Directories are specialized databases that are used for storing information about heterogeneous real-world entities: users, network elements, services, policies, etc. Directories are especially important in enterprises, where a single enterprise directory contains central information (for example, concerning organizational administration) and provides integration of multiple intranet applications. Directories are also used in portals for storing user information (such as profiles and preferences) and for authenticating users. Directories are typically used as foundational pieces in the identity management framework of an enterprise.
Large directories may contain as many as tens of millions of entries (records) arranged in a Directory Information Tree (DIT). Such directories typically need to be distributed across multiple directory servers. Directories are accessed on the internet using LDAP (Lightweight Directory Access Protocol). Moreover, the directory access (read/write) rate is, in general, proportional to the number of users (that is, to the size of the directory). Also, users of such directories are distributed globally.
Two techniques are used for improving the performance of globally accessed large directories: partitioning and replication. Partitioning refers to a directory being distributed across multiple servers. This might be required if the directory is too large to support on a single server. Replication is a technique to improve the performance, scalability, and reliability of the directory service by having additional replica servers, which are synchronized with the master servers. Current large-scale directory deployments provide partitioning or replication using a subtree of entries. Replica servers can be installed local to a site to improve performance, or can be used in a replica array to improve scalability and reliability. When replication is used with partitioning, a (partial) replica contains one or more subtrees of entries from the DIT.
While such replication models can be used to improve performance of directories that can be supported by a single server, such models do not handle queries that span multiple subtrees very well.
For example, a partial replica close to the client can only answer a part of the query and refer the rest of the query to remote servers. Using referrals to contact remote server(s) degrades performance. Also, the only way to contain directory queries in fewer servers is to have replicas with larger subtrees. Further, replicating larger subtrees results in larger update traffic. This requires network bandwidth and results in increased update load on the replica servers.
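As an added illustration (not part of this specification), the following constructed Python model shows the behaviour just described: a partial replica answers the portion of a spanning query that falls in subtrees it holds, refers the remaining partitions to their master servers, and widening the replica removes referrals only by increasing the number of entries it must keep synchronized. The DIT, partition layout and server names are constructed for the example.

```python
"""Toy model of a subtree-partitioned, partially replicated LDAP DIT (constructed
example, not a real LDAP server): a replica holding only some subtrees answers
part of a spanning query locally and refers the rest; holding more subtrees
removes referrals but means more entries to keep synchronized."""
from typing import Dict, List, Tuple

# Constructed DIT: (dn, attributes). Real deployments hold millions of entries.
DIT = [
    ("uid=alice,ou=people,dc=example,dc=com", {"l": "paris"}),
    ("uid=bob,ou=people,dc=example,dc=com", {"l": "tokyo"}),
    ("cn=router1,ou=network,dc=example,dc=com", {"l": "paris"}),
    ("cn=vpn,ou=services,dc=example,dc=com", {"l": "paris"}),
]
# Constructed partitioning: each subtree is mastered on one hypothetical server.
PARTITIONS: Dict[str, str] = {
    "ou=people,dc=example,dc=com": "ldap-master-1.example.com",
    "ou=network,dc=example,dc=com": "ldap-master-2.example.com",
    "ou=services,dc=example,dc=com": "ldap-master-3.example.com",
}

def dn_parts(dn: str) -> List[str]:
    """Split a DN into normalized RDNs, leaf first (escaped commas not handled)."""
    return [rdn.strip().lower() for rdn in dn.split(",")]

def is_under(dn: str, base: str) -> bool:
    """True if dn equals base or lies beneath it in the DIT."""
    d, b = dn_parts(dn), dn_parts(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b

def search(replica_subtrees: List[str], base: str, attr: str,
           value: str) -> Tuple[List[str], List[str]]:
    """Subtree-scope equality search (attr=value) against a partial replica.
    Returns (DNs answered locally, servers the remainder is referred to).
    Assumes each replica subtree is a whole partition or a union of them."""
    def held(dn: str) -> bool:
        return any(is_under(dn, s) for s in replica_subtrees)
    local = [dn for dn, attrs in DIT
             if is_under(dn, base) and attrs.get(attr) == value and held(dn)]
    # A partition needs a referral when the query scope touches it (partition
    # under the base, or base inside the partition) and the replica lacks it.
    referrals = sorted({srv for part, srv in PARTITIONS.items()
                        if (is_under(part, base) or is_under(base, part))
                        and not held(part)})
    return local, referrals

def replicated_entries(replica_subtrees: List[str]) -> int:
    """Entries whose updates the replica must receive; grows with subtree size."""
    return sum(1 for dn, _ in DIT if any(is_under(dn, s) for s in replica_subtrees))
```

A query rooted at `dc=example,dc=com` against a replica holding only `ou=people` yields one local result and two referrals; holding all three partitions yields no referrals but doubles the entries the replica must receive updates for.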
LDAP is documented by the Internet Engineering Task Force in RFC 3377, which is entitled “Lightweight Directory Access Protocol (v3): Technical Specification”, the complete disclosure of which is herein incorporated by reference. LDAP does not standardize directory replication. Replication for X.500 directories, by contrast, is described in the X.525 recommendation of the International Telecommunication Union, published as ITU-T Recommendation X.525, the complete disclosure of which is herein incorporated by reference.
Accordingly, in view of the above observations, there exists a need for an improved manner of distributed directory replication.