Hierarchical processing for a virtual directory system for LDAP to SCIM proxy service

US 10,721,237 B2
Filed: 07/31/2017
Issued: 07/21/2020
Est. Priority Date: 08/05/2016
Status: Active Grant

First Claim

Patent Images

1. A non-transitory computer-readable medium having instructions stored thereon that, when executed by one or more processors, cause the processors to hierarchically process LDAP (Lightweight Directory Access Protocol) operations against a SCIM (System for Cross-domain Identity Management) directory, the processing comprising:

providing an LDAP Directory Information Tree (DIT) including a plurality of LDAP DIT entries that describe LDAP containers, users and groups, each LDAP DIT entry including a Distinguished Name (DN) and a plurality of LDAP attribute-value pairs, the DN providing LDAP DIT hierarchical information that uniquely identifies the LDAP DIT entry and describes a hierarchical position of the LDAP DIT entry in the LDAP DIT, each LDAP attribute-value pair including an attribute name and one or more attribute values;

providing a SCIM directory including a plurality of SCIM resource entries that describe SCIM users and groups, each SCIM resource entry including a plurality of SCIM attributes including an externalID and a resource type identifying the SCIM resource entry as belonging to a user or a group, each SCIM attribute including a name and one or more values;

migrating the plurality of LDAP DIT entries to the SCIM directory, including storing the LDAP DIT hierarchical information in the SCIM directory by mapping LDAP user DNs and group DNs to SCIM user externalIDs and group externalIDs, respectively;

receiving, from an LDAP-based application over a network, an LDAP operation request including an LDAP add request, an LDAP delete request, an LDAP modify request, or an LDAP search request;

processing the LDAP operation request; and

returning an LDAP operation response to the LDAP-based application over the network.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for hierarchically processing LDAP (Lightweight Directory Access Protocol) operations against a SCIM (System for Cross-domain Identity Management) directory is provided. The method includes providing an LDAP Directory Information Tree (DIT) including a plurality of LDAP DIT entries that describe LDAP containers, users and groups, providing a SCIM directory including a plurality of SCIM resource entries that describe SCIM users and groups, migrating the plurality of LDAP DIT entries to the SCIM directory, receiving, from an LDAP-based application over a network, an LDAP operation request, processing the LDAP operation request, and returning an LDAP operation response to the LDAP-based application over the network.

399 Citations

20 Claims

1. A non-transitory computer-readable medium having instructions stored thereon that, when executed by one or more processors, cause the processors to hierarchically process LDAP (Lightweight Directory Access Protocol) operations against a SCIM (System for Cross-domain Identity Management) directory, the processing comprising:
- providing an LDAP Directory Information Tree (DIT) including a plurality of LDAP DIT entries that describe LDAP containers, users and groups, each LDAP DIT entry including a Distinguished Name (DN) and a plurality of LDAP attribute-value pairs, the DN providing LDAP DIT hierarchical information that uniquely identifies the LDAP DIT entry and describes a hierarchical position of the LDAP DIT entry in the LDAP DIT, each LDAP attribute-value pair including an attribute name and one or more attribute values;
  
  providing a SCIM directory including a plurality of SCIM resource entries that describe SCIM users and groups, each SCIM resource entry including a plurality of SCIM attributes including an externalID and a resource type identifying the SCIM resource entry as belonging to a user or a group, each SCIM attribute including a name and one or more values;
  
  migrating the plurality of LDAP DIT entries to the SCIM directory, including storing the LDAP DIT hierarchical information in the SCIM directory by mapping LDAP user DNs and group DNs to SCIM user externalIDs and group externalIDs, respectively;
  
  receiving, from an LDAP-based application over a network, an LDAP operation request including an LDAP add request, an LDAP delete request, an LDAP modify request, or an LDAP search request;
  
  processing the LDAP operation request; and
  
  returning an LDAP operation response to the LDAP-based application over the network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The non-transitory computer-readable medium of claim 1, wherein said processing the LDAP operation request includes:
    - for the LDAP add request;
      
      extracting an LDAP DN value and a plurality of LDAP attribute-value pairs from the LDAP add request,converting the plurality of LDAP attribute-value pairs to respective SCIM attributes,creating a new SCIM entry in the SCIM directory, including storing the LDAP DN value in the externalID of the new SCIM entry, storing the respective SCIM attributes in the new SCIM entry, and setting the resource type of the new SCIM entry to user or group based on the user or group container present in the LDAP DN value or an objectclass defined in the LDAP add request,converting the new SCIM entry to a virtual LDAP DIT entry, including converting the externalID of the new SCIM entry to a virtual LDAP DN, and converting the SCIM attributes of the new SCIM entry to virtual LDAP attribute-value pairs, andcreating an LDAP add response that includes the virtual LDAP DIT entry; and
      
