M-Vault is, and was designed to be, a multi-protocol server and so is able to support LDAP (v2 and v3) and X.500 (DAP) client access. Distribution of a directory service is mainly achieved using X.500 protocols - DSP (Directory System Protocol) for distributing client operations and DISP (Directory Information Shadowing Protocol) to replicate data between directory servers.

Additionally, M-Vault is able to interconnect LDAP and X.500 servers and make them part of a distributed directory system using LDAP chaining (i.e. by converting incoming LDAP requests to X.500 and vice versa).

The sections below set out the supported standards for LDAP and X.500, followed by IPv6 support, additional directory application specifications, aviation conformance and military conformance.

LDAP Support in M-Vault

The M-Vault directory server provides full support for LDAP, including the current standard version (LDAPv3) [RFC 4510-4519] and its predecessor (LDAPv2) [RFC 1777-1779, 1781]. This support is a key part of the product, as LDAP is the leading standard for client/server directory integration. Desktop applications that require a directory, such as mail clients with directory-based address book capabilities, use LDAP as their primary access protocol. The following documents comprise the LDAP (v3) technical specification.

RFC 4510 LDAP: Technical Specification Roadmap, K. Zeilenga, June 2006
RFC 4511 LDAP: The Protocol, J. Sermersheim, June 2006
RFC 4512 LDAP: Directory Information Models, K. Zeilenga, June 2006
RFC 4513 LDAP: Authentication Methods and Security Mechanisms, R. Harrison, June 2006
RFC 4514 LDAP: String Representation of Distinguished Names, K. Zeilenga, June 2006
RFC 4515 LDAP: String Representation of Search Filters, M. Smith, T. Howes, June 2006
RFC 4516 LDAP: Uniform Resource Locator, M. Smith, T. Howes, June 2006
RFC 4517 LDAP: Syntaxes and Matching Rules, S. Legg, June 2006
RFC 4518 LDAP: Internationalized String Preparation, K. Zeilenga, June 2006
RFC 4519 LDAP: Schema for User Applications, A. Sciberras, June 2006

As well as supporting the base LDAP protocol, M-Vault also implements a number of extensions that expose clients and users to a wider range of functionality. M-Vault supports the following features, extensions and related specifications (partial list). SASL conformance and TLS conformance are set out on separate pages. Application schema support is listed separately:

RFC 5805 Lightweight Directory Access Protocol (LDAP) Transactions, K. Zeilenga, March 2010
RFC 5246 The Transport Layer Security (TLS) Protocol Version 1.2, T. Dierks, E. Rescorla, August 2008
RFC 4532 LDAP: "Who am I?" Operation, K. Zeilenga, June 2006
RFC 4530 LDAP: entryUUID Operational Attribute, K. Zeilenga, June 2006
RFC 4522 LDAP: The Binary Encoding Option, S. Legg, June 2006
RFC 3673 LDAP: All Operational Attributes, K. Zeilenga, December 2003
RFC 3672 LDAP: Subentries in the Lightweight Directory Access Protocol (LDAP), K. Zeilenga, S. Legg, September 2003
RFC 3671 Collective Attributes in the Lightweight Directory Access Protocol (LDAP), K. Zeilenga, December 2003
RFC 3062 LDAP Password Modify Extended Operation, K. Zeilenga, February 2001
RFC 3045 Storing Vendor Information in the LDAP root DSE, M. Meredith, January 2001
RFC 2891 LDAP Control Extension for Server Side Sorting of Search Results, T. Howes, M. Wahl, A. Anantha, August 2000
RFC 2849 The LDAP Data Interchange Format (LDIF) - Technical Specification, G. Good, June 2000
RFC 2696 LDAP Control Extension for Simple Paged Results Manipulation, C. Weider, A. Herron, A. Anantha, T. Howes, September 1999
Draft Definition of an Object Class to Hold LDAP Change Records

X.500 Support in M-Vault

M-Vault implements the three main application protocols of X.500, these being:

  • Directory Access Protocol (DAP) - for client access.
  • Directory System Protocol (DSP) - for the communication of directory operations in a distributed directory system.
  • Directory Information Shadowing Protocol (DISP) - for the replication of stored data from one server to another.

