The present invention relates generally to an improved distributed data processing system and in particular to an improved method and apparatus for accessing information in a distributed system. Still more particularly, the present invention relates to a method and apparatus for managing LDAP directory servers.
A directory service is a central point where network services, security services and applications can form an integrated distributed computing environment. Typical uses of a directory service fall into several categories. A "naming service", such as the Domain Name System (DNS) or the Cell Directory Service (CDS), uses the directory as a source for locating an Internet host address or a given server. A "user registry", such as Novell Directory Services (NDS), stores information about users in a system comprised of a number of interconnected machines. Still another directory service is the "white pages" lookup provided by some mail clients, such as Netscape Communicator or Lotus Notes.
With more and more applications and system services demanding a central information repository, the next-generation directory server will need to provide system administrators with a data repository that significantly eases administrative burdens. In an Internet/intranet environment, it will be required to provide user access to such information in a secure manner. It will be equally important to provide robust and simple administrative tools for managing the directory content.
LDAP (Lightweight Directory Access Protocol) is a software protocol that provides directory service enablement to a large number of applications, ranging from e-mail to distributed system management tools. LDAP is an evolving protocol based on the client-server model, in which a client makes a TCP/IP connection to an LDAP server. LDAP is a "lightweight" version of DAP (Directory Access Protocol), which is part of X.500, a standard for directory services in a network.
The LDAP information model in particular is based on an "entry", which contains information about some object. Entries are typically organized in a specified tree structure, and each entry is composed of attributes. An example LDAP directory is organized in a simple "tree" hierarchy consisting of the following levels:
The "root" directory (the starting place or source of the tree), which branches out to
Countries, each of which branches out to
Organizations, which branch out to
Organizational units (divisions, departments, and so forth), each of which branches out to (or holds entries for)
Individuals (which include people, files, and shared resources such as printers)
LDAP provides a number of known operations for manipulating the data in the information model. These include search, compare, add, delete, and modify. It provides a rich set of searching capabilities with which users can assemble complex queries to return the desired information for later viewing and updating.
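The searching capability above is also where untrusted input meets the directory: a filter assembled by string concatenation lets the caller change the structure of the query rather than just the value it matches. The following Python is added here as an example and is not part of the patent text or any product: it escapes filter values per RFC 4515, validates attribute descriptions per RFC 4512, and shows a vulnerable lookup beside its hardened form. The attribute names, values and lookup functions are hypothetical.

```python
"""Assembling LDAP search filters without filter injection. Added example, not
part of the patent text; attribute names, values and the lookup functions are
hypothetical."""
import re

# RFC 4515 requires these characters to be hex-escaped inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
# RFC 4512 attribute description: a descriptor or numeric OID, with optional ;options.
_ATTR_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*|[0-9]+(\.[0-9]+)+)(;[A-Za-z0-9-]+)*$")


def escape_filter_value(value: str) -> str:
    """Escape a caller-supplied value so the server matches it literally."""
    out = []
    for ch in value:
        if ch in _ESCAPES:
            out.append(_ESCAPES[ch])
        elif ord(ch) > 0x7F:  # non-ASCII: escape every UTF-8 byte
            out.append("".join(f"\\{b:02x}" for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


def is_valid_attribute(name: str) -> bool:
    """Attribute names should come from code, not users; reject anything malformed."""
    return bool(_ATTR_RE.match(name))


def _attr(name: str) -> str:
    if not is_valid_attribute(name):
        raise ValueError(f"invalid attribute description: {name!r}")
    return name


def equals(attr: str, value: str) -> str:
    return f"({_attr(attr)}={escape_filter_value(value)})"


def starts_with(attr: str, prefix: str) -> str:
    """Substring filter: the wildcard is added here, never taken from the caller."""
    return f"({_attr(attr)}={escape_filter_value(prefix)}*)"


def all_of(*filters: str) -> str:
    return "(&" + "".join(filters) + ")"


def any_of(*filters: str) -> str:
    return "(|" + "".join(filters) + ")"


def negate(f: str) -> str:
    return "(!" + f + ")"


def unsafe_user_lookup(uid: str) -> str:
    """Vulnerable: raw interpolation lets the caller change the query's structure."""
    return f"(&(objectClass=person)(uid={uid}))"


def safe_user_lookup(uid: str) -> str:
    """Hardened: the same query with the value escaped."""
    return all_of(equals("objectClass", "person"), equals("uid", uid))


if __name__ == "__main__":
    payload = "*)(objectClass=*"  # constructed injection string
    print(unsafe_user_lookup(payload))  # now matches every person in the subtree
    print(safe_user_lookup(payload))    # matches only a uid literally equal to the payload
    print(all_of(equals("objectClass", "person"),
                 any_of(equals("ou", "Sales (EMEA)"), starts_with("ou", "Eng")),
                 negate(equals("c", "US"))))
```

With the constructed payload, the unsafe lookup becomes `(&(objectClass=person)(uid=*)(objectClass=*))`, which matches every person entry; the hardened form yields `(uid=\2a\29\28objectClass=\2a)`, a literal comparison that matches nothing unless such a uid exists.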
An LDAP directory can be distributed among many servers, with parts of the data residing on different machines. Another scenario is one in which each server contains a replica of the total directory that is synchronized periodically. An LDAP server is called a Directory System Agent (DSA). An LDAP server that receives a request from a user takes responsibility for that request, passing it on to other DSAs as necessary, either through server chaining or through client referrals; both arrangements ensure a single coordinated response for the user. Although a directory can reside on a single server, there are several reasons for splitting it across multiple machines. First, the directory may be too large to make storing it on a single server practical. Second, network administrators may want to keep each server physically close to its expected clients to minimize network traffic.
A referral indicates where another part of the tree may be located, on a different server. LDAP provides a mechanism for searching directories and for "chasing" referrals; however, the mechanism has several limitations. First, it is not possible to search an entire domain, since a base distinguished name (DN) must be provided. The best that can be done is to search the main domain one suffix at a time.
Second, a referral chase does not record where the final results were found. A query that dereferences referrals may try many servers before finding the right one, which can drastically affect performance on subsequent related queries: although those queries eventually succeed, they go through the same sequence of servers as the original query rather than proceeding directly to the correct server.
Third, when chasing referrals, the client must bind to each server it is referred to. The bind request will either be treated as an anonymous request or the client will be prompted for additional account information. This matters especially where access control is set such that a different authorization identity must be used for the operation to succeed.
Fourth, the search process cannot be customized by the user. For example, the user may want the search restricted to only two servers in an enterprise, but the LDAP search software forces all servers to be searched.
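The last three limitations above can be addressed on the client side. The following Python is an added example and not code from the patent or any product: it chases referrals over a constructed in-memory model of several DSAs (the host names and DNs are hypothetical), restricts the chase to an allowed server set, binds to each referred server with that server's own configured identity or anonymously when none is configured, and caches which server answered a base so that later queries under that base go there directly. The one gap it cannot close is whole-domain search, which still has to be done one suffix at a time.

```python
"""Chasing LDAP referrals with a server allowlist, a per-server bind identity
and a route cache. Added example, not from the patent: the DSAs below are a
constructed in-memory model and every host name and DN is hypothetical."""
from collections import namedtuple
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import unquote, urlparse


def normalize_dn(dn: str) -> str:
    """Case-fold and trim RDNs so DNs compare by value (ignores RFC 4514 escaping)."""
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))


def is_within(dn: str, base: str) -> bool:
    """True if dn is base itself or lies in the subtree below base."""
    dn, base = normalize_dn(dn), normalize_dn(base)
    return dn == base or dn.endswith("," + base)


@dataclass
class DSA:
    """One directory server: its entries plus referrals for subtrees held elsewhere."""
    host: str
    entries: dict                                  # dn -> attributes
    referrals: dict = field(default_factory=dict)  # subtree dn -> LDAP URL of the holder

    def search(self, base: str, bind_dn: Optional[str]):
        """("referral", url) if base lies in a referred subtree, else ("entries", list)."""
        for subtree, url in self.referrals.items():
            if is_within(base, subtree):
                return "referral", url
        # Entries marked acl=authenticated are hidden from an anonymous bind.
        return "entries", [(dn, a) for dn, a in self.entries.items() if is_within(dn, base)
                           and not (a.get("acl") == "authenticated" and bind_dn is None)]


# entries found, the DSA that held them, and every DSA contacted in order
SearchResult = namedtuple("SearchResult", "entries answered_by hops")


class ReferralChaser:
    def __init__(self, servers, allowed_hosts, credentials=None):
        self.servers = {s.host: s for s in servers}
        self.allowed = set(allowed_hosts)     # only these DSAs may be contacted
        self.credentials = credentials or {}  # host -> bind DN; absent means anonymous
        self.route_cache = {}                 # normalized base -> host that answered it

    @staticmethod
    def parse_referral(url: str):
        """Split an LDAP URL (RFC 4516) into host and the DN that replaces the base."""
        parts = urlparse(url)
        if parts.scheme not in ("ldap", "ldaps") or not parts.hostname:
            raise ValueError("not a usable LDAP URL: " + url)
        return parts.hostname, unquote(parts.path.lstrip("/"))

    def search(self, start_host: str, base: str) -> SearchResult:
        key = normalize_dn(base)
        # A cached route for this base or an ancestor of it skips the chase entirely.
        host = next((h for b, h in self.route_cache.items() if is_within(key, b)), start_host)
        hops = []
        while True:
            if host not in self.allowed:
                raise PermissionError(f"referral to {host} leaves the allowed server set")
            if host in hops:
                raise RuntimeError("referral loop: " + " -> ".join(hops + [host]))
            hops.append(host)
            kind, payload = self.servers[host].search(base, self.credentials.get(host))
            if kind == "referral":
                host, base = self.parse_referral(payload)  # referral DN replaces the base
                continue
            self.route_cache[key] = host
            return SearchResult(payload, host, hops)


# Constructed directory: the main DSA refers the sales subtree to a second server
# and the engineering subtree to a host the client is not permitted to contact.
SERVERS = [
    DSA("ldap.example.com",
        entries={"o=example,c=us": {"objectClass": "organization"}},
        referrals={"ou=sales,o=example,c=us": "ldap://sales.example.com/ou=sales,o=example,c=us",
                   "ou=eng,o=example,c=us": "ldap://eng.example.com/ou=eng,o=example,c=us"}),
    DSA("sales.example.com",
        entries={"ou=sales,o=example,c=us": {"objectClass": "organizationalUnit"},
                 "cn=alice,ou=sales,o=example,c=us": {"mail": "alice@example.com"},
                 "cn=payroll,ou=sales,o=example,c=us": {"acl": "authenticated"}}),
]
ALLOWED = {"ldap.example.com", "sales.example.com"}


def run_demo() -> dict:
    """Exercise the chaser and return the observations a caller would check."""
    chaser = ReferralChaser(SERVERS, ALLOWED,
                            credentials={"sales.example.com": "cn=dirmgr,ou=sales,o=example,c=us"})
    first = chaser.search("ldap.example.com", "ou=sales,o=example,c=us")
    second = chaser.search("ldap.example.com", "cn=alice,ou=sales,o=example,c=us")
    anonymous = ReferralChaser(SERVERS, ALLOWED).search("ldap.example.com", "ou=sales,o=example,c=us")
    try:
        chaser.search("ldap.example.com", "ou=eng,o=example,c=us")
        eng_denied = False
    except PermissionError:
        eng_denied = True
    return {"first_hops": first.hops, "answered_by": first.answered_by, "second_hops": second.hops,
            "authenticated_count": len(first.entries), "anonymous_count": len(anonymous.entries),
            "eng_denied": eng_denied}
```

In the demo, the first query for the sales subtree travels through the main DSA to sales.example.com; the second query, for an entry under the same base, goes straight to sales.example.com because the route was cached. The anonymous chaser sees two sales entries instead of three because the payroll entry requires an authenticated bind, and the engineering query is refused before the client ever connects to the unlisted host.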
To overcome these limitations it would be advantageous to have an improved method and apparatus for searching and manipulating data within a set of servers in a distributed network.
The present invention provides an improved method, apparatus, and instructions for locating a server in a distributed network using the Lightweight Directory Access Protocol (LDAP), maintaining information about the server, displaying a tree of servers, browsing the tree of servers, and searching the tree of servers for an entry with specific attributes. The information maintained about a server includes its location, lists of attributes, and access control. The tree displayed can be for all servers combined or for an individual server. The search can span all servers or be customized to a subset of servers. The search can be based on one of the following attributes: user, country, group, locality, access group, access role, organization, organizational unit, or domain, or it can be based on user-defined attributes.