Abstract: A computer implemented method, apparatus, and computer program product for managing requests. Responsive to receiving a request from a client, a determination is made as to whether a connection within a pool of connections has a set of outstanding requests for the client to handle a previous request from the same client. Responsive to a determination that the connection has any outstanding request, a determination is made as to whether a set of requests queued for the connection is equal to or exceeds a threshold. Responsive to a determination that the set of outstanding requests is equal to or exceeds the threshold, subsequent requests from the client are unprocessed until the set of outstanding requests becomes less than the threshold.

Abstract: The invention describes techniques for enforcing password policy within a distributed directory environment that includes one or more distributed directory servers and a proxy server that acts as an intermediate agent between a client and the distributed directory environment. In one aspect, the proxy server is enhanced to support the passing (from the backend server to the client) of password policy controls. In particular, controls returned from a backend server are parsed and cached (for re-use) for the life of a given client connection. According to another aspect, the proxy server ensures that all compare operations for a single user's password are directed to the same backend server in the distributed directory environment. This insures that a user's most current password is used, and that failed operation counts, resets and operational attributes are up-to-date.

Abstract: A method, system, and computer usable program product for certificate distribution using a secure handshake are provided in the illustrative embodiments. A client sends an indication in a request, the request being a part of a secure data communication with a server. The indication indicates an ability of the client to accept a certificate as a part of a response from the server. The server retrieves a new certificate. The server sends as a result of the indication, a new certificate in the response corresponding to the request. The client receives as a result of the indication, the new certificate in a response that corresponds to the request. The client separates the new certificate from the response and uses the new certificate in the secure data communication with the server. The server uses the new certificate in the secure data communication with the client.

Abstract: In association with a data processing system that includes one or more servers, one or more clients and a partitionable distributed directory contained in a database, a computer implemented method is provided for selectively processing data entries that reside in the directory. The method comprises the steps of generating a request to perform an operation on each data entry in a specified group of intended entries, and specifying a hashing control index that uniquely identifies each entry of the specified group, and excludes all other entries. The requested operation is applied only to data entries in the directory that are identified by the specified hashing control index.

Abstract: A method, system, and computer usable program product for deploying directory instances are provided in the illustrative embodiments. A configuration of an existing directory instance is cloned to the new directory instance. The existing directory instance may execute in a first data processing system and the new directory instance may execute in a second data processing system. A schema of the existing directory instance is cloned to the new directory instance. A determination is made whether the new directory instance is a peer of the existing directory instance. Data from the existing directory instance is cloned to the new directory instance if the new directory instance is a peer of the existing directory instance. The new directory instance is made operational in a directory topology.

Abstract: A filter range based search control to request a range of data from one or more directory servers. A directory server receives a search request from a client application comprising a search filter control defining a set of requested data, a sort control defining a sorting order of the set of requested data, and a range filter control defining a range of entries in the requested data. Data entries matching a search value defined in the search filter control and sorted according to sort attributes defined in the sort control are obtained from a set of directories associated with the directory server to form a sorted list of matching entries. A subset of data entries in the sorted list that match a range value defined in the range filter control are collected, and a response comprising the collected subset of data entries is then sent to the client application.

Abstract: A mechanism for providing proxy support for special subtree entries in a directory information tree by defining filters at the proxy level to indicate relationships between main subtree entries and associated special subtree entries. A proxy server receives a request from a client for a special subtree entry and determines whether the distinguished name of the main subtree entry can be built using information in the request and pre-defined relationships between the main subtree entry and the requested subtree entry. If so, the proxy server builds the distinguished name of the main subtree entry associated with the special subtree entry and applies a partitioning filter to the distinguished name of the main subtree entry to determine a target directory server in the plurality of backend directory servers that comprise the special subtree. The proxy server then sends the request to the target directory server.

Abstract: A computer implemented method, data processing system, and computer program product for password policy enforcement in a distributed directory when policy information is distributed. When a proxy server is providing a request from a client to a backend directory server, the proxy server performs a series of LDAP operations on a targeted set of backend directory servers to collect password policy information applicable to a target user. The password policy information applicable to the target user is partitioned and distributed across the plurality of backend directory servers. When the password policy information for the target user has been collected, the proxy server evaluates the collected password policy information to determine an effective password policy for the target user. The proxy server then sends the request and subsequent requests with the effective password policy to a backend directory server.

Abstract: A method, system, and computer usable program product for certificate renewal using a secure handshake are provided in the illustrative embodiments. A determination is made, forming an expiration determination, whether a validity period associated with a certificate ends within a predetermined period from a time of receiving the certificate. If the expiration determination is true, a holder of the certificate is notified about the expiration. The holder may be an application executing in a data processing system or the data processing system itself. A new certificate is requested on behalf of the holder. The requested new certificate is received. The new certificate is sent to the holder of the certificate over a network.

Abstract: A method, system, and computer usable program product for preserving references to deleted directory entries are provided in the illustrative embodiments. An instruction to delete an entry is received. A second entry referencing the entry is identified. The second entry is marked as a ghost reference to the entry. The entry is converted to a deleted entry. A ghost attribute with a value of “false” may be added to the entry. A ghost attribute or tag with a value of “false” may be added to the second entry. The ghost tag may correspond to an attribute of the second entry that references the entry. An entry may be deleted by setting a value of a ghost attribute in the entry to true. The second entry may be marked as the ghost reference by setting a value of a ghost attribute or a ghost tag in the second entry to true.

