Integrating sudo rules with entities represented in an LDAP directory

US 9,015,790 B2
Filed: 07/20/2011
Issued: 04/21/2015
Est. Priority Date: 07/20/2011
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for a Light Weight Directory Access Protocol (LDAP) directory server, the method comprising:

receiving a request to add a new sudo (substitute user do) rule of a plurality of sudo rules to an LDAP repository, the LDAP repository having an LDAP schema facilitating an integration of the plurality of sudo rules with a plurality of entities represented in the LDAP repository using a plurality of object classes each associated with a set of attributes, the new sudo rule defining at least one sudo command and one or more entities of the plurality of entities for executing the at least one sudo command via one or more sudo clients coupled to the LDAP directory server via a network, the new sudo rule permitting the one or more entities to execute, via the one or more sudo clients, the at least one sudo command with privileges of one or more other entities of the plurality of entities;

identifying an LDAP entry of the at least one sudo command, the LDAP entry of the at least one sudo command entry having attributes associated with a sudo command object class of the plurality of objects classes of the LDAP schema;

identifying one or more LDAP entries of the one or more entities associated with the execution of the at least one sudo command via the respective sudo clients, each LDAP entry of the one or more entities having attributes associated with an entity object class of the plurality of objects classes of the LDAP schema;

creating, by a processing device, an LDAP entry for the new sudo rule using a sudo rule object class of the plurality of objects classes of the LDAP schema;

linking, in the LDAP entry of the new sudo rule, the LDAP entry of the at least one sudo command with the one or more LDAP entries of the one or more entities associated with the execution of the at least one sudo command via the respective sudo clients; and

upon receiving a request to delete the new sudo rule from the LDAP repository, marking the new sudo rule disabled in the LDAP entry of the new sudo rule.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for integrating Sudo rules into a Lightweight Directory Access Protocol (LDAP) repository. An LDAP directory server receives a request to add a sudo rule to the LDAP repository. The sudo rule defines at least one sudo command and one or more entities associated with the execution of the sudo command. The LDAP directory server creates an LDAP entry for the sudo rule, and links in the LDAP entry of the sudo rule an LDAP entry of the sudo command and LDAP entries of the entities associated with the execution of the sudo command.

15 Citations

View as Search Results

21 Claims

1. A computer-implemented method for a Light Weight Directory Access Protocol (LDAP) directory server, the method comprising:
- receiving a request to add a new sudo (substitute user do) rule of a plurality of sudo rules to an LDAP repository, the LDAP repository having an LDAP schema facilitating an integration of the plurality of sudo rules with a plurality of entities represented in the LDAP repository using a plurality of object classes each associated with a set of attributes, the new sudo rule defining at least one sudo command and one or more entities of the plurality of entities for executing the at least one sudo command via one or more sudo clients coupled to the LDAP directory server via a network, the new sudo rule permitting the one or more entities to execute, via the one or more sudo clients, the at least one sudo command with privileges of one or more other entities of the plurality of entities;
  
  identifying an LDAP entry of the at least one sudo command, the LDAP entry of the at least one sudo command entry having attributes associated with a sudo command object class of the plurality of objects classes of the LDAP schema;
  
  identifying one or more LDAP entries of the one or more entities associated with the execution of the at least one sudo command via the respective sudo clients, each LDAP entry of the one or more entities having attributes associated with an entity object class of the plurality of objects classes of the LDAP schema;
  
  creating, by a processing device, an LDAP entry for the new sudo rule using a sudo rule object class of the plurality of objects classes of the LDAP schema;
  
  linking, in the LDAP entry of the new sudo rule, the LDAP entry of the at least one sudo command with the one or more LDAP entries of the one or more entities associated with the execution of the at least one sudo command via the respective sudo clients; and
  
  upon receiving a request to delete the new sudo rule from the LDAP repository, marking the new sudo rule disabled in the LDAP entry of the new sudo rule.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1 wherein the LDAP entry of the at least one sudo command and the LDAP entries of the one or more entities for executing the at least one sudo command existed in the LDAP repository prior to the received request.
  - 3. The method of claim 1 further comprising:
    - receiving a query pertaining to the new sudo rule from a sudo client of the one or more sudo clients;
      
