Securing lightweight directory access protocol traffic

US 20060092948A1
Filed: 10/28/2004
Published: 05/04/2006
Est. Priority Date: 10/28/2004
Status: Abandoned Application

First Claim

Patent Images

1. A method comprising:

monitoring data for communication, via a lightweight directory access protocol (LDAP), between a plurality of computing devices such that each said computing device is not aware of the monitoring; and

determining whether an LDAP action specified in the data is permitted according to one or more policies, and if not, restricting completion of the LDAP action.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Lightweight directory access protocol (LDAP) management is described. In an implementation, a method includes intercepting data, configured according to a lightweight directory access protocol (LDAP), for communication between a client and a server. One or more polices are applied to the data to determine whether performance of an LDAP action specified in the data is permitted. When the performance is not authorized, the LDAP action is modified such that performance of the modified LDAP action is permitted.

33 Citations

View as Search Results

89 Claims

1. A method comprising:
- monitoring data for communication, via a lightweight directory access protocol (LDAP), between a plurality of computing devices such that each said computing device is not aware of the monitoring; and
  
  determining whether an LDAP action specified in the data is permitted according to one or more policies, and if not, restricting completion of the LDAP action.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 2. A method as described in claim 1, wherein the lightweight directory access protocol (LDAP) action specifies a particular LDAP operation.
  - 3. A method as described in claim 2, wherein the particular lightweight directory access protocol (LDAP) operation is selected from the group consisting of:
    - search;
      
      compare;
      
      add;
      
      delete;
      
      modify;
      
      rename;
      
      bind;
      
      unbind; and
      
      abandon.
  - 4. A method as described in claim 2, wherein the particular lightweight directory access protocol (LDAP) operation is configured as an unsolicited event.
  - 5. A method as described in claim 2, wherein the particular lightweight directory access protocol (LDAP) operation includes an extended LDAP operation.
  - 6. A method as described in claim 1, wherein at least one said policy specifies a particular lightweight directory access protocol (LDAP) operation that is not permitted to be performed on a particular LDAP object.
  - 7. A method as described in claim 1, wherein the determining includes enforcement of a level of authentication by at least one said computing device configured as a client.
  - 8. A method as described in claim 7, wherein level of authentication is a minimum level of authentication that is to be met by the data for communication between the plurality of computing devices.
  - 9. A method as described in claim 1, wherein the determining includes deciding whether to allow signed LDAP data.
  - 10. A method as described in claim 1, wherein the determining includes deciding whether the data complies with a lightweight directory access protocol (LDAP) specification.
  - 11. A method as described in claim 10, wherein when the data does not comply, further comprising modifying the data for compliance.
  - 12. A method as described in claim 1, wherein the determining includes deciding whether the data is configured as a known attack.
  - 13. A method as described in claim 12, wherein the known attack is a null base query.
  - 14. A method as described in claim 1, wherein the monitoring is performed to act on both a lightweight directory access protocol (LDAP) server portion and a global catalog.
  - 15. A method as described in claim 1, wherein the determining further comprises if the action specified in the data is permitted according to the one or more policies, permitting completion of the action.
  - 16. A method as described in claim 1, wherein at least one said computing device is a front-end server and another said computing device is a back-end server.
  - 17. A method as described in claim 1:
    - wherein the lightweight directory access protocol (LDAP) action is specified in a request in the data, and further comprising when the action is not authorized, modifying the request such that the modified request specifies an LDAP action that is authorized.
  - 18. A method as described in claim 1, wherein the restricting includes preventing a request that specifies the lightweight directory access protocol (LDAP) action from being communicated to a server that is configured to perform LDAP action.
  - 19. A method as described in claim 1, wherein the restricting includes preventing a result of the lightweight directory access protocol (LDAP) action from being communicated from a server that performed the LDAP action to a client.
  - 20. One or more computer readable media comprising computer executable instructions that, when executed on a computer, direct the computer to perform the method as described in claim 1.

