
State based Access Control Model in LDAP Servers

IP.com Disclosure Number: IPCOM000171497D
Original Publication Date: 2008-Jun-12
Included in the Prior Art Database: 2008-Jun-12
Document File: 2 page(s) / 38K

Publishing Venue

IBM

Abstract

Disclosed is a system wherein access control of entries can be governed by the current state of the system.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 52% of the total text.

Page 1 of 2

State based Access Control Model in LDAP Servers

INVENTORS - Magesh Rajamani, Hemant Gaikwad, Yogesh V Golwalkar

IBM

Currently, the access control model in Lightweight Directory Access Protocol (LDAP) servers is static in nature. For a given user trying to access a given entry, the access is always determined by the Access Control Information (ACI), irrespective of the state of the server. For example, if an administrator realizes that some of the user ids are compromised and hence wants to temporarily revoke access for all users and allow only administrators access, there is no way of doing that in the current Access Control List (ACL) model other than changing the ACLs manually. There could also be a maintenance state where only specific operations (like search, and no updates) are allowed on the entire directory tree. These are not possible with the current ACL model. Also, for a single target object and a single bind user, there could be a need for different ACLs designed based on the state of the server. For example, in the case of replicated servers that also replicate their ACLs, where one of the servers is in a more secure environment (like an intranet) than another (like the internet), one server needs stricter ACLs than the other while still replicating the ACL information. The current ACL model does not allow this either.

Disclosed is a method of state-based access control where the server supports:
1. Defining states and global ACLs corresponding to each state
2. Extended Operations to set the server state to one of the defined states
3. Applying the global ACLs defined for that state
4. Defining explicit ACL on an entry corresponding to different states
5. Applying the explicit ACL defined for the state with a higher precedence than the global ACL for the state.
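The five steps above, worked through as an added example (not code from the disclosure): a server holds one of a set of defined states, each state has a global ACL, an entry may carry an explicit ACL for a state, and that explicit ACL is taken ahead of the global one. The state names, DNs and operations are constructed, and the explicit ACL is assumed to fully override the global ACL for that entry in that state.

```python
# Added model of state-based LDAP access control (constructed example, not
# the disclosure's own code). ACL format: {subject_dn: set(operations)};
# subject "*" matches any bound user.
NORMAL, LOCKDOWN, MAINTENANCE = "normal", "lockdown", "maintenance"

# Step 1: defined states and the global ACL for each state.
GLOBAL_ACLS = {
    NORMAL:      {"*": {"search", "modify"}},
    LOCKDOWN:    {"cn=admin": {"search", "modify"}},  # compromised ids: admins only
    MAINTENANCE: {"*": {"search"}},                    # read-only directory tree
}
DEFINED_STATES = set(GLOBAL_ACLS)

# Step 4: explicit per-entry ACLs, keyed by state (constructed entries).
ENTRIES = {
    "cn=audit,dc=example": {
        # during maintenance only the auditor may touch this entry
        MAINTENANCE: {"uid=auditor": {"search", "modify"}},
    },
    "cn=users,dc=example": {},  # no explicit ACL: global ACL applies
}


class Server:
    def __init__(self, state=NORMAL):
        self.set_state(state)

    def set_state(self, state):
        # Step 2: models the extended operation; undefined states are rejected.
        if state not in DEFINED_STATES:
            raise ValueError(f"undefined server state: {state}")
        self.state = state

    def is_allowed(self, bind_dn, entry_dn, op):
        # Step 5: an explicit ACL for the current state has precedence
        # (assumed here to replace the global ACL for this entry).
        acl = ENTRIES.get(entry_dn, {}).get(self.state)
        if acl is None:
            acl = GLOBAL_ACLS[self.state]  # Step 3: fall back to the global ACL
        allowed = acl.get(bind_dn, set()) | acl.get("*", set())
        return op in allowed


if __name__ == "__main__":
    # Two replicas with identical ACL data but different states decide differently.
    intranet, internet = Server(NORMAL), Server(LOCKDOWN)
    print(intranet.is_allowed("uid=bob", "cn=users,dc=example", "modify"))  # True
    print(internet.is_allowed("uid=bob", "cn=users,dc=example", "modify"))  # False
```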

The idea disclosed is to have a state-based access control model where ACLs can be managed based on the state of the server. There wou...