Attribute rule enforcer for a directory
Abstract
An attribute rule enforcer for evaluating the attributes of a call to add, modify, or delete information in a directory, such as a lightweight directory access protocol (LDAP) directory. The attribute rule enforcer determines whether the attributes of the call comply with predetermined rules governing the directory's content. The directory attribute rule enforcer may be located at the front end of the directory's access server, where it intercepts calls to the directory access server. If the directory attribute rule enforcer determines that the attributes of a call comply with the rules governing the content of the directory, it forwards the call to the directory's access server for action. If, on the other hand, the directory attribute rule enforcer determines that the attributes of a call do not comply with the rules governing the content of the directory, the attribute rule enforcer rejects the call. Further, it may forward an appropriate error message to the source of the call.
5 Claims
1. A method for processing calls to a directory access server, comprising:
intercepting a call from a client computer to a directory access server, the call consisting of one of a request to add data to a directory associated with the directory access server, a request to modify data in the directory, and a request to delete data from the directory, the call further including at least one attribute associated with data having a data content and a data structure;
evaluating the attribute according to a first rule governing data content that is permissible to be forwarded to the directory access server and a second rule governing data structure that is permissible to be forwarded to the directory access server;
the first and second rules including a data addition rule when the call includes a request to add data to the directory;
the first and second rules including a data modification rule when the call includes a request to modify data in the directory;
the first and second rules including a data deletion rule when the call includes a request to delete data from the directory;
determining whether the attribute complies with the first rule and the second rule;
forwarding the call to the directory access server if the attribute complies with the first rule and the second rule; and
rejecting the call to the directory access server and forwarding an error message to a source of the call if the call attribute does not comply with the first rule and the second rule, said steps of evaluating the attribute and determining whether the attribute complies with the first rule and second rule being performed by an attribute rule enforcer interposed between the directory access server and the client computer.

2. An attribute rule enforcer, comprising:
a rule validator and a transaction monitor, the rule validator and transaction monitor being interposed between a client computer and a directory access server;
the transaction monitor being capable of intercepting a call from a client computer to a directory access server, diverting the intercepted call to the rule validator if the call includes one of a request to add data to a directory associated with the directory access server, a request to modify data in the directory, and a request to delete data from the directory, and being further capable of forwarding the intercepted call to the directory access server if the call does not include one of a request to add data to the directory, a request to modify data in the directory, and a request to delete data from the directory; and
the rule validator being capable of determining whether an attribute of a call complies with a first rule governing content of data that is permissible to be forwarded to the directory access server and a second rule governing structure of data that is permissible to be forwarded to the directory access server, the first and second rules including a data addition rule when the call includes a request to add data to the directory, the first and second rules including a data modification rule when the call includes a request to modify data in a directory, and the first and second rules including a data deletion rule when the call includes a request to delete data from the directory;
the rule validator further being capable of forwarding the call to the directory access server if the attribute complies with one of the first rule and the second rule and being further capable of rejecting the call to the directory access server and returning an error message to a source of the call if the attribute does not comply with the first rule and the second rule.
(Dependent claims 3 and 4 depend from claim 2 and are not reproduced here.)

5. A directory network including:
one or more client computers;
a directory access server, said directory access server being capable of controlling access to a directory associated with the directory access server; and
an attribute rule enforcer, said attribute rule enforcer comprising:
a rule validator and a transaction monitor, the rule validator and transaction monitor being interposed between a client computer and a directory access server;
the transaction monitor being capable of intercepting a call from a client computer to a directory access server, diverting the intercepted call to the rule validator if the call includes one of a request to add data to a directory associated with the directory access server, a request to modify data in the directory, and a request to delete data from the directory, and being further capable of forwarding the intercepted call to the directory access server if the call does not include one of a request to add data to the directory, a request to modify data in the directory, and a request to delete data from the directory; and
the rule validator being capable of determining whether an attribute of the call complies with a first rule governing content of data that is permissible to be forwarded to the directory access server and a second rule governing structure of data that is permissible to be forwarded to the directory access server, the first and second rules including a data addition rule when the call includes a request to add data to the directory, the first and second rules including a data modification rule when the call includes a request to modify data in the directory, and the first and second rules including a data deletion rule when the call includes a request to delete data from the directory;
the rule validator being further capable of forwarding the call to the directory access server if the attribute complies with one of the first rule and the second rule and being further capable of rejecting the call to the directory access server and returning an error message to a source of the call if the attribute does not comply with the first and the second rule;
the attribute rule enforcer being arranged in the directory network so as to intercept calls from the one or more client computers to the directory access server, said attribute rule enforcer being interposed between the one or more client computers and the directory access server.

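The following is an added illustration of the transaction monitor and rule validator described in the abstract and claims above; it is example code written for this page, not an implementation from the patent. The schema, content patterns, per-operation rules, the `Call` shape and the stand-in `directory_server` are all constructed assumptions; a real deployment would bind them to the directory's actual schema and policy.

```python
import re
from dataclasses import dataclass, field

@dataclass
class Call:
    op: str                      # "add", "modify", "delete" are write calls; others pass through
    dn: str
    attrs: dict = field(default_factory=dict)   # attribute name -> list of values

# Second rule (data structure): known attributes, single-valued flag, max value length (constructed).
SCHEMA = {"uid": (True, 16), "cn": (True, 64), "mail": (False, 254), "objectClass": (False, 32)}
# First rule (data content): permitted value patterns (constructed for this example).
CONTENT = {"uid": re.compile(r"^[a-z][a-z0-9]{2,15}$"),
           "mail": re.compile(r"^[^@\s]+@example\.com$")}
REQUIRED_ON_ADD = {"uid", "cn", "objectClass"}    # data addition rule
IMMUTABLE = {"uid"}                                # data modification rule
PROTECTED_FROM_DELETE = {"cn", "objectClass"}      # data deletion rule

class RuleValidator:
    """Returns the list of rule violations; an empty list means the call complies."""
    def validate(self, call: Call) -> list:
        errors, names = [], set(call.attrs)
        for name, values in call.attrs.items():
            if name not in SCHEMA:
                errors.append(f"structure: unknown attribute {name}")
                continue
            single, max_len = SCHEMA[name]
            if single and len(values) > 1:
                errors.append(f"structure: {name} is single-valued")
            errors += [f"structure: {name} value too long" for v in values if len(v) > max_len]
            pat = CONTENT.get(name)
            errors += [f"content: bad {name} value {v!r}" for v in values if pat and not pat.match(v)]
        if call.op == "add":
            errors += [f"add: missing required {n}" for n in sorted(REQUIRED_ON_ADD - names)]
        elif call.op == "modify":
            errors += [f"modify: {n} is immutable" for n in sorted(IMMUTABLE & names)]
        elif call.op == "delete":
            errors += [f"delete: {n} is protected" for n in sorted(PROTECTED_FROM_DELETE & names)]
        return errors

def directory_server(call: Call) -> str:
    """Stand-in for the directory access server; only calls the enforcer forwards reach it."""
    return f"{call.op} {call.dn}: ok"

class TransactionMonitor:
    """Intercepts every call: write calls are diverted to the validator, others are forwarded as-is."""
    def __init__(self, validator, server):
        self.validator, self.server = validator, server
    def handle(self, call: Call) -> tuple:
        if call.op in ("add", "modify", "delete"):
            errors = self.validator.validate(call)
            if errors:   # reject and return the error message to the source of the call
                return (False, "rejected: " + "; ".join(errors))
        return (True, self.server(call))

ENFORCER = TransactionMonitor(RuleValidator(), directory_server)
```

`ENFORCER.handle(call)` returns `(forwarded, message)`; a read such as a search is never validated, while an add missing a required attribute or a modify touching an immutable one is rejected before it reaches the server.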
Specification