21. A method comprising:
- intercepting data for communication between a client and a server, wherein the data is configured according to a lightweight directory access protocol (LDAP);
  
  applying one or more polices to the request to determine whether performance of an LDAP action specified in the request is permitted; and
  
  when the performance is not authorized, modifying the LDAP action such that performance of the modified LDAP action is permitted.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29)
- - 22. A method as described in claim 21, wherein the intercepting and the applying are performed by the server.
  - 23. A method as described in claim 21, wherein the client is not aware of performance of the intercepting and the applying.
  - 24. A method as described in claim 21, wherein the lightweight directory access protocol (LDAP) action specifies a particular LDAP operation.
  - 25. A method as described in claim 24, wherein the particular lightweight directory access protocol (LDAP) operation is selected from the group consisting of:
    - search;
      
      compare;
      
      add;
      
      delete;
      
      modify;
      
      rename;
      
      bind;
      
      unbind; and
      
      abandon.
  - 26. A method as described in claim 21, wherein at least one said policy specifies a particular lightweight directory access protocol (LDAP) operation that is not permitted to be performed on a particular LDAP object.
  - 27. A method as described in claim 21, wherein the data is a request:
    - for performing the LDAP action; and
      
      for communication from the client to the server.
  - 28. A method as described in claim 21, wherein the data is a result of the performance of the LDAP action and is for communication from the server to the client.
  - 29. One or more computer readable media comprising computer executable instructions that, when executed on a computer, direct the computer to perform the method of claim 21.

30. A method comprising executing a lightweight directory access protocol (LDAP) filter module to:
- determine whether a response is authorized for communication from a server to a client, wherein;
  
  the response is configured according to the LDAP; and
  
  the determination is performed utilizing one or more policies; and
  
  when the response is authorized, communicate the response such that the client is not aware of the determination.
- View Dependent Claims (31, 32, 33, 34, 35, 36)
- - 31. A method as described in claim 30, further comprising when the response is not authorized, modifying the response such that the modified response is authorized.
  - 32. A method as described in claim 30, wherein the response includes a result of a lightweight directory access protocol (LDAP) action.
  - 33. A method as described in claim 32, wherein the lightweight directory access protocol (LDAP) action specifies a particular LDAP operation.
  - 34. A method as described in claim 33, wherein the particular lightweight directory access protocol (LDAP) operation is selected from the group consisting of:
    - search;
      
      compare;
      
      add;
      
      delete;
      
      modify;
      
      rename;
      
      bind;
      
      unbind; and
      
      abandon.
  - 35. A method as described in claim 30, wherein at least one said policy specifies a particular lightweight directory access protocol (LDAP) operation that is not permitted to be performed on a particular LDAP object.
  - 36. One or more computer readable media comprising computer executable instructions that, when executed on a computer, direct the computer to perform the method of claim 30.

37. One or more computer readable media comprising computer executable instructions that, when executed on a computer, direct the computer to transparently manage lightweight directory access protocol (LDAP) traffic communicated via a network between a plurality of computing devices such that at least one said computing device is not aware of the management.
- View Dependent Claims (38, 39, 40)
- - 38. One or more computer readable media as described in claim 37, wherein the lightweight directory access protocol (LDAP) traffic specifies a particular LDAP operation.
  - 39. One or more computer readable media as described in claim 38, wherein the particular lightweight directory access protocol (LDAP) operation is selected from the group consisting of:
    - search;
      
      compare;
      
      add;
      
      delete;
      
      modify;
      
      rename;
      
      bind;
      
      unbind; and
      
      abandon.
  - 40. One or more computer readable media as described in claim 37, wherein the lightweight directory access protocol (LDAP) traffic is transparently managed according to a plurality of policies, at least one of which specifies a particular lightweight directory access protocol (LDAP) operation that is not permitted to be performed on a particular LDAP object.

41. A system comprising:
- a directory containing data arranged according to a lightweight directory access protocol (LDAP);
  
  one or more applications that are executable to form a request to perform an action, wherein the request is configured in accordance with the LDAP to interact with the data in the directory; and
  
  an LDAP filter module that is executable to manage traffic between the one or more applications and the directory according to one or more policies which define permissible LDAP actions.
- View Dependent Claims (42, 43, 44, 45, 46, 47)
- - 42. A system as described in claim 41, wherein the LDAP filter module is executable such that the one or more applications are unaware of the management of the traffic.
  - 43. A system as described in claim 41, wherein at least one said policy specifies whether performance of a particular lightweight directory access protocol (LDAP) operation is permitted.
  - 44. A system as described in claim 43, wherein the particular lightweight directory access protocol (LDAP) operation is selected from the group consisting of:
    - search;
      
      compare;
      
      add;
      
      delete;
      
      modify;
      
      rename;
      
      bind;
      
      unbind; and
      
      abandon.
  - 45. A system as described in claim 41, wherein at least one said policy specifies whether performance of a particular lightweight directory access protocol (LDAP) operation on a particular LDAP object is permitted.
  - 46. A system as described in claim 41, wherein:
    - the database is available via a first computing device;
      
      the one or more applications are executable on a second computing device; and
      
      the LDAP filter module is executable on a third computing device.
  - 47. A system as described in claim 46, wherein the third computing device is configured as a network firewall device.