      wherein said returning the LDAP operation response to the LDAP-based application over the network includes;
      
      for the LDAP add request;
      
      sending the LDAP add response to the LDAP-based application over the network.
  - 3. The non-transitory computer-readable medium of claim 1, wherein said processing the LDAP operation request includes:
    - for the LDAP delete request;
      
      extracting an LDAP DN value from the LDAP delete request,searching the SCIM directory to find a SCIM entry having an externalID that matches the LDAP DN value extracted from the LDAP delete request,deleting the matching SCIM entry from the SCIM directory, andcreating an LDAP delete response; and
      
      wherein said returning the LDAP operation response to the LDAP-based application over the network includes;
      
      for the LDAP delete request;
      
      sending the LDAP delete response to the LDAP-based application over the network.
  - 4. The non-transitory computer-readable medium of claim 1, wherein said processing the LDAP operation request includes:
    - for the LDAP modify request;
      
      extracting an LDAP DN value and a plurality of LDAP attribute-value pairs from the LDAP modify request,converting the plurality of LDAP attribute-value pairs to respective SCIM attributes,searching the SCIM directory to find a SCIM entry having an externalID that matches the LDAP DN value extracted from the LDAP modify request,modifying the matching SCIM entry in the SCIM directory, including storing the respective SCIM attributes in the modified SCIM entry,converting the modified SCIM entry to a virtual LDAP DIT entry, including converting the externalID of the modified SCIM entry to a virtual LDAP DN, andconverting the SCIM attributes of the modified SCIM entry to virtual LDAP attribute-value pairs, andcreating an LDAP modify response that includes the virtual LDAP DIT entry; and
      
      wherein said returning the LDAP operation response to the LDAP-based application over the network includes;
      
      for the LDAP modify request;
      
      sending the LDAP modify response to the LDAP-based application over the network.
  - 5. The non-transitory computer-readable medium of claim 1, wherein said processing the LDAP operation request includes:
    - for the LDAP search request;
      
      extracting a search base DN value and a search scope value from the LDAP search request,creating a SCIM search request including an externalID value that is based on the search base DN value and the search scope value,searching the SCIM directory to find one or more SCIM entries that match the SCIM search request,converting each matching SCIM entry to a virtual LDAP DIT entry, including converting the externalID of each matching SCIM entry to a virtual LDAP DN, and converting the SCIM attributes of each matching SCIM entry to virtual LDAP attribute-value pairs, andcreating an LDAP search response that includes each virtual LDAP DIT entry; and
      
      wherein said returning the LDAP operation response to the LDAP-based application over the network includes;
      
      for the LDAP search request;
      
      sending the LDAP search response to the LDAP-based application over the network.
  - 6. The non-transitory computer-readable medium of claim 5, wherein said processing the LDAP operation request further includes:
    - for the LDAP search request;
      
      extracting an LDAP filter from the LDAP search request, the LDAP filter including a plurality of LDAP filter attributes,converting the plurality of LDAP filter attributes to SCIM filter attributes,creating a SCIM filter based on the SCIM filter attributes, andadding the SCIM filter to the SCIM search request.
  - 7. The non-transitory computer-readable medium of claim 6, wherein said processing the LDAP operation request further includes:
    - for the LDAP search request;
      
      if the search scope value is base;
      
      setting the externalID value of the SCIM filter such that the externalID value is equal to the search base DN value,if the search scope value is one level;
      
      setting the externalID value of the SCIM filter such that the externalID value contains the search base DN value,scanning the externalID value of each matching SCIM entry, andconverting only those matching SCIM entries having one Relative Distinguished Name (RDN) prefixed before the search base DN value to a virtual LDAP DIT entry, andif the search scope value is subtree;
      
      setting the externalID value of the SCIM filter such that the externalID value contains the search base DN value.
  - 8. The non-transitory computer-readable medium of claim 5, wherein said processing the LDAP operation request further includes:
    - for the LDAP search request;
      
      analyzing the LDAP filter to determine whether a user object class or a group object class is present,if a user object class is present in the LDAP filter, then the SCIM directory is searched against a users endpoint,if a group object class is present in the LDAP filter, then the SCIM directory is searched against a groups endpoint, andif neither a user object class or a group object class is present in the LDAP filter, then SCIM searches are issued against both the users and the groups endpoints.

