Method and system for grouping entries in a directory server by group memberships defined by roles
First Claim
1. A directory server comprising:
- at least one role, said role defined as an entry grouping mechanism, wherein a role is uniquely defined by distinguishing name (DN) of its defining entry.
3 Assignments
0 Petitions
Accused Products
Abstract
Role is a comprehensive grouping mechanism. In a client-server directory system, roles transfer some of the complexity to the directory server. A role is defined by its role definition entry. Assigning entries to roles enables applications to locate the roles of an entry, rather than select a group and browse the members list. Additionally, roles allow for support of generated attribute values, and directory server-performed membership verification for clients. By changing a role definition, a user can change an entire organization with ease. Any client with appropriate access privileges can discover, identify and examine any role definition.
173 Citations
23 Claims
-
1. A directory server comprising:
at least one role, said role defined as an entry grouping mechanism, wherein a role is uniquely defined by distinguishing name (DN) of its defining entry. - View Dependent Claims (2)
-
3. A method of grouping a plurality of entries in a directory server, the method comprising the step of:
assigning at least one role to a first entry, said at least one role being an entry grouping mechanism defined by distinguishing name of its defining entry. - View Dependent Claims (4)
-
5. A method for searching an entry in a directory server, the directory server storing a plurality of entries, at least one of the plurality of entries possessing at least one role, said role being an entry grouping mechanism defined by distinguishing name of its defining entry, the method comprising the steps of:
-
receiving a request to enumerate role membership for a particular role;
comparing a plurality of entries stored in the directory server by checking a predetermined role attribute for the particular role; and
returning the result of the comparison. - View Dependent Claims (6)
-
-
7. A data processing system for searching for checking entries in a directory server for role membership, the system comprising:
-
a CPU;
a memory coupled to the CPU, the memory storing a directory comprising a plurality of entries, each said entry being associated with a role containing a predefined role attribute;
wherein the memory stores a search program which is executable by the CPU to check role membership by searching the predefined role attribute; and
to return the result of the search if any entries possess the role.
-
-
8. In a directory system comprising a client computer configured to execute applications to perform membership verification in a directory communicatively coupled to a server computer, the directory server storing a plurality of entries, a method of reducing client-side complexity in searching for a particular entry, the method comprising the steps of:
configuring the server computer to assign at least one role to a subset of the plurality of entries, said at least one role being an entry grouping mechanism defined by distinguishing name of its defining entry.
-
9. A computer program product comprising a computer readable medium having computer readable code embodied therein for processing data in a directory server by:
-
receiving a request for enumerating role membership for a particular role;
comparing a plurality of entries stored in the directory server by checking a predetermined role attribute; and
returning the result of the comparison. - View Dependent Claims (10, 11)
-
-
12. A method for use in connection with application and network services to provide a directory service that defines roles for directory members, the method comprising the steps of:
-
defining a directory search specification for a role based on user attribute information, where said role can be possessed by any set of members and in which roles possessed by users are defined by the directory search specification;
evaluating said directory search specification at service delivery time;
determining whether information maintained in a directory matches said directory search specification; and
delivering said service. - View Dependent Claims (13, 14)
-
-
15. A method of configuring a directory server comprising a plurality of entries, the method comprising the steps of:
-
defining a computed attribute for an entry;
assigning a value to the computed attribute, whereby said entry is capable of being grouped with other entries that have the same or a similar value for the computed attribute; and
configuring the directory server software to perform search operations, thereby reducing complexity in a client program that accesses the directory server. - View Dependent Claims (16, 17)
-
-
18. A method of computing which roles an entry possesses, said method comprising the steps of:
-
validating that the entry meets the criteria to possess a role; and
determining that the entry falls within the scope of the role.
-
-
19. A method of determining all roles possessed by an entry in a directory system, the method comprising the steps of:
-
examining a computed attribute associated with the entry for a list of values of the computed attribute, and enumerating each value, which is a distinguishing name (DN) representing a role possessed by that entry.
-
-
21. A method of obviating the need to examine all groups in a directory system in order to determine the roles possessed by an entry, the method comprising the steps of:
-
configuring the directory system to contain roles; and
returning a list of computed values of a computed attribute belonging to the entry, whereby all the roles possessed by the entry are obtained. - View Dependent Claims (20, 22)
-
-
23. In a directory system comprising a plurality of entries and a plurality of roles possessed by the plurality of entries, a method of enumerating the membership of a desired role, the method comprising the steps of:
locating all roles that are in scope with an entry that possesses the desired role;
iterating over the in-scope roles looking for the entries that possess the desired role;
adding, to an attribute'"'"'s value set, the distinguishing names (DNs) of those entries that possess the desired role.
Specification