1. Technical Field
The invention relates to accessing resources in a directory structure in a computer environment. More particularly, the invention relates to controlling access to resources within an LDAP directory structure in a computer environment.
2. Description of the Prior Art
A Lightweight Directory Access Protocol (LDAP) directory (such as Netscape Communications Corporation's Directory Server) is a collection of “entries.” Each entry has a name (called the Distinguished Name) and a list of attribute values. The entries in a directory are organized in a tree structure, with major groupings that are subdivided into smaller units. A directory might contain several organization entries, each of which contains several organizationalUnit entries. These entries can be further subdivided.
LDAP provides search operations that can be performed over specified portions of the directory tree. Trees and subtrees, therefore, are a natural way to deal with data stored in an LDAP directory.
Entries and attributes correspond to a wide variety of data types such as personnel information, server configuration, business relationships, and user preferences. Since all entries contain important information, a method is required to restrict the availability of specific information to authorized users.
The Netscape Directory Server allows an Access Control Instruction (ACI) entry to be created that controls access to data stored in the directory tree. The ACI entry contains rules that determine which users of the directory are allowed access. One component of each ACL rule is a description of the entries the rule applies to; this target is essentially a resource specification (e.g., data, printers, servers).
Access in an LDAP system is controlled through Access Control Lists (ACLs). The Directory Server Administrator (DSAdmin) creates basic ACL rules that grant specific users access to entries in the directory.
Previous methods required the DSAdmin to specify separate attributes on the command line for each resource, which was cumbersome and confusing. A further problem with previous approaches was that the DSAdmin could not restrict the effect of an ACI to a single node or to a single level of nodes: a rule that named an entry applied to the whole subtree beneath it.
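The scoping behaviour described above, a search or a rule that reaches one node, its immediate children, or its whole subtree, as an added example that is not part of the patent text or of Netscape's Directory Server code. It uses a constructed directory of single-valued, unescaped RDNs (an assumption; real DNs may contain escaped commas and multi-valued RDNs) and matches DNs RDN by RDN rather than by string suffix, so that an entry whose name merely ends with the same characters is not swept into the subtree:

```python
from typing import List, Tuple

# Constructed sample directory for this example (not real data): an
# organization subdivided into organizationalUnits, which are subdivided again.
DIRECTORY: List[str] = [
    "o=Example",
    "ou=People,o=Example",
    "uid=alice,ou=People,o=Example",
    "uid=bob,ou=People,o=Example",
    "ou=OtherPeople,o=Example",
    "ou=Groups,o=Example",
    "cn=admins,ou=Groups,o=Example",
    "ou=Engineering,o=Example",
    "ou=Printers,ou=Engineering,o=Example",
    "cn=lp1,ou=Printers,ou=Engineering,o=Example",
]

# The three LDAP search scopes: the base entry only, its immediate children
# only, or the whole subtree rooted at the base.
SCOPES = ("base", "one", "sub")


def split_dn(dn: str) -> Tuple[Tuple[str, str], ...]:
    """Split a DN into normalised (type, value) RDNs, leaf first.

    Assumption: every RDN is single-valued and contains no escaped commas
    or '=' signs, so a plain split is enough. Types and values are compared
    case-insensitively, as they are for the common DirectoryString syntax.
    """
    rdns = []
    for rdn in dn.split(","):
        attr_type, sep, value = rdn.partition("=")
        if not sep or not attr_type.strip() or not value.strip():
            raise ValueError(f"malformed RDN {rdn!r} in DN {dn!r}")
        rdns.append((attr_type.strip().lower(), value.strip().casefold()))
    return tuple(rdns)


def depth_below(entry: str, base: str) -> int:
    """Return how many levels `entry` sits below `base` (0 = same entry),
    or -1 when `entry` is not in the subtree rooted at `base`.

    The comparison is done RDN by RDN rather than as a string suffix, so
    'ou=OtherPeople,o=Example' is not treated as lying under
    'ou=People,o=Example' even though one string ends with the other.
    """
    e, b = split_dn(entry), split_dn(base)
    if len(e) < len(b) or e[len(e) - len(b):] != b:
        return -1
    return len(e) - len(b)


def search(base: str, scope: str, entries: List[str] = DIRECTORY) -> List[str]:
    """Return the entries an LDAP search with this base and scope would visit."""
    if scope not in SCOPES:
        raise ValueError(f"unknown scope {scope!r}; expected one of {SCOPES}")
    wanted = {"base": (0,), "one": (1,)}  # 'sub' accepts any depth >= 0
    matched = []
    for entry in entries:
        depth = depth_below(entry, base)
        if depth < 0:
            continue
        if scope == "sub" or depth in wanted[scope]:
            matched.append(entry)
    return matched


if __name__ == "__main__":
    # A rule whose target names 'ou=People,o=Example' and applies to the whole
    # subtree reaches every entry below it; 'base' and 'one' are the single-node
    # and single-level restrictions the text discusses.
    for scope in SCOPES:
        print(f"{scope:4s}: {search('ou=People,o=Example', scope)}")
```

The point for an access-control implementer is the second function: a target that is compared as a string suffix (`entry.endswith(target)`) would let `ou=OtherPeople,o=Example` inherit whatever a rule for `ou=People,o=Example` grants. Matching on parsed RDNs, and then choosing the depth the rule is meant to cover, is what makes a single-node or single-level restriction meaningful.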
It would be advantageous to provide a domain specification system for an LDAP ACI entry that gives the system administrator the ability to easily specify the resources that are accessible to a user. It would further be advantageous to provide a domain specification system for an LDAP ACL rule that allows the system administrator to restrict a user's access to a single node or to a single level of nodes.