
Method for allowing managed endpoint group based LDAP login to system management applications

IP.com Disclosure Number: IPCOM000238635D
Publication Date: 2014-Sep-09
Document File: 2 page(s) / 31K

Publishing Venue

The IP.com Prior Art Database

Abstract

A method for allowing managed endpoint group based Lightweight Directory Access Protocol (LDAP) login to system management applications is disclosed.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 52% of the total text.

Disclosed is a method for allowing managed endpoint group based Lightweight Directory Access Protocol (LDAP) login to system management applications.

A common requirement for system management applications / appliances (apps) is to support LDAP user login. The app can be set up to talk to an LDAP server that contains user records. System administrators (admins) can log into the app using their LDAP IDs to manage any managed endpoints. A common drawback, however, is that once the app is configured to allow LDAP log-in, any LDAP user can log into any app regardless of the user's work assignment.

In a large environment with a large number of managed endpoints, perhaps managed by a distribution of apps, there is a need to assign system admins to manage select sets of endpoints rather than the whole collection. Some known group based LDAP login solutions include:

Proprietary solutions where one or more objects that map to LDAP sub-trees can be specified, which the solution then uses to search for user objects in the LDAP server. Similar solutions use Distinguished Names and / or Organizational Units.

Group specification in pam_access can be used, but care needs to be taken to allow local users to log in in case LDAP fails.

The drawback of these known solutions is that they only restrict users to the app itself, not to the endpoints it is managing. That is, users cannot be restricted to logging in only to those apps that manage certain endpoints (it should be noted that which apps are managing which endpoints is dynamic).

Disclosed is a method to configure apps to maintain a dynamic group attribute specifying a list of managed endpoints. LDAP user records are defined to contain a group assignment attribute specifying endpoints this user is authorized to manage. This group assignment a...
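The check described above, as an added example that is not part of the disclosure: the app keeps a dynamic set of the endpoints it currently manages, reads the user's endpoint assignment attribute from the LDAP record, and admits the login only if the two overlap. The attribute name `managedEndpointGroup`, the "at least one shared endpoint" rule, and the sample directory records are all assumptions.

```python
"""Endpoint-group gated LDAP login (added example, not the disclosure's code)."""
from dataclasses import dataclass, field

# Hypothetical attribute name; the disclosure does not give the LDAP schema.
ENDPOINT_ATTR = "managedEndpointGroup"

# Constructed user records, shaped like python-ldap's search_s() result:
# a list of (dn, {attribute: [bytes, ...]}) tuples per user.
SAMPLE_LDAP_RESULTS = {
    "alice": [("uid=alice,ou=people,dc=example,dc=com",
               {ENDPOINT_ATTR: [b"rack-a01", b"rack-a02"]})],
    "bob":   [("uid=bob,ou=people,dc=example,dc=com",
               {ENDPOINT_ATTR: [b"rack-z99"]})],
    "carol": [("uid=carol,ou=people,dc=example,dc=com", {})],  # no assignment
}


@dataclass
class ManagementApp:
    # Updated by the app as endpoints are added to or removed from its care.
    managed_endpoints: set = field(default_factory=set)

    def lookup_user(self, uid):
        """Stand-in for the LDAP search; raises when the directory fails."""
        if uid not in SAMPLE_LDAP_RESULTS:
            raise LookupError("LDAP unreachable or user not found")
        return SAMPLE_LDAP_RESULTS[uid]

    def authorized_endpoints(self, uid):
        """Endpoints the user may manage that this app currently manages."""
        assigned = set()
        for _dn, attrs in self.lookup_user(uid):
            assigned.update(v.decode() for v in attrs.get(ENDPOINT_ATTR, []))
        return assigned & self.managed_endpoints

    def can_login(self, uid):
        """Admit the login only when at least one managed endpoint is shared."""
        return bool(self.authorized_endpoints(uid))


if __name__ == "__main__":
    app = ManagementApp({"rack-a01", "rack-b07"})
    for user in ("alice", "bob", "carol"):
        print(user, "->", "allowed" if app.can_login(user) else "denied")
```

Because the managed set is consulted at each login, reassigning an endpoint to another app changes who may log in without any change to the directory records.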