Encoding LDAP role and domain information in a fixed format

US 10,333,942 B2
Filed: 07/08/2014
Issued: 06/25/2019
Est. Priority Date: 07/08/2014
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

associating one or more client domains with a computer executing a Lightweight Directory Access Protocol (LDAP) client, the one or more client domains comprised of multiple hosts, including the computer, on a network which are administered as a unit having common rules and procedures including providing, as the one or more client domains, at least one of a database service and an email service;

defining, by the computer, one or more client roles for each of one or more client domains, the one or more client roles including at least a read only role, a read and write role, and an administrator role;

wherein each of the one or more client roles are encoded in a specific canonically-defined syntax as an entry in an LDAP user table;

associating one or more privileges with each of the client roles, the one or more privileges each comprising one or more executable commands to which a client user associated with one of the respective client roles is authorized to perform;

wherein an application verifies the one or more privileges associated with the one or more client roles for the application by querying a respective entry in the LDAP user table, including querying both for syntactic correctness of the specific canonically-defined syntax and privilege role enforcement of the one or more privileges;

detecting a login of the client user having a client user name;

conveying the client user name to an LDAP server;

receiving, from the LDAP server, one or more client groups, each given client group comprising a server role and a server domain;

for each received client group having a respective server domain matching a given client domain;

matching the respective server role to a given client role; and

assigning, to the client user, the one or more privileges associated with the given client role; and

prior to defining the one or more client roles, defining by the LDAP server, multiple server domains, defining multiple server roles, and associating one or more given server roles with each of the multiple server domains.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, computing systems and computer program products implement embodiments of the present invention that include associating one or more client domains with a computer executing an LDAP client, defining one or more client roles for each of one or more client domains, and associating one or more privileges with each of the client roles. Upon detecting a login of a client user having a client user name, the client user name is conveyed to an LDAP server, and in response, one or more client groups are received from the LDAP server, each given client group comprising a server role and a server domain. For each received client group having a respective server domain matching a given client domain, the respective server role is matched to a given client role, and the one or more privileges associated with the given client role is assigned to the client user.

Citations

17 Claims

1. A method, comprising:
- associating one or more client domains with a computer executing a Lightweight Directory Access Protocol (LDAP) client, the one or more client domains comprised of multiple hosts, including the computer, on a network which are administered as a unit having common rules and procedures including providing, as the one or more client domains, at least one of a database service and an email service;
  
  defining, by the computer, one or more client roles for each of one or more client domains, the one or more client roles including at least a read only role, a read and write role, and an administrator role;
  
  wherein each of the one or more client roles are encoded in a specific canonically-defined syntax as an entry in an LDAP user table;
  
  associating one or more privileges with each of the client roles, the one or more privileges each comprising one or more executable commands to which a client user associated with one of the respective client roles is authorized to perform;
  
  wherein an application verifies the one or more privileges associated with the one or more client roles for the application by querying a respective entry in the LDAP user table, including querying both for syntactic correctness of the specific canonically-defined syntax and privilege role enforcement of the one or more privileges;
  
  detecting a login of the client user having a client user name;
  
  conveying the client user name to an LDAP server;
  
  receiving, from the LDAP server, one or more client groups, each given client group comprising a server role and a server domain;
  
  for each received client group having a respective server domain matching a given client domain;
  
  matching the respective server role to a given client role; and
  
  assigning, to the client user, the one or more privileges associated with the given client role; and
  
  prior to defining the one or more client roles, defining by the LDAP server, multiple server domains, defining multiple server roles, and associating one or more given server roles with each of the multiple server domains.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method according to claim 1, wherein each of the one or more client domains comprises a given server domain, and wherein each of the one or more client roles comprises a given client role, and comprising conveying, to the LDAP client, the one or more client domains and the one or more client roles for each of one or more client domains.
  - 3. The method according to claim 2, and comprising defining, by the LDAP server, multiple server users, each of the server users having a server user name, wherein the client user comprises a given server user, and wherein the client user name comprises a given server user name.
  - 4. The method according to claim 3, and comprising defining multiple server groups, each of the server groups comprising a given server role and a given server domain wherein each of the one or more client groups comprises a given server group.
  - 5. The method according to claim 4, and comprising defining, by the LDAP server, the LDAP user table comprising multiple entries, each of the entries comprising a given server user name, a given server role and a given server domain.
  - 6. The method according to claim 5, and comprising upon receiving the client user name from the LDAP client, identifying, by the LDAP server, one or more of the entries whose server user name matches the client user name, the one or more identified entries having respective one or more server groups, and conveying the respective one or more server groups to the LDAP client, wherein the received one or more client groups comprises the one or more conveyed server groups.

7. A computing facility, comprising:
- a communications network;
  
  a first computer executing a Lightweight Directory Access Protocol (LDAP) server application and coupled to the communications network; and
  
  a second computer coupled to the communications network, and configured;
  
  to execute an LDAP client application,to associate one or more client domains with the second computer, the one or more client domains comprised of multiple hosts, including the second computer, on the communications network which are administered as a unit having common rules and procedures including providing, as the one or more client domains, at least one of a database service and an email service,to define one or more client roles for each of one or more client domains, the one or more client roles including at least a read only role, a read and write role, and an administrator role;
  
  wherein each of the one or more client roles are encoded in a specific canonically-defined syntax as an entry in an LDAP user table,to associate one or more privileges with each of the client roles, the one or more privileges each comprising one or more executable commands to which a client user associated with one of the respective client roles is authorized to perform;
  
