This invention relates generally to directories, and more particularly to the synchronization of information within such directories.
Directories, also referred to as directory services, catalog the names, profile information, and machine addresses of every user and resource on a network. User accounts and network permissions can be managed by using a directory. For example, the attributes for specific user names can be looked up, such as telephone numbers, email addresses, and other attributes. Directories are generally specialized databases that are typically hierarchical in design, and provide fast lookups.
Companies may have more than one type of directory to manage their networks. For example, a company may use Novell Directory Services (NDS), which is available from Novell, Inc., as well as Active Directory (AD), which is available from Microsoft Corp., Inc. Different types of directories usually store information in different ways, and have different types of management tools to add, delete, and change information in the directories. To ensure that the information in one directory is consistent with another directory, network administrators typically have to make changes in both directories. This is a time-consuming and laborious process.
For this and other reasons, there is a need for the present invention.
The invention relates to directory synchronization. A synchronization logic synchronizes a first directory and a second directory. The logic has one or more of the following synchronization capabilities: a dampening capability, an identifier mapping capability, and a checksum capability. The dampening capability prevents changes that originate from the second directory and that have already been synchronized to the first directory from being synchronized back to the second directory. The identifier mapping capability uses a table that maps a unique identifier of each record of the first directory with a unique identifier of a corresponding record of the second directory, and vice-versa. Records that are moved within a directory can then be located. The checksum capability uses a checksum for each record in one of the directories, to detect changes, where this directory otherwise has no mechanism for efficiently detecting changes.
The dampening capability in particular uses an update sequence number capability of the first directory. A unique and consecutively incremented update sequence number is associated with each change in the first directory. When changes are synchronized from the second directory to the first directory, dampening information is recorded. The dampening information includes the update sequence numbers. When the first directory is then synchronized to the second directory, only non-dampened changes are sent to the second directory. The changes that were synchronized from the second directory to the first directory are not sent back from the first directory to the second directory because they are dampened.
Another aspect of the invention is that update sequence numbers (USNs) are also tracked to ensure that changes to the first directory have a higher priority than changes to the second directory. When a change in a record in the second directory is being synchronized to the corresponding record in the first directory, it is only synchronized if there is not a newer change to the corresponding record in the first directory. This is accomplished by comparing the appropriate USNs, such that if newer changes are detected in the first directory, the change to the record in the second directory is not made to the corresponding record in the first directory. Note that the first directory having a higher priority than the second directory is a design decision. Alternatively, the second directory can have a higher priority than the first directory.
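The dampening and USN priority rules described above can be sketched as follows. This is an added example, not code from the patent; the class names, the `high_water` mark used to decide what counts as a "newer" change, and the sample records are assumptions made for illustration.

```python
class FirstDirectory:
    """Toy stand-in for the first directory: every write gets the next USN."""
    def __init__(self):
        self.usn = 0
        self.records = {}            # record id -> (attributes, USN of last change)

    def write(self, rid, attrs):
        self.usn += 1
        self.records[rid] = (dict(attrs), self.usn)
        return self.usn


class Synchronizer:
    def __init__(self, first):
        self.first = first
        self.dampened = set()        # USNs created by second -> first synchronization
        self.high_water = 0          # assumption: highest USN already examined outbound

    def inbound(self, rid, attrs):
        """Apply a change from the second directory unless the first has a newer one."""
        current = self.first.records.get(rid)
        if current and current[1] > self.high_water and current[1] not in self.dampened:
            return False             # unsynchronized local change wins (first has priority)
        self.dampened.add(self.first.write(rid, attrs))
        return True

    def outbound(self):
        """Return the changes to send to the second directory, skipping dampened ones."""
        pending = [(rid, attrs)
                   for rid, (attrs, usn) in sorted(self.first.records.items())
                   if usn > self.high_water and usn not in self.dampened]
        self.dampened.clear()        # every recorded USN is now at or below the mark
        self.high_water = self.first.usn
        return pending


if __name__ == "__main__":
    first = FirstDirectory()
    sync = Synchronizer(first)
    first.write("alice", {"phone": "555-0100"})          # local change, USN 1
    print(sync.inbound("bob", {"phone": "555-0200"}))    # applied, USN 2 is dampened
    print(sync.inbound("alice", {"phone": "555-0999"}))  # rejected, local USN 1 is newer
    print(sync.outbound())                               # only alice; bob is not echoed
```

Without the dampening set, the record written for "bob" would be sent straight back to the directory it came from, and the two directories could keep re-synchronizing the same change.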
The identifier mapping capability is used in particular in situations where a record has been moved within a directory. For example, a particular record in North American sales may need synchronization from the first directory to the second directory. However, in the meantime, this record may have been moved in the second directory from North American sales to European marketing, and may not be able to be located via its distinguished name. The distinguished name is constructed from the name of the record and the directory within which it is located. For example, the record may originally have the distinguished name of "North America/Sales/Record Name." After it is moved, the record may have the distinguished name of "Europe/Marketing/Record Name." Therefore, to locate this record in the second directory as corresponding to the record in the first directory, the identifier mapping table is used. The table maps a unique identifier of the record in the first directory with a corresponding unique identifier of the record in the second directory. Even if the records are moved within their respective directories, they can still easily be located through the mapping table, and moved as necessary.
The identifier mapping logic can also include a delete logic. For example, a mapping from the first directory to the second directory may show that records A, B, C, and D in the first directory are mapped to records 1, 2, 3, and 4 in the second directory, respectively. After reading the mapping, the second directory is then examined, which shows that the second directory only has records 1, 2, and 4. This means that record 3 in the second directory has been deleted, such that the corresponding record in the first directory, record C, may also be deleted when synchronizing from the second directory to the first directory.
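The move and delete detection described in the two paragraphs above, as an added example that is not part of the patent text. It assumes both directories share the same container layout, and the `max_delete_ratio` guard is a hypothetical safety check added here so that an empty or failed read of the second directory is not treated as a mass deletion.

```python
def reconcile(id_map, first_dir, second_dir, max_delete_ratio=0.5):
    """Work out what to change in the first directory after reading the second.

    id_map:     first-directory unique id -> second-directory unique id
    first_dir:  unique id -> distinguished name in the first directory
    second_dir: unique id -> distinguished name in the second directory
    Returns (moves, deletes): new distinguished names and ids to delete.
    """
    moves, deletes = {}, []
    for first_id, second_id in id_map.items():
        second_dn = second_dir.get(second_id)
        if second_dn is None:
            deletes.append(first_id)          # mapped record no longer exists
        elif second_dn != first_dir[first_id]:
            moves[first_id] = second_dn       # found by id even though its name changed
    if id_map and len(deletes) > max_delete_ratio * len(id_map):
        raise RuntimeError("refusing to delete %d of %d mapped records"
                           % (len(deletes), len(id_map)))
    return moves, deletes


# Constructed sample data following the A-D / 1-4 mapping used in the text.
ID_MAP = {"A": "1", "B": "2", "C": "3", "D": "4"}
FIRST = {
    "A": "North America/Sales/Record A",
    "B": "North America/Sales/Record B",
    "C": "North America/Sales/Record C",
    "D": "North America/Sales/Record D",
}
SECOND = {
    "1": "Europe/Marketing/Record A",         # moved since the last synchronization
    "2": "North America/Sales/Record B",
    "4": "North America/Sales/Record D",      # record 3 has been deleted
}

if __name__ == "__main__":
    print(reconcile(ID_MAP, FIRST, SECOND))
```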
The checksum capability is used in particular with a directory that does not have a mechanism for efficiently detecting changes in its records. For example, whereas the first directory may have the update sequence number capability to detect changes efficiently, the second directory may have no such capability, or have a limited capability. The limited capability may be inadequate, difficult to use, and not robust. For example, the second directory may have a time stamp capability, where each change has a time stamp associated therewith. However, time stamps cannot be used to detect deleted records. Furthermore, if the system time is changed, then the time stamps may yield inaccurate results. Therefore, the checksum capability is used to detect changes in the second directory. To detect changes in the second directory, a new checksum is determined for each record, which is compared with a previously determined and stored checksum for the record. If the new checksum is different from the stored checksum, this means that the record has changed. The checksum can be determined by using the values from all the attributes of a record. For a given set of values, the checksum is always the same. The checksum changes only if any of the attributes change.
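One way to compute and compare such a per-record checksum, given as an added example rather than the patent's own method. The text does not name a checksum algorithm; SHA-256, the length-prefixed encoding, and the treatment of multi-valued attributes as unordered sets are assumptions. The example also reports records that have no stored checksum yet, which goes slightly beyond the comparison described above.

```python
import hashlib


def _lp(data):
    """Length-prefix a field so adjacent fields cannot run together."""
    return len(data).to_bytes(4, "big") + data


def record_checksum(attrs):
    """Checksum over all attribute values, independent of attribute order."""
    h = hashlib.sha256()
    for name in sorted(attrs):
        raw = attrs[name]
        many = isinstance(raw, (list, tuple, set))
        values = sorted(str(v) for v in (raw if many else [raw]))
        h.update(_lp(name.encode("utf-8")) + len(values).to_bytes(4, "big"))
        for value in values:
            h.update(_lp(value.encode("utf-8")))
    return h.hexdigest()


def detect_changes(stored, current):
    """Compare fresh checksums with the stored ones.

    stored:  record id -> checksum saved at the previous synchronization
    current: record id -> attribute dict read from the directory now
    Returns (changed ids, ids with no stored checksum, fresh checksum table).
    """
    changed, unseen, fresh = [], [], {}
    for rid, attrs in current.items():
        fresh[rid] = record_checksum(attrs)
        if rid not in stored:
            unseen.append(rid)
        elif stored[rid] != fresh[rid]:
            changed.append(rid)
    return changed, unseen, fresh


if __name__ == "__main__":
    # Constructed sample records.
    before = {"u1": {"cn": "Ann", "phone": "555-0100"}, "u2": {"cn": "Bob"}}
    after = {"u1": {"cn": "Ann", "phone": "555-0199"}, "u2": {"cn": "Bob"},
             "u3": {"cn": "Cy"}}
    _, _, table = detect_changes({}, before)
    print(detect_changes(table, after)[:2])
```

The length prefixes matter because a checksum over plainly concatenated names and values would give the same result for different records, for example an attribute `a` with value `bc` and an attribute `ab` with value `c`.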
Methods, systems, and synchronization logics of varying scope are encompassed by the invention. Other aspects, embodiments and advantages of the invention, beyond those described here, will become apparent by reading the detailed description and by referencing the drawings.