9. A method for hierarchically processing LDAP (Lightweight Directory Access Protocol) operations against a SCIM (System for Cross-domain Identity Management) directory, the method comprising:
- providing an LDAP Directory Information Tree (DIT) including a plurality of LDAP DIT entries that describe LDAP containers, users and groups, each LDAP DIT entry including a Distinguished Name (DN) and a plurality of LDAP attribute-value pairs, the DN providing LDAP DIT hierarchical information that uniquely identifies the LDAP DIT entry and describes a hierarchical position of the LDAP DIT entry in the LDAP DIT, each LDAP attribute-value pair including an attribute name and one or more attribute values;
  
  providing a SCIM directory including a plurality of SCIM resource entries that describe SCIM users and groups, each SCIM resource entry including a plurality of SCIM attributes including an externalID and a resource type identifying the SCIM resource entry as belonging to a user or a group, each SCIM attribute including a name and one or more values;
  
  migrating the plurality of LDAP DIT entries to the SCIM directory, including storing the LDAP DIT hierarchical information in the SCIM directory by mapping LDAP user DNs and group DNs to SCIM user externalIDs and group externalIDs, respectively;
  
  receiving, from an LDAP-based application over a network, an LDAP operation request including an LDAP add request, an LDAP delete request, an LDAP modify request, or an LDAP search request;
  
  processing the LDAP operation request; and
  
  returning an LDAP operation response to the LDAP-based application over the network.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The method of claim 9,wherein said processing the LDAP operation request includes:
    - for the LDAP add request;
      
      extracting an LDAP DN value and a plurality of LDAP attribute-value pairs from the LDAP add request,converting the plurality of LDAP attribute-value pairs to respective SCIM attributes, creating a new SCIM entry in the SCIM directory, including storing the LDAP DN value in the externalID of the new SCIM entry, storing the respective SCIM attributes in the new SCIM entry, and setting the resource type of the new SCIM entry to user or group based on the user or group container present in the LDAP DN value or an objectclass defined in the LDAP add request,converting the new SCIM entry to a virtual LDAP DIT entry, including converting the externalID of the new SCIM entry to a virtual LDAP DN, and converting the SCIM attributes of the new SCIM entry to virtual LDAP attribute-value pairs, andcreating an LDAP add response that includes the virtual LDAP DIT entry; and
      
      wherein said returning the LDAP operation response to the LDAP-based application over the network includes;
      
      for the LDAP add request;
      
      sending the LDAP add response to the LDAP-based application over the network.
  - 11. The method of claim 9,wherein said processing the LDAP operation request includes:
    - for the LDAP delete request;
      
      extracting an LDAP DN value from the LDAP delete request,searching the SCIM directory to find a SCIM entry having an externalID that matches the LDAP DN value extracted from the LDAP delete request,deleting the matching SCIM entry from the SCIM directory, andcreating an LDAP delete response; and
      
      wherein said returning the LDAP operation response to the LDAP-based application over the network includes;
      
      for the LDAP delete request;
      
      sending the LDAP delete response to the LDAP-based application over the network.
  - 12. The method of claim 9,wherein said processing the LDAP operation request includes:
    - for the LDAP modify request;
      
      extracting an LDAP DN value and a plurality of LDAP attribute-value pairs from the LDAP modify request,converting the plurality of LDAP attribute-value pairs to respective SCIM attributes,searching the SCIM directory to find a SCIM entry having an externalID that matches the LDAP DN value extracted from the LDAP modify request,modifying the matching SCIM entry in the SCIM directory, including storing the respective SCIM attributes in the modified SCIM entry,converting the modified SCIM entry to a virtual LDAP DIT entry, including converting the externalID of the modified SCIM entry to a virtual LDAP DN, and converting the SCIM attributes of the modified SCIM entry to virtual LDAP attribute-value pairs, andcreating an LDAP modify response that includes the virtual LDAP DIT entry; and
      
      wherein said returning the LDAP operation response to the LDAP-based application over the network includes;
      
      for the LDAP modify request;
      
      sending the LDAP modify response to the LDAP-based application over the network.
  - 13. The method of claim 9,wherein said processing the LDAP operation request includes:
    - for the LDAP search request;
      