The server and client libraries and client products using DAP support the X.500 (2008) version of the standard.

X.500 interoperability testing has been demonstrated in live commercial and government operational environments and at EuroSInet test-bed workshops. Isode directories have also undergone strenuous internal stress testing, scalability and performance testing, and conformance testing. Interoperability of the Isode directory server has been demonstrated with other X.500 vendors.

The set of X.500 (and related) specifications that the M-Vault directory server conforms to includes:

ITU X.500 The Directory: Overview of concepts, models and services, ISO/IEC 9594-1, 2008
ITU X.501 The Directory: Models, ISO/IEC 9594-2, 2008
ITU X.509 The Directory: Authentication framework, ISO/IEC 9594-8, 2008
ITU X.511 The Directory: Abstract service definition, ISO/IEC 9594-3, 2008
ITU X.518 The Directory: Procedures for distributed operation, ISO/IEC 9594-4, 2008
ITU X.519 The Directory: Protocol specifications, ISO/IEC 9594-5, 2008
ITU X.521 The Directory: Selected object classes, ISO/IEC 9594-7, 2008
ITU X.525 The Directory: Replication, ISO/IEC 9594-9, 2008

Conformance for X.500 products is defined in X.519, which gives a list of conformance questions that should be addressed for an X.500 product.

The X.519 statement summarizes key capabilities and options. More detailed protocol support is also documented in three PICS (Protocol Implementation Conformance Statements). The PICS proformas are aligned to X.500 (1993), and so do not cover features introduced in later versions of X.500; they do cover the core capabilities.

As well as conformance to the base standards, the Isode products conform to industry profiles for the military and intelligence markets and for the aviation industry (AMHS).

IPv6

M-Vault fully supports IPv6 for the LDAP and X.500 protocols. Server addresses are stored according to X.519 (2008), which allows both IPv4 and IPv6 addresses to be represented. These addresses will usually be Internet domain names, which are resolved to IPv4 or IPv6 addresses at run time.

Directory Application Support

In addition to the LDAP and X.500 base specifications, M-Vault implements a wide range of specifications that define additional general-use or application-specific schema elements, or that describe an application's directory service requirements. M-Vault implements the following additional specifications (partial list):

  • COSINE LDAP/X.500 Schema [RFC 4524]
  • LDAP Schema Definitions for X.509 Certificates [RFC 4523]
  • H.350 Directory Services [RFC 3944]
  • LDAP Schema for Printer Services [RFC 3712]
  • Definition of the inetOrgPerson LDAP Object Class [RFC 2798]
  • Naming Plan for Internet Directory-Enabled Applications [RFC 2377]
  • An Approach for Using LDAP as a Network Information Service [RFC 2307]
  • Representing the O/R Address hierarchy in the X.500 Directory Information Tree [RFC 2294]
  • Representing Tables and Subtrees in the X.500 Directory [RFC 2293]
  • Using Domains in LDAP/X.500 Distinguished Names [RFC 2247]
  • Use of an X.500/LDAP directory to support MIXER address mapping [RFC 2164]
  • Definition of an X.500 Attribute Type and an Object Class to Hold Uniform Resource Identifiers (URIs) [RFC 2079]
  • Message Handling Systems (MHS): Overall Structure [X.402]

Aviation Conformance

Directory support for the Aeronautical Telecommunications Network (ATN) is specified by ICAO (the International Civil Aviation Organization).

  • ICAO SARPS Doc 9880. Manual of Detailed Technical Specifications for the Aeronautical Telecommunications Network (ATN) using ISO/OSI Standards and Protocols. Part IV – Directory Services, Security and Systems Management. Second Edition 2016.

Military Conformance

Military directory conformance is specified in ACP 133, described in more detail in the Isode white paper [ACP 133: The Military Directory Standard].

  • ACP 133 Edition D: Common Directory Services and Procedures, July 2009.
  • ACP 133 Supp-1(C): Common Directory Services and Procedures, May 2020 (update to Edition D).