1. Technical Field
This invention relates to the field of directory services, and more particularly, to access control using Lightweight Directory Access Protocol (LDAP).
2. Description of the Related Art
A directory, similar to a database, can contain descriptive information and attributes associated with that information. An example of a directory can be an employee records directory for storing employee information. Other examples of directories can include telephone directories or property listings. The directory contains multiple entries, where an entry can correspond to the items of information which the directory can store. In the case of an employee directory, entries of the directory can be employee names or a unique index number associated with an employee name. Each entry of the directory can have one or more attributes, which can be any supplemental information or characteristic corresponding to the entry. Thus, an attribute of an employee name entry can be an item of personal employee information, such as the employee's telephone number, address, or social security number.
Typically, information is read from a directory more often than information is written to the directory. Taking the previous example, although employee information must be updated periodically, much of the information within an employee record does not change from day to day. For example, an employee date of birth, if correctly entered in the directory, need not be updated. Similarly, an employee address need not be updated on a day to day basis, but rather, only when the employee relocates to a different residence. Because directories are accessed frequently using read operations, directories can be tuned for a high volume of search operations.
Lightweight Directory Access Protocol (LDAP) is a model for a directory service which runs over TCP/IP. An LDAP-based directory service stores information in a hierarchical tree structure called a directory information tree. The directory information tree branches out from a root node, where each branch or path leads to another related node of the directory information tree which can store a particular piece of information. Each particular node can be uniquely identified by the path of nodes taken from the root node to reach the particular node. This complete path, which is similar to a directory path for locating computer files, is called a distinguished name (DN). Thus, an entry can correspond to a particular node in the directory information tree, with related nodes above and below.
An attribute can include a type and one or more values such that an attribute type can indicate the type of information to follow. For example, the type "cn" denotes that a common name will follow. Thus, an example of an attribute can be "cn=John Doe" where "cn" is the type denoting that a common name will follow, and "John Doe" can be the value. In this case, "cn=John Doe" can be an attribute of a node closer to the root of the directory information tree, such as a department name, where other attributes beneath the department name can be other employees within that department. It should be appreciated that "cn=John Doe" also can be an entry of the directory information tree where related nodes can be the attributes of John Doe, such as John Doe's department, home address, and other related information. Other attributes can be assigned types as well. For example, an email address can be denoted as "mail" and a JPEG image can be denoted as "jpegPhoto". Thus, the value corresponding to "mail" can be an email address and the value corresponding to "jpegPhoto" can be a photo encoded in binary JPEG format.
Presently within the art, a standard method of controlling user access to directory services using LDAP has yet to be developed. Access Control Lists (ACLs), however, have been used in conjunction with LDAP and directory services in an effort to provide security features. Such implementations typically link a user access group to a particular user classification such as normal (not restricted), sensitive, or critical. Then, a user can be granted a particular set of permissions or privileges for accessing the directory service via access groups. However, using such a limited number of security classifications often does not provide the necessary granularity of access control to the directory service. In other words, ACLs can lack the number of security levels and search restrictions necessary for suitably controlling access to a directory service when using LDAP. Moreover, such solutions are not tailored to the specific access parameters of the directory service being accessed.
Other security implementations utilize attribute based security classifications. Specifically, such implementations can assign security classifications based on an attribute rather than the entry or DN. Using this access system, an entire attribute class within a directory is assigned a specific security classification. For example, in an employee directory, the address attribute can be assigned a sensitive security classification. Under this approach, each address of the directory, regardless of the address's corresponding DN, can be assigned the sensitive security classification. Similarly, telephone numbers can be assigned the critical security classification. In that case each telephone number, regardless of the number's corresponding DN, can be assigned the critical security classification. Similar to ACLs, assigning security classifications to an entire attribute class on a directory wide basis does not provide the necessary granularity of access control to a directory service when using LDAP.
The invention disclosed herein concerns a method and a system for providing extendible access control for Lightweight Directory Access Protocol (LDAP). The invention concerns reformatting a user specified LDAP operation to include application specific parameters within the LDAP operation. The application specific parameters can correspond to access control or security parameters of a directory service. After authenticating a user to an LDAP server, a user can be identified as belonging to a particular access control group. Based on the defined access control group, which can correspond to the user and one or more arguments of the LDAP operation specified by the user, one or more application specific parameters can be included within the user specified LDAP operation. After inclusion of the application specific parameters, the reformatted LDAP operation can be provided to an LDAP search engine. Notably, the invention can be implemented within the scope of LDAP as one or more application programs or plug-ins within an LDAP server.
The inventive method taught herein can begin by receiving from a user an LDAP operation directed to an LDAP search engine. The method can include associating the user with an access control group and reformatting the LDAP operation based on the access control group. The reformatting step can consist of including one or more application specific parameters in the LDAP operation. Additionally, the application specific parameters can correspond to the access control group, to parameters of a directory service, and to arguments of the LDAP operation. Notably, the parameters of the directory service can be security levels, permissions, or access rights. The method further can include the step of providing the reformatted LDAP operation to the LDAP search engine.
Another embodiment of the invention can be a method of providing access control using LDAP. The method can include receiving from a user an LDAP operation directed to an LDAP search engine. The step of associating the user with an access control group can be included. The method further can include reformatting the LDAP operation based on the access control group. Notably, the reformatting step can consist of including one or more application specific parameters in the LDAP operation, where the application specific parameters correspond to the access control group. Additionally, the method can include the step of providing the reformatted LDAP operation to the LDAP search engine.
Another aspect of the invention can be a method of configuring an LDAP access control system. The method can include determining one or more application specific parameters within a directory service. The step of constructing at least one configuration file containing one or more of the application specific parameters corresponding to at least one LDAP access control group can be included. The configuration file can be contained within an LDAP server. The additional step of associating users with the LDAP access control group using a directory information tree can be included. The method further can include constructing an application program which can function as a plug-in within an LDAP server for including the application specific parameters within an LDAP operation.
Another aspect of the invention can be a system for providing access control using LDAP. The system can include a buffer for receiving an LDAP operation and user information, and a directory information tree containing one or more access control groups. The access control groups can be associated with one or more users. Also included in the system can be a configuration file for associating the access control group with one or more application specific parameters to be included in the received LDAP operation. Notably, the application specific parameters can correspond to parameters in a directory service. Further, the system can include an access control application, functioning as a plug-in within an LDAP server, for including the application specific parameters in the LDAP operation based upon the user information.
Another aspect of the invention can be a machine readable storage, having stored thereon a computer program having a plurality of code sections executable by a machine for causing the machine to perform a series of steps. The steps can include receiving from a user an LDAP operation directed to an LDAP search engine. The step of associating the user with an access control group can be included. The machine readable storage can cause the machine to perform the step of reformatting the LDAP operation based on the access control group. Notably, the reformatting step can consist of including one or more application specific parameters in the LDAP operation. The application specific parameters can correspond to the access control group, to parameters of a directory service, and to arguments of the LDAP operation. Notably, the parameters of the directory service can be security levels, permissions, or access rights. The step of providing the reformatted LDAP operation to the LDAP search engine can be included.
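The reformatting method, configuration file and system described above, as an added Python example that is not part of the patent: an authenticated user's search is associated with an access control group through a directory information tree fragment, the group's application specific parameters are read from a configuration file, and the operation is rewritten by conjoining a security-level constraint with the user's filter and removing attributes the group may not receive. The group DNs, the `securityLevel` attribute, the attribute schema and the level values are constructed for the example; the filter is checked for well-formedness before it is wrapped, and an empty attribute list (which LDAP treats as "all attributes") is expanded so the denial cannot be bypassed.

```python
# Added example, not the patent's code: a plug-in step that reformats an authenticated user's
# LDAP search before it reaches the search engine. DNs, attributes and levels are constructed.
from dataclasses import dataclass, field

# Constructed "configuration file": access control group -> application specific
# parameters (highest securityLevel the group may read; attributes it may never receive).
CONFIG = {
    "cn=hr,ou=groups,dc=example,dc=com":    {"max_level": 3, "deny_attrs": set()},
    "cn=staff,ou=groups,dc=example,dc=com": {"max_level": 1,
                                             "deny_attrs": {"ssn", "homePostalAddress"}},
}
# Constructed fragment of the directory information tree: group entries and their members.
DIT_GROUPS = {
    "cn=hr,ou=groups,dc=example,dc=com":    {"uid=alice,ou=people,dc=example,dc=com"},
    "cn=staff,ou=groups,dc=example,dc=com": {"uid=alice,ou=people,dc=example,dc=com",
                                             "uid=bob,ou=people,dc=example,dc=com"},
}
# Constructed attribute schema; an empty LDAP attribute list means "return all attributes".
ALL_ATTRS = ["cn", "mail", "telephoneNumber", "homePostalAddress", "ssn"]

@dataclass
class SearchOp:
    base: str
    filt: str
    attrs: list = field(default_factory=list)   # [] = every attribute

def group_for(user_dn):
    """Associate the user with the most privileged group that lists them."""
    groups = [g for g, members in DIT_GROUPS.items() if user_dn in members]
    if not groups:
        raise PermissionError(f"{user_dn} belongs to no access control group")
    return max(groups, key=lambda g: CONFIG[g]["max_level"])

def _well_formed(flt):
    """Only a balanced, parenthesised filter may be wrapped; anything else could escape the AND."""
    depth = 0
    for ch in flt:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            return False
    return depth == 0 and flt.startswith("(") and flt.endswith(")")

def reformat(op, user_dn):
    """Conjoin the group's securityLevel ceiling with the user's filter; strip denied attributes."""
    params = CONFIG[group_for(user_dn)]
    if not _well_formed(op.filt):
        raise ValueError("malformed filter; refusing to reformat")
    new_filter = f"(&{op.filt}(securityLevel<={params['max_level']}))"
    denied = {a.lower() for a in params["deny_attrs"]}     # expand [] so denial is not bypassed
    return SearchOp(op.base, new_filter, [a for a in (op.attrs or ALL_ATTRS) if a.lower() not in denied])
```

The constraint is conjoined rather than appended, so a well-formed user filter cannot widen its own scope; in a real LDAP server the plug-in would receive the filter already decoded from its ASN.1 encoding rather than as a string, which removes the need for the string-level check.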