Utilizing LDAP directories for application access control and personalization
Abstract
Lightweight LDAP Access Control for authorization and personalization integrates with a directory service for defining sessions for users and groups without requiring read access or modification to directory schemas. In one exemplary illustrative non-limiting implementation, authorization/personalization data is stored in a private data store outside of the LDAP directory (e.g., on a management or other server). When a user attempts to log on to the computer system, the LDAP directory is queried for a list of associated groups and/or organizational units in the normal way. To compute the resulting set of authorization/personalization rules applicable to the user, an entity (e.g., the management or other server) traverses the organizational hierarchy of the directory groups/OUs, overriding the inherited attributes with explicitly associated ones. Integration with existing user/group/organizational unit infrastructures is provided while avoiding the need to deploy additional user/group databases. In one example arrangement, the LDAP directory is queried for the list of groups and OUs during user logon, so there is no need to replicate user/group directory data in the private data store of the Management Server. This improves performance and eliminates the need to synchronize data between the directory and the private data store of the Management Server. To compute the resulting set of authorization/personalization rules applicable to a user, the Management Server traverses the organizational hierarchy of directory groups/OUs, overriding the inherited attributes with the explicitly mapped ones. This minimizes the amount of administrative work needed to restrict access to protected resources for individuals; in many cases, users simply inherit authorization/personalization data from the groups/OUs they are members of.
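The abstract states the resolution order (query the directory for the user's groups/OUs, walk the OU hierarchy, let explicit mappings override inherited ones) but not the mechanics. The following is an added example written for this page, not code from the patent or from any product it covers. It resolves a user's effective authorization/personalization attributes in Python from two constructed inputs: DIRECTORY, a stand-in for the logon-time LDAP answer (user DN to group DNs), and PRIVATE_STORE, a management-server store keyed only by DN so that no user or group data is replicated. The precedence (root OU to leaf OU, then group mappings, then the user's own explicit entry), the deny-wins rule among conflicting groups, the default-deny fallback for unmapped resources, and the DN normalization are this example's own assumptions, not claims of the patent.

```python
"""Added example (not the patent's code): resolve a user's effective
authorization/personalization attributes by walking the OU hierarchy of
the user's LDAP DN and the user's group DNs, letting explicit mappings in
a private store override inherited ones. Directory data and the private
store are constructed inline so this runs offline; precedence rules are
this example's own assumptions."""

# Constructed stand-in for the directory's logon-time answer: user DN -> group DNs.
# A real deployment would obtain this from an LDAP search (e.g. memberOf).
DIRECTORY = {
    "cn=alice,ou=engineering,ou=corp,dc=example,dc=com": [
        "cn=contractors,ou=groups,dc=example,dc=com",
        "cn=release-managers,ou=groups,dc=example,dc=com",
    ],
    "cn=bob,ou=sales,ou=corp,dc=example,dc=com": [],
}

# Constructed private store: DN -> explicitly mapped attributes. It holds no
# copy of users or groups, only mappings keyed by DN. "resource:<name>" keys
# carry "allow"/"deny"; other keys are personalization data.
PRIVATE_STORE = {
    "dc=example,dc=com": {"theme": "light", "resource:intranet": "allow"},
    "ou=corp,dc=example,dc=com": {"resource:wiki": "allow"},
    "ou=engineering,ou=corp,dc=example,dc=com": {"theme": "dark", "resource:ci": "allow"},
    "cn=contractors,ou=groups,dc=example,dc=com": {"resource:ci": "deny", "resource:wiki": "deny"},
    "cn=release-managers,ou=groups,dc=example,dc=com": {"resource:prod-deploy": "allow", "resource:wiki": "allow"},
    "cn=alice,ou=engineering,ou=corp,dc=example,dc=com": {"resource:wiki": "allow"},
}


def split_dn(dn):
    """Split a DN into RDN strings, honouring backslash-escaped commas
    (RFC 4514); a naive dn.split(',') would break 'cn=Smith\\, John'."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return parts


def normalize_dn(dn):
    """Canonical key form: lowercase, no whitespace around '=' or ','.
    Simplification: real LDAP matching rules are defined per attribute type."""
    rdns = []
    for rdn in split_dn(dn):
        attr, _, value = rdn.partition("=")
        rdns.append(f"{attr.strip()}={value.strip()}".lower())
    return ",".join(rdns)


def ou_chain(user_dn):
    """Container DNs above the user's entry, root first, leaf last."""
    rdns = split_dn(normalize_dn(user_dn))
    return [",".join(rdns[i:]) for i in range(len(rdns) - 1, 0, -1)]


def lookup_groups(user_dn):
    """Stand-in for the logon-time LDAP query. Raises KeyError when the user
    entry is not found, so an unknown DN never silently resolves to 'no groups'."""
    return DIRECTORY[normalize_dn(user_dn)]


def resolve(user_dn, group_dns, store):
    """Return {attribute: (value, source_dn)} for the user.
    Precedence (assumed here): root OU ... leaf OU, then group mappings, then
    the user's own explicit entry. Among groups, a 'deny' on a resource key
    beats an 'allow' regardless of the order the groups were returned in."""
    effective = {}
    for container in ou_chain(user_dn):            # inherited, root to leaf
        for key, value in store.get(container, {}).items():
            effective[key] = (value, container)
    group_layer = {}
    for group in sorted(normalize_dn(g) for g in group_dns):
        for key, value in store.get(group, {}).items():
            if key.startswith("resource:") and group_layer.get(key, ("",))[0] == "deny":
                continue                            # a deny already won this key
            group_layer[key] = (value, group)
    effective.update(group_layer)                   # explicit group mapping overrides OU inheritance
    user_key = normalize_dn(user_dn)
    for key, value in store.get(user_key, {}).items():
        effective[key] = (value, user_key)          # explicit per-user mapping wins over all
    return effective


def is_allowed(effective, resource):
    """Default deny: a resource with no explicit 'allow' is not accessible."""
    return effective.get(f"resource:{resource}", ("deny", None))[0] == "allow"


if __name__ == "__main__":
    for dn in DIRECTORY:
        print(dn)
        for key, (value, source) in sorted(resolve(dn, lookup_groups(dn), PRIVATE_STORE).items()):
            print(f"  {key:22} = {value:6} (from {source})")
```

The source DN recorded beside each effective value is what makes the override chain auditable: an administrator can see that alice's wiki access comes from her explicit entry rather than from the contractors group's deny. Two checks worth keeping in any real implementation are visible here: DNs are parsed with escape handling and normalized before being used as store keys, so a private-store entry cannot be bypassed by a differently cased or spaced DN, and a resource absent from every layer resolves to deny rather than to "no opinion".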
7 Claims

1. A computer system comprising:

a lightweight directory access protocol directory storing organizational units and associated user names and providing directory services, said directory services providing for user log-on into and authentication by the computer system; and a management server separate from said directory services but providing additional access services that assign or deny user access rights based on organizational units defined by said lightweight directory access protocol directory services, said management server comprising a private data store outside of the lightweight directory access protocol directory that stores authorization/personalization data, said management server querying said directory and applying additional authorization/personalization rules to enhance said directory services and override inherited attributes provided by said directory services without requiring modification of said directory and without requiring an additional user log-on.

2. A method of authorizing a computer system user comprising:

providing user log-on and authentication using an LDAP directory storing organizational units and associated user names and providing directory services; receiving an access request related to said user; using a computer system to automatically reference said user in said LDAP directory and, if a corresponding user entry is found, to obtain and provide information pertaining to said user; associating at least one of authorization data and personalization data pertaining to said user with a protected resource that assigns or denies user access rights based on organizational units defined by said lightweight directory access protocol directory services; saving, by said computer, said authorization and/or personalization data in a private data store separate from said LDAP directory; and responding to said request related to said user at least in part based on said referencing and associating to provide at least one resource access result that conditionally allows said user to access at least one computer resource without requiring an additional user log-on.

3. A computer readable storage medium and instructions stored thereto, the instructions, when executed by a computer processor:

use a private data store to provide an authorization service for authorizing users to access protected resources; query and receive user information from a directory database storing organizational units and associated user names and providing directory services, said directory services providing for user log-on into and authentication by the computer system; create authorization associations with respect to user information received from said directory database, said authorization associations assigning or denying user access rights based on organizational units defined by said lightweight directory access protocol directory services; and store said associations to said private data store separate from and not within said directory database and retrieve said associations from said private data store, to override, replace, or extend inherited attributes without requiring an additional user log-on.

4. A computer operating method comprising:

querying an LDAP directory during computer user logon, said LDAP directory storing organizational units and associated user names and providing directory services, said directory services providing for user log-on into and authentication; traversing an organizational hierarchy of directory information in said LDAP directory; accessing a private data store separate from said directory, said private data store not replicating user/group directory data to eliminate the need for detailed synchronization between the directory and the private data store; overriding inherited attributes from said traversed LDAP directory with explicitly mapped attributes obtained from said private data store; and restricting access to protected resources based on private data store authorization/personalization data contents without requiring an additional user log-on.

5. A method of logging a user onto a computer system comprising:

receiving a user identification during a log on process; in response to said received user identification, querying a directory for a list of at least one of associated groups and organizational units associated with the user, said directory storing organizational units and associated user names and providing directory services, said directory services providing for user log-on into and authentication by the computer system; traversing an organizational hierarchy of directory and organizational groups provided by said directory services; overriding inherited attributes provided by said directory services with explicitly associated attributes obtained from a private data store outside of the directory; and using said overridden inherited attributes to control access to at least one resource without requiring an additional user log-on.

(Dependent claims 6 and 7 are not reproduced on this page.)