  wherein an application verifies the one or more privileges associated with the one or more client roles for the application by querying a respective entry in the LDAP user table, including querying both for syntactic correctness of the specific canonically-defined syntax and privilege role enforcement of the one or more privileges,to detect a login of the client user having a client user name,to convey the client user name to the first computer,to receive from the first computer, one or more client groups, each given client group comprising a server role and a server domain,for each received client group having a respective server domain matching a given client domain;
  
  to match the respective server role to a given client role, andto assign, to the client user, the one or more privileges associated with the given client role,wherein, prior to defining the one or more client roles, the first computer is configured to define multiple server domains, to define multiple server roles, and to associate one or more given server roles with each of the multiple server domains.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The computing facility according to claim 7, wherein each of the one or more client domains comprises a given server domain, and wherein each of the one or more client roles comprises a given client role, and wherein the first computer is configured to convey, to the second computer, the one or more client domains and the one or more client roles for each of one or more client domains.
  - 9. The computing facility according to claim 8, wherein the first computer is configured to define multiple server users, each of the server users having a server user name, wherein the client user comprises a given server user, and wherein the client user name comprises a given server user name.
  - 10. The computing facility according to claim 9, wherein the first computer is configured to define multiple server groups, each of the server groups comprising a given server role and a given server domain wherein each of the one or more client groups comprises a given server group.
  - 11. The computing facility according to claim 10, wherein the first computer is configured to define the LDAP user table comprising multiple entries, each of the entries comprising a given server user name, a given server role and a given server domain.
  - 12. The computing facility according to claim 11, wherein upon receiving the client user name from the second computer, the first computer is configured to identify one or more of the entries whose server user name matches the client user name, the one or more identified entries having respective one or more server groups, and to convey the respective one or more server groups to the LDAP client, wherein the received one or more client groups comprises the one or more conveyed server groups.

13. A computer program product, the computer program product comprising:
- a non-transitory computer readable storage medium having computer readable program code embodied therewith, the computer readable program code comprising;
  
  computer readable program code configured to execute a Lightweight Directory Access Protocol (LDAP) client;
  
  computer readable program code configured to associate one or more client domains with a computer executing the LDAP client, the one or more client domains comprised of multiple hosts, including the computer, on a network which are administered as a unit having common rules and procedures including providing, as the one or more client domains, at least one of a database service and an email service;
  
  computer readable program code configured to define, one or more client roles for each of one or more client domains, the one or more client roles including at least a read only role, a read and write role, and an administrator role;
  
  wherein each of the one or more client roles are encoded in a specific canonically-defined syntax as an entry in an LDAP user table;
  
  computer readable program code configured to associate one or more privileges with each of the client roles, the one or more privileges each comprising one or more executable commands to which a client user associated with one of the respective client roles is authorized to perform;
  
  wherein an application verifies the one or more privileges associated with the one or more client roles for the application by querying a respective entry in the LDAP user table, including querying both for syntactic correctness of the specific canonically-defined syntax and privilege role enforcement of the one or more privileges;
  
  computer readable program code configured to detect a login of the client user having a client user name;
  
  computer readable program code configured to convey the client user name to an LDAP server;
  
  computer readable program code configured to receive, from the LDAP server, one or more client groups, each given client group comprising a server role and a server domain;
  
  for each received client group having a respective server domain matching a given client domain;
  
  computer readable program code configured to match the respective server role to a given client role; and
  
  computer readable program code configured to assign, to the client user, the one or more privileges associated with the given client role; and
  
  computer readable program code executing on the LDAP server and configured, prior to defining the one or more client roles, to define multiple server domains, to define multiple server roles, and to associate one or more given server roles with each of the multiple server domains.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The computer program product according to claim 13, wherein each of the one or more client domains comprises a given server domain, and wherein each of the one or more client roles comprises a given client role, and comprising computer readable program code executing on the LDAP server and configured to conveying, to the LDAP client, the one or more client domains and the one or more client roles for each of one or more client domains.
  - 15. The computer program product according to claim 14, and comprising computer readable program code executing on the LDAP server and configured to define multiple server users, each of the server users having a server user name, wherein the client user comprises a given server user, and wherein the client user name comprises a given server user name.
  - 16. The computer program product according to claim 15, and comprising computer readable program code executing on the LDAP server and configured to define multiple server groups, each of the server groups comprising a given server role and a given server domain wherein each of the one or more client groups comprises a given server group, and to define the LDAP user table comprising multiple entries, each of the entries comprising a given server user name, a given server role and a given server domain.
  - 17. The computer program product according to claim 16, and comprising computer readable program code executing on the LDAP server and configured, upon receiving the client user name from the LDAP client, to identify one or more of the entries whose server user name matches the client user name, the one or more identified entries having respective one or more server groups, and to convey the respective one or more server groups to the LDAP client, wherein the received one or more client groups comprises the one or more conveyed server groups.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Shapiro, Ron S.
Primary Examiner(s)
Edwards, Linglan E
Assistant Examiner(s)
Carey, Forrest L

Application Number

US14/325,926
Publication Number

US 20160014138A1
Time in Patent Office

1,813 Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/282   Hierarchical databases, e.g...

H04L 61/4523   using lightweight directory...

H04L 61/4552   Lookup mechanisms between a...

H04L 63/083   using passwords cryptograph...

H04L 63/104   Grouping of entities

Encoding LDAP role and domain information in a fixed format

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Encoding LDAP role and domain information in a fixed format

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links