
Determining Distributed Nested group membership

IP.com Disclosure Number: IPCOM000176667D
Original Publication Date: 2008-Nov-20
Included in the Prior Art Database: 2008-Nov-20
Document File: 2 page(s) / 83K

Publishing Venue



This article provides a mechanism for group processing involving nested groups in a distributed directory setup, using the concept of a dedicated partition for managing nested groups and a 2-phase group evaluation.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 54% of the total text.



Magesh Rajamani, Yogesh V Golwalkar, Kristin M Hazlewood.

In a distributed directory environment, determining the groups to which an entry belongs is not straightforward. This becomes all the more complex if there are nested groups in the environment.

Nested groups are groups that have another group as a member. So if an entry E1 is a member of group G and group G is a member of nested group NG1, then entry E1 is a member of both G and NG1. Assume that E1, G and NG1 as discussed above are part of a distributed environment. Also assume that we have more nested groups, such as NG2, which has NG1 as its member, and NG3, which has NG2 as a member. Also assume that the distributed environment has a proxy server which manages 3 partitions, with servers S1, S2 and S3 corresponding to each partition, and that the entries discussed above are distributed as E1 and NG3 in server S1, G and NG2 in server S2, and NG1 in server S3. In this scenario, if a client requests all the groups that E1 belongs to, the proxy should first send a request to all servers to find the groups that E1 belongs to, which will return only G. With this information, it should again request from all the servers the list of groups that G is a member of, which will return NG1. It needs to repeat this step to get NG2 and NG3. Hence this kind of all-groups search could become very costly.

In addition to this, cycles are not allowed in groups, which means that in our example we cannot make NG3 a member of G. Therefore, during group addition a lot of processing will be required to identify cycles.

Access control processing depends on identifying the groups to which a particular user belongs. Therefore getting the full list of groups is vital for true distributed group processing (which involves nested groups as well).
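
The repeated fan-out search and the cycle rule described above, as an added example (not code from the disclosure): a small Python simulation of the proxy querying S1, S2 and S3 level by level and counting backend requests. The function names and the in-memory server layout are assumptions made for illustration.

```python
# Constructed sample data following the text's layout:
# E1 and NG3 on S1, G and NG2 on S2, NG1 on S3.
# Each server maps a group name to the set of its direct members.
SERVERS = {
    "S1": {"NG3": {"NG2"}},
    "S2": {"G": {"E1"}, "NG2": {"NG1"}},
    "S3": {"NG1": {"G"}},
}

def groups_containing(server, member):
    """One backend search: groups on this server that list `member` directly."""
    return {g for g, members in server.items() if member in members}

def all_groups(servers, entry):
    """Naive proxy resolution: ask every server once per member per nesting level.
    Returns (set of groups, number of backend requests issued)."""
    found, frontier, requests = set(), {entry}, 0
    while frontier:
        next_frontier = set()
        for member in frontier:
            for server in servers.values():
                requests += 1
                next_frontier |= groups_containing(server, member)
        # Only follow groups not seen before, so the loop also terminates
        # if the stored data already contains a cycle.
        frontier = next_frontier - found
        found |= frontier
    return found, requests

def would_create_cycle(servers, group, new_member):
    """Adding `new_member` to `group` creates a cycle when `group` is already
    a direct or nested member of `new_member` (or they are the same group)."""
    ancestors, _ = all_groups(servers, group)
    return new_member == group or new_member in ancestors

if __name__ == "__main__":
    groups, requests = all_groups(SERVERS, "E1")
    print(sorted(groups), "resolved with", requests, "backend requests")
    print("NG3 as member of G is a cycle:", would_create_cycle(SERVERS, "G", "NG3"))
```

With four nesting levels and three servers, the lookup for E1 costs five rounds of three requests, and every cycle check on group addition pays for the same kind of search.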

In a distributed directory environment with a proxy server, entry addition is routed through the proxy server. The proxy server identifies the target partition that the entry should reside on and adds it to the server in that partition. In our disclosure, one of the partitions will be identified as the one which will handle nested group resolution (let us call it NGP, Nested Group Partition). The proxy will identify the target partition for this entry. If the target partition is the same as NGP, it will go ahead and add the entry as is. Otherwise, apart from adding the entry to the target partition, the proxy will also add the entry to NGP. While adding, the proxy will use 2 additional controls. The first control will inform the backend