Business, and other, enterprises make use of directory services related to enterprise operations. Directory services are created and maintained for various purposes within the enterprise. More generally, a directory service is a software system that stores information. A directory service is typically configured in a manner so that the stored information can readily be looked-up. While a directory service is used to store any of many varied types of information, a common usage of a directory pertains to the storage and retrieval of user identities for the purpose of authentication and authorization.
An existing protocol, referred to as LDAP (Lightweight Directory Access Protocol), is a frequently-used protocol by which to query and to update information in a directory. Entries stored in the directory are referred to as objects or members. Each object has an associated set of named attributes/value pairs.
An Active Directory™ (AD) is an example of a LDAP directory service that stores identity, and other, information. Examples of directory services sometimes used by an enterprise include a directory service used to store employee payroll information and a directory service used to store email information. The different directory services sometimes store the same identity information, such as the first and last name of enterprise personnel. That is to say, the different directory services sometimes contain common identity information. A directory service is sometimes created through keyboard entry of the identity information and other associated information of the directory service. When there are large numbers of objects, the entry of the required information quickly becomes a time-consumptive operation. The objects of the directory services are susceptible to change over time, and the directory services must be updated to reflect the changes. For example, when existing personnel depart an enterprise or additional personnel become part of the enterprise, the directory services must be updated to reflect the changes.
Directory synchronization services are available that provide for the sharing of the common identity information and subsequent synchronization of the common information due to changes in the objects. A directory synchronization service, sometimes software-implemented, functions to aggregate and to synchronize identity information between the multiple directory services. When, for example, two directory services are connected by a directory synchronization service and a new identity is created at one of the directory services, the directory synchronization service functions automatically to create an equivalent identity in the other of the directory services. Analogously, when an existing identity is deleted from one of the directory services, the directory synchronization service functions automatically to delete the corresponding identity in the other of the directory services. And, when an attribute of an identity changes in one of the directory services, the directory synchronization service functions automatically to update the value of the attribute for the corresponding identity of the other directory service.
A complicating factor in directory synchronization service operation is that in some situations, not every identity in each of the directory services should be synchronized with one another. By way of an example, in an enterprise, sometimes, only a portion of the enterprise personnel are granted email privileges. In a directory synchronization service that synchronizes an email directory service with a directory service that includes the entire, enterprise personnel, the directory synchronization service should not synchronize all of the objects of both of the directory services. A directory synchronization service, in a scenario such as this, must provide a mechanism by which to define an appropriate set of identities that are to be synchronized between directory services by the directory synchronization service. This is sometimes referred to as the scope of synchronization. LDAP directory services sometimes establish the scope of synchronization by designating an attribute to be of a particular value. For example, a directory synchronization service is sometimes configured to synchronize all users that have an email address. In this example, the scope of synchronization is defined by an LDAP search filter “mail=*” used in the synchronization operation to distinguish between personnel that have an email address and personnel that do not have an email address.
Directory services also sometimes store information about groups. A group is a directory object that has a multi-value attribute to represent membership. Existing directory synchronization services are generally unable to establish a scope of synchronization using group membership as membership in a group is an attribute of the group, not the member. Also, group membership is nestable, and a single group can contain members that belong to more than one directory service.
It is in light of this background information related to directory synchronization services that the significant improvements of the present disclosure have evolved.