48. A computing device comprising:
- a processor; and
  
  memory configured to maintain;
  
  one or more policies, each of which defining one or more conditions for performing at least one corresponding lightweight directory access protocol (LDAP) operation; and
  
  one or more modules that are executable on the processor to;
  
  determine whether a request is authorized according to at least one said policy; and
  
  when the request is authorized, communicate the request such that the client is not aware of the determination.
- View Dependent Claims (49, 50, 51, 52, 53, 54)
- - 49. A computing device as described in claim 48, wherein the request is for communication from a client to a server.
  - 50. A computing device as described in claim 48, wherein the lightweight directory access protocol (LDAP) operation is selected from the group consisting of:
    - search;
      
      compare;
      
      add;
      
      delete;
      
      modify;
      
      rename;
      
      bind;
      
      unbind; and
      
      abandon.
  - 51. A computing device as described in claim 48, wherein at least one said policy further specifies whether performance of a particular lightweight directory access protocol (LDAP) operation on a particular LDAP object is permitted.
  - 52. A computing device as described in claim 48, wherein the one or more modules are further executable to modify the request when the request is not authorized.
  - 53. A computing device as described in claim 48 that is configured as a network firewall.
  - 54. A computing device as described in claim 48 that is configured as a lightweight directory access protocol (LDAP) server.

55. A method comprising:
- exposing a user interface suitable for receiving inputs from a user that specify whether execution of a particular lightweight directory access protocol (LDAP) action is permitted; and
  
  configuring a policy, based on the inputs, for managing lightweight directory access protocol (LDAP) traffic on a network.
- View Dependent Claims (56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68)
- - 56. A method as described in claim 55, wherein the lightweight directory access protocol (LDAP) action specifies a particular LDAP operation.
  - 57. A method as described in claim 56, wherein the particular lightweight directory access protocol (LDAP) operation is selected from the group consisting of:
    - search;
      
      compare;
      
      add;
      
      delete;
      
      modify;
      
      rename;
      
      bind;
      
      unbind; and
      
      abandon.
  - 58. A method as described in claim 55, wherein the lightweight directory access protocol (LDAP) action specifies a particular lightweight directory access protocol (LDAP) operation that is not permitted to be performed on a particular LDAP object.
  - 59. A method as described in claim 55, wherein:
    - the exposing of the user interface includes a plurality of descriptions that are selectable by a user; and
      
      one or more said descriptions describe a plurality of authentication mechanisms that are selectable for authenticating a client.
  - 60. A method as described in claim 55, wherein:
    - the exposing of the user interface includes a plurality of descriptions that are selectable by a user; and
      
      one or more said descriptions describe a plurality of authentication mechanisms that are selectable by the user for being employed during a lightweight directory access protocol (LDAP) bind operation.
  - 61. A method as described in claim 55, wherein:
    - the exposing of the user interface includes a plurality of descriptions that are selectable by a user; and
      
      one or more said descriptions describe logical lightweight directory access protocol (LDAP) operation groups which may be defined through selection by the user.
  - 62. A method as described in claim 55, wherein:
    - the exposing of the user interface includes a plurality of descriptions that are selectable by a user;
      
      one said description is selectable to allow encrypted LDAP traffic; and
      
      another said description is selectable to allow only ping traffic through a particular LDAP port.
  - 63. A method as described in claim 55, wherein:
    - the exposing of the user interface includes a plurality of descriptions that are selectable by a user; and
      
      at least one said description is selectable to control referral information included in a response formed utilizing a lightweight directory access protocol (LDAP) directory.
  - 64. A method as described in claim 55, wherein:
    - the exposing of the user interface includes a plurality of descriptions that are selectable by a user; and
      
      at least one said description is selectable to control secure sockets layer (SSL) traffic.
  - 65. A exposing as described in claim 55, wherein:
    - the outputting of the user interface includes a plurality of descriptions that are selectable by a user; and
      
      at least one said description is selectable to control which version of a lightweight directory access protocol (LDAP) is permitted.
  - 66. A method as described in claim 55, wherein:
    - the exposing of the user interface includes a plurality of descriptions that are selectable by a user; and
      
      at least one said description is selectable to select one of a plurality of levels of authentication allowed.
  - 67. A method as described in claim 55, wherein:
    - the exposing of the user interface includes a plurality of descriptions that are selectable by a user; and
      
      at least one said description is selectable to control access to a particular lightweight directory access protocol (LDAP) object.
  - 68. One or more computer readable media comprising computer executable instructions that, when executed on a computer, direct the computer to perform the method of claim 55.