      transforming the query according to the LDAP schema;
      
      retrieving an LDAP entry corresponding to the received query from the LDAP repository;
      
      transforming the retrieved data to a format of the sudo client; and
      
      providing the transformed data to the sudo client for execution.
  - 4. The method of claim 1 wherein the at least one sudo command is a single sudo command or a group of sudo commands.
  - 5. The method of claim 1 wherein the one or more entities for executing the at least one sudo command comprise one or more of a user, a group of users, a host, a group of hosts, or a netgroup.
  - 6. The method of claim 1 wherein the one or more entities for executing the at least one sudo command comprises one or more of an entity allowed to execute the at least one sudo command, an entity disallowed to execute the at least one sudo command, or an entity on which behalf the at least one sudo command is allowed to be executed.
  - 7. The method of claim 1 wherein the sudo command object class is an object class for a sudo command or an object class for a group of sudo commands, the entity object class is any one of an object class for a user, an object class for a group of users, an object class for a host, an object class for a group of hosts, or an object class for a netgroup.
  - 8. The method of claim 1, wherein the sudo client communicates with a system security services daemon (SSSD) when the sudo client does not have a connection with the LDAP server, the SSSD periodically caching contents of the LDAP repository.
  - 9. The method of claim 1 further comprising:
    - receiving a client request to change one of the one or more entities for executing the at least one sudo command; and
      
      modifying an LDAP entry of the requested entity without modifying the LDAP entry for the at least one sudo command.

10. A system for a Light Weight Directory Access Protocol (LDAP) directory server, the system comprising:
- a memory;
  
  a processor, coupled to the memory, to;
  
  receive a request to add a new sudo (substitute user do) rule of a plurality of sudo rules to an LDAP repository, the LDAP repository having an LDAP schema facilitating an integration of the plurality of sudo rules with a plurality of entities represented in the LDAP repository using a plurality of object classes each associated with a set of attributes, the sudo rule defining at least one sudo command and one or more entities of the plurality of entities for executing the at least one sudo command via one or more sudo clients coupled to the LDAP server via a network, the new sudo rule permitting the one or more entities to execute, via the one or more sudo clients, the at least one sudo command with privileges of one or more other entities of the plurality of entities;
  
  identify an LDAP entry of the at least one sudo command, the LDAP entry of the at least one sudo command entry having attributes associated with a sudo command object class of the plurality of objects classes of the LDAP schema;
  
  identify one or more LDAP entries of the one or more entities associated with the execution of the at least one sudo command via the respective sudo clients, each LDAP entry of the one or more entities having attributes associated with an entity object class of the plurality of objects classes of the LDAP schema;
  
  create an LDAP entry for the new sudo rule using a sudo rule object class of the plurality of objects classes of the LDAP schema;
  
  link, in the LDAP entry of the new sudo rule, the LDAP entry of the at least one sudo command with the one or more LDAP entries of the one or more entities associated with the execution of the at least one sudo command via the respective sudo clients; and
  
  upon receiving a request to delete the new sudo rule from the LDAP repository, mark the new sudo rule disabled in the LDAP entry of the new sudo rule.
- View Dependent Claims (11, 12, 13, 14, 15, 16)
- - 11. The system of claim 10 wherein the LDAP entry of the at least one sudo command and the LDAP entries of the one or more entities for executing the at least one sudo command existed in the LDAP repository prior to the received request.
  - 12. The system of claim 10, wherein the processor is further configured to:
    - receive a query pertaining to the new sudo rule from the sudo client;
      
      transform the query according to the LDAP schema;
      
      retrieve an LDAP entry corresponding to the received query from the LDAP repository;
      
      transform the retrieved data to a format of the sudo client; and
      
      provide the transformed data to the sudo client for execution.
  - 13. The system of claim 10 wherein the one or more entities for executing the at least one sudo command comprise one or more of a user, a group of users, a host, a group of hosts, or a netgroup.
  - 14. The system of claim 10 wherein the one or more entities for executing the at least one sudo command comprises one or more of an entity allowed to execute the at least one sudo command, an entity disallowed to execute the at least one sudo command, or an entity on which behalf the at least one sudo command is allowed to be executed.
  - 15. The system of claim 10 wherein the sudo command object class is an object class for a sudo command or an object class for a group of sudo commands, the entity object class is any one of an object class for a user, an object class for a group of users, an object class for a host, an object class for a group of hosts, or an object class for a netgroup.
  - 16. The system of claim 10 wherein the sudo client communicates with a system security services daemon (SSSD), wherein the SSSD periodically caches contents of the LDAP repository, and wherein the cached contents are used by the sudo client when the sudo client does not have a connection with the LDAP server or when the sudo client requires data within the cached contents.

