User interface for securing lightweight directory access protocol traffic

US 7,577,132 B2
Filed: 11/24/2004
Issued: 08/18/2009
Est. Priority Date: 10/28/2004
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

exposing a user interface suitable for receiving inputs from a user that specify whether execution of a particular lightweight directory access protocol (LDAP) action is permitted, wherein the exposing of the user interface includes a plurality of descriptions that are selectable by a user;

configuring a policy, based on the inputs, for managing lightweight directory access protocol (LDAP) traffic on a network;

intercepting a request communicated from a client to a server, wherein the request indicates an LDAP action;

applying the policy to the LDAP action in order to determine whether the LDAP action is permitted, wherein the policy is selected from one or more available policies; and

in an event the LDAP action is permitted;

determining if another policy of the one or more policies is available and applying the other policy to the LDAP action if it is available;

continuing to determine if another policy of the one or more policies is available and applying the other policy to the LDAP action if it is available until there are no more policies available; and

communicating the request for performance of the LDAP action;

in an event the LDAP action is not permitted;

modifying the request to specify a modified LDAP action;

selecting at least one of the one or more policies;

applying the at least one of the one or more policies to the modified LDAP action;

determining if another policy of the one or more policies is available and applying the other policy to the modified LDAP action if it is available; and

continuing to determine if another policy of the one or more policies is available and applying the other policy to the modified LDAP action if it is available until there are no more policies available; and

communicating the request for performance of the modified LDAP action.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Lightweight directory access protocol (LDAP) management is described. In an implementation, a method includes exposing a user interface suitable for receiving inputs from a user that specify whether execution of a particular lightweight directory access protocol (LDAP) action is permitted. A policy is configured based on the inputs, for managing lightweight directory access protocol (LDAP) traffic on a network.

Citations

29 Claims

1. A method comprising:
- exposing a user interface suitable for receiving inputs from a user that specify whether execution of a particular lightweight directory access protocol (LDAP) action is permitted, wherein the exposing of the user interface includes a plurality of descriptions that are selectable by a user;
  
  configuring a policy, based on the inputs, for managing lightweight directory access protocol (LDAP) traffic on a network;
  
  intercepting a request communicated from a client to a server, wherein the request indicates an LDAP action;
  
  applying the policy to the LDAP action in order to determine whether the LDAP action is permitted, wherein the policy is selected from one or more available policies; and
  
  in an event the LDAP action is permitted;
  
  determining if another policy of the one or more policies is available and applying the other policy to the LDAP action if it is available;
  
  continuing to determine if another policy of the one or more policies is available and applying the other policy to the LDAP action if it is available until there are no more policies available; and
  
  communicating the request for performance of the LDAP action;
  
  in an event the LDAP action is not permitted;
  
  modifying the request to specify a modified LDAP action;
  
  selecting at least one of the one or more policies;
  
  applying the at least one of the one or more policies to the modified LDAP action;
  
  determining if another policy of the one or more policies is available and applying the other policy to the modified LDAP action if it is available; and
  
  continuing to determine if another policy of the one or more policies is available and applying the other policy to the modified LDAP action if it is available until there are no more policies available; and
  
  communicating the request for performance of the modified LDAP action.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. A method as described in claim 1, wherein the lightweight directory access protocol (LDAP) action specifies a particular LDAP operation.
  - 3. A method as described in claim 2, wherein the particular lightweight directory access protocol (LDAP) operation is selected from the group consisting of:
    - search;
      
      compare;
      
      add;
      
      delete;
      
      modify;
      
      renamebind;
      
