ATTRIBUTE RULE ENFORCER FOR A DIRECTORY

US 20080060057A1
Filed: 10/30/2007
Published: 03/06/2008
Est. Priority Date: 08/01/2001
Status: Active Grant

First Claim

Patent Images

1. An attribute rule enforcer comprising a transaction monitor and a rule validator, the transaction monitor and the rule validator being interposed between a client computer and a directory access server for providing access to a directory;

transaction monitor being capable of intercepting a request from a client computer to said directory access server, diverting the intercepted request to the rule validator if the call includes one of a request to add data to a directory accessed by the directory access server, a request to modify data in the directory, and a request to delete data from the directory, and being further capable of forwarding the intercepted request to the directory access server if the request does not include one of a request to add data to the directory, a request to modify data in the directory, and a request to delete data from the directory; and

the rule validator being capable of determining whether an attribute of the request complies with a first rule governing content of data that is permissible to be forwarded to the directory access server and a second rule governing structure of data that is permissible to be forwarded to the directory access server, the first and second rules including a data addition rule when the request includes a request to add data to the directory, the first and second rules including a data modification rule when the request includes a request to modify data in a directory, and the first and second data rules including a data deletion rule when the request includes a request to delete data from the directory;

the rule validator further being capable of forwarding the request to the directory access server if the attribute complies with one of the first rule and the second rule and being further capable of rejecting the request to the directory access server and returning an error message to a source of the request if the attribute does not comply with the first rule and the second rule.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An attribute rule enforcer for evaluating the attributes of a call to add, modify, or delete information in a directory, such as a lightweight directory access protocol (LDAP) directory. The attribute rule enforcer determines if the attributes of the call comply with predetermined rules governing the directory'"'"'s content. The directory attribute rule enforcer may be located at the front end of the directory'"'"'s access server, and intercepts calls to the directory access server. If the directory attribute rule enforcer determines that the attributes of a call complies with the rules governing the content of the directory, it will forward the call to the directory'"'"'s access server for action. If, on the other hand, directory attribute rule enforcer determines that the attributes of a call do not comply with the rules governing the content of the directory, the attribute rule enforcer will reject the call. Further, it may forward an appropriate error message to the source of the call.

20 Citations

View as Search Results

25 Claims

1. An attribute rule enforcer comprising a transaction monitor and a rule validator, the transaction monitor and the rule validator being interposed between a client computer and a directory access server for providing access to a directory;
- transaction monitor being capable of intercepting a request from a client computer to said directory access server, diverting the intercepted request to the rule validator if the call includes one of a request to add data to a directory accessed by the directory access server, a request to modify data in the directory, and a request to delete data from the directory, and being further capable of forwarding the intercepted request to the directory access server if the request does not include one of a request to add data to the directory, a request to modify data in the directory, and a request to delete data from the directory; and
  
  the rule validator being capable of determining whether an attribute of the request complies with a first rule governing content of data that is permissible to be forwarded to the directory access server and a second rule governing structure of data that is permissible to be forwarded to the directory access server, the first and second rules including a data addition rule when the request includes a request to add data to the directory, the first and second rules including a data modification rule when the request includes a request to modify data in a directory, and the first and second data rules including a data deletion rule when the request includes a request to delete data from the directory;
  
