Extendible access control for lightweight directory access...

Data processing: database and file management or data structures – Database design – Data structure types

Reexamination Certificate


Details

C707S793000


active

06633872

ABSTRACT:

CROSS REFERENCE TO RELATED APPLICATIONS
(Not Applicable)
STATEMENT REGARDING FEDERALLY SPONSORED RESEARCH OR DEVELOPMENT
(Not Applicable)
BACKGROUND OF THE INVENTION
1. Technical Field
This invention relates to the field of directory services, and more particularly, to access control using Lightweight Directory Access Protocol (LDAP).
2. Description of the Related Art
A directory, like a database, holds descriptive information and attributes associated with that information. An employee records directory is one example; telephone directories and property listings are others. A directory contains multiple entries, each corresponding to an item of information the directory stores; in an employee directory an entry can be an employee name or a unique index number associated with that name. Each entry can have one or more attributes, which are any supplemental information or characteristics of the entry. Thus an employee entry can carry attributes such as personal details, a telephone number, an address, or a social security number.
Typically, information is read from a directory more often than information is written to the directory. Taking the previous example, although employee information must be updated periodically, much of the information within an employee record does not change from day to day. For example, an employee date of birth, if correctly entered in the directory, need not be updated. Similarly, an employee address need not be updated on a day to day basis, but rather, only when the employee relocates to a different residence. Because directories are accessed frequently using read operations, directories can be tuned for a high volume of search operations.
Lightweight Directory Access Protocol (LDAP) is a protocol for accessing a directory service over TCP/IP. An LDAP-based directory stores information in a hierarchical tree structure called the directory information tree. The tree branches out from a root node, and each branch or path leads to another related node that can store a particular piece of information. Each node is uniquely identified by the path of nodes taken from the root to reach it. This complete path, which is similar to a directory path for locating computer files, is called a distinguished name (DN). Thus an entry corresponds to a particular node in the directory information tree, with related nodes above and below it.
An attribute consists of a type and one or more values, where the type indicates what kind of information follows. For example, the type “cn” denotes that a common name will follow, so “cn=John Doe” is an attribute whose type is “cn” and whose value is “John Doe”. An attribute also serves to name a node in the tree: “cn=John Doe” can be the entry for John Doe, whose other attributes hold his department, home address, and other related information, while a node closer to the root, such as a department, is likewise named by one of its attributes, with the entries of that department's employees beneath it. Other attribute types include “mail” for an email address and “jpegPhoto” for a JPEG image, so the value of “mail” is an email address and the value of “jpegPhoto” is a photo encoded in binary JPEG format.
Presently within the art, no standard method of controlling user access to directory services using LDAP has been developed. Access Control Lists (ACLs), however, have been used with LDAP directory services in an effort to provide security features. Such implementations typically link a user access group to a particular user classification such as normal (not restricted), sensitive, or critical, and a user is then granted a particular set of permissions or privileges for accessing the directory service through the access groups. However, so small a number of security classifications often does not provide the granularity of access control the directory service needs: ACLs can lack the number of security levels and the search restrictions necessary to suitably control access to a directory service when using LDAP. Moreover, such solutions are not tailored to the specific access parameters of the directory service being accessed.
Other security implementations use attribute-based security classifications, assigning a classification to an attribute rather than to an entry or DN. Under this scheme an entire attribute class within a directory receives one security classification. For example, in an employee directory the address attribute can be assigned the sensitive classification, so every address in the directory, regardless of the DN it belongs to, is sensitive. Similarly, telephone numbers can be assigned the critical classification, so every telephone number, regardless of its DN, is critical. As with ACLs, assigning a classification to an entire attribute class on a directory-wide basis does not provide the granularity of access control needed for a directory service using LDAP.
SUMMARY OF THE INVENTION
The invention disclosed herein concerns a method and a system for providing extendible access control for Lightweight Directory Access Protocol (LDAP). The invention concerns reformatting a user specified LDAP operation to include application specific parameters within the LDAP operation. The application specific parameters can correspond to access control or security parameters of a directory service. After authenticating a user to an LDAP server, a user can be identified as belonging to a particular access control group. Based on the defined access control group, which can correspond to the user and one or more arguments of the LDAP operation specified by the user, one or more application specific parameters can be included within the user specified LDAP operation. After inclusion of the application specific parameters, the reformatted LDAP operation can be provided to an LDAP search engine. Notably, the invention can be implemented within the scope of LDAP as one or more application programs or plug-ins within an LDAP server.
The inventive method taught herein can begin by receiving from a user an LDAP operation directed to an LDAP search engine. The method can include associating the user with an access control group and reformatting the LDAP operation based on that group. The reformatting step can include one or more application specific parameters in the LDAP operation, where the parameters can correspond to the access control group, to parameters of the directory service, and to arguments of the LDAP operation. Notably, the parameters of the directory service can be security levels, permissions, or access rights. The method further can include providing the reformatted LDAP operation to the LDAP search engine.
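The following is an added example, not code from the patent or from any LDAP server: it sketches the plug-in described in the summary, sitting between an already-bound user and the search engine, and it also exercises the DN and attribute model from the background section (subtree checks are done on parsed RDNs). The access control group table, the per-entry "securityLevel" attribute carrying the page's normal/sensitive/critical levels, the structured tuple form of the filter and the small in-memory directory are all assumptions made for illustration. The plug-in does two things the text describes: it ANDs a security-level cap into the user's filter, and it checks or narrows the base DN argument of the operation against the group's allowed subtree.

```python
# Added example, not code from the patent: a server-side LDAP plug-in that
# reformats an authenticated user's search to carry the parameters of the
# user's access control group before the search engine sees it. The group
# table, the per-entry "securityLevel" attribute, the structured filter form
# and the in-memory directory are all assumptions made for illustration.
from dataclasses import dataclass

NORMAL, SENSITIVE, CRITICAL = 1, 2, 3   # the page's three classifications

# Assumed groups: the highest level a member may read, and the subtree a
# member may search (the latter constrains an argument of the operation).
ACCESS_GROUPS = {
    "hr-admin": {"max_level": CRITICAL,  "subtree": "ou=people,dc=example,dc=com"},
    "helpdesk": {"max_level": SENSITIVE, "subtree": "ou=people,dc=example,dc=com"},
    "intern":   {"max_level": NORMAL,    "subtree": "ou=interns,ou=people,dc=example,dc=com"},
}
USER_GROUPS = {"alice": "hr-admin", "bob": "helpdesk", "carol": "intern"}

# Constructed directory (DN -> attributes). The level sits on each entry, not
# on an attribute class, which is the granularity the page asks for.
DIRECTORY = {
    "cn=John Doe,ou=people,dc=example,dc=com": {"cn": "John Doe", "mail": "jdoe@example.com", "securityLevel": NORMAL},
    "cn=Jane Roe,ou=people,dc=example,dc=com": {"cn": "Jane Roe", "mail": "jroe@example.com", "securityLevel": SENSITIVE},
    "cn=Exec One,ou=people,dc=example,dc=com": {"cn": "Exec One", "mail": "exec@example.com", "securityLevel": CRITICAL},
    "cn=Ann Intern,ou=interns,ou=people,dc=example,dc=com": {"cn": "Ann Intern", "mail": "ann@example.com", "securityLevel": NORMAL},
}

@dataclass(frozen=True)
class SearchRequest:
    base: str
    filter: tuple   # structured filter: ("=", attr, value) or ("&", f1, f2, ...)

def split_dn(dn: str) -> list:
    """Split a DN into case-folded RDNs, keeping backslash-escaped commas (RFC 4514).
    Folding whole RDNs is a simplification of LDAP's per-attribute matching rules."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):   # keep the escape pair intact
            cur.append(dn[i:i + 2]); i += 2; continue
        if dn[i] == ",":
            rdns.append("".join(cur)); cur = []
        else:
            cur.append(dn[i])
        i += 1
    rdns.append("".join(cur))
    return [r.strip().lower() for r in rdns]

def dn_under(dn: str, ancestor: str) -> bool:
    """True if dn is ancestor or lies in its subtree (RDNs compared from the root)."""
    d, a = split_dn(dn), split_dn(ancestor)
    return len(d) >= len(a) and d[len(d) - len(a):] == a

def reformat_search(user: str, req: SearchRequest) -> SearchRequest:
    """The plug-in step: the user is already bound; add the group's parameters."""
    group = ACCESS_GROUPS[USER_GROUPS[user]]
    subtree = group["subtree"]
    if dn_under(req.base, subtree):
        base = req.base          # requested base already inside the allowed subtree
    elif dn_under(subtree, req.base):
        base = subtree           # wider base: narrow it to the allowed subtree
    else:
        raise PermissionError(f"{user} may not search {req.base}")
    level_cap = ("<=", "securityLevel", group["max_level"])
    return SearchRequest(base, ("&", level_cap, req.filter))

def matches(f: tuple, attrs: dict) -> bool:
    """Evaluate a structured filter (and, equality, presence, <=) against one entry."""
    if f[0] == "&":
        return all(matches(sub, attrs) for sub in f[1:])
    op, attr, value = f
    if attr not in attrs:
        return False
    if op == "=":
        return value == "*" or str(attrs[attr]).lower() == str(value).lower()
    if op == "<=":
        return attrs[attr] <= value
    raise ValueError(f"unsupported filter operator {op!r}")

def search_engine(req: SearchRequest) -> list:
    """The search engine proper: subtree scope, no access logic of its own."""
    return sorted(dn for dn, attrs in DIRECTORY.items()
                  if dn_under(dn, req.base) and matches(req.filter, attrs))

def user_search(user: str, base: str, flt: tuple) -> list:
    """What a client sees: its request passes through the plug-in first."""
    return search_engine(reformat_search(user, SearchRequest(base, flt)))

def filter_string(f: tuple) -> str:
    """RFC 4515 string form of a structured filter; values are escaped so that a
    value such as 'a)(b' cannot change the filter's structure."""
    if f[0] == "&":
        return "(&%s)" % "".join(filter_string(s) for s in f[1:])
    op, attr, value = f
    if value == "*":
        return "(%s=*)" % attr
    esc = "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in str(value))
    return "(%s%s%s)" % (attr, op, esc)

if __name__ == "__main__":
    everyone = ("=", "mail", "*")
    for user in USER_GROUPS:
        req = reformat_search(user, SearchRequest("dc=example,dc=com", everyone))
        print(user, req.base, filter_string(req.filter), user_search(user, "dc=example,dc=com", everyone))
```

Two design points matter in practice. First, the cap is ANDed onto whatever the user sent, so a user who explicitly asks for a critical entry, or who widens the base to the root, still gets only what the group allows; the search engine itself never needs to know about groups. Second, the filter is kept as a structure until it is rendered, and the rendering escapes values as RFC 4515 requires; a plug-in that built the reformatted filter by string concatenation would let a crafted value close the parenthesis and add its own clauses.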
Another embodiment of the invention can be a method of providing access control using LDAP. The method can include receiving from a user an LDAP operation directed to an LDAP search engine. The step of associating the user with an access control group can be included. The method further can include reformatting the LDAP operation based on the access control group. Notably, the reformatting step can
