Utilizing ldap directories for application access control and personalization

Abstract

Lightweight LDAP Access Control for authorization and personalization integrates with a directory service for defining sessions for users and groups without requiring read access or modification to directory schemas. In one exemplary illustrative non-limiting implementation, authorization/personalization data is stored in a private data store outside of the LDAP directory (e.g., on a management or other server). When a user attempts to log on to the computer system, the LDAP directory is queried for a list of associated groups and/or organizational units in the normal way. To compute a resulting set of authorization/personalization rules applicable to the user, an entity (.e.g., the management or other server) traverses the organizational hierarchy of the directory groups/OU's, overriding the inherited attributes with explicitly associated ones. Integration with existing user/group/organization unit infrastructures is provided while avoiding the need to deploy additional user/group databases. In one example arrangement, an LDAP directory is queried for the list of groups and OUs during user logon. There is no need to replicate user/group directory data in a private data store of the Management Server. This improves performance and eliminates the need to synchronize data between the directory and the private data store of the Management Server. To compute the resulting set of authorization/personalization rules applicable to a user, the Management Server traverses the organizational hierarchy of directory groups/OUs, overriding the inherited attributes with the explicitly mapped ones. This minimizes the amount of administrative work for restricting access to protected resources for individuals. In many cases, users will simply inherit authorization/personalization data from the group/OUs they are members of.