directory Information Shadowing Protocol) and with Isode's multi-master protocol. Server to server communication (DSP chaining and DISP replication) is secured using X.509 based strong authentication, so a peer must prove its identity before any directory data is chained or shadowed to it.

Server to Server Replication using X.500 DISP

Directory replication is important to achieve performance and resilience of read and search operations. A key benefit of M-Vault is the ability to replicate data. X.500 DISP (Directory Information Shadowing Protocol) provides flexible replication with the following features:

  • Total and incremental replication.
  • Initiation by consumer or supplier.
  • Attribute filtering.
  • On demand replication, or timed scheduling options.
  • Operator requested connections.
  • Automatic recovery from inconsistencies.
  • Control of data to be shadowed.
  • Secondary shadowing, so that data may be replicated over multiple hops.

M-Vault provides easy to set up replication using DISP, with flexible control of the replication options.

M-Vault provides high performance replication to multiple shadow servers. M-Vault maintains open connections to its peer servers and replicates to multiple servers at the same time. Replication therefore generally completes in a few hundred milliseconds, giving near real time update of shadow servers.
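The following is an added example, not M-Vault code and not the DISP wire protocol: a small model of how a shadowing agreement with the features listed above behaves. The supplier keeps a bounded change log; a consumer asks for an incremental update from the last sequence number it applied, and if the supplier's log no longer reaches back that far the consumer recovers by taking a total refresh. The agreement also carries an attribute filter applied on the supplier side, so that an attribute such as userPassword never leaves the master for a shadow that should not hold credentials. Server names, the log bound and the recovery rule are assumptions of the model.

```python
"""Model of DISP-style shadowing: total and incremental updates, supplier-side
attribute filtering, and recovery when a consumer falls behind the change log.
Added example; a simplified model, not the DISP protocol or M-Vault code.
"""
from __future__ import annotations
from dataclasses import dataclass

Entry = dict[str, str]


@dataclass
class Change:
    seq: int
    dn: str
    entry: Entry | None  # None records a deletion


class Supplier:
    """Master DSA: entries plus a bounded change log keyed by sequence number."""

    def __init__(self, log_limit: int = 100) -> None:
        self.entries: dict[str, Entry] = {}
        self.log: list[Change] = []
        self.seq = 0
        self.log_limit = log_limit  # assumed bound; real servers size this differently

    def apply(self, dn: str, entry: Entry | None) -> None:
        self.seq += 1
        if entry is None:
            self.entries.pop(dn, None)
        else:
            self.entries[dn] = dict(entry)
        self.log.append(Change(self.seq, dn, None if entry is None else dict(entry)))
        del self.log[:-self.log_limit]  # consumers older than the log must refresh

    @staticmethod
    def _filter(entry: Entry, excluded: frozenset[str]) -> Entry:
        """Attribute filtering from the shadowing agreement, applied at the supplier."""
        return {k: v for k, v in entry.items() if k not in excluded}

    def total_refresh(self, excluded: frozenset[str]) -> tuple[int, dict[str, Entry]]:
        return self.seq, {dn: self._filter(e, excluded) for dn, e in self.entries.items()}

    def incremental(self, since: int, excluded: frozenset[str]) -> tuple[int, list[Change]] | None:
        """Changes after `since`, or None if the log no longer covers that point."""
        if since == self.seq:
            return self.seq, []
        oldest = self.log[0].seq if self.log else self.seq + 1
        if since < oldest - 1:
            return None  # gap in the log: the consumer is inconsistent with us
        changes = [Change(c.seq, c.dn, None if c.entry is None else self._filter(c.entry, excluded))
                   for c in self.log if c.seq > since]
        return self.seq, changes


class Consumer:
    """Shadow DSA: applies updates and falls back to a total refresh on a gap."""

    def __init__(self, excluded: frozenset[str] = frozenset({"userPassword"})) -> None:
        self.entries: dict[str, Entry] = {}
        self.seq = 0
        self.excluded = excluded

    def sync(self, supplier: Supplier) -> str:
        result = supplier.incremental(self.seq, self.excluded)
        if result is None:
            self.seq, self.entries = supplier.total_refresh(self.excluded)
            return "total"
        self.seq, changes = result
        for c in changes:
            if c.entry is None:
                self.entries.pop(c.dn, None)
            else:
                self.entries[c.dn] = c.entry
        return "incremental"


def demo() -> dict:
    """Constructed scenario: two incremental cycles, then a burst that forces a total refresh."""
    sup = Supplier(log_limit=3)
    sup.apply("cn=alice,o=example", {"cn": "alice", "userPassword": "s3cret", "mail": "alice@example"})
    sup.apply("cn=bob,o=example", {"cn": "bob", "userPassword": "hunter2"})
    con = Consumer()
    first = con.sync(sup)                      # seq 1..2 are all in the log
    leaked = any("userPassword" in e for e in con.entries.values())
    sup.apply("cn=bob,o=example", {"cn": "bob", "userPassword": "hunter3", "mail": "bob@example"})
    second = con.sync(sup)                     # one change, still incremental
    for i in range(4):                         # burst beyond the 3-entry log
        sup.apply(f"cn=u{i},o=example", {"cn": f"u{i}"})
    sup.apply("cn=alice,o=example", None)      # deletion the consumer never saw
    third = con.sync(sup)                      # gap detected: total refresh
    expected = {dn: {k: v for k, v in e.items() if k != "userPassword"} for dn, e in sup.entries.items()}
    return {"first": first, "second": second, "third": third,
            "leaked": leaked, "consistent": con.entries == expected, "count": len(con.entries)}
```

The point of the fallback is that a consumer which cannot be brought forward incrementally never keeps serving stale or partially applied data; it is re-baselined from the master, with the same attribute filter applied, so what a shadow may hold is decided once in the agreement rather than per update.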

Multi-Master

M-Vault supports a reliable multi-master approach described in detail in the [ACID Multi-Master Replication in M-Vault Directory] whitepaper. Each server configured for multi-master is connected to every other server and changes made are applied to all servers. This enables updates to be made at multiple locations and continued updates in the event of a server failing. M-Vault Console provides a view to enable monitoring of multi-master configuration, as well as configuration of multi-master setups. More information on multi-master can be found on the M-Vault Reliability page.

Secondary Shadowing

Secondary shadowing is a mechanism to enable directory data to be replicated to large numbers of servers using X.500 DISP. Secondary shadowing is traditionally done from a shadow directory, to give multi-stage replication; the name refers to shadowing being done from a shadow (replica) directory rather than from the master. Secondary shadowing can also be done from a multi-master configuration, to feed shadow directory servers that do not participate in the multi-master configuration. Here secondary shadowing may be done from either a multi-master server or from a shadow server.

LDAP Synchronization

In order to support replication of data with directory servers that do not support X.500 DISP, Isode's Sodium Sync product should be used.

Data Distribution

The real power of an X.500 directory is the ability of the servers (Directory System Agents, or DSAs) to perform distributed operations on behalf of client applications. Distributed operations are handled by the Directory System Protocol (DSP), as defined in X.518 and X.519. DSP enables a set of DSAs to appear as a single, coherent directory service, so that the client gains the benefits of distributed information while needing only a single client/server connection.

The configuration of the directory is controlled by knowledge information, which is the mechanism that enables the location of data in the various DSAs to be represented in the directory. The X.500 specifications define a range of knowledge features that enable a distributed directory. The M-Vault directory server provides support for subordinate references and cross-references. In addition, the server is capable of dynamically learning about other servers and automatically constructing knowledge references to those servers. This functionality is core to the operation of an X.500 based directory.

M-Vault also has the unique ability to include LDAP only servers in the distributed directory using LDAP chaining.

Using DSP one server can access information held in another via the network. A real world example of this could be where different departments manage and administer their own data in a local M-Vault server. When a user in one department queries their server for data in another department, M-Vault will use its knowledge to access the appropriate remote server to satisfy the query.

Where departments implement an LDAP only server, M-Vault can be used to connect these to an X.500 distributed directory. It does this by converting X.500 requests to LDAP requests (and vice versa) as necessary. Clients of the LDAP only server access the wider directory by following a referral from the LDAP directory to an M-Vault server. Similarly, clients of servers in the wider directory can access data in LDAP only servers, as M-Vault can convert an incoming X.500 request to an LDAP request and pass it along.
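To make the distinction between chaining and referral concrete, here is an added example (not X.518 text and not M-Vault code) modelling the departmental deployment described above. Three hypothetical servers are constructed: "hq" holds o=example, "sales" holds ou=sales,o=example and is an X.500 DSA reached over DSP, and "eng-ldap" holds ou=eng,o=example but speaks only LDAP. Each server carries knowledge references (X.518 superior, subordinate and cross references are all expressed the same way here). An X.500 DSA resolves a name by the longest matching prefix and chains the request onward, translating it to LDAP when the peer is LDAP-only; the LDAP-only server cannot chain, so for anything outside its own context it hands the client a referral, which the client follows to an X.500 server.

```python
"""Model of X.500 distributed name resolution: a DSA resolves a DN against its
own naming contexts, follows knowledge references to chain the request to a
peer over DSP, or translates it to LDAP for an LDAP-only server.
Added example with hypothetical server names; not X.518 text or M-Vault code.
"""
from __future__ import annotations
from dataclasses import dataclass, field

Entry = dict[str, str]


def rdns(dn: str) -> list[str]:
    """Split 'cn=a,ou=b,o=c' into RDNs ordered root-first: ['o=c', 'ou=b', 'cn=a']."""
    return [r.strip().lower() for r in reversed(dn.split(","))]


def is_under(dn: str, context: str) -> bool:
    """True if dn lies within (or equals) the naming context."""
    d, c = rdns(dn), rdns(context)
    return d[: len(c)] == c


@dataclass
class Knowledge:
    context: str  # naming context prefix the reference points at
    server: str   # server holding that context
    kind: str     # "superior", "subordinate" or "cross" (X.518 reference types)


@dataclass
class DSA:
    name: str
    contexts: dict[str, dict[str, Entry]]  # naming context -> {dn: entry}
    knowledge: list[Knowledge] = field(default_factory=list)
    protocol: str = "dsp"  # "dsp" for X.500 DSAs, "ldap" for LDAP-only servers


class Directory:
    def __init__(self, servers: list[DSA]) -> None:
        self.servers = {s.name: s for s in servers}

    def read(self, at: str, dn: str, trace: list[str] | None = None) -> dict:
        """Resolve dn starting at server `at`. Returns the entry, or a referral when
        the server reached cannot chain (LDAP-only), plus the path taken."""
        trace = [] if trace is None else trace
        if len(trace) > 8:
            raise RuntimeError("chaining loop: " + " ".join(trace))
        dsa = self.servers[at]
        # Longest matching prefix wins, whether local context or knowledge reference:
        # a subordinate context held elsewhere is more specific than the local
        # context that contains it.
        local = [(len(rdns(c)), None, c) for c in dsa.contexts if is_under(dn, c)]
        refs = [(len(rdns(k.context)), k, k.context) for k in dsa.knowledge if is_under(dn, k.context)]
        if not local and not refs:
            trace.append(f"{at}:unknown")
            return {"entry": None, "trace": trace}
        _, ref, ctx = max(local + refs, key=lambda c: c[0])
        if ref is None:
            trace.append(f"{at}:local")
            return {"entry": dsa.contexts[ctx].get(dn.lower()), "trace": trace}
        if dsa.protocol == "ldap":
            # An LDAP-only server does not chain; the client receives a referral.
            trace.append(f"{at}:referral->{ref.server}")
            return {"entry": None, "referral": ref.server, "trace": trace}
        # An X.500 DSA chains: over DSP to a peer DSA, or with the request
        # translated to LDAP when the peer is LDAP-only (the conversion M-Vault does).
        proto = "ldap" if self.servers[ref.server].protocol == "ldap" else "dsp"
        trace.append(f"{at}:chain[{proto}]->{ref.server}")
        return self.read(ref.server, dn, trace)


def client_read(directory: Directory, at: str, dn: str) -> dict:
    """What a client sees: one connection, following at most one referral itself."""
    result = directory.read(at, dn)
    if "referral" in result:
        return directory.read(result["referral"], dn, result["trace"])
    return result


def build() -> Directory:
    """Constructed hypothetical deployment: two X.500 DSAs and one LDAP-only server."""
    hq = DSA("hq", {"o=example": {"o=example": {"o": "example"}}},
             [Knowledge("ou=sales,o=example", "sales", "subordinate"),
              Knowledge("ou=eng,o=example", "eng-ldap", "subordinate")])
    sales = DSA("sales", {"ou=sales,o=example": {"cn=bob,ou=sales,o=example": {"cn": "bob", "mail": "bob@example"}}},
                [Knowledge("o=example", "hq", "superior")])
    eng = DSA("eng-ldap", {"ou=eng,o=example": {"cn=eve,ou=eng,o=example": {"cn": "eve"}}},
              [Knowledge("o=example", "hq", "superior")], protocol="ldap")
    return Directory([hq, sales, eng])
```

Running client_read(build(), "eng-ldap", "cn=bob,ou=sales,o=example") traces eng-ldap issuing a referral to hq, hq chaining over DSP to sales, and sales answering locally; the same name read from sales for an entry under ou=eng is chained by hq with the request translated to LDAP. The loop guard on the trace length is there because knowledge references are data, and a misconfigured or learned reference that points back toward the requester would otherwise chain forever.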