Abstract: The invention describes techniques for enforcing password policy within a distributed directory environment that includes one or more distributed directory servers and a proxy server that acts as an intermediate agent between a client and the distributed directory environment. In one aspect, the proxy server is enhanced to support the passing (from the backend server to the client) of password policy controls. In particular, controls returned from a backend server are parsed and cached (for re-use) for the life of a given client connection. According to another aspect, the proxy server ensures that all compare operations for a single user's password are directed to the same backend server in the distributed directory environment. This insures that a user's most current password is used, and that failed operation counts, resets and operational attributes are up-to-date.

Abstract: Replicating modifications of a directory that include receiving in a source directory service for a source directory requests for modifications in the source directory and transmitting, from the source directory service to a duplicate directory service for a duplicate directory asynchronously in parallel over a plurality of data communications connections, requests for the same modifications in the duplicate directory. In typical embodiments, a duplicate directory may replicate a subtree of a source directory, receiving requests for modifications may include receiving in the source directory service requests for modifications in the subtree in the source directory, and transmitting requests may include transmitting requests for the same modifications in the subtree in the duplicate directory.

Abstract: In association with a data processing system that includes one or more servers, one or more clients and a partitionable distributed directory contained in a database, a computer implemented method is provided for selectively processing data entries that reside in the directory. The method comprises the steps of generating a request to perform an operation on each data entry in a specified group of intended entries, and specifying a hashing control index that uniquely identifies each entry of the specified group, and excludes all other entries. The requested operation is applied only to data entries in the directory that are identified by the specified hashing control index.

Abstract: A method, system, and computer usable program product for deploying directory instances are provided in the illustrative embodiments. A configuration of an existing directory instance is cloned to the new directory instance. The existing directory instance may execute in a first data processing system and the new directory instance may execute in a second data processing system. A schema of the existing directory instance is cloned to the new directory instance. A determination is made whether the new directory instance is a peer of the existing directory instance. Data from the existing directory instance is cloned to the new directory instance if the new directory instance is a peer of the existing directory instance. The new directory instance is made operational in a directory topology.

Abstract: A mechanism for providing proxy support for special subtree entries in a directory information tree by defining filters at the proxy level to indicate relationships between main subtree entries and associated special subtree entries. A proxy server receives a request from a client for a special subtree entry and determines whether the distinguished name of the main subtree entry can be built using information in the request and pre-defined relationships between the main subtree entry and the requested subtree entry. If so, the proxy server builds the distinguished name of the main subtree entry associated with the special subtree entry and applies a partitioning filter to the distinguished name of the main subtree entry to determine a target directory server in the plurality of backend directory servers that comprise the special subtree. The proxy server then sends the request to the target directory server.

Abstract: A computer implemented method, data processing system, and computer program product for password policy enforcement in a distributed directory when policy information is distributed. When a proxy server is providing a request from a client to a backend directory server, the proxy server performs a series of LDAP operations on a targeted set of backend directory servers to collect password policy information applicable to a target user. The password policy information applicable to the target user is partitioned and distributed across the plurality of backend directory servers. When the password policy information for the target user has been collected, the proxy server evaluates the collected password policy information to determine an effective password policy for the target user. The proxy server then sends the request and subsequent requests with the effective password policy to a backend directory server.

Abstract: A method, system, and computer usable program product for preserving references to deleted directory entries are provided in the illustrative embodiments. An instruction to delete an entry is received. A second entry referencing the entry is identified. The second entry is marked as a ghost reference to the entry. The entry is converted to a deleted entry. A ghost attribute with a value of “false” may be added to the entry. A ghost attribute or tag with a value of “false” may be added to the second entry. The ghost tag may correspond to an attribute of the second entry that references the entry. An entry may be deleted by setting a value of a ghost attribute in the entry to true. The second entry may be marked as the ghost reference by setting a value of a ghost attribute or a ghost tag in the second entry to true.

Abstract: The invention describes techniques for enforcing password policy within a distributed directory environment that includes one or more distributed directory servers and a proxy server that acts as an intermediate agent between a client and the distributed directory environment. In one aspect, the proxy server is enhanced to support the passing (from the backend server to the client) of password policy controls. In particular, controls returned from a backend server are parsed and cached (for re-use) for the life of a given client connection. According to another aspect, the proxy server ensures that all compare operations for a single user's password are directed to the same backend server in the distributed directory environment. This insures that a user's most current password is used, and that failed operation counts, resets and operational attributes are up-to-date.

Abstract: Real-time attributes are processed according to a syntax schema for a directory access protocol service by associating by a computer a real-time attribute with a directory structure, the real-time attribute being externally stored from the directory structure; responsive to an access request via a directory access protocol for access to a database value for the real-time attribute, obtaining by a computer a current value from a real-time data source external to the directory structure, and converting by a computer the obtained value from a format not compatible with the directory access protocol to a compatible format; and returning by a computer to a requester the converted real-time attribute directly in the directory access protocol, wherein storing and updating of the converted real-time attribute value in the directory structure are eliminated or avoided.

Abstract: A method, system, and computer usable program product for transmitting information about dynamic group memberships of an entry stored in a computer memory are provided in the illustrative embodiments. A set of dynamic group filters is received from a server in a distributed data environment. The set of dynamic group filters provides a set of attributes. A determination is made whether the entry includes a subset of the set of attributes. A request for dynamic group memberships of the entry is sent to the server. The request includes the subset of attributes and excludes attributes not used by any of the dynamic group filters. Information about at least one dynamic group of which the entry is a member is received for evaluation. A proxy server may receive the request for dynamic group filters and distribute the request to one or more servers in a distributed data environment.

