Centrify v. Quest Software

Date post: 07-Apr-2018
8/4/2019 Centrify v. Quest Software

EDWARD V. ANDERSON (SBN 83148) [email protected]
B. MORRILL (SBN 35488) [email protected]
H. KANG (SBN 158101) pkang@sidley.com
SIDLEY AUSTIN LLP
1001 Page Mill Road, Building 1
Palo Alto, CA 94304
Telephone: 650-565-7000
Facsimile: 650-565-7100

RUSSELL L. JOHNSON (SBN 53833) [email protected]
W. WOO (SBN 196459) [email protected]
M. SANDROCK (SBN 251781) rsandrock@sidley.com
ASEEM S. GUPTA (SBN 252858) [email protected]
SIDLEY AUSTIN LLP
555 California Street
San Francisco, CA 94104
Telephone: 415-772-1200
Facsimile: 415-772-7400

Attorneys for Plaintiff Centrify Corporation

UNITED STATES DISTRICT COURT
NORTHERN DISTRICT OF CALIFORNIA

CENTRIFY CORPORATION, Plaintiff,
v.
QUEST SOFTWARE, INC., Defendant.

COMPLAINT FOR PATENT INFRINGEMENT
DEMAND FOR JURY TRIAL


Plaintiff Centrify Corporation ("Centrify"), by its attorneys, hereby alleges as follows:

PRELIMINARY STATEMENT

1. This is an action for patent infringement under the patent laws of the United States, 35 U.S.C. § 1 et seq., from the defendant's direct and indirect infringement of United States Patent No. 8,024,360.

PARTIES

2. Plaintiff Centrify Corporation is a Delaware corporation with its principal place of business at 785 N. Mary Avenue, Suite 200, Sunnyvale, California 94085.

3. On information and belief, Defendant Quest Software, Inc. ("Quest") is a Delaware corporation with a principal place of business at 5 Polaris Way, Aliso Viejo, California 92656.

JURISDICTION AND VENUE

4. This is an action for patent infringement, arising under 35 U.S.C. § 1 et seq. generally, and 35 U.S.C. §§ 271(a)-(c) specifically.

5. This Court has subject matter jurisdiction over this dispute pursuant to 28 U.S.C. §§ 1331 and 1338(a).

6. The Court has personal jurisdiction over Quest because Quest committed and is committing acts of infringement in this Judicial District and is doing business in this Judicial District at 469 El Camino Real, Santa Clara, CA 95050.

7. Venue is proper in this District pursuant to 28 U.S.C. §§ 1391 and 1400(b) because a substantial part of the events giving rise to Plaintiff's cause of action occurred in this Judicial District.

INTRADISTRICT ASSIGNMENT

8. This patent action is in an excepted category for Local Rule 3-2(c), Assignment to a Division, and will be assigned on a district-wide basis.

FACTUAL BACKGROUND

9. On September 20, 2011, the United States Patent and Trademark Office issued U.S. Patent No. 8,024,360 ("the '360 Patent") entitled "Method and Apparatus for Maintaining Multiple Sets of Identity Data." Centrify is the owner by assignment of all right, title and interest to the '360 Patent, including all rights to enforce the '360 Patent and to collect past and future damages for infringement. A copy of the '360 Patent is attached as Exhibit A.

10. Quest makes, uses, and sells the Quest Authentication Services software product ("QAS"), including at least version 4.0 of the software product, as well as earlier and subsequent versions thereof.

11. QAS provides a feature called "personalities" for associating Unix identity information from distinct zones with a single global entity record on a network.

FIRST CAUSE OF ACTION
(Defendant's infringement of the '360 Patent)

12. Quest sells QAS to its customers, and at least some of those customers use the personalities feature of QAS.

13. Quest provides documentation, instructions, and other support to customers for the personalities feature of QAS.

14. Plaintiff incorporates each of the preceding paragraphs 1-13 as if fully stated herein.

15. Quest, in making, using, selling, offering for sale, importing into the United States and/or exporting from the United States its Quest Authentication Services software product, including version 4.0, and reasonably similar products or services, has infringed and continues to infringe one or more claims of the '360 Patent under 35 U.S.C. § 271. In particular, Quest makes, uses, sells, offers for sale, imports into the United States and/or exports from the United States computer readable media in accordance with one or more apparatus claims of the '360 Patent or operating in accordance with one or more method claims of the '360 Patent, including but not limited to exemplary claims 1, 8, 9, and 10. Quest further actively induces infringement of the '360 Patent through, for example, providing customers with instructions and support for Quest Authentication Services and other reasonably similar products or services. Quest contributorily infringes the '360 Patent by making Quest Authentication Services, its personalities feature and reasonably similar products or services, which have no substantial non-infringing uses, and which Quest sells to its customers.

16. As a result of Quest's infringement of the '360 Patent, Centrify has lost profits and suffered irreparable harm, and will continue to lose profits and suffer irreparable harm unless and until Centrify is enjoined by this Court from future infringement.

PRAYER FOR RELIEF

WHEREFORE, Plaintiff respectfully prays that this Court enter a judgment as follows:

A. Judgment that the '360 Patent is valid and enforceable.

B. Judgment that the Defendant has directly and/or indirectly infringed the claims of the '360 Patent.

C. Award Centrify compensatory damages, in an amount to be ascertained at trial, pursuant to 35 U.S.C. § 284.

D. Award Centrify compensatory damages, in an amount to be ascertained by an accounting of the amount of damages suffered by Centrify between the close of fact discovery and the entry of final judgment.

E. Permanently enjoin Quest and its officers, directors, employees and agents from infringing or inducing others to infringe the '360 Patent.

F. Award Centrify interest and costs.

G. Award Centrify such other and further relief as this Court deems just and

Dated: September 20, 2011    SIDLEY AUSTIN LLP

By: [signature] Edward V. Anderson
Attorneys for Plaintiff Centrify Corporation.

DEMAND FOR JURY TRIAL

Plaintiff respectfully requests a jury trial on all issues triable thereby.

Dated: September 20, 2011    SIDLEY AUSTIN LLP

By: [signature] Edward V. Anderson
Attorneys for Plaintiff Centrify Corporation.


(12) United States Patent
Moore

(54) METHOD AND APPARATUS FOR MAINTAINING MULTIPLE SETS OF IDENTITY DATA
(75) Inventor: Paul Moore, Mercer Island, WA (US)
(73) Assignee: Centrify Corporation, Mountain View, CA (US)
(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 695 days.
(21) Appl. No.: 11/009,921
(22) Filed: Dec. 10, 2004
(65) Prior Publication Data: US 2006/0129570 A1, Jun. 15, 2006
(51) Int. Cl.: G06F 7/00 (2006.01); G06F 17/30 (2006.01)
(52) U.S. Cl.: 707/785
(58) Field of Classification Search: 705/40; 709/220; 370/328; 713/182; 707/1, 9, 785, 707/999.001, 999.009, 999.01. See application file for complete search history.
(56) References Cited


(10) Patent No.: US 8,024,360 B2
(45) Date of Patent: Sep. 20, 2011


Primary Examiner: Mohammad Ali
Assistant Examiner: Patrick Damo
(74) Attorney, Agent, or Firm: Blakely, Sokoloff, Taylor & Zafman

(57) ABSTRACT

A method of assigning the UNIX computers in a network to one of a plurality of groups called zones, of creating independent sets of UNIX identity information for each network entity (user or group) for separate zones, and of associating an entity's sets of UNIX entity information with a single global entity record for the entity in the network's identity resolver. A further method of allowing a UNIX computer to request entity information from the identity resolver, and of the identity resolver returning resolved entity information appropriate for the requesting computer's zone. A further method of managing sets of zone-specific UNIX identity information in the identity resolver to ensure that entity names and entity identification numbers are not duplicated within a zone and to allow the same names and numbers to be duplicated across zones. Other embodiments are also described.

10 Claims, 9 Drawing Sheets

[Front-page figure: AD User Record (global user record) showing the global user name and standard user account data (540); image not reproduced.]

[The nine drawing sheets of US 8,024,360 B2 (Sep. 20, 2011) are images; only their labels survive in this copy.]

Sheet 1 of 9: Figure 1A
Sheet 2 of 9: Figure 1B
Sheet 3 of 9: Figure 2
Sheet 4 of 9: Figure 3 (Administrator)
Sheet 5 of 9: Figure 4 (global user record with zone user records: standard user account data, home directory, primary group) and Figure 5 (Group Record (global group record) with standard group account data)
Sheet 6 of 9: Figures 6A, 6B and 6C (AD User Record (global user record) with global user name and standard user account data) and Figure 7A (global group record with zone group records: UNIX group names, GIDs)
Sheet 7 of 9: Figure 7B (AD Group Record (global group record), global group name "operators", standard group account data)
Sheet 8 of 9: flowchart (labels illegible)
Sheet 9 of 9: Figure 9 (group lookup flow: a process on a UNIX computer requests a lookup of group name "staff"; the zone logic looks up the computer's zone in zone configuration data; the resolver finds the global group record, queries the zone group record for that zone and returns the UNIX group name)

METHOD AND APPARATUS FOR MAINTAINING MULTIPLE SETS OF IDENTITY DATA

BRIEF DESCRIPTION OF THE INVENTION

Embodiments of this invention work with computers running UNIX (or a variation of UNIX) and an identity resolver (such as a directory server) within a network of computers. Embodiments of the invention allow the association of multiple sets of UNIX identity information (user or group names, user or group identification numbers, and similar data) with a single global entity record in an identity resolver database. When the user logs on to a UNIX computer, an embodiment of the invention selects the correct set of UNIX identity information based on the logical grouping of computers (a zone) to which that UNIX computer belongs. The UNIX computer also uses the UNIX identity information at other times for identity lookup, such as when the computer looks up the user name associated with a given UNIX user identification number.

BACKGROUND

Any network of UNIX computers relies on identity information to identify computer users and groups of computer users on the network. For example, when a user logs onto a network computer, he provides a user name to identify himself. Once the user is logged in, he is associated with a pre-assigned user identification number (UID) that is used within any computer on the network to identify that user. Files use UIDs to indicate file ownership, and UNIX operations use UIDs to report user activity. Other user identity information may include the user's real name, the user's home directory, the type of shell he prefers to use, and the primary group of users to which he belongs.

Groups of users within a network likewise have identity information: a group name and an associated group identification number (GID).

Identity information is typically stored by an identity resolver (usually a directory server) attached to the network. The resolver stores the data in user records and group records, known collectively as entity records. The resolver may be an Active Directory (AD) server, a Lightweight Directory Access Protocol (LDAP) server, or other type of identity resolver such as a relational database.

Any computer can request identity information from the resolver by supplying an entity identifier (typically a user name, UID, group name, or GID). When a user logs on to a UNIX computer and supplies a user name, for example, the computer can request the UID, home directory, preferred shell, and principal group associated with that user name. Or a computer can ask the directory server to find the user name associated with the UID indicated as the owner of a file.

Entity identifiers used within a single network of UNIX computers must be unique for each entity within the network. If, for example, two users have the same user name, or if a single user name is associated with two different UIDs, then computers in the network cannot establish identity for a user name or UID. The same is true for group names and GIDs.

When a single UNIX network grows from scratch into a full network, entity name and ID duplication is generally not a problem. Each newly generated user name, UID, group name, and GID is checked against existing names and IDs to make sure it is not a duplicate.

Problems frequently arise, however, when two or more existing UNIX networks are linked together and their directories are consolidated into a single master directory for all networks. Because the original directories have developed names and IDs in ignorance of each other, it is not only possible but likely that they have used the same entity names and ID numbers. When the directories are consolidated, these identical names and IDs conflict, make user and group identity uncertain, and require that many user and group records be reassigned unique names and IDs. This creates a significant amount of work for system administrators and often for users who may be forced to use a new name for log-on.

SUMMARY OF THE INVENTION

Embodiments of this invention provide methods of creating multiple sets of UNIX identity information for each network entity, one set for each group of UNIX computers (called a zone) in the network. Each of these information sets is a zone entity record. A zone entity record contains zone-specific information for an entity. That information identifies and defines the entity within a single zone of computers. For example, a zone entity record may contain UNIX identity information such as a UNIX user name, UID, preferred shell, primary group, and a home directory that identifies a user within a single zone.

An embodiment of the invention stores zone entity records in the identity resolver for the network. The embodiment also stores a set of global entity records there. A global entity record contains identity information that identifies an entity across zones and any other computers in the network, including non-UNIX computers. A global entity record contains a global entity name and other identity information. A global user record, for example, contains a global user name that identifies a user throughout the entire network, and might also contain a password for the user, the user's real name, and other user information.

Embodiments of the invention associate all zone entity records for a single entity with the global entity record for the same entity. The identity resolver can use the associations in a global entity record to find zone entity records for an entity. For example, a directory server can find a global user record and examine an associated zone user record that contains UNIX identity information for the user within a particular zone. It is convenient to think of the global entity record as containing all its associated zone entity records, but these records need not be kept together physically in a single database. All that is necessary is that the zone data associated with a global entity record be accessible given a global entity identifier and a zone identifier, and vice versa: that a zone record contain enough information to locate its associated global record.

All the computers in a zone use a common set of user names, UIDs, group names, and GIDs. These identifiers are unique and non-conflicting within the zone. Computers in a second, different zone also use a common set of identity data for that second zone. However, identity data may conflict between zones. For example, the computers of a first zone may learn from the resolver that UID 504 identifies files and processes in the first zone that belong to John Doe, while the computers of a second zone may learn that the same UID, 504, identifies files and processes in the second zone that belong to a different entity, Mary Smith. John Doe and Mary Smith will possess unique, nonconflicting global entity identifiers, but (as this example shows) they may be associated with conflicting zone entity records.
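The rules the abstract and this Summary describe (one zone record per entity per zone, UNIX names and UIDs unique within a zone but free to repeat across zones, every lookup answered according to the requesting computer's zone), as an added Python model; this is not code from the complaint, the patent or any Centrify or Quest product, and the class names, record layout and sample data (John Doe and Mary Smith sharing UID 504 in different zones, Alex Hsu with no zone 3 record) are constructed from the text for illustration.

```python
"""Zone-aware identity resolution as the '360 Patent describes it.
Added example, not code from the complaint, the patent or any Centrify or Quest
product; class names, record layout and all sample data are constructed."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ZoneUserRecord:
    """Zone-specific UNIX identity for one user in one zone."""
    zone: str
    unix_name: str
    uid: int
    shell: str
    home: str
    primary_group: str


@dataclass
class GlobalUserRecord:
    """Network-wide record (an AD user, say); zone records hang off it."""
    global_name: str
    real_name: str
    zones: dict = field(default_factory=dict)  # zone name -> ZoneUserRecord


class ZoneConflict(ValueError):
    """A UNIX name or UID would be duplicated within a single zone."""


class IdentityResolver:
    """Global records, their zone records, and computer -> zone configuration."""

    def __init__(self):
        self._users = {}          # global_name -> GlobalUserRecord
        self._computer_zone = {}  # computer -> zone (its zone configuration data)

    def add_global_user(self, rec):
        self._users[rec.global_name] = rec

    def assign_computer(self, computer, zone):
        self._computer_zone[computer] = zone

    def add_zone_record(self, global_name, zrec):
        """Attach a zone record; a name or UID may repeat across zones but never
        collide with another entity's record inside the same zone."""
        for other in self._users.values():
            existing = other.zones.get(zrec.zone)
            if other.global_name == global_name or existing is None:
                continue
            if existing.unix_name == zrec.unix_name or existing.uid == zrec.uid:
                raise ZoneConflict(f"{zrec.unix_name}/{zrec.uid} collides with "
                                   f"{existing.unix_name}/{existing.uid} in {zrec.zone}")
        self._users[global_name].zones[zrec.zone] = zrec

    def resolve_user(self, computer, identifier):
        """Answer a lookup from `computer` by global name, zone user name or UID,
        consulting only the record for that computer's zone; None means no account."""
        zone = self._computer_zone[computer]
        for user in self._users.values():
            zrec = user.zones.get(zone)
            if zrec is not None and identifier in (user.global_name, zrec.unix_name, zrec.uid):
                return zrec
        return None


def build_example():
    """Constructed sample network: zones 1-3, computers A-G, three users."""
    r = IdentityResolver()
    for comp, zone in {"A": "zone1", "B": "zone1", "C": "zone2", "D": "zone2",
                       "E": "zone3", "F": "zone3", "G": "zone3"}.items():
        r.assign_computer(comp, zone)
    for name, real in [("john.doe@example.test", "John Doe"),
                       ("mary.smith@example.test", "Mary Smith"),
                       ("alex.hsu@example.test", "Alex Hsu")]:
        r.add_global_user(GlobalUserRecord(name, real))
    # UID 504 is John Doe in zone 1 but Mary Smith in zone 2: legal across zones.
    # Alex Hsu has records for zones 1 and 2 only, hence no account in zone 3.
    for owner, zrec in [
        ("john.doe@example.test", ZoneUserRecord("zone1", "jdoe", 504, "/bin/sh", "/home/jdoe", "staff")),
        ("mary.smith@example.test", ZoneUserRecord("zone2", "msmith", 504, "/bin/bash", "/home/msmith", "staff")),
        ("alex.hsu@example.test", ZoneUserRecord("zone1", "ahsu", 1001, "/bin/bash", "/home/ahsu", "operator")),
        ("alex.hsu@example.test", ZoneUserRecord("zone2", "alex", 2001, "/bin/sh", "/home/alex", "staff")),
    ]:
        r.add_zone_record(owner, zrec)
    return r


def demo():
    """Run the lookups the text walks through and report the outcomes."""
    r = build_example()
    out = {
        "uid504_on_A": r.resolve_user("A", 504).unix_name,                    # zone 1: jdoe
        "uid504_on_C": r.resolve_user("C", 504).unix_name,                    # zone 2: msmith
        "alex_global_on_B": r.resolve_user("B", "alex.hsu@example.test").uid,  # 1001
        "alex_zone_name_on_D": r.resolve_user("D", "alex").home,              # /home/alex
        "alex_on_F": r.resolve_user("F", "alex.hsu@example.test"),            # None
    }
    # A second entity claiming UID 504 inside zone 1 must be rejected.
    r.add_global_user(GlobalUserRecord("pat.lee@example.test", "Pat Lee"))
    try:
        r.add_zone_record("pat.lee@example.test",
                          ZoneUserRecord("zone1", "plee", 504, "/bin/sh", "/home/plee", "staff"))
        out["dup_uid_in_zone1_rejected"] = False
    except ZoneConflict:
        out["dup_uid_in_zone1_rejected"] = True
    return out
```

A real deployment would also apply the same per-zone uniqueness check to group names and GIDs, which the model omits for brevity.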

Embodiments of this invention also provide methods of dividing the UNIX computers in a network into one or more groups called zones. A single zone is specified for each UNIX computer.

The methods of an embodiment of this invention allow a UNIX computer in a network to make an identity query about an entity and receive resolved entity information that is appropriate for the entity within the computer's zone. The UNIX computer specifies an entity using an entity identifier (a user name or a UID, for example) in an identity query to the identity resolver. The query also communicates zone identity information from which the identity resolver can determine the querying computer's zone.

When the identity resolver receives an identity query from a UNIX computer in a zone, it locates a global entity record that corresponds to the query-specified entity, along with the zone entity records associated with the global entity record. The identity resolver then finds the zone entity record that corresponds to the inquiring computer's zone and returns resolved entity information that contains zone-specific information for the entity. That information will be appropriate for use on all computers that are members of the querying computer's zone. This type of identity query may occur, for example, when a UNIX computer performs a system lookup of a UID, user name, GID, or group name to determine identity information for a user or group in that zone.

An identity query may also occur during a user log-on, when the computer uses the supplied user name as an entity identifier in a query to find the appropriate global user record in a directory server and return the corresponding UID, home directory, preferred shell, and primary group for that user in the computer's zone. The methods of embodiments of this invention allow a user to log on to a computer by providing a zone user name that is specific to the zone or by providing a global user name that is recognized for all computers in the network.

The methods of this invention provide tools within the identity resolver to manage zone-specific information within each zone entity record. They allow duplicate entity names and entity identification numbers across different zones within the same network but prohibit duplication within each zone. The methods allow an administrator to restrict an entity's access to one or more zones by not providing zone entity records for those zones for the entity.

BRIEF DESCRIPTION OF DRAWINGS

Embodiments of the invention are illustrated by way of example and not by way of limitation in the figures of the accompanying drawings in which like references indicate similar elements. It should be noted that references to "an" or "one" embodiment in this disclosure are not necessarily to the same embodiment, and such references mean "at least one."

FIG. 1A illustrates a computer network organized into zones in accordance with one embodiment of the invention.

FIG. 1B illustrates how a user may log on to computers in different zones in the network defined in FIG. 1A.

FIG. 2 illustrates a UNIX computer configured to operate in a zone in accordance with one embodiment of the invention.

FIG. 3 illustrates an identity resolver and workstation configured to supply resolved entity information to requesting computers in accordance with one embodiment of the invention.

FIG. 4 illustrates a global user record stored in an identity resolver with associated zone user records in accordance with one embodiment of the invention.

FIG. 5 illustrates a global group record stored in an identity resolver with associated zone group records in accordance with one embodiment of the invention.

FIG. 6A illustrates a global user record associated with a single zone user record in accordance with one embodiment of the invention.

FIG. 6B illustrates a global user record associated with an additional zone user record filled with default zone data in accordance with one embodiment of the invention.

FIG. 6C illustrates a global user record with administrator-edited zone data in a zone user record in accordance with one embodiment of the invention.

FIG. 7A illustrates a global group record associated with two zone group records in accordance with one embodiment of the invention.

FIG. 7B illustrates a global group record with an additional zone group record filled with default zone data in accordance with one embodiment of the invention.

FIG. 8 illustrates the process that occurs when a user attempts log-on through a UNIX computer in the network in accordance with one embodiment of the invention.

FIG. 9 illustrates the process that occurs when a process running on a UNIX computer requests a group information lookup from the identity resolver in accordance with one embodiment of the invention.

DETAILED DESCRIPTION OF THE INVENTION

This disclosure refers to UNIX user and group data at several levels of abstraction. For precision and ease of reference, Applicant provides the following definitions, which will be used throughout the specification and in the claims.

UNIX is defined to be the UNIX operating system, a UNIX-like operating system, or variants of the UNIX operating system such as the Linux operating system or the Macintosh OS X operating system.

Entity is defined to be either a user or a user group.

Identifier is either a name or an identification number that unambiguously identifies an entity.

FIG. 1A illustrates a network of computers that may be operated in accordance with an embodiment of the invention. The network includes an identity resolver (20) in communication through a transmission channel (30) with a set of UNIX computers such as that specified by label (40). The computers in the network can number from several to a great number.

The identity resolver (20) can use any directory technology. This description uses Microsoft's Active Directory (AD) as an example, but the identity resolver might also be an LDAP server, a relational database, or other directory technology. The identity resolver can be a single server or a set of servers that supply unified identity resolution service to the network.

The transmission channel (30) can be any wired or wireless transmission channel.

The computers (40) in this network have each been assigned to a single zone such as Zone 1 shown by label (50). The number of zones in the network can range from one to as many zones as there are computers. In this example, Zone 1 includes computers A and B, Zone 2 includes computers C and D, and Zone 3 includes computers E, F, and G.

FIG. 1B illustrates how a computer user (60) can log on to any UNIX computer in the network illustrated in FIG. 1A. In this example, Alex Hsu logs on to computer B in Zone 1, then later logs on to computer F in Zone 3 and later still into computer D in Zone 2. At each log-on, the user must supply a user name to identify himself. That user name may be a zone-specific user name or a global user name.

FIG. 2 illustrates a UNIX computer (100) configured to operate in a zone. The computer is connected by the network's transmission channel (110) to the identity resolver (120). In this embodiment of the invention, the identity resolver contains a computer record (130) that stores information about the computer (100). The computer record contains zone configuration data (140) that specifies the zone to which the computer belongs. This zone configuration data (140) may also be stored in any other location accessible by the computer or identity resolver, whether it is on the computer itself or elsewhere in the network.

The computer contains zone logic (150) that is part of embodiments of the invention. The logic is used whenever a process running on the computer (100) requests user or group information from the identity resolver (120). This logic (150) consults the computer record (130) to determine the computer's zone, adds zone identity data to the request to identify the computer's zone, then sends the request to the identity resolver (120). The logic receives resolved entity information from the identity resolver in response.

Although the zone logic in this example resides on each UNIX computer, it does not have to reside there. It may also reside on the identity resolver where it determines a zone for a computer requesting identity information and then returns identity information appropriate for that zone. The resolver may determine the zone through an explicit zone identifier contained in a computer's request, or it may determine the zone through an implicit zone identifier accompanying the request. For example, an implicit zone identifier may be the Internet Protocol (IP) address, or another type of network address, of the requesting computer; or the method in which the request was received. The identity resolver can use the implicit zone identifier to determine the requesting computer's zone.

FIG. 3 illustrates an identity resolver (200) used to supply zone-specific entity information to requesting computers. The identity resolver is connected via the network's transmission channel (205) to other computers. In this example, the identity resolver is a domain controller for Active Directory (AD), a Microsoft product that can provide directory information for both Windows and UNIX computers, but it might also be any directory server such as LDAP or a relational database. The identity resolver stores global entity records, zone entity records, and computer records on an accompanying database (210). The information stored by this particular embodiment of the invention for entity records is shown in FIGS. 4, 5, and 6.

In this implementation, the identity resolver (200) used for the invention requires no special alterations or additions except for modified records. In other implementations of this invention, the zone logic that, in this implementation, resides on each UNIX computer in the network may reside instead on the identity resolver.

The identity resolver in this implementation is managed by an administrator (220) through a separate workstation (230) that is connected to the identity resolver via the network's transmission channel (205). This workstation provides the Active Directory Users and Computers console (ADUC) (240), a user interface that the administrator can use to manage records stored in the identity resolver. The workstation also provides a zone management console in the form of a snap-in component (250) for the Microsoft Management Console (MMC). The administrator can use this snap-in as an alternative to the ADUC to manage stored records. The administrator can also use the MMC snap-in (250) to manage the zones themselves as described later.

The ADUC (240) has been customized with a set of zone extensions (260), a part of this invention that provides additional user interface controls to work with zone data within identity resolver records. The MMC snap-in (250) is a completely customized component, also a part of this embodiment, that provides the same additional user interface controls for working with zone data within identity resolver records.

Both the ADUC and the MMC snap-in work with zone record logic (270) installed on the workstation to help manage zone-specific information within records. The logic adds default zone-specific information to a zone entity record when requested. The logic also checks to ensure that when zone-specific information is added to a zone entity record that the entity name (user name or group name) and entity identification number (UID or GID) for the zone entity record are unique among all zone entity records affiliated with the same zone.

The MMC snap-in (250) supplies additional zone-management features. The snap-in displays the computers in each zone, reports on zone status, and allows an administrator (230) to create and remove zones and to set zone names.

The ADUC (240) and MMC snap-in (250) are just an example for this description. The administration console could just as well be one or more standard or custom consoles for any other identity resolution technology. To implement the methods of an embodiment of this invention, the console or consoles would be extended to handle zone-specific data within identity resolver records, to manage zones, and to ensure that entity names and entity identification numbers within a single zone are unique.

FIG. 4 shows a global user record (300) that is, in this example, an Active Directory user record. The global user record (300) is associated with zone user records (310) that contain additional zone-specific identity information. (This record could also be an LDAP record or any other standard record used by the identity resolver.) The zone user records (310) may be associated with the global user record (300) either by extending the existing global user record (300) if the identity resolver permits such extension or by other methods such as creating additional records or attaching external files.

The global user record (300) contains the global user name (320), which in this implementation is the user name provided in an Active Directory user record. The record contains other standard user record information (330) such as a password and a real user name that are typically stored in an Active Directory user record. The record is associated with a set of zone user records (310) that each contain the following information for a single zone in the network: a UNIX user name (340), a UID (350), the user's preferred shell (360), the user's home directory (370), and the name of the user's primary group (380). Each zone user record (310) may contain additional zone-specific information as well.

The zone user records (310) associated with the global user record (300) provide discrete sets of zone-specific information for the user in zero or more zones. In this example, there are zone entity records for zone 1 (390) and zone 2 (395). If the global user record (300) is not associated with a zone user record (310) for a zone defined in the network, the user has no account in that zone and cannot log into a computer belonging to that zone. In this example, Alex Hsu's global user record is not associated with a zone user record for zone 3 and so he cannot log into that zone.

Adding zone user records (310) to an Active Directory record (300) in this implementation of the invention involves creating child instances of an object that defines zone user
information. Each Active Directory user record contains one child instance for each zone user record.

Adding zone user records (310) to an LDAP record typically involves adding a multi-valued attribute to each LDAP user record. Each row in the attribute contains the information for a zone user record.

Adding zone user records (310) to a relational database typically involves creating a new table for each zone. Each table contains zone-specific data for all users enabled for a zone. The key to retrieving zone-specific data for a single user (which constitutes a zone user record) is the global user name and the zone identity information. The key for UID lookup is the UID and the zone identity information.

FIG. 5 shows a global group record (400) that is, in this example, an Active Directory group record. The global group record (400) is associated with zone group records (410) that contain additional zone-specific identity information. These zone group records (410) are associated with the global group record using the same methods described previously in the description of a global user record. (The global group record could also be an LDAP record or any other standard record used by the identity resolver.)

The global group record (400) contains the global group name (420), which in this implementation is the group name provided in an Active Directory group record. The global group record (400) contains other standard group record information (430). The record is associated with a set of zone group records (410) that each contain the following information for a single zone in the network: a UNIX group name (440) and a GID (450). Each zone group record (410) may contain additional zone-specific information as well.

If the global group record (400) is not associated with a zone group record (410) for a zone defined in the network, the group does not exist in that zone. In this example, there is no associated zone group record for zone 2 for this group, so the group does not exist in zone 2.

Adding zone-specific data to a global group record uses the same techniques for AD, LDAP or an identity resolver as described for global user records in FIG. 4.

FIG. 6 illustrates the process that occurs when an administrator sets up a global user record (500) in the identity resolver to include a zone user record for a zone in the network. The global user record in this implementation is an Active Directory user record. The administrator begins by running the enhanced ADUC and finding an appropriate global user record (500), in this case for Alex Hsu of FIG. 1. Although this example uses the ADUC to work with a user record, other types of identity resolvers would supply an alternate form of record management.

FIG. 6A shows the original global user record (500): the global user name (510) for the record is "alex.hsu@acme.com". The administrator looks at the zone user records (520) associated with the global user record (500), and sees that Alex is enabled to log on to zone 2, but not zone 3 or zone 1 because there are no zone user records for those zones.

FIG. 6B shows the global user record after the administrator asks the enhanced ADUC to enable Alex Hsu for zone 1. The ADUC creates a new zone user record for zone 1 (540), associates the new record with the global user record, and fills in default information in the zone user record for zone 1. It also generates a UID (550) for the zone user record (540) and ensures that the UID (550) is unique within zone 1.

FIG. 6C shows the global user record after the administrator edits the default zone information in the new zone user record. If the administrator attempts to create a UNIX user name (560) or UID (550) that is not unique for the zone, the enhanced ADUC will not allow it. Once the administrator is finished and the modified record is stored, Alex Hsu is now enabled to log on and work in all the computers in zone 1. Because there is no zone user record for zone 3 associated with the global user record, Hsu cannot log on to any computers in zone 3.

FIG. 7 illustrates the process that occurs when an administrator sets up a global group record in the identity resolver to include information for a zone in the network. In this implementation, the global group record is an Active Directory group record. Although this example uses the ADUC to work with a group record, other types of identity resolvers would supply an alternate form of record management.

FIG. 7A shows the global group record (600): the global group name (610) for the record is "operators". The administrator looks at the zone group records associated with the global group record and finds them for zones 1 (620) and 2 (630) but not for zone 3. This means that the group exists in zones 1 and 2, but not in zone 3.

FIG. 7B shows the zone group records after the administrator asks the enhanced ADUC to enable the group for zone 3. The ADUC creates a new zone group record (640) for zone 3, attaches it to the global group record, generates a GID (650) for the zone that is unique within the zone, and uses the directory group name for the UNIX group name (660) within the zone group record after ensuring that the name is unique in the zone.

FIG. 8 illustrates the process that occurs when a user (700) attempts log-on through a UNIX computer (710) in the network. For this example, the user enters his UNIX user name (740) for zone 2, of which the computer (710) is a member. In another case the user might enter his global user name instead. The UNIX user name in this example is "ahsu".

The computer (710), while in the process of authenticating the log-on, executes its zone logic (720) to retrieve resolved entity information for the supplied UNIX user name (740). The zone logic (720) reads the zone configuration data and retrieves the name of its computer's zone (750), in this case "zone 2." The logic (720) queries the identity resolver (730) for resolved entity information that is appropriate for the user in zone 2. To do so, the logic (720) requests that the identity resolver (730) look through all UNIX user names specified in zone user records for zone 2 to find a match for the supplied UNIX user name (740) and, if that fails, to search for the supplied user name among all global user names, in other words, to search outside zone-specific UNIX user names.

If the identity resolver (730) finds a match either in zone 2 UNIX user names or in the global user names for all zones, it returns resolved entity information (760) from the global user record where the match was found. The resolved entity information (760) may include information necessary for user authentication. It may also include global user information and zone-specific information such as UID, home directory, preferred shell, and primary group.

If the user (700) had provided a global user name and the identity resolver (730) found a matching global user record but could not find a zone user record for zone 2, then the look-up would have failed.

If the look-up succeeds, the zone logic (720) returns the information (760) to the computer (710), which can proceed with authentication and can use the resolved entity information as necessary for future interactions with the user.

Note that because the logic (720) looks for a user name (740) in both zone user records and in global user records, a user (700) may logon successfully using either his UNIX user name for the zone or his global user name. For example, Alex Hsu can log into a UNIX computer (710) in zone 2 using
either his zone user name "ahsu" (740) or his global user name "alex.hsu@acme.com". His UNIX user name (740) is not guaranteed to work in other zones, because he might have different UNIX user names defined in those zones. His global user name, however, will work for logon in any zone in which he is enabled.

FIG. 9 illustrates the actions that occur when a process (800) running on a UNIX computer requests a group information lookup from the identity resolver (830). The process ... a number (840) and requests the ... group name from the UNIX operating system (810). The UNIX OS executes the zone logic (820), which looks up the computer's zone in the zone configuration data, finds "zone 1", then queries the identity resolver (830) to find any zone group record specifying the GID 11000 (840) for zone 1. The identity resolver (830) finds the GID in a zone group record associated with a global group record using the global group name "operators". The identity resolver (830) looks up the UNIX group name (850) in the associated zone record for zone 1, finds "staff", and returns that name to the zone logic (820). The zone logic (820) returns "staff" to the UNIX OS (810), which returns it to the requesting process (800).

The foregoing description of specific embodiments of the present invention are presented for purposes of illustration and description. They are not intended to be exhaustive or to limit the invention to the precise forms disclosed. Many modifications and variations are possible in view of the above teachings. The embodiments were chosen and described in order to best explain the principles of the invention and its practical applications, to thereby enable others skilled in the art to best utilize the invention and various embodiments with various modifications as are suited to the particular use contemplated. It is intended that the scope of the invention be defined by the following claims and their equivalents.

An embodiment of the invention may be a machine-readable medium having stored thereon instructions which cause a processor to perform operations as described above. In other embodiments, the operations might be performed by specific hardware components that contain hardwired logic. Those operations might alternatively be performed by any combination of programmed computer components and custom hardware components.

A machine-readable medium may include any mechanism for storing or transmitting information in a form readable by a machine (e.g., a computer), not limited to Compact Disc Read-Only Memory (CD-ROMs), Read-Only Memory (ROMs), Random Access Memory (RAM), Erasable Programmable Read-Only Memory (EPROM), and a transmission over the Internet.

I claim:

1. A computer-readable storage medium storing instructions that, when executed by a UNIX client computer, cause the computer to perform operations comprising: obtaining a user identifier from a user; determining a zone of the UNIX client computer from zone identity information located on the UNIX client computer, wherein said zone identity information is a computer identifier created by an administrator via an administration console; selecting a global user record using the user identifier, said global user record including a global user name and zone information for a plurality of zones, one of which is the determined zone; and retrieving from said selected global user record first information corresponding to said user identifier and second information corresponding to said user identifier and said zone information from said determined zone, wherein the second information is at least a UNIX UID for the determined zone; enabling said user to logon to said UNIX client computer if and only if said global user record is associated with said zone information for the determined zone, wherein said user identifier and UNIX UID have different values.

2. The computer-readable storage medium of claim 1 wherein the zone identity information identifies one zone of said plurality of zones, said plurality including at least a first zone and a second zone, where a first user record of the first zone may conflict with a second user record of the second zone.

3. The computer-readable storage medium of claim 1 wherein the zone identity information is an explicit zone identifier obtained with the user identifier.

4. The computer-readable storage medium of claim 1 wherein the zone identity information is implicit in a method by which user identifier was obtained.

5. The computer-readable storage medium of claim 4 wherein the zone identity information may be inferred from a method by which the user identifier was received.

6. The computer-readable storage medium of claim 1 wherein the user identifier is a global user name.

7. The computer-readable storage medium of claim 1 wherein the first information and second information from the global user record is at least one of a global user name, a password, a real name, a preferred shell, a home directory location, UNIX ..., a UNIX group and a UNIX ....

8. A computer-readable storage medium storing instructions that, when executed by a UNIX client computer, cause the computer to perform operations comprising: obtaining a user identifier from a user; determining a zone of the UNIX client computer from zone identity information located on the UNIX client computer, wherein said zone identity information is a computer identifier created by an administrator via an administration console; said UNIX client computer selecting a zone user record using the user identifier and the zone; selecting a global user record using said zone user record, said global user record including a global user name and zone information for a plurality of zones, one of which is the determined zone; retrieving from said selected global user record first information corresponding to said user identifier and second information corresponding to said user identifier and said zone information from said determined zone, wherein the second information is at least a UNIX UID for the determined zone; enabling said user to logon to said UNIX client computer if and only if said global user record is associated with said zone information for the determined zone, wherein said user identifier and said UNIX UID have different values.

9. A computer-readable storage medium storing instructions that, when executed by a UNIX client computer, cause the computer to perform operations comprising: determining a zone of the UNIX client computer from zone identity information located on the UNIX client computer, wherein said zone identity information is a computer identifier created by an administrator via an administration console;
said UNIX client computer selecting a zone user record located in an identity resolver database using a user identification number and the zone; selecting a global user record using said zone user record, said global user record including a global user name and zone information for a plurality of zones, one of which is the determined zone; retrieving from said selected global user record first information corresponding to a user identifier and second information corresponding to said user identification number and said zone information from said determined zone, wherein the second information is at least a UNIX UID for the determined zone; enabling a user to logon to said UNIX client computer if and only if said global user record is associated with said zone information for the determined zone, wherein said global user name and said UNIX UID have different values.

10. A computer-readable storage medium storing instructions that, when executed by a UNIX client computer, cause the computer to perform operations comprising: determining a zone of the UNIX client computer from zone identity information located on the UNIX client computer, wherein said zone identity information is a computer identifier created by an administrator via an administration console; said UNIX client computer selecting a zone user record located in an identity resolver database using a user identification number and the zone, said identity resolver database including a global user record, said global user record including a global user name and said zone user record; retrieving from said zone user record information corresponding to said user identification number and said zone; enabling a user to logon to said UNIX client computer if and only if said global user record is associated with zone information retrieved from said zone user record for the determined zone, wherein said global user name and said user identification number have different values.

* * * * *
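The FIG. 8 log-on lookup (zone-scoped UNIX name first, global user name as fallback, failure when the global record has no zone user record for the computer's zone) and the FIG. 9 GID-to-group-name lookup, as an added Python example that is not part of the patent or of any Centrify or Quest product. An in-memory class stands in for the Active Directory identity resolver, and the UIDs, shells and home directories are constructed values; only the names "alex.hsu@acme.com", "ahsu", "operators", "staff" and GID 11000 come from the description above.

```python
from dataclasses import dataclass, field, asdict

@dataclass
class ZoneUser:
    """Zone user record (FIG. 4, 310-380): the zone-specific UNIX identity."""
    unix_name: str
    uid: int
    shell: str = "/bin/sh"
    home: str = "/"
    primary_group: str = ""

@dataclass
class GlobalUser:
    """Global user record (FIG. 4, 300-330) plus its attached zone user records."""
    global_name: str                            # e.g. the AD user principal name
    zones: dict = field(default_factory=dict)   # zone name -> ZoneUser

class IdentityResolver:  # in-memory stand-in for the directory (AD/LDAP) records
    def __init__(self):
        self.users = {}    # global user name -> GlobalUser
        self.groups = {}   # global group name -> {zone: (UNIX group name, GID)}

    def conflicts(self, zone, zu):
        """True if some user in this zone already carries this UNIX name or UID."""
        return any(z.unix_name == zu.unix_name or z.uid == zu.uid
                   for gu in self.users.values() if (z := gu.zones.get(zone)))

    def enable_user_in_zone(self, global_name, zone, zu):
        # Same per-zone uniqueness rule the enhanced ADUC enforces (FIG. 6C, 7B).
        if self.conflicts(zone, zu):
            raise ValueError(f"{zu.unix_name}/{zu.uid} is not unique in {zone}")
        self.users.setdefault(global_name, GlobalUser(global_name)).zones[zone] = zu

    def resolve_user(self, name, zone):
        """FIG. 8 lookup: zone-scoped UNIX name first, then global-name fallback."""
        for gu in self.users.values():
            zu = gu.zones.get(zone)
            if zu and zu.unix_name == name:
                return {"global_name": gu.global_name, **asdict(zu)}
        gu = self.users.get(name)
        if gu is None or zone not in gu.zones:   # global hit but no zone record: fail
            return None
        return {"global_name": gu.global_name, **asdict(gu.zones[zone])}

    def group_name_for_gid(self, gid, zone):
        """FIG. 9 lookup: UNIX group name from the zone group record with this GID."""
        for per_zone in self.groups.values():
            rec = per_zone.get(zone)
            if rec and rec[1] == gid:
                return rec[0]
        return None

def build_example():
    """Constructed sample data following the patent's Alex Hsu / 'operators' example."""
    r = IdentityResolver()
    r.enable_user_in_zone("alex.hsu@acme.com", "zone 2", ZoneUser("ahsu", 10001, "/bin/bash", "/home/ahsu", "staff"))
    r.enable_user_in_zone("alex.hsu@acme.com", "zone 1", ZoneUser("alex", 20017, "/bin/ksh", "/home/alex", "operators"))
    r.groups["operators"] = {"zone 1": ("staff", 11000)}   # no zone 3 record: absent there
    return r
```

Running `build_example().resolve_user("alex.hsu@acme.com", "zone 3")` returns `None` even though the global record exists, which is the fail-closed behaviour the description relies on to keep a user out of zones where no zone user record was provisioned.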