      extracting a search base DN value and a search scope value from the LDAP search request,creating a SCIM search request including an externalID value that is based on the search base DN value and the search scope value,searching the SCIM directory to find one or more SCIM entries that match the SCIM search request,converting each matching SCIM entry to a virtual LDAP DIT entry, including converting the externalID of each matching SCIM entry to a virtual LDAP DN, andconverting the SCIM attributes of each matching SCIM entry to virtual LDAP attribute-value pairs, andcreating an LDAP search response that includes each virtual LDAP DIT entry; and
      
      wherein said returning the LDAP operation response to the LDAP-based application over the network includes;
      
      for the LDAP search request;
      
      sending the LDAP search response to the LDAP-based application over the network.
  - 14. The method of claim 13, wherein said processing the LDAP operation request further includes:
    - for the LDAP search request;
      
      extracting an LDAP filter from the LDAP search request, the LDAP filter including a plurality of LDAP filter attributes,converting the plurality of LDAP filter attributes to SCIM filter attributes,creating a SCIM filter based on the SCIM filter attributes, andadding the SCIM filter to the SCIM search request.
  - 15. The method of claim 14, wherein said processing the LDAP operation request further includes:
    - for the LDAP search request;
      
      analyzing the LDAP filter to determine whether a user object class or a group object class is present,if a user object class is present in the LDAP filter, then the SCIM directory is searched against a users endpoint,if a group object class is present in the LDAP filter, then the SCIM directory is searched against a groups endpoint, andif neither a user object class or a group object class is present in the LDAP filter, then SCIM searches are issued against both the users and the groups endpoints,if the search scope value is base;
      
      setting the externalID value of the SCIM filter such that the externalID value is equal to the search base DN value,if the search scope value is one level;
      
      setting the externalID value of the SCIM filter such that the externalID value contains the search base DN value,scanning the externalID value of each matching SCIM entry, andconverting only those matching SCIM entries having one Relative Distinguished Name (RDN) prefixed before the search base DN value to a virtual LDAP DIT entry, andif the search scope value is subtree;
      
      setting the externalID value of the SCIM filter such that the externalID value contains the search base DN value.

16. A system, comprising:
- a memory; and
  
  one or more processors, coupled to the memory and a network, configured to hierarchically process LDAP (Lightweight Directory Access Protocol) operations against a SCIM (System for Cross-domain Identity Management) directory, the processing including;
  
  providing an LDAP Directory Information Tree (DIT) including a plurality of LDAP DIT entries that describe LDAP containers, users and groups, each LDAP DIT entry including a Distinguished Name (DN) and a plurality of LDAP attribute-value pairs, the DN providing LDAP DIT hierarchical information that uniquely identifies the LDAP DIT entry and describes a hierarchical position of the LDAP DIT entry in the LDAP DIT, each LDAP attribute-value pair including an attribute name and one or more attribute values,providing a SCIM directory including a plurality of SCIM resource entries that describe SCIM users and groups, each SCIM resource entry including a plurality of SCIM attributes including an externalID and a resource type identifying the SCIM resource entry as belonging to a user or a group, each SCIM attribute including a name and one or more values,migrating the plurality of LDAP DIT entries to the SCIM directory, including storing the LDAP DIT hierarchical information in the SCIM directory by mapping LDAP user DNs and group DNs to SCIM user externalIDs and group externalIDs, respectively,receiving, from an LDAP-based application over the network, an LDAP operation request including an LDAP add request, an LDAP delete request, an LDAP modify request, or an LDAP search request,processing the LDAP operation request, andreturning an LDAP operation response to the LDAP-based application over the network.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The system of claim 16,wherein said processing the LDAP operation request includes:
    - for the LDAP add request;
      
      extracting an LDAP DN value and a plurality of LDAP attribute-value pairs from the LDAP add request,converting the plurality of LDAP attribute-value pairs to respective SCIM attributes,creating a new SCIM entry in the SCIM directory, including storing the LDAP DN value in the externalID of the new SCIM entry, storing the respective SCIM attributes in the new SCIM entry, and setting the resource type of the new SCIM entry to user or group based on the user or group container present in the LDAP DN value or an objectclass defined in the LDAP add request,converting the new SCIM entry to a virtual LDAP DIT entry, including converting the externalID of the new SCIM entry to a virtual LDAP DN, and converting the SCIM attributes of the new SCIM entry to virtual LDAP attribute-value pairs, andcreating an LDAP add response that includes the virtual LDAP DIT entry;
      
      for the LDAP delete request;
      