Abstract: An instruction to delete the entry is received. A second entry that includes a reference to the entry is identified. A third entry including information to be preserved from the entry is added in a deleted entries subtree. The third entry is modified to include the reference information from the second entry. The third entry is saved such that during a restore of the entry the third entry provides the information to restore the entry and the reference to the entry. The third entry may include a set of attributes that store an identifier of the second entry. The entry is restored from the third entry and made available in the directory. A reference is recreated in the second entry to the restored entry forming a restored second entry.

Abstract: A computer implemented method, data processing system, and computer program product for reducing the overhead associated with distributed password policy enforcement operations using a proxy server. When a proxy server provides a request from a client to a backend directory server, the proxy server determines whether a password policy check is required to be performed at the backend directory server. If a password policy check is not required to be performed at the backend directory server, the proxy server sends the client request together with a skip password policy control to the backend directory server. This skip password policy control informs the backend directory server to skip the password policy check on the client request.

Abstract: Dynamically adding n partitions to a distributed directory setup having x existing servers by modifying the configuration file to include the n new servers and implementing a replication setup mechanism with agreements to x+n?1 servers. The migration to dynamically add partitions is carried out while continuing to serve clients.

Abstract: A method, system, and computer usable program product for transferring messages to a directory are provided in the illustrative embodiments. A listing of message templates that is stored in a computer usable storage medium is received. A list of messages is received. The listing of message templates is loaded in a directory. The directory executes in a data processing system and is configured to store messages. The list of messages are loaded in the directory. Messages are loaded in the directory by receiving a list of messages in the directory. A message is selected and identified from the list of messages. A determination is made if the message corresponds to an existing base message entry in the directory. A message instance entry is created in relation to the existing base message entry if the message corresponds to an existing base message entry and the message is otherwise handled if not.

Abstract: A mechanism for providing proxy support for special subtree entries in a directory information tree by defining filters at the proxy level to indicate relationships between main subtree entries and associated special subtree entries. A proxy server receives a request from a client for a special subtree entry and determines whether the distinguished name of the main subtree entry can be built using information in the request and pre-defined relationships between the main subtree entry and the requested subtree entry. If so, the proxy server builds the distinguished name of the main subtree entry associated with the special subtree entry and applies a partitioning filter to the distinguished name of the main subtree entry to determine a target directory server in the plurality of backend directory servers that comprise the special subtree. The proxy server then sends the request to the target directory server.

Abstract: A method, system, and computer usable program product for storing messages in a directory executing in a data processing system are provided in the illustrative embodiments. A message is received over a network and identified in the directory. A base message entry that corresponds to the message is selected in a hierarchy of entries in the directory. A message instance entry for the message is created, such that the message instance entry becomes a child entry of the base message entry in the hierarchy.

Abstract: A processor which cooperates with directory servers to handle requests for values of dynamic attributes which would otherwise present a real-time processing challenge to the directory server due to the server's dependence on the data normally being static in nature. Special schema syntax identifiers are used to identify dynamic attributes which then are not stored directly in the directory, but whose values are resolved at the time a read request is made for those attributes. This approach eliminates the need to store the dynamic information in the directory, and allows user-supplied modules to perform the resolution of the dynamic attributes in a real-time manner, including not only retrieving a value from a dynamic data source, but optionally performing calculations or manipulations on the data as well. One embodiment of the invention cooperates with Lightweight Directory Access Protocol (“LDAP”) directory servers.

Abstract: A directory server handles requests for values of dynamic attributes by providing at least one declaration for an attribute to be handled as a real-time attribute associated with but external to a directory structure; receiving a directory access protocol request for access to an attribute value from the associated directory structure; detecting requested access to an attribute declared as a real-time external attribute; resolving a real-time value by obtaining an attribute value from a real-time source external to the directory structure; converting the obtained attribute value from a real-time attribute to a static attribute, wherein the real-time attribute is incompatible with the directory access protocol, and wherein the static attribute is compatible with the directory access protocol; and returning to a requester the converted real-time attribute directly in the directory access protocol, wherein storing and updating of the converted real-time attribute value in the directory structure is eliminated or

Abstract: A method, system, and computer usable program product for managing deleted directory entries are provided in the illustrative embodiments. An instruction to delete the entry is received. A second entry that includes a reference to the entry is identified. A third entry including information to be preserved from the entry is added in a deleted entries subtree. The third entry is modified to include the reference information from the second entry. The third entry is saved such that during a restore of the entry the third entry provides the information to restore the entry and the reference to the entry. The third entry may include a set of attributes that store an identifier of the second entry. The entry is restored from the third entry and made available in the directory. A reference is recreated in the second entry to the restored entry forming a restored second entry.

Abstract: A method, system, and computer usable program product for preserving references to deleted directory entries are provided in the illustrative embodiments. An instruction to delete an entry is received. A second entry referencing the entry is identified. The second entry is marked as a ghost reference to the entry. The entry is converted to a deleted entry. A ghost attribute with a value of “false” may be added to the entry. A ghost attribute or tag with a value of “false” may be added to the second entry. The ghost tag may correspond to an attribute of the second entry that references the entry. An entry may be deleted by setting a value of a ghost attribute in the entry to true. The second entry may be marked as the ghost reference by setting a value of a ghost attribute or a ghost tag in the second entry to true.