
A method of enabling transparent multi-tenancy support for LDAP service

IP.com Disclosure Number: IPCOM000230989D
Publication Date: 2013-Sep-22
Document File: 8 page(s) / 65K

Publishing Venue

The IP.com Prior Art Database

Abstract

The Lightweight Directory Access Protocol (LDAP) is an application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network. To run LDAP as a service in a cloud environment, multi-tenancy support is needed, which traditional LDAP servers lack. Current solutions to support multi-tenancy regard LDAP sub-trees as tenancies: for each tenancy, a separate subtree is dedicated. Our innovative idea is also to regard LDAP sub-trees as tenancies, but to make the sub-trees transparent to each tenancy. A tenancy need not know which subtree it uses. All the control in this architecture is performed by skillfully taking advantage of DSML (Directory Services Markup Language), HTTP 1.1 and DNS. Everything is transparent to the end users; they are served as if by a dedicated LDAP server.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 49% of the total text.

Page 01 of 8

A method of enabling transparent multi-tenancy support for LDAP service

The Lightweight Directory Access Protocol (LDAP) is an application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network.

A brief introduction is available on Wikipedia: http://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol

To run LDAP as a service in a cloud environment, multi-tenancy support is needed, which traditional LDAP servers lack. Current solutions to support multi-tenancy:
The main idea is to regard LDAP sub-trees as tenancies. For each tenancy, a separate subtree is dedicated.

Root
  o=Tenant1
    cn=...
  o=Tenant2
    ou=Finance
      cn=user 1
      cn=user 2
      cn=user 3
      cn=...
  o=Tenant3

Drawbacks:
It is not real multi-tenancy support:

1. Every tenancy knows it is part of a bigger tree. It is not transparent to users.

2. When accessing the users, a full DN like "cn=user1,ou=FINANCE,o=Tenant 2" must be specified instead of simply "cn=user1,ou=FINANCE".

This disclosure introduces a method to transparently separate the above tenants by skillfully taking advantage of DSML (Directory Services Markup Language), HTTP 1.1 and DNS.


1. The tenants will logically look like separate LDAP trees. They will not be aware of the existence of other tenants.

2. When accessing the tenant users, a simple relative DN like "cn=user1,ou=FINANCE" is enough.

Root
  o=Tenant1 (Root)
    cn=...
  o=Tenant2 (Root)
    ou=Finance
      cn=user 1
      cn=user 2
      cn=user 3
      cn=...
  o=Tenant3 (Root)

Take the LDAP search operation as an example.

The normal ways to search for user 1 in tenant 2:

1. Use the ldapsearch command:
ldapsearch -L -h hostname -b "cn=user1,ou=FINANCE,o=Tenant 2" objectclass=*

Output:
dn: cn=user1,ou=Finance,o=Tenant 2
objectclass: person
sn: user1

Search request (DSML over HTTP):
POST /dsml HTTP/1.1
HOST: hostname
Content-Length: 1081
Content-Type: text/xml
SOAPAction: ""
Connection: close

<soap-env:Envelope xmlns:xsd='http://www.w3.org/2001/XMLSchema'
                   xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
                   xmlns:soap-env='http://schemas.xmlsoap.org/soap/envelope/'>
  <batchRequest xmlns='urn:oasis:names:tc:DSML:2:0:core'
                requestID='Batch of search requests'>
    <searchRequest dn="cn=user1,ou=FINANCE,o=Tenant 2"
                   requestID="search on user1"
                   scope="subTree">
      <filter><present name="objectclass"/></filter>
    </searchRequest>
  </batchRequest>
</soap-env:Envelope>

Search response:
HTTP/1.1 200 OK
Cache-control: no-cache
Connection: close
Date: Fri, 15 Dec 2006 09:21:43 GMT
Accept-Ranges: none
Server: Sun-Java(tm)-System-Directory/6.3
Content-Type: text/xml; charset="utf-8"
Content-Length: 1287

<soap-env:Envelope xmlns:xsd='http://www.w3.org/2001/XMLSchema'
                   xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
                   xmlns:soap-env='http://schemas.xmlsoap.org/soap/envelope/'>
  <batchResponse xmlns:xsd='http://www.w3.org/2001/XMLSchema'
                 xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
                 xmlns='urn:oasis:names:tc:DSML:2:0:core'
                 requestID='Batch of search requests'>
  ...
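The abbreviated text shows the DSML request and response but not the component that makes DNs tenant-relative. The following is an added example, not code from the disclosure: a minimal Python model of a DSML gateway in which the HTTP/1.1 Host header (assumed here to be a per-tenant DNS name; the host names, the tenant table and every function name are constructed for this illustration) selects the tenant's subtree, DNs in the batchRequest get the tenant suffix appended, and DNs in the search response get it stripped. The sample request and response are constructed from the ones shown above, with the request carrying the relative DN "cn=user1,ou=FINANCE" that the proposed method lets a client use. The two checks that matter for isolation are that a client DN may never name a tenant root itself, and that an entry from outside the tenant's subtree is never forwarded back.

```python
import re
import xml.etree.ElementTree as ET

DSML_NS = "urn:oasis:names:tc:DSML:2:0:core"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
ET.register_namespace("", DSML_NS)
ET.register_namespace("soap-env", SOAP_NS)

# Constructed tenant table (assumed naming scheme): each tenant gets its own DNS name, and the
# HTTP/1.1 Host header of the DSML request selects the subtree it owns in the shared tree.
TENANT_SUFFIX = {
    "tenant1.dsml.example.test": "o=Tenant 1",
    "tenant2.dsml.example.test": "o=Tenant 2",
    "tenant3.dsml.example.test": "o=Tenant 3",
}
# Split a DN on commas that are not escaped; RFC 4514 allows "\," inside an attribute value.
_RDN_SPLIT = re.compile(r"(?<!\\),")
# Request attributes that carry a DN. newSuperior (modDNRequest) must be rewritten too,
# otherwise a rename could move an entry out of the tenant's subtree.
DN_ATTRS = ("dn", "newSuperior")


class TenantError(Exception):
    """Raised when a request or response would cross a tenant boundary."""


def _rdns(dn):
    return [rdn.strip() for rdn in _RDN_SPLIT.split(dn) if rdn.strip()]


def tenant_for_host(host_header):
    """Map the Host header to the tenant root; an unknown host gets no default tenant."""
    host = host_header.split(":", 1)[0].strip().lower()
    if host not in TENANT_SUFFIX:
        raise TenantError("unknown tenant host %r" % host)
    return TENANT_SUFFIX[host]


def names_tenant_root(client_dn):
    """True if any RDN of the client's DN is itself a tenant root (its own or another one)."""
    roots = {s.lower() for s in TENANT_SUFFIX.values()}
    return any(rdn.lower() in roots for rdn in _rdns(client_dn))


def within_tenant(backend_dn, suffix):
    """True if backend_dn lies under the tenant root given by suffix (RDNs compared case-insensitively)."""
    rdns = [r.lower() for r in _rdns(backend_dn)]
    root = [r.lower() for r in _rdns(suffix)]
    return 0 < len(root) <= len(rdns) and rdns[-len(root):] == root


def to_backend_dn(client_dn, suffix):
    """Turn the tenant-relative DN the client used into the full DN in the shared tree."""
    if names_tenant_root(client_dn):
        raise TenantError("client DN %r names a tenant root" % client_dn)
    return ",".join(_rdns(client_dn) + _rdns(suffix))


def to_client_dn(backend_dn, suffix):
    """Strip the tenant suffix; refuse to hand back an entry from outside the tenant subtree."""
    if not within_tenant(backend_dn, suffix):
        raise TenantError("backend entry %r is outside %r" % (backend_dn, suffix))
    return ",".join(_rdns(backend_dn)[:-len(_rdns(suffix))])


def rewrite_request(dsml_xml, suffix):
    """Rewrite every DN-carrying attribute in a DSML batchRequest to the tenant's full DN."""
    root = ET.fromstring(dsml_xml)
    for el in root.iter():
        for attr in DN_ATTRS:
            if attr in el.attrib:
                el.set(attr, to_backend_dn(el.get(attr), suffix))
    return ET.tostring(root, encoding="unicode")


def rewrite_response(dsml_xml, suffix):
    """Rewrite searchResultEntry DNs back to tenant-relative form, failing closed on a leak."""
    root = ET.fromstring(dsml_xml)
    for el in root.iter("{%s}searchResultEntry" % DSML_NS):
        el.set("dn", to_client_dn(el.get("dn"), suffix))
    return ET.tostring(root, encoding="unicode")


def dns_in(dsml_xml):
    """Every dn attribute value in document order, for inspecting a rewrite."""
    return [el.get("dn") for el in ET.fromstring(dsml_xml).iter() if "dn" in el.attrib]


# Constructed sample request, modelled on the disclosure's but with the relative DN a client sends.
SAMPLE_REQUEST = """<soap-env:Envelope xmlns:soap-env='http://schemas.xmlsoap.org/soap/envelope/'>
<soap-env:Body><batchRequest xmlns='urn:oasis:names:tc:DSML:2:0:core' requestID='Batch of search requests'>
<searchRequest dn="cn=user1,ou=FINANCE" requestID="search on user1" scope="subTree">
<filter><present name="objectclass"/></filter></searchRequest></batchRequest></soap-env:Body></soap-env:Envelope>"""
# Constructed sample response as the backend directory returns it, with the full DN.
SAMPLE_RESPONSE = """<soap-env:Envelope xmlns:soap-env='http://schemas.xmlsoap.org/soap/envelope/'>
<soap-env:Body><batchResponse xmlns='urn:oasis:names:tc:DSML:2:0:core' requestID='Batch of search requests'>
<searchResponse requestID="search on user1"><searchResultEntry dn="cn=user1,ou=Finance,o=Tenant 2">
<attr name="objectclass"><value>person</value></attr><attr name="sn"><value>user1</value></attr>
</searchResultEntry><searchResultDone><resultCode code="0"/></searchResultDone></searchResponse>
</batchResponse></soap-env:Body></soap-env:Envelope>"""

if __name__ == "__main__":
    suffix = tenant_for_host("tenant2.dsml.example.test")
    print(rewrite_request(SAMPLE_REQUEST, suffix))
    print(rewrite_response(SAMPLE_RESPONSE, suffix))
```

Running the module prints the request as the backend would see it and the response as the tenant sees it. The rewrite on its own does not replace access control in the directory: the gateway's bind identity for each tenant should still be confined by the backend's own ACLs to that tenant's subtree, so that a defect in the DN handling cannot read across tenants, and the fail-closed check in to_client_dn is the place to log any entry that arrives from outside the expected subtree.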