69. One or more computer readable media comprising computer executable instructions that, when executed on a computer, direct the computer to output a user interface for configuring a policy for managing lightweight directory access protocol (LDAP) traffic on a network, wherein the user interface, when output, is configured to enable a user to indicate whether performance of an LDAP operation is permitted and to indicate whether performance of a particular LDAP operation on a particular LDAP object is permitted.
- View Dependent Claims (70)
- - 70. One or more computer readable media as described in claim 69, wherein the lightweight directory access protocol (LDAP) operation is selected from the group consisting of:
    - search;
      
      compare;
      
      add;
      
      delete;
      
      modify;
      
      rename;
      
      bind;
      
      unbind; and
      
      abandon.

71. A system comprising:
- one or more modules configured to output a user interface for configuring a policy that defines permissible traffic over a network utilizing a lightweight directory access protocol; and
  
  at least one module configured to manage LDAP traffic according to the configured policy.
- View Dependent Claims (72, 73, 74, 75, 76)
- - 72. A system as described in claim 71, wherein the at least one module is executable on a network firewall device.
  - 73. A system as described in claim 71, wherein the at least one module is executable on a lightweight directory access protocol (LDAP) server.
  - 74. A system as described in claim 71, wherein the user interface is configured to allow a user to specify whether performance of a particular lightweight directory access protocol (LDAP) operation is permitted.
  - 75. A system as described in claim 71, wherein the user interface is configured to allow a user to specify whether interaction with a particular lightweight directory access protocol (LDAP) object is permitted.
  - 76. A system as described in claim 71, wherein the user interface is configured to allow a user to specify whether a particular lightweight directory access protocol (LDAP) operation is permitted to be performed on a particular LDAP object.

77. A computing device comprising:
- a processor; and
  
  memory configured to maintain one or more modules that are executable to output a user interface having a plurality of descriptions which are selectable by a user to configure a policy for managing lightweight directory access protocol (LDAP) traffic over a network.
- View Dependent Claims (78, 79, 80, 81, 82, 83, 84, 85, 86, 87, 88, 89)
- - 78. A computing device as described in claim 77, wherein at least one said description is selectable to specify whether performance of a particular lightweight directory access protocol (LDAP) operation is permitted.
  - 79. A computing device as described in claim 78, wherein the particular lightweight directory access protocol (LDAP) operation is selected from the group consisting of:
    - search;
      
      compare;
      
      add;
      
      delete;
      
      modify;
      
      rename;
      
      bind;
      
      unbind; and
      
      abandon.
  - 80. A computing device as described in claim 77, wherein at least one said description is selectable to control access to a particular lightweight directory access protocol (LDAP) object.
  - 81. A computing device as described in claim 77, wherein at least one said description is selectable to specify whether a particular lightweight directory access protocol (LDAP) operation is permitted to be performed on a particular LDAP object.
  - 82. A computing device as described in claim 77, wherein one or more said descriptions describe a plurality of authentication mechanisms that are selectable for authenticating a client.
  - 83. A computing device as described in claim 77, wherein one or more said descriptions describe a plurality of authentication mechanisms that are selectable by the user for being employed during a lightweight directory access protocol (LDAP) bind operation.
  - 84. A computing device as described in claim 77, wherein one or more said descriptions describe logical lightweight directory access protocol (LDAP) operation groups which may be defined through selection by the user.
  - 85. A computing device as described in claim 77, wherein:
    - one said description is selectable to allow encrypted LDAP traffic; and
      
      another said description is selectable to allow only ping traffic through a particular LDAP port.
  - 86. A computing device as described in claim 77, wherein at least one said description is selectable to control referral information included in a response formed utilizing a lightweight directory access protocol (LDAP) directory.
  - 87. A computing device as described in claim 77, wherein at least one said description is selectable to control secure sockets layer (SSL) traffic.
  - 88. A computing device as described in claim 77, wherein at least one said description is selectable to control which version of a lightweight directory access protocol (LDAP) is permitted.
  - 89. A computing device as described in claim 77, wherein at least one said description is selectable to select one of a plurality of authentication levels.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Mondri, Ron, Katz, Ariel

Application Number

US10/975,292
Publication Number

US 20060092948A1
Time in Patent Office

Days
Field of Search
US Class Current

370/395.52
CPC Class Codes

H04L 61/4523   using lightweight directory...

H04L 63/102   Entity profiles

H04L 63/1408   by monitoring network traff...

Securing lightweight directory access protocol traffic

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

33 Citations

89 Claims

Specification

Solutions

Use Cases

Quick Links

Securing lightweight directory access protocol traffic

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

33 Citations

89 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links