Method and apparatus to secure digital directory object changes
Abstract
A method of providing authoritative access control to computer networks that employs a distributed network directory using a static means of resolving object attributes is disclosed. The method employs the existing directories and an authentication procedure for each server. A first object that is under the physical control of the administrator of one partition of the distributed network directory requests access to a second object that is under the physical control of the administrator of another partition of the distributed network directory. The directory verifies that the access control list of the first object includes the second object. The access control list of the second object is then checked to verify that it includes a reference to the first object as an object that is permitted access to the second object. As a result, access is only granted in response to requests from objects that appear in the access control list of the second object. A method of synchronizing the access control lists based upon an authoritative access control list is also disclosed.
25 Claims
1. A method of resolving object attributes in a computer system, wherein a first distributed directory object and a second distributed directory object each have at least one associated attribute, comprising the steps of:
a) determining an associated attribute of the first object;
b) checking that the second object is included in the associated attribute of the first object;
c) determining an associated attribute of the second object; and
d) checking that the first object is included in the associated attribute of the second object.
Dependent claims: 2, 3, 4, 5, 6, 7.
8. A method of synchronizing an associated attribute of a first distributed directory object and an associated attribute of a second distributed directory object in a computer system, comprising the steps of:
a) receiving a request to modify the associated attribute of the second object;
b) verifying that the associated attribute of the second object may be modified;
c) modifying the associated attribute of the second object; and
d) synchronizing the associated attribute of the first object and the associated attribute of the second object by modifying the associated attribute of the first object to correspond to the modified associated attribute of the second object.
Dependent claims: 9, 10, 11, 12, 13, 14.
15. A method of verifying in a computer system that a first distributed directory object has authorization to access a second distributed directory object wherein the first object and the second object each have at least one associated attribute, the method comprising the steps of:
a) receiving a request for the first object to access the second object;
b) determining the associated attribute of the first object and the associated attribute of the second object;
c) checking that the second object is included in the associated attribute of the first object and that the first object is included in the associated attribute of the second object; and
d) verifying that the first object has authorization to access the second object if:
i. the second object is included in the associated attribute of the first object; and
ii. the first object is included in the associated attribute of the second object.
Dependent claims: 16, 17, 18, 19, 20, 21, 22.
23. A computer system comprising a first computer and a second computer which are capable of transmitting and receiving information from one another, which first and second computers access a distributed directory having a plurality of objects, wherein the first computer maintains a first distributed directory object in the distributed directory and the second computer maintains a second distributed directory object in the distributed directory, and wherein the first object has a first associated attribute which references at least the second object and the second object has a second associated attribute which references at least the first object.
24. A computer readable medium comprising a program for resolving object attributes in a distributed directory having a first distributed directory object and a second distributed directory object, wherein each of said objects includes at least one associated attribute, the program being capable of resolving object attributes by performing the steps of:
a) receiving a request for the first object to access the second object;
b) determining the associated attribute of the first object and the associated attribute of the second object;
c) checking that the second object is included in the associated attribute of the first object and that the first object is included in the associated attribute of the second object; and
d) verifying that the first object has authorization to access the second object if:
i. the second object is included in the associated attribute of the first object; and
ii. the first object is included in the associated attribute of the second object.
25. A computer system accessing a distributed directory that includes a plurality of objects having associated attributes, the computer system comprising:
a) means for receiving a request for a first distributed directory object in the distributed directory to access a second distributed directory object in the distributed directory;
b) means for determining an associated attribute of the first object and an associated attribute of the second object;
c) means for checking that the second object is included in the associated attribute of the first object and that the first object is included in the associated attribute of the second object; and
d) means for verifying that the first object has authorization to access the second object if:
i. the second object is included in the associated attribute of the first object; and
ii. the first object is included in the associated attribute of the second object.
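The mutual-reference check of claims 1 and 15 and the authoritative-ACL synchronisation of claim 8, worked through in Python as an added illustration (this is not code from the patent or from any product it covers). The partition names, object names, the rule that only an object in the target's own partition may edit its ACL, and the `Directory` helper API are assumptions made for the example. The scenario shows why the backward check matters: an object whose own partition's administrator adds the target to its ACL passes the forward check but is still refused, because the authoritative object never referenced it.

```python
"""Mutual-reference access check and authoritative-ACL synchronisation for a
directory split across administrative partitions.  Added example, not the
patent's own code; names and the verification rule are assumptions."""
from dataclasses import dataclass, field


@dataclass
class DirectoryObject:
    name: str
    partition: str                          # partition whose administrator controls this object
    acl: set = field(default_factory=set)   # names of objects this object references
    authoritative: bool = False             # peers are synchronised to this object's ACL


class Directory:
    def __init__(self, *objects: DirectoryObject):
        self.objects = {o.name: o for o in objects}

    def mutual_check(self, first: str, second: str) -> tuple:
        """Claim 1 / claim 15 steps b and d: does each object's ACL reference the other?"""
        a, b = self.objects[first], self.objects[second]
        return (second in a.acl, first in b.acl)

    def is_authorized(self, first: str, second: str) -> bool:
        """Access is granted only when the reference exists in BOTH directions."""
        forward, backward = self.mutual_check(first, second)
        return forward and backward

    def modify_acl(self, requester: str, target: str, add=(), remove=()) -> set:
        """Claim 8: receive a modification request, verify it, apply it, then
        synchronise the peers' ACLs so they correspond to the modified one."""
        r, t = self.objects[requester], self.objects[target]
        # Verification rule assumed for this example: only an object in the
        # target's own partition (under that partition's administrator) may edit it.
        if r.partition != t.partition:
            raise PermissionError(f"{requester} may not modify {target}: foreign partition")
        t.acl |= set(add)
        t.acl -= set(remove)
        touched = set(add) | set(remove)
        if t.authoritative:
            self.synchronise(target, touched)
        return touched

    def synchronise(self, source: str, peers) -> None:
        """Make each peer's ACL correspond to the authoritative source ACL: a peer
        the source references gets the reciprocal reference, a peer it no longer
        references loses its now-dangling reference."""
        s = self.objects[source]
        for name in peers:
            peer = self.objects.get(name)
            if peer is None:
                continue
            if name in s.acl:
                peer.acl.add(source)
            else:
                peer.acl.discard(source)


def demo() -> dict:
    """Grant, one-sided self-reference, foreign edit, revocation; returns the outcomes."""
    d = Directory(
        DirectoryObject("alice", "east"),
        DirectoryObject("mallory", "east"),
        DirectoryObject("east-admin", "east"),
        DirectoryObject("west-admin", "west"),
        DirectoryObject("fileserver", "west", authoritative=True),
    )
    out = {}
    # 1. West's administrator grants alice on the authoritative object; the
    #    synchronisation step writes the reciprocal reference into alice's ACL.
    d.modify_acl("west-admin", "fileserver", add={"alice"})
    out["alice_after_grant"] = d.is_authorized("alice", "fileserver")
    out["alice_acl"] = set(d.objects["alice"].acl)
    # 2. mallory's own partition adds fileserver to HER ACL.  The forward check
    #    passes, the backward check fails, so the one-sided reference buys nothing.
    d.modify_acl("east-admin", "mallory", add={"fileserver"})
    out["mallory_mutual"] = d.mutual_check("mallory", "fileserver")
    out["mallory_authorized"] = d.is_authorized("mallory", "fileserver")
    # 3. An object from a foreign partition cannot edit the authoritative ACL at all.
    try:
        d.modify_acl("mallory", "fileserver", add={"mallory"})
        out["foreign_edit"] = "allowed"
    except PermissionError:
        out["foreign_edit"] = "denied"
    # 4. Revocation on the authoritative side propagates back to alice's ACL.
    d.modify_acl("west-admin", "fileserver", remove={"alice"})
    out["alice_after_revoke"] = d.is_authorized("alice", "fileserver")
    out["alice_acl_after_revoke"] = set(d.objects["alice"].acl)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The design point is that the requester's own attribute is never trusted on its own: the administrator of the requester's partition can write anything into it, so the decision is anchored in the attribute of the object being accessed, and the synchronisation step only ever copies outward from that authoritative side.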
Specification