Encoding LDAP role and domain information in a fixed format
Abstract
Methods, computing systems and computer program products implement embodiments of the present invention that include associating one or more client domains with a computer executing an LDAP client, defining one or more client roles for each of the one or more client domains, and associating one or more privileges with each of the client roles. Upon detecting a login of a client user having a client user name, the client user name is conveyed to an LDAP server, and in response, one or more client groups are received from the LDAP server, each given client group comprising a server role and a server domain. For each received client group having a respective server domain matching a given client domain, the respective server role is matched to a given client role, and the one or more privileges associated with the given client role are assigned to the client user.
17 Claims
1. A method, comprising:
associating one or more client domains with a computer executing a Lightweight Directory Access Protocol (LDAP) client, the one or more client domains comprised of multiple hosts, including the computer, on a network which are administered as a unit having common rules and procedures including providing, as the one or more client domains, at least one of a database service and an email service;
defining, by the computer, one or more client roles for each of one or more client domains, the one or more client roles including at least a read only role, a read and write role, and an administrator role;
wherein each of the one or more client roles are encoded in a specific canonically-defined syntax as an entry in an LDAP user table;
associating one or more privileges with each of the client roles, the one or more privileges each comprising one or more executable commands to which a client user associated with one of the respective client roles is authorized to perform;
wherein an application verifies the one or more privileges associated with the one or more client roles for the application by querying a respective entry in the LDAP user table, including querying both for syntactic correctness of the specific canonically-defined syntax and privilege role enforcement of the one or more privileges;
detecting a login of the client user having a client user name;
conveying the client user name to an LDAP server;
receiving, from the LDAP server, one or more client groups, each given client group comprising a server role and a server domain;
for each received client group having a respective server domain matching a given client domain;
matching the respective server role to a given client role; and
assigning, to the client user, the one or more privileges associated with the given client role; and
prior to defining the one or more client roles, defining by the LDAP server, multiple server domains, defining multiple server roles, and associating one or more given server roles with each of the multiple server domains.
Dependent claims: 2, 3, 4, 5 and 6.
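The abstract and claim 1 describe one login-time procedure: the LDAP server returns groups whose names carry a server domain and a server role in a fixed syntax; the client keeps only groups whose domain matches one of its own client domains, maps the server role to a client role, and grants that role's executable commands, checking the encoded name for syntactic correctness before trusting it. The following is an added example written for this page, not code from the patent or its assignee. The concrete wire format (group CN of the form "<domain>_<role>"), the role tokens ro/rw/adm, the domain names, the command lists and the sample distinguished names are all assumptions constructed for the example; the claims only require that the encoding be canonical.

```python
"""Resolve privileges from LDAP groups that encode <domain>_<role> in the CN.

Added example (not the patent's code). Shows the claimed flow: validate
the canonical syntax, keep only groups for a client domain this host
serves, map the server role to a client role, assign its privileges, and
reject anything malformed instead of guessing.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

# Assumed canonical syntax: lowercase domain token, one underscore,
# lowercase role token, nothing else. Anchored with \A and \Z so that a
# value such as "dbsvc_adm;dbsvc_rw" or "dbsvc_adm\nx" cannot slip past.
GROUP_CN_RE = re.compile(r"\A(?P<domain>[a-z][a-z0-9-]{0,31})_(?P<role>[a-z]{1,16})\Z")

# Client-side configuration (assumed values): the client domains this host
# serves, the server-role -> client-role map, and each client role's commands.
CLIENT_DOMAINS: Set[str] = {"dbsvc", "mailsvc"}
ROLE_MAP: Dict[str, str] = {"ro": "read_only", "rw": "read_write", "adm": "administrator"}
PRIVILEGES: Dict[str, Set[str]] = {
    "read_only": {"select", "show"},
    "read_write": {"select", "show", "insert", "update"},
    "administrator": {"select", "show", "insert", "update", "grant", "drop"},
}


def parse_group_dn(dn: str) -> Optional[Tuple[str, str]]:
    """Return (domain, role) from a group DN, or None if the CN is not canonical.

    Only the leftmost RDN carries the encoded name, and it must be a CN.
    Simplification: assumes no escaped commas inside the CN value.
    """
    first_rdn, _, _ = dn.partition(",")
    attr, sep, value = first_rdn.partition("=")
    if not sep or attr.strip().lower() != "cn":
        return None
    m = GROUP_CN_RE.fullmatch(value)
    return (m.group("domain"), m.group("role")) if m else None


def resolve_privileges(group_dns: List[str]) -> Tuple[Dict[str, Set[str]], List[str]]:
    """Map the groups returned for a logged-in user to per-domain privileges.

    Returns (privileges_by_client_domain, rejected_group_dns). A group is
    rejected when its name is not canonical, its domain is not one this
    client serves, or its server role has no client-role mapping. Several
    valid groups for one domain accumulate (union of their commands).
    """
    privs: Dict[str, Set[str]] = {}
    rejected: List[str] = []
    for dn in group_dns:
        parsed = parse_group_dn(dn)
        if parsed is None:
            rejected.append(dn)
            continue
        domain, server_role = parsed
        if domain not in CLIENT_DOMAINS:
            rejected.append(dn)
            continue
        client_role = ROLE_MAP.get(server_role)
        if client_role is None:
            rejected.append(dn)
            continue
        privs.setdefault(domain, set()).update(PRIVILEGES[client_role])
    return privs, rejected


def is_authorized(privs: Dict[str, Set[str]], domain: str, command: str) -> bool:
    """Privilege enforcement: may the user run `command` against `domain`?"""
    return command in privs.get(domain, set())


# Constructed sample of what the LDAP server might return as a user's groups.
SAMPLE_GROUPS = [
    "cn=dbsvc_rw,ou=groups,dc=example,dc=com",
    "cn=mailsvc_ro,ou=groups,dc=example,dc=com",
    "cn=hrsvc_adm,ou=groups,dc=example,dc=com",           # domain this host does not serve
    "cn=dbsvc_adm;dbsvc_rw,ou=groups,dc=example,dc=com",  # not canonical (two names jammed in)
    "cn=DBSVC_ADM,ou=groups,dc=example,dc=com",           # wrong case: not canonical
    "cn=dbsvc_root,ou=groups,dc=example,dc=com",          # syntactically fine, unknown role
    "ou=dbsvc_adm,dc=example,dc=com",                     # encoded name not in a CN
]

if __name__ == "__main__":
    granted, bad = resolve_privileges(SAMPLE_GROUPS)
    for domain, cmds in sorted(granted.items()):
        print(f"{domain}: {sorted(cmds)}")
    for dn in bad:
        print(f"rejected: {dn}")
    print("dbsvc insert:", is_authorized(granted, "dbsvc", "insert"))
    print("dbsvc drop:  ", is_authorized(granted, "dbsvc", "drop"))
```

The two checks the claim names are kept separate on purpose: parse_group_dn answers only "is this name well formed", and the domain and role lookups answer "does this host honour it". Collapsing them into one loose regex is how a crafted group name such as the jammed "dbsvc_adm;dbsvc_rw" ends up granting the administrator role; with an anchored canonical pattern it is simply rejected.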
7. A computing facility, comprising:
a communications network;
a first computer executing a Lightweight Directory Access Protocol (LDAP) server application and coupled to the communications network; and
a second computer coupled to the communications network, and configured;
to execute an LDAP client application,
to associate one or more client domains with the second computer, the one or more client domains comprised of multiple hosts, including the second computer, on the communications network which are administered as a unit having common rules and procedures including providing, as the one or more client domains, at least one of a database service and an email service,
to define one or more client roles for each of one or more client domains, the one or more client roles including at least a read only role, a read and write role, and an administrator role;
wherein each of the one or more client roles are encoded in a specific canonically-defined syntax as an entry in an LDAP user table,
to associate one or more privileges with each of the client roles, the one or more privileges each comprising one or more executable commands to which a client user associated with one of the respective client roles is authorized to perform;
wherein an application verifies the one or more privileges associated with the one or more client roles for the application by querying a respective entry in the LDAP user table, including querying both for syntactic correctness of the specific canonically-defined syntax and privilege role enforcement of the one or more privileges,
to detect a login of the client user having a client user name,
to convey the client user name to the first computer,
to receive from the first computer, one or more client groups, each given client group comprising a server role and a server domain,
for each received client group having a respective server domain matching a given client domain;
to match the respective server role to a given client role, and
to assign, to the client user, the one or more privileges associated with the given client role,
wherein, prior to defining the one or more client roles, the first computer is configured to define multiple server domains, to define multiple server roles, and to associate one or more given server roles with each of the multiple server domains.
Dependent claims: 8, 9, 10, 11 and 12.
13. A computer program product, the computer program product comprising:
a non-transitory computer readable storage medium having computer readable program code embodied therewith, the computer readable program code comprising;
computer readable program code configured to execute a Lightweight Directory Access Protocol (LDAP) client;
computer readable program code configured to associate one or more client domains with a computer executing the LDAP client, the one or more client domains comprised of multiple hosts, including the computer, on a network which are administered as a unit having common rules and procedures including providing, as the one or more client domains, at least one of a database service and an email service;
computer readable program code configured to define, one or more client roles for each of one or more client domains, the one or more client roles including at least a read only role, a read and write role, and an administrator role;
wherein each of the one or more client roles are encoded in a specific canonically-defined syntax as an entry in an LDAP user table;
computer readable program code configured to associate one or more privileges with each of the client roles, the one or more privileges each comprising one or more executable commands to which a client user associated with one of the respective client roles is authorized to perform;
wherein an application verifies the one or more privileges associated with the one or more client roles for the application by querying a respective entry in the LDAP user table, including querying both for syntactic correctness of the specific canonically-defined syntax and privilege role enforcement of the one or more privileges;
computer readable program code configured to detect a login of the client user having a client user name;
computer readable program code configured to convey the client user name to an LDAP server;
computer readable program code configured to receive, from the LDAP server, one or more client groups, each given client group comprising a server role and a server domain;
for each received client group having a respective server domain matching a given client domain;
computer readable program code configured to match the respective server role to a given client role; and
computer readable program code configured to assign, to the client user, the one or more privileges associated with the given client role; and
computer readable program code executing on the LDAP server and configured, prior to defining the one or more client roles, to define multiple server domains, to define multiple server roles, and to associate one or more given server roles with each of the multiple server domains.
Dependent claims: 14, 15, 16 and 17.