INTEGRATING SUDO RULES WITH ENTITIES REPRESENTED IN AN LDAP DIRECTORY

US 20130024907A1
Filed: 07/20/2011
Published: 01/24/2013
Est. Priority Date: 07/20/2011
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for a Light Weight Directory Access Protocol (LDAP) directory server, the method comprising:

receiving a request to add a sudo rule to an LDAP repository, the LDAP repository having an LDAP schema facilitating an integration of sudo rules with other entities represented in the LDAP repository, the sudo rule defining at least one sudo command and one or more entities associated with an execution of the at least one sudo command;

creating an LDAP entry for the sudo rule; and

linking, in the LDAP entry of the sudo rule, an LDAP entry of the at least one sudo command with LDAP entries of the one or more entities associated with the execution of the at least one sudo command.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for integrating Sudo rules into a Lightweight Directory Access Protocol (LDAP) repository. An LDAP directory server receives a request to add a sudo rule to the LDAP repository. The sudo rule defines at least one sudo command and one or more entities associated with the execution of the sudo command. The LDAP directory server creates an LDAP entry for the sudo rule, and links in the LDAP entry of the sudo rule an LDAP entry of the sudo command and LDAP entries of the entities associated with the execution of the sudo command.

Citations

23 Claims

1. A computer-implemented method for a Light Weight Directory Access Protocol (LDAP) directory server, the method comprising:
- receiving a request to add a sudo rule to an LDAP repository, the LDAP repository having an LDAP schema facilitating an integration of sudo rules with other entities represented in the LDAP repository, the sudo rule defining at least one sudo command and one or more entities associated with an execution of the at least one sudo command;
  
  creating an LDAP entry for the sudo rule; and
  
  linking, in the LDAP entry of the sudo rule, an LDAP entry of the at least one sudo command with LDAP entries of the one or more entities associated with the execution of the at least one sudo command.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1 wherein the LDAP entry of the at least one sudo command and the LDAP entries of the one or more entities associated with the execution of the at least one sudo command existed in the LDAP repository prior to the received request.
  - 3. The method of claim 1 further comprising:
    - receiving a query pertaining to the sudo rule from a sudo program;
      
      transforming the query according to the LDAP schema;
      
      retrieving an LDAP entry corresponding to the received query from the LDAP repository;
      
      transforming the retrieved data to a format of the sudo program; and
      
      providing the transformed data to the sudo program for execution.
  - 4. The method of claim 1 further comprising:
    - upon receiving a request to delete the sudo rule from the LDAP repository, marking the sudo rule disabled in the LDAP entry.
  - 5. The method of claim 1 wherein the at least one sudo command is a single sudo command or a group of sudo commands.
  - 6. The method of claim 1 wherein the one or more entities associated with the execution of the at least one sudo command comprise one or more of a user, a group of users, a host, a group of hosts, and a netgroup.
  - 7. The method of claim 1 wherein the one or more entities associated with the execution of the at least one sudo command comprises one or more of an entity allowed to execute the at least one sudo command, an entity disallowed to execute the at least one sudo command, and an entity on which behalf the at least one sudo command is allowed to be executed.
  - 8. The method of claim 1 wherein the schema comprises an object class for a sudo command, an object class for a group of sudo commands, an object class for a user, an object class for a group of users, an object class for a host, an object class for a group of hosts, an object class for a netgroup, and an object class for a rule.
  - 9. The method of claim 1 wherein the LDAP server is coupled to a sudo program via a network.
  - 10. The method of claim 9 wherein the sudo program communicates with a system security services daemon (SSSD) when the sudo program does not have a connection with the LDAP server, the SSSD periodically caching contents of the LDAP repository.
  - 11. The method of claim 1 further comprising:
    - receiving a client request to change one of the one or more entities associated with the execution of the at least one sudo command; and
      
      modifying an LDAP entry of the requested entity without modifying the LDAP entry for the at least one sudo command.

