1. Field of the Invention
The present invention relates generally to systems and methods for configuring and controlling remote access to LDAP clients by users who are organized into groups of users.
2. Background of the Invention
There are many texts and references available in the art regarding Lightweight Directory Access Protocol, or “LDAP”, including “Integrating AIX into Heterogeneous LDAP Environments” by Ed Geraghty, et al., Fourth Edition, published in May, 2006, and “Understanding LDAP: Design and Implementation” by Steven Tuttle, et al., Second Edition, published in June, 2004, both published by International Business Machines Corp.
According to Denis Howe's Free Online Dictionary of Computing (FOLDOC), Lightweight Directory Access Protocol, or “LDAP”, is an open, standardized protocol defined by the Internet Engineering Task Force, or “IETF”, for accessing online directory services such as structured repositories of information regarding an organization's resources, personnel, etc.
LDAP was developed in response to shortcomings of the more complicated X.500 structure defined by the International Telecommunications Union, which did not provide for efficient integration of the Internet with other networks.
The protocol includes aspects of user information, hardware and software information for those users, as well as some policies governing the rights and privileges assigned to those users for accessing information in the LDAP repositories.
By abstracting all of this detailed network information, users are allowed to access the repositories, and to interact with each other, with little or no knowledge of the details of the network topology, or the various protocols being used by each user to access the network.
Many companies have adopted or added support for LDAP to their computing products, including Netscape, Novell, Sun, Hewlett-Packard, IBM, Lotus, Banyan, and Silicon Graphics, Inc.
Basics of LDAP.
This disclosure is written with the understanding that one of ordinary skill in the art has a basic understanding of LDAP, its installation, configuration, operation, and administration.
LDAP directories contain “entries” organized usually in a hierarchical structure mimicking geographic or organizational structures, such as that shown in FIG. 5, which is substantially reproduced from the book “Understanding LDAP: Design and Implementation” by Steven Tuttle. This eases conceptualization of how the stored data relates to the organization that owns it, uses it, or produces it. This structure can be called a “tree” (500), where the “top of the tree” (501) represents the highest level of the organization, highest level of integration, or highest level of abstraction of the organization. Entries placed in the “tree” below the top of the tree (502-504) represent subsets or groups within the entity at the top of the tree. For example, for a corporate database, the top of the tree might represent the entire corporation's personnel directory. At a first level down from the top might be several global regions, such as North America, Asia, Europe, Africa/Middle East, etc. Below that level might be specific divisions of the company within countries, such as India below Asia, Canada below North America, Germany below Europe, etc. And, further below the countries may be national regions, such as Punjab below India, Ontario below Canada, or Bayern below Germany. At a bottom level may be one or more actual data repositories, such as a human resources database containing names of all employees for that corporation in that country and state or province, and certain other information about those employees, such as telephone number, building and location, immediate manager, job title, etc.
LDAP directory entries are collections of attributes, where the attribute collection is identified by a “distinguished name”, or “DN”. Each DN unambiguously and uniquely refers to one and only one LDAP entry.
Each attribute within an entry is assigned a “type” (variable, constant, functions, expression, etc.) and one or more “values”. For ease of use, mnemonic strings are often used for the type, such as “mail” for an email address attribute or “jpegPhoto” for a photograph file. The “values” of an email address attribute, for example, must conform to the format of an email address.
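The tree, distinguished-name and attribute concepts of the three preceding paragraphs, modelled in code. This is an added illustration and not part of the patent text: it builds a small in-memory directory shaped like the FIG. 5 example (organization, regions, countries, provinces, a personnel repository), derives each entry's DN from its position in the tree, enforces that every DN is unique, and checks attribute values against a per-type syntax (here “mail” and “telephoneNumber”). The organization name “ExampleCorp”, the person “Smith, John” and the attribute validators are constructed for the example. RDN values are escaped as RFC 4514 requires, so a value that itself contains a comma cannot be mis-read as an extra level of the tree; that escaping step is the one most often skipped by code that assembles DNs by string concatenation.

```python
"""Toy model of an LDAP directory tree keyed by distinguished name (DN)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Characters that RFC 4514 requires to be backslash-escaped inside an RDN value.
_RDN_SPECIAL = re.compile(r'([,+"\\<>;=])')


def escape_rdn_value(value: str) -> str:
    """Escape a raw value so it can be embedded in a DN without changing the DN's structure."""
    escaped = _RDN_SPECIAL.sub(r'\\\1', value)
    if escaped.startswith((' ', '#')):      # leading space or '#' is also special
        escaped = '\\' + escaped
    if escaped.endswith(' '):               # as is a trailing space
        escaped = escaped[:-1] + '\\ '
    return escaped


def split_dn(dn: str) -> List[str]:
    """Split a DN into its RDNs; only an unescaped comma separates RDNs."""
    parts: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == '\\' and i + 1 < len(dn):   # keep escape pair intact
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ',':
            parts.append(''.join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append(''.join(buf).strip())
    return parts


# Constructed attribute syntaxes: the "mail" type must look like an email address, etc.
_EMAIL = re.compile(r'^[^@\s]+@[^@\s]+\.[^@\s]+$')
_PHONE = re.compile(r'^\+?[\d\s\-()]{5,}$')
ATTRIBUTE_SYNTAX = {
    'mail': lambda v: bool(_EMAIL.match(v)),
    'telephoneNumber': lambda v: bool(_PHONE.match(v)),
}


def validate_attributes(attributes: Dict[str, List[str]]) -> List[str]:
    """Return one message per value that violates its attribute type's syntax."""
    errors = []
    for atype, values in attributes.items():
        check = ATTRIBUTE_SYNTAX.get(atype)
        if check is None:
            continue                          # no syntax registered: accept any string
        errors.extend(f'{atype}: invalid value {v!r}' for v in values if not check(v))
    return errors


@dataclass
class Entry:
    dn: str
    attributes: Dict[str, List[str]] = field(default_factory=dict)


class Directory:
    """Entries stored by DN; each DN refers to exactly one entry."""

    def __init__(self) -> None:
        self._entries: Dict[str, Entry] = {}

    def add(self, rdn: str, parent_dn: Optional[str],
            attributes: Optional[Dict[str, List[str]]] = None) -> str:
        if parent_dn is not None and parent_dn not in self._entries:
            raise KeyError(f'parent entry does not exist: {parent_dn}')
        dn = rdn if parent_dn is None else f'{rdn},{parent_dn}'
        if dn in self._entries:
            raise ValueError(f'DN already exists: {dn}')
        attrs = attributes or {}
        errors = validate_attributes(attrs)
        if errors:
            raise ValueError('; '.join(errors))
        self._entries[dn] = Entry(dn, attrs)
        return dn

    def get(self, dn: str) -> Optional[Entry]:
        return self._entries.get(dn)

    def children(self, parent_dn: str) -> List[str]:
        parent = split_dn(parent_dn)
        return [dn for dn in self._entries if split_dn(dn)[1:] == parent]

    def subtree(self, base_dn: str) -> List[str]:
        base = split_dn(base_dn)
        return [dn for dn in self._entries if split_dn(dn)[-len(base):] == base]


def build_example_tree() -> Directory:
    """Constructed tree in the shape of the FIG. 5 example: org, regions, countries, provinces, HR."""
    d = Directory()
    top = d.add('o=ExampleCorp', None)
    for region in ('North America', 'Asia', 'Europe'):
        d.add('ou=' + escape_rdn_value(region), top)
    asia, na = 'ou=Asia,' + top, 'ou=North America,' + top
    d.add('c=IN', asia)                       # India below Asia
    d.add('c=CA', na)                         # Canada below North America
    d.add('st=Punjab', 'c=IN,' + asia)
    ontario = d.add('st=Ontario', 'c=CA,' + na)
    hr = d.add('ou=HR', ontario)              # the personnel repository at the bottom level
    d.add('cn=' + escape_rdn_value('Smith, John'), hr, {
        'mail': ['john.smith@example.com'],
        'telephoneNumber': ['+1 416 555 0100'],
        'title': ['Engineer'],
    })
    return d


if __name__ == '__main__':
    directory = build_example_tree()
    for dn in directory.subtree('c=CA,ou=North America,o=ExampleCorp'):
        print(dn)
```

Because `split_dn` honours the backslash escape, the entry for “Smith, John” sits four levels below the Canadian country entry rather than being parsed into an extra RDN, and `validate_attributes` rejects a “mail” value that is not shaped like an address before the entry is stored.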
Some of those in the art think of LDAP less as a data arrangement and more as a protocol, because the LDAP specification actually specifies messages, responses, and procedures for accessing LDAP-arranged data. As a protocol, it enables heterogeneous application programs to access the same data repository, such as the arrangement (600) shown in FIG. 6 where application servers, web servers, email applications, and a telephone directory application all access a common data repository (601) by employing LDAP concepts and protocols. FIG. 6 is also substantially reproduced from Tuttle's book mentioned in the previous paragraphs.
As such, LDAP directories, and the LDAP protocol, are well known and widely used by companies, organizations, and governments worldwide. Improvements to LDAP are expected to be profitable and to have significant impact due to this large user base.