Abstract: The invention describes techniques for enforcing password policy within a distributed directory environment that includes one or more distributed directory servers and a proxy server that acts as an intermediate agent between a client and the distributed directory environment. In one aspect, the proxy server is enhanced to support the passing (from the backend server to the client) of password policy controls. In particular, controls returned from a backend server are parsed and cached (for re-use) for the life of a given client connection. According to another aspect, the proxy server ensures that all compare operations for a single user's password are directed to the same backend server in the distributed directory environment. This insures that a user's most current password is used, and that failed operation counts, resets and operational attributes are up-to-date.

Abstract: A filter range based search control to request a range of data from one or more directory servers. A directory server receives a search request from a client application comprising a search filter control defining a set of requested data, a sort control defining a sorting order of the set of requested data, and a range filter control defining a range of entries in the requested data. Data entries matching a search value defined in the search filter control and sorted according to sort attributes defined in the sort control are obtained from a set of directories associated with the directory server to form a sorted list of matching entries. A subset of data entries in the sorted list that match a range value defined in the range filter control are collected, and a response comprising the collected subset of data entries is then sent to the client application.

Abstract: A filter range based search control to request a range of data from one or more directory servers. A directory server receives a search request from a client application comprising a search filter control defining a set of requested data, a sort control defining a sorting order of the set of requested data, and a range filter control defining a range of entries in the requested data. Data entries matching a search value defined in the search filter control and sorted according to sort attributes defined in the sort control are obtained from a set of directories associated with the directory server to form a sorted list of matching entries. A subset of data entries in the sorted list that match a range value defined in the range filter control are collected, and a response comprising the collected subset of data entries is then sent to the client application.

Abstract: Real-time attributes are processed according to a syntax schema for a directory access protocol service by associating by a computer a real-time attribute with a directory structure, the real-time attribute being externally stored from the directory structure; responsive to an access request via a directory access protocol for access to a database value for the real-time attribute, obtaining by a computer a current value from a real-time data source external to the directory structure, and converting by a computer the obtained value from a format not compatible with the directory access protocol to a compatible format; and returning by a computer to a requester the converted real-time attribute directly in the directory access protocol, wherein storing and updating of the converted real-time attribute value in the directory structure are eliminated or avoided.

Abstract: A method, system, and computer usable program product for transmitting information about dynamic group memberships of an entry stored in a computer memory are provided in the illustrative embodiments. A set of dynamic group filters is received from a server in a distributed data environment. The set of dynamic group filters provides a set of attributes. A determination is made whether the entry includes a subset of the set of attributes. A request for dynamic group memberships of the entry is sent to the server. The request includes the subset of attributes and excludes attributes not used by any of the dynamic group filters. Information about at least one dynamic group of which the entry is a member is received for evaluation. A proxy server may receive the request for dynamic group filters and distribute the request to one or more servers in a distributed data environment.

Abstract: An instruction to delete the entry is received. A second entry that includes a reference to the entry is identified. A third entry including information to be preserved from the entry is added in a deleted entries subtree. The third entry is modified to include the reference information from the second entry. The third entry is saved such that during a restore of the entry the third entry provides the information to restore the entry and the reference to the entry. The third entry may include a set of attributes that store an identifier of the second entry. The entry is restored from the third entry and made available in the directory. A reference is recreated in the second entry to the restored entry forming a restored second entry.

Abstract: A mechanism for performing a sorted search in a distributed directory environment using a proxy server. A sorted search request for a set of top entries is sent to each backend server. The proxy server identifies a target server which returned a top entry in the set and sends another sorted search request to the target server for all entries having a sort order higher than or equal to the top entry and a sort order lower than or equal to the next top entry of the set, and returns the entries to a requesting client. The proxy server sends another sorted search request to the target server for a new top entry having a sort order greater than the next top entry and adds the new top entry to the set. The proxy server returns to the evaluating step until no top entries remain in the set.

Abstract: A computer implemented method, data processing system, and computer program product for reducing the overhead associated with distributed password policy enforcement operations using a proxy server. When a proxy server provides a request from a client to a backend directory server, the proxy server determines whether a password policy check is required to be performed at the backend directory server. If a password policy check is not required to be performed at the backend directory server, the proxy server sends the client request together with a skip password policy control to the backend directory server. This skip password policy control informs the backend directory server to skip the password policy check on the client request.

Abstract: A computer implemented method, data processing system, and computer program product for performing a virtual list view search in a distributed directory environment using a proxy server. The mechanism described in the illustrative embodiments enables a proxy server to provide virtual list view search support in a distributed directory environment when data is partitioned across multiple directory servers.

Abstract: A method, system, and computer usable program product for transferring messages to a directory are provided in the illustrative embodiments. A listing of message templates that is stored in a computer usable storage medium is received. A list of messages is received. The listing of message templates is loaded in a directory. The directory executes in a data processing system and is configured to store messages. The list of messages are loaded in the directory. Messages are loaded in the directory by receiving a list of messages in the directory. A message is selected and identified from the list of messages. A determination is made if the message corresponds to an existing base message entry in the directory. A message instance entry is created in relation to the existing base message entry if the message corresponds to an existing base message entry and the message is otherwise handled if not.