      extracting an LDAP DN value from the LDAP delete request,searching the SCIM directory to find a SCIM entry having an externalID that matches the LDAP DN value extracted from the LDAP delete request,deleting the matching SCIM entry from the SCIM directory, andcreating an LDAP delete response; and
      
      for the LDAP modify request;
      
      extracting an LDAP DN value and a plurality of LDAP attribute-value pairs from the LDAP modify request,converting the plurality of LDAP attribute-value pairs to respective SCIM attributes,searching the SCIM directory to find a SCIM entry having an externalID that matches the LDAP DN value extracted from the LDAP modify request,modifying the matching SCIM entry in the SCIM directory, including storing the respective SCIM attributes in the modified SCIM entry,converting the modified SCIM entry to a virtual LDAP DIT entry, including converting the externalID of the modified SCIM entry to a virtual LDAP DN, andconverting the SCIM attributes of the modified SCIM entry to virtual LDAP attribute-value pairs, andcreating an LDAP modify response that includes the virtual LDAP DIT entry; and
      
      wherein said returning the LDAP operation response to the LDAP-based application over the network includes;
      
      for the LDAP add request;
      
      sending the LDAP add response to the LDAP-based application over the network; and
      
      for the LDAP delete request;
      
      sending the LDAP delete response to the LDAP-based application over the network; and
      
      for the LDAP modify request;
      
      sending the LDAP modify response to the LDAP-based application over the network.
  - 18. The system of claim 16,wherein said processing the LDAP operation request includes:
    - for the LDAP search request;
      
      extracting a search base DN value and a search scope value from the LDAP search request,creating a SCIM search request including an externalID value that is based on the search base DN value and the search scope value,searching the SCIM directory to find one or more SCIM entries that match the SCIM search request,converting each matching SCIM entry to a virtual LDAP DIT entry, including converting the externalID of each matching SCIM entry to a virtual LDAP DN, andconverting the SCIM attributes of each matching SCIM entry to virtual LDAP attribute-value pairs, andcreating an LDAP search response that includes each virtual LDAP DIT entry; and
      
      wherein said returning the LDAP operation response to the LDAP-based application over the network includes;
      
      for the LDAP search request;
      
      sending the LDAP search response to the LDAP-based application over the network.
  - 19. The system of claim 18, wherein said processing the LDAP operation request further includes:
    - for the LDAP search request;
      
      extracting an LDAP filter from the LDAP search request, the LDAP filter including a plurality of LDAP filter attributes,converting the plurality of LDAP filter attributes to SCIM filter attributes,creating a SCIM filter based on the SCIM filter attributes, andadding the SCIM filter to the SCIM search request.
  - 20. The system of claim 19, wherein said processing the LDAP operation request further includes:
    - for the LDAP search request;
      
      analyzing the LDAP filter to determine whether a user object class or a group object class is present,if a user object class is present in the LDAP filter, then the SCIM directory is searched against a users endpoint,if a group object class is present in the LDAP filter, then the SCIM directory is searched against a groups endpoint, andif neither a user object class or a group object class is present in the LDAP filter, then SCIM searches are issued against both the users and the groups endpoints,if the search scope value is base;
      
      setting the externalID value of the SCIM filter such that the externalID value is equal to the search base DN value,if the search scope value is one level;
      
      setting the externalID value of the SCIM filter such that the externalID value contains the search base DN value, scanning the externalID value of each matching SCIM entry, andconverting only those matching SCIM entries having one Relative Distinguished Name (RDN) prefixed before the search base DN value to a virtual LDAP DIT entry, and if the search scope value is subtree;
      
      setting the externalID value of the SCIM filter such that the externalID value contains the search base DN value.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Vats, Kanika, Purushothaman, Rajesh
Primary Examiner(s)
Gebresenbet, Dinku W

Application Number

US15/665,165
Publication Number

US 20180041598A1
Time in Patent Office

1,086 Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/188   Virtual file systems

G06F 21/604   Tools and structures for ma...

G06F 21/629   to features or functions of...

H04L 41/22   comprising specially adapte...

H04L 63/0281   Proxies

H04L 63/102   Entity profiles

H04L 63/104   Grouping of entities

H04L 67/1095   Replication or mirroring of...

H04L 67/306   User profiles

H04L 67/567   Integrating service provisi...

Hierarchical processing for a virtual directory system for LDAP to SCIM proxy service

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

399 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Hierarchical processing for a virtual directory system for LDAP to SCIM proxy service

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

399 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links