METHODS AND SYSTEMS FOR MULTI-TENANT CONTROLLER BASED MAPPING OF DEVICE IDENTITY TO NETWORK LEVEL IDENTITY
Abstract
A method includes executing at a controller a horizontally scalable service Identity Definitions Manager (IDM) Service, mapping active directory (AD) domains to WAN network elements DNS ROLE and LDAP ROLE, instructing a plurality of network elements associated with a tenant to discover a plurality of AD domains and AD servers in an enterprise using the DNS ROLE, receiving from the plurality of network elements running DNS ROLE information indicative of changes to network attributes selected from the group consisting of AD domains, additions and subtractions of AD servers and changes in an IP address of AD servers and transmitting the received AD domains and AD servers to a tenant administrator and requesting credentials to communicate with added AD servers using LDAP.
20 Claims
1. A method comprising:
executing at a controller a horizontally scalable service Identity Definitions Manager (IDM) Service;
mapping active directory (AD) domains to WAN network elements DNS ROLE and LDAP ROLE;
instructing a plurality of network elements associated with a tenant to discover a plurality of AD domains and AD servers in an enterprise using the DNS ROLE;
receiving from the plurality of network elements running DNS ROLE information indicative of changes to network attributes selected from the group consisting of AD domains, additions and subtractions of AD servers and changes in an IP address of AD servers;
transmitting the received AD domains and AD servers to a tenant administrator and requesting credentials to communicate with added AD servers using LDAP;
executing an algorithm to determine which element will contact specific AD instances to minimize lightweight directory access protocol (LDAP) traffic volume occurring on the WAN and to ensure AD instances can still be reached in case of failure of any one network element;
monitoring in Active Directory servers changes in at least one identity of a network user by using the LDAP ROLE on the network elements; and
updating a policy, based at least in part on the mapping of user identity in AD domains, at a multi-tenant controller, wherein the tracking of changing identity information is implemented as a horizontally scalable service the Identity Definitions Manager Service.
Dependent claims: 2, 3, 4, 5, 6, 7, 9, 10, 11, 12, 13, 14
8. A centrally controllable multi-tenant controller for controlling a plurality of assets across a plurality of distributed computing environments wherein the controller is configured to:
execute at a controller a horizontally scalable service Identity Definitions Manager (IDM) Service;
map active directory (AD) domains to WAN network elements DNS ROLE and LDAP ROLE;
instruct a plurality of network elements associated with a tenant to discover a plurality of AD domains and AD servers in an enterprise using the DNS ROLE;
receive from the plurality of network elements running DNS ROLE information indicative of changes to network attributes selected from the group consisting of AD domains, additions and subtractions of AD servers and changes in an IP address of AD servers;
transmit the received AD domains and AD servers to a tenant administrator and request credentials to communicate with added AD servers using LDAP;
execute an algorithm to determine which element will contact specific AD instances to minimize lightweight directory access protocol (LDAP) traffic volume occurring on the WAN and to ensure AD instances can still be reached in case of failure of any one network element;
receive from the LDAP ROLE of network element changes in Active Directory servers in at least one identity (user or group) of a network; and
update a policy, based at least in part on the mapping of user identity in AD domains, at a multi-tenant controller, wherein the tracking of changing identity information is implemented as a horizontally scalable service the Identity Definitions Manager Service.
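Claims 1 and 8 describe two pieces of controller logic without spelling them out: turning successive DNS-ROLE discovery results into change events (added and removed AD servers, changed IP addresses, new domains), and choosing which network element contacts which AD server so that LDAP stays off the WAN while any single element failure leaves every AD server reachable. The following is an added example of one way to implement both; it is not the patent's own code. The AD servers, sites, element names and addresses are constructed, and the site of each domain controller is assumed to be known (in a real deployment it would come from AD site and subnet data).

```python
"""Added example, not from the patent: diff DNS-ROLE discovery snapshots into
change events and assign a primary/backup WAN element to each AD server."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class AdServer:
    domain: str
    host: str
    ip: str
    site: str  # site the DC lives in (constructed; assumed known from AD subnets)


@dataclass(frozen=True)
class Element:
    name: str
    site: str


def diff_discovery(old: Dict[str, AdServer], new: Dict[str, AdServer]) -> Dict[str, list]:
    """Turn two discovery snapshots (keyed by DC host name) into the change
    events the controller consumes: additions, subtractions, IP changes, new domains."""
    added = [new[h] for h in sorted(new.keys() - old.keys())]
    removed = [old[h] for h in sorted(old.keys() - new.keys())]
    ip_changed = [(old[h], new[h]) for h in sorted(old.keys() & new.keys())
                  if old[h].ip != new[h].ip]
    new_domains = sorted({s.domain for s in new.values()} - {s.domain for s in old.values()})
    return {"added": added, "removed": removed, "ip_changed": ip_changed,
            "new_domains": new_domains}


def assign_contacts(servers: List[AdServer],
                    elements: List[Element]) -> Dict[str, Tuple[str, Optional[str]]]:
    """Pick a (primary, backup) element per DC.  The primary prefers an element at
    the DC's own site so LDAP never crosses the WAN; the backup is the least
    loaded *different* element, preferring another site, so that the failure of
    any one element still leaves every DC with a live contact."""
    by_site: Dict[str, List[Element]] = {}
    for e in elements:
        by_site.setdefault(e.site, []).append(e)
    load: Counter = Counter()
    plan: Dict[str, Tuple[str, Optional[str]]] = {}
    for s in servers:
        pool = by_site.get(s.site) or elements  # fall back to any element (costs WAN LDAP)
        primary = min(pool, key=lambda e: (load[e.name], e.name))
        load[primary.name] += 1
        others = [e for e in elements if e.name != primary.name]
        backup = None
        if others:
            # False sorts before True, so an element at another site wins ties
            backup = min(others, key=lambda e: (e.site == primary.site, load[e.name], e.name))
            load[backup.name] += 1
        plan[s.host] = (primary.name, backup.name if backup else None)
    return plan


def survives_single_failure(plan: Dict[str, Tuple[str, Optional[str]]],
                            elements: List[Element]) -> bool:
    """True if, for every possible single element failure, every DC keeps a contact."""
    for failed in elements:
        for primary, backup in plan.values():
            if not [c for c in (primary, backup) if c and c != failed.name]:
                return False
    return True


def wan_ldap_sessions(plan: Dict[str, Tuple[str, Optional[str]]],
                      servers: List[AdServer], elements: List[Element]) -> int:
    """Count primary contacts that would carry LDAP across the WAN."""
    site_of = {e.name: e.site for e in elements}
    by_host = {s.host: s for s in servers}
    return sum(1 for h, (p, _) in plan.items() if site_of[p] != by_host[h].site)


# Constructed sample data: two discovery snapshots and three branch elements.
OLD = {s.host: s for s in [
    AdServer("corp.example", "dc1.corp.example", "10.1.0.10", "hq"),
    AdServer("corp.example", "dc2.corp.example", "10.2.0.10", "branch-a"),
]}
NEW = {s.host: s for s in [
    AdServer("corp.example", "dc1.corp.example", "10.1.0.11", "hq"),        # IP changed
    AdServer("corp.example", "dc2.corp.example", "10.2.0.10", "branch-a"),
    AdServer("lab.example", "dc3.lab.example", "10.3.0.10", "branch-b"),    # new DC, new domain
]}
ELEMENTS = [Element("ion-hq", "hq"), Element("ion-a", "branch-a"), Element("ion-b", "branch-b")]

if __name__ == "__main__":
    changes = diff_discovery(OLD, NEW)
    plan = assign_contacts(list(NEW.values()), ELEMENTS)
    print(changes)
    print(plan, survives_single_failure(plan, ELEMENTS),
          wan_ldap_sessions(plan, list(NEW.values()), ELEMENTS))
```

The change events are what would be pushed to the tenant administrator to request LDAP credentials for the added servers; the plan is what the controller would distribute to the elements' LDAP ROLE. With only one element in the tenant no backup exists and `survives_single_failure` reports it, which is the condition a controller should surface as a warning rather than silently accept.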
15. A method comprising:
executing at a controller a horizontally scalable service IP to Site Mapping (ISM) Service;
instructing a plurality of network elements associated with a tenant to discover a plurality of AD domains and AD servers in an enterprise;
receiving from the plurality of network elements information indicative of changes to network attributes selected from the group consisting of AD domains, additions and subtractions of AD servers and changes in an IP address of AD servers;
transmitting the received AD domains and AD servers to a tenant administrator and requesting credentials to communicate with added AD servers using WMI;
executing an algorithm to determine which element will contact specific AD instances in order to contain WMI communication over LAN and minimize WMI communication over WAN;
monitoring, using the WMI role on the network elements, the AD servers security login events comprising an IP address, a user AD ID and a user name;
converting the login events to IP-to-user events and transmitting these to the ISM service in the controller;
using the ISM service to map these IP-to-user events to the right spoke site;
sending the events with enriched information comprising one or more group IDs for the user to the element in the spoke site; and
using the enriched IP to user event at the spoke site to enforce policy based on user and group IDs and to enrich flow and application statistics with user and group information.
Dependent claims: 16, 17, 18, 19, 20
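Claim 15 chains four steps: reduce a Windows Security logon event read over WMI to an IP-to-user event, map that event to a spoke site by the source address, enrich it with the user's group IDs, and let the spoke element enforce a group-based policy and label flows. The block below is an added example of that pipeline and is not the patent's code. The logon records are constructed in the shape of Security event 4624 (successful logon, with `IpAddress`, `TargetUserSid` and `TargetUserName` fields); the site subnets, group cache, SIDs and policy rules are all constructed. It also handles two cases the claim leaves implicit: logon events with no usable source address or for machine accounts are dropped, and a later logon from the same IP replaces the earlier user at the spoke, which is what DHCP reuse requires.

```python
"""Added example, not from the patent: WMI logon events -> IP-to-user events
-> spoke-site mapping -> group enrichment -> spoke-side policy and flow labels."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed site subnets as the ISM service would hold them.  "lab" is a
# /24 carved out of branch-a's /16, so longest-prefix match is required.
SITE_SUBNETS = {
    "hq": ["10.1.0.0/16"],
    "branch-a": ["10.2.0.0/16"],
    "lab": ["10.2.50.0/24"],
}
_NETS = sorted(((ipaddress.ip_network(c), site)
                for site, cidrs in SITE_SUBNETS.items() for c in cidrs),
               key=lambda n: n[0].prefixlen, reverse=True)

# Constructed group cache keyed by SID (placeholder SIDs); the IDM service
# would fill this from LDAP group membership.
USER_GROUPS = {
    "S-1-5-21-1111-2222-3333-1105": ["finance", "vpn-users"],
    "S-1-5-21-1111-2222-3333-1106": ["eng"],
}

# Constructed policy evaluated at the spoke: (group, application, verdict), first match wins.
POLICY = [("finance", "erp", "allow"), ("*", "erp", "deny"), ("*", "*", "allow")]


@dataclass
class IpUserEvent:
    ip: str
    sid: str
    user: str
    site: Optional[str] = None
    groups: List[str] = field(default_factory=list)


def site_for_ip(ip: str) -> Optional[str]:
    """Longest-prefix match of a source address against the site subnet table."""
    addr = ipaddress.ip_address(ip)
    for net, site in _NETS:
        if addr in net:
            return site
    return None


def to_ip_user_event(evt: Dict[str, str]) -> Optional[IpUserEvent]:
    """Reduce a 4624 logon record to (ip, sid, user); None if it carries no usable identity."""
    if evt.get("EventCode") != "4624":
        return None
    ip = evt.get("IpAddress", "-")
    if ip in ("-", "::1", "127.0.0.1"):
        return None                        # console/local logons have no network source
    if evt["TargetUserName"].endswith("$"):
        return None                        # machine accounts are not users
    return IpUserEvent(ip=ip, sid=evt["TargetUserSid"], user=evt["TargetUserName"])


def enrich(ev: IpUserEvent, groups_by_sid: Dict[str, List[str]]) -> IpUserEvent:
    """ISM step: attach the spoke site and the user's group IDs."""
    ev.site = site_for_ip(ev.ip)
    ev.groups = list(groups_by_sid.get(ev.sid, []))
    return ev


def decide(ev: IpUserEvent, app: str) -> str:
    """Spoke-side policy: first rule whose group and application match."""
    for group, rule_app, verdict in POLICY:
        if group in ("*", *ev.groups) and rule_app in ("*", app):
            return verdict
    return "deny"


class SpokeTable:
    """IP -> identity table kept by the spoke element for policy and flow labelling."""
    def __init__(self) -> None:
        self._by_ip: Dict[str, IpUserEvent] = {}

    def learn(self, ev: IpUserEvent) -> None:
        self._by_ip[ev.ip] = ev            # newest logon wins (DHCP address reuse)

    def label(self, ip: str) -> Dict[str, object]:
        ev = self._by_ip.get(ip)
        return {"user": ev.user, "groups": ev.groups} if ev else {"user": None, "groups": []}


def process(records: List[Dict[str, str]]) -> Dict[str, SpokeTable]:
    """Run the whole pipeline; returns one SpokeTable per spoke site ('unknown' if unmapped)."""
    spokes: Dict[str, SpokeTable] = {}
    for rec in records:
        ev = to_ip_user_event(rec)
        if ev is None:
            continue
        enrich(ev, USER_GROUPS)
        spokes.setdefault(ev.site or "unknown", SpokeTable()).learn(ev)
    return spokes


# Constructed logon records in 4624 shape.
RECORDS = [
    {"EventCode": "4624", "IpAddress": "10.2.50.7", "TargetUserSid": "S-1-5-21-1111-2222-3333-1105", "TargetUserName": "alice"},
    {"EventCode": "4624", "IpAddress": "10.1.4.20", "TargetUserSid": "S-1-5-21-1111-2222-3333-1106", "TargetUserName": "bob"},
    {"EventCode": "4624", "IpAddress": "-", "TargetUserSid": "S-1-5-21-1111-2222-3333-1105", "TargetUserName": "alice"},
    {"EventCode": "4624", "IpAddress": "10.1.4.21", "TargetUserSid": "S-1-5-21-1111-2222-3333-1001", "TargetUserName": "WS01$"},
    {"EventCode": "4672", "IpAddress": "10.1.4.20", "TargetUserSid": "S-1-5-21-1111-2222-3333-1106", "TargetUserName": "bob"},
    {"EventCode": "4624", "IpAddress": "10.9.9.9", "TargetUserSid": "S-1-5-21-1111-2222-3333-1107", "TargetUserName": "carol"},
]
```

Usage: `process(RECORDS)` yields tables for `lab`, `hq` and `unknown`; `decide(enrich(to_ip_user_event(RECORDS[0]), USER_GROUPS), "erp")` returns `allow` for alice (finance) and the same call on bob's record returns `deny`. Events whose address matches no site still produce an identity but land in `unknown`, which is worth alerting on since it usually means the subnet table is stale.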
Specification