Data processing: database and file management or data structures – Database design – Data structure types
Reexamination Certificate
1999-12-14
2004-03-16
Le, Uyen (Department: 2171)
Data processing: database and file management or data structures
Database design
Data structure types
C709S223000
Reexamination Certificate
active
06708170
ABSTRACT:
FIELD OF THE INVENTION
The present invention relates generally to an improved distributed data processing system and in particular to an improved method and apparatus for accessing information in a distributed system.
BACKGROUND OF THE INVENTION
A directory service is a central point where network services, security services and applications can form an integrated distributed computing environment. Typical uses of a directory service may be classified into several categories. A “naming service”, such as Directory Naming Service (DNS) or Cell Directory Service (CDS), uses the directory as a source to locate an Internet Host address or the location of a given server. A “user registry”, such as Novell Directory Services (NDS), stores information about users in a system comprised of a number of interconnected machines. Still another directory service is a “white pages” lookup provided by some mail clients, such as Netscape Communicator or Lotus Notes.
With more and more applications and system services demanding a central information repository, the next generation directory server will need to provide system administrators with a data repository that can significantly ease administrative burdens. In the Internet/intranet environment, it will be required to provide user access to such information in a secure manner. It will be equally important to provide robust and simple administrative tools to manage the directory content.
Lightweight Directory Access Protocol (LDAP) is a software protocol for providing directory service enablement to a large number of applications. These applications range from e-mail to distributed system management tools. LDAP is an evolving protocol model based on the client-server model in which a client makes a TCP/IP connection to an LDAP server. LDAP is a “lightweight” version of DAP (Directory Access Protocol), which is part of X.500, a standard for directory services in a network.
The LDAP information model in particular, is based on an “entry”, which contains information about some object. Entries are typically organized in a specified tree structure, and each entry is composed of attributes. An example LDAP directory is organized in a simple “tree” hierarchy consisting of the following levels:
The “root” directory is the starting place or the source of the tree.
Countries are designated by two letter codes, such as US for the United States of America.
Organizations can be private companies, government units, and so forth.
Organizational units are divisions, departments, and so forth.
Individuals include people, files, and shared resources such as printers.
LDAP provides a number of known functions for manipulating the data in the information model. These include search, compare, add, delete, and edit. It provides a rich set of searching capability with which users can assemble complex queries to return desired information for later viewing and updating.
An LDAP directory can be distributed among many servers, with parts of data residing on a set of machines. Another scenario has each server containing a replicated version of the total directory that is synchronized periodically. An LDAP server is called a Directory System Agent (DSA). An LDAP server that receives a request from a user takes responsibility for the request, passing it to other DSAs as necessary, either through server chaining or client referrals. Both cases ensure a single coordinated response for the user. Although directory structures can reside on a single server, there are several reasons for splitting directories across multiple machines. First, the directory may be too large to make it practical to store on a single server. Second, network administrators may want to keep the physical location of the server close to the expected clients to minimize network traffic.
A referral is used to show where a parent tree may be located. LDAP provides a mechanism for searching directories and for “chasing” referrals. However, the LDAP model does not address issues such as authentication. The LDAP servers contacted while retrieving information must recognize the user registry information.
One approach to solving the authentication problem is to use a client push model, as found in the Distributed Computing Environment (DCE) developed by the Open Group. The user registers with a first server and receives credentials, which include group membership. When accessing resources on a second server, these credentials are presented. The second server either accepts or denies the credentials after verifying their validity through a series of challenges. Windows NT uses a similar client push model.
Another approach to authentication is to define all of the group and user registry information on each machine, as done in a local area network (LAN). Within a domain, each server maintains a copy of authentication information through replication. A separate set of credentials must be maintained for a second domain.
If a directory is distributed over multiple servers, each server must maintain a copy of authentication information, such as group membership. To maintain identical objects in multiple locations uses excess space and leads to administrative problems when changes are made.
Both approaches to solving the authentication problem have drawbacks. Therefore, it would be advantageous to have an improved method that allows any server to use entry and resource information defined on some other LDAP server.
SUMMARY OF THE INVENTION
A method, apparatus, and instructions for maintaining authentication information in a distributed network of servers using Lightweight Directory Access Protocol (LDAP) directories is provided. A process generates and maintains a non-local access server list, queries non-local servers using an LDAP search request, caches responses to queries from non-local servers, updates the cached directory entries, and applies an LDAP operation to the cached directory entries and the local access control data. Customizable LDAP search filters can be applied when conducting a search. A variety of techniques are used to update cache information, such as re-querying each server in the non-local access server list after a predetermined time period. When a request to authenticate a user with a distinguished name is received, the cached directory entries and the local access control data are searched for the distinguished name and, once the distinguished name is located, the user is authenticated with each server in the non-local access server list.
REFERENCES:
patent: 6209036 (2001-03-01), Aldred et al.
patent: 6321259 (2001-11-01), Ouellette et al.
patent: 6490619 (2002-12-01), Byrne et al.
patent: 6539021 (2003-03-01), Kennelly et al.
Hassler “X.500 and LDAP security: a comparative overview”, IEEE 1999, pp. 54-64.*
Berchtold et al “SaveMe: a system for archiving electronic documents using messaging groupware”, ACM 1999, pp. 167-176.*
Cluet et al “Using LDAP directory caches”, ACM 1999, pp. 273-284.
Byrne Debora Jean
Garrison John Michael
International Business Machines - Corporation
Kinslow Cathrine K.
Le Uyen
Leeuwen Leslie A. Van
Yee Duke W.
LandOfFree
Method and system for usage of non-local data within a... does not yet have a rating. At this time, there are no reviews or comments for this patent.
If you have personal experience with Method and system for usage of non-local data within a..., we encourage you to share that experience with our LandOfFree.com community. Your opinion is very important and Method and system for usage of non-local data within a... will most certainly appreciate the feedback.
Profile ID: LFUS-PAI-O-3215293