1. Technical Field
The present invention relates generally to an improved data processing system, and in particular, to a mechanism for maintaining group referential integrity across a distributed directory.
2. Description of Related Art
In today's computing environment, complex network data processing systems are often needed to facilitate work in large corporations. These complex networks may span regions in various worldwide locations and may use the Internet as part of a virtual private network for conducting business. In many instances, a federated data model is employed to allow enterprise components to share and access information and resources throughout the network. With the federated data model, multiple data sources appear as one to users: data resides and is controlled locally, and client users in the system who need the information, regardless of their location, may access the data using a directory service.
Directory services serve as a central repository for searching, adding, deleting and modifying data. Example methods of accessing directory services in a computer network include X.500 and Lightweight Directory Access Protocol (LDAP). LDAP is a software protocol that enables a user to locate organizations, individuals, and other resources such as files and devices in a network, whether on the Internet or on a corporate intranet. LDAP is a “lightweight” version of the Directory Access Protocol (DAP), which is part of X.500, a standard for directory services in a network.
A directory may be distributed among many servers. In such a situation, each server may have a replicated version of the total directory that is synchronized periodically. Upon receiving a request from a client user, the LDAP server takes responsibility for the request. This responsibility includes passing the request on to other servers as necessary, but ensuring a single coordinated response for the client user.
Referential integrity rules may be used to maintain the consistency of the information residing in a distributed directory. Referential integrity rules apply both to the entries residing in a component of the network and to the groups to which those entries belong, regardless of location. Entries for which referential integrity must be enforced may exist anywhere in the network. For example, suppose an entry that is a member of several groups is deleted on one computer system. Because those groups may exist anywhere in the network, the entry should be removed from every group entry in the network that references it. Likewise, an entry that is a member of several groups may be renamed on one computer system. Because those groups may exist anywhere in the network, the member reference must be renamed in all of those groups.
Although referential integrity is not a new concept, problems exist when maintaining referential integrity across a distributed directory. The steps an administrator or application writer may currently take to maintain referential integrity across a distributed directory are to first search each directory in the network to find the entries that need updating, and then perform update operations on each of those entries. For example, if the server performed referential integrity on group membership and an entry was deleted, an application would need to be written to search every server in the network for groups in which the deleted entry was a member. These groups could be of many different types, and the application writer would need to know all the types of groups for which to search. Then, once the groups were found, a separate modify operation would need to be performed for each group to delete the member from the group. These steps are both cumbersome and slow. In addition, the administrator or application writer would need to know whenever the referential integrity support on the servers was enhanced, in order to change their methodology and update their applications to remain compatible with the directory servers. In the previous example, the application writer would need to update the application every time a new type of group was implemented or used in the network.
In another example, if an entry was renamed rather than deleted, the application writer must delete the old name from each group and replace it with the new name. If the rename was a two-step process (i.e., delete the entry from one server in the network and add the entry to another server in the network), the application writer would have to find a way to notify the server that it should not delete the entry from the groups, but rather rename the entry. This type of request does not currently exist. If the application writer instead searched the directory for all groups prior to performing the delete operation, the same problems identified above would occur.
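The manual procedure criticized in the two paragraphs above (search every server for every known group type, then issue one modify per group, with the rename case needing both a delete and an add) can be made concrete with the following added example. It is not code from the patent and does not implement the patent's mechanism; it reconstructs the administrator-side sweep the patent says is cumbersome. The servers, entries and DNs are constructed sample data, the table of group types and their membership attributes is an assumption chosen for the example (real deployments may define more types, which is exactly the maintenance burden the text describes), and the DN normalization is a deliberately simplified stand-in for the RFC 4514 matching rules. The output is standard LDIF change records (RFC 2849) that could be fed to an `ldapmodify`-style tool per server. The security reason to care about the sweep at all: a stale member reference left behind after a delete still grants whatever the group grants, and if the same DN is later re-created for a different principal, that principal silently inherits the old memberships.

```python
"""Added example: the manual cross-server referential-integrity sweep for
group membership, run against a constructed in-memory model of several
directory servers. Not the patent's mechanism and not any vendor's code."""
from __future__ import annotations

# Group object classes and the attribute each uses to hold member DNs.
# ASSUMPTION for the example: a deployment may have other group types; an
# administrator's script must be updated whenever one appears.
MEMBER_ATTRS = {
    "groupOfNames": "member",
    "groupOfUniqueNames": "uniqueMember",
    "organizationalRole": "roleOccupant",
}

# Constructed sample data: two servers, each holding groups of different
# types. One stored DN differs only in case and spelling to show why values
# must be compared under DN matching rules, not as plain strings.
SERVERS = {
    "ldap-east": [
        {"dn": "cn=admins,ou=groups,dc=example,dc=com",
         "objectClass": ["groupOfNames"],
         "member": ["cn=alice,ou=people,dc=example,dc=com",
                    "cn=bob,ou=people,dc=example,dc=com"]},
        {"dn": "cn=oncall,ou=roles,dc=example,dc=com",
         "objectClass": ["organizationalRole"],
         "roleOccupant": ["CN=Alice, OU=People, DC=example, DC=com"]},
    ],
    "ldap-west": [
        {"dn": "cn=vpn-users,ou=groups,dc=example,dc=com",
         "objectClass": ["groupOfUniqueNames"],
         "uniqueMember": ["cn=alice,ou=people,dc=example,dc=com",
                          "cn=carol,ou=people,dc=example,dc=com"]},
    ],
}


def norm_dn(dn: str) -> str:
    """Simplified DN normalization: case-fold and strip whitespace around
    commas. ASSUMPTION: sufficient for this data; full RFC 4514 matching
    (escaping, multi-valued RDNs, attribute-specific rules) is richer."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def find_group_references(servers: dict, target_dn: str) -> list:
    """Step 1 of the manual procedure: search every server and every known
    group type for membership values naming target_dn. Returns tuples of
    (server, group_dn, attribute, stored_value); the stored value is kept
    verbatim so the later delete names exactly what the server holds."""
    wanted = norm_dn(target_dn)
    hits = []
    for server, entries in servers.items():
        for entry in entries:
            for object_class in entry.get("objectClass", []):
                attr = MEMBER_ATTRS.get(object_class)
                if attr is None:
                    continue  # not a group type we know how to clean up
                for value in entry.get(attr, []):
                    if norm_dn(value) == wanted:
                        hits.append((server, entry["dn"], attr, value))
    return hits


def _modify_record(group_dn: str, attr: str, old_value: str,
                   new_value: str | None) -> str:
    """Build one LDIF 'changetype: modify' record. A delete-only record
    removes the member; when new_value is given the add is carried in the
    same record so the group never transiently loses the member."""
    record = (f"dn: {group_dn}\nchangetype: modify\n"
              f"delete: {attr}\n{attr}: {old_value}\n-\n")
    if new_value is not None:
        record += f"add: {attr}\n{attr}: {new_value}\n-\n"
    return record


def ldif_for_delete(servers: dict, deleted_dn: str) -> dict:
    """Step 2 for a deleted entry: one modify record per referencing group,
    grouped by the server that must receive it."""
    out: dict = {}
    for server, group_dn, attr, value in find_group_references(servers, deleted_dn):
        out.setdefault(server, []).append(_modify_record(group_dn, attr, value, None))
    return out


def ldif_for_rename(servers: dict, old_dn: str, new_dn: str) -> dict:
    """Step 2 for a renamed entry: replace the old member DN with the new one
    in every referencing group, again grouped by server."""
    out: dict = {}
    for server, group_dn, attr, value in find_group_references(servers, old_dn):
        out.setdefault(server, []).append(_modify_record(group_dn, attr, value, new_dn))
    return out


if __name__ == "__main__":
    alice = "cn=alice,ou=people,dc=example,dc=com"
    for server, records in ldif_for_rename(SERVERS, alice,
                                           "cn=alice.smith,ou=people,dc=example,dc=com").items():
        print(f"# apply to {server}\n" + "\n".join(records))
```

Two details are worth noting. The delete record names the stored value, not the caller's spelling of the DN, so the request matches what the server actually holds; and a rename is emitted as a single modify record carrying both the delete and the add, which is the atomic update that the two-step delete-then-add described in the text cannot express. Values that start with a space or colon, or contain non-ASCII, must be base64-encoded with the `::` form in real LDIF; the sample data avoids that case.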
Therefore, it would be advantageous to have an improved system and method for maintaining referential integrity, wherein the referential integrity is performed in a distributed network.