Utilizing LDAP directories for application access control and personalization
Abstract
Lightweight LDAP Access Control for authorization and personalization integrates with a directory service for defining sessions for users and groups without requiring read access or modification to directory schemas. In one exemplary illustrative non-limiting implementation, authorization/personalization data is stored in a private data store outside of the LDAP directory (e.g., on a management or other server). When a user attempts to log on to the computer system, the LDAP directory is queried for a list of associated groups and/or organizational units in the normal way. To compute a resulting set of authorization/personalization rules applicable to the user, an entity (e.g., the management or other server) traverses the organizational hierarchy of the directory groups/OUs, overriding the inherited attributes with explicitly associated ones. Integration with existing user/group/organization unit infrastructures is provided while avoiding the need to deploy additional user/group databases. In one example arrangement, an LDAP directory is queried for the list of groups and OUs during user logon. There is no need to replicate user/group directory data in a private data store of the Management Server. This improves performance and eliminates the need to synchronize data between the directory and the private data store of the Management Server. To compute the resulting set of authorization/personalization rules applicable to a user, the Management Server traverses the organizational hierarchy of directory groups/OUs, overriding the inherited attributes with the explicitly mapped ones. This minimizes the amount of administrative work for restricting access to protected resources for individuals. In many cases, users will simply inherit authorization/personalization data from the group/OUs they are members of.
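The resolution the abstract describes (query the directory for the user's groups/OUs at logon, walk the organizational hierarchy, and let explicitly mapped attributes from the private store override inherited ones), as an added illustration that is not the patent's own code. The precedence order (root OU down to the user's OU, then groups, then the user entry), the attribute names, and the in-memory stand-in for the LDAP query are constructed assumptions.

```python
# Constructed example, not the patent's code. Effective attributes are resolved
# by walking the OU hierarchy root-down, then the user's groups, then the user
# entry, each explicit mapping in the private store overriding inherited ones.
# The precedence order and the in-memory stand-in for LDAP are assumptions.

BASE = "dc=example,dc=com"
ALICE = f"uid=alice,ou=Engineering,ou=Staff,{BASE}"
BOB = f"uid=bob,ou=Engineering,ou=Staff,{BASE}"
CAROL = f"uid=carol,ou=Sales,ou=Staff,{BASE}"
RELEASE = f"cn=release-managers,ou=Groups,{BASE}"

# Stand-in for the LDAP query at logon: user DN -> list of group DNs.
DIRECTORY = {ALICE: [RELEASE], BOB: [RELEASE], CAROL: []}

# Private store on the management server: DN -> explicitly mapped attributes.
# Only DNs whose settings differ from their parent need an entry.
STORE = {
    BASE: {"can_deploy": False, "landing_page": "/home", "max_sessions": 1},
    f"ou=Staff,{BASE}": {"max_sessions": 3},
    f"ou=Engineering,ou=Staff,{BASE}": {"landing_page": "/builds"},
    RELEASE: {"can_deploy": True},
    BOB: {"can_deploy": False},  # per-user revoke beats the group grant
}

def ou_chain(user_dn):
    """Ancestor DNs from least to most specific, excluding the user's own RDN.
    Assumes simple DNs with no escaped commas."""
    rdns = user_dn.split(",")
    return [",".join(rdns[i:]) for i in range(len(rdns) - 1, 0, -1)]

def effective_attributes(user_dn):
    """Return (attributes, provenance), or None when the directory has no entry.
    provenance records which DN supplied each final value, for audit."""
    groups = DIRECTORY.get(user_dn)
    if groups is None:
        return None
    resolved, provenance = {}, {}
    for dn in ou_chain(user_dn) + groups + [user_dn]:
        for attr, value in STORE.get(dn, {}).items():
            resolved[attr] = value  # more specific mapping overrides inherited
            provenance[attr] = dn
    return resolved, provenance

def can_deploy(user_dn):
    """Authorization decision for a protected resource; unknown users are denied."""
    result = effective_attributes(user_dn)
    return bool(result and result[0].get("can_deploy", False))
```

The provenance map is the piece worth keeping in a real deployment: when access is denied or granted, it tells an administrator which OU, group or per-user mapping supplied the deciding value.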
Claims (7)
1. A computer system comprising:
a lightweight directory access protocol directory; and
a management server separate from said directory but providing services integrated therewith, said management server having a private data store outside of the directory that stores authorization/personalization data, said management server querying said directory and applying additional authorization/personalization rules to enhance directory services and override inherited attributes without requiring modification of said directory.

2. A method of authorizing a computer system user comprising:
receiving a request related to said user;
referencing said user in an LDAP directory and, if a corresponding user entry is found, obtaining information pertaining to said user;
associating authorization and/or personalization data pertaining to said user with a protected resource; and
saving said authorization and/or personalization in a private data store separate from said LDAP directory.

3. A storage medium storing executable instructions providing an authorization service for authorizing users to access protected resources, said storage medium storing the following instructions:
first instructions that query and receive user information from a directory database;
second instructions that create authorization associations with respect to user information received from said directory database;
third instructions that store, retrieve said associations to/from a private data store separate from said directory database to override inherited attributes.

4. A computer operating method comprising:
querying an LDAP directory during computer user logon;
traversing an organizational hierarchy of directory information while overriding inherited attributes with explicitly mapped ones;
accessing a private data store separate from said directory, said private data store not replicating substantial user/group directory data to eliminate need for detailed synchronization between the directory and the private data store; and
restricting access to protected resources based on private data store authorization/personalization data contents.

5. A method of logging a user onto a computer system comprising:
receiving a user identification during a log on process;
in response to said received user identification, querying a directory for a list of associated groups and/or organizational units associated with the user;
traversing an organizational hierarchy of directory groups/OUs; and
overriding inherited attributes with explicitly associated attributes obtained from a private data store outside of the directory.
Dependent claims: 6, 7.

Specification