Abstract: A method, computer program product, and data processing system, with which a unified security policy may be implemented using existing application components with disparate security mechanisms and user registries is disclosed. The present invention provides a generic application programming interface (API) that forms a framework for creating registry adapters. Registry adapters allow a policy director (an item of software for imposing a sitewide security policy) to operate with new or unfamiliar registry types by acting as a drop-in translator for converting generic registry-access commands into operations specific to the particular registry in question.

Abstract: A method and system for sharing existing user and group registry information between heterogeneous application servers is provided. The method and system make use of an adapter that communicates with each registry associated with each application server through a registry communication mechanism. In a preferred embodiment, the present invention provides an additional application-specific database to protect application-specific data that is required for each application server's operation but is not part of an existing database registry. Both the application-specific databases and existing user and group definitions in a user and group registry form a new registry abstraction which is required for each application server. As a result, each application server automatically shares user and group definitions with the existing database server. Furthermore, both the database server and each application server maintain a centralized user and group management model across different application domains.

Abstract: A method, computer program product, and data processing system, with which a unified security policy may be implemented using existing application components with disparate security mechanisms and user registries is disclosed. The present invention provides a generic application programming interface (API) that forms a framework for creating registry adapters. Registry adapters allow a policy director (an item of software for imposing a sitewide security policy) to operate with new or unfamiliar registry types by acting as a drop-in translator for converting generic registry-access commands into operations specific to the particular registry in question.

Abstract: A method and system for sharing existing user and group registry information between heterogeneous application servers is provided. The method and system make use of an adapter that communicates with each registry associated with each application server through a registry communication mechanism. In a preferred embodiment, the present invention provides an additional application-specific database to protect application-specific data that is required for each application server's operation but is not part of an existing database registry. Both the application-specific databases and existing user and group definitions in a user and group registry form a new registry abstraction which is required for each application server. As a result, each application server automatically shares user and group definitions with the existing database server. Furthermore, both the database server and each application server maintain a centralized user and group management model across different application domains.

Abstract: A method of hierarchical LDAP searching in an LDAP directory service having a relational database management system (DBMS) as a backing store. The method begins by parsing an LDAP filter-based query for elements and logical operators of the filter query. For each filter element, the method generates an SQL subquery according to a set of translation rules. For each SQL subquery, the method then generates a set of entry identifiers for the LDAP filter query. Then, the SQL subqueries are combined into a single SQL query according to a set of combination rules chosen corresponding to the logical operators of the LDAP filter query.

Abstract: A method of hierarchical LDAP searching in an LDAP directory service having a relational database management system (DBMS) as a backing store. According to the invention, entries in a naming hierarchy are mapped into first and second relational tables: a parent table, and a descendant table. These tables are used to "filter" lists of entries returned from a search to ensure that only entries within a given search scope are retained for evaluation. Thus, for example, the parent table is used during an LDAP one level search, and the descendant table is used during an LDAP subtree search. In either case, use of the parent or descendant table obviates recursive queries through the naming directory.