Role based groups

US 7,720,881 B2
Filed: 02/27/2007
Issued: 05/18/2010
Est. Priority Date: 02/27/2007
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method of a Lightweight Directory Access Protocol (LDAP) directory server for managing an LDAP directory, the method comprising:

defining a group represented by an organization unit subtree in the LDAP directory, the group being identified by a first distinguished name and including a list for at least one of a plurality of entries in the LDAP directory;

defining a group attribute for the at least one entry, the group attribute identified by the first distinguished name of the group;

defining a group-based role, at a role management module of the LDAP directory server, the group-based role identified by a second distinguished name and represented by a node outside of the organization subtree, a definition of the group-based role comprising the first distinguished name of the group and the second distinguished name of the group-based role, wherein an entry possesses the group-based role based on being on the list as a member of the group;

automatically updating the role of the at least one entry when the at least one entry is removed from membership of the group;

determining which of the plurality of entries possess the group based role by querying members in the group; and

providing the entries that possess the group based role to a client, the entries being the members of the group.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for managing group based roles in a directory server is described. In one embodiment, a group of entries is defined in the directory server. One or more of the entries possess a group based role. The group based role points to one or more groups. Entries that belong to a group pointed by the group based role also possess the group based role.

15 Citations

View as Search Results

13 Claims

1. A computer-implemented method of a Lightweight Directory Access Protocol (LDAP) directory server for managing an LDAP directory, the method comprising:
- defining a group represented by an organization unit subtree in the LDAP directory, the group being identified by a first distinguished name and including a list for at least one of a plurality of entries in the LDAP directory;
  
  defining a group attribute for the at least one entry, the group attribute identified by the first distinguished name of the group;
  
  defining a group-based role, at a role management module of the LDAP directory server, the group-based role identified by a second distinguished name and represented by a node outside of the organization subtree, a definition of the group-based role comprising the first distinguished name of the group and the second distinguished name of the group-based role, wherein an entry possesses the group-based role based on being on the list as a member of the group;
  
  automatically updating the role of the at least one entry when the at least one entry is removed from membership of the group;
  
  determining which of the plurality of entries possess the group based role by querying members in the group; and
  
  providing the entries that possess the group based role to a client, the entries being the members of the group.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1 further comprising:
    - receiving from the client, a request for determining if an entry of the directory server possesses a role, the request comprising an nsrole attribute.
  - 3. The method of claim 1 further comprising:
    - evaluating members of a static group, the static group listing at least one entry in the directory server.
  - 4. The method of claim 1 further comprising:
    - evaluating members of a dynamic group, the dynamic group comprising a search criteria for the entries in the directory server.
  - 5. The method of claim 1 wherein determining comprises:
    - evaluating the members of groups that are associated with the group based role; and
      
      determining the members of the groups that are within a scope of the group based role.

6. A directory server comprising:
- a storage device configured to store a plurality of entries in a Lightweight Directory Access Protocol (LDAP) directory;
  
  a processing device coupled to the storage device, the processing device comprising a role management module configured to define a group represented by an organization unit subtree in the LDAP directory, the group being identified by a first distinguished name and including a list for at least one of the entries, to define a group attribute for the at least one entry, the group attribute identified by the first distinguished name of the group, to define a group-based role that is identified by a second distinguished name and represented by a node outside of the organization subtree, a definition of the group-based role comprising the first distinguished name of the group and the second distinguished name of the group-based role, wherein an entry possesses the group-based role based on being on the list as a member of the group, to automatically update the role of the at least one entry when the at least one entry is removed from membership of the group, to determine which of the plurality of entries possess the group based role by querying members in the group, and to provide the entries that possess the group based role to a client, the entries being the members of the group.
- View Dependent Claims (7, 8, 9)
- - 7. The directory server of claim 6 wherein the directory server is to receive from the client, a request for determining if an entry of the directory server possesses a role, the request comprising an nsrole attribute.
  - 8. The directory server of claim 6 wherein the directory server is to evaluate members of a static group, the static group listing at least one entry in the directory server.
  - 9. The directory server of claim 6 wherein the directory server is evaluate members of a dynamic group, the dynamic group comprising a search criteria for the entries in the directory server.

10. A computer-readable storage medium, having instructions stored therein, which when executed, cause a computer system to perform a method comprising:
- defining a group represented by an organization unit subtree in a Lightweight Directory Access Protocol (LDAP) directory managed by an LDAP directory server, the group being identified by a first distinguished name and including a list for at least one of a plurality of entries in the LDAP directory;
  
  defining a group attribute for the at least one entry, the group attribute identified by the first distinguished name of the group;
  
  defining a group-based role at a role management module of the LDAP directory server, the group-based role identified by a second distinguished name and represented by a node outside of the organization subtree, a definition of the group-based role comprising the first distinguished name of the group and the second distinguished name of the group-based role, wherein an entry possesses the group-based role based on being on the list as a member of the groupautomatically updating the role of the at least one entry when the at least one entry is removed from membership of the group;
  
  determining which of the plurality of entries possess the group based role by querying members in the group; and
  
  providing the entries that possess the group based role to a client, the entries being the members of the group.
- View Dependent Claims (11, 12, 13)
- - 11. The computer-readable storage medium of claim 10 wherein the method further comprises:
    - receiving from the client, a request for determining if an entry of the directory server possesses a role, the request comprising an nsrole attribute.
  - 12. The computer-readable storage medium of claim 10 wherein the method further comprises:
    - evaluating members of a static group, the static group listing at least one entry in the directory server.
  - 13. The computer-readable storage medium of claim 10 wherein the method further comprises:
    - evaluating members of a dynamic group, the dynamic group comprising a search criteria for the entries in the directory server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Red Hat, Inc. (International Business Machines Corporation)
Original Assignee
Red Hat, Inc. (International Business Machines Corporation)
Inventors
Rowley, Peter Andrew
Primary Examiner(s)
NGUYEN, CAM LINH T

Application Number

US11/712,262
Publication Number

US 20080208807A1
Time in Patent Office

1,176 Days
Field of Search

707100-102, 707/1, 707/9
US Class Current

707/803
CPC Class Codes

G06F 16/10 File systems; File servers

Role based groups

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

15 Citations

13 Claims

Specification

Use Cases

Quick Links

Others

Role based groups

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

15 Citations

13 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others