  the rule validator further being capable of forwarding the request to the directory access server if the attribute complies with one of the first rule and the second rule and being further capable of rejecting the request to the directory access server and returning an error message to a source of the request if the attribute does not comply with the first rule and the second rule.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. An attribute rule enforcer as recited in claim 1 wherein a request from a client computer to a directory access server comprises an operation selected from one of retrieve, add, delete and modify and an attribute comprising one of a telephone number field, a street address field, a city field, a state field and a zip code field.
  - 3. An attribute rule enforcer as recited in claim 1 wherein an attribute has a value and an associated rule, the transaction monitor, responsive to receipt of a request, creating a monitoring process for a request to the directory access server via a command line comprising the identities of a port address of a rule validator and of a port address of the directory access server such that said directory access server and said rule validator may be implemented on different programmable computers.
  - 4. An attribute rule enforcer as recited in claim 1 wherein the rule validator upon startup opens a datagram socket and binds to a specified port to receive a client computer request.
  - 5. An attribute rule enforcer as recited in claim 1 having a configuration file for use by said rule validator, the configuration file containing a plurality of parameters including one of an add rules parameter, a modify rules parameter, a modrdn parameter where modrdn relates to modifying a relative distinguished name, a delete rules parameter, a log directory parameter, a service port parameter, a debug level parameter and a directory access protocol error parameter.
  - 6. An attribute rule enforcer as recited in claim 5 wherein said plurality of parameters comprises a directory access protocol parameter for specifying a file containing said error message.
  - 7. An attribute rule enforcer as recited in claim 3 wherein said rule comprises a primitive of one of a precedence primitive, a dependencies primitive, an attribute primitive, an error message primitive and a type primitive, the type primitive designating an operation to be taken by a rule, wherein said rule comprises a beginning, at least one primitive and an end.
  - 8. An attribute rule enforcer as recited in claim 7 wherein said error message primitive comprises a character string corresponding to a rule.
  - 9. An attribute rule enforcer as recited in claim 7 wherein said error message primitive comprises an error message storage location.
  - 10. An attribute rule enforcer as recited in claim 5, the rule validator for parsing rules indicated in said configuration file and for caching a list of rules in memory.
  - 11. An attribute rule enforcer as recited in claim 1, the rule validator for selecting a master list of rule lists for a request from a source to a directory access server.
  - 12. An attribute rule enforcer as recited in claim 3 comprising a master rule validator comprising an active rule validator bound to an identified port and a backup rule validator sharing the same port, the master rule validator periodically sending a signal to the backup rule validator according to a preset period of time.

13. A rule validator of an attribute rule enforcer for a directory, the rule validator being interposed between a client and a directory access server for providing access to the directory, the rule validator being capable of determining whether an attribute of a client request complies with a first rule governing content of data that is permissible to be forwarded to the directory access server and a second rule governing structure of data that is permissible to be forwarded to the directory access server, the first and second rules including a data addition rule when the request includes a request to add data to the directory, the first and second rules including a data modification rule when the request includes a request to modify data in a directory, and the first and second data rules including a data deletion rule when the request includes a request to delete data from the directory;
- the rule validator further being capable of forwarding the request to the directory access server if the attribute complies with one of the first rule and the second rule and being further capable of rejecting the request to the directory access server and returning an error message to a source of the request if the attribute does not comply with the first rule and the second rule; and
  
  a configuration file for use by said rule validator, the configuration file containing a plurality of parameters including one of an add rules parameter, a modify rules parameter, a modrdn parameter where modrdn relates to modifying a relative distinguished name, a delete rules parameter, a log directory parameter, a service port parameter, a debug level parameter and a directory access protocol error parameter.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. A rule validator as recited in claim 13 wherein the rule validator upon startup opens a datagram socket and binds to a specified port to receive a client computer request.
  - 15. A rule validator as recited in claim 13 wherein said parameter comprises a directory access protocol parameter for specifying a file containing said error message.
  - 16. A rule validator as recited in claim 13, the rule validator for parsing rules indicated in said configuration file and for caching a list of rules in memory.
  - 17. A rule validator as recited in claim 13, the rule validator for selecting a master list of rule lists for a request from a client source to a directory access server.
  - 18. A rule validator as recited in claim 13 comprising a master rule validator comprising an active rule validator bound to an identified port and a backup rule validator sharing the same port, the master rule validator periodically sending a signal to the backup rule validator according to a preset period of time.

19. A transaction monitor interposed between a client and a directory access server for providing access to a directory;
- the transaction monitor being capable of intercepting a request from a client computer to said directory access server, diverting the intercepted request to a rule validator if the call includes one of a request to add data to a directory accessed by the directory access server, a request to modify data in the directory, and a request to delete data from the directory, and being further capable of forwarding the intercepted request to the directory access server if the request does not include one of a request to add data to the directory, a request to modify data in the directory, and a request to delete data from the directory, the request from a client computer to a directory access server comprising an operation selected from one of retrieve, add, delete and modify and an attribute comprising one of a telephone number field, a street address field, a city field, a state field and a zip code field, wherein said attribute has a value and an associated rule, the transaction monitor, responsive to receipt of a request, creating a monitoring process for a request to the directory access server via a command line comprising the identities of a port address of a rule validator and of a port address of the directory access server such that said directory access server and said rule validator may be implemented on different programmable computers.