17. A non-transitory computer readable storage medium storing instructions which when executed cause a˜
- processing device˜
  
  stem to perform a method for a Light Weight Directory Access Protocol (LDAP) directory server, the method comprising;
  
  receiving a request to add a new sudo (substitute user do) rule of a plurality of sudo rules to an LDAP repository, the LDAP repository having an LDAP schema facilitating an integration of the plurality of sudo rules with a plurality of entities represented in the LDAP repository using a plurality of object classes each associated with a set of attributes, the new sudo rule defining at least one sudo command and one or more entities of the plurality of entities for executing the at least one sudo command via one or more sudo clients coupled to the LDAP directory server via a network, the new sudo rule permitting the one or more entities to execute, via the one or more sudo clients, the at least one sudo command with privileges of one or more other entities of the plurality of entities;
  
  identifying an LDAP entry of the at least one sudo command, the LDAP entry of the at least one sudo command entry having attributes associated with a sudo command object class of the plurality of objects classes of the LDAP schema;
  
  identifying one or more LDAP entries of the one or more entities associated with the execution of the at least one sudo command via the respective sudo clients, each LDAP entry of the one or more entities having attributes associated with an entity object class of the plurality of objects classes of the LDAP schema;
  
  creating, by the processing device, an LDAP entry for the new sudo rule using a sudo rule object class of the plurality of objects classes of the LDAP schema;
  
  linking, in the LDAP entry of the new sudo rule, the LDAP entry of the at least one sudo command with the one or more LDAP entries of the one or more entities associated with the execution of the at least one sudo command via the respective sudo clients; and
  
  upon receiving a request to delete the new sudo rule from the LDAP repository, marking the new sudo rule disabled in the LDAP entry of the new sudo rule.
- View Dependent Claims (18, 19, 20, 21)
- - 18. The non-transitory computer readable storage medium of claim 17 wherein the LDAP entry of the at least one sudo command and the LDAP entries of the one or more entities for executing the at least one sudo command existed in the LDAP repository prior to the received request.
  - 19. The non-transitory computer readable storage medium of claim 17 wherein the one or more entities for executing the at least one sudo command comprise one or more of a user, a group of users, a host, a group of hosts, or a netgroup.
  - 20. The non-transitory computer readable storage medium of claim 17, wherein the one or more entities for executing the at least one sudo command comprises one or more of an entity allowed to execute the at least one sudo command, an entity disallowed to execute the at least one sudo command, or an entity on which behalf the at least one sudo command is allowed to be executed.
  - 21. The non-transitory computer readable storage medium of claim 17 wherein the sudo command object class is an object class for a sudo command or an object class for a group of sudo commands, the entity object class is any one of an object class for a user, an object class for a group of users, an object class for a host, an object class for a group of hosts, or an object class for a netgroup.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Red Hat, Inc. (International Business Machines Corporation)
Original Assignee
Red Hat, Inc. (International Business Machines Corporation)
Inventors
Pal, Dmitri V., Bose, Sumit
Primary Examiner(s)
Patel, Ashok
Assistant Examiner(s)
GRACIA, GARY S

Application Number

US13/187,455
Publication Number

US 20130024907A1
Time in Patent Office

1,371 Days
Field of Search

726/1
US Class Current

726/1
CPC Class Codes

G06F 21/604   Tools and structures for ma...

G06F 21/6218   to a system of files or obj...

H04L 63/0884   by delegation of authentica...

Integrating sudo rules with entities represented in an LDAP directory

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

15 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Integrating sudo rules with entities represented in an LDAP directory

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

15 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links