12. A system for a Light Weight Directory Access Protocol (LDAP) directory server, the system comprising:
- a memory;
  
  a processor, coupled to the memory, to;
  
  receive a request to add a sudo rule to an LDAP repository, the LDAP repository having a schema facilitating an integration of sudo rules with other entities represented in the LDAP repository, the sudo rule defining at least one sudo command and one or more entities associated with an execution of the at least one sudo command;
  
  create an LDAP entry for the sudo rule; and
  
  link, in the LDAP entry of the sudo rule, an LDAP entry of the at least one sudo command and LDAP entries of the one or more entities associated with the execution of the at least one sudo command.
- View Dependent Claims (13, 14, 15, 16, 17, 18)
- - 13. The system of claim 12 wherein the LDAP entry of the at least one sudo command and the LDAP entries of the one or more entities associated with the execution of the at least one sudo command existed in the LDAP repository prior to the received request.
  - 14. The system of claim 12, wherein the processor is further configured to:
    - receive a query pertaining to the sudo rule from a sudo program;
      
      transform the query according to the LDAP schema;
      
      retrieve an LDAP entry corresponding to the received query from the LDAP repository;
      
      transform the retrieved data to a format of the sudo program; and
      
      provide the transformed data to the sudo program for execution.
  - 15. The system of claim 12 wherein the one or more entities associated with the execution of the at least one sudo command comprise one or more of a user, a group of users, a host, a group of hosts, and a netgroup.
  - 16. The system of claim 12 wherein the one or more entities associated with the execution of the at least one sudo command comprises one or more of an entity allowed to execute the at least one sudo command, an entity disallowed to execute the at least one sudo command, and an entity on which behalf the at least one sudo command is allowed to be executed.
  - 17. The system of claim 12 wherein the schema comprises an object class for a sudo command, an object class for a group of sudo commands, an object class for a user, an object class for a group of users, an object class for a host, an object class for a group of hosts, an object class for a netgroup, and an object class for a rule.
  - 18. The system of claim 12 wherein the sudo program communicates with a system security services daemon (SSSD), wherein the SSSD periodically caches contents of the LDAP repository, and wherein the the cached contents is used by the sudo program when the sudo program does not have a connection with the LDAP server or when the sudo program requires data within the cached contents.

19. A non-transitory computer readable storage medium storing instructions which when executed cause a data processing system to perform a method for a Light Weight Directory Access Protocol (LDAP) directory server, the method comprising:
- receiving a request to add a sudo rule to an LDAP repository, the LDAP repository having a schema facilitating an integration of sudo rules with other entities represented in the LDAP repository, the sudo rule defining at least one sudo command and one or more entities associated with an execution of the at least one sudo command;
  
  creating an LDAP entry for the sudo rule; and
  
  linking, in the LDAP entry of the sudo rule, an LDAP entry of the at least one sudo command and LDAP entries of the one or more entities associated with the execution of the at least one sudo command.
- View Dependent Claims (20, 21, 22, 23)
- - 20. The non-transitory computer readable storage medium of claim 19 wherein the LDAP entry of the at least one sudo command and the LDAP entries of the one or more entities associated with the execution of the at least one sudo command existed in the LDAP repository prior to the received request.
  - 21. The non-transitory computer readable storage medium of claim 19 wherein the one or more entities associated with the execution of the at least one sudo command comprise one or more of a user, a group of users, a host, a group of hosts, and a netgroup.
  - 22. The non-transitory computer readable storage medium of claim 19 wherein the one or more entities associated with the execution of the at least one sudo command comprises one or more of an entity allowed to execute the at least one sudo command, an entity disallowed to execute the at least one sudo command, and an entity on which behalf the at least one sudo command is allowed to be executed.
  - 23. The non-transitory computer readable storage medium of claim 19 wherein the schema comprises an object class for a sudo command, an object class for a group of sudo commands, an object class for a user, an object class for a group of users, an object class for a host, an object class for a group of hosts, an object class for a netgroup, and an object class for a rule.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Red Hat, Inc. (International Business Machines Corporation)
Original Assignee
Red Hat, Inc. (International Business Machines Corporation)
Inventors
Pal, Dmitri V., Bose, Sumit

Granted Patent

US 9,015,790 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

G06F 21/604   Tools and structures for ma...

G06F 21/6218   to a system of files or obj...

H04L 63/0884   by delegation of authentica...

INTEGRATING SUDO RULES WITH ENTITIES REPRESENTED IN AN LDAP DIRECTORY

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

INTEGRATING SUDO RULES WITH ENTITIES REPRESENTED IN AN LDAP DIRECTORY

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links