20. A method for processing requests from clients to a directory access server, the method being performed by an attribute rule enforcer interposed between a client and said directory access server, the method comprising:
- intercepting a request from a client to said directory access server, the request consisting of one of a request to add data to a directory associated with the directory access server, a request to modify data in the directory, and a request to delete data from the directory, the request further including at least one attribute associated with data having a data content and a data structure;
  
  evaluating the attribute according to a first rule governing content of data that is permissible to be forwarded to the directory access server and a second rule governing structure of data that is permissible to be forwarded to the directory access server, the first and second rules including a data addition rule when the request includes a request to add data to the directory, the first and second rules including a data modification rule when the request includes a request to modify data in a directory, the first and second data rules including a data deletion rule when the request includes a request to delete data from the directory;
  
  determining whether the attribute complies with the first and second rules;
  
  forwarding the request to the directory access server if the attribute complies with the first and second rules; and
  
  rejecting the request to the directory access server and forwarding an error message to the client if the call attribute does not comply with the first and second rules.
- View Dependent Claims (21, 22, 23, 24)
- - 21. A method as recited in claim 20, wherein a request from a client computer to a directory access server comprises an operation selected from one of retrieve, add, delete and modify and an attribute comprising one of a telephone number field, a street address field, a city field, a state field and a zip code field.
  - 22. A method as recited in claims 20 further comprising parsing rules indicated in a configuration file and caching a list of rules in memory.
  - 23. A method as recited in claim 20 further comprising selecting a master list of rule lists for a request from a source to a directory access server.
  - 24. A method as recited in claim 23, the configuration file containing a plurality of parameters including one of an add rules parameter, a modify rules parameter, a modrdn parameter where modrdn relates to modifying a relative distinguished name, a delete rules parameter, a log directory parameter, a service port parameter, a debug level parameter and a directory access protocol error parameter.

25. A method of validating rules for use with an attribute rule enforcer for a directory, the method of validating rules being interposed between a client and a directory access server for providing access to the directory, the method of validating rules comprising:
- determining whether an attribute of a client request complies with a first rule governing content of data that is permissible to be forwarded to the directory access server and a second rule governing structure of data that is permissible to be forwarded to the directory access server, the first and second rules including a data addition rule when the request includes a request to add data to the directory, the first and second rules including a data modification rule when the request includes a request to modify data in a directory, and the first and second data rules including a data deletion rule when the request includes a request to delete data from the directory;
  
  forwarding the request to the directory access server if the attribute complies with one of the first rule and the second rule; and
  
  rejecting the request to the directory access server and returning an error message to a source of the request if the attribute does not comply with the first rule and the second rule; and
  
  the method of validating rules for use with a configuration file, the configuration file containing a plurality of parameters including one of an add rules parameter, a modify rules parameter, a modrdn parameter where modrdn relates to modifying a relative distinguished name, a delete rules parameter, a log directory parameter, a service port parameter, a debug level parameter and a directory access protocol error parameter.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
AT&T Mobility II LLC (AT&T, Inc.)
Original Assignee
AT&T Mobility II LLC (AT&T, Inc.)
Inventors
Carter, Jeffrey, Barchi, Ronald

Granted Patent

US 7,865,482 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/3
CPC Class Codes

G06F 16/282   Hierarchical databases, e.g...

H04L 61/4523   using lightweight directory...

H04L 61/4552   Lookup mechanisms between a...

Y10S 707/99931   Database or file accessing

Y10S 707/99932   Access augmentation or opti...

Y10S 707/99933   Query processing, i.e. sear...

Y10S 707/99936   Pattern matching access

Y10S 707/99938   Concurrency, e.g. lock mana...

ATTRIBUTE RULE ENFORCER FOR A DIRECTORY

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

20 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

ATTRIBUTE RULE ENFORCER FOR A DIRECTORY

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

20 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links