1. Field of the Invention
The present invention relates generally to an improved data processing system, and in particular to reducing the overhead associated with distributed password policy enforcement operations.
2. Description of the Related Art
A directory is a special type of database for managing information about people, organizations, data processing systems, and other information sources. Information within a directory is organized within a hierarchical namespace. Each entry in the directory is a named object and consists of a set of attributes. Each attribute has a defined attribute type and one or more values. Each entry is identified by an unambiguous distinguished name (DN), wherein a distinguished name is a concatenation of selected attributes from an entry. A directory service provides a mechanism for searching a directory and for retrieving information from a directory. Various standards have been promulgated for defining directories and directory services. For example, the X.500 specifications define a directory standard; more information can be found in Weider et al., “Technical Overview of Directory Services Using the X.500 Protocol”, Internet Engineering Task Force (IETF) RFC 1309, March 1992. As another example, the Lightweight Directory Access Protocol (LDAP) specifications define a protocol for accessing a directory that supports the X.500 directory model; more information can be found in Wahl et al., “Lightweight Directory Access Protocol (v3),” IETF RFC 2251, December 1997.
A logical representation of a directory does not necessarily reflect an organization of the physical storage of the directory. In a manner similar to many types of memory systems, a directory may be logically supported as a cohesive whole yet physically supported in a distributed manner. For example, a single “distributed” directory may be stored across many servers, wherein each server supports a subtree of the directory. In particular, a known distributed directory environment includes one or more LDAP “backend” servers and a proxy server that acts as an intermediate agent between a client and the distributed directory environment. Clients bind to the proxy server instead of directly binding to the backend LDAP servers.
A set of rules that controls how passwords are used and administered in this type of directory environment is known as a “password policy.” These rules enforce various security requirements, e.g., that a user change his or her password periodically, that the user's selected password meets certain requirements for construction, that re-use of an old password is prevented, that entities are locked out after a certain number of failed attempts to use a given password, and so on. A “user” refers to any LDAP client application that has an identity in the directory. In an LDAP distributed directory environment, a given password policy is defined according to an object-oriented schema that defines a password policy object class, which includes a set of administrative password policy attributes, together with a set of operational attributes that hold general policy state information for each user. The policy also includes one or more “controls” that are used while enforcing password policy. In particular, a “request control” is defined as a control that is sent by a client with a request operation to elicit a “response control.” The “response control” typically contains one or more warnings and errors associated with password policy. Further details of how to implement password policy in this manner is described in Behera et al., “Password Policy for LDAP Directories”, Internet Draft RFC, October 2001.