201040751

VI. Description of the Invention

[Technical Field of the Invention]

The present invention relates to a system for synchronizing changed data using the directory service access log as the medium. In particular, it refers to a method that obtains directory service change data by monitoring the bottom (tail) of the access log file and analyzing the log block by block, so that the changed directory data can be synchronized to an external data system.

[Prior Art]

Information system architectures developed in recent years often use a directory service to store organization data, user account data and permission data, and to serve as the platform on which applications authenticate and authorize users. When a directory service is first introduced alongside an existing database-backed account system, the existing applications' authentication and authorization mechanisms must keep working, so the directory service inevitably has to run in parallel with the existing account database. This creates a need to synchronize data between the two.

To synchronize directory service data to other databases, two technical approaches are generally used: searching on the modification timestamp of directory entries, or a meta-directory system (Meta Directory) product. Searching on modification timestamps consumes a very large amount of the directory service's computing resources. A meta-directory product installs plug-in components customized for each vendor's directory service, so that the directory service can actively provide change data to the meta-directory system in real time for synchronization. Meta-directory products are expensive, and their complex synchronization settings often raise the barrier to learning and adoption. When the brand or version of the directory service changes, the operator may have to wait for, or purchase, a new version of the plug-in, and installing the plug-in may also degrade the directory service's performance.

The conventional approaches above therefore still have many shortcomings, are not a sound design, and are in need of improvement.

In view of these shortcomings, the inventor sought to improve and innovate on the conventional approaches and, after years of dedicated research, succeeded in developing the present system for synchronizing changed data using the directory service access log as the medium.

[Summary of the Invention]

The object of the present invention is to provide a system for synchronizing changed data using the directory service access log as the medium, so that an ordinary directory service can actively produce change data in real time without installing any plug-in component that affects its performance, and so that the change data can be written to an external data system by a general method.

The system that achieves this object monitors the bottom of the directory service access log file and analyzes the log to obtain directory service change data, and thereby synchronizes that data to an external data system. The method relies on the readability, regularity and completeness of directory service access log data. It can monitor directory data changes without affecting the directory service's performance, read the changed directory data, and synchronize it to the external data system. The system of the present invention comprises:

a directory service data change monitoring component, responsible for continuously monitoring the bottom of the directory service access log file and analyzing it for the distinguished name of the changed data and the change type: add / update / delete / update distinguished name;

a directory service data reading component, responsible for connecting to the directory service and reading the corresponding directory data according to the distinguished name of the changed data;

a change data packaging component, responsible for packaging the directory data read by the directory service data reading component into a change data object;

a change data writing component, responsible for converting the change data object produced by the change data packaging component into a format compatible with the external data system's interface and writing it to the external data system; and

a method of monitoring and analyzing the directory service access log to obtain directory service change data. Its main logic is to analyze the access log block by block and track change transactions as they proceed. As soon as a message indicating that a change succeeded is detected, change information is added (change information consists of the distinguished name of the changed data and the change type: add / update / delete / update distinguished name). By adjusting the configuration data, the method can read the access logs of directory services from different vendors and of different versions, and detect the distinguished names and change types recorded in those logs, so that an ordinary directory service can actively produce change data in real time without installing any plug-in component.

[Embodiments]

Please refer to Figure 1, the system architecture diagram of the system of the present invention. It shows the internal components of the invention and how they operate with the directory service 3 and the external data system 10. Through the change data synchronization system 1, the invention starts the directory service data change monitoring component 2, which continuously monitors the bottom of the access log 4 produced by the directory service 3. Monitoring can run as an endless-loop process that keeps watching the bottom of the access log until an external signal (Signal) tells it to stop. It can also run as a one-shot process that ends as soon as it reaches the bottom of the access log, which is suitable for replaying the directory data changes of a given time period.

Whenever data is accessed in the directory service 3, new data appears in the access log 4 and is captured by the directory service data change monitoring component 2. Using the contents of the configuration data 5, the monitoring component 2 determines from the access log 4 which data was changed, when, and in what way. Based on the directory service distinguished name (Distinguished Name) of the changed data, the change data synchronization system 1 starts the directory service data reading component 6, which connects to the directory service 3 and reads the changed data. The change data synchronization system 1 then starts the change data packaging component 7, which packages the data read by the reading component 6 into a change data object 8. The change data object 8 is a transfer object (Transfer Object) in the object-oriented programming sense. It contains the object's attribute values, the object identifier, the change type and related information, so that its attributes can be mapped to the data content of the external data system and the change type (add / update / delete) can be specified. Finally, the change data synchronization system 1 starts the change data writing component 9, which converts the contents of the change data object 8 into a format compatible with the interface of the external data system 10 and writes it to the external data system. The external data system may be a text file, an XML file, a database, a directory service, an e-mail service, and so on.

Please refer to Figures 2 and 3. Figure 2 explains the contents of the configuration data 5 shown in Figure 1. The configuration data content 51 comprises 18 attributes. Except for "TargetFile", "CheckFrequency" and "DateTimeFormat", the value of every attribute may be a regular expression (Regular Expression). The directory service data change monitoring component 2 uses this configuration data to read exactly the data it needs to analyze. The configuration can be set to match the brand or version of the directory service, so the source code of the monitoring component 2 never needs to change. Figure 3 is an example of using the settings in the configuration data 5 to confirm change information in the directory service access log. It assumes that the access log example 41 uses two blocks (Block) to record the successful addition of one directory entry, "uid=00000175,ou=OU,o=O,c=TW". The settings in the configuration data example 52 then allow the monitoring component 2 to confirm this change information.

Please refer to Figure 4, the logic flow chart of the directory service data change monitoring component. Its main logic is to analyze the directory service access log block by block and track change transactions as they proceed. As soon as a message indicating that a change succeeded is detected, change information is added (the distinguished name of the changed data and the change type: add / update / delete / update distinguished name) and handed to the change data packaging component for further processing. The steps are:

Step 1 (101): Use the "DataBlockInit" attribute value in the configuration data 5 to identify and read the next block of the directory service access log 4. Then go to step 2 (102), which determines whether there is a new block of access log 4 data. If not, continue to step 3 (103). If so, continue to step 4 (104).

Step 3 (103): Pause for the length of time given by the "CheckFrequency" attribute value in the configuration data 5, then return to step 1 (101).

Step 4 (104): Use the "KeyBeforeDiffType", "KeyAfterDiffType", "AddKeyWord", "ModifyKeyWord", "DeleteKeyWord" and "ModifyDNKeyWord" attribute values in the configuration data 5 to check whether the access log 4 block contains change type information. If not, continue to step 5 (105). If so, continue to step 6 (106).

Step 5 (105): Use the "KeyBeforeRequestResultReference" and "KeyAfterRequestResultReference" attribute values in the configuration data 5 to check whether the access log 4 block matches a transaction identifier that has already been staged (see step 8 (108)). If not, return to step 1 (101). If so, continue to step 9 (109).

Step 6 (106): Use the "KeyBeforeDN", "KeyAfterDN", "KeyBeforeNewRDN", "KeyAfterNewRDN", "KeyBeforeSuperiorDN" and "KeyAfterSuperiorRDN" attribute values in the configuration data 5 to check whether the access log 4 block contains distinguished name information. If not, continue to step 7 (107). If so, continue to step 8 (108).

Step 7 (107): Mark the data block as having undeterminable content, record the contents of the block in the system log, and return to step 1 (101).

Step 8 (108): The data block is confirmed to record the distinguished name of the changed data, the change type and the transaction identifier. Stage this information temporarily so that step 5 (105) can later compare transaction identifiers, and so that step 10 (110) can discard it or step 11 (111) can read the distinguished name of the changed data.

Step 9 (109): Use the "KeyBeforeResultCode", "KeyAfterResultCode" and "SuccessResultCode" attribute values in the configuration data 5 to check whether the access log 4 block contains a result indicating that the change transaction succeeded. If not, continue to step 10 (110). If so, continue to step 11 (111).

Step 10 (110): The staged change transaction is confirmed not to have succeeded (the transaction result obtained in step 9 (109) does not indicate success), so discard the change information and return to step 1 (101).

Step 11 (111): The staged change transaction is confirmed to have succeeded (the transaction result obtained in step 9 (109) indicates success), so add the change information to the list of change data waiting to be packaged and return to step 1 (101).

Compared with other conventional techniques, the system provided by the present invention has the following advantages:

1. The invention reduces the labor, time and cost of purchasing, learning and maintaining software and equipment for synchronizing directory service data to other databases.

2. The invention applies to any directory service that can produce a data access log. A change in the brand or version of the directory service requires no additional program development or maintenance, only an adjustment to the system configuration.

3. The invention has no direct interface to the directory service. It reads change data from the access log that the directory service already produces, so it does not affect the directory service's existing performance.

The detailed description above is a specific description of one feasible embodiment of the present invention. The embodiment is not intended to limit the patent scope of the invention. Any equivalent implementation or change that does not depart from the spirit of the invention shall be included in the patent scope of this case.

In summary, this case is innovative in its technical concept and improves on conventional articles in the several respects described above. It should fully satisfy the statutory requirements of novelty and inventive step for an invention patent. The application is filed according to law, and the Office is respectfully requested to approve it so as to encourage invention.

[Brief Description of the Drawings]

The technical content of the present invention, its object and its effects can be further understood from the following detailed description of a preferred embodiment and its drawings. The drawings of the embodiment are:

Figure 1 is the system architecture diagram of the system for synchronizing changed data using the directory service access log as the medium;

Figure 2 is a diagram explaining the configuration data content of the directory service data change monitoring component of the system;

Figure 3 is a diagram showing an example of the configuration data of the directory service data change monitoring component of the system;

Figure 4 is the logic flow chart of the directory service data change monitoring component of the system.

[Description of Main Component Symbols]

1 change data synchronization system
2 directory service data change monitoring component
3 directory service
4 access log
41 directory service access log example
5 configuration data
51 configuration data content
52 configuration data example
6 directory service data reading component
7 change data packaging component
8 change data object
9 change data writing component
10 external data system
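The block-by-block logic of steps 101 to 111 (Figure 4), run in one-shot mode, as an added example that is not part of the patent text. The log layout, the `txn=` transaction reference, the configuration values and the reading of each `KeyBefore…`/`KeyAfter…` pair as the patterns surrounding the value to extract are all assumptions; only the attribute names come from the description, and the rename attributes (`KeyBeforeNewRDN` and the like) are left out.

```python
import re

# Hypothetical values for attribute names from the description; the log layout is constructed.
CONFIG = {
    "DataBlockInit": r"^\[\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\]",
    "KeyBeforeDiffType": r"txn=\S+ ", "KeyAfterDiffType": r" dn=",
    "AddKeyWord": "ADD", "ModifyKeyWord": "MOD",
    "DeleteKeyWord": "DEL", "ModifyDNKeyWord": "MODRDN",
    "KeyBeforeRequestResultReference": r"txn=",
    "KeyAfterRequestResultReference": r"\s",
    "KeyBeforeDN": r'dn="', "KeyAfterDN": r'"',
    "KeyBeforeResultCode": r"RESULT err=", "KeyAfterResultCode": r"(?:\s|$)",
    "SuccessResultCode": "0",
}
KINDS = {"add": "AddKeyWord", "modify": "ModifyKeyWord",
         "delete": "DeleteKeyWord", "modify_dn": "ModifyDNKeyWord"}

SAMPLE_LOG = """\
[2009-05-01 10:00:00] txn=12-3 ADD dn="uid=00000175,ou=OU,o=O,c=TW"
[2009-05-01 10:00:00] txn=12-3 RESULT err=0
[2009-05-01 10:00:01] txn=12-4 SRCH base="ou=OU,o=O,c=TW"
[2009-05-01 10:00:02] txn=13-1 DEL dn="uid=00000042,ou=OU,o=O,c=TW"
[2009-05-01 10:00:02] txn=13-1 RESULT err=50
[2009-05-01 10:00:03] txn=14-1 MOD dn="uid=00000175,ou=OU,o=O,c=TW"
  changetype: replace mail
[2009-05-01 10:00:03] txn=14-1 RESULT err=0
[2009-05-01 10:00:04] txn=15-1 MOD dn=
"""

def split_blocks(lines, cfg):
    block = []  # steps 101/102: a block runs until the next DataBlockInit match
    for line in lines:
        if block and re.search(cfg["DataBlockInit"], line):
            yield "\n".join(block)
            block = []
        block.append(line)
    if block:
        yield "\n".join(block)

def between(cfg, name, block):
    """Text between the KeyBefore<name> and KeyAfter<name> patterns, or None."""
    before, after = cfg["KeyBefore" + name], cfg["KeyAfter" + name]
    m = re.search(f"(?:{before})(.*?)(?:{after})", block, re.S)
    return m.group(1) if m else None

def scan(lines, cfg):
    """Return (confirmed changes, blocks whose content could not be determined)."""
    staged, pending, unparsed = {}, [], []
    for block in split_blocks(lines, cfg):
        txn = between(cfg, "RequestResultReference", block)
        raw = between(cfg, "DiffType", block)
        kind = next((k for k, attr in KINDS.items()
                     if raw and re.fullmatch(cfg[attr], raw)), None)  # step 104
        if kind:
            dn = between(cfg, "DN", block)                 # step 106
            if dn is None or txn is None:
                unparsed.append(block)                     # step 107
            else:
                staged[txn] = (kind, dn)                   # step 108
        elif txn in staged:                                # step 105
            change = staged.pop(txn)                       # dropped unless confirmed (110)
            code = between(cfg, "ResultCode", block)       # step 109
            if code is not None and re.fullmatch(cfg["SuccessResultCode"], code):
                pending.append(change)                     # step 111
    return pending, unparsed
```

On the constructed log, the delete that returns `err=50` never reaches the pending list, so a rejected request is not propagated to the external data system, and the truncated `txn=15-1` block is reported as undeterminable rather than guessed at.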