Structures for Userid, Password and other resource definition sharing in LDAP and their management
Original Publication Date: 2004-May-18
Included in the Prior Art Database: 2004-May-18
Structures for Userid, Password and other resource definition sharing in LDAP
Structures for Userid, Password and other resource definition sharing in LDAP and
Many operating and application systems can externalize userid, password and other userid related information into LDAP based directory services. They do that via a so called PAM (Pluggable Authentication Module). If many systems connect to the same LDAP service a person can share the password and userid definitions on all the connected systems. So the main driver for establishing such type of LDAP service is to enable a person to use the same password for all Ids as much as possible and to simplify the user admin processes. The so far known implementations have flat structures. That means password and resource definition sharing is only possible if the connected systems have the same user community and very often if they are of the same system type. Assumed we have system A with the userids 1,2,3,4 and system B which should have only the userids 2,4,5 the userids 2 and 4 cannot share passwords and resource definitions in flat structures. The invention addresses the problem of controlling the scope of userids per system on one site and the capability to share password and resource definitions per userid on the other site.
The second part addresses the problem of how to manage such shared Id definitions. On one site a user has the same id and password, and on the other site that can be used in many systems. That situation has to be made transparent to the users if they perform password updates and log into systems. System owners or service providers need to know and to control which users have ids in their environments.
The LDAP information tree is structured into 2 different tree types. One type depicts the systems and the userids that are on a system. The other type depicts persons with passwords and other common id definitions for a person. A LDAP alias or a LDAP referral points in a search for an userid in the systems tree to the user's personal entry. This is in short words the solution for being able to share passwords and id resource definitions and to be still able to define per system the scope of userids that are allowed to use a system.
The second problem is solved by seeing a userid in a LDAP controlled environment as only one userid rather than multipl...