      unbind; and
      
      abandon.
  - 4. A method as described in claim 1, wherein the lightweight directory access protocol (LDAP) action specifies a particular lightweight directory access protocol (LDAP) operation that is not permitted to be performed on a particular LDAP object.
  - 5. A method as described in claim 1, wherein:
    - one or more of the plurality of descriptions describe a plurality of authentication mechanisms that are selectable for authenticating a client in accordance with at least one of a plurality of authentication levels.
  - 6. A method as described in claim 1, wherein:
    - one or more of the plurality of descriptions describe a plurality of authentication mechanisms that are selectable by the user for being employed during a lightweight directory access protocol (LDAP) bind operation.
  - 7. A method as described in claim 1, wherein:
    - one or more of the plurality of descriptions describe logical lightweight directory access protocol (LDAP) operation groups which may be defined through selection by the user.
  - 8. A method as described in claim 1, wherein:
    - one description is selectable to allow encrypted LDAP traffic; and
      
      another description is selectable to allow only ping traffic through a particular LDAP port.
  - 9. A method as described in claim 1, wherein:
    - at least one description is selectable to control referral information included in a response formed utilizing a lightweight directory access protocol (LDAP) directory.
  - 10. A method as described in claim 1, wherein:
    - at least one description is selectable to control secure sockets layer (SSL) traffic.
  - 11. A method as described in claim 1, wherein:
    - at least one description is selectable to control which version of a lightweight directory access protocol (LDAP) is permitted.
  - 12. A method as described in claim 1, wherein:
    - at least one description is selectable to control access to a particular lightweight directory access protocol (LDAP) object.
  - 13. One or more computer readable storage media having computer executable instructions embodied thereon, the computer executable instructions when executed by a computer, configure the computer to perform the method of claim 1.

14. One or more computer readable media comprising computer executable instructions that, when executed on a computer, direct the computer to perform a method, the method comprising:
- outputting a user interface for configuring one or more of a plurality of policies for managing lightweight directory access protocol (LDAP) traffic on a network, wherein the user interface, when output, is configured to enable a user to indicate whether performance of an LDAP operation is permitted and to indicate whether performance of a particular LDAP operation on a particular LDAP object is permitted, by presenting a plurality of descriptions that are selectable by the user;
  
  configuring one or more policies according to one or more descriptions that are selected by the user;
  
  intercepting a request communicated from a client to a server, wherein the request indicates an LDAP operation;
  
  selecting at least one of the one or more policies;
  
  applying the at least one of the one or more policies to the LDAP operation in order to determine whether the LDAP operation is permitted; and
  
  in an event the LDAP operation is permitted;
  
  determining if another policy of the one or more polices is available and applying the other policy to the LDAP operation if it is available;
  
  continuing to determine if another policy of the one or more policies is available and applying the other policy to the LDAP operation if it is available until there are no more policies available; and
  
  communicating the request for performance of the LDAP operation;
  
  in an event the LDAP operation is not permitted;
  
  modifying the request to specify a modified LDAP operation;
  
  selecting at least one of the one or more policies;
  
  applying the at least one of the one or more policies to the modified LDAP operation;
  
  determining if another policy of the one or more polices is available and applying the other policy to the modified LDAP operation if it is available; and
  
  continuing to determine if another policy of the one or more policies is available and applying the other policy to the modified LDAP operation if it is available until there are no more policies available; and
  
  communicating the request for performance of the modified LDAP operation.
- View Dependent Claims (15)
- - 15. One or more computer readable media as described in claim 14, wherein the lightweight directory access protocol (LDAP) operation is selected from the group consisting of:
    - search;
      
      compare;
      
      add;
      
      delete;
      
      modify;
      
      renamebind;
      
      unbind; and
      
      abandon.

16. A system comprising:
- a processor;
  
  a memory coupled to the processor, the memory having computer-executable instructions embodied thereon, the computer-executable instructions, when executed by the processor, configuring a computer to secure network traffic;
  
  one or more modules stored on the memory, the one or more modules comprising;
  
  first computer-executable instructions configured to output a user interface having a plurality of descriptions, the plurality of descriptions selectable by a user to configure a policy defining permissible traffic over a network utilizing a lightweight directory access protocol (LDAP);
  
  second computer-executable instructions configured to manage LDAP traffic according to the configured policy; and
  
  third computer-executable instructions configuring the system to perform actions comprising;
  
