Directory cache techniques for efficient user management

User management is one of the most time consuming tasks for administrators of large networks. This paper presents some techniques developed at Carnegie Mellon University to improve handling of accounts and access rights in a corporate environment. Directory information is typically handled by a hierarchy of LDAP servers maintained by different support groups on different administrative levels, from corporate to department. Optimization of information flow between these levels can be achieved by minimizing the need for communication between different support groups, and by reusing the data provided by the higher levels for automatic configuration of the lower levels. The method described here for achieving this goal is to trickle down user information from the higher to the lower administrative levels using successive cache mechanisms. This technique can be applied between different levels of LDAP servers (corporate, departmental, group), as well as for end-user computers. To preserve the flexibility of the configuration and the autonomy of the lower levels, the information stored by the LDAP server that's the closest to the end-user computer should have the highest precedence. By implementing the techniques described here, user management became more efficient, especially for automatically creating new accounts on end-user computers, expanding the number of local authenticated services, and granting local access rights for users.