  intercepting a request communicated from a client to a server, wherein the request indicates an LDAP operation;
  
  selecting at least one of one or more policies available;
  
  applying the at least one of the one or more policies to the LDAP operation in order to determine whether the LDAP operation is permitted; and
  
  in an event the LDAP operation is permitted;
  
  determining if another policy of the one or more polices is available and applying the other policy to the LDAP operation if it is available;
  
  continuing to determine if another policy of the one or more policies is available and applying the other policy to the LDAP operation if it is available until there are no more policies available; and
  
  communicating the request for performance of the LDAP operation;
  
  in an event the LDAP operation is not permitted;
  
  modifying the request to specify a modified LDAP operation;
  
  selecting at least one of the one or more policies available;
  
  applying the at least one of the one or more policies to the modified LDAP operation;
  
  determining if another policy of the one or more polices is available and applying the other policy to the modified LDAP operation if it is available;
  
  continuing to determine if another policy of the one or more policies is available and applying the other policy to the modified LDAP operation if it is available until there are no more policies available; and
  
  communicating the request for performance of the modified LDAP operation.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29)
- - 17. A system as described in claim 16, wherein the second computer-executable instructions are executable on a network firewall device.
  - 18. A system as described in claim 16, wherein the second computer-executable instructions are executable on a lightweight directory access protocol (LDAP) server.
  - 19. A system as described in claim 16 wherein the user interface is configured to allow a user to specify whether performance of a particular lightweight directory access protocol (LDAP) operation is permitted.
  - 20. A system as described in claim 16, wherein the user interface is configured to allow a user to specify whether interaction with a particular lightweight directory access protocol (LDAP) object is permitted.
  - 21. A system as described in claim 16, wherein the user interface is configured to allow a user to specify whether a particular lightweight directory access protocol (LDAP) operation is permitted to be performed on a particular LDAP object.
  - 22. A system as described in claim 16, wherein the particular lightweight directory access protocol (LDAP) operation is selected from the group consisting of:
    - search;
      
      compare;
      
      add;
      
      delete;
      
      modify;
      
      renamebind;
      
      unbind; and
      
      abandon.
  - 23. A system as described in claim 16, wherein one or more of the plurality of descriptions describe a plurality of authentication mechanisms that are selectable for authenticating a client in accordance with at least one of a plurality of authentication levels.
  - 24. A system as described in claim 16, wherein one or more of the plurality of descriptions describe a plurality of authentication mechanisms that are selectable by the user for being employed during a lightweight directory access protocol (LDAP) bind operation.
  - 25. A system as described in claim 16, wherein one or more of the plurality of descriptions describe logical lightweight directory access protocol (LDAP) operation groups which may be defined through selection by the user.
  - 26. A system as described in claim 16, wherein:
    - one description is selectable to allow encrypted LDAP traffic; and
      
      another description is selectable to allow only ping traffic through a particular LDAP port.
  - 27. A system as described in claim 16, wherein at least one description is selectable to control referral information included in a response formed utilizing a lightweight directory access protocol (LDAP) directory.
  - 28. A system as described in claim 16, wherein at least one description is selectable to control secure sockets layer (SSL) traffic.
  - 29. A system as described in claim 16, wherein at least one description is selectable to control which version of a lightweight directory access protocol (LDAP) is permitted.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Katz, Ariel, Mondri, Ron
Primary Examiner(s)
Trost, IV; William
Assistant Examiner(s)
Shand; Roberta A

Application Number

US10/997,433
Publication Number

US 20060168255A1
Time in Patent Office

1,728 Days
Field of Search

370/352, 370/401, 709/203, 709/219, 709/220
US Class Current

370/352
CPC Class Codes

H04L 61/4523   using lightweight directory...

H04L 63/102   Entity profiles

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

User interface for securing lightweight directory access protocol traffic

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

29 Claims

Specification

Solutions

Use Cases

Quick Links

User interface for securing lightweight directory access